Inside Google's Anti-Malware Operation
Trailrunner7 writes "A Google malware researcher gave a rare peek inside the company's massive anti-malware and anti-phishing efforts at the SecTor conference here, and the data the company has gathered shows that the attackers who make it their business to infect sites and exploit users are adapting their tactics very quickly and creatively to combat the efforts of Google and others. While Google is still a relative newcomer to the public security scene, the company has deployed a number of services and technologies recently that are designed to identify phishing sites, as well as sites serving malware, and prevent users from finding them. The tools include the Google SafeBrowsing API and a handful of services that are available to help site owners and network administrators find and eliminate malware and the attendant bugs from their sites. Fabrice Jaubert, of Google's anti-malware team, said the company has had good luck identifying and weeding out malicious sites of late. Still, as much as 1.5 percent of all search result pages on Google include links to at least one malware-distribution site, he said."
Re: (Score:3)
Given that most home computers run Windows, and a lot of business workstations as well, would Windows be a normal computer?
I like it (Score:1)
I like this approach, and also, as usual, they offer you a way to go "there" anyway, which saves you from false positives; never seen one though.
Also I like the alerts in the Webmaster Tools, as they send you an e-mail if your site gets infected; never happened to me, but I'm pretty sure it is a good tool when you handle a lot of sites. I mean, how many webmasters actively run malware tools on their website?
Re: (Score:3, Interesting)
Much better is stopping the bad sites appearing in the first place. And all for free! Stuff like this is why Google can hold on to the "don't be evil" line for now.
Re: (Score:2)
Actually, I thought many AV companies also had web blacklisting software as well.
Details (Score:2)
Re:Details (Score:4, Insightful)
That's about all the article says. It is amazingly information free. Anything else that is mentioned can be deduced by anybody who uses Google's services and has a bit of knowledge and logic.
As I was reading it (yes, I know that is a cardinal sin on /.) it felt like there was going to be more interesting information forthcoming, but there was never anything (other than the use of VMs) that was surprising in any way.
It would be nice if the editors would stop posting content-free stories.
</rant>
Re: (Score:2)
Even the use of VMs isn't really surprising these days. If you are going to intentionally let something get worked over by malware, then having a fast way to revert damage makes sense.
What I'm assuming and what the article doesn't make mention of is how a machine is actually determined to be compromised. I suppose there would be some scanner running in the background as log and report only. Then at a higher level accumulating those results and restoring the original disk file. Since this is Google I'm g
Re: (Score:2)
The article could have elaborated a bit I'm sure. Like how this setup appears to be a honeypot [wikipedia.org], while they more than likely monitor the traffic through a transparent proxy.
They also could have set up snapshots before and after visiting each site, and done a diff of the file system and registry to see what files have been planted and which files/settings changed.
Obviously I can't confirm this, but that's what I would do.
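As an added example (not the commenter's or Google's code), here is the before/after diff the comment above describes, in Python: take a hash snapshot of a directory tree standing in for the guest's disk, plus a plain dict standing in for a registry key, then report what a simulated visit planted, deleted and altered. The directory layout, the "Run" key stand-in and the dropped file are all constructed for the demo; a real harness would export the hive and walk the guest disk image instead.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot_files(root):
    """Map every regular file under root (POSIX-style relative path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file()
    }


def diff_snapshots(before, after):
    """Compare two key -> value maps (file hashes, or registry value_name -> data) taken
    before and after a visit; return what was planted, deleted and altered."""
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in before.keys() & after.keys() if before[k] != after[k]),
    }


def demo():
    """Constructed scenario: a tiny fake guest disk and registry key, a simulated
    malicious visit, then the diff of both."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Windows" / "System32" / "drivers" / "etc").mkdir(parents=True)
        (root / "Users" / "guest").mkdir(parents=True)
        hosts = root / "Windows" / "System32" / "drivers" / "etc" / "hosts"
        hosts.write_text("127.0.0.1 localhost\n")
        (root / "Users" / "guest" / "notes.txt").write_text("hello\n")
        # Constructed stand-in for an autorun key; the real thing would come from a hive export.
        run_key_before = {"OneDrive": r"C:\Users\guest\OneDrive.exe"}

        files_before = snapshot_files(root)

        # Simulated drive-by outcome (constructed, not real malware): a dropped binary,
        # a hosts-file edit, a deleted file and a new autorun entry.
        hosts.write_text("127.0.0.1 localhost\n0.0.0.0 av-update.example.invalid\n")
        (root / "Users" / "guest" / "AppData").mkdir()
        (root / "Users" / "guest" / "AppData" / "dropper.exe").write_bytes(b"MZ" + b"\0" * 14)
        (root / "Users" / "guest" / "notes.txt").unlink()
        run_key_after = dict(run_key_before, Updater=r"C:\Users\guest\AppData\dropper.exe")

        files_after = snapshot_files(root)
        return {
            "files": diff_snapshots(files_before, files_after),
            "registry": diff_snapshots(run_key_before, run_key_after),
        }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Because `diff_snapshots` only cares about key/value maps, the same function serves the file hashes and the registry values; anything noisy the OS itself touches during a visit (caches, logs) would be filtered out of the file snapshot with an allowlist before diffing.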
Re: (Score:2)
Sorry for the slight terminology mistake, these are actually Client Honeypots [wikipedia.org], similar in function but where honeypots are usually servers that wait for attacks, client honeypots are clients that actively go out and issue server requests.
Re: (Score:2)
That's about all the article says. It is amazingly information free.
That's why I (and probably everybody else) seldom RTFA.
Re: (Score:2)
If you want something done right... (Score:2)
If you want something done right...? :) Hey, let me know too.
To find malware-distribution sites... (Score:1)
Re: (Score:2)
Yeah. What about vulnerabilities introduced by patches?
Pretty sure those happen too.
Fighting malware doesn't have to complicated (Score:1)
Re: (Score:3, Interesting)
Malware is about third of the problem,
There is not one OS that protects against "type your sudo password to see the dancing bunnies." Not one that protects you against phishing and scamming.
Re: (Score:2)
try to force them into a Unix centric CLI heavy environment?
There may indeed be arguments against Ubuntu / Linux, but as you have very clearly not used Ubuntu, I don't see why you feel it necessary to speculate on what those faults may be.
You might as well complain about Windows, as server 2008 has moved heavily into PowerShell-- which is more of that "CLI heavy environment" that you so vigorously object to.
Windows 7..... without the user needing to run ANY CLI
You clearly havent used Windows in a serious corporate environment for any appreciable length of time, either. Microsoft has one of my USERS running a commandlin
Re: (Score:2)
And FYI you don't need to run gpupdate from a command line unless you need the policy to go into effect immediately. If it is something that doesn't need to go into effect right away, you can just wait until the machine updates the policy on its own. As for the debugger, just disable it. Does the end user really need to debug anything? Is any u
Re: (Score:2)
Why is it that Linux users are expected to completely maintain their own machines, but the Windows ones can call IT and never have to deal with command prompt or PowerShell or VBScript or group policies?
Re: (Score:2)
Did you ever think that maybe, juuust maybe, there is a reason why despite the fact you give your "solution" away NO big box retailers touch it and home users have voted time and time again NOT to switch to it? Like the fact that you refuse to listen to them and give them what they want, an all GUI all the time, simple and easy peasy UI with lots of hand holding and wizards, you insist they "embrace the power of CLI" like it is the fricking force and try to force them into a Unix centric CLI heavy environment?
You've never used Ubuntu have you?
My sister's and mom's laptops both run Ubuntu and they couldn't even figure out how to open a terminal window if they wanted to.
Re: (Score:2)
Allow me to elaborate: They couldn't even figure out how to open a terminal window because they don't know it exists and have never had to use it.
Well one time I tried to talk my sister through opening a terminal and entering "alsactl restore," what a nightmare that was, but it turned out she just hadn't plugged her headset in properly, so it wasn't really necessary in the first place.
Re: (Score:2)
Stating the timeline...
- Microsoft's been a commercial company since 1981, and marketing reaches crowds. The first Windows came out 1985.
- 6 years later...
- Linux started as a hobby project in 1991, GPL'd a year later. It stayed too techy for the average user for the next 10 years (about).
Microsoft got a big head start in terms of exposure to the public, from a human-social-familiarity perspective this is why most people know of, and use Windows.
I'll be a hypocrite to dis Windows, since I've been coding on
Re: (Score:1)
Re: (Score:2)
Did you ever think that maybe, juuust maybe, there is a reason why despite the fact you give your "solution" away NO big box retailers touch it and home users have voted time and time again NOT to switch to it?
Yes, there is a reason -- PC manufacturers use Windows because that's what people are used to (Microsoft has great marketing) and they get incentives from Microsoft to use Windows. Windows users don't switch to Linux for the same reason XP users don't switch to 7; only nerds install OSes.
Plus, nobody but
Re: (Score:1)
The developers of Linux decided long ago they like things the way they are, the world could do it their way or go jump
That's entirely backwards. It's Windows that you have to do it their way, not Linux. With Linux you have a choice of distros, desktops, boot loaders, everything. I had a discussion with a fellow slashdotter the other day about how much I liked the way KDE opens with the apps open that were open, with the book I was reading open to the same page it was on when I shut it down, and he hated that. His is configured to open with a "clean" desktop. His is the way he wants, mine is the way I want, and we're both happy. Not so with Windows. With Windows, it's the Microsoft way and if you don't like it, tough shit.
You missed his point. His point is that end-users don't want a choice of distros, desktops, etc. They want to press "on" and have it work. This is, ostensibly, what Windows provides.
Re: (Score:2)
His point is that end-users don't want a choice
Is that why there are so many models of Ford cars? If that was his point, his premise was badly flawed.
They want to press "on" and have it work.
I have yet to see any modern distro that you didn't simply press "on" and have it work.
Re: (Score:2)
Re: (Score:1)
As a happy Linux user of more than 10 years and more flavors of hardware than I want to remember right now, I must say," Noob!! , Quit whining..." If you don't like it, use Windows...those of us who are capable of asking questions and actually using (or LEARNING to use) cli (gasp!) will continue to use our free, much more capable OS. Incidentally, I didn't go to college for this- I simply learned to read man pages...
Veteran of: Debian, Ubuntu, Slackware, Knoppix, SUSE, DSL, Puppy, Red Hat and Vecto
Re: (Score:2)
Re: (Score:1)
Umm...not only won't be joining the club, but have turned at least 6 of my formerly Windows using friends on to Ubuntu..and the only question I've had in the last 4 years was from ONE friend who asked me if it was safe to run updates because (in her words) she didn't want to run update and have it break things like Windows always did....and it hasn't. I showed her how to set up for long term support updates and she's happy as a clam, everything works and SHE DOESN'T KNOW SQUAT ABOUT COMMAND LINE.
Re: (Score:2)
what happens when things go wrong which is when all the fancy dies hard in Ubuntu or any other Linux and you are staring at a craptastic CLI.
At least with Linux when everything goes wrong you have a CLI. In Windows all you have is "safe mode" and you're locked out of anything that you could access to fix it.
With Linux, when things go bad, you can always get in with a thumb drive, or even reinstall the OS in another partition. With Windows, about all you can do is install Linux in another partition to get you
Re: (Score:1)
Incidentally, you're wrong about Android not being supplied with a CLI environment; it's in the market, free, for any who care to use it.
Re: (Score:3, Interesting)
Hahaha. I'm glad you aren't in charge of any IT security.
At least, I seriously hope you aren't.
Because if you think that's going to give you a huge security boost, you've got another thing coming.
You get better security with an informed user than switching from any current OS to any other current OS.
Re: (Score:2)
"Another think coming" doesn't even make grammatical sense, let alone logical sense. Also, look up 'idiom' when you get the chance. Also, a 'thought' is a thing, so it might not even fall under the category of idiom, although with the general use of 'another thing coming', it probably should.
You fail at being a Grammar Nazi, sorry.
Re: (Score:2)
Maybe in 10-15 years, but looking around, all I find promoting that use is, at best, second rate sources (third rate more likely), such as what you posted, and bloggers who want to criticize mainstream writers.
Sorry, I don't want to use your new and grammatically idiotic slang.
Re: (Score:2)
Why won't that joke of an OS die already?
Because it comes preinstalled on almost every PC sold. If all the PCs came with Ubuntu preinstalled, Ubuntu would take MS's place as king of the OSes.
We nerds are the only folks who install operating systems. Normal people treat their PCs like TVs or toasters (although we may occasionally hack our TVs and toasters to make them operate the way we want).
Re: (Score:2)
If all the PCs came with Ubuntu preinstalled, Ubuntu would take MS's place as king of the OSes.
-- and king of the compromised OSes. If Ubuntu were installed on 90% of all desktops, the hacker hordes would be all over them with tiny little lock picking tools. All those security updates that I get every couple of days on Ubuntu would also be the subject of hacking attempts. In some cases the defects would be found and exploited by hackers before maintainers knew about them.
IOW, life would be somewhat different but not very different (the security model of *ix is still better than that of 'doze but
Re: (Score:2)
That's likely true, although as you say, the security model of *nix is still better than that of 'doze but no security model can ever be 100%. End users would have a harder time getting pwned, though, as although it's as easy to install a program from a distro's repository as it is to install a Windows program, installing anything not in the repository is a little harder, and probably beyond the capabilities of the average user.
So yes, it would be the targeted OS, but it would still be a lot harder to buil
Re: (Score:2)
Unless ... another story on /. that is suddenly applicable: Hiding-Backdoors-In-Hardware [slashdot.org].
I wonder if it's much harder to build a backdoor in the 'hardware' that compromises *ix than *doze - or both - especially on machines (mostly servers) that are now running some form of boot/maintenance over LAN [wikipedia.org] or management-over-LAN such as IPMI [wikipedia.org].
As usual, convenience impacts security.
Re: (Score:2)
If the back door's in hardware, the OS wouldn't matter, you're pwned no matter what.
Re: (Score:2)
Re: (Score:1)
The problem is the ignorance of users, the lack of care by users again, and the lack of care by M$.
If users were smarter about their browsing.....we would have less infection.
If users chose to be less cheap and ran legit copies of Windows with full patches, we would have less infection.
If M$ was less cheap and allowed all copies of Windows, legit or not, to get patched, we would have less infection
(this last one more than all three first mentioned put together).
If we had windows programmers be more thor
what about a link.. (Score:2)
Re:Shame (Score:4, Interesting)
Should Linux developers feel shame also when someone gets his/her machine compromised by running ten-year-old unpatched stuff? Should door lock makers feel shame if I get my house robbed because I didn't fix a broken outdoor lock?
Re: (Score:2)
Should door lock makers feel shame if I get my house robbed because I didn't fix a defective outdoor lock?
Yes. Any software house or programmer should be ashamed of bugs in their code, just as a car manufacturer should be ashamed of a product recall.
A bug fix patch is no different than any other product recall.
Re: (Score:2)
Yes, I see your point and understand it. I'm a programmer and whenever I've made a dumb error I put on a hat which says "ass". Well, I used to, not anymore. It always gave a good laugh to coworkers :)
But on the other hand, if the manufacturer has found the defect, offered to fix the thing at no cost, and I refuse it... I don't see why the manufacturer should feel shame anymore. It's my shame not to allow them to fix it.
Re: (Score:2)
Well, no, I don't mean the manufacturer should feel shame that the customer didn't take advantage of the recall. That's clearly the customer's fault. The manufacturer's only shame is that he has to recall it in the first place.
I'll bet that if meatspace product recalls were as cheap and easy as software patches, toasters and TV sets would be a lot less well built.
Re: (Score:2)
No, but Google has been doing it for quite some time now.
intentional?:) (Score:1)
well duh (Score:2)
How many machines? (Score:2)
And do they run FF, Chrome, Opera, etc. looking for vulns in them as well? Can you imagine what would happen if this "huge number of virtual machines" actually got pwned? Now there's a massive spambot or DDoS! Would Google spam-block itself?
"Can I turn it off?" (Score:5, Interesting)
This suggests that Google will actively filter out sites that spread malware or are phishing? I'm sure Google will do a fine job at it and odds are I would leave such a feature on, but shouldn't there be an option to turn it off? I would feel way better about a search engine if I knew I could turn all its censoring features off. It's the same with SafeSearch, I have it turned to moderate, but I like the fact that I can opt to turn it off.
Re: (Score:2)
I thought the Google thing just warned you but gave you a "but go ahead anyways, if you're sure" option just in case of a false positive.
Re: (Score:2)
It does, but that doesn't stop ignorant alarmism.
Re: (Score:1)
This suggests that Google will actively filter out sites that spread malware or are phishing? I'm sure Google will do a fine job at it and odds are I would leave such a feature on, but shouldn't there be an option to turn it off? I would feel way better about a search engine if I knew I could turn all its censoring features off. It's the same with SafeSearch, I have it turned to moderate, but I like the fact that I can opt to turn it off.
There's two options in the Security section of Firefox options:
Block reported attack site [x]
Block reported web forgeries [x]
Presumably unchecking these will turn the protection off. It's not exactly obvious if this will stop the service completely or if it will just stop warning you. I.e. will it stop all communication between Firefox and the service?
And as a sibling comment mentioned, you can proceed regardless of the attack report. You get a cool report about the attack by the way, how many ext
Re: (Score:2)
Hopefully, no, you can't turn it off; because if you can, then miscreants out there will find a way to turn it off for you, without your knowing about it. More to the point, it won't be you that gets hit like that; you're obviously intelligent/paranoid enough to notice. It'll be your computer-illiterate friends and neighbors.
Funny, then (Score:1)
That a Google search for malwarebytes has AntiMalware Pro (see http://www.2-spyware.com/remove-antimalware-pro.html [2-spyware.com]) as the top, sponsored hit.
Crowdsourcing detection maybe? (Score:2)
I wonder why Google does not have some simple way for those of us who are savvy enough to recognise spam or malware sites to indicate so in the search results. Those results so indicated could have their page ranking reduced or be hidden until they were checked.
I realize this could be abused and have no idea what the signal-to-noise ratio would be, but it would be interesting to see how this worked.
Google Proxy- (Score:2)
What we need is a google proxy to surf through that would automatically strip malware.
What could go wrong?
Seriously, this Flash / Adobe stuff is crazy. Just browsing a mainstream site with bad adverts can compromise your box these days.
See! (Score:1)
To find malware-distribution sites, Google uses a huge number of virtual machines running completely unpatched versions of Windows and Internet Explorer that they point at potentially malicious URLs.
Windows IS useful! Time to go cash in on some bets.
It's a group effort. (Score:5, Interesting)
Google's Contribution to Security (Score:2)
two words: false positives (Score:1)
I think Google has to work on getting rid of the huge amount of false positives. I remember at one point even opengl.org was blacklisted.
Google Groups Spam (Score:4, Insightful)
This is all nice and great, but it is quite pathetic that they can't fix all the spam in Google Groups, and it isn't like it is rocket science, when exactly the same message with the same spam link gets posted to hundreds of groups.
Re: (Score:2)
This. Most of the Usenet spam I've seen lately gets posted from DejaGoogle.
Re: (Score:2)
spammers can use a huge
number of techniques that the
the human brain may not be aware of.
Including random characters, or
properly repeating words, or simple
thypos [sic]. That makes harder for
spam to be tracked.
Let's say for example that most people
won't notice it says "the the human" up there.
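An added example (not from the poster or from Google) of how a defender could cheaply match spam across groups despite the obfuscation described above, and catch the repeated-link pattern noted earlier in this thread: canonicalize the destination link so per-group tracking parameters and a leading "www." do not make one destination look like many, normalize the text (collapsing "the the"), and compare word shingles. The sample posts and the pharma.example destination are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://\S+")
WORD_RE = re.compile(r"[a-z0-9]+")


def canonical_links(text):
    """Extract URLs and reduce each to (host, path): query strings and 'www.' are dropped
    so one destination posted with different ?ref= tags collapses to a single key."""
    links = set()
    for raw in URL_RE.findall(text):
        parts = urlsplit(raw.rstrip(".,;)"))
        host = parts.netloc.lower()
        if host.startswith("www."):
            host = host[4:]
        links.add((host, parts.path.rstrip("/") or "/"))
    return links


def normalize_words(text):
    """Lowercase, drop URLs and punctuation, collapse immediately repeated words
    (so 'the the human' reads as 'the human', the trick the comment above plays)."""
    words = WORD_RE.findall(URL_RE.sub(" ", text.lower()))
    out = []
    for w in words:
        if not out or out[-1] != w:
            out.append(w)
    return out


def shingles(words, k=3):
    """Word k-grams; a message shorter than k words becomes a single shingle."""
    if len(words) <= k:
        return {" ".join(words)}
    return {" ".join(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 1.0


def same_campaign(post_a, post_b, threshold=0.5):
    """Two posts belong to one spam run if they point at the same destination, or if their
    normalized text overlaps heavily despite padding, typos and repeated words."""
    shared_link = bool(canonical_links(post_a) & canonical_links(post_b))
    sim = jaccard(shingles(normalize_words(post_a)), shingles(normalize_words(post_b)))
    return shared_link or sim >= threshold


def link_fanout(posts):
    """Count how many distinct posts carry each canonical link; a link that shows up
    across many groups at once is the cheap signal the thread asks for."""
    counts = defaultdict(int)
    for p in posts:
        for link in canonical_links(p):
            counts[link] += 1
    return dict(counts)


# Constructed sample posts (not real Usenet traffic).
SAMPLE_POSTS = [
    "Cheap meds!! Buy now at http://pharma.example/offer?ref=grp1 the the best prices",
    "Ch3ap meds... Buy now at http://www.pharma.example/offer/?ref=grp2 best prices!",
    "CHEAP meds buy now http://pharma.example/offer?ref=grp3 best  prices",
    "Does anyone know how to set up a transparent proxy for a client honeypot?",
]

if __name__ == "__main__":
    for link, n in link_fanout(SAMPLE_POSTS).items():
        print(f"{link[0]}{link[1]} seen in {n} posts")
    print("posts 0 and 1 same campaign:", same_campaign(SAMPLE_POSTS[0], SAMPLE_POSTS[1]))
```

The link check does most of the work here: textual tricks such as "Ch3ap" or doubled words lower the shingle similarity, but a spammer still has to point every copy at the same place to get paid, so fan-out of the canonical link is the hardest signal to disguise.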
URL Shortening (Score:2)
Holes in Google malware detection (Score:3, Informative)
There's been considerable improvement. Google still has some holes in dealing with "malware", phishing, etc. But these are mostly obscure tricks used to get around Google's malware reporting. You can report the sites below over and over, but nothing happens, because Google's reporting system doesn't understand that these Google features are exploitable.
I'm pleased to notice that, at last, Google is no longer running ads for software for spamming Craigslist. Search for "craigslist auto poster tool". There used to be ads for programs for spamming Craigslist, and some of them even accepted payment through Google Checkout. (That last could lead to legal problems, since Google was not only advertising a legally questionable product, but taking a cut of the revenue.) That seems to have stopped. There are still ads for offshored services which manually spam Craigslist. [google.com]