Google to be Our Web-Based Anti-Virus Protector?

Posted by Zonk on Fri May 11, 2007 12:19 PM
from the oh-google-is-there-anything-you-can't-do dept.
cyberianpan writes "For some time now, searches have displayed 'this site may harm your computer' when Google has tagged a site as containing malware. Now the search engine giant is further publicizing the level of infection in a paper titled: The Ghost In The Browser. For good reason, too: the company found that nearly 1 in ten sites (or about 450,000) are loaded with malicious software. Google is now promising to identify all web pages on the internet that could be malicious - with its powerful crawling abilities & data centers, the company is in an excellent position to do this. 'As well as characterizing the scale of the problem on the net, the Google study analyzed the main methods by which criminals inject malicious code on to innocent web pages. It found that the code was often contained in those parts of the website not designed or controlled by the website owner, such as banner adverts and widgets. Widgets are small programs that may, for example, display a calendar on a webpage or a web traffic counter. These are often downloaded from third party sites. The rise of web 2.0 and user-generated content gave criminals other channels, or vectors, of attack, it found.'"
  • 1 in 10? (Score:3, Funny)

    by Xoltri (1052470) on Friday May 11 2007, @12:23PM (#19086275)
    When I was living at home my sister must've found every last one of them. She was terrible for breaking the computer.
    • Re:1 in 10? (Score:5, Funny)

      by hal2814 (725639) on Friday May 11 2007, @12:34PM (#19086549)
      Well most downloaded malware comes through online games and porn. Which one did your sister have a hankering for?
      • Re:1 in 10? by CasperIV (Score:2) Friday May 11 2007, @02:35PM
      • Re:1 in 10? by C0y0t3 (Score:1) Friday May 11 2007, @02:52PM
        • Re:1 in 10? by hal2814 (Score:1) Friday May 11 2007, @03:01PM
          • Re:1 in 10? by C0y0t3 (Score:1) Friday May 11 2007, @03:18PM
        • Re:1 in 10? by ChameleonDave (Score:2) Friday May 11 2007, @06:02PM
        • Re:1 in 10? by freakxx (Score:1) Friday May 11 2007, @08:11PM
      • Re:1 in 10? by nixkuroi (Score:1) Friday May 11 2007, @03:33PM
    • Re:1 in 10? by Kurrurrin (Score:3) Friday May 11 2007, @02:16PM
      • Re:1 in 10? by Jarjarthejedi (Score:1) Friday May 11 2007, @02:29PM
      • Re:1 in 10? by Kijori (Score:2) Friday May 11 2007, @02:48PM
      • Re:1 in 10? by Shinmizu (Score:2) Friday May 11 2007, @03:33PM
      • Re:1 in 10? by powerpants (Score:1) Friday May 11 2007, @04:07PM
  • aid and comfort to the enemy? (Score:1, Interesting)

    by fred fleenblat (463628) on Friday May 11 2007, @12:24PM (#19086301)
    Since most of this malware attacks windows machines, isn't google helping microsoft more than it's helping linux or apple?
  • Only works through Google now... (Score:4, Interesting)

    by cyberianpan (975767) on Friday May 11 2007, @12:26PM (#19086331)
    This is potentially a very useful service, but not all URLs we visit are from Google searches; some we still type in, others come as links from pages. However, could we soon expect a Firefox add-in that will filter all HTTP requests through Google? So then our new overlords will indeed know everything about our web habits?
  • be blocked?

    It found that the code was often contained in those parts of the website not designed or controlled by the website owner, such as banner adverts and widgets.
    Wouldn't it be far better to have safer browsers than to shut out (as many people or their organizations will do) 10% of the web?
  • Pros and Cons (Score:5, Interesting)

    by PixieDust (971386) on Friday May 11 2007, @12:26PM (#19086347)
    I can see a lot of Pros and Cons to this. While certainly it's good that such a major player is taking an active and aggressive stance on this, I think it's also going to cause a lot of people to have a false sense of security. And while this only affects users who search for pages (and that is a LOT of traffic), it's still going to bring the question to some users "Google tells me if a site is dangerous, what do I need malware protection for?"

    I surf almost exclusively in Windows, using IE (IE6 + XP Pro on Desktop, IE7 + Vista on laptop) with no protection, and I've not had an issue with malware in years. But most people's browsing habits aren't quite like mine.

    One other effect I can see this having, is let's say www.bigcompanyhere.com gets tagged as being potentially harmful. Now Google has done them a favor by alerting them to a security problem, which they can then address, and are likely to do so much quicker to try and minimize damage to their image.

    I'm fairly interested to see how this plays out.

    • Re:Pros and Cons by Radon360 (Score:3) Friday May 11 2007, @12:58PM
    • Re:Pros and Cons by Jarjarthejedi (Score:3) Friday May 11 2007, @01:05PM
      • Re:Pros and Cons by kevlarcowboy (Score:1) Friday May 11 2007, @01:13PM
      • Re:Pros and Cons by Edward Kmett (Score:2) Friday May 11 2007, @01:28PM
      • Re:Pros and Cons (Score:4, Insightful)

        by fuzz6y (240555) on Friday May 11 2007, @02:22PM (#19088463)

        . . . even if they fix the minor problem that google flagged for them?

        minor problem my foot. Your notion that bigcompanyhere.com is entitled to grandma's money even if they're peddling spyware is ridiculous. Google gave grandma exactly what she wanted: a place to buy a widget without getting 0wn3d. The fact that they did no favors for bigcompanyhere.com is of no concern to her. Or me.

        I wouldn't be surprised if they (google) began offering "consulting" fees to remove the malware that google flagged from the companies site quickly

        I would be very surprised indeed. They don't offer consulting fees to get you back on the gravy train after you got penaltyboxed for purveying spam links

        Their job should not be to tell people where to search but rather to let them go where they want to go.

        Spyware central isn't where I want to go, even if they sell the cheapest RAM by four cents. Google, of course, is working for their shareholders and get paid by their advertisers, but they have a vested interest in keeping the searchers happy so the advertisers will keep paying them. The people whose sites are included in the results don't have some God given right to be on the first page so they can make money. Nevertheless, google has always tried to walk the tightrope between being overrun by crappy keyword farms and kicking out legitimate sites.

    • Re:Pros and Cons by digitig (Score:2) Friday May 11 2007, @02:40PM
    • Re:Pros and Cons by VariableGHz (Score:1) Saturday May 12 2007, @01:38AM
    • Re:Pros and Cons by PixieDust (Score:2) Saturday May 12 2007, @09:26AM
  • Already being done (Score:5, Informative)

    by zappepcs (820751) on Friday May 11 2007, @12:27PM (#19086361)
    (Last Journal: Friday May 18, @11:07AM)
    McAfee SiteAdvisor already does this for Google search results pages. This is nothing new. It's a FF extension and works well, though lately it has pointed out that proxy servers are trying to steal my identity when I try to use them.
  • Informing webmasters (Score:5, Insightful)

    by truthsearch (249536) on Friday May 11 2007, @12:28PM (#19086381)
    (http://seenonslash.com/ | Last Journal: Friday May 11 2007, @04:02PM)
    Instead of just flagging sites for users, they should first add the detailed information to the Google Webmaster Tools. If it's third party software that's the problem inform the webmasters (at least those who use Google's tools) so they can take it down. Granted, it's their own fault for using third party software without enough investigation, but let them fix the problem before they're flagged for end users.
  • Huh (Score:5, Funny)

    I browse the internet on my Linux box, running OS X with MacOnLinux. On OS X I run VMWare player hosting FreeBSD, where I have all the options turned to OFF. That runs Firefox, which connects to a web-2.0 version of Lynx. I use this to connect to another site which manually lets me enter netcat commands and read the result.

    My only complaint is that the pirates at Macrodobe STILL won't support my platform of choice! When will there be a flash player for people like me!
    • Re:Huh by rthille (Score:3) Friday May 11 2007, @02:11PM
    • Re:Huh by joe 155 (Score:2) Friday May 11 2007, @03:07PM
  • Excuse me ... (Score:3, Funny)

    Of course Google can protect us against everything and everyone (except the IRS, acne and that kid on the bike in Better Off Dead). They can do anything they say they can do ... and even stuff that they haven't thought of yet.

    Google is good, Google is great, and Google can do no wrong. Where on Earth did I ever get that pearl of wisdom? I read it on the internets, of course ... on some site that rhymes with froogle.
  • right.. (Score:5, Funny)

    by mastershake_phd (1050150) on Friday May 11 2007, @12:31PM (#19086471)
    (http://freedomsforums.com/)
    It found that the code was often contained in those parts of the website not designed or controlled by the website owner, such as banner adverts and widgets.
     
    So google is going to protect us from webpages that use less than reputable advertising and widget services. Hmm, maybe google should go into the advertising and widget service, oh wait...
  • Useful, if reliable, but not 100% (Score:4, Interesting)

    by Bearhouse (1034238) on Friday May 11 2007, @12:32PM (#19086483)
    Some people don't like, or cannot use, Firefox or Opera, plus sensible add-ons such as anti-phishing plug-ins, noscript...

    For example, one of my (very big) corp. customers is still running IE 7...

    When I challenged the support guys about this, they said 'that's OK, we detect & block most things at the firewall'...

    *sigh*

    When I pointed out that:
    1. That's bullshit.
    2. Lots of their managers travelled, and surfed the net via unsecure methods like hotels using proxy servers, public wifi, they said 'that's OK, they can only access the intranet and internal mail via VPN'.

    *double sigh*

    So now I advise people not to click on URLs directly, or type them in, but go via Google. It's better than nothing...
  • From the article,

    The user is presented with links that promise access to 'interesting' pages with explicit pornographic content, copyrighted software or media.
    In other words, the people who have their computers hacked are those looking for trouble in the first place (although I have to admit that I don't consider porn trouble but I bet most of these problematic sites are serving copyrighted material anyways.) I guess you get what you pay for!
  • Five second answer (Score:2)

    by guerby (49204) on Friday May 11 2007, @12:33PM (#19086519)
    (http://guerby.org/blog/)
    Just display something different (that is, hide malware) when googlebot comes on your website.
  • end-users, man (Score:4, Insightful)

    by Skadet (528657) on Friday May 11 2007, @12:33PM (#19086521)
    (http://slashdot.org/)

    It found that the code was often contained in those parts of the website not designed or controlled by the website owner, such as banner adverts and widgets.
    These days, almost nothing is designed by the website owner. Unless you're coding your own html/php/asp/perl/ruby/python or at the very least peruse the source code of the widgets you download to make sure there's nothing bad in there, you're just another end-user. And so this is not unexpected. End-users are the ones that "CL1CK TH3 PURPL3 M0NK3Y F0R ELEVENTY M1LL10N DOLLERZZZZ!!!" and install all sorts of crazy stuff on their machines. (Rabbit trail: one of my clients many years ago actually ASKED me to install the infamous purple monkey for him because he liked the text-to-speech). Whether it's on the desktop or on the web, people who will install anything without even a hint of research will continue to spread computer-borne diseases. It's one of the reasons I hate MySpace. What 13-year-old girl isn't going to think sparkly, smiling unicorns aren't cute? Of COURSE they're going to spread them around, even though they're attached to a malicious website.
  • 450,000? (Score:5, Informative)

    by rueger (210566) on Friday May 11 2007, @12:34PM (#19086539)
    (http://www.threesquirrels.com/)
    Sigh, are basic editorial skills too much to ask here? (I know, it's a rhetorical question).

    TFA does not say that "the company found that nearly 1 in ten sites (or about 450,000) are loaded with malicious software." This implies that there are a total of less than a half million sites that pose a risk.

    It said that of the 4.5 million pages examined, "about 450,000 were capable of launching so-called "drive-by downloads"..."

    It also notes that "A further 700,000 pages were thought to contain code that could compromise a user's computer, the team report."

    The problem is probably quite a bit larger than presented in the summary, even if one ignores the confusion between "sites" and "pages".
  • Confusing title (Score:3)

    by Bearhouse (1034238) on Friday May 11 2007, @12:38PM (#19086633)
    "Our Web-Based Anti-Virus.."

    Is this not based more at phishing scams, trojans and other exploits, rather than just virii?

    What's the main source of virus infections? Anybody got some research?

    I'm guessing it's swapping infected files, not visiting pr0n sites...

  • What I'd like to know (Score:3, Interesting)

    by MikeRT (947531) on Friday May 11 2007, @12:39PM (#19086645)
    (http://www.codemonkeyramblings.com/)
    Is how they plan on allowing sites to redeem themselves or explain why they had the software there in the first place. If some spammer embeds some malware in a comments section, and you later find it and clean it up, will you be able to get back into Google's good graces?
  • 10% number misleading (Score:5, Insightful)

    by Orinthe (680210) on Friday May 11 2007, @12:44PM (#19086745)
    It should be noted that the 10% of the web number is somewhat misleading--some comments seem to think it implies that 1 in every 10 pages one visits are likely to contain malware, or the like. Chances are, most of these pages are not worth visiting. This isn't 1 in every ten pages on yahoo.com or cnn.com, it's probably more like 8 in 10 pages on freekiddiepornplz.com and piratewarezserialzhackz.tv.
  • Ghost in the Browser? (Score:3, Funny)

    by PlayItBogart (1099739) on Friday May 11 2007, @12:45PM (#19086785)
    Is that anything like Ghost in the Shell?
  • by smitty97 (995791) on Friday May 11 2007, @12:54PM (#19086945)

    the company found that nearly 1 in ten sites (or about 450,000)
    Let me get this straight.. 1. there are only 4,500,000 web sites, and 2. 37% of them [google.com] have 09-f9-11... on them?
  • Its inclusion of StopBadware project that Google started in 2005. It also has WebSense as its partner now.. http://web-software.broadbandindia.com/2007/03/stopbadware-inducted-in-googles-engine.html [broadbandindia.com]
  • by Animats (122034) on Friday May 11 2007, @12:55PM (#19086989)
    (http://www.animats.com)

    Here's the actual paper. [usenix.org] It's a Usenix paper.

    What they're doing is straightforward, and it's much like what many virus scanners do. First, they look at web pages to see if there's anything suspicious that requires further analysis. If there is, they load the page into Internet Explorer (of course) in a virtual machine, and see if it changes its environment. The better virus scanners have been doing something like that for a few years now, running possible viruses in some kind of sandbox. Although they usually don't go all the way and run Internet Explorer in a virtual machine. (Are you allowed to do that under Microsoft's current EULA for IE 7?)

    The main problem with Google's approach here is that it's after the fact. They won't notice a bad page until the next time they crawl it. Bad pages come and go so fast today that they'll always be behind. As the paper says, "Since many of the malicious URLs are too short-lived to provide statistically meaningful data, we analyzed only the URLs whose presence on the Internet lasted longer than one week."

    If Google implements this, the main effect will be to push attackers into changing site names for attack sites even faster.

    It's all so backward. What we need is to run most of Internet Explorer in a tightly sandboxed environment on the user's machine, so that when you close the window, any browser damage goes away. That would actually work.

  • by packetmon (977047) on Friday May 11 2007, @12:56PM (#19086993)
    (http://www.infiltrated.net/)
    I once wrote a document called Ghost in the Shell [google.com] which dealt with crypto/stego. I wonder if I can sue Google for stealing the concept name in order to pay back the anime producer who will sue me after they get wind of it..
  • Woohoo! (Score:1)

    by retro77 (1097467) on Friday May 11 2007, @12:57PM (#19087041)
    Good! Now I can finally get that copy of Vista without getting all the spyware....just kidding....I don't condone software piracy...
  • Easy to defeat? (Score:5, Interesting)

    by 140Mandak262Jamuna (970587) on Friday May 11 2007, @12:59PM (#19087079)
    (Last Journal: Wednesday October 31, @08:33AM)
    The malicious websites just have to skip the malicious code when the user agent string is google crawler. Are they going to change the user agent string? Will it be considered pretexting (the euphemism for impersonating)?
  • This is a good step, but not enough (Score:2, Interesting)

    by zukinux (1094199) on Friday May 11 2007, @01:00PM (#19087089)
    (http://www.hd-dvd.co.il/ | Last Journal: Thursday September 27, @01:01PM)
    It's very nice from Google or any other company to do so. But I think the solution is to teach people to surf smarter! I.e., when they think they want to download a movie, there's no way to download .exe file! It's just plain stupidity. People need to read the messages they pop before they click yes on every message like: By Clicking yes 1Click-weather-adware-traybar will be installed.
    One day people will learn to surf smarter, meanwhile, we will help them become smarter.
  • Pardon my cynicism, but.... (Score:4, Insightful)

    by mblase (200735) on Friday May 11 2007, @01:24PM (#19087483)
    the Google study analyzed the main methods by which criminals inject malicious code on to innocent web pages. It found that the code was often contained in those parts of the website not designed or controlled by the website owner, such as banner adverts and widgets

    I am shocked, SHOCKED, to discover that a company that makes money selling ads on other websites would want to highlight malware-spouting ads by other companies.

    Yes, I agree that identifying these ads is a Good Thing. No, I don't think publicly-traded Google's intentions are entirely noble.
  • by madsheep (984404) on Friday May 11 2007, @01:26PM (#19087521)
    (http://www.securityzone.org/)
    Regardless of whether or not this provides a "false sense of security" it is a good idea. It would certainly be better than nothing. It won't really provide a false sense of security any more than a phishing tool bar, antivirus software, or e-mail filtering. Right now people search for stuff on Google and click the link. There is no false sense of security. People are already assuming the websites are safe. If Google steps in and says "hey, this site isn't safe", then at least people have advance notice and choice.

    I see references to common things like widgets, but I don't see that as the most commonly attacked/exploited part of websites. Sure it's a real issue and is common (yes AdSense was hit with this kind of attack), but I hope they look for a lot more. One of the most common these days are the surprise addition to website sources of iframes with widths of 0. Or new and sudden references to .js files or new obfuscated JavaScript. If they look for all of this and possibly analyze/process it, they can go a long way to stop this type of malware. This feature if implemented correctly is a win for everyone on the Internet... well except the bad guys. :)
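The checks described in the comment above (zero-width iframes, sudden new .js references, new encoded inline JavaScript), written as a site owner's comparison of a known-good copy of a page against its current copy. This is an added example, not part of the original post and not Google's method; the page contents, the `.example` hosts and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

ZERO_DIM = re.compile(r"^\s*0+\s*(px|%)?\s*$", re.I)
HIDING_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?<![\w-])(width|height)\s*:\s*0+\s*(px|%)?\s*(;|$)", re.I)
DECODE_CALL = re.compile(r"\b(eval|unescape|document\.write)\s*\(")
ESCAPE_RUN = re.compile(r"(?:%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}){8,}")

def is_hidden(attrs):
    """True when an element is sized to zero or hidden through inline CSS."""
    if any(ZERO_DIM.match(attrs.get(d, "")) for d in ("width", "height")):
        return True
    return bool(HIDING_CSS.search(attrs.get("style", "")))

class EmbedCollector(HTMLParser):
    """Collects hidden iframes, script sources and inline script bodies."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.hidden_iframes, self.script_srcs = set(), set()
        self.inline_scripts, self._in_inline = [], False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        # Resolve relative and protocol-relative sources against the page URL.
        src = urljoin(self.page_url, a["src"].strip()) if a.get("src") else ""
        if tag == "iframe" and is_hidden(a):
            self.hidden_iframes.add(src)
        elif tag == "script" and src:
            self.script_srcs.add(src)
        elif tag == "script":
            self._in_inline = True
            self.inline_scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False

    def handle_data(self, data):
        if self._in_inline:
            self.inline_scripts[-1] += data

def snapshot(html, page_url):
    collector = EmbedCollector(page_url)
    collector.feed(html)
    collector.close()
    return collector

def review_change(baseline_html, current_html, page_url):
    """Report embeds present in the current copy but absent from the baseline."""
    old, new = snapshot(baseline_html, page_url), snapshot(current_html, page_url)
    known_hosts = {urlparse(u).hostname for u in old.script_srcs}
    known_hosts.add(urlparse(page_url).hostname)
    new_scripts = sorted(new.script_srcs - old.script_srcs)
    return {
        "new_hidden_iframes": sorted(new.hidden_iframes - old.hidden_iframes),
        "new_scripts": new_scripts,
        "new_script_hosts": sorted(
            {urlparse(u).hostname for u in new_scripts} - known_hosts),
        # Inline script that both decodes/writes and carries a long escape run.
        "new_encoded_inline": [
            s.strip() for s in new.inline_scripts
            if s not in old.inline_scripts
            and DECODE_CALL.search(s) and ESCAPE_RUN.search(s)],
    }

# Constructed sample pages; the encoded string decodes to "hello world".
PAGE_URL = "https://shop.example/index.html"
BASELINE = """<html><body>
<script src="/js/site.js"></script>
<iframe src="https://maps.example/embed" width="400" height="300"></iframe>
<script>document.write("hello");</script>
</body></html>"""
CURRENT = BASELINE.replace("</body>", """
<iframe src="http://counter.example/t" width=0 height=0></iframe>
<iframe src="/promo.html" style="min-width:0; visibility:hidden"></iframe>
<script src="//stats.example/c.js"></script>
<script>document.write(unescape("%68%65%6c%6c%6f%20%77%6f%72%6c%64"));</script>
</body>""")

if __name__ == "__main__":
    for finding, values in review_change(BASELINE, CURRENT, PAGE_URL).items():
        print(finding, values)
```

Comparing against a baseline rather than scanning one copy in isolation is what separates a legitimate analytics include from a "surprise addition"; the findings are prompts for review, not verdicts.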
  • Great. (Score:1, Funny)

    by dogbrt (913020) on Friday May 11 2007, @01:41PM (#19087801)
    I've always wanted protection from those dreaded Anti-virus software.
  • robots.txt (Score:2, Insightful)

    by _bug_ (112702) on Friday May 11 2007, @02:14PM (#19088343)
    (Last Journal: Friday January 09 2004, @05:29PM)
    What about malicious sites (fake login pages) that disallow indexing/crawling via meta tags or robots.txt. If Google still searches/indexes that page then they break the rules for crawlers/bots and how does that reflect on them?

    Also, what about content that's delivered on pages that require you to login first (portal, message boards, etc..). These are areas a crawler is not going to get to and completely miss.

    Going back to the fake login pages bit, unless Google can index every site every day these fake login pages will be up and down long before the crawler reaches them.

    The speed with which web-based worms, fake logins, viruses, etc.. spread is probably far far greater than the cycle time for Google to crawl the malicious site in question.

    Where I could see some real value here is in using Google to detect vulnerabilities in existing sites (publicly available documents with sensitive information like CCs, open directories with long lists of mp3s or large videos, simple phrases that indicate some web vandal has hit the site like "X was here" or "hacked/owned/pwnd by X" etc.). Focus on giving web developers a tool to evaluate their own site from a security perspective rather than worrying about the end user. Google's infrastructure really isn't built to work like that.
  • False positives? (Score:1, Informative)

    by Anonymous Coward on Friday May 11 2007, @02:22PM (#19088477)
    And how is Google going to handle false positives?

    I'm a lot less enthusiastic about this as Gmail is rejecting my home IP, because "Our system has detected an unusual amount of unsolicited mail originating from your IP address."

    I've checked and monitored my Linux box. I'm not sending spam. Personal mail would be 0 to 5 a day to Gmail addresses. I've had this DHCP issued IP since at least February, so it's not an inherited problem. I contacted Google as a Gmail customer two weeks ago (there's no direct way to contact them) and gave them all the relevant detail so we can fix it, and have been sending a test message to my Gmail account once a day since.

    I've heard bugger-all from Google. The daily test messages are rejected. Two of the "rejected" messages have gone through a day later.

    Search for 'Google is blocking my IP' & similar reveals I'm hardly alone. So yeah, no. With Gmail they've proven they're not perfect, yet don't provide support to clear up the inevitable mistakes. So I'm not enthusiastic about further censorship by them.
  • by br0d (765028) on Friday May 11 2007, @03:17PM (#19089407)
    (http://www.boole.org/)
    Works to some extent, takes a lot of maintenance and user participation, has falses, pisses off some innocent people whose sites get compromised and then added to the list, requires effort to get taken off the list. stopbadware.org is a partner with google and I think it's a great idea, but it's going to require a ton of maintenance and will not end up being the sort of thing that uses few enough resources to continue out of the goodness of one's heart, so partnering with Websense is smart. They already have over 77000 hosts listed on their site, and that is likely to keep going up and up.
  • by glindsey (73730) on Friday May 11 2007, @03:22PM (#19089485)
    So, are they going to point out all of the scam/spam/malware pages in their "Sponsored Links"? Hell, even searching for "Google Earth" turns up five pages purporting to be the download location, pages which no doubt either make their money from ads, or encase the download in absolute spyware hell.
  • So this helps redress the balance.

    What a great idea.
  • by wwmedia (950346) on Friday May 11 2007, @04:02PM (#19090117)
    (http://www.footballfans.tv/)
    I'm not being paranoid, but now if, let's say, your site doesn't conform to "google" standards they can just label your site as spyware?! I can see it now: goes and types http://live.com/ [live.com], google toolbar pops up "this site is marked as malware, blah blah". Great way to take out your competition and extend own monopoly!
  • Type "SOLF" into google, it brings up solarfun's web page, this is a company I have invested money into!!! This does not look good, at least I sure hope it's accurate, I emailed the PR and IR people. Still, if it's not right, then it could cause damage, or suppose someone wanted to sabotage your business, is there some way they can make google warn people to not even visit the site as a way of corporate sabotage? Terrible for business (at SOLF at least)!! JEff
  • by notaprguy (906128) * on Saturday May 12 2007, @12:51AM (#19093715)
    Google will take care of us. Not to worry. They don't do evil...as long as you watch their ads. Just don't ask questions or break their NDA's. Then you're fucked.
  • This opens them up to a lot of liability. They get a site wrong and it loses business, they will have defamation claims, interference in business claims... their legal team will be plenty busy.
  • by ErGalvao (843384) on Saturday May 12 2007, @07:16AM (#19094845)
    (http://www.galvao.eti.br/ | Last Journal: Monday March 19 2007, @06:06AM)
    Does someone know where I can find the paper? I've run a research on Google, but oddly none of the results is from Google itself...

    TIA,
  • Super Google? (Score:1)

    by Anivair (921745) on Saturday May 12 2007, @03:04PM (#19098225)
    I'm not sure that I have faith in google's ability to do this, but I do admire the intent.