Google's Research on Malware Distribution 83
GSGKT writes "Google's Anti-Malware Team has made available some of their research data on malware distribution mechanisms while the research paper[PDF] is under peer review. Among their conclusions are that the majority of malware distribution sites are hosted in China, and that 1.3% of Google searches return at least one link to a malicious site. The lead author, Niels Provos, wrote, 'It has been over a year and a half since we started to identify web pages that infect vulnerable hosts via drive-by downloads, i.e. web pages that attempt to exploit their visitors by installing and running malware automatically. During that time we have investigated billions of URLs and found more than three million unique URLs on over 180,000 web sites automatically installing malware. During the course of our research, we have investigated not only the prevalence of drive-by downloads but also how users are being exposed to malware and how it is being distributed.'"
Odd number presentation (Score:1, Interesting)
Google itself? (Score:3, Interesting)
Re:And what platform does the malware run on? (Score:5, Interesting)
I found it quite interesting that the methodology of the research doesn't even bother to check sites with Mac OS X or Linux operating systems. But on the server side, Apache websites running outdated versions of PHP were singled out for comment.
In all there were twice as many compromised IIS servers as Apache, but fully 50% of all compromised Apache servers were running some version of PHP.
It was also interesting to note that computer-related websites ranked second only to social networking sites as most likely to be compromised with redirections to malware sites. Seems we might want to tone down our holier-than-thou rhetoric. 8^)
Maybe Goole should delist a few sites. (Score:5, Interesting)
zero script policy for serious web use (Score:3, Interesting)
I have to observe a cast iron policy in my work. It means that quite a few sites on the internet are unavailable, but since they are mostly entertainment based it isn't a serious loss. No Javascript, no ActiveX, no Macromedia Flash. My activities are limited to viewing HTML and PDFs, even animated GIFs are blocked. In many years we have had no malware incidents (that I know of). Sometimes it's absolutely necessary to view a site containing potentially insecure content, so there is a "dirty machine" which is not allowed to connect to anything else and is wiped and reinstalled weekly.
The problem is that even serious academic and scientific sites (that should know better) are starting to add Flash plugins and heavy scripting, so it's getting hard for conscientious users to maintain security even where they want to. Insecure technology is being forced upon us by the site developers.
It would be nice if Google could display whether a site needs JavaScript, Flash or whatever and be able to search for HTML only content. The difficult way is to use Google Cache in text only mode of course.
Be careful what you ask for (Score:2, Interesting)
I wonder if Google has ever considered a moderation system, allowing logged-in Google users to rank the results of their searches on a random and infrequent basis. It would be easy enough to have the "click here to open" link change to a "click here to open, and open survey in new tab/window" if the user said they were willing to moderate search results.
If a page got a bad "reputation" for a given search, its rank would go down for that particular search.
If a page got a bad "reputation" as a malware haven, link farm, or other abusive page, that page would be punished.
If a page got flagged as "illegal content" Google would drop the comment with a note saying "We are not the police, but please contact your local or national police. Click here for a list of national police web sites worldwide."
If a page got flagged as a copyright violation, Google would drop the comment with a note saying "We are not in the business of enforcing private court actions. To find a copyright attorney, click here."
so how about releasing this data? (Score:0, Interesting)
Re:Google itself? (Score:3, Interesting)
Google Malware team. (Score:3, Interesting)
Re:Google itself? (Score:3, Interesting)
Further, the argument about the name seems frivolous. Expecting a non-technical user to even realize that their error pages are being changed in the first place is stretching it; to suggest that the program could somehow name itself in such a way that a non-technical user would know what it did is ridiculous. If you know about the problem, the name is as good as any I could come up with, and certainly better than anything that could properly be called "spyware".
Finally, the article would be 1/3 the length, but he's too busy talking about how he's so morally superior. Granted, OpenDNS is an awesome service that I recommend wide and far, but the fact that he's fixing the problem is enough to show most people that.
Re:Be careful what you ask for (Score:3, Interesting)
Re:Maybe Goole should delist a few sites. (Score:3, Interesting)
I remember years ago that hosts used to have a "no porn" in there service agreements, for fear that their IP block might get blacklisted, Now we often run into the same thing due to virtual hosting, blocking one IP address might knock a 100 websites off the internet. Of course with China some of it may be the government trying to implant surveillance Trojans
Nice plug for Google: (Score:3, Interesting)
Did you catch the above line in their article?
The choke point: distribution sites (Score:2, Interesting)
In the 10 months of data the researchers used, Google found 9,340 distribution sites. The other 180,000 sites simply redirect you to the the distribution site, which is where you download the malware.
It gets better - those 9340 distribution sites are under the aegis of only 500 autonomous systems. [wikipedia.org] Which means Google could send their list to those 500 AS's - and each would have (on average) around 20 malware sites to clean up. After this, Google could keep notifying AS's of the distribution sites found (less than a thousand a month).
Looks like a very measurable and approacheable problem now! I can't wait for Google's spam report. (They are working on one, aren't they?)