Forgot your password?
typodupeerror
Google Security The Internet IT Technology

Google Detects 9500 Malicious Sites Per Day 69

Posted by timothy
from the surely-they-miss-1-or-2 dept.
An anonymous reader writes "Five years after it was first introduced, Google's Safe Browsing program continues to provide a service to the 600 million Chrome, Firefox, and Safari users, as well as those searching for content through the company's eponymous search engine. According to Google Security Team member Niels Provos, the program detects about 9,500 new malicious websites and pops up several million warnings every day to Internet users. Once a site has been cleaned up, the warning is lifted. They provide malware warnings for about 300 thousand downloads per day through their download protection service for Chrome."
This discussion has been archived. No new comments can be posted.

Google Detects 9500 Malicious Sites Per Day

Comments Filter:
  • After digging around a little I did not find much useful knowledge about the accuracy and how it works.
    • by The MAZZTer (911996) <<megazzt> <at> <gmail.com>> on Wednesday June 20, 2012 @12:50PM (#40386931) Homepage
      Well for starters it's open source [google.com] so you can see for yourself.
      • by swillden (191260)

        Well for starters it's open source [google.com] so you can see for yourself.

        I'd guess that the malware detection is actually performed by servers at Google. That would make more sense (to me, anyway) than trying to embed the code in the browsers where malware authors can examine it, and where updates require a browser release.

        • by swillden (191260)

          Well for starters it's open source [google.com] so you can see for yourself.

          I'd guess that the malware detection is actually performed by servers at Google. That would make more sense (to me, anyway) than trying to embed the code in the browsers where malware authors can examine it, and where updates require a browser release.

          Er, I guess I should have clicked your link before shooting my mouth off, rather than after :-)

          • by swillden (191260)

            Well for starters it's open source [google.com] so you can see for yourself.

            I'd guess that the malware detection is actually performed by servers at Google. That would make more sense (to me, anyway) than trying to embed the code in the browsers where malware authors can examine it, and where updates require a browser release.

            Er, I guess I should have clicked your link before shooting my mouth off, rather than after :-)

            Er, I guess I should have read the code at the link you provided before correcting myself... since it appears that it does indeed connect to "safe browser servers" at Google.

            I think I'll just shut up now, even if further perusal shows this comment to be wrong as well.

            • I'm just curious, but did Google detect any web sites that stroll through any city collecting information off wireless routers?
      • LOL? Well for starters that's the client side stuff. And this gets derped up to +5 informative? Holy crap haha.... if your comment was tongue in cheek, I salute you. Otherwise, let me just slowly back up and then run like fuck.

      • by hairyfeet (841228)

        Uhhh...all that is is the client connect code friend, have Google released the code they run on their own servers? last i checked that was a big NO so who the hell knows what is going on there. Frankly with as much data as Google gathers already and the changes in the privacy policy I'd be leery of sending that company, or any other for that matter, every single website i visit so they can "check it" for me. That is what i had an AV that scans before load and a sandboxed browser for anyway.

        I do find it quit

        • by Fastolfe (1470)

          Please read a little deeper:

          https://code.google.com/p/google-safe-browsing/wiki/SafeBrowsingDesign [google.com]

          Because it would be both inefficient and privacy-invasive to send every URL that is loaded to a server to do this check, the SafeBrowsing protocol takes the approach of downloading this data to the client. Every few minutes, the client will perform an update request to get new blacklist data from the server. This process is described in more detail under Update Process.

    • by Mashiki (184564)

      Accuracy can be hit or miss. A lot of people in the translation communty use tools like chiitrans, chiitrans2, Translation Aggregator(TA) and agth. Google reguarlly flags sites with these as malware and specifically mentions these as malware, when they're no such thing. They also regularly flag mentions of RPG maker 2k(JP) [famitsu.com] as malware. To me it seems more like the engine is looking for anything that injects or hooks, which chiitrans, TA and agth do. Or non-standard character sets which the old RPG maker

    • After digging around a little I did not find much useful knowledge about the accuracy and how it works.

      Well according to one user named AnonymousCoward it has to use MyCleanCP(spelling). He went on saying it was the only one that would work.

    • The plural of anecdote is not data. Since anecdote is all I have to offer, here goes: I occasionally run into its malware warnings, most, in fact all in recent memory, for some site I know for a fact has no ill intentions, though malicious adverts might always slip through, of course. What irks me most about those warnings isn't even the indiscriminate false positives, but much more the lack of detail as to just what was found to be suspicious. I for me would be much safer knowing exactly what the problem w

    • After digging around a little I did not find much useful knowledge about the accuracy and how it works.

      I just put one of my domains online yesterday. It's OK now but the first couple of time I tried to access it I got one of those "This site could be dangerous to your computer" banners. I wonder if Google needs to crawl the site before it blesses it as safe.

  • Malicious? (Score:4, Funny)

    by Anonymous Coward on Wednesday June 20, 2012 @12:33PM (#40386723)

    Does Google include *.gov?

  • Gmail, Google Docs, Blogspot - Google needs to eliminate abuse on their products.

    Do a search in Google for - https://docs.google.com/a/njit.edu/spreadsheet/viewform?formkey=dEdpR1lrTjZPenFtY3BkS1l3UF9VWHc6MQ

    hmmm, no flags...

    or how about https://docs.google.com/spreadsheet/viewform?formkey=dEZfZjkwa0FxYmRRbzFvend5ODhhX2c6MQ

    oh, it's in Phishtank as 100% verified (and yes, Google gets reports from Phishtank), but has Google taken it down? NO.

    Geniuses would have this down programmatically. Google only does enou
    • Somehow, I think if someone sees a form purporting to be from either Yahoo or Microsoft, but says right on it "Powered by Google Docs," and they still go ahead and enter their information, then they're stupid enough that they'll give away their information anyway at some point, so it doesn't make much difference if this stays up or not.

      Incidentally, I did get a warning on the second one.

    • by utkonos (2104836)
      This is precisely what I'm talking about. One part of Google may care about phishing and malware (the Stop Browsing team). But Gmail doesn't care about drop emails. Google Docs doesn't care about phishing pages they host. Google Apps couldn't care less about malware payloads that you can download from their sites.
      • by utkonos (2104836)
        Abuse reports to Google fall on deaf ears. Google couldn't care less about crime on their own systems, unless it's copyright violations on Youtube when a bird song infringes a record label's intellectual property. Google is one of the worst companies on the internet with regards to responding to abuse on it's systems. Even nasty dens of garbage like OVH and iWeb respond faster.
  • "Five years after it was first introduced, Google's Safe Browsing program continues to provide a service to the 600 million Chrome, Firefox, and Safari users"

    Is that 600 million users served over the five-year span? Or the total number of users on Chrome, Firefox and Safari that we have now? 600 million is just a little under 9% of the world's population.

    Impressive numbers, in any case.

  • by el_flynn (1279) on Wednesday June 20, 2012 @01:45PM (#40387621) Homepage

    This [blogspot.com] image from Google's blog post [blogspot.co.uk] shows that majority of the phishing sites are hosted in the US. Interestingly, most of Africa is relatively "clean", except for Algeria and South Africa.

    • That is deceiftful and doesn't tell the whole picture.

      The malware is not developed here. It is just America has lots and lots of old servers running unpatched wordpress, apache, and linux software full of vulnerabilities. Many slashdotters are under the impression most malware is still installed by a user clicking something and the problem is always between the monitor and keyboard and also that Linux is 100% safe and only IIS gets infected etc.

      Most bad sites are legit and just get hacked and crackers inser

      • If you used Windows without AV software guess what? You are owned if you visited slashdot in late february or early march.

        That's almost as vague as Google's warnings. Did the malware in this case target IE? Firefox? Chrome? Flash player? Java?
        Did it rely on a zero-day exploit? Or something that you just hadn't got around to patching?

        I haven't run A/V for somewhere around a decade. I've never been infected. I visit /. on a regular basis, including the time in question. Obviously your blanket warning isn't accurate.

        • by swillden (191260)

          I haven't run A/V for somewhere around a decade. I've never been infected.

          That you know of.

          • True, but he likely does run noscript and an ad blocker.

          • Why does everyone think the only way to know if you're infected is to run some resource-sucking A/V software?

            How do you think A/V companies know to add something to their definitions? Does it have to show an infection in an antivirus scan?
            Maybe the fact that I don't get falsely complacent by running A/V software, means that when the A/V companies miss something like Flame for two years then I'd know about it on my machine before the AV warning, because I wouldn't be thinking "My A/V software shows nothing,

            • by swillden (191260)

              Why does everyone think the only way to know if you're infected is to run some resource-sucking A/V software?

              Because with well-written malware it is the only way to know, unless you routinely snapshot your system and do off-line verifications that your system files have not been modified.

              How do you think A/V companies know to add something to their definitions?

              There are many ways malware is discovered initially. It depends on the type of malware and the infection vector.

              Maybe the fact that I don't get falsely complacent by running A/V software, means that when the A/V companies miss something like Flame for two years then I'd know about it on my machine before the AV warning, because I wouldn't be thinking "My A/V software shows nothing, so I'm not infected."

              No one (well, not me anyway) is claiming that A/V software never gives false negatives. But not having A/V software gives a lot more false negatives.

              • Why does everyone think the only way to know if you're infected is to run some resource-sucking A/V software?

                Because with well-written malware it is the only way to know, unless you routinely snapshot your system and do off-line verifications that your system files have not been modified.

                Which is essentially what I do, thanks to a security project I've been working on for a few years.

                Besides, with well-written malware, even A/V software can't tell you're infected without an offline scan.

                • by swillden (191260)
                  True, but the implication in your original post was that it was reasonable for people to run without AV -- but the approach you use, while better than AV, is hardly reasonable for anyone but hardcore Windows experts (to know what should or should not change) who are also willing to do snapshots and offline scans.
                  • I think I quite clearly said _I_ don't run antivirus. There was no implication that it was a good idea for others; at least, I didn't mean it. If you took it that way, then maybe I need to be more careful how I word that statement.

        • It was a faulty ad using a flash exploit. If you didnt run flashblock your system got owned. If you hate av software you can download a free scanner from Kaspersky that doesnt effect your system or use malware bytes from filehippo. You need to run AV software in this day and age. Modern av software like avast doesnt slow your system down

          • Ok, so it was a flash exploit. That still doesn't say whether it was zero day or not. If it wasn't, then you were unpatched, and I wasn't, and I'd be safe. If it was zero-day, I was doing a lot of experimenting with Chrome at that point, which has sandboxed flash since at least 2010, meaning I'd still be safe. All without flashblock.

            And incidentally, _all_ antivirus software slows your system down. Unless it's magic, it takes processing time to scan every file you open, meaning there's less processor ti

            • Well do not take this the wrong way or anything but if you do not run any AV software how do I know that your credible saying it doesn't slow your computer that much if you do not use it?

              True Norton 360 and McCrappy circa 2006 was a total POS but that doesn;t mean they all are. Avast added only 3 second of bootup time to my computer and that is it and well worth it. Sandboxing slows your computer down. Anything besides DOS or pure assembly slow your computer down. I stand by my words when I say a go

              • Boot time isn't the only way your computer can be slowed.

                And we still don't know if it was a zero-day exploit or not. For that matter, we don't know if it would have even infected you.
                Did you know that Avast's web shield doesn't know if you're vulnerable to the exploit or not? It simply warns you when it sees a malicious file, even if you don't have the vulnerable plugin. Just because it blocked something doesn't mean you would have been infected without A/V.

    • by fearlezz (594718)

      And Antarctica is hosting zero phishing sites...

  • (no text)

  • Is there a place where we can put our domain names and our emails, so that Google can contact us when they detect something on our websites?

  • by Animats (122034) on Wednesday June 20, 2012 @02:55PM (#40388721) Homepage

    Here's our current list of major domains being exploited by active phishing scams. [sitetruth.com] Notice who's at the top of the list. Google.

    We've been generating that list for years. It's based on PhishTank data, updated every 3 hours, and uses Open Directory to decide if a site is "major". 46 domains are on the list today. 9 have been on the list since 2011 or earlier. One has been on the list since 2010 - Google. Google is the last free hosting service unable to clean up their phishing problem. MSN, Yahoo, and various free hosting services have been successful at aggressively cleaning up phishing problems, and haven't been on this list, other than briefly, for years.

    Here's the oldest phishing attack hosted by Google, up since 2010 [google.com]: "Free Habbo Coins. Email your username and password to..."

    For years, Google didn't realize that Google Spreadsheets could be used to host phishing sites. [phishtank.com] They finally caught on, and there's now a "report abuse" button on spreadsheets. Most, but not all, of the spreadsheet-hosted phishing sites have been taken down.

    If anybody from Google is reading this, go over to your abuse department and apply a clue stick. It should embarrass someone that Google is the most clueless free hosting provider in the world about phishing.

    • by utkonos (2104836)
      Please mod this UP! Google is unable to deal with abuse on their own systems. They ignore reports of phishing drop emails hosted at Gmail. In fact they ignore most all reports of abuse submitted to them, period.
  • ... what percentage of these sites are false positives? They don't really seem to mention that, but as with any antivirus pile, I'm sure a large number are false. They have a feedback form to request a fix if it comes up, because it obviously does. What's the turn around like? How many days do you have to live with not being able to talk to customers when it does?

fortune: not found

Working...