In my company, we began experiencing a problem when the users tried to access http://www.google.com.co though our Forefront TMG proxy. Every corporate user saw the following message:

This really looked strange, specially coming from google. I captured some packets and queried about the http get operations and got the following:

Got three operations: one from the main query, second one retrieving a javascript file and a third one unknown. First one looked normal as always, so I started analyzing second one. The MD5 for the javascript file is 886e4780fc0af43a19eb4dcd55b728d7. I looked up the resulting MD5 and got nothing. I uploaded the script to jsunpack and got nothing:

Also tried VirusTotal to scan the URL (http://www.google.com.co) and also got nothing:

I started analysis for http get number three. Wireshark shows some compressed content, so I took it from the capture and decompressed:

The compressed file has md5 1375a0f59d52d862a1297df7566c6894, the uncompressed file has md5 c4c490a2a55a16492c068ec50827958b and when loaded starts a download from http://ssl.gstatic.com/gb/js/sem_480d0cc56e70fa5af3dda306c8bc7ce6.js. I analyzed that javascript and wepawet and jsunpack shows nothing abnormal.

This problem has been confirmed in Microsoft website. I will update the diary when I have more information about it.

UPDATE: As of 20:11 GMT-5 Feb 14 2012, we received confirmation from Microsoft stating that this problem is a false positive and will be corrected in the update 1.119.1986.0 or higher for the antivirus.

Manuel Humberto Santander Peláez

SANS Internet Storm Center - Handler

Twitter: @manuelsantander

Web:http://manuel.santander.name

e-mail:msantand at isc dot sans dot org