Forgot your password?
typodupeerror
Security Businesses Google The Internet

Google's Research on Malware Distribution 83

Posted by Soulskill
from the making-a-mountain-out-of-a-really-big-piece-of-rock dept.
GSGKT writes "Google's Anti-Malware Team has made available some of their research data on malware distribution mechanisms while the research paper[PDF] is under peer review. Among their conclusions are that the majority of malware distribution sites are hosted in China, and that 1.3% of Google searches return at least one link to a malicious site. The lead author, Niels Provos, wrote, 'It has been over a year and a half since we started to identify web pages that infect vulnerable hosts via drive-by downloads, i.e. web pages that attempt to exploit their visitors by installing and running malware automatically. During that time we have investigated billions of URLs and found more than three million unique URLs on over 180,000 web sites automatically installing malware. During the course of our research, we have investigated not only the prevalence of drive-by downloads but also how users are being exposed to malware and how it is being distributed.'"
This discussion has been archived. No new comments can be posted.

Google's Research on Malware Distribution

Comments Filter:
  • by Anonymous Coward
    During that time we have investigated billions of URLs and found more than three million unique URLs on over 180,000 web sites automatically installing malware 180,000 out of billions doesn't seem like a lot to me.
    • Read it again (Score:5, Insightful)

      by EmbeddedJanitor (597831) on Sunday February 17, 2008 @07:03PM (#22457242)
      There are three million bad URLs being served off 180,000 web sites.

      Three million out of billions is not bad, assuming randomness (only, say 1 in 1000 chance of using a bad URL), but it is a lot worse than 180k out of billions.

      However not all URLs are used equally. Bad URLs linked to some popular pron site, for instance, will get hit a lot more than Joe Sixpack's facebook site.

      • Re: (Score:2, Insightful)

        by Anonymous Coward
        Also, it would likely be inaccurate to assume uniform randomness for the appearance of those pages in search results. They are likely optimized to turn up for very popular queries with every SEO [wikipedia.org] trick available. So it's still 3 million out of billions, but those 3 million likely get significantly more than traffic than an average page.
      • How does that insight fit into '1.3% of Google searches'? I find 1.3% a disturbing figure considering that a lot of people don't even know to handle a back and forward or even a stop button on there browser. More and more people connect without much more knowledge then starting up a browser screen and surfing from google or the (TRUE) history bar. So instead of responding to this kind of news from our own Geeky horizon we should try to keep an eye on the whole picture here. In this case the fact that crimin
  • by Anonymous Coward
    As if we need to ask.
    • by grcumb (781340) on Sunday February 17, 2008 @07:13PM (#22457308) Homepage Journal

      I found it quite interesting that the methodology of the research doesn't even bother to check sites with Mac OS X or Linux operating systems. But on the server side, Apache websites running outdated versions of PHP were singled out for comment.

      In all there were twice as many compromised IIS servers as Apache, but fully 50% of all compromised Apache servers were running some version of PHP.

      It was also interesting to note that computer-related websites ranked second only to social networking sites as most likely to be compromised with redirections to malware sites. Seems we might want to tone down our holier-than-thou rhetoric. 8^)

      • Re: (Score:3, Informative)

        by mrxak (727974)
        There's a lot more servers out there running old versions of PHP than the very latest.
    • Re: (Score:2, Insightful)

      x86
      • Re: (Score:1, Offtopic)

        by dwater (72834)
        how did this get modded 'insightful'?

        It's at most 'funny'. Clearly the gp meant one of the various 'Microsoft' operating systems as a platform, so the parent deliberately misunderstood it...

        I don't get 'insightful' anywhere in that.
  • Now then... (Score:3, Funny)

    by Bluewraith (1226564) on Sunday February 17, 2008 @06:51PM (#22457156)
    Where is the page listing each of the bad sites? I'd like to get started on my Virus Aquarium [xkcd.com]
  • Google itself? (Score:3, Interesting)

    by XanC (644172) on Sunday February 17, 2008 @06:53PM (#22457174)
    Did Google consider itself to be a source of malware? http://blog.opendns.com/2007/05/22/google-turns-the-page/ [opendns.com]
    • by maxume (22995)
      Did you read the article? What Google and Dell are doing is irritating, but the article goes from 'the program has an obscure, confusing name' directly to 'it is hard to uninstall'. If there is an uninstall entry, it isn't hard to uninstall, and if it uninstalls properly, then it isn't misbehaving.

      It's certainly crapware, but I'm not real sure it is malware, and there is some sort of useful difference there(I guess, crapware is software that behaves reasonably and is installed with no consideration towards
      • Re: (Score:3, Interesting)

        by _merlin (160982)
        I'd say it falls into the same category as WGA: borderline malware. The name "Browser Error Redirector" doesn't make its purpose clear to a non-technical user; it sends information to a third party without user confirmation; it is installed without user consent. The information it sends to a third party may be innocuous, and it may be possible to uninstall, but it's still far from respectable.
        • Re:Google itself? (Score:4, Insightful)

          by moderatorrater (1095745) on Sunday February 17, 2008 @08:56PM (#22457948)

          The name "Browser Error Redirector" doesn't make its purpose clear to a non-technical user
          I would argue that there is no way to make its purpose clear to the non-technical user without using at least a full sentence, probably a paragraph. For those who are familiar with the concept of error page redirection in the first place, it's a very adequate description, very honest and the first thing I would suspect once I realized there was a problem. If it had been "Browser Helper" or "DNS Accelerator" or "Bonzai Buddy" then arguing that the name wasn't clear would be applicable; as it is, it's a specific name for a specific condition that doesn't hide what it is.
          • I would argue that there is no way to make its purpose clear to the non-technical user without using at least a full sentence, probably a paragraph.

            They why don't they do it? It's easy to add a long descriptive paragraph in the control panel's ad/remove list. Case closed.

            I don't agree that "redirector" more or less on its own is an apt description however, because the ultimate purpose is to show ads to web surfers, and redirection is a generic mechanism.

            Any apt description should have to inclu

    • Re: (Score:3, Interesting)

      I read that article, and honestly, it comes off as someone trying to sound smart who really isn't. "Spyware" (used in the article) isn't the term for something that changes the behavior of the computer; it would be applicable if the software reports back to google about the browsing habits, but this isn't what's described in the article. It should be considered "malware" or "adware."

      Further, the argument about the name seems frivolous. Expecting a non-technical user to even realize that their error pages
  • by budgenator (254554) on Sunday February 17, 2008 @07:25PM (#22457378) Journal
    It occurred to me that if Google started desisting sites that tried to implant malware into visitors computers, then webmasters would be much more diligent about keeping the crap off their sites, or at least keep a few more hapless victims out of harm's way.
    • by Anonymous Coward
      I have seen search results on Google that show a warning that the site is known to contain malware. Perhaps they just censor the listings outright in other countries though.
    • They have an initiative already with StopBadware [stopbadware.org], there's a quick article [lifehacker.com] here.

    • by dwater (72834)
      Did you notice that it says that most offending sites are hosted in China?

      I think this is kind of interesting. Who hosts sites *in China* that are meant for viewers outside of China? I guess there might be some sites, but not many, I think.

      Also, very few Chinese people use Google, so if Google started taking out 'offending' sites from it's search results then very few people would be affected.

      In fact, it seems to me that only good can come if they do so. Very few people use Google to find sites hosted in Ch
      • If Google were willing to lose China as a market, they'd have refused to cooperate with Chinese censorship of Google results.

        The China sites doubtless includes lots of rootkitted servers, and an active market in rootkitting people's computers and selling their time for spamming and other illegal activities.
        • by dwater (72834)
          Eh?

          Their Chinese search web site already returns different results to their US one.

          I guess my point is that they can still list infected sites in the results on their Chinese search engine, but remove them from everyone else's, and by doing so they'd not affect too many people in a negative way but have a more significant impact in a positive way.

          This still supposes that:

          1) the sites in question are hosted in China for a Chinese audience,
          2) visitors from outside China are there by accident because the sites
          • China remains one of the largest providers of email spam and fraudulent miracle cures and scams worldwide. As such a contributing host, and with Chinese legal authority poorly educated and frankly uninterested in punishing web and email fraud, it remains an email and webhost fraud hotspot. So you've left out this:

            3) The sites in question are hosted in China, by Chinese crackers and fraudsters, to defraud anyone with money or computer resources tricked into visiting the site, no matter where it is hosted.

            Thi
            • by dwater (72834)
              sorry, but I can't understand your point....care to elabourate?
            • This works because Chinese law enforcement is even more behind the times dealing with computer fraud than the USA.

              This shows you have no idea whatever.

              Almost every single example of the products/services/scams being served sends the money via a US based credit card company to a US based criminal. By far the majority of procuts or serveces promoted by these methods are not even available to anyone outside America. In simple terms: both supply and demand are American. China, and other countries are only invo

              • Where are you getting the claim that the fraudsters are mostly American? There's plenty of market for such frauds. The Americans are the logical victims of such fraud?

                I agree that the American prosecution efforts are pitiful, and would help reduce the problem massively. But have you ever tried to track a spammer or fraudster overseas to their hosting website and get anything done about it? The US ISP's are at least somewhat responsive to outright fraud accusations with proof provided.

                And unfortunately, the
          • Re: (Score:3, Interesting)

            by budgenator (254554)
            That first one might not be true, since hosting servers in China is very cheap, so perhaps some entities host sites in China intended for non-Chinese audience in order to cut costs.
            I remember years ago that hosts used to have a "no porn" in there service agreements, for fear that their IP block might get blacklisted, Now we often run into the same thing due to virtual hosting, blocking one IP address might knock a 100 websites off the internet. Of course with China some of it may be the government trying t
      • Sites written in the Chinese language are, of course, mostly written for viewers who read Chinese, including in China and the widespread overseas Chinese populations.

        But there's a huge business of websites in China that are used by spammers, phishers, and other parasites, because the Internet means that you can connect to anywhere in the world for the cost of a few hundred milliseconds, and China not only as a large technically skilled population, a lot of infrastructure, and an imbalance in bandwidth usage

        • by dwater (72834)
          er, ok.
          Nothing of *value* then. Certainly nothing that would stop me wanting to have their results filtered from my google search results.
          I guess I was talking about sites that had legitamate content but which had been poisoned by various malware or whatever.
    • by moderatorrater (1095745) on Sunday February 17, 2008 @09:24PM (#22458122)
      The problem with that is the number of sites that happen to host malware without meaning to. Too often the malware comes through advertising services or sneak through in user generated content that would be fine if not for a browser vulnerability. Google does a lot as it is, outright blocking the sites goes too far (unless that's the only thing that the site is made for, which is rare and would probably mean that the site is ranked low in the first place).
      • by Sancho (17056)

        then webmasters would be much more diligent about keeping the crap off their sites, or at least keep a few more hapless victims out of harm's way.
        What is it the kids say these days? Reading comprehension for the win? I'd love to see more due diligence on the part of web admins, but the only way to really get that is to hit them where it hurts.
    • by Slur (61510) on Sunday February 17, 2008 @10:07PM (#22458330) Homepage Journal
      One site I work on got hit by a PHPBB SQL injection attack and had a tiny iframe inserted into the forum header that pointed to a well-known malware site, hightstats.net (and if you're curious the malicious script is in the strong/044 folder). Google picked up on the iframe's contents being a malicious script and added the malware warning to the search results pertaining to the forums section of our website.

      I just wonder how it is that hightstats.net can still be in existence when it contains known malicious stuff that hackers are inserting into unwary websites?!
    • I agree, if the site's owner was unable to know themsleves they had malware from third party cross scripting techniques, this would be a great way for them to be advised.

      What do you mean I am blocked, why....oooh! ok i'll fix it up for you, and then you unblock me...thanks google, you saved the day.
  • by Anonymous Coward on Sunday February 17, 2008 @07:25PM (#22457382)
    The problem is with the client software. I can understand the danger of sites that try to fool you into downloading and running an application, or infected media that harnesses an exploit in an application - but automatically infecting the machine just by visiting the site is beyond belief. There's a serious problem with what the "web" has become, forced upon us by reckless and naive developers. The WWW and HTML was never meant to be something that runs active code on the client. Period. Most of us realise there is no way this problem can ever be solved without revising exactly what a browser is supposed to be, as long as browsers will run code instead of interpreting data there will always be malicious sites set up to exploit this.

    I have to observe a cast iron policy in my work. It means that quite a few sites on the internet are unavailable, but since they are mostly entertainment based it isn't a serious loss. No Javascript, no ActiveX, no Macromedia Flash. My activities are limited to viewing HTML and PDFs, even animated GIFs are blocked. In many years we have had no malware incidents (that I know of). Sometimes it's absolutely necessary to view a site containing potentially insecure content, so there is a "dirty machine" which is not allowed to connect to anything else and is wiped and reinstalled weekly.

    The problem is that even serious academic and scientific sites (that should know better) are starting to add Flash plugins and heavy scripting, so it's getting hard for conscientious users to maintain security even where they want to. Insecure technology is being forced upon us by the site developers.

    It would be nice if Google could display whether a site needs JavaScript, Flash or whatever and be able to search for HTML only content. The difficult way is to use Google Cache in text only mode of course.
    • Re: (Score:2, Funny)

      by dwater (72834)
      > No Javascript, no ActiveX, no Macromedia Flash.

      You work at heaven.com?

      Cool!

      I want to work there too :)

      On the other hand, I use NoScript, and it can be annoying sometimes...

      I like your idea of Google displaying the technologies used on the pages they list :)
    • It's got nothing to do with active code. It's to do with browsers being large, complex applications. Breaking large parts of the web by stopping scripting reduces the surface area for attack but does not eliminate it. There have been too many image decoder or URL exploits for anybody to believe that.

      In many years we have had no malware incidents (that I know of)

      Modern virus scanners have an observed 80% miss rate.

  • by Anonymous Coward
    Well its in Google's best interest to fight this, as Malware has the potential to affect their business.

    Really, as much as I am not a MS basher, malware is almost entirely Microsoft's fault. If they had paid attention back in the day to security, we wouldn't have the steaming swamp of malware we have now.

    The only serious way to fight malware is to reduce the potential infection hosts.

    fighting this is just like fighting any sort of sickness or plague. If you have enough immunized hosts, they the issue won't
    • That's a nice theory, but you can't argue that Microsoft is the most popular vendor for a lot of software and is, therefore, the biggest target. While Microsoft seems to have a bigger security problem than other vendors, there's no way to tell if other vendors and products would fail miserably given the same scrutiny.
    • by darthflo (1095225)
      In other news Ford is blamed for the United States' foreign policy (If they hadn't built that stupid model T, nobody would be driving cars today not burning all the oil not making raiding middle eastern countries for their oil necessary) while Xerox is being accused for global warming as a whole (THEY started all that copying and printing. If it weren't for them, we wouldn't have had to chop down rainforests for paper which in turn would have photosynthized all that CO2 back to O2.)

      Please, get a grip. Mi
  • It's a shame that Google chose to not identify the three AV vendors it tested. Their ability to protect against malware ranged from bad (~80%) to abysmal (~20%). To identify them would have been a public service for us and a motivation for them.
  • Google Malware team. (Score:3, Interesting)

    by csk_1975 (721546) on Sunday February 17, 2008 @08:31PM (#22457812)
    Having first been unable to use google translate and now google search due to the "Error- Your request appears to be virus related please scan your computer for malware" I do wonder how sound any google analysis of malware is. If they have problems distinguishing between my computer that is not malware infected and the transparent port 80 proxy for my home cable ISP which is shared by 100,000s of computers some of which are obviously malware infected, then what hope a useful analysis of the much more devious and murky world of drive-by installers?
  • Usually, good conferences and journals have an anonymous peer review process. I find if very odd that google researchers chose to publicize their paper before the peer review process is done. That is at least lack of decorum, IMO.
  • Chinese firewall installed upside down!
  • by olddoc (152678) on Sunday February 17, 2008 @10:33PM (#22458512)
    The underlying problem is that advertising space is often syndicated to other parties who are not known to the web site owner. Although non-syndicated advertising networks such as Google Adwords are not affected...

    Did you catch the above line in their article?
  • by The Master Control P (655590) <[ejkeever] [at] [nerdshack.com]> on Sunday February 17, 2008 @10:41PM (#22458578)
    2/3 of all malware distribution sites & sites that link to them are hosted in China.
    The next worst offender is the US with 1/6.
    About 3.5M websites attempt to send you to exploits from 180K distribution sites.
    63% of the 180K malicious sites are IIS, 33% are Apache, and a handful are other.
    80% of malware from not in ads (e.g. iframes) was within 4 redirects of the malware distributor.
    80% of malware from ads was more than 4 redirects from the distributor.
    3/4 of distribution sites and 1/2 of landing sites are in 2 blocks occupying 6.5% of IP4.
    Among drive-by downloads, 1/2 alter your startup, 1/3 attack your security, 1/4 corrupt your preferences, and 7% install BHOs.
    87% of outbound connections the malware initiates are HTTP, 8.3% are IRC.
    The three AV engines tested against malware retrieved by the study had detection rates of about 35, 50, and 70%.

    The part I find scariest is the 3.5M malware fronts. I mean, there are only about 70M active hosts on the entire Internet - that's 5 percent! Since I think that trying to make programmers these days write secure code is a lost cause, we should focus on breaking up the software monoculture. This kind of shit really starts to lose it's efficacy if only 1/4 or 1/5 attempts even attack the right browser...
    • by quux4 (932150)

      The part I find scariest is the 3.5M malware fronts.

      Recheck the paper. There were 3.5M bad urls, which through a series of redirects, pointed to only 9340 malware distribution sites (see Table 1, page 8) hosted on systems in only 500 autonomous systems. This is a solvable problem: 500 hosting companies (or their customers) are the source of it all.

  • ICANN allows the sites (typos and fronting).
    IE, Outlook, and most other web/email clients take you to them happily.
    And Google funds the whole ecosystem with their ads.

    Maybe Google should look in a mirror once in a while. Becasue in the mirror it doesnt say "do no evil" it says "be a greedy profit hungry corporation or get sued by the shareholders and goto jail"
  • by Animats (122034) on Monday February 18, 2008 @01:21AM (#22459760) Homepage

    The paper points out that most of the attacks involve redirection of some portion of page content. That's a useful piece of information, because, other than for advertising purposes, redirection of IFRAME items and images is quite rare. A useful blocking strategy would be to block all redirects below the top level page. Many ads will disappear; no great loss.

    Checking for hostile full web pages is already being done. McAfee SiteAdvisor was the first to do that, then Google copied them. Our "bottom feeder filter", SiteTruth [sitetruth.com], does some of that too, although it throws out far more sites than McAfee or Google do, just by insisting that some identifiable business stand behind any page that looks commercial.

    Google's revenue model depends, to some extent, on those "bottom feeder" sites: all those anonymous "landing pages", "directory pages", "made for AdWords pages", and similar junk. Those things bring in substantial AdWords revenue, although they don't usually generate much in the way of sales for advertisers. Throwing them out of the "Google Content Network" would cut Google's ad income. This is where "don't be evil" collides with Google's profitability.

    This looks like a solveable problem, but the solution will come from the security companies, not the search companies. The search companies can't afford to fix it.

  • In the 10 months of data the researchers used, Google found 9,340 distribution sites. The other 180,000 sites simply redirect you to the the distribution site, which is where you download the malware.

    It gets better - those 9340 distribution sites are under the aegis of only 500 autonomous systems. [wikipedia.org] Which means Google could send their list to those 500 AS's - and each would have (on average) around 20 malware sites to clean up. After this, Google could keep notifying AS's of the distribution sites found (le

  • A potential vector for redirects to malware sites lies in bogus registrations on bulletin boards. A board of which I'm a member has seen a large number of such registrations purporting to originate in England, with links to sites in eastern Europe. Redirection? Walks like a duck ...
  • by c0d3r (156687)
    Shouldn't a centralized spider md5 (or the like) legit binaries with a central CA like authority to verify and identify these exploiters?

    M
  • that because of outdated LAMP configs
  • I'd have thought it'd be way higher than that.* *if the anti-malware companies are to be believed** ** Some of them can't be believed because their anti-malware contains malware.
  • I think since Google has the technology to discover and index malware distributing sites, and they should provide a new feature which will put a small red warning beside malicious results. Like McAfee SiteAdvisor service dose. This will decrease the number of infected machines in the Internet, and this is very easy to be noticed by novice users. ExtremeSecurity Blog Admin http://extremesecurity.blogspot.com/ [blogspot.com]

"Consistency requires you to be as ignorant today as you were a year ago." -- Bernard Berenson

Working...