In a word: malware.
This is a fairly classic case of a browser hijacking.
There are many variations on the theme, but the idea is very simple: you try to go somewhere and you land … somewhere else.
What you’ve experienced seems like a pretty direct hijack. If the address bar remains unchanged – i.e. it still says “google.com” – and yet you know that you’re not seeing google.com at all, then malware has perhaps modified your system’s “hosts” file, your DNS settings, or potentially the DNS settings in your router.
All three of those approaches change the way your system locates servers on the internet. Looking up “google.com” in DNS should normally return the IP address of one of Google’s servers. In the case of a DNS hijack, a different IP address is returned – the IP address of a malicious server. In some cases, the malicious server can be set up to look like the site that you think you’re accessing in order to fool you into divulging personal information, like login credentials or worse.
The DNS changer malware that we’ve all heard so much about recently did exactly this.
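As an added example (not code from the original article), here is a small Python check for the hosts-file variant of this hijack: it parses the hosts file and lists every hostname pinned to a non-loopback address, which is exactly what a planted override looks like. The sample hosts text and the 203.0.113.45 address are constructed; `read_system_hosts` uses the standard hosts-file locations on Windows and Unix.

```python
import ipaddress
import os
import sys
from typing import Dict, List, Tuple

# Constructed sample hosts file: the first entries are the normal defaults,
# the last two are the kind of override a hijacker plants (203.0.113.45 is a
# documentation address, not a real server).
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1   localhost
::1         localhost ip6-localhost
# Planted override (constructed example)
203.0.113.45   google.com www.google.com
203.0.113.45   yahoo.com      # trailing comment
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line, nothing to map
        pairs.extend((ip, name.lower()) for name in names)
    return pairs


def find_overrides(text: str) -> Dict[str, str]:
    """Map every hostname pinned to a non-loopback address -> that address.

    Loopback entries (localhost and friends) are normal. Anything else sends
    a name straight to a fixed address without asking DNS, so each result
    should be reviewed: a public site such as google.com pinned here is a hijack.
    """
    return {
        name: ip
        for ip, name in parse_hosts(text)
        if not ipaddress.ip_address(ip).is_loopback
    }


def read_system_hosts() -> str:
    """Read this machine's hosts file from its standard location."""
    if sys.platform.startswith("win"):
        root = os.environ.get("SystemRoot", r"C:\Windows")
        path = os.path.join(root, "System32", "drivers", "etc", "hosts")
    else:
        path = "/etc/hosts"
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()
```

Legitimate LAN entries (a NAS or printer by name) will also be listed, so the output is a review list rather than a verdict.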
Some malware, rather than playing with your DNS, takes a more direct route and infects your browser or a component of the browser directly.
Apparently, the recent “Flashback” malware that infected so many Macs worked this way, leveraging a vulnerability in the Java browser component used by many websites and web-based services. It’s my understanding that once infected, simple page loads weren’t impacted, but clicking on certain search results would take you not to the result you clicked on, but rather to something else, as set up by the malware authors.
Analyzing and modifying search results is just one example. Once infected, malware can do many different things in your browser.
To be complete, we also need to mention that occasionally it’s not your problem at all, but a problem at the site that you’re attempting to visit. This is almost never the case with high profile sites like Google or Yahoo!, but occasionally smaller sites do get hacked.
Most often when a site gets hacked, it’s simply defaced in some way.
It’s possible, however, that once hacked, a site could fairly easily be modified to automatically send any visitors that it does get to some other website – presumably a malicious one.
Fixing the problem
Except for the latter case, where the problem is actually not on your machine, fixing it should be fairly easy.
Run an up-to-date anti-malware scan.
If you’re unsure of what to run (and you should be running something, always), What Security Software do you recommend? has my current recommendations.
For a problem like this one, I’d install and run Microsoft Security Essentials, keeping that as your ongoing anti-virus and anti-spyware solution and then also run a scan by the free Malwarebytes Anti-malware tool, which seems to pick up a number of nasties that other tools do not.
(This is an update to an article originally published November 3, 2005.)