In association with heise online

12 May 2011, 16:08

Google doodle takes you to scareware sites


The Google Doodle for Martha Graham's 117th Birthday.
Source: Google
It's not unusual for links to scareware to turn up in Google search results. But it is rare for a click on a prominently positioned Google doodle to take you to links for fake virus scans. Fake virus alerts are a common method of trying to infect users' computers with scareware and ransomware.

Many times throughout the year, Google changes the logo on its homepage into a doodle to mark special dates such as public holidays, special events and anniversaries, as well as on the birthdays of noted people; these dates and doodles vary by region. If a user clicks on the doodle to find out what it means, Google launches a search for the term the doodle refers to.

On Wednesday, Google celebrated the 117th birthday of dance icon Martha Graham. Clicking on the doodle displayed a list of preview images of the modern art dancer, some of which were links to a scareware site that claimed to have scanned the user's PC and found it to be infected. At present, a search for Martha Graham on Google still displays those images.

Once on the scareware site, the user is offered the SecurityScanner.exe file for download in order to solve the alleged virus problem; the file contains malware. Only 4 of the 42 scanners used by Virustotal flagged the file as being a threat at 11am on Wednesday. A test conducted by The H's associates at heise Security revealed that the scareware managed to infect a Windows 7 system with Microsoft Security Essentials 2 (MSE2) enabled. The malware disabled MSE2 and added itself to the security centre as "Win 7 Home Security 2011" – and labelled itself as disabled. Users are then asked to pay €60 to activate it.

The infected system could no longer be used in any meaningful way. Warnings constantly popped up whenever any web page was visited regardless of which browser was used. The program does not appear on the list of installed software and therefore cannot be uninstalled easily. In similar cases, scareware could, with a lot of effort, be manually removed, but this software changed so many settings in the system that reinstalling Windows was the safest solution.
