Tracking down malware targeting Google

Hello,

We run a NAT network, and we are now having trouble with an infected client with a bot/malware attacking Google searches.

So Google comes back with an error asking the client to enter a series of characters to ensure they are not a bot, or worse, it blocks them entirely.

Google has been no help with providing information on the situation.

My thought is to make a regex matcher that will log the hits to Google, and set some kind of firewall rule so that if there are so many hits per minute, the attempts are logged.
Similar to logging/blocking too many connection attempts.

Can something like this be done? Any suggestions?

If you check out ARIN and put “google” in the search, you’ll see just how many IP addresses you would have to block/match against in North America alone. If you are trying to match that traffic via Layer 7, it's going to drive the CPU through the roof. Everything calls out to Google. It would be easier to match the “virus pattern” or whatever it is and block the end user. If you can narrow it down to who is causing the problem, then you could do a packet capture. The best course of action would be to disinfect the offending node before the problem spreads.
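Both the question (count hits per client per minute and log the ones over a threshold) and the reply (narrow it down to the offending internal node without Layer 7 inspection) point at the same thing: a per-source rate count over connection logs, keyed on destination prefix rather than on request content. The script below is an added example written for this thread, not code from either poster. It assumes a constructed log line format (`<timestamp> src=<client> dst=<server> dport=<port>`), a placeholder destination prefix list (`192.0.2.0/24` stands in for whatever ranges you pull from ARIN), and a threshold of 5 hits per minute; all three are assumptions you would replace with your own NAT/firewall log format and values.

```python
"""Flag NAT clients whose connection rate to a watched set of destination
prefixes exceeds a per-minute threshold.

Added example for the thread above; the log format, the prefixes and the
threshold are assumptions, not output of any real device.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress
import re

# Constructed line format: "<ISO timestamp> src=<client ip> dst=<server ip> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Placeholder for the destination ranges you would collect from ARIN
# (192.0.2.0/24 is a documentation range, used here only as a stand-in).
WATCHED_PREFIXES = ["192.0.2.0/24"]

# Constructed sample log: one client (.23) hammers the watched range eight
# times in one minute, another (.40) touches it twice, plus a non-watched
# destination, a second minute bucket, and a malformed line to be skipped.
SAMPLE_LOG = (
    [f"2024-05-01T10:00:{i:02d}Z src=192.168.1.23 dst=192.0.2.10 dport=443" for i in range(8)]
    + [
        "2024-05-01T10:00:15Z src=192.168.1.40 dst=192.0.2.11 dport=443",
        "2024-05-01T10:00:47Z src=192.168.1.40 dst=192.0.2.11 dport=443",
        "2024-05-01T10:00:30Z src=192.168.1.23 dst=203.0.113.5 dport=443",
        "2024-05-01T10:01:05Z src=192.168.1.23 dst=192.0.2.10 dport=443",
        "2024-05-01T10:01:09Z src=192.168.1.23 dst=192.0.2.10 dport=443",
        "this line is not a connection record",
    ]
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        # Accept a trailing "Z" on older Pythons by rewriting it as an offset.
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
    }


def count_hits_per_minute(lines, prefixes):
    """Return {(src, minute_iso): hits} counting only dst addresses in prefixes.

    Matching on destination prefix keeps this a Layer 3/4 check; no request
    content is inspected, which is the point raised in the reply.
    """
    nets = [ipaddress.ip_network(p) for p in prefixes]
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than crash on them
        if not any(rec["dst"] in n for n in nets):
            continue  # not a watched destination
        minute = rec["ts"].replace(second=0, microsecond=0)
        counts[(str(rec["src"]), minute.isoformat())] += 1
    return dict(counts)


def offenders(lines, prefixes, threshold):
    """Sorted list of (src, minute_iso, hits) buckets strictly above threshold."""
    return sorted(
        (src, minute, n)
        for (src, minute), n in count_hits_per_minute(lines, prefixes).items()
        if n > threshold
    )


if __name__ == "__main__":
    for src, minute, n in offenders(SAMPLE_LOG, WATCHED_PREFIXES, threshold=5):
        print(f"{minute} {src}: {n} hits to watched prefixes (over threshold)")
```

Run against real logs by feeding the file's lines to `offenders()`; the clients it lists are the ones to pull a packet capture from and clean up, which is the course of action the reply recommends. The threshold is deliberately a parameter: a legitimate browser session with many embedded Google resources can produce a burst, so tune it against a quiet baseline before acting on the output.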