Inside Google's Anti-Malware Operation

Trailrunner7 writes "A Google malware researcher gave a rare peek inside the company's massive anti-malware and anti-phishing efforts at the SecTor conference here, and the data the company has gathered shows that the attackers who make it their business to infect sites and exploit users are adapting their tactics very quickly and creatively to combat the efforts of Google and others. While Google is still a relative newcomer to the public security scene, the company has deployed a number of services and technologies recently that are designed to identify phishing sites, as well as sites serving malware, and prevent users from finding them. The tools include the Google SafeBrowsing API and a handful of services that are available to help site owners and network administrators find and eliminate malware and the attendant bugs from their sites. Fabrice Jaubert, of Google's anti-malware team, said the company has had good luck identifying and weeding out malicious sites of late. Still, as much as 1.5 percent of all search result pages on Google include links to at least one malware-distribution site, he said."

Just don't Google EFG...

[Nialin]

Seriously, don't. I learned my lesson the hard way :/

I like it

[KamuZ]

I like this approach and also as usual, they offer you a way to go "there" anyway which saves you from false positives, never seen one though.

Also I like the alerts in the Webmaster tools as they send you an e-mail if you site gets infected, never happened to me but pretty sure is a good tool when you handle a lot of sites. I mean, how many webmasters actively run malware tools in their website?

Re:I like it

[LordSnooty]

It's much more preferable to the AV industry's blackmail tactics... give us your money every year and we'll try and squash these progs... but we might not... if we don't there's bugger all you can do about it.

Much better is stopping the bad sites appearing in the first place. And all for free! Stuff like this is why Google can hold on to the "don't be evil" line for now.

Re:I like it

[ByOhTek]

Actually, I thought many AV companies also had web blacklisting software as well.

Details

[cappp]

TFA specifically notes that

To find malware-distribution sites, Google uses a huge number of virtual machines running completely unpatched versions of Windows and Internet Explorer that they point at potentially malicious URLs. The company then ties this in with the data that it gathers from its automated crawlers that are tasked with looking for malicious code on legitimate Web sites.

Re:Details

[surmak]

That's about all the article says. It is amazingly information free. Anything else that is mentioned can be deduced by anybody who uses Google's services and has a bit of knowledge and the logic.

As I was reading it (yes, I know that is a cardinal sin on /.) It felt like there was going to be more in interesting information forthcoming, but there was never anything (other then use use of VMs) that was surprising in any way.

It would be nice if the editors would stop posting content-free stories.

</rant>

Re:Details

[ifrag]

Even the use of VM's isn't really surprising these days. If you are going to intentionally let something get worked over by malware then having a fast way to revert damage makes sense.

What I'm assuming and what the article doesn't make mention of is how a machine is actually determined to be compromised. I suppose there would be some scanner running in the background as log and report only. Then at a higher level accumulating those results and restoring the original disk file. Since this is Google I'm guessing they've managed to automate the entire chain.

What I want to know is if Google has developed their own scanning tools or just integrated themselves with a 3rd party product. Is a separate Google AV product on the way?

Re:Details

[pinkushun]

The article could have elaborated a bit I'm sure. Like how this setup appears to be a honeypot, while they more than likely monitor the traffic through a transparent proxy.

They also could have setup snapshots before and after visiting each site, and do a diff of the file system and registry to see what files has been planted and which files/settings changed.

Obviously I can't confirm this, but that's what I would do.

Re:Details

[mcgrew]

That's about all the article says. It is amazingly information free.

That's why I (and probably everybody else) seldom RTFA.

Re:Details

[pinkushun]

Sorry for the slight terminology mistake, these are actually Client Honeypots, similar in function but where honeypots are usually servers that wait for attacks, client honeypots are clients that actively go out and issue server requests.

Re:Details

[apoc.famine]

That's one of the reasons I'm trying to find the next slashdot. Any leads?

To find malware-distribution sites...

[a_hanso]

TFA: "...Google uses a huge number of virtual machines running completely unpatched versions of Windows and Internet Explorer that they point at potentially malicious URLs." ouch.

Re:To find malware-distribution sites...

[ByOhTek]

Yeah. What about vulnerabilities introduced by patches?

Pretty sure those happen too.

Fighting malware doesn't have to complicated

[antifoidulus]

I'm sure the hardware behind this site is much less complex than the google operation and yet fights malware better. Just another example of the huge costs that Windows shitty security is putting on the rest of computing world. Why won't that joke of an OS die already?

Re:Fighting malware doesn't have to complicated

[JonySuede]

Malware is about third of the problem,
There is not one OS that protect against the type your sudo password to see the dancing bunnies. Not one that protect you against phising and scamming.

Re:Fighting malware doesn't have to complicated

[hairyfeet]

Did you ever think that maybe, juuust maybe, there is a reason why despite the fact you give your "solution" away NO big box retailers touch it and home users have voted time and time again NOT to switch to it? Like the fact that you refuse to listen to them and give them what they want, an all GUI all the time, simple and easy peasy UI with lots of hand holding and wizards, you insist they "embrace the power of CLI" like it is the fricking force and try to force them into a Unix centric CLI heavy environment?

Or that with your "solution" you get to enjoy the "fun" of 6 month upgrades, where one bug is fixed and three introduced, where instead of a simple update driver or find driver button one gets to try to navigate a maze of forums which Deity help you if you don't know the EXACT name make and model of whatever you need a driver for or you're boned? Where on those same forums the answer to damned near EVERY question starts with "open up bash and type" even though users have voted overwhelmingly that CLI is a giant DO NOT WANT?

The developers of Linux decided long ago they like things the way they are, the world could do it their way or go jump. Well the world will NEVER embrace the CLI, it is over, they have spoken. This is why a user can go the entire lifecycle of a Windows or OSX and NEVER see a CLI, because unlike the Linux developers Apple and MSFT have decided to give the people what they want instead of trying to force them to go a completely different direction. finally as further proof I give you Android, pretty much the only consumer Linux moving serious numbers, which by default has NO CLI and is top to bottom a GUI only solution. Give the people what they want or someone else will.

Oh and BTW Windows 7 actually got rid of run as Admin and the security is quite good, and without the user needing ANY CLI. I'm sure their "unppatched Windows VMs" are WinXP RTM or SP1 with IE6. which comparing that to the modern Windows is about as fair as comparing the first release of Slax to modern Ubuntu. Funny though that MSFT still supports a decade old OS with patches. Is there ANY Linux that does the same?

Re:Fighting malware doesn't have to complicated

[ByOhTek]

Hahaha. I'm glad you aren't in charge of any IT security.

At least, I seriously hope you aren't.

Because if you think that's going to give you a huge security boost, you've got another thing coming.

You get better security with an informed user than switching from any current OS to any other current OS.

Re:Fighting malware doesn't have to complicated

[ByOhTek]

"Another think coming" doesn't even make grammatical sense, let alone logical sense. Also, look up 'idiom' when you get the chance. Also, a 'thought' is a thing, so it might not even fall under the category of idiom, although with the general use of 'another thing coming', it probably should.

You fail at being a Grammar Nazi, sorry.

Re:Fighting malware doesn't have to complicated

[LordLimecat]

try to force them into a Unix centric CLI heavy environment?

There may indeed be arguments against Ubuntu / Linux, but as you have very clearly not used Ubuntu, I dont see why you feel necessary to speculate on what those faults may be.

You might as well complain about Windows, as server 2008 has moved heavily into PowerShell-- which is more of that "CLI heavy environment" that you so vigorously object to.

Windows 7..... without the user needing to run ANY CLI

You clearly havent used Windows in a serious corporate environment for any appreciable length of time, either. Microsoft has one of my USERS running a commandline debugger every time Word and Excel crash in order to gather data on why it is happening. And how do you suppose you go about refreshing group policies on a workstation-- pretty sure you have to run gpupdate on commandline.

Again, there are problems with Ubuntu and Linux in general, but commandline usage is probably just as prevalent between them, with the difference that the Linux commandline is actually pretty good (PowerShell isnt BAD tho....). People tend to use it more, because it is easier-- FAR easier to tell the user "click start, type charlie-mike-delta, press enter, type ipconfig, hit enter....whats the first line?" than trying to guide them through the brand-new and poorly laid out network connections GUI which is cleverly hidden away behind 13 clicks (and this is from experience guiding countless users through it over the phone).

Re:Fighting malware doesn't have to complicated

[GameboyRMH]

Did you ever think that maybe, juuust maybe, there is a reason why despite the fact you give your "solution" away NO big box retailers touch it and home users have voted time and time again NOT to switch to it? Like the fact that you refuse to listen to them and give them what they want, an all GUI all the time, simple and easy peasy UI with lots of hand holding and wizards, you insist they "embrace the power of CLI" like it is the fricking force and try to force them into a Unix centric CLI heavy environment?

You've never used Ubuntu have you?

My sister's and mom's laptops both run Ubuntu and they couldn't even figure out how to open a terminal window if they wanted to.

Re:Fighting malware doesn't have to complicated

[GameboyRMH]

Allow me to elaborate: They couldn't even figure out how to open a terminal window because they don't know it exists and have never had to use it.

Well one time I tried to talk my sister through opening a terminal and entering "alsactl restore," what a nightmare that was, but it turned out she just hadn't plugged her headset in properly, so it wasn't really necessary in the first place.

Re:Fighting malware doesn't have to complicated

[mcgrew]

Why won't that joke of an OS die already?

Because it comes preinstalled on almost every PC sold. If all the PCs came with Ubuntu preinstalled, Ubuntu would take MS's place as king of the OSes.

We nerds are the only folks who install operating systems. Normal people treat their PCs like TVs or toasters (although we may occasionally hack our TVs and toasters to make them operate the way we want).

Re:Fighting malware doesn't have to complicated

If you're going to argue with a grammar troll, at least make sure you're right :)
http://en.wiktionary.org/wiki/have_another_think_coming
http://en.wiktionary.org/wiki/have_another_thing_coming

Re:Fighting malware doesn't have to complicated

[pinkushun]

Stating the timeline...

- Microsoft's been a commercial company since 1981, and marketing reaches crowds. The first Windows came out 1985.
- 6 years later...
- Linux started as a hobby project in 1991, GPL'd a year later. It stayed too techy for the average user for the next 10 years (about).

Microsoft got a big head start in terms of exposure to the public, from a human-social-familiarity perspective this is why most people know of, and use Windows.

I'll be a hypocrite to dis Windows, since I've been coding on it for 12+ years, knowing the internals. Now that I'm learning the *nix internals however, I do see fundamental architectural differences.

Not always a result of bad implementation, but more from code and logic designed during a different age, some of which is now irrelevant and obsolete (information age and all). This opens up vulnerabilities and issues that weren't present at the time.

Being a geek I naturally gravitate towards that which I find technically appealing. Naturally that would be *nix. Us Linux fiends love it because it makes us feel like the first time we discovered computers all over again!

Re:Fighting malware doesn't have to complicated

[moeluv]

Mr. Ballmer? That you?

Re:Fighting malware doesn't have to complicated

[Mister+Whirly]

Because everyone else in the world doesn't think exactly like you? Because millions of businesses are already invested in it? Because your opinions do not drive the corporate world to make technology decisions? Is that enough, or do you want some more?

Re:Fighting malware doesn't have to complicated

[Mister+Whirly]

System admins != users - in the sense he is talking about users. He is talking about dumb end users who never do need to use the command line, and do not want to.

And FYI you don't need to run gpudate from a command line unless you need the policy to go into effect immediately. If it is something that doesn't need to go into effect right away, you can just wait until the machine updates the policy on it's own. As for the debugger, just disable it. Does the end user really need to debug anything? Is any useful information gained?

Re:Fighting malware doesn't have to complicated

[ByOhTek]

Maybe in 10-15 years, but looking around, all I find promoting that use is, at best, second rate sources (third rate more likely), such as what you posted, and bloggers who want to criticize mainstream writers.

Sorry, I don't want to use your new and grammatically idiotic slang.

Re:Fighting malware doesn't have to complicated

[mcgrew]

Did you ever think that maybe, juuust maybe, there is a reason why despite the fact you give your "solution" away NO big box retailers touch it and home users have voted time and time again NOT to switch to it?

Yes, there is a reason -- PC manufacturers use Windows because that's what people are used to (Microsoft has great marketing) and gets incentives from Microsoft to use Windows. Windows users don't switch to Linux for the same reason XP users don't switch to 7; only nerds install OSes.

Plus, nobody but nerds have even heard of Linux. I talk to non-nerds all the time, and they're always amazed that a free replacement for Windows that doesn't need AV even exists. Many flat out don't believe me.

Or that with your "solution" you get to enjoy the "fun" of 6 month upgrades, where one bug is fixed and three introduced

I don't know about OSX, but Windows has always been like that.

where instead of a simple update driver or find driver button one gets to try to navigate a maze of forums which Deity help you if you don't know the EXACT name make and model of whatever you need a driver for or you're boned?

But there IS a simple update in the GUI, and it's as easy and automatic as Windows; I just updated my fairly new kubuntu install two days ago (the netbook came with Win 7, I replaced it with Linux) and it was a matter of two mouse clicks to update everything. And I didn't have to reboot ONCE. So it was actually EASIER than updating Windows, and no CLI was necessary.

I had the misfortune several years ago of letting XP update automatically, and it replaced a perfectly good network driver with one that didn't work at all. I had a hell of a time figuring out what went wrong, and was all ready to buy a new network card because I thought (and so did my ISP) that the network chip had gone south.

And if your Windows driver update is hosed, you're STILL going to have to know the make and model of the device you need a driver for.

Where on those same forums the answer to damned near EVERY question starts with "open up bash and type"

That's because there are so many flavors, but a CLI command will be the same no matter what desktop one uses. If I'm familiar with KDE and you're using Gnome, I'm not going to be able to help you with Gnome because I'm no more familiar with it than I am OSX, but I may be able to list a command that will do it.

The developers of Linux decided long ago they like things the way they are, the world could do it their way or go jump

That's entirely backwards. It's Windows that you have to do it their way, not Linux. With Linux you have a choice of distros, desktops, boot loaders, everything. I had a discussion with a fellow slashdotter the other day about how much I liked the way KDE opens with the apps open that were open, with the book I was reading open to the same page it was on when I shut it down, and he hated that. His is configured to open with a "clean" desktop. His is the way he wants, mine is the way I want, and we're both happy. Not so with Windows. With Windows, it's the Microsoft way and if you don't like it, tough shit.

Well the world will NEVER embrace the CLI, it is over, they have spoken. This is why a user can go the entire lifecycle of a Windows or OSX and NEVER see a CLI

A user can go through the lifecycle of any modern Linux desktop Linux distro without ever seeing a CLI as well. That's not to say a CLI is unnecessary, in any OS. In Windows, it's far easier to open a DOS shell and type REN XP????.* WIN7????.* than it is to manually rename all the files with File Manager, and a batch file is just as useful as a shell script. But neither Windows nor Linux forces you to. I don't use a CLI in kubuntu any more than I did in Windows.

Oh and BTW Windows 7 actually got rid of run as Admin and the security is quite good

True, I almost liked Win 7 once I started getting used to it.

Re:Fighting malware doesn't have to complicated

[lantenon]

The developers of Linux decided long ago they like things the way they are, the world could do it their way or go jump

That's entirely backwards. It's Windows that you have to do it their way, not Linux. With Linux you have a choice of distros, desktops, boot loaders, everything. I had a discussion with a fellow slashdotter the other day about how much I liked the way KDE opens with the apps open that were open, with the book I was reading open to the same page it was on when I shut it down, and he hated that. His is configured to open with a "clean" desktop. His is the way he wants, mine is the way I want, and we're both happy. Not so with Windows. With Windows, it's the Microsoft way and if you don't like it, tough shit.

You missed his point. His point is that end-users don't want a choice of distros, desktops, etc. They want to press "on" and have it work. This is, ostensibly, what Windows provides.

Re:Fighting malware doesn't have to complicated

[garyebickford]

If all the PCs came with Ubuntu preinstalled, Ubuntu would take MS's place as king of the OSes.

-- and king of the compromised OSs. If Ubuntu were installed on 90% of all desktops, the hacker hordes would be all over them with tiny little lock picking tools. All those security updates that I get every couple of days on Ubuntu would also be the subject of hacking attempts. in some cases the defects would be found and exploited by hackers before maintainers knew about them.

IOW, life would be somewhat different but not very different (the security model of *ix is still better than that of 'doze but no security model can ever be 100%). Fortunately, since all those hordes of 'dozers are out there, my tiny niche of the computing world is a relatively target-poor niche, and my Ubuntu machines are mostly not worth the time of hackers to spend huge number of hours on.

So, my thanks go out to all those Windows users out there, whose millions of 'unlocked doors' give the hackers something to do besides pick my locks! :D

Re:Fighting malware doesn't have to complicated

[hesaigo999ca]

The problem is the ignorance of user's, the lack of care by user's again, and the lack of care by M$.

If users were smarter about their browsing.....we would have less infection.

If user's chose to be less cheap and run legit copies of windows with full patches we would have less infection

If M$ was less cheap and offer all copies of windows legit or non, to be able to get patched, we would have less infection
(this last one more then all 3 first mentioned put together)

If we had windows programmers be more thorough in coding such as linux programmers are, we would have less infection.

Multiple attack points to end this problem, yet no one seems to care enough...

Re:Fighting malware doesn't have to complicated

[mcgrew]

His point is that end-users don't want a choice

Is that why there are so many models of Ford cars? If that was his point, his premise was badly flawed.

They want to press "on" and have it work.

I have yet to see any modern distro that you didn't simply press "on" and have it work.

Re:Fighting malware doesn't have to complicated

[mcgrew]

That's likely true, although as you say, the security model of *nix is still better than that of 'doze but no security model can ever be 100%. End users would have a harder time getting pwned, though, as although it's as easy to install a program from a distro's repository as it is to install a Windows program, installing anything not in the repository is a little harder, and probably beyond the capabilities of the average user.

So yes, it would be the targeted OS, but it would still be a lot harder to build a botnet.

Re:Fighting malware doesn't have to complicated

[garyebickford]

Unless ... another story on /. that is suddenly applicable: Hiding-Backdoors-In-Hardware.

I wonder if it's much harder to build a backdoor in the 'hardware' that compromises *ix than *doze - or both - especially on machines (mostly servers) that are now running some form of boot/maintenance over LAN or management-over-LAN such as IPMI.

As usual, convenience impacts security.

Re:Fighting malware doesn't have to complicated

[hairyfeet]

Wow, way to miss my point! My point wasn't about what happens when everything works perfectly because nobody has ANY problems in that case, it is what happens when things go wrong which is when all the fancy dies hard in Ubuntu or any other Linux and you are staring at a craptastic CLI. let me give an example that users, which to be clear I'm talking about the 90%+ people on the planet who are NOT CS Grads, IT guys, power users, but ordinary folks run into all the time: No driver. In Windows all you do is right click in device manager and pick "update driver" if you can even get that far, because in Vista and 7 Action Center will often pop up with "do you know I don't have a driver for this?" before you get a chance. If the hardware is less than 5 years old (the VAST majority in the case of home users) windows WILL find and install a driver FOR you. I understand it is pretty similar in OSX.

Now let us to compare that to what I found last time I used Linux (Ubuntu 10.4 to be exact) and I had the same problem. I don't have a driver, now what? No easy GUI, no pop up, nothing. Hell not even a "help me!" link anywhere. So it is off to this horrible maze of forums, which a home user would NOT know about or find easily, where you BETTER know damned well the exact make/model/rev of hardware you are using. Is there a simple installer? A deb file I can clicky clicky? Nope, it is some tar file with a mess of CLI that I the home user is expected to "tweak" to make work. what are the odds I can do this? about zero.

And this don't even count the other major headaches that made me as a PC retailer avoid Linux like the plague, such as the 6 month "update foo broke my driver!" bullshit, which seemed to be a pretty damned regular occurrence. why can't Linux have a stable driver level ABI, so things "just work" without that bullshit when you update? The only real answer I've gotten is 'Linus don't like them". Well good for Linus, it makes retail Linux a living fricking hell because any machine that leaves my shop WILL be coming back in 6 months with the Ubuntu upgrade cycle (which is frankly insane. SIX months? WTF?) rolls around and more shit gets broke. Meanwhile machines I sold seven years ago with XP SP1 have successfully autoupdated to SP3 with all of the drivers continuing to work and the same goes for the Vista and now 7 machines.

The problem I've had dealing with Linux guys and FLOSS in general is they just refuse to realize, for whatever reason, that the rest of the world ain't like them and have NO desire to learn their ways. They want simple, they want clicky clicky, they want hand holding, they want GUI all the way. Instead they get called things like "noob" and get told 'Go back to winblows LOL!' and folks wonder why Linux on the desktop is deader than Dixie? It is because you refuse to give your customers what THEY want and instead design it like the world is made of CS grads and IT guys. It's not, it never will be, and Apple and MSFT knows this. And THIS is why Linux on the desktop is at 1% and not gaining enough to worry about. All those "noobs" are your potential customers which you NEED to get application developer and hardware manufacturers and retailers like me to support your OS. Listen to them, give them what they want, and grow. it is business 101 folks: Give the customer what they want or someone else will. At the moment that is Apple and MSFT.

Re:Fighting malware doesn't have to complicated

This is a different Anon Coward, by the way, but I am also a grammar nazi :)

http://www.phrases.org.uk/meanings/another-think-coming.html
http://alt-usage-english.org/excerpts/fxyouhav.html

OED:
think, n. 2b to have another think coming: to be greatly mistaken.
1937 Amer. Speech XII. 317/1 Several different statements used for the same idea - that of some one's making a mistake...[e.g.] you have another think coming.

I suppose the O.E.D. might be considered second-rate (shoot, if they let J.R.R. Tolkein edit it, they'll let ANYBODY in!) but you can't argue that most people would consider it authoritative.

It appears to be a deliberately ungrammatical construct to promote threat (or humor.) First time I remember hearing it was probably a James Cagney movie from the 40s, I think I also heard it from Groucho Marx, but I might be wrong there.

Re:Fighting malware doesn't have to complicated

I notice you're rather quiet now that you've been shown to be completely wrong.

Re:Fighting malware doesn't have to complicated

[Wyvern2005]

As a happy Linux user of more than 10 years and more flavors of hardware than I want to remember right now, I must say," Noob!! , Quit whining..." If you don't like it, use Windows...those of us who are capable of asking questions and actually using (or LEARNING to use) cli (gasp!) will continue to use our free, much more capable OS. Incidentally, I didn't go to college for this- I simply learned to read man pages...
  Veteran of: Debian, Ubuntu, Slackware, Knoppix, SUSE, DSL, Puppy, Red Hat and Vector.
      I don't particularly CARE if the regular users figure out how to use Linux..if they can't figure out the simple stuff, I don't want them playing in my pool.
        "nuff said :)

Re:Fighting malware doesn't have to complicated

[LordLimecat]

Ah, but then when would an ubuntu USER ever need the CLI-- arent the things that are usually complained about (fixing sound, fixing flash, fixing X or Y) usually administrative things, things that a user would immediately call IT for?

Why is it the linux users are expected to completely maintain their own machines, but the Windows ones can call IT and never have to deal with command prompt or powershell or vbscript or group policies?

Re:Fighting malware doesn't have to complicated

[hairyfeet]

Good, I'm really glad for you, and truly hope you feel that way. if those are your REAL feelings, and you're not just here to troll, then please join me in the "Linux is NOT ready for the desktop!" campaign. It is simple really as what you just flat out admitted is Linux is NOT ready for the desktop for a good 90%+ of the population because in your own words they are "noobs" that won't do things YOUR way and you have NO intention or desire to do things theirs.

So please be honest, and when you see your fellow Linux users pushing the "Linux is ready for the desktop" meme kindly point out that this is NOT the case, nor will it ever be. Because the vast majority of the population is not, nor will ever be, like you or have ANY desire whatsoever to learn your ways, which are frankly a PITA. But pretending Linux is ready when it is not is not only damaging to the users, it is damaging to Linux itself. It makes the Linux users look like delusional fanatics, and it burns and turns off many people that may have been perfectly willing to use other FOSS software like LibreOffice, and finally it makes makes Linux look dishonest when users and retailers find out what is reality is FAR from what those pushing the "Linux is ready" agenda say it is.

But I support you 100% in your views. For web servers, for embedded devices, and for desktops for greybeard CLI heads? Linux is damned good. But for the average person, the one to whom the vast majority of new PC hardware is sold? It is nowhere close and by your own admission it will never be because guys like you DON'T WANT it to be. So join me and help kill the "Linux is ready for the desktop!" meme dead. Then instead of deluding themselves that the world is suddenly gonna embrace CLI and start learning bash commands maybe then the community will devote more time and resources into places where Linux CAN make great inroads, like the above. Also vote up those that speak the truth instead of letting the fanbois mode away anyone who dares to point out the truth. BTW I'm bookmarking your post so others can see the great truth you have spoken today. May it help to finally kill the Linux desktop meme dead.

Re:Fighting malware doesn't have to complicated

[Wyvern2005]

Umm...not only won't be joining the club, but have turned at least 6 of my formerly Windows using friends on to Ubuntu..and the only question I've had in the last 4 years was from ONE friend who asked me if it was safe to run updates because (in her words) she didn't want to run update and have it break things like Windows always did....and it hasn't. I showed her how to set up for long term support updates and she's happy as a clam, everything works and SHE DOESN'T KNOW SQUAT ABOUT COMMAND LINE.
    Methinks to be so very vehement on the subject you may, at some point, had some issues yourself. If that's so, I'm truly sorry for your pain...but don't lump the rest of the human race into your little universe-quite a few of them are willing to learn.

Re:Fighting malware doesn't have to complicated

[Wyvern2005]

Incidentally, you're wrong about Android not being supplied with a cli environment-it's in the market, free, for any who care to use it.

Re:Fighting malware doesn't have to complicated

[mcgrew]

If the back door's in hardware, the OS wouldn't matter, you're pwned no matter what.

Re:Fighting malware doesn't have to complicated

[mcgrew]

what happens when things go wrong which is when all the fancy dies hard in Ubuntu or any other Linux and you are staring at a craptastic CLI.

At least with Linux when everything goes wrong you have a CLI. In Windows all you have is "safe mode" and you're locked out of anything that you could access to fix it.

With Linux and things go bad, you can always get in with a thumb drive, or even reinstall the OOS in another partition. Woth Windows, about all you can do is install Linux in another partition to get your files.

When everything goes absolutely crap, no normal person will be able to do anything at all.

My netbook came with Windows 7 and a bad design flaw -- if you had it set to hibernate when closing the lid and then close the lid before all the lights stop flashing, the OS wnet apeshit. Not just Windows, which would no longer even let me have a C: prompt, but just safe mode. I was lucky to be able to salvage most of the files I hadn't yet backed up.

Linux had a kernel panic, chocked and locked up. After taking the baterry out and putting it back in, Linux booted fine.

No driver. In Windows all you do is right click in device manager and pick "update driver"

Drivers don't just break. Period. I've had Windows replace a good driver with a worthless one, ant it was NOT easy to figure out that it was a driver because drivers don't breal unless someone breaks them.

If the hardware is less than 5 years old (the VAST majority in the case of home users) windows WILL find and install a driver FOR you. I understand it is pretty similar in OSX

As well as modern Linux distros. The difference is, you'll find drivers for hardware OLDER than five years old with Linux.

Now let us to compare that to what I found last time I used Linux (Ubuntu 10.4 to be exact) and I had the same problem. I don't have a driver

For what hardware?

So it is off to this horrible maze of forums, which a home user would NOT know about or find easily

A normal home user would pay someone, whether Windows, OSX, or Linux. Normal users don't have the first clue what a "driver" is or how to fix the problem.

as the 6 month "update foo broke my driver!" bullshit, which seemed to be a pretty damned regular occurrence.

You work for Microsoft, don't you? Because this post is as clueless as your last comment. I never ONCE had a Linux repository give me the wrong driver, and I've been using Linux since Mandrake. I did have Windows replace a perfectly good network driver with a bad one. Being a nerd I eventually fixed it, but there's no way a non-nerd would have. A normal person would have taken it to the repair shop and had someone install a network card (which is what the ISP suggested).

The problem I've had dealing with Linux guys and FLOSS in general is they just refuse to realize, for whatever reason, that the rest of the world ain't like them

Linux is more like OSX than any flavor of Windows is like OSX. If you can use onw GUI you can get through any of them.

They want simple, they want clicky clicky, they want hand holding, they want GUI all the way. Instead they get called things like "noob" and get told 'Go back to winblows LOL

Your problem is you're going into Linux forums with the attitude you're giving me. I'd tell you to fuck off, too. Most people don't take kindly to a bad attitude. Go to a Ford forum to find out what's wrong with the left blinker and talk about how shitty Fords are and extoll the virtues of Chevy and you're going to get treated the same way -- like you're trolling.

ESPECIALLY when you come up with bullshit like "Goddamn fords don't have automatic transmissions, I don't know how to use a clutch" which is EXACTLY what you're doing here.

what about a link..

[js_sebastian]

..to the actual slides, position paper, video, or whatever, so we can get some of the meat?

Shame

"To find malware-distribution sites, Google uses a huge number of virtual machines running completely unpatched versions of Windows and Internet Explorer that they point at potentially malicious URLs."

If I were a MS employee, that sentence would make me cringe with shame.

Re:Shame

[weicco]

Should Linux developers feel shame also when someone gets his/her machine compromised by running ten years old unpatched stuff? Should door lock makers feel shame if I get my house robbed because I didn't fix broken outdoor lock?

Re:Shame

[mcgrew]

Should door lock makers feel shame if I get my house robbed because I didn't fix a defective outdoor lock?

Yes. Any software house or programmer should be ashamed of bugs in their code, just as a car manufacturer should be ashamed of a product recall.

A bug fix patch is no different than any other product recall.

Re:Shame

[weicco]

Yes, I see your point and understand it. I'm a programmer and whenever I've made a dumb error I put on a hat which says "ass". Well, I used to, not anymore. It always gave a good laugh to coworkers :)

But on the other hand if manufacturer has found the defect, offered to fix the thing with no costs, and I refuse it... I don't see why manufacturer should feel shame anymore. It's my shame not to allow them to fix it.

Re:Shame

[mcgrew]

Well, no, I don't mean the manufacturer should feel shame that the customer didn't take advantage of the recall. That's clearly the customer's fault. The manufacturer's only shame is that he has to recall it in the first place.

I'll bet that if meatspace product recalls were as cheap and easy as software patches, toasters and TV sets would be a lot less well built.

No news

Yandex (the leading Russian search engine) uses this approach to mark infected pages officially since March 2010. Prooflink (in Russian): http://company.yandex.ru/news/press_releases/2010/0301/index.xml . So, Google is not the first to announce this strategy.

Re:No news

[cheater512]

No, but Google has been doing it for quite some time now.

Not working!

[blackdew]

I can still find microsoft.com :(

intentional?:)

[MiP007]

"Still, as much as 1.5 percent of all search result pages on Google include links to at least one malware-distribution site, he said."

well duh

[hvm2hvm]

If they get good enough at finding malware, malware writers will have no choice but build custom targeted attacks that work against them.

Profit!

From TFA:

"We don't understand all the details of this. We focus on the technical," Jaubert said. "There's monetization aspects that we don't have visibility into."

1. Set up VMs to collect malware data
2. Focus on the technical details
3. ???
4. Profit!!

i'm wearing a tinfoilhat

I don't get spam in gmail (it's all in the spam folder) and Google protects me from getting malware. Am I to presume that since they know so much that they are the ones creating the world's spam and malware? dun dun dunn~

monopoly on information

[FuckingNickName]

Because only Google should be able to collect and process an unholy amount of information about you, the average Internet user, without your (informed) consent.

Google logs and tracking cookies are, in terms of aggregate harm, the most harmful things you'll enjoy when browsing the web.

Re:monopoly on information

http://lmsntfy.com

How many machines?

[Sooner+Boomer]

From TFA

To find malware-distribution sites, Google uses a huge number of virtual machines running completely unpatched versions of Windows and Internet Explorer that they point at potentially malicious URLs.

And do they run FF, Chrome, Opera, etc. looking for vulns in them as well? Can you imagine what would happen if this "huge number of virtual machines" actually got pwned? Now there's a massive spambot or DDOS! Would google spam-block its self?

Re:How many machines?

Um, they're virtual machines. Presumably, single-use copies of a standard image. Fire up a VM running one of the copies, point it a suspicious site, then turn off the VM and analyze the copied image for changes. Then discard the copied image. No botnet happens.

Why?

This will help Windows. Google is spending resources to keep Windows machines from getting infected. That does not make sense.

Or it is just a social service :-/

"Can I turn it off?"

[Grismar]

This suggests that Google will actively filter out sites that spread malware or are phishing? I'm sure Google will do a fine job at it and odds are I would leave such a feature on, but shouldn't there be an option to turn it off? I would feel way better about a search engine if I knew I could turn all its censoring features off. It's the same with SafeSearch, I have it turned to moderate, but I like the fact that I can opt to turn it off.

Re:"Can I turn it off?"

[Schadrach]

I thought the Google thing just warned you but gave you a "but go ahead anyways, if you're sure" option just in case of a false positive.

Re:"Can I turn it off?"

[Nimey]

It does, but that doesn't stop ignorant alarmism.

Re:"Can I turn it off?"

[contra_mundi]

This suggests that Google will actively filter out sites that spread malware or are phishing? I'm sure Google will do a fine job at it and odds are I would leave such a feature on, but shouldn't there be an option to turn it off? I would feel way better about a search engine if I knew I could turn all its censoring features off. It's the same with SafeSearch, I have it turned to moderate, but I like the fact that I can opt to turn it off.

There's two options in the Security section of Firefox options:

Block reported attack site [x]
Block reported web forgeries [x]

Presumeably unchecking these will turn the protection off. It's not exactly obvious if this will stop the service completely or if will it just stop warning you. I.e. will it stop all communication between Firefox and the service?
And as a sibling comment mentioned, you can proceed regardless of the attack report. You get a cool report about the attack by the way, how many extra processes were spawned by the malware and all that.

Re:"Can I turn it off?"

[Macka]

Hopefully no you can't turn it off; because if you can then miscreants out there will find a way to turn it off for you, without your knowing about it. More to the point it won't be you that get hit like that, you're obviously intelligent/paranoid enough to notice. It'll be your computer illiterate friends and neighbors.

Funny, then

[DangerousDriver]

That a google search for malwarebytes has AntiMalwre Pro (see http://www.2-spyware.com/remove-antimalware-pro.html) as the top, sponsored hit.

Adobe flash player is not responding...

Start worrying

Crowdsourcing detection maybe?

[tebee]

  I wonder Google does not have some simple way for those of us who are savvy enough to recognise span or malware sites to indicate so in the search results. Those results so indicated could be have their page ranking reduced or be hidden until they were checked.

I realize this could be abused and have no idea what the signal to noise ratio would be but it would be interesting to see how this worked..

Google...

doing what Microsoft should be doing!!

Google Proxy-

[gatzke]

What we need is a google proxy to surf through that would automatically strip malware.

What could go wrong?

Seriously, this Flash / Adobe stuff is crazy. Just browsing a mainstream site with bad adverts can compromise your box these days.

Re:Google Proxy-

It's called Google Translate :) Just set the target language as your language, and suddenly you can browse everywhere without worrying as much about drive-by malware.

Oh, and Firefox has the SafeBrowser API built in, so you get that functionality by default for all pages.

See!

[crow_t_robot]

To find malware-distribution sites, Google uses a huge number of virtual machines running completely unpatched versions of Windows and Internet Explorer that they point at potentially malicious URLs.

Windows IS useful! Time to go cash in on some bets.

does goatse count as a malware site? If so...

I bet you were expecting a goatse link here (obvious or disguised). Sorry to disappoint.

In the meantime we are busy...

...making sure that the infrastructure for malware is friendly & thriving:

• on the server side via sloppy content sanitizing (just yesterday an SQL injection in a well-known PHP framework which shall remain unnamed just sprang into my face by casually reading the code -- and I'm no security guru, I promise)
• on the client side ba making sure that les and less of the internet is usable for those that choose not to enable active content on their browsers "c'mon, folks -- it's the 21th century, just enjoy the rich intarwebs"

Argh.

It's a group effort.

[happy_place]

I've got a buddy from Bluecoat. They regularly search for these sites, and he says their company regularly reports malware sites to Google. He said there was a time when their software blocked Google because it wouldn't clean up its act. Things have changed.

Google's Contribution to Security

[Bicx]

I sincerely hope Google continues to improve its services in a similar fashion. Although I know Google is funded primarily by advertisement fees, it certainly feels like I'm getting something great for free. I just hope that Google continues to receive heavy competition on all fronts, preventing them from ever achieving a complete monopoly. Lack of competition is the enemy of innovation.

read the solution here

Do your browsing from a Ubuntu Live USB device. Lubuntu is a lighter desktop then either KDE or Gnome ..

Insert excuses why not to here:

undisclosed balance-sheet liability of malware

As this click-and-get-infected malware runs on Windows, what's the annual balance-sheet liability to businesses from Microsoft Malware.

"every Linux customer basically has an undisclosed balance-sheet liability", Steve Ballmer link

Virtual Fail Guy

[twitter]

From the article:

To find malware-distribution sites, Google uses a huge number of virtual machines running completely unpatched versions of Windows and Internet Explorer that they point at potentially malicious URLs. The company then ties this in with the data that it gathers from its automated crawlers that are tasked with looking for malicious code on legitimate Web sites.

It would be nice if people would call this stuff Windows malware if it does not do anything to normal computers. Please Call out Windows, people.

Re:Virtual Fail Guy

[ByOhTek]

Given that most home computers run Windows, and a lot of business workstations as well, would Windows be a normal computer?

two words: false positives

[edxwelch]

i think google has to work on get rid of the huge amount of false positives. i remember at one point even opengl.org was blacklisted

Google Groups Spam

[CondeZer0]

This is all nice and great, but it is quite pathetic that they can't fix all the spam in Google gropus, and isn't like it is rocket science, when exactly the same message with the same spam-link gets posed to hundreds of groups.

Re:Google Groups Spam

[Nimey]

This. Most of the Usenet spam I've seen lately gets posted from DejaGoogle.

Re:Google Groups Spam

[Idbar]

The fact is that spammers
spammers can use a huge
number of techniques that the
the human brain may not be aware of.

Including random characters, or
properly repeating words, or simple
thypos [sic]. That makes harder for
spam to be tracked.

Let's say for example that most people
won't notice it says "the the human" up there.

URL Shortening

[DIplomatic]

I find it ironic that at the end of this article on sneaky web malware, there is a link to email a shortened URL.

Holes in Google malware detection

[Animats]

There's been considerable improvement. Google still has some holes in dealing with "malware", phishing, etc. But these are mostly obscure tricks used to get around Google's malware reporting. You can report the sites below over and over, but nothing happens, because Google's reporting system doesn't understand that these Google features are exploitable.

• Phony login site hosted on Google Spreadsheets. Yes, you can put a web page into a spreadsheet, and it doesn't seem to be checked for hostile code. Reported to PhishTank on February 19, 2010, and still up.
• Phony login site hosted on Google Groups. Try the "download" link there, and you'll get the phony login page, which seems to be hosted by Google Storage. Somebody figured out that they could store an HTML phishing page in Google Storage and make it publicly visible. Reported to PhishTank on February 13, 2020. and still up.

I'm pleased to notice that, at last, Google is no longer running ads for software for spamming Craigslist. Search for "craigslist auto poster tool". There used to be ads for programs for spamming Craigslist, and some of them even accepted payment through Google Checkout. (That last could lead to legal problems, since Google was not only advertising an legally questionable product, but taking a cut of the revenue.) That seems to have stopped. There are still ads for offshored services which manually spam Craigslist.

A drastic solution

[hardware1949]

Got Seals? SAS? or other retired special services men and women? It seems like they are a solution looking for a problem. It's hard to write malicious code with broken fingers, hands and arms. Oh wait, my bad for wanting to hurt the bad guys, because destroying peoples data and life histories are really just playful hi jinx.

Warning

User maintains more than a dozen sockpuppet accounts on Slashdot.

If you want something done right...

[gottabeme]

If you want something done right...? :) Hey, let me know too.