INTERNET SEARCH GIANT Google is testing out an alert system for users whose computers are infected with malware.
It involves displaying warnings at the top of search result pages, a technique that might be abused by scammers to distribute malicious programs in the future.
For now, Google displays these warnings only to users infected with a particular click fraud trojan that hijacks search traffic and routes it through proxy servers controlled by its creators. This is probably done in order to insert ads in response pages.
There is reason to believe that if the results of this initial test are satisfactory, the company might consider extending the system to also cover other threats in the future. "We're trying this as an experiment to alert and protect consumers that we believe have infected machines. Please share this widely," said Matt Cutts, a Google engineer who leads the company's antispam team.
Google's warning is positioned between the web site's top navigation bar and the search box. It warns in big bolded text that "your computer appears to be infected" and contains a "learn how to fix this" link. These characteristics make it a perfect candidate for spoofing by scammers who distribute fake antivirus programs.
So far these criminal gangs have abused many types of alerts people are familiar with, including Microsoft's balloon notifications or Firefox's "attack site" web pages. There's no reason why they wouldn't start spoofing Google's malware warnings to direct users to malware too.
However, it's not clear how Google can extend the system to cover other types of threats. Identifying affected users in this particular test case is simple because the traffic comes from a few IP addresses associated with the rogue proxies. It's only users that access Google through those servers that see the warning, but other malware infections don't present such obvious tell-tales. Very few of them generate traffic that Google will be able to intercept, analyze and link to individual victims.
Even malware threats similar to the currently targeted one might not prove as easy to detect in the future. The creators of this particular Trojan used a small number of proxy servers running on infected computers owned by companies that were willing to work with Google.
Next time, attackers might decide to make each infected computer act as a proxy relay and have them use each other in a peer-to-peer-like fashion. Or they could host the proxy relays with so-called bulletproof hosting companies in Russia or China that ignore abuse requests.
Google would still be able to detect traffic coming from those IPs and display the warnings, but if attackers still control the proxies, they can modify the response pages and remove them in real time.
Ultimately, while this solution might sound like a good idea, it is probably limited to just a few situations. For now, spreading the word about these warnings, as Google's Cutts suggests, might not be the best idea, as it could provide enough incentive for scammers to spoof them.