Google result redirector malware - I'm infected; CIS did nothing!

[Guest]

[puddingpants]

Hi all.  To my horror, today I ran a Google search and clicked on a result, and was redirected to some money-generating "scareware" site.  The search result's URL looked good on the screen, looked good in the status bar when I hovered the mouse over it, and works fine if I right-click the URL, select "Copy Link Location", then paste it in a new tab/window.  But if I click it directly, I get redirected to scareware/ad-spam type pages.  This only happens rarely though, the vast majority of search results work correctly.

I don't see how this can be anything but malware on my PC, and I'm VERY careful and have been running CIS since April, and I installed it on a known-clean new PC.  I use Firefox only, latest version always, NoScript and AdBlock Plus in use and updated promptly, Windows XP Media Center Edition XP3 with all security updates always applied, always login as a limited user except for installs/updates, etc.  And I'm not dumb, I'm a professional software engineer, and I know what not to do.

I restored my boot partition from a mid-October image (over 20 days ago), and the malware is STILL there and functional, so it's been there quite awhile now, without CIS ever noticing or alerting me.  I scan daily and have CIS configured at nearly maximum security levels.

And CAV happily reports 0 malware found on all scans, and D+ never, that I can recall, gave me a single alert about the thing, and Comodo Firewall never caught anything either... and obviously this malware must be communicating with the outside world, to get its list of links, etc.  

Now I'm likely going to have to blow away the machine's boot partition and restore it back to the manufacturer's factory default image, then spend days applying updates, patches, programs, configuring, etc.

Anyone have any idea how this might've happened, and why CIS can't find the thing?  I'm considering downloading and running a scan with that "malwarebytes" scanner, turning off CAV's realtime mode while I do so.  Anybody done that before?  Does it work?

I'm not too happy with CIS right now.  Has anyone encountered this, and can they help, or should I just blow the drive back to the factory image?  If it's a nasty, deep, hidden rootkit (I don't see anything unusual in Task Manager or startup items, for instance!), I may have to.

[cvsa]

before formatting , try to use malwarebyte on your pc and tell us if it found something 

[AeoniAn]

Hi, puddingpants;


See this:

https://forums.comodo.com/virusmalware_removal_assistance/what_to_do_if_youre_infected_experience_rev3-t41380.0.html

[DaRtH VaDeR.]

HI,

my personal opinion on this is that it does not necessarily mean you have malware on your machine when you get "redirected" to a phising scareware site when clicking on a link in the google search engine result page.... If it was real malware you mostly always get redirected, because the creator of the malware wants you to get infected more, so even when copying the link you would get to a malware site, assuming you are real infected....

To get more clearness about your issue, you can try mcafee siteadvisor, linkscanner or wot firefox extension, to see what they "judge" about the specific site.. I would recommend you to try linkscanner, as it scans a site "real time". If any of these programs find the site dangerous, it is possible you got infected, especially when that specific site is an "attack site", which mostly exploits os en application bugs and contains drive by downloads... otherwise I would not worry that much....

When it is clear you are dealing with a dangerous site according to google or any of the suggesting security programs (Linkscanner, mcafee siteadvisor, wot), you need to check if you reduced the chance of infection:

* Have you clicked on anything on the site?
* Have you left information on the site?

if you answer the above questions with a "NO", you are good to go. Let us continue from here:

When it is a combination of a phising site and attack site:

* Are you logged in as a user with limited acces rights?
* If you use firefox, do you use security add-ons like noscript, ad block plus, better privacy, taco, and so on?
* If you use CIS, have you configured CIS with highest security settings? (for example paranoid mode..) or have you configured it in a way it would detect new threats?
* Do you keep your programs and main operating system up to date?
* Do you clean and scan you pc regularly?

If you answer the above questions mostly with "YES", you have minimized the effects of any malware that has entered your system in some way drastically!

To be sure, you can scan your system with different anti-malware programs of different security vendors who offer free scans or free on demand scanning programs.. Also there is the possibility to use system restore, before taking drastic measures as a back-up image!

Also check your system performance, running processes, and start-up entries and other important system areas. if everything runs "smoothly" I do not think you have to worry

I wish you a nice day!



 

[puddingpants]

Oh boy, do I feel silly.

CIS didn't detect any malware because I NEVER CAUGHT ANY!

I scanned my system with Malwarebytes and two rootkit scanners (GMER (see gmer.net) and F-Secure Blacklight), and found nothing.  My pal visited some of the affected links I gave him, and he got the exact same evil redirects.... and he was using a Mac running Safari!

So I have no malware at all.  The evil redirects are really "out there" on the web pages themselves.

I did some reading on the web and figured out what's going on.

Turns out that fraudsters have some new tricks.  They'll take some currently-popular/hot search term(s), and will:

(1) make new webpages that contain text highly relevant to that search term (for example, stolen article text about the subject) and also contain a redirect to a "traffic management" URL.

and,

(2) compromise real (and vulnerable) webpages relevant to the search term, and put redirects on them that also lead to a "traffic management" URL.

The "traffic management" URL takes requests and redirects them to a randomly-chosen (or round-robin-chosen, or whatever algorithm is used) evil website it has in its list of evil websites.

These systems are smart, though.  If the request's "HTTP Referrer" field doesn't contain "google.com", the redirect to the evil site doesn't occur.  Instead, if the request was for a site of type (2) above, the user is sent to the real webpage.  If type (1), since there's no "real webpage" at all, the user is redirected to some innocent site (in my experience, they sent me to CNN.COM's main page).

Since the administrators of the compromised real sites access their sites directly, and not through Google search result pages, they're unlikely to notice that their own sites have been compromised for quite some time!

Clever.  Also, the systems will check all incoming requests' IP addresses against known security companies (Norton, Symantic or whoever) and will NOT do any evil redirects for those requests.

There are several articles about it on the web.  Take note, folks.  If you're getting redirected from seemingly-valid Google search results to evil sites, then you may NOT be infected with any malware (even if pasting the same URL into a fresh tab manually doesn't cause the redirects!)

This is something everyone ought to be aware of, so they don't potentially waste lots of time hunting down nonexistent malware on their PC.

Hope that helps.  And thanks for the suggestions, guys.  I like Malwarebytes.  Since the free version has no realtime component, it plays nice with CAV, and gives me extra anti-malware confidence.

[Beanie]

Hope that helps.  And thanks for the suggestions, guys.  I like Malwarebytes.  Since the free version has no realtime component, it plays nice with CAV, and gives me extra anti-malware confidence.

It's great software

[Michael Withstand]

Thanks for the elaborate heads up really appreciate that 

[Chiron494]

If there is a link on Google that is malicious in any way they appreciate it if you report it at
http://www.google.com/safebrowsing/report_badware/

[Tags:]