A quick-witted Google engineer has uncovered evidence that as many as one million Windows PCs appear to have been infected by browser redirection malware that is sending searches through proxy servers in order to generate hit traffic.
This type of attack has been around for years in one form or another, but the scale of what Google engineer Damian Menscher chanced upon from a single family of malware is still unusual in its scale.
Performing routine maintenance on a data centre, Menscher noticed unusual traffic still arriving at the servers from unusual addresses. Calling in help from security experts, it was discovered that the requests were coming from a large clutch of PCs infected by proxy redirection malware.
Google has now added a layer of detection that picks up on the redirection attack and gives its victims a search page message 'Your computer appears to be infected' if traffic through the proxies is noticed.
"We hope that by taking steps to notify users whose traffic is coming through these proxies, we can help them update their antivirus software and remove the infections," Google said in an official blog.
For anyone in doubt, the symptoms of this type of attack are easy to spot although not always easy for a user to clean up. When making Google searches, users are sent to any one of a variety of unrelated sites for porn, malware, fake anti-virus, or cloned products.
That points to the limitation of Google's action; it tells affected users they have a problem but doesn't directly do anything about it.
The basic symptom will be interference in the PC's 'hosts' configuration file, but editing is not guaranteed to succeed. If the PC is infected with malware, the redirection is likely a symptom of a deeper issue that requires a system restore (to a point before the infection was noticed) or the use of up-to-date antivirus software to attempt to strip out the infection.
Google doesn't mention which malware is associated with the issue but Menscher told security writer Bryan Krebs that he believed that a fairly standard fake AV scareware campaign was the most likely culprit. That would explain the large numbers of users that appear to have been affected.
Google has published a basic help article for anyone that sees the Google warning.