Confusednetter, Posted August 29, 2020

Hi, I have a question. I recently googled http19216811 into Chrome and Eset did a "connection terminated" due to JS/Adware.subprop.o. My question is more academic than practical. When I google something, does Eset scan each search result and do internet warnings/blockings? Or does it only do these when something is clicked on or being loaded? I ask because I did nothing except google that term. It would be interesting if the page it blocked was trying to somehow load simply from a Google search.

Thanks, Alex

Marcos (Administrators), Posted August 29, 2020

We scan only what is actually downloaded and block only malicious content.

itman, Posted August 29, 2020 (edited)

3 hours ago, Confusednetter said:
Hi, I have a question. I recently googled http19216811 into Chrome and Eset did a "connection terminated" due to JS/Adware.subprop.o.

Did the same in Firefox and Eset detected nothing in Google search results:

Now I use uBlock Origin in Firefox. So it may have removed any ads from the Google search result prior to web page rendering. It would be very unusual, however, for a malicious ad to be rendered on its search results web page, but I guess anything is possible these days. However, I just repeated the Google search and uBlock didn't block anything malicious.

Confusednetter, Posted August 29, 2020

Hi. The search to generate the block is "hxxp://19216811". I am wondering if this could be malware meant for people who type the router address wrong? I am not sure what Eset is blocking....

Thanks, Alex

Confusednetter, Posted August 29, 2020

Note: The previous xx should be tt.

itman, Posted August 29, 2020

10 minutes ago, Confusednetter said:
Hi. The search to generate the block is "http://19216811". I am wondering if this could be malware meant for people who type the router address wrong? I am not sure what Eset is blocking.... Thanks, Alex

Still no issue in Firefox. Looks like a Chrome issue to me.

itman, Posted August 29, 2020 (edited)

I even entered http://19216811 directly into the Firefox search bar. Interestingly, it actually converts to an IP address but it isn't routable:

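
The conversion described in the post above follows from how browsers read numeric hosts: each part may be decimal, hex or octal, and the last part fills whatever bytes remain. As an added example that is not part of the original thread, this JavaScript canonicalizes such hosts so that filter or proxy log entries for the same address can be matched; the helper names and sample hosts are constructed.

```javascript
"use strict";
// Added example: helper names and sample hosts are constructed for illustration.

// Parse one dot-separated part: "0x" prefix = hex, leading "0" = octal, else decimal.
function parsePart(part) {
  if (part === "") return null;
  let radix = 10;
  let digits = part;
  if (/^0x/i.test(part)) {
    radix = 16;
    digits = part.slice(2);
  } else if (part.length > 1 && part[0] === "0") {
    radix = 8;
    digits = part.slice(1);
  }
  if (digits === "") return 0; // a bare "0x" counts as zero
  const allowed = { 8: /^[0-7]+$/, 10: /^[0-9]+$/, 16: /^[0-9a-f]+$/i }[radix];
  return allowed.test(digits) ? parseInt(digits, radix) : null;
}

// Return the dotted-quad form of a numeric host, or null if it is not one.
function canonicalIPv4(host) {
  const parts = host.split(".");
  if (parts.length > 1 && parts[parts.length - 1] === "") parts.pop(); // trailing dot
  if (parts.length > 4) return null;
  const nums = parts.map(parsePart);
  if (nums.includes(null)) return null;
  const last = nums.pop();
  // Leading parts are one byte each; the last part fills all remaining bytes.
  if (nums.some((n) => n > 255) || last >= 256 ** (4 - nums.length)) return null;
  const value = nums.reduce((acc, n, i) => acc + n * 256 ** (3 - i), last);
  return [24, 16, 8, 0].map((s) => Math.floor(value / 2 ** s) % 256).join(".");
}

// Group hosts (for example from web-filter log entries) by canonical form.
function groupByCanonical(hosts) {
  const groups = new Map();
  for (const h of hosts) {
    const key = canonicalIPv4(h) || h.toLowerCase();
    groups.set(key, [...(groups.get(key) || []), h]);
  }
  return groups;
}

const sampleHosts = ["19216811", "0x12539ab", "1.37.14763", "192.168.1.1", "example.com"];
for (const [key, seen] of groupByCanonical(sampleHosts)) {
  console.log(key, "<-", seen.join(", "));
}
```

Node's built-in parser agrees with this: `new URL("http://19216811").hostname` returns the same dotted-quad string.
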
Confusednetter, Posted August 29, 2020

I saw the same thing with going directly to the URL. Anyway, I am not sure what is going on with Chrome. It startled me and I wonder if hackers are trying to use common mistakes in searches to try to install spyware.

itman, Posted August 29, 2020

54 minutes ago, Confusednetter said:
I saw the same thing with going directly to the URL. Anyway, I am not sure what is going on with Chrome. It startled me and I wonder if hackers are trying to use common mistakes in searches to try to install spyware.

I also tried this in Edge Chromium, which is Chrome based, using Google search and again, no Eset detections. My advice is to install a good ad blocker like uBlock Origin in Chrome. Eset's detection appears to be related to a malicious ad.

Confusednetter, Posted August 29, 2020

@Itman thanks for the advice. I think this is just benign adware and Eset blocked it. I am more concerned about what internet browsers load. Does Eset block ads from Google, for example? What is being loaded onto a computer from a Google search?

itman, Posted August 29, 2020 (edited)

26 minutes ago, Confusednetter said:
@Itman thanks for the advice. I think this is just benign adware and Eset blocked it. I am more concerned about what internet browsers load. Does Eset block ads from Google, for example? What is being loaded onto a computer from a Google search?

Eset will only block an ad in a browser if it's known to be malicious. What is the case many times is the ad itself will do a redirect to a web site that is hosting malicious content. So theoretically, the ad itself contains nothing malicious, but Eset will block its execution because of the redirect activity.

Confusednetter, Posted August 30, 2020

Okay, thank you! In this case there was no redirect. I was just searching for the right address for my network. I suppose my core question is whether it is possible to get a virus by simply googling. I was taken aback when Eset got upset with a Google search.

Marcos (Administrators), Posted August 30, 2020

What can happen with relation to Google is that if you go to a particular compromised website through Google search, you'll be redirected to a malicious or scam website instead. However, if you open the website by typing the address in the address bar, you'd get legitimate content that is on the website.

Confusednetter, Posted August 30, 2020

@Marcos - I did not go to any website from the Google search. In Chrome I went to Google and typed "hxxp://19216811", and Eset said "threat removed". Can you reproduce this or explain what is going on? I did not go to the site directly, nor did I click on anything. I will attach screenshots too.

Thanks, Alex

itman, Posted August 30, 2020 (edited)

Would have helped if you initially posted the alert or related log entry. What doesn't make any sense at this point is why Eset is alerting for that first displayed search result in Chrome but not doing so in Firefox or Edge. Refer to my posted Firefox Google search display. It is identical to your Chrome Google search display. It's as if the Google search results from Chrome are different internally than other browsers are rendering. If this is the case, it would be an interesting find indeed.

Why don't you try another browser and see if Eset alerts on the same Google search? If it does, then it appears you may have picked up a Google search malware of some type.

Nightowl (Most Valued Members), Posted August 30, 2020

It might have been because Chrome pre-loads pages for faster loading; you can disable that in the settings and see if it makes any difference.

itman, Posted August 30, 2020

1 minute ago, Nightowl said:
It might have been because Chrome pre-loads pages for faster loading; you can disable that in the settings and see if it makes any difference.

Or clear your browser history and/or cache in Chrome at its close time and see if that resolves the alerts.

Confusednetter, Posted August 31, 2020

@itman, I tried searching that on Edge and had the same result. I do not have Firefox but I could try it. Has anyone else been able to reproduce this error?

Enrico, Posted August 31, 2020

Disable "Preload pages for faster browsing and searching" and see if it happens again. (In order to reduce attack surface, never use prefetch/predict browser features.)

It seems to me that Google Safebrowsing (aka censorship) is failing again to detect malicious websites.

itman, Posted August 31, 2020 (edited)

10 hours ago, Confusednetter said:
@itman, I tried searching that on Edge and had the same result.

Are you stating that Eset detected the same Google search result malware when using Edge?

itman, Posted August 31, 2020 (edited)

Also looks like Google Search itself is having security issues:

Quote:
Because all these web resources are authoritative and rank high in Google, the fraudulently posted materials quickly reached the top of search results pages (SERPs) by the target keywords. The articles were riddled with links leading to rogue hacking tools. Users were instructed to download a file that would supposedly unlock the actual password-cracking feature. Instead of doing what it said, though, the link would redirect users to pages hosting online scams that would try to dupe visitors into handing over their personal information. In some scenarios, covert scripts would also install malicious code onto users’ devices. One of the reported payloads is the infamous malware loader called Emotet.

https://www.forbes.com/sites/davidbalaban/2020/08/25/google-search-fails-again-recent-black-hat-seo-attacks-lead-to-malware-and-porn/#2c8b52945214

itman, Posted August 31, 2020

In light of the above forbes.com article, I have a pretty good idea of what is going on here in regards to the OP's Google search result displays.

There are thousands of domain servers and like corresponding Google servers worldwide spread throughout the Internet backbone. Although Google will display search results the same regardless of where you are located, the source for those results varies depending on where you are located. Appears in the OP's case, Google is picking up malicious domains and not properly filtering them out prior to rendering.

Just be thankful that you are using Eset, which is filtering those Google search results. Also seriously consider using a different search engine in your case.

itman, Posted August 31, 2020 (edited)

Since we are discussing Google search, I will post this issue in regards to Eset and Google search.

What I have observed on my installation is Eset will not alert on certain Eset PUA classified web sites when using a Google search result. Eset will just silently block the web site access attempt and create a corresponding log entry for this activity. This can be duplicated by doing a Google search for pcrisk and then clicking on any result showing the domain name of pcrisk.com. On the other hand, if I am using DuckDuckGo for example as my search engine, Eset will throw a PUA alert.

I posted a forum thread about this behavior some time ago and never did receive an Eset response to it.

Confusednetter, Posted September 1, 2020

@nightowl @Enrico I was able to disable the predictive services feature in Chrome and the Eset alert failed when googling hxxp://19216811. It must be related to pre-loading.

@itman - I had the same error with Edge. Oddly, I cannot find the button to disable pre-loading but I suspect that is the issue.

Cheers, Alex

itman, Posted September 1, 2020 (edited)

You can disable Chrome page pre-loading as shown here: https://ccm.net/faq/28055-google-chrome-enable-disable-the-pre-rendering-of-webpages. I could not find a way to do the same in the Edge Chromium version.

Open up IE11 and see if the same Eset threat alert is shown when the Google search page is rendered. If it is, this would be confirmation of what I posted previously: that the Google search results rendering of malware links is occurring via Google servers. Your only solution presently is to change your search engine in Chrome, if that is possible.