Google Purges Thousands of Malware Sites

Stony Stevenson sends in word on the most massive "SEO poisoning" seen to date. The attack was directed at Google in particular and resulted in tens of thousands of Web pages hosting exploits showing up on the first page of Google searches for thousands of common terms (PDF). Sunbelt Software blogged about the attack on Monday after investigating it for months. By Wednesday Google had removed tens of thousands of malware-hosting pages from its index.
  • by Albanach ( 527650 ) on Thursday November 29, 2007 @09:39AM (#21517055) Homepage

    Google can still screw you over
    That's another goatse link for those of you still sleepy at this time of the morning...
  • Re:BBC News piece (Score:5, Informative)

    by TubeSteak ( 669689 ) on Thursday November 29, 2007 @09:48AM (#21517137) Journal
    FTF Summary:

    Sunbelt Software blogged about the attack on Monday after investigating it for months.
    From Your BBC:

    "This was fairly epic," said Alex Eckelberry, head of Sunbelt Software - one of the firms that uncovered the attack.

    Mr Eckelberry said tens of thousands of domains, many based in China and only a couple of days old, were used in the vanguard of the attack.
    ...
    The booby-trapped websites were thought to be in operation for about 24 hours before Google began stripping them out of its search index.
    So which was it?
    Months of Google poisoning or just day(s)?
  • And what's SEO? (Score:3, Informative)

    by allcar ( 1111567 ) on Thursday November 29, 2007 @09:49AM (#21517151)
    For those of you, like me, who did not immediately recognise this TLA [wikipedia.org], it stands for Search Engine Optimization [wikipedia.org].
  • by Foolicious ( 895952 ) on Thursday November 29, 2007 @10:33AM (#21517595)
    ...if my eyes and brain RTFA correctly. I recognize Google is the big(gest) player, but it's not like the purveyors of fine malware focused exclusively on Google and Google alone. It's in TFA if you're willing to take a look-see.
  • Re:Sounds Good To Me (Score:5, Informative)

    by Andrew Nagy ( 985144 ) on Thursday November 29, 2007 @10:51AM (#21517841) Homepage Journal
    I'm probably too late on this discussion, but I thought something needed to be said. I work in online marketing (no, that doesn't mean I am a spammer) and I think this speaks volumes about what Google is hard-pressed to admit. The system can still be gamed. And it seems to me that no matter what Google does to improve their algorithm, the system will still be vulnerable to gaming.

    In part, I think this has to do with the oddness that is their ranking strategy. They want to find the most relevant sites for any given query. So they study online behavior and adjust their algorithm to reflect that behavior. At the same time, they publish "guidelines" on how webmasters should design their sites and link out/in. It seems like they're trying to influence how websites behave online and then say that they're picking up on the organic trends. But in the end, they generate the trends. And then they tell everyone how to do it. Because of this, the system will always be vulnerable.

    Until, that is, PigeonRank(TM) [google.com] is launched.
  • Re:BBC News piece (Score:5, Informative)

    by Alexeck ( 864216 ) on Thursday November 29, 2007 @11:05AM (#21518029)
    So which was it? Months of Google poisoning or just day(s)?

    It wasn't "months". I think that confusion came from a subsequent blog post we made where we talked about having tracked _comment spam_ bots for months. This attack was only a matter of days. A number of the domains involved, for example, were registered on the 24th or 25th of November.

    Alex Eckelberry
    Sunbelt
  • Re:BBC News piece (Score:5, Informative)

    by jrp2 ( 458093 ) on Thursday November 29, 2007 @11:36AM (#21518435) Homepage
    "The idiots who use Windows affect me indirectly which is really annoying since their computers are sending me spam and brute forcing my servers."

    The most common brute-force attacks I see on my IPS are ssh brute-force attacks coming from *nix servers that have been compromised. From what I understand, those ssh brute force attacks are highly effective.

    I am no fan of Windows either, but I think that might be a stretch to blame Windows for the bulk of brute-force attacks.

    Spam, absolutely.
  • by Animats ( 122034 ) on Thursday November 29, 2007 @01:57PM (#21520805) Homepage

    After reading this, I immediately checked to see if Google had fixed their open redirector. [google.com] No, they haven't, and there are six exploits of it listed in PhishTank. Google needs to turn that off. If they absolutely insist on having an open redirector, it needs its own subdomain, which is what Yahoo does. Then the subdomain can be blacklisted without collateral damage.

    Phishing via exploits of major sites is a big problem, but involves a small number of major sites. 168 major sites today. [sitetruth.com] The usual exploits are:

    • Phishing site web servers on DSL lines. Some ISPs are good at kicking these off, and some aren't as good. "bellsouth.net" has more entries in PhishTank than any other domain.
    • "Open redirectors", URLs that can be exploited to redirect to another site, like the Google URL above.
    • Web hosting services, especially free ones, sometimes find themselves hosting phishing sites.
    • "Web 2.0" sites which allow uploading of user content but don't check it for exploits. Photobucket is used by some phishers, who upload hostile ".swf" files.
    • Break-ins on legitimate sites, where, typically, some obscure page is hosting hostile content. When an ".edu" site shows up in our list, that's usually what happened.

    Out of 1.6 million domains in DMOZ, and over 10,000 phishes in PhishTank, only 168 domains are in both. So the number of sites that need to be fixed is small. In fact, some of those sites are already fixed, but the entries haven't been removed from PhishTank yet. (Hint: if you kill a hostile page on your domain, make it a 404 error; that gets the page out of PhishTank's "active and online" list automatically. Don't just change the content or redirect it somewhere else, or it stays in the tank until somebody rechecks it manually, which can take weeks.)

    For every site in the list, there's some competitor in the same business who isn't on the list. "Everybody has this problem" isn't a valid excuse any more. This is a useful point to make with management if you find your own company on the list.

    This list of 168 exploited sites is updated automatically every three hours. There's also a list of sites recently removed from PhishTank. "n-insanity.com", "tropmet.res.in", "wsjob.com" were dropped from the list today; they no longer have active, online entries in PhishTank. "gentlesource.com", "t35.com" (an eBay phish), "tilapia.com" (another eBay phish), and "uic.edu" (already fixed) were added; they just appeared in PhishTank. If you have any responsibility for a site on the list, please take steps to fix the problem. If you're not part of the solution, you're part of the problem.
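
The cross-check described in the comment above (a directory of legitimate domains intersected with active phishing URLs), as an added example that is not part of the original comment and not SiteTruth's or PhishTank's code. The domain set, the URLs and the function names are constructed for illustration, and the redirector test is a simple heuristic.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample data (not real DMOZ or PhishTank entries).
DIRECTORY_DOMAINS = {"example.com", "example.edu", "photos.example"}
ACTIVE_PHISH_URLS = [
    "http://www.example.com/url?q=http://login.phish.test/signin",
    "http://dept.example.edu/~old/page/verify.html",
    "http://photos.example/albums/u1/banner.swf",
    "http://203.0.113.7/bank/login.php",   # phisher's own server
    "http://notexample.com/secure/",       # look-alike, not a subdomain
]

def owning_domain(host, known):
    """Return the known domain that host equals or is a subdomain of."""
    host = host.lower().rstrip(".")
    for domain in known:
        # Require a label boundary so "notexample.com" does not match.
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def redirect_target(url):
    """Heuristic: host of an absolute URL in the query that differs from the URL's own host."""
    parts = urlsplit(url)
    for _, value in parse_qsl(parts.query):
        inner = urlsplit(value)
        if (inner.scheme in ("http", "https") and inner.hostname
                and inner.hostname != parts.hostname):
            return inner.hostname
    return None

def exploited_domains(phish_urls, known):
    """Map each known domain to (kind, url) for phishing entries under it."""
    hits = {}
    for url in phish_urls:
        domain = owning_domain(urlsplit(url).hostname or "", known)
        if domain:
            kind = "open-redirector" if redirect_target(url) else "hosted-content"
            hits.setdefault(domain, []).append((kind, url))
    return hits

if __name__ == "__main__":
    found = exploited_domains(ACTIVE_PHISH_URLS, DIRECTORY_DOMAINS)
    for domain, entries in sorted(found.items()):
        for kind, url in entries:
            print(f"{domain}\t{kind}\t{url}")
```
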
