Microsoft Mistakenly Claims Google Home Page Infected With Blackhole


Feb 15, 2012

Microsoft quickly updated its security tools after users reported seeing warnings that Google’s home page was infected with the Blackhole exploit kit.

Microsoft’s Forefront corporate security products and the consumer-focused Security Essentials anti-malware software were updated Feb. 14, shortly after the company announced nine bulletins for its scheduled Patch Tuesday release. Corporate users trying to access Google’s home page through the Forefront TMG proxy were warned that the search page was infected, Manuel Humberto Santander Pelaez wrote on the SANS Institute’s Internet Storm Center Diary.

“Access to the requested file is blocked due to a detected infection,” the message said, before identifying the infection as Exploit:JS/Blacole.BW.

Pelaez analyzed the packets and was unable to find anything wrong. Security writer Brian Krebs saw a similar warning on a Windows XP machine running Microsoft Security Essentials. Microsoft’s Technet support forums were full of questions from concerned users and administrators.

“For whatever reason, Microsoft’s security software thought Google’s home page was infected with a Blackhole Exploit Kit,” Krebs wrote.

The Blackhole exploit kit is a popular attack kit used to compromise legitimate Websites and direct users to malicious portals that download more malware, steal data or perform other nefarious acts. The kit is regularly updated with new exploits and can be used to launch attacks targeting vulnerabilities in Java, Adobe and Microsoft products.

Leak repository Cryptome disclosed it had recently been infected with Blackhole and may have redirected about 2,900 visitors to malicious sites. The kit was the source of about 95 percent of all malicious links identified by M86 researchers between July and December 2011.

False positives happen with security products, and Microsoft was able to push out a new update within four hours to fix the problem.

“Microsoft AV team is removing the detection from Signature. 1.119.1986.0 or higher will contain this change,” Microsoft Support said.

As false positives go, this was a minor one, as the security tool did not try to remove or modify files in order to clean up the perceived threat. If the user clicked on the “remove” option to clean the infection, the software reported that it was unable to find the threat, according to Krebs.

Interestingly enough, it appears that the false positive was detected when users landed on the Google home page using the Internet Explorer Web browser or actually performed a search using Mozilla Firefox. Google Chrome or Safari users did not appear to have seen the warning. Some users on Technet reported seeing warnings on any site using Google Adwords or Google Analytics.
