Google Detects 9500 Malicious Sites Per Day
An anonymous reader writes "Five years after it was first introduced, Google's Safe Browsing program continues to provide a service to the 600 million Chrome, Firefox, and Safari users, as well as those searching for content through the company's eponymous search engine. According to Google Security Team member Niels Provos, the program detects about 9,500 new malicious websites and pops up several million warnings every day to Internet users. Once a site has been cleaned up, the warning is lifted. They provide malware warnings for about 300 thousand downloads per day through their download protection service for Chrome."
How accurate is this? (Score:1)
Re:How accurate is this? (Score:5, Informative)
Re: (Score:2)
Well for starters it's open source [google.com] so you can see for yourself.
I'd guess that the malware detection is actually performed by servers at Google. That would make more sense (to me, anyway) than trying to embed the code in the browsers where malware authors can examine it, and where updates require a browser release.
Re: (Score:2)
Well for starters it's open source [google.com] so you can see for yourself.
I'd guess that the malware detection is actually performed by servers at Google. That would make more sense (to me, anyway) than trying to embed the code in the browsers where malware authors can examine it, and where updates require a browser release.
Er, I guess I should have clicked your link before shooting my mouth off, rather than after :-)
Re: (Score:3)
Well for starters it's open source [google.com] so you can see for yourself.
I'd guess that the malware detection is actually performed by servers at Google. That would make more sense (to me, anyway) than trying to embed the code in the browsers where malware authors can examine it, and where updates require a browser release.
Er, I guess I should have clicked your link before shooting my mouth off, rather than after :-)
Er, I guess I should have read the code at the link you provided before correcting myself... since it appears that it does indeed connect to "safe browser servers" at Google.
I think I'll just shut up now, even if further perusal shows this comment to be wrong as well.
Re: (Score:2)
Re: (Score:1)
LOL? Well for starters that's the client side stuff. And this gets derped up to +5 informative? Holy crap haha.... if your comment was tongue in cheek, I salute you. Otherwise, let me just slowly back up and then run like fuck.
Re: (Score:3)
Re: (Score:2)
Please read a little deeper:
https://code.google.com/p/google-safe-browsing/wiki/SafeBrowsingDesign [google.com]
Re: (Score:3)
Accuracy can be hit or miss. A lot of people in the translation community use tools like chiitrans, chiitrans2, Translation Aggregator(TA) and agth. Google regularly flags sites with these as malware and specifically mentions these as malware, when they're no such thing. They also regularly flag mentions of RPG maker 2k(JP) [famitsu.com] as malware. To me it seems more like the engine is looking for anything that injects or hooks, which chiitrans, TA and agth do. Or non-standard character sets which the old RPG maker
Re: (Score:1)
After digging around a little I did not find much useful knowledge about the accuracy and how it works.
Well according to one user named AnonymousCoward it has to use MyCleanCP(spelling). He went on saying it was the only one that would work.
Re: (Score:1)
The plural of anecdote is not data. Since anecdote is all I have to offer, here goes: I occasionally run into its malware warnings, most, in fact all in recent memory, for some site I know for a fact has no ill intentions, though malicious adverts might always slip through, of course. What irks me most about those warnings isn't even the indiscriminate false positives, but much more the lack of detail as to just what was found to be suspicious. I, for one, would be much safer knowing exactly what the problem w
Re: (Score:1)
After digging around a little I did not find much useful knowledge about the accuracy and how it works.
I just put one of my domains online yesterday. It's OK now but the first couple of times I tried to access it I got one of those "This site could be dangerous to your computer" banners. I wonder if Google needs to crawl the site before it blesses it as safe.
Malicious? (Score:4, Funny)
Does Google include *.gov?
Re: (Score:2)
Is your name so uncommon that it matters?
Do you look that much like this thug?
Re: (Score:2)
You might want to mention that when applying for jobs then.
Re: (Score:2)
Would you really want to work for someone so stupid they don't realize two people can have the same name? You could also tell them ahead of time it's not you in the mugshot. What would you have to lose? It might even help them remember you.
Re: (Score:2)
Re: (Score:1)
"fucking"
Re: (Score:1)
going to that site, I see
"[name], [job], arrested for alleged embezzlement, report says"
Seriously, what the fuck is this shit? What kind of nazi would defend it?
Re: (Score:2)
"Extortion"? Really? Unless mugshots.com is actually claiming you are that person, it has nothing whatsoever to do with you. People googling your name who are too stupid to realize multiple people can have the same name... well, I probably wouldn't want anything to do with them anyways.
And it can't even be extortion unless they are threatening to release the name unless you pay them money. They aren't, are they? No? Then welcome to the Internet, where 10,000 people have the exact same name as you.
Re: (Score:2)
Detects malicious websites, but allows mugshots.com to end up at the top of search results. My own site (with a myfullname.com), my twitter page, my linkedin profile, etc., etc., etc. are all now listed after a mugshots.com page for someone else with the exact same name as me. Mugshots.com is nothing but an extortion attempt. And I get to suffer because some thug has the same name I do.
Anyone named Anonymous Coward is going to be taunted from grade school onward. Either that or he learns to fight.
Just stop hosting it! (Score:1)
Do a search in Google for - https://docs.google.com/a/njit.edu/spreadsheet/viewform?formkey=dEdpR1lrTjZPenFtY3BkS1l3UF9VWHc6MQ
hmmm, no flags...
or how about https://docs.google.com/spreadsheet/viewform?formkey=dEZfZjkwa0FxYmRRbzFvend5ODhhX2c6MQ
oh, it's in Phishtank as 100% verified (and yes, Google gets reports from Phishtank), but has Google taken it down? NO.
Geniuses would have this down programmatically. Google only does enou
Re: (Score:1)
Yes, it has been clicked on many times, and reported to many contacts @Google. Their abuse was de-centralized many moons ago down to the product level, and it's been a mess ever since.
Does it take a genius to remove phish and malware reported to Safe Browser when they are hosted on blogspot and google docs? Nope.
Re: (Score:3)
Re: (Score:2)
Somehow, I think if someone sees a form purporting to be from either Yahoo or Microsoft, but says right on it "Powered by Google Docs," and they still go ahead and enter their information, then they're stupid enough that they'll give away their information anyway at some point, so it doesn't make much difference if this stays up or not.
Incidentally, I did get a warning on the second one.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Impressive numbers? (Score:2)
"Five years after it was first introduced, Google's Safe Browsing program continues to provide a service to the 600 million Chrome, Firefox, and Safari users"
Is that 600 million users served over the five-year span? Or the total number of users on Chrome, Firefox and Safari that we have now? 600 million is just a little under 9% of the world's population.
Impressive numbers, in any case.
Phishing site hotspots (Score:4, Interesting)
This [blogspot.com] image from Google's blog post [blogspot.co.uk] shows that the majority of the phishing sites are hosted in the US. Interestingly, most of Africa is relatively "clean", except for Algeria and South Africa.
Re: (Score:1)
That is deceitful and doesn't tell the whole picture.
The malware is not developed here. It is just that America has lots and lots of old servers running unpatched wordpress, apache, and linux software full of vulnerabilities. Many slashdotters are under the impression most malware is still installed by a user clicking something and the problem is always between the monitor and keyboard and also that Linux is 100% safe and only IIS gets infected etc.
Most bad sites are legit and just get hacked and crackers inser
Re: (Score:2)
If you used Windows without AV software guess what? You are owned if you visited slashdot in late february or early march.
That's almost as vague as Google's warnings. Did the malware in this case target IE? Firefox? Chrome? Flash player? Java?
Did it rely on a zero-day exploit? Or something that you just hadn't got around to patching?
I haven't run A/V for somewhere around a decade. I've never been infected. I visit /. on a regular basis, including the time in question. Obviously your blanket warning isn't accurate.
Re: (Score:2)
I haven't run A/V for somewhere around a decade. I've never been infected.
That you know of.
Re: (Score:2)
True, but he likely does run noscript and an ad blocker.
Re: (Score:2)
Why does everyone think the only way to know if you're infected is to run some resource-sucking A/V software?
How do you think A/V companies know to add something to their definitions? Does it have to show an infection in an antivirus scan?
Maybe the fact that I don't get falsely complacent by running A/V software, means that when the A/V companies miss something like Flame for two years then I'd know about it on my machine before the AV warning, because I wouldn't be thinking "My A/V software shows nothing,
Re: (Score:2)
Why does everyone think the only way to know if you're infected is to run some resource-sucking A/V software?
Because with well-written malware it is the only way to know, unless you routinely snapshot your system and do off-line verifications that your system files have not been modified.
How do you think A/V companies know to add something to their definitions?
There are many ways malware is discovered initially. It depends on the type of malware and the infection vector.
Maybe the fact that I don't get falsely complacent by running A/V software, means that when the A/V companies miss something like Flame for two years then I'd know about it on my machine before the AV warning, because I wouldn't be thinking "My A/V software shows nothing, so I'm not infected."
No one (well, not me anyway) is claiming that A/V software never gives false negatives. But not having A/V software gives a lot more false negatives.
Re: (Score:2)
Why does everyone think the only way to know if you're infected is to run some resource-sucking A/V software?
Because with well-written malware it is the only way to know, unless you routinely snapshot your system and do off-line verifications that your system files have not been modified.
Which is essentially what I do, thanks to a security project I've been working on for a few years.
Besides, with well-written malware, even A/V software can't tell you're infected without an offline scan.
Re: (Score:2)
Re: (Score:2)
I think I quite clearly said _I_ don't run antivirus. There was no implication that it was a good idea for others; at least, I didn't mean it. If you took it that way, then maybe I need to be more careful how I word that statement.
Re: (Score:1)
It was a faulty ad using a flash exploit. If you didn't run flashblock your system got owned. If you hate av software you can download a free scanner from Kaspersky that doesn't affect your system or use malware bytes from filehippo. You need to run AV software in this day and age. Modern av software like avast doesn't slow your system down
Re: (Score:2)
Ok, so it was a flash exploit. That still doesn't say whether it was zero day or not. If it wasn't, then you were unpatched, and I wasn't, and I'd be safe. If it was zero-day, I was doing a lot of experimenting with Chrome at that point, which has sandboxed flash since at least 2010, meaning I'd still be safe. All without flashblock.
And incidentally, _all_ antivirus software slows your system down. Unless it's magic, it takes processing time to scan every file you open, meaning there's less processor ti
Re: (Score:1)
Well do not take this the wrong way or anything but if you do not run any AV software how do I know that you're credible saying it doesn't slow your computer that much if you do not use it?
True Norton 360 and McCrappy circa 2006 was a total POS but that doesn't mean they all are. Avast added only 3 seconds of bootup time to my computer and that is it and well worth it. Sandboxing slows your computer down. Anything besides DOS or pure assembly slows your computer down. I stand by my words when I say a go
Re: (Score:2)
Boot time isn't the only way your computer can be slowed.
And we still don't know if it was a zero-day exploit or not. For that matter, we don't know if it would have even infected you.
Did you know that Avast's web shield doesn't know if you're vulnerable to the exploit or not? It simply warns you when it sees a malicious file, even if you don't have the vulnerable plugin. Just because it blocked something doesn't mean you would have been infected without A/V.
Re: (Score:2)
And Antarctica is hosting zero phishing sites...
It's over 9000! (Score:2)
(no text)
Re: (Score:2)
That's almost 10000!
Tool for webmasters? (Score:2)
Is there a place where we can put our domain names and our emails, so that Google can contact us when they detect something on our websites?
Google needs to clean up their own act first. (Score:3)
Here's our current list of major domains being exploited by active phishing scams. [sitetruth.com] Notice who's at the top of the list. Google.
We've been generating that list for years. It's based on PhishTank data, updated every 3 hours, and uses Open Directory to decide if a site is "major". 46 domains are on the list today. 9 have been on the list since 2011 or earlier. One has been on the list since 2010 - Google. Google is the last free hosting service unable to clean up their phishing problem. MSN, Yahoo, and various free hosting services have been successful at aggressively cleaning up phishing problems, and haven't been on this list, other than briefly, for years.
Here's the oldest phishing attack hosted by Google, up since 2010 [google.com]: "Free Habbo Coins. Email your username and password to..."
For years, Google didn't realize that Google Spreadsheets could be used to host phishing sites. [phishtank.com] They finally caught on, and there's now a "report abuse" button on spreadsheets. Most, but not all, of the spreadsheet-hosted phishing sites have been taken down.
If anybody from Google is reading this, go over to your abuse department and apply a clue stick. It should embarrass someone that Google is the most clueless free hosting provider in the world about phishing.
Re: (Score:2)
I wonder though... (Score:2)