Doing A Google Search? Watch Out!

Security researchers warn that a one-letter typo in Google's domain name could have resulted in unwanted downloads of malicious software for computer users.

The typo site, Googkle.com, included links to several different sites for anti-virus and spyware cleaners, but the downloads actually installed a spyware toolbar known as "Perez," according to the anti-virus vendor F-Secure’s Web site.

The site was shut down after media outlets noted its existence last week, but an unknown number of computers had already been infected. The site is registered to Sergey Gridasov of St. Petersburg, Russia, according to a search at WhoIs.com.

“When the user happens to mistype Google's URL (Internet address) and ends up in Googkle, a set of Web pages - each trying to trigger different vulnerabilities - will load,” said Ero Carrera, an anti-virus researcher for F-Secure. “Their purpose is to find a way of dropping certain malware (malicious software) into the users' computer.”

“It is not just a virus; it's a set of Trojan-downloaders and information stealing tools, targeted at gathering personal information such as bank logins,” Carrera said, referring to Trojan horses, or malicious programs disguised as legitimate software. “So, it's more of a privacy concern.”

Upon loading the typo site, two pop-up windows instantly redirected users to third-party sites loaded with scripts. The scripts could download programs that can replace applications or corrupt users’ hard drives, according to the anti-virus vendor F-Secure’s Web site.

Carrera said users' computers could be infected if they accessed the site without any anti-virus protection. The software appears to be targeted at users of Microsoft Internet Explorer, who comprise some 90 percent of the Web browser market.

“We don't have numbers of the amount of users who might have mistyped the name, but given it's just one of a set of possible mistypings, I would not believe it is a very large number,” Carrera said.

Jonathan Rood of the SF State Information Technology Department said he has not heard about any questions concerning this specific issue from students.

“SF State students are technology-savvy enough not to get confused with things like that,” Rood said. “They have high technological understanding.

“I don’t think this particular issue has been having an impact on them at all.”

More than three-quarters of Internet worms and viruses use Google as their default search engine to retrieve e-mail addresses, according to a study by eWeek, a computer technology trade journal.

“Typosquatting,” or registering Internet addresses using common misspellings of popular Web sites, was first a common tactic for pornography sites in the late 1990s.

In one of the most famous instances of URL deception, the site hosted at whitehouse.com was for many years an advertisement for pornography. It did not lead to the office of the President of the United States, whose official site is whitehouse.gov.

Google officials did not respond to repeated requests for comment. However, the company does control sites for some of the more commonly misspelled variants of its name, including gooogle.com and gogle.com, and redirects users to its home page.

Carrera said it is the responsibility of the country where the site is hosted to act and take it down. He said students can protect their computers by keeping their software updated.

“Install all the security updates and have some sort of anti-virus software installed and be suspicious of sites which do not look legitimate,” Carrera said. “It's not a bad idea either to use browsers such as Firefox or Opera, which are less targeted by malware writers (than Internet Explorer).”
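The three misspellings named in this article (googkle.com, gooogle.com and gogle.com) are each one keystroke away from the real name, which is something a network administrator can check for in proxy or DNS logs. The following Python sketch is an added example, not code from F-Secure or Google; its function names, the sample list and the rule that the last two labels form the site name are assumptions made for illustration.

```python
ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")  # QWERTY letter rows

def adjacent(a, b):
    """True if a and b are side-by-side keys on the same QWERTY row."""
    return any(abs(r.index(a) - r.index(b)) == 1 for r in ROWS if a in r and b in r)

def name_and_tld(domain):
    """Assumption: the last two labels are the site name (no co.uk handling)."""
    parts = domain.lower().rstrip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")

def classify(observed, protected):
    """Label `observed` as a one-keystroke typo of `protected`, or return None."""
    (o, o_tld), (p, p_tld) = name_and_tld(observed), name_and_tld(protected)
    if o_tld != p_tld:
        return None
    if o == p:
        return "exact"
    if len(o) == len(p) + 1:  # one extra character typed
        for i, c in enumerate(o):
            if o[:i] + o[i + 1:] == p:
                near = o[max(i - 1, 0):i] + o[i + 1:i + 2]  # keys typed either side
                if c in near:
                    return "repeated-letter"
                if any(adjacent(c, n) for n in near):
                    return "adjacent-key-insertion"
                return "insertion"
    if len(o) == len(p) - 1:  # one character dropped
        if any(p[:i] + p[i + 1:] == o for i in range(len(p))):
            return "omission"
    if len(o) == len(p):
        diff = [i for i in range(len(o)) if o[i] != p[i]]
        if len(diff) == 1:
            i = diff[0]
            return "adjacent-key-substitution" if adjacent(o[i], p[i]) else "substitution"
        if len(diff) == 2 and diff[1] == diff[0] + 1 and o[diff[0]] == p[diff[1]] and o[diff[1]] == p[diff[0]]:
            return "transposition"
    return None

def flag_typos(observed_domains, protected):
    """Return {domain: label} for every look-alike that is not the real domain."""
    labels = {d: classify(d, protected) for d in observed_domains}
    return {d: l for d, l in labels.items() if l not in (None, "exact")}

# Constructed sample, as might be pulled from proxy or DNS logs; names are from the article.
SAMPLE = ["google.com", "www.googkle.com", "gooogle.com", "gogle.com", "example.org"]

if __name__ == "__main__":
    print(flag_typos(SAMPLE, "google.com"))
```

A look-alike the brand owner has registered itself, as the article says Google has done with gooogle.com and gogle.com, is still labelled here and would need an allowlist in practice.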


Copyright © 2008 [X]press | Journalism Department - San Francisco State University