Google Search hijacked only when not being observed. Attaching a debugger returns normal results

Solution 1:

Some malware was probably impersonating Fiddler, as the original developer of Fiddler, Eric Lawrence, pointed out:

Various pieces of malware check whether Fiddler is in use, and if so, they stop doing their malicious activities in order to attempt to hide their actions.

(source)

Fiddler is a web debugging tool. It has no malicious behavior whatsoever, and it is never installed unless you personally install it using the installer downloaded from Telerik. The scenario described here is a piece of malware which is attempting to avoid detection by making itself look like Fiddler.

(source)


Behavior

The clearest sign of malware is that Google Chrome doesn't load HTTPS websites as intended unless you are using Fiddler to capture traffic. Fiddler is not designed to interfere with your normal web browsing when it isn't in use.

In order for the malware to hide itself, it needs to hijack the Fiddler proxy and re-sign HTTPS traffic with the Fiddler certificate's private key. It is trivial to change the proxy settings, and it is possible to obtain a copy of your Fiddler installation's private key.

Root Certificate

You had Fiddler install a root certificate on your computer, which allows it to insert itself as a man-in-the-middle (MitM) to monitor the data contents being sent over HTTPS:

Screenshot from https://superuser.com/questions/1034394/google-search-hijacked-only-when-not-being-observed-attaching-a-debugger-return?noredirect=1#comment1443606_1034394

In contrast, here's how https://www.google.com/ is normally trusted:

Screenshot of proper Google HTTPS security chain

Your computer trusts the DO_NOT_TRUST_FiddlerRoot certificate because it was installed to your operating system's certificate trust store.

Proxy to Intercept HTTPS

You indicated that HTTPS behaves properly on Mozilla Firefox, which can be configured to use its own independent proxy rules rather than the operating system's proxy rules. Google Chrome uses the operating system proxy without an easy option to do otherwise.

With traffic going through Fiddler's operating-system-level proxy, Fiddler can now be the MitM that captures unencrypted HTTPS data while still serving the site. Fiddler fetches some web page, then signs it as "www.google.com" using the certificate that was trusted earlier, DO_NOT_TRUST_FiddlerRoot.

Under these circumstances, malware can take over both the proxy and the certificate to feed you the wrong site while still showing you the green lock icon. I can see this leading to elaborate phishing attacks.

Security Concerns

Related on Security Stack Exchange: What security risks are posed by software vendors deploying SSL Intercepting proxies on user desktops

As Eric Lawrence once wrote,

Fiddler’s HTTPS interception capabilities (rightly) raise eyebrows among security-conscious users.

That's why Fiddler warns about the security implications of intercepting HTTPS traffic:

Screenshot of a Fiddler built-in warning

By user error or malware installation, Fiddler has been associated with various problems:

  • Fiddler showing tunneling to unknown IPs
  • found a bunch of DO_NOT_TRUST_FiddlerRoot personal certificates installed on my system
  • I don't know how, but I got Fiddler on my computer (I didn't approve any installation)
  • Thunderbird Certificate Alert keep popping up
  • PC's Proxy settings being overridden

Although Fiddler itself is not a harmful program, its misuse and the misunderstandings around it have given it a bad reputation in the past and spawned viruses pretending to be Fiddler.


Removal

I don't know if your computer has been compromised by some Fiddler hijacker, but you indicated that you don't have time to wipe your computer and reinstall, so hopefully the following steps can get rid of Fiddler and restore proper secure web behavior. (I would still recommend reinstalling and changing your passwords afterwards, especially if you're serious about security. You wrote that Spybot – Search & Destroy found some malware.)

Foreword: De-configure Fiddler

The original poster discovered these additional steps to resolve his issue with Fiddler:

Ultimately what fixed it was: Settings -> Show advanced settings -> Under network -> Change Proxy Settings -> Advanced -> Reset

and

Also in Fiddler Settings I disabled the options allowing it to decrypt HTTPS traffic before uninstalling and re-clearing certificates.

Remove Fiddler's Root Certificate(s)

  1. Press Win+r
  2. Open: certmgr.msc
  3. Look through all of the folders and remove the DO_NOT_TRUST_FiddlerRoot certificate.

Uninstall Fiddler

  1. Go to Control Panel » Programs » Programs and Features.
  2. Uninstall Fiddler. One source says that Fiddler may be called "FiddlerRoot" or "BrowserSafeguard".

Clear Proxy Settings

Assuming that you normally do not use a different proxy…

  1. Go to Control Panel » Internet Options.
  2. In Internet Properties, go to the "Connections" tab.
  3. Under "Local Area Network (LAN) settings", click on "LAN settings".
  4. Clear and uncheck your proxy settings like so:
     Screenshot of Local Area Network (LAN) Settings

Remove Malware

As suggested previously on Super User, you should try to find and remove the original malware that displayed modified HTTPS webpages.

Detailed advice:
How can I remove malicious spyware, malware, adware, viruses, trojans or rootkits from my PC?
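
The following script is an added example, not part of the answer above and not Fiddler's own code. It automates the checks the answer walks through by hand: it lists every copy of the DO_NOT_TRUST_FiddlerRoot certificate in any Windows certificate store (and whether it carries a private key), shows the per-user proxy setting that Chrome follows and Firefox can ignore, and fetches https://www.google.com/ through that system proxy to report who actually signed the certificate the browser is handed. It assumes Windows PowerShell 5.1 or later; removing certificates from the LocalMachine stores needs an elevated shell. The function names are this example's own, and the assumption that ServicePoint.Certificate reflects the end-to-end certificate of a proxied HTTPS request is noted in the code.

```powershell
# Added example, not part of the Super User answer or of Fiddler: audit a Windows machine for
# a trusted DO_NOT_TRUST_FiddlerRoot certificate and a system proxy that Chrome would silently
# use, then see which certificate www.google.com presents through that proxy.
# Assumes Windows PowerShell 5.1+. Function names are this example's own.

function Find-InterceptingRoot {
    param([string]$RootName = 'DO_NOT_TRUST_FiddlerRoot')
    # Walk every store under CurrentUser and LocalMachine. Fiddler's own root lives in
    # CurrentUser\Root; copies turning up in other stores (e.g. My) are a warning sign.
    Get-ChildItem -Path Cert:\ -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Where-Object { $_.Subject -like "*$RootName*" -or $_.Issuer -like "*$RootName*" } |
        ForEach-Object {
            [pscustomobject]@{
                Store         = $_.PSParentPath -replace '^.*Certificate::', ''
                Subject       = $_.Subject
                Issuer        = $_.Issuer
                Thumbprint    = $_.Thumbprint
                NotAfter      = $_.NotAfter
                HasPrivateKey = $_.HasPrivateKey   # a root whose private key is present can sign for any site
                Path          = $_.PSPath
            }
        }
}

function Remove-InterceptingRoot {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$RootName = 'DO_NOT_TRUST_FiddlerRoot')
    foreach ($c in Find-InterceptingRoot -RootName $RootName) {
        if ($PSCmdlet.ShouldProcess("$($c.Store) $($c.Thumbprint)", 'Remove certificate')) {
            # -DeleteKey also discards the private key, so nothing can keep minting leaf certs with it.
            Remove-Item -Path $c.Path -DeleteKey -ErrorAction Stop
        }
    }
}

function Get-SystemProxySetting {
    # Chrome and other WinINET/WinHTTP clients read the per-user proxy from this registry key;
    # Firefox can be configured to ignore it, which is why it behaved normally in the question.
    $key    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p      = Get-ItemProperty -Path $key
    $server = [string]$p.ProxyServer
    [pscustomobject]@{
        ProxyEnable   = [bool]$p.ProxyEnable
        ProxyServer   = $server                # Fiddler's default listener is 127.0.0.1:8888
        AutoConfigURL = $p.AutoConfigURL       # a PAC script is another way to redirect traffic
        ProxyOverride = $p.ProxyOverride
        # A loopback proxy while Fiddler is not running, or a PAC URL you never set, deserves a look.
        Suspicious    = ([bool]$p.ProxyEnable -and $server -match '(^|=)(127\.0\.0\.1|localhost)') -or
                        -not [string]::IsNullOrEmpty($p.AutoConfigURL)
    }
}

function Test-GoogleCertificateIssuer {
    # Fetches https://www.google.com/ through the *system* proxy, as Chrome would, and reports who
    # signed the leaf certificate. A genuine chain ends in a public Google issuer, never Fiddler's root.
    # This cannot tell real Fiddler from malware reusing Fiddler's root and key: both show
    # DO_NOT_TRUST_FiddlerRoot, which is exactly why the answer says to remove the root.
    [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12
    $req = [System.Net.HttpWebRequest]::Create('https://www.google.com/')
    $req.Method = 'HEAD'
    $req.Proxy  = [System.Net.WebRequest]::GetSystemWebProxy()
    # An untrusted chain throws; the certificate is still recorded on the ServicePoint (assumption:
    # for HTTPS through a CONNECT tunnel this is the end server's certificate, not the proxy's).
    try { $req.GetResponse().Close() } catch [System.Net.WebException] { }
    $cert = $req.ServicePoint.Certificate
    if ($null -eq $cert) { return $null }
    [pscustomobject]@{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        Intercepted = ($cert.Issuer -like '*DO_NOT_TRUST_FiddlerRoot*')
    }
}

# Usage: review first; delete only once you are sure nothing legitimate still needs the root.
Find-InterceptingRoot | Format-Table Store, Subject, HasPrivateKey, Thumbprint -AutoSize
Get-SystemProxySetting
Test-GoogleCertificateIssuer
# Remove-InterceptingRoot -WhatIf     # preview the deletions
# Remove-InterceptingRoot             # delete, then clear the proxy as in the steps above
```

Run the three read-only calls first. A healthy machine returns no certificates from Find-InterceptingRoot, ProxyEnable false (unless you deliberately use a proxy), and an Issuer from Test-GoogleCertificateIssuer that names a public Google certificate authority. If the issuer still reads DO_NOT_TRUST_FiddlerRoot after Fiddler has been uninstalled and its decryption option disabled, something other than Fiddler is holding the proxy and the key, which is the case for the malware removal step.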