Google Security Technology

Inside Google's Anti-Malware Operation 105

Posted by timothy
from the please-use-more-stress-positions dept.
Trailrunner7 writes "A Google malware researcher gave a rare peek inside the company's massive anti-malware and anti-phishing efforts at the SecTor conference here, and the data the company has gathered shows that the attackers who make it their business to infect sites and exploit users are adapting their tactics very quickly and creatively to combat the efforts of Google and others. While Google is still a relative newcomer to the public security scene, the company has deployed a number of services and technologies recently that are designed to identify phishing sites, as well as sites serving malware, and prevent users from finding them. The tools include the Google SafeBrowsing API and a handful of services that are available to help site owners and network administrators find and eliminate malware and the attendant bugs from their sites. Fabrice Jaubert, of Google's anti-malware team, said the company has had good luck identifying and weeding out malicious sites of late. Still, as much as 1.5 percent of all search result pages on Google include links to at least one malware-distribution site, he said."
  • I like this approach and also as usual, they offer you a way to go "there" anyway which saves you from false positives, never seen one though.

    Also I like the alerts in the Webmaster tools, as they send you an e-mail if your site gets infected. It has never happened to me, but I'm pretty sure it is a good tool when you handle a lot of sites. I mean, how many webmasters actively run malware tools on their website?

    • Re: (Score:3, Interesting)

      by LordSnooty (853791)
      It's much preferable to the AV industry's blackmail tactics... give us your money every year and we'll try and squash these progs... but we might not... if we don't there's bugger all you can do about it.

      Much better is stopping the bad sites appearing in the first place. And all for free! Stuff like this is why Google can hold on to the "don't be evil" line for now.
  • TFA specifically notes that

    To find malware-distribution sites, Google uses a huge number of virtual machines running completely unpatched versions of Windows and Internet Explorer that they point at potentially malicious URLs. The company then ties this in with the data that it gathers from its automated crawlers that are tasked with looking for malicious code on legitimate Web sites.

    • Re:Details (Score:4, Insightful)

      by surmak (1238244) on Friday October 29, 2010 @07:40AM (#34061320)

      That's about all the article says. It is amazingly information free. Anything else that is mentioned can be deduced by anybody who uses Google's services and has a bit of knowledge and logic.

      As I was reading it (yes, I know that is a cardinal sin on /.) it felt like there was going to be more interesting information forthcoming, but there was never anything (other than the use of VMs) that was surprising in any way.

      It would be nice if the editors would stop posting content-free stories.

      </rant>

      • by ifrag (984323)

        Even the use of VMs isn't really surprising these days. If you are going to intentionally let something get worked over by malware then having a fast way to revert damage makes sense.

        What I'm assuming and what the article doesn't make mention of is how a machine is actually determined to be compromised. I suppose there would be some scanner running in the background as log and report only. Then at a higher level accumulating those results and restoring the original disk file. Since this is Google I'm g

      • The article could have elaborated a bit I'm sure. Like how this setup appears to be a honeypot [wikipedia.org], while they more than likely monitor the traffic through a transparent proxy.

        They also could have set up snapshots before and after visiting each site, and do a diff of the file system and registry to see what files have been planted and which files/settings changed.

        Obviously I can't confirm this, but that's what I would do.

        • Sorry for the slight terminology mistake, these are actually Client Honeypots [wikipedia.org], similar in function but where honeypots are usually servers that wait for attacks, client honeypots are clients that actively go out and issue server requests.

      • by mcgrew (92797) *

        That's about all the article says. It is amazingly information free.

        That's why I (and probably everybody else) seldom RTFA.

      • That's one of the reasons I'm trying to find the next slashdot. Any leads?
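The snapshot-and-diff approach described in the comments above, written out as an added example. This is not Google's tooling and not code from the article: the "guest image" is a temporary directory, the registry is a plain key/value map, and the drive-by is simulated by writing files, so it runs offline. The noise list, paths and payload names are all constructed for the example.

```python
"""Client-honeypot change detection: snapshot the guest's file system and
registry before a visit, snapshot again afterwards, diff the two, and
treat anything outside the expected noise as a compromise."""
import hashlib
import os
import tempfile
from pathlib import Path

# Paths that change on every visit, malicious or not (browser cache here).
# Constructed for this example; a real deployment learns the list from
# repeated visits to known-clean pages.
NOISE_PREFIXES = ("Users/victim/AppData/Local/Temp/IE-cache/",)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_tree(root):
    """Map every regular file under root (relative, '/'-separated) to its SHA-256."""
    root = Path(root)
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            snap[p.relative_to(root).as_posix()] = sha256_file(p)
    return snap


def diff_snapshots(before, after, ignore_prefixes=()):
    """Generic diff of two key -> value maps (file hashes, registry values, ...)."""
    def keep(key):
        return not key.startswith(ignore_prefixes)
    added = sorted(k for k in after if k not in before and keep(k))
    removed = sorted(k for k in before if k not in after and keep(k))
    changed = sorted(k for k in before
                     if k in after and before[k] != after[k] and keep(k))
    return {"added": added, "removed": removed, "changed": changed}


def is_compromised(fs_diff, reg_diff):
    """Any surviving change in either diff is a hit for this URL."""
    return any(fs_diff.values()) or any(reg_diff.values())


def simulate_visit(root, malicious):
    """Stand-in for pointing the VM at a URL. A benign page only fills the
    cache; a simulated drive-by drops a payload, edits hosts and adds a Run
    key. Returns the registry values the visit wrote (constructed)."""
    cache = root / "Users/victim/AppData/Local/Temp/IE-cache"
    cache.mkdir(parents=True, exist_ok=True)
    (cache / "page.htm").write_bytes(b"<html>visited</html>")
    reg_writes = {}
    if malicious:
        (root / "Users/victim/AppData/Local/Temp/svchost.exe").write_bytes(b"MZ fake payload")
        hosts = root / "Windows/System32/drivers/etc/hosts"
        hosts.write_text(hosts.read_text() + "203.0.113.5 update.microsoft.com\n")
        reg_writes[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"] = \
            r"C:\Users\victim\AppData\Local\Temp\svchost.exe"
    return reg_writes


def run_visit(malicious):
    """Build a tiny fake guest image in a temp dir, visit, return diffs and verdict."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "Windows/System32/drivers/etc").mkdir(parents=True)
        (root / "Windows/System32/drivers/etc/hosts").write_text("127.0.0.1 localhost\n")
        (root / "Users/victim/AppData/Local/Temp").mkdir(parents=True)
        reg_before = {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive":
                      r"C:\Program Files\OneDrive\OneDrive.exe"}
        fs_before = snapshot_tree(root)
        reg_after = {**reg_before, **simulate_visit(root, malicious)}
        fs_after = snapshot_tree(root)
        fs_diff = diff_snapshots(fs_before, fs_after, NOISE_PREFIXES)
        reg_diff = diff_snapshots(reg_before, reg_after)
        return fs_diff, reg_diff, is_compromised(fs_diff, reg_diff)


if __name__ == "__main__":
    for flag in (False, True):
        fs, reg, hit = run_visit(flag)
        print("malicious" if flag else "benign", "->",
              "COMPROMISED" if hit else "clean", fs, reg)
```

Two caveats a practitioner would add. First, the noise list is the hard part: a clean visit also writes cache, history and event-log entries, so without a tuned allow-list every URL looks "infected". Second, a diff only catches what ran during the visit; a payload that sleeps, waits for user input or checks for a VM before acting leaves no change, which is one reason to also watch the guest's network traffic through a proxy as the sibling comment suggests.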
  • TFA: "...Google uses a huge number of virtual machines running completely unpatched versions of Windows and Internet Explorer that they point at potentially malicious URLs." ouch.
  • I'm sure the hardware behind this [ubuntu.com] site is much less complex than the google operation and yet fights malware better. Just another example of the huge costs that Windows shitty security is putting on the rest of computing world. Why won't that joke of an OS die already?
    • Re: (Score:3, Interesting)

      by JonySuede (1908576)

      Malware is about a third of the problem.
      There is not one OS that protects against "type your sudo password to see the dancing bunnies". Not one that protects you against phishing and scamming.

    • Re: (Score:3, Interesting)

      by ByOhTek (1181381)

      Hahaha. I'm glad you aren't in charge of any IT security.

      At least, I seriously hope you aren't.

      Because if you think that's going to give you a huge security boost, you've got another thing coming.

      You get better security with an informed user than switching from any current OS to any other current OS.

    • by mcgrew (92797) *

      Why won't that joke of an OS die already?

      Because it comes preinstalled on almost every PC sold. If all the PCs came with Ubuntu preinstalled, Ubuntu would take MS's place as king of the OSes.

      We nerds are the only folks who install operating systems. Normal people treat their PCs like TVs or toasters (although we may occasionally hack our TVs and toasters to make them operate the way we want).

      • If all the PCs came with Ubuntu preinstalled, Ubuntu would take MS's place as king of the OSes.

        -- and king of the compromised OSes. If Ubuntu were installed on 90% of all desktops, the hacker hordes would be all over them with tiny little lock picking tools. All those security updates that I get every couple of days on Ubuntu would also be the subject of hacking attempts. In some cases the defects would be found and exploited by hackers before maintainers knew about them.

        IOW, life would be somewhat different but not very different (the security model of *ix is still better than that of 'doze but

        • by mcgrew (92797) *

          That's likely true, although as you say, the security model of *nix is still better than that of 'doze but no security model can ever be 100%. End users would have a harder time getting pwned, though, as although it's as easy to install a program from a distro's repository as it is to install a Windows program, installing anything not in the repository is a little harder, and probably beyond the capabilities of the average user.

          So yes, it would be the targeted OS, but it would still be a lot harder to buil

    • Because everyone else in the world doesn't think exactly like you? Because millions of businesses are already invested in it? Because your opinions do not drive the corporate world to make technology decisions? Is that enough, or do you want some more?
    The problem is the ignorance of users, the lack of care by users again, and the lack of care by M$.

      If users were smarter about their browsing... we would have less infection.

      If users chose to be less cheap and run legit copies of Windows with full patches, we would have less infection.

      If M$ was less cheap and offered all copies of Windows, legit or not, the ability to get patched, we would have less infection
      (this last one more than all three first mentioned put together).

      If we had windows programmers be more thor

  • ..to the actual slides, position paper, video, or whatever, so we can get some of the meat?
  • "Still, as much as 1.5 percent of all search result pages on Google include links to at least one malware-distribution site, he said."
  • If they get good enough at finding malware, malware writers will have no choice but build custom targeted attacks that work against them.
  • From TFA

    To find malware-distribution sites, Google uses a huge number of virtual machines running completely unpatched versions of Windows and Internet Explorer that they point at potentially malicious URLs.

    And do they run FF, Chrome, Opera, etc. looking for vulns in them as well? Can you imagine what would happen if this "huge number of virtual machines" actually got pwned? Now there's a massive spambot or DDOS! Would Google spam-block itself?

  • "Can I turn it off?" (Score:5, Interesting)

    by Grismar (840501) on Friday October 29, 2010 @05:29AM (#34060818)

    This suggests that Google will actively filter out sites that spread malware or are phishing? I'm sure Google will do a fine job at it and odds are I would leave such a feature on, but shouldn't there be an option to turn it off? I would feel way better about a search engine if I knew I could turn all its censoring features off. It's the same with SafeSearch, I have it turned to moderate, but I like the fact that I can opt to turn it off.

    • I thought the Google thing just warned you but gave you a "but go ahead anyways, if you're sure" option just in case of a false positive.

    • This suggests that Google will actively filter out sites that spread malware or are phishing? I'm sure Google will do a fine job at it and odds are I would leave such a feature on, but shouldn't there be an option to turn it off? I would feel way better about a search engine if I knew I could turn all its censoring features off. It's the same with SafeSearch, I have it turned to moderate, but I like the fact that I can opt to turn it off.

      There's two options in the Security section of Firefox options:

      Block reported attack site [x]
      Block reported web forgeries [x]

      Presumably unchecking these will turn the protection off. It's not exactly obvious if this will stop the service completely or if it will just stop warning you. I.e. will it stop all communication between Firefox and the service?
      And as a sibling comment mentioned, you can proceed regardless of the attack report. You get a cool report about the attack by the way, how many ext

    • by Macka (9388)

      Hopefully no, you can't turn it off; because if you can then miscreants out there will find a way to turn it off for you, without your knowing about it. More to the point it won't be you that gets hit like that, you're obviously intelligent/paranoid enough to notice. It'll be your computer illiterate friends and neighbors.
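The summary mentions the Google SafeBrowsing API and the comment above asks what Firefox actually exchanges with the service. As an added example, not Google's or Mozilla's code, here is the client side of the lookup scheme as Google's public Safe Browsing documentation describes it: the URL is canonicalized, expanded into host-suffix/path-prefix expressions, each expression is SHA-256 hashed, and only short hash prefixes are compared against a locally cached list; a prefix hit is then confirmed by fetching the full hashes for that prefix from the server. The canonicalization here is reduced to the parts needed for the example, and LOCAL_PREFIXES is constructed rather than downloaded.

```python
"""Safe Browsing style client-side lookup: canonicalize, expand into
host-suffix/path-prefix expressions, hash, compare 4-byte prefixes."""
import hashlib
from urllib.parse import urlsplit, unquote

PREFIX_LEN = 4  # bytes; the documented minimum, real lists also carry longer prefixes


def canonicalize(url):
    """Reduced canonicalization: scheme dropped, lower-case host, fragment
    dropped, percent-decoded path, '/' for an empty path. The full rules
    (repeated decoding, IP literal forms, dot-segment removal) are longer
    than this example needs."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").strip(".")   # hostname is already lower-cased
    path = unquote(parts.path) or "/"
    return host, path, parts.query


def host_suffixes(host):
    """The exact host plus up to four suffixes built from its last five labels."""
    labels = host.split(".")
    if all(label.isdigit() for label in labels):   # IP literal: exact host only
        return [host]
    out = [host]
    for i in range(max(0, len(labels) - 5), len(labels) - 1):
        cand = ".".join(labels[i:])
        if cand not in out:
            out.append(cand)
    return out


def path_prefixes(path, query):
    """Exact path with query, exact path without it, then '/', '/a/',
    '/a/b/', '/a/b/c/' (at most four, file name never included)."""
    out = []
    if query:
        out.append(path + "?" + query)
    out.append(path)
    dirs = path.split("/")[1:-1]              # directory components only
    for k in range(min(len(dirs), 3) + 1):
        cand = "/" + "".join(d + "/" for d in dirs[:k])
        if cand not in out:
            out.append(cand)
    return out


def expressions(url):
    host, path, query = canonicalize(url)
    return [h + p for h in host_suffixes(host) for p in path_prefixes(path, query)]


def hash_prefix(expr):
    return hashlib.sha256(expr.encode()).digest()[:PREFIX_LEN]


def check_url(url, local_prefixes):
    """Expressions whose hash prefix is on the local list. A non-empty result
    is only a candidate: the real client then asks the server for the full
    hashes behind that prefix and compares them, so a 4-byte collision on an
    innocent URL does not by itself produce a warning. Note what leaves the
    machine in that round trip: a hash prefix, never the URL."""
    return [e for e in expressions(url) if hash_prefix(e) in local_prefixes]


# Constructed local list with one entry meaning "everything under evil.example".
LOCAL_PREFIXES = {hash_prefix("evil.example/")}

if __name__ == "__main__":
    for u in ("http://www.evil.example/landing/index.html?x=1",
              "http://good.example/landing/"):
        print(u, "->", check_url(u, LOCAL_PREFIXES) or "no prefix match")
```

The suffix/prefix expansion is what lets one list entry ("evil.example/") cover every host and page under a compromised domain, and the prefix-plus-full-hash design is why a client such as Firefox can keep the list locally and only contact the service on a candidate hit; unticking the two options in the comment above disables the warning, and whether the list download also stops is a browser implementation question the page does not answer.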

  • That a Google search for malwarebytes has AntiMalware Pro (see http://www.2-spyware.com/remove-antimalware-pro.html [2-spyware.com]) as the top, sponsored hit.

  • I wonder why Google does not have some simple way for those of us who are savvy enough to recognise spam or malware sites to indicate so in the search results. Those results so indicated could have their page ranking reduced or be hidden until they were checked.

    I realize this could be abused and have no idea what the signal to noise ratio would be, but it would be interesting to see how this worked.

  • What we need is a google proxy to surf through that would automatically strip malware.

    What could go wrong?

    Seriously, this Flash / Adobe stuff is crazy. Just browsing a mainstream site with bad adverts can compromise your box these days.

  • To find malware-distribution sites, Google uses a huge number of virtual machines running completely unpatched versions of Windows and Internet Explorer that they point at potentially malicious URLs.

    Windows IS useful! Time to go cash in on some bets.

  • by happy_place (632005) on Friday October 29, 2010 @06:51AM (#34061076) Homepage
    I've got a buddy from Bluecoat. They regularly search for these sites, and he says their company regularly reports malware sites to Google. He said there was a time when their software blocked Google because it wouldn't clean up its act. Things have changed.
  • I sincerely hope Google continues to improve its services in a similar fashion. Although I know Google is funded primarily by advertisement fees, it certainly feels like I'm getting something great for free. I just hope that Google continues to receive heavy competition on all fronts, preventing them from ever achieving a complete monopoly. Lack of competition is the enemy of innovation.
  • I think Google has to work on getting rid of the huge amount of false positives. I remember at one point even opengl.org was blacklisted.

  • Google Groups Spam (Score:4, Insightful)

    by CondeZer0 (158969) on Friday October 29, 2010 @08:20AM (#34061588) Homepage

    This is all nice and great, but it is quite pathetic that they can't fix all the spam in Google Groups, and it isn't like it is rocket science, when exactly the same message with the same spam-link gets posted to hundreds of groups.

    • by Nimey (114278)

      This. Most of the Usenet spam I've seen lately gets posted from DejaGoogle.

    • by Idbar (1034346)
      The fact is that spammers
      spammers can use a huge
      number of techniques that the
      the human brain may not be aware of.

      Including random characters, or
      properly repeating words, or simple
      thypos [sic]. That makes harder for
      spam to be tracked.

      Let's say for example that most people
      won't notice it says "the the human" up there.
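The two comments above describe the detection problem from both sides: the same message and link hitting hundreds of groups, and spammers padding the text with repeated words, junk characters and typos so that exact matching fails. As an added example (not Google Groups code, with constructed sample posts rather than real Usenet traffic), here is a small cross-post detector that links posts when they share a URL or when their normalized text is near-identical. Normalization collapses immediate word repeats such as "the the", and similarity uses character n-grams, which tolerate a typo or inserted junk far better than exact or whole-word comparison.

```python
"""Cross-post spam detection: cluster posts by shared link or text
similarity, then flag clusters that span many groups."""
import re
from collections import defaultdict
from itertools import combinations

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def links(text):
    """Lower-cased set of URLs in the text (coarse on purpose: path case is dropped too)."""
    return {u.rstrip(".,;:)").lower() for u in URL_RE.findall(text)}


def normalize(text):
    """Lower-case, drop URLs and punctuation, collapse immediate repeats
    ('the the human' -> 'the human') so word padding does not change the text."""
    text = URL_RE.sub(" ", text.lower())
    words = re.sub(r"[^a-z0-9]+", " ", text).split()
    return [w for i, w in enumerate(words) if i == 0 or w != words[i - 1]]


def shingles(words, k=4):
    """Character k-grams of the normalized text; a single typo only perturbs k of them."""
    s = " ".join(words)
    if len(s) < k:
        return {s} if s else set()
    return {s[i:i + k] for i in range(len(s) - k + 1)}


def jaccard(a, b):
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster_posts(posts, threshold=0.5):
    """Union-find over posts; an edge is a shared link or similarity >= threshold."""
    parent = list(range(len(posts)))

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    feats = [(links(p["body"]), shingles(normalize(p["body"]))) for p in posts]
    for i, j in combinations(range(len(posts)), 2):
        if (feats[i][0] & feats[j][0]) or jaccard(feats[i][1], feats[j][1]) >= threshold:
            parent[find(j)] = find(i)
    clusters = defaultdict(list)
    for i in range(len(posts)):
        clusters[find(i)].append(i)
    return list(clusters.values())


def flag_crossposts(posts, min_groups=3, threshold=0.5):
    """Clusters whose members were posted to at least min_groups distinct groups."""
    flagged = []
    for members in cluster_posts(posts, threshold):
        grp = {posts[i]["group"] for i in members}
        if len(grp) >= min_groups:
            urls = set().union(*(links(posts[i]["body"]) for i in members))
            flagged.append({"ids": [posts[i]["id"] for i in sorted(members)],
                            "groups": sorted(grp), "links": sorted(urls)})
    return flagged


# Constructed sample posts (not real Usenet traffic).
SAMPLE_POSTS = [
    {"id": "s1", "group": "comp.lang.c",
     "body": "Buy cheap meds online today! Best prices guaranteed. http://pills.example/buy?ref=1"},
    {"id": "s2", "group": "rec.arts.sf",
     "body": "Buy cheap meds online today! Best prices guaranteed. http://pills.example/buy?ref=1"},
    {"id": "s3", "group": "sci.math",   # typo plus upper-cased host, same link
     "body": "Buy cheap meds online today! Best prices guaranted. http://PILLS.example/buy?ref=1"},
    {"id": "s4", "group": "alt.test",   # no link, doubled word as padding
     "body": "Buy cheap meds online today! Best the the prices guaranteed."},
    {"id": "l1", "group": "comp.lang.c",
     "body": "Is there a portable way to detect signed integer overflow in C89?"},
    {"id": "l2", "group": "sci.math",
     "body": "Looking for a reference on the Riemann zeta function on the critical line."},
]

if __name__ == "__main__":
    for hit in flag_crossposts(SAMPLE_POSTS):
        print(hit)
```

The shared-link rule is the cheap, high-precision signal the first comment points at; the similarity rule is what survives the obfuscation the second comment lists. The threshold and the minimum group count are the knobs that trade false positives (a legitimate announcement cross-posted to three related groups) against recall, and a production filter would also rate-limit by posting account and sender address, which the sample data does not carry.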
  • I find it ironic that at the end of this article on sneaky web malware, there is a link to email a shortened URL.
  • by Animats (122034) on Friday October 29, 2010 @11:28AM (#34063964) Homepage

    There's been considerable improvement. Google still has some holes in dealing with "malware", phishing, etc. But these are mostly obscure tricks used to get around Google's malware reporting. You can report the sites below over and over, but nothing happens, because Google's reporting system doesn't understand that these Google features are exploitable.

    I'm pleased to notice that, at last, Google is no longer running ads for software for spamming Craigslist. Search for "craigslist auto poster tool". There used to be ads for programs for spamming Craigslist, and some of them even accepted payment through Google Checkout. (That last could lead to legal problems, since Google was not only advertising a legally questionable product, but taking a cut of the revenue.) That seems to have stopped. There are still ads for offshored services which manually spam Craigslist. [google.com]
