Google to be Our Web-Based Anti-Virus Protector ?

cyberianpan writes "For some time now, searches have displayed 'this site may harm your computer' when Google has tagged a site as containing malware. Now the search engine giant is is further publicizing the level of infection in a paper titled: The Ghost In The Browser. For good reason, too: the company found that nearly 1 in ten sites (or about 450,000) are loaded with malicious software. Google is now promising to identify all web pages on the internet that could be malicious - with its powerful crawling abilities & data centers, the company is in an excellent position to do this. 'As well as characterizing the scale of the problem on the net, the Google study analyzed the main methods by which criminals inject malicious code on to innocent web pages. It found that the code was often contained in those parts of the website not designed or controlled by the website owner, such as banner adverts and widgets. Widgets are small programs that may, for example, display a calendar on a webpage or a web traffic counter. These are often downloaded form third party sites. The rise of web 2.0 and user-generated content gave criminals other channels, or vectors, of attack, it found.'"

Only works through Goolge now...

[cyberianpan]

This is potentially a very useful service but not all URLs we visit are from Google searches, some we still type in others as links from pages. However could we soon expect a Firefox add in that will filter all http requests through Google ? So then our new overlords will indeed know everything about our web-habits ?

Wouldn't good sites with bad ads or posts...

[Anarchysoft]

be blocked?

It found that the code was often contained in those parts of the website not designed or controlled by the website owner, such as banner adverts and widgets. Wouldn't it be far better to have safer browsers than to shut out (as many people or their organizations will do) 10% of the web?

Pros and Cons

[PixieDust]

I can see a lot of Pros and Cons to this. While certainly it's good that such a major player is taking an active and aggressive stance on this, I thinkk it's also going to cause a lot of people to have a false sense of security. And while this only affects users who search for pages (and that is a LOT of traffic), it's still going to bring the question to some users "Google tells me if a site is dangerous, what do I need malware protection for?"

I surf almost exclusively in Windows, using IE (IE6 + XP Pro on Desktop, IE7 + Vista on laptop) with no protection, and I've not had an issue with malware in years. But most people's browsing habits aren't quite like mine.

One other effect I can see this having, is let's say www.bigcompanyhere.com gets tagged as being potentially harmful. Now Google has done them a favor by alerting them to a security problem, which they can then address, and are likely to do so much quicker to try and minimize damage to their image.

I'm fairly interested to see how this plays out.

Already being done

[zappepcs]

McAfee SiteAdvisor already does this for Google search results pages. This is nothing new. Its a FF extension and works well, though lately it has pointed out that proxy servers are trying to steal my identity when I try to use them.

Informing webmasters

[truthsearch]

Instead of just flagging sites for users, they should first add the detailed information to the Google Webmaster Tools. If it's third party software that's the problem inform the webmasters (at least those who use Google's tools) so they can take it down. Granted, it's their own fault for using third party software without enough investigation, but let them fix the problem before they're flagged for end users.

Huh

[Realistic_Dragon]

I browse the internet on my Linux box, running OS X with MacOnLinux. On OS X I run VMWare player hosting FreeBSD, where I have all the options turned to OFF. That runs Firefox, which connects to a web-2.0 version of Lynx. I use this to connect to another site which manually lets me enter netcat commands and read the result.

My only complaint is that the pirates at Macrodobe STILL won't support my platform of choice! When will there be a flash player for people like me!

Re:aid and comfort to the enemy? Helping microsoft

[Aldur42]

Maybe, but any reduction in the number of infected PCs is win for the entire net.

right..

[mastershake_phd]

It found that the code was often contained in those parts of the website not designed or controlled by the website owner, such as banner adverts and widgets.
 
So google is going to protect us from webpages that use less than reputable advertising and widget services. Hmm, maybe google should go into the advertising and widget service, oh wait...

450,000?

[rueger]

Sigh, are basic editorial skills too much to ask here? (I know, it's a rhetorical question).

TFA does not say that "the company found that nearly 1 in ten sites (or about 450,000) are loaded with malicious software." This implies that there are a total of less than a half million sites that pose a risk.

It said that of the 4.5 million pages examined, "about 450,000 were capable of launching so-called "drive-by downloads"..."

It also notes that "A further 700,000 pages were thought to contain code that could compromise a user's computer, the team report."

The problem is probably quite a bit larger than presented in the summary, even if one ignores the confusion between "sites" and "pages".

Re:1 in 10?

[hal2814]

Well most downloaded malware comes through online games and porn. Which one did your sister have a hankering for?

Does it matter?

[Radon360]

I would hope that Google is looking at it more from the perspective of what is generally good for the betterment of the entire internet. Who cares if it directly benefits users of Microsoft product users more than Linux/OSX users? Bottom line, it is potentially one less infection, and one less pwned computer in a bot network. Less infections means less machines that are probing ports on random addresses, or used in brute force attacks, such as DoS attempts.

Don't get too tied up in the means, but rather what the potential end results, good or bad, might be.

10% number misleading

[Orinthe]

It should be noted that the 10% of the web number is somewhat misleading--some comments seem to think it implies that 1 in every 10 pages one visits are likely to contain malware, or the like. Chances are, most of these pages are not worth visiting. This isn't in in every ten pages on yahoo.com or cnn.com, it's probably more like 8 in 10 pages on freekiddiepornplz.com and piratewarezserialzhackz.tv.

Re:aid and comfort to the enemy?

[LurkerXXX]

Do Linux or Apple users not mind when a bot-net army takes down a website they are trying to access, or clogs the pipes?

Do Linux or Apple users not mind all the spam to their inbox from hijacked machines?

Do Linux or Apple users not have to worry about some family member being taken in by a phishing scheme, hosted on a hijacked machine?

Do Linux or Apple users not mind tons of hijacked machines probing any SSH or other ports you might have open, looking for vulnerabilities or doing dictionary password attacks?

Less hijacked machines on the internet helps us all. Be you a Windows, Linux, Apple, BSD, or other user. Not caring about hijacked windows boxes because you are leet enough to use Linux is stupid.

See actual paper. Not really that new.

[Animats]

Here's the actual paper. It's a Usenix paper.

What they're doing is straightforward, and it's much like what many virus scanners do. First, they look at web pages to see if there's anything suspicious that requires further analysis. If there is, they load the page into Internet Explorer (of course) in a virtual machine, and see if it changes its environment. The better virus scanners have been doing something like that for a few years now, running possible viruses in some kind of sandbox. Although they usually don't go all the way and run Internet Explorer in a virtual machine. (Are you allowed to do that under Microsoft's current EULA for IE 7?)

The main problem with Google's approach here is that it's after the fact. They won't notice a bad page until the next time they crawl it. Bad pages come and go so fast today that they'll always be behind. As the paper says, "Since many of the malicious URLs are too short-lived to provide statistically meaningful data, we analyzed only the URLs whose presence on the Internet lasted longer than one week."

If Google implements this, the main effect will be to push attackers into changing site names for attack sites even faster.

It's all so backward. What we need is to run most of Internet Explorer in a tightly sandboxed environment on the user's machine, so that when you close the window, any browser damage goes away. That would actually work.

Easy to defeat?

[140Mandak262Jamuna]

The malicious websites just have to skip the malicious code when the user agent string is google crawler. Are they going to change the user agent string? Will it be considered pretexting (the euphemism for impersonating)?

What you suggest is wrong and immoral

[__aawdrj2992]

Since most of this malware attacks windows machines, isn't google helping microsoft more than it's helping linux or apple?

Since morality is defined by the desire to limit human suffering, protecting innocent people who don't know better from malware is always going to be for a greater good. People shouldn't have to get their OS reloaded every few months.

Not running your choice of OS doesn't make them bad, and is a startling simplistic world view. There's no "helping Microsoft" here; they are trying to protect all Internet users. Since those people are using Google search, it's really more like trying to serve their customers better. Since all their customers are Internet users; so ask yourself: what is concern #1 amongst Internet users?