
    What are these suspicious Google GVT1.com URLs?



    Certain Google-owned domains have prompted Chrome users, from the most experienced researchers to ordinary users, to question whether they are malicious.

    The domains in question are redirector.gvt1.com and the other gvt1/gvt2 subdomains, which have raised many questions on the web.

    After receiving a number of concerned questions over the years, BleepingComputer has dug deeper into the domains' origin and whether they should be something to worry about.

    What are these suspicious gvt1.com domains?

    The domains *.gvt1.com and *.gvt2.com, together with their subdomains, are owned by Google and are typically used to deliver Chrome software updates, extensions, and related content.

    For example, when we started Chrome just now, it tried to connect to the following domains:


    However, these URLs and the domain name itself have repeatedly caused confusion among developers and researchers because of their suspicious-looking structure:

    Suspicion over strange *.gvt1.com URLs

    Further suspicion about gvt1.com URLs

    Likewise, gvt1.com domains have previously been flagged by antivirus products as malware [1, 2] and by researchers as an Indicator of Compromise (IOC) [1, 2, 3].

    Moreover, the redirector.gvt1.com links redirect to a URL that contains the user's IP address, among other opaque parameters, which can cause further suspicion.

    For example, BleepingComputer traced the following link, which redirects twice to much longer URLs with an arbitrary subdomain and extensive GET parameters, including the user's IP address:


    redirector.gvt1.com links redirect twice to URLs with extensive parameters, such as the user's IP address
    Source: BleepingComputer

    Should we be concerned about gvt1.com URLs?

    This is where it gets complicated, but the short answer is no, although Google could secure these endpoints better.

    The GVT in the gvt1.com domain stands for Google Video Transcoding, and the domain is used as a cache server for content and downloads consumed by Google services and applications.

    Put simply, the *.gvt1.com domains are used only by Google to deliver official content, Chrome browser updates, and Android-related executables.

    "redirector.gvt1.com is a redirection service used by Google for a variety of purposes, including download of updates, etc.," Eric Lawrence, a former member of the Chrome Security Team, said in a Google bug post.

    Going back to the link analyzed in the previous section as an example, we can see that the URL ending in .crx represents a Chrome extension:


    BleepingComputer traced the extension to the Chrome Media Router extension, a legacy component that was used by Chromecast.

    What is concerning is that Google continues to use the insecure HTTP protocol rather than HTTPS when connecting to these URLs.

    Network connections to gvt1.com URLs

    By connecting to the URLs over plain HTTP, it may be possible to use man-in-the-middle (MiTM) attacks to alter the downloads in some way. In practice, the .crx packages fetched this way are signed and Chrome verifies the signature (the extension ID is derived from the signing public key) before installing, so a tampered file should be rejected rather than silently installed; what cleartext does expose is the traffic itself, letting anyone on the path observe which extensions and versions a client fetches, or block the download. If you have malware installed that is intercepting HTTP traffic, you have more to worry about at this point.

    In conclusion, when you see traffic to *.gvt1.com or *.gvt2.com domains on your corporate network, it is not a cause for alarm but simply a legitimate Chromium download taking place. The one check worth making is that the hostname really ends in gvt1.com or gvt2.com; a look-alike that merely contains that string, such as gvt1.com.example.net, is a different registrable domain and deserves the usual scrutiny.

    Nevertheless, Google should switch to HTTPS to prevent potential MiTM attacks, and administrators should continue to follow best practices such as analyzing traffic to these URLs.
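    The following is an added example of what "analyzing traffic to these URLs" can look like in practice; it is not code from BleepingComputer or Google. It triages proxy-log lines for requests to *.gvt1.com and *.gvt2.com, matching the domain as a DNS suffix so look-alike hosts do not slip through, and tags the properties discussed above: cleartext HTTP, an executable payload such as a .crx, the first hop via redirector.gvt1.com, and a client IP address embedded in the query string. The log format (a squid-style "timestamp client method url status" line) and every hostname, path and query parameter in the sample are constructed for illustration, not taken from real traffic.

```python
"""Triage proxy-log lines for traffic to Google's *.gvt1.com / *.gvt2.com domains.

Added example, not code from BleepingComputer or Google. The log format is a
constructed, squid-style "timestamp client method url status" line; adapt LOG_RE
to your proxy. All hostnames, paths and query parameters in SAMPLE_LOG are
hypothetical and only shaped like the redirect chain described in the article.
"""
import re
from urllib.parse import urlsplit

# Google-owned update/CDN domains discussed in the article. Matched as a DNS
# suffix so that look-alikes such as "gvt1.com.example.net" or "notgvt1.com"
# do not match.
GOOGLE_UPDATE_DOMAINS = ("gvt1.com", "gvt2.com")

# File types an on-path attacker would most want to tamper with.
EXECUTABLE_SUFFIXES = (".crx", ".exe", ".msi", ".dmg", ".apk", ".zip")

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)
# A dotted-quad IPv4 literal not glued to other digits or dots.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def is_google_update_host(host: str) -> bool:
    """True only for gvt1.com / gvt2.com themselves or a subdomain of them."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in GOOGLE_UPDATE_DOMAINS)


def classify(line: str):
    """Return a finding dict for a gvt1/gvt2 request, or None if the line is not one."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    url = urlsplit(m["url"])
    host = url.hostname or ""
    if not is_google_update_host(host):
        return None

    tags = []
    if url.scheme == "http":
        tags.append("cleartext-http")       # the weakness the article complains about
    if url.path.lower().endswith(EXECUTABLE_SUFFIXES):
        tags.append("executable-payload")   # .crx, .exe, ...: worth verifying, not blocking
    if host.startswith("redirector.") and m["status"].startswith("3"):
        tags.append("redirector-hop")       # first hop of the double redirect
    if IPV4_RE.search(url.query):
        tags.append("client-ip-in-query")   # the IP parameter that alarms people
    # This is expected, signed Chrome/Android content. The only combination worth a
    # human look is a cleartext fetch of an executable, and even that is a MiTM
    # opportunity for an on-path attacker, not an indicator of compromise.
    severity = "review" if {"cleartext-http", "executable-payload"} <= set(tags) else "info"
    return {"client": m["client"], "host": host, "tags": tags, "severity": severity}


def triage(log_text: str):
    """Classify every non-empty line; lines for non-Google hosts are dropped."""
    findings = [classify(line) for line in log_text.splitlines() if line.strip()]
    return [f for f in findings if f is not None]


# Constructed sample log. The "r1---sn-example" style subdomains, the paths and the
# "ip=" parameter name are hypothetical; 203.0.113.7 is a documentation address.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 GET http://redirector.gvt1.com/edgedl/release2/chrome_component/example/extension.crx 302
2024-01-01T10:00:01Z 10.0.0.5 GET http://r1---sn-example.gvt1.com/edgedl/release2/chrome_component/example/extension.crx?ip=203.0.113.7&id=example 200
2024-01-01T10:00:02Z 10.0.0.5 GET https://r2---sn-example.gvt2.com/edgedl/android/example/app.apk 200
2024-01-01T10:00:03Z 10.0.0.5 GET http://gvt1.com.attacker.example/evil.crx 200
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["severity"], f["client"], f["host"], ",".join(f["tags"]))
```

    Run against the sample, the two cleartext .crx fetches come back as "review" and the HTTPS .apk fetch as "info", while the look-alike host gvt1.com.attacker.example is not treated as Google traffic at all, which is the distinction an analyst needs when these domains show up in a ticket.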

    BleepingComputer reached out to Google several times well in advance, but we had not heard back by press time.
