After so much discussion on a topic I initially guessed might be answered by someone relatively simply,
I decided to take a look at this, and this is apparently a not-so-simple malware attack.
First, I found no technical report anywhere that describes the malware in the usual way, i.e. how the malware might be classified, its attack vectors, recommended solutions and workarounds (if a solution doesn’t exist).
Instead, I found sites that describe how to remove it, but even then probably because no one seems to have clearly defined it, and because there is a web component it may also easily mutate.
After skimming a few removal guides, it’s possible to identify a few broad concepts and descriptions of the malware…
To some degree, it will affect <all> web browser applications at the application layer only, which means that it’s possible to be infected on Linux or any other OS.
Beyond the web browser itself, the malware can be seen installed deeply into a Windows system, “infecting” the Windows Registry, and various common file locations where apps can be configured to start on boot. Non-Windows systems like Linux are not affected by this deeper infection.
I won’t recommend any “Guide” to removing this malware from a Windows machine, partly because, although all seem to be partly similar (standard practice of configuring “safe boot,” which involves configuring only minimal services to auto-start and then rebooting), they can vary greatly on exactly what to “clean.”
But, even on Linux machines, you need to remove the malware that is installed into the browser, like extensions, plugins, add-ons, possibly toolbars, etc.
For this, I will recommend (for now) this webpage, which first lists some auto-removal tools and then what is needed to clean each web browser you run:
http://www.malwareaid.com/how-to-delete-ssl-gstatic-com-from-your-pc/
But,
As I noted, be aware that from my cursory inspection a number of supposed “guides” don’t agree in total, so YMMV.
Lastly,
As for how the machine was likely infected and how to avoid another infection,
It should be noted that this type of compromise almost certainly requires <user permission> to infect. It’s very, very unlikely that there is some kind of fundamental security flaw across all those web browsers, particularly for the kind of problems that are caused. On one site, I saw some speculation that it might be a “Java required… Click here to upgrade” prompt, which is commonly seen even on legitimate sites. Of course, clicking on <any> warning is bad practice which can lead to infection. The user should instead go to the needed technology by <typing the address> in the URL field (e.g. http://java.com if you want to update Java), but of course typical non-technical people won’t know to do this.
Also,
IMO this attack vector (visiting websites which prompt you to install a missing component) is not necessarily typical only of surfing disreputable websites. For years now, I’ve noticed a very large number of supposedly “reputable,” or at least “not the underbelly of the Internet,” websites serving various forms of malware, from Flash cookies (which were all the rage about 3 years ago but are disappearing as Flash is used less often) to normal cookie tracking to otherwise interrogating your machine for more than the necessary info, because:
- Legitimate and reputable websites don’t always partner with advertisers with the same goals. Remember, advertisers want to know everything they can about you to serve targeted content.
- Some sites like political sites (even the major campaigns here in the USA) regularly want to know everything about you just because you expressed enough interest to visit their site and maybe explore content. They won’t ask, they just collect everything they can technically without asking you to provide that info.
- At least the above is possible even without malware, because the new HTML5 standards and features enable and require capabilities to deliver services like geo-location, targeted content, and more. But, if that isn’t enough, of course infecting with malware is no problem for those who are <really> unethical.
HTH,
TSU