Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google's Research on Malware Distribution

Posted by Soulskill on from the making-a-mountain-out-of-a-really-big-piece-of-rock dept.

GSGKT writes "Google's Anti-Malware Team has made available some of their research data on malware distribution mechanisms while the research paper[PDF] is under peer review. Among their conclusions are that the majority of malware distribution sites are hosted in China, and that 1.3% of Google searches return at least one link to a malicious site. The lead author, Niels Provos, wrote, 'It has been over a year and a half since we started to identify web pages that infect vulnerable hosts via drive-by downloads, i.e. web pages that attempt to exploit their visitors by installing and running malware automatically. During that time we have investigated billions of URLs and found more than three million unique URLs on over 180,000 web sites automatically installing malware. During the course of our research, we have investigated not only the prevalence of drive-by downloads but also how users are being exposed to malware and how it is being distributed.'"

14 of 83 comments (clear)

  1. Now then... by Bluewraith · · Score: 3, Funny

    Where is the page listing each of the bad sites? I'd like to get started on my Virus Aquarium

  2. Google itself? by XanC · · Score: 3, Interesting

    Did Google consider itself to be a source of malware? http://blog.opendns.com/2007/05/22/google-turns-the-page/

    1. Re:Google itself? by moderatorrater · · Score: 3, Insightful

      The name "Browser Error Redirector" doesn't make its purpose clear to a non-technical user I would argue that there is no way to make its purpose clear to the non-technical user without using at least a full sentence, probably a paragraph. For those who are familiar with the concept of error page redirection in the first place, it's a very adequate description, very honest and the first thing I would suspect once I realized there was a problem. If it had been "Browser Helper" or "DNS Accelerator" or "Bonzai Buddy" then arguing that the name wasn't clear would be applicable; as it is, it's a specific name for a specific condition that doesn't hide what it is.
  3. Read it again by EmbeddedJanitor · · Score: 4, Insightful
    There are three million bad URLs being served off 180,000 web sites.

    Three million out of billions is not bad, assuming randomness (only, say 1 in 1000 chance of using a bad URL), but it is a lot worse than 180k out of billions.

    However not all URLs are used equally. Bad URLs linked to some popular pron site, for instance, will get hit a lot more than Joe Sixpack's facebook site.

    --
    Engineering is the art of compromise.
  4. Re:And what platform does the malware run on? by grcumb · · Score: 5, Interesting

    I found it quite interesting that the methodology of the research doesn't even bother to check sites with Mac OS X or Linux operating systems. But on the server side, Apache websites running outdated versions of PHP were singled out for comment.

    In all there were twice as many compromised IIS servers as Apache, but fully 50% of all compromised Apache servers were running some version of PHP.

    It was also interesting to note that computer-related websites ranked second only to social networking sites as most likely to be compromised with redirections to malware sites. Seems we might want to tone down our holier-than-thou rhetoric. 8^)

    --
    Crumb's Corollary: Never bring a knife to a bun fight.
  5. Maybe Goole should delist a few sites. by budgenator · · Score: 4, Interesting

    It occurred to me that if Google started desisting sites that tried to implant malware into visitors computers, then webmasters would be much more diligent about keeping the crap off their sites, or at least keep a few more hapless victims out of harm's way.

    --
    Apocalypse Cancelled, Sorry, No Ticket Refunds
    1. Re:Maybe Goole should delist a few sites. by moderatorrater · · Score: 3, Insightful

      The problem with that is the number of sites that happen to host malware without meaning to. Too often the malware comes through advertising services or sneak through in user generated content that would be fine if not for a browser vulnerability. Google does a lot as it is, outright blocking the sites goes too far (unless that's the only thing that the site is made for, which is rare and would probably mean that the site is ranked low in the first place).

  6. zero script policy for serious web use by Anonymous Coward · · Score: 3, Interesting

    The problem is with the client software. I can understand the danger of sites that try to fool you into downloading and running an application, or infected media that harnesses an exploit in an application - but automatically infecting the machine just by visiting the site is beyond belief. There's a serious problem with what the "web" has become, forced upon us by reckless and naive developers. The WWW and HTML was never meant to be something that runs active code on the client. Period. Most of us realise there is no way this problem can ever be solved without revising exactly what a browser is supposed to be, as long as browsers will run code instead of interpreting data there will always be malicious sites set up to exploit this.

    I have to observe a cast iron policy in my work. It means that quite a few sites on the internet are unavailable, but since they are mostly entertainment based it isn't a serious loss. No Javascript, no ActiveX, no Macromedia Flash. My activities are limited to viewing HTML and PDFs, even animated GIFs are blocked. In many years we have had no malware incidents (that I know of). Sometimes it's absolutely necessary to view a site containing potentially insecure content, so there is a "dirty machine" which is not allowed to connect to anything else and is wiped and reinstalled weekly.

    The problem is that even serious academic and scientific sites (that should know better) are starting to add Flash plugins and heavy scripting, so it's getting hard for conscientious users to maintain security even where they want to. Insecure technology is being forced upon us by the site developers.

    It would be nice if Google could display whether a site needs JavaScript, Flash or whatever and be able to search for HTML only content. The difficult way is to use Google Cache in text only mode of course.

  7. Re:Search engine ranking by calebt3 · · Score: 5, Insightful

    Searchers won't use your engine if it does not give them what they want.

  8. Re:Be careful what you ask for by onepoint · · Score: 3, Interesting

    they have the vote for this on the tool bar. Which to my knowledge works rather well if you are a heavy user and consistently vote pages for which you do a search. I do about 40 to 80 search per day and I am sure that I vote on 90% of it, I have come back to the same topics to search and have seen changes which were major improvements ( lag time about 4 to 6 weeks )

    --
    if you see me, smile and say hello.
  9. Actually they do add a warning for infected sites by Slur · · Score: 5, Informative

    One site I work on got hit by a PHPBB SQL injection attack and had a tiny iframe inserted into the forum header that pointed to a well-known malware site, hightstats.net (and if you're curious the malicious script is in the strong/044 folder). Google picked up on the iframe's contents being a malicious script and added the malware warning to the search results pertaining to the forums section of our website.

    I just wonder how it is that hightstats.net can still be in existence when it contains known malicious stuff that hackers are inserting into unwary websites?!

    --
    -- thinkyhead software and media
  10. Key points to take from the paper by The+Master+Control+P · · Score: 4, Informative

    2/3 of all malware distribution sites & sites that link to them are hosted in China.
    The next worst offender is the US with 1/6.
    About 3.5M websites attempt to send you to exploits from 180K distribution sites.
    63% of the 180K malicious sites are IIS, 33% are Apache, and a handful are other.
    80% of malware from not in ads (e.g. iframes) was within 4 redirects of the malware distributor.
    80% of malware from ads was more than 4 redirects from the distributor.
    3/4 of distribution sites and 1/2 of landing sites are in 2 blocks occupying 6.5% of IP4.
    Among drive-by downloads, 1/2 alter your startup, 1/3 attack your security, 1/4 corrupt your preferences, and 7% install BHOs.
    87% of outbound connections the malware initiates are HTTP, 8.3% are IRC.
    The three AV engines tested against malware retrieved by the study had detection rates of about 35, 50, and 70%.

    The part I find scariest is the 3.5M malware fronts. I mean, there are only about 70M active hosts on the entire Internet - that's 5 percent! Since I think that trying to make programmers these days write secure code is a lost cause, we should focus on breaking up the software monoculture. This kind of shit really starts to lose it's efficacy if only 1/4 or 1/5 attempts even attack the right browser...

  11. This can be fixed, but impacts ad revenue model by Animats · · Score: 3, Informative

    The paper points out that most of the attacks involve redirection of some portion of page content. That's a useful piece of information, because, other than for advertising purposes, redirection of IFRAME items and images is quite rare. A useful blocking strategy would be to block all redirects below the top level page. Many ads will disappear; no great loss.

    Checking for hostile full web pages is already being done. McAfee SiteAdvisor was the first to do that, then Google copied them. Our "bottom feeder filter", SiteTruth, does some of that too, although it throws out far more sites than McAfee or Google do, just by insisting that some identifiable business stand behind any page that looks commercial.

    Google's revenue model depends, to some extent, on those "bottom feeder" sites: all those anonymous "landing pages", "directory pages", "made for AdWords pages", and similar junk. Those things bring in substantial AdWords revenue, although they don't usually generate much in the way of sales for advertisers. Throwing them out of the "Google Content Network" would cut Google's ad income. This is where "don't be evil" collides with Google's profitability.

    This looks like a solveable problem, but the solution will come from the security companies, not the search companies. The search companies can't afford to fix it.

  12. Re:Search engine ranking by darthflo · · Score: 3, Informative

    The GoogleBot doesn't execute JavaScript. Google listing any content from a given site means it does, to a certain point, degrade gracefully.

    Also, what's your problem with JavaScript? If you ever used the Google front page (instead of your browser's quick search function or /search?q=your+query), you probably didn't mind not having to click into that textbox, now did you? JavaScript can cause some problems, but implemented sensibly (by the browser devs) it is no security threat and used responsibly (by web devs) has great benefits.