Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Purges Thousands of Malware Sites

Posted by kdawson on from the just-in-time-for-holiday-shoppers dept.

Stony Stevenson sends in word on the most massive "SEO poisoning" seen to date. The attack was directed at Google in particular and resulted in tens of thousands of Web pages hosting exploits showing up on the first page of Google searches for thousands of common terms (PDF). Sunbelt Software blogged about the attack on Monday after investigating it for months. By Wednesday Google had removed tens of thousands of malware-hosting pages from its index.

19 of 133 comments (clear)

  1. BBC News piece by MLCT · · Score: 4, Insightful

    http://news.bbc.co.uk/1/hi/technology/7118452.stm

    The sites were targeting IE exploits.

    1. Re:BBC News piece by TubeSteak · · Score: 4, Informative
      FTF Summary:

      Sunbelt Software blogged about the attack on Monday after investigating it for months. From Your BBC:

      "This was fairly epic," said Alex Eckelberry, head of Sunbelt Software - one of the firms that uncovered the attack.

      Mr Eckelberry said tens of thousands of domains, many based in China and only a couple of days old, were used in the vanguard of the attack.
      ...
      The booby-trapped websites were thought to be in operation for about 24 hours before Google began stripping them out of its search index. So which was it?
      Months of Google poisoning or just day(s)?
      --
      [Fuck Beta]
      o0t!
    2. Re:BBC News piece by Mike89 · · Score: 4, Insightful

      They could've 'poisoned' Google for months (linked to domains that didn't exist yet), then set the domains up and waited a few days for Google to recrawl. Then again, I'd have thought pagerank would be age-based too. Those search requests are the kind that show up weird dodgy sites anyway (who searches any of those exact terms anyway?!)

    3. Re:BBC News piece by darthflo · · Score: 4, Insightful

      Most users of Windows and IE don't make a conscious decision to do so. It comes preloaded with a computer they buy, they don't question it. Blaming those users for using "poor quality software" (I, for one, find Windows XP a rather pleasant os to work with; IE on the other hand...) would be like blaming any driver for using "poor quality airbags" that came with his car or "poor quality doors" that came with his house after a break-in.
      Not everybody is interested in knowing details about every single one of his possessions. You, me and the rest of the /. crowd cares about computers, but a majority of people (wild guess) probably cares as much about their inner workings as I care about the inner workings of my dishwasher. It's a tool ideally fulfilling one or more given tasks (e.g. "get stock quotes" or "clean my dirty dishes") and is to be professionally serviced upon failure to do so. Installing a more secure browser like Opera may be just as good an idea as adding multi-stage UltraSplash 3D cleaning rotors but as long as I can put dirty dishes in and get 'em out clean I wouldn't know why I should care.

    4. Re:BBC News piece by Inda · · Score: 4, Funny

      I search for 'fetch doggy go go go go go microsoft vpn excel' all the time. The top result was my favourite site until this happened.

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
    5. Re:BBC News piece by Alexeck · · Score: 5, Informative

      So which was it? Months of Google poisoning or just day(s)? It wasn't "months". I think that confusion came from a subsequent blog post we made where we talked about having tracked _comment spam_ bots for months. This attack was only a matter of days. A number of the domains involved, for example, were registered on the 24th or 25th of November. Alex Eckelberry Sunbelt

    6. Re:BBC News piece by jrp2 · · Score: 4, Informative

      "The idiots who use Windows affect me indirectly which is really annoying since their computers are sending me spam and brute forcing my servers."

      The most common brute-force attack I see on my IPS are ssh brute-force attacks coming from *nix servers that have been compromised. From what I understand, those ssh brute force attacks are highly effective.

      I am no fan of Windows either, but I think that might be a stretch to blame Windows for the bulk of brute-force attacks.

      Spam, absolutely.

      --
      The only athletic sport I ever mastered was backgammon - Douglas William Jerrold
  2. Re:Some, but not all.... by Albanach · · Score: 3, Informative

    Google can still screw you over
    That's another goatse link for those of you still sleepy at this time of the morning...
  3. They've also changed their PageRank for many sites by garcia · · Score: 5, Interesting

    Recently (end of October) Google reordered some of their sites and dropped the PageRank on many (mine included) there was a blog post about it here. My PageRank suffered immensely dropping from an overall high of 6/10 to the now 3/10. The most noticeable difference for me was that for the next two weeks (and the first time ever) I was no longer the #1 hit for: Bill Roehl, "Bill Roehl", or any variation thereof. Not only that but the first result from Google wasn't even for my root page, it was for some post I had underneath. I found that to be very odd.

    Now, while I was digging through the Google results to find out why this could have possibly happened (prior to reading the blog post linked above) I found tons of SEO spam sites that my site had been linked from. I had never seen that many junk results returned before and was surprised they were getting through. I was seriously concerned that they had something to do w/my ranking drop.

    At least Google is getting back on track dumping those bastards. While most people probably don't change their default settings to see anything more than the first 10 results, I am constantly looking through the first 100 on various searches and have seen more and more of that. I was wondering if some of the claims of Google's drop from #1 would imminent if something didn't change.

  4. And what's SEO? by allcar · · Score: 3, Informative

    For those of you, like me, who did not immediately recognise this TLA, it stands for Search Engine Optimization.

  5. Censoring by Fredtalk · · Score: 5, Funny

    Sounds like net censorship to me! What if I wanted to visit those malware sites?

  6. Re:all your base by sm62704 · · Score: 4, Interesting

    When will their crawlers automatically disqualify ALL sites that contain malware though? That would be nifty.

    I don't think it would be possible. I linked to a turing test program I wrote called "art.exe" from my Artificial Insanity page that I hosted on another site I owned (which I since have let lapse). The only way a crawler would know that this program was benign was because it isn't listed in any of the antivirus lists of viral signatures.

    What would be nice is if Google would have its crawlers automatically check pages as they crawled. If there were any known malwars the page would be blacklsted. But there's no way I can think of to flag malware that hasn't been identified as such by humans.

    -mcgrew

    PS:)downside would be that you couldn't find microsoft.com (Foghorn Leghorn says...)
    PPS: I've been mulling over rewriting the Artificial Insanity program in javascript. But I'm having a hard time finding the time.

    --
    mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
  7. A hidden gem by dotancohen · · Score: 5, Interesting

    The pdf contains a list of 2161 popular Google search terms. This is an SEO wet dream. Thanks!

    --
    It is dangerous to be right when the government is wrong.
  8. Re:Some, but not all.... by toleraen · · Score: 4, Funny

    Wide awake.

  9. Re:They've also changed their PageRank for many si by Rob+T+Firefly · · Score: 5, Funny

    I was no longer the #1 hit for: Bill Roehl, "Bill Roehl", or any variation thereof. Perhaps there is simply someone else who is better at being Bill Roehl than you. Don't fret, though. You can always go back to Bill Roehl School and brush up with some post-graduate Bill Roehl stuff.

    Personally, I'm comfortable with the fact that I'm only the second-best me out there. Let that other fella have his glory, because I'm never going back to the Rob Vincent Academy. I'm not going into it here, but those bastards Rob, Rob, and Rob know why.
    --
    Slashdot Burying Stories About Slashdot Media Owned
  10. Re:Sounds Good To Me by Andrew+Nagy · · Score: 5, Informative

    I'm probably too late on this discussion, but I thought something needed to be said. I work in online marketing (no, that doesn't mean I am a spammer) and I think this speaks volumes about what Google is hard-pressed to admit. The system can still be gamed. And it seems to me that no matter what Google does to improve their algorithm, the system will still be vulnerable to gaming.

    In part, I think this has to do with the oddness that is their ranking strategy. They want to find the most relevant sites for any given query. So they study online behavior and adjust their algorithm to reflect that behavior. At the same time, they publish "guidelines" on how webmasters should design their sites and link out/in. It seems like they're trying to influence how websites behave online and then say that they're picking up on the organic trends. But in the end, they generate the trends. And then they tell everyone how to do it. Because of this, the system will always be vulnerable.

    Until, that is, PigeonRank(TM) is launched.

    --
    Yes, you can dance to Radiohead.
  11. Re:all your base by darthflo · · Score: 4, Insightful

    Nothing (except antitrust law, maybe) stops Google from "forgetting to include" live.com in it's indexes now and this situation is quite unlikely to change in the near future. The only two reasons I think of as relevant to leave competitors in are the outrage from both the internet community and the "forgotten" competitor (perhaps culminating in lawsuits for anti-competitive behaviour, IANAL) and the desire for the own index to be perceived as fair and complete.

    An independent body deciding about the malness of any ware is, if a certain responsiveness could be guaranteed, a creepy idea. Forming such a commitee would very surely be a huge leap in the direction of an often-mentioned TCPA (Palladium, NGSCB, Donkey poop)-secured blacklist society. A small aristocraty of people in this decision commitee would become the target of a trillion-dollar industry and be able to decide exactly what piece of software is ran by anybody. On the other hand, allowing anybody to participate in these votes would guarantee this operation not to be effective because of the huge delay this would cause. The same goes for adding legal ways to fight a decision by this body - having one would cause the system to become as slow as many legal systems throughout the world are today, not having one would be a surefire way to cause dissatisfaction with lots and lots of developers (both natural and legal persons).
    Also, don't forget to take into account the current legal trouble e.g. encryption software is going through. I'm certain an independent body would decide similar to lawmakers throughout the world. Essentially, you could probably forget about running Linux (Open Source? That could run anything, including highly illegal tools like decss without any way to stop it), any cd/dvd copying software (It's fun to break the D-M-C-A (sung to the tune of YMCA)), nmap (Remember germany banning "Hacker tools"?) or anything else.

    Sorry for painting such a dystopian future, but letting any (independent, governmental or profit-oriented) body whatsoever decide what software's good and what's bad just isn't what you, me or most anybody else wants.

  12. Re:all your base by Nossie · · Score: 3, Interesting

    I do agree... and maybe an independent body would just become corrupt like the rest of them BUT.

    In googles interest, they are a search engine and not a publisher and for that reason are not subject to the indexes of child porn and other illegal activity. Once google start going down the road of blocking spam and other malicious sites it could be suggested they lose the right of being an automatic aggregation engine.

    All the The pirate bay does is index pointer links, all google does is index pointer links -- one of them has a safe harbour in the US and the other does not. How long before Google itself loses its 'safe harbour' ?

  13. Google still hasn't fixed their open redirector by Animats · · Score: 4, Informative

    After reading this, I immediately checked to see if Google had fixed their open redirector. No, they haven't, and there are six exploits of it listed in PhishTank. Google needs to turn that off. If they absolutely insist on having an open redirector, it needs its own subdomain, which is what Yahoo does. Then the subdomain can be blacklisted without collateral damage.

    Phishing via exploits of major sites is a big problem, but involves a small number of major sites. 168 major sites today. The usual exploits are:

    • Phishing site web servers on DSL lines. Some ISPs are good at kicking these off, and some aren't as good. "bellsouth.net" has more entries in PhishTank than any other domain.
    • "Open redirectors", URLs that can be exploited to redirect to another site, like the Google URL above.
    • Web hosting services, especially free ones, sometimes find themselves hosting phishing sites.
    • "Web 2.0" sites which allow uploading of user content but don't check it for exploits. Photobucket is used by some phishers, who upload hostile ".swf" files.
    • Break-ins on legitimate sites, where, typically, some obscure page is hosting hostile content. When an ".edu" site shows up in our list, that's usually what happened.

    Out of 1.6 million domains in DMOZ, and over 10,000 phishes in PhishTank, only 168 domains are in both. So the number of sites that need to be fixed is small. In fact, some of those sites are already fixed, but the entries haven't been removed from PhishTank yet. (Hint: if you kill a hostile page on your domain, make it a 404 error; that gets the page out of PhishTank's "active and online" list automatically. Don't just change the content or redirect it somewhere else, or it stays in the tank until somebody rechecks it manually, which can take weeks.)

    For every site in the list, there's some competitor in the same business who isn't on the list. "Everybody has this problem" isn't a valid excuse any more. This is a useful point to make with management if you find your own company on the list.

    This list of 168 exploited sites is updated automatically every three hours. There's also a list of sites recently removed from PhishTank. "n-insanity.com", "tropmet.res.in", "wsjob.com" were dropped from the list today; they no longer have active, online entries in PhishTank. "gentlesource.com", "t35.com" (an eBay phish), "tilapia.com" (another eBay phish), and "uic.edu" (already fixed) were added; they just appeared in PhishTank. If you have any responsibility for a site on the list, please take steps to fix the problem. If you're not part of the solution, you're part of the problem.