Google Wants You to Report Malware

Posted by Zonk on Sat Dec 01, 2007 06:37 PM
from the there's-a-propaganda-poster-in-this dept.
darthcamaro writes "As part of its ongoing effort to keep a clean index Google is soliciting the help of web browsers to let them know when we find malware in the index. Celebrated Google hacker Johnny Long thinks it's a good idea, though he told the site Internet News that he doesn't think it'll stop real hackers. From the article: 'Most in search of malware for offensive use know the good stuff — it ain't distributed through public Web ... It's distributed through dark Web servers, peer-to-peer networks, IRC channels, torrents and the like. Google's efforts will not affect how skilled hackers get access to malware.'"
This discussion has been archived. No new comments can be posted.
  • by nurb432 (527695) on Saturday December 01 2007, @06:43PM (#21547927) Homepage Journal
    Nor should it. Google is now telling me what is moral and immoral and wanting to restrict access on their concepts of right and wrong? Who died and made them king?

    Either they are a public company that should be considered a 'common carrier' or they aren't, which is it to be?
    • by webmaster404 (1148909) on Saturday December 01 2007, @06:45PM (#21547943)
      But for the Windows user, it could cut down MASSIVELY on the amount of malware they get.
      • by quanticle (843097) on Saturday December 01 2007, @07:08PM (#21548091) Homepage

        This isn't about that. Google already has a service that reports and detects sites that try to phish your personal information or try to install malware on your machine. No, this effort is to try to purge the Google index of sites that sell malware creation and deployment toolkits to black-hats. IMHO, the original poster is correct. This wouldn't make it much more difficult for script-kiddies and black-hats to get their hands on malware kits, while making it more difficult for white-hats to find information about these programs.

        • by DutchSter (150891) on Saturday December 01 2007, @10:11PM (#21549051)
          This isn't about that. Google already has a service that reports and detects sites that try to phish your personal information or try to install malware on your machine. No, this effort is to try to purge the Google index of sites that sell malware creation and deployment toolkits to black-hats. IMHO, the original poster is correct. This wouldn't make it much more difficult for script-kiddies and black-hats to get their hands on malware kits, while making it more difficult for white-hats to find information about these programs.

          Not to drift too far off topic but I've never been very impressed with the Google phishing site service. On the one hand they say that they solicit feedback from the user community as to what is a web forgery; I don't know that they ever listen. I deal with phishing sites as part of my job and I've had situations where at least 10 or 12 customers have told us that they submitted the page to Google's Web Forgery report page but it never gets flagged. The only time I've ever seen them flag a site is when one of the major anti-phishing players classifies it as such. I've done some experiments where I've watched phishing sites stay online for a while. It seems that without fail within an hour of a major vendor like Symantec announcing the forgery Google will flag it. Otherwise users can spam the Google report link for a week and it'll never get flagged.

          With this new service it makes me wonder if they have any plans to actually respond to user input or if the user input will be up only for good PR. Will all the accepted submissions come from professional security firms who have a vested interest in knowing about malware, leaving your more casual security researcher unable to a) effectively report malware pages and b) learn about new threats once the big players have done their research and told Google to de-index the page?

          Now I understand that if you get a report from Symantec the credibility is very high as opposed to web-based reports from anybody who can read squiggly letters in a box, but it does make me wonder if the public submission forms are just for show so people can feel like they're doing a good thing.
        • by wizardforce (1005805) on Saturday December 01 2007, @07:07PM (#21548083) Journal
          it isn't the noobs that worry me, it's when people like you think that malware only affects the noobs and not the servers they will later attack. storm botnet ring a bell? preventing the noobs from inadvertently joining spam botnets is in our best interests.
        • Not knowing how to spell/spell-check doesn't make you stupid. Ignorant, yes; stupid, not necessarily.
        • Yes, we're being asked to help protect noobs who don't know any better. It's just the same as protecting children who haven't learned better, or do you object to that too?
    • Google doesn't provide access, it only indexes (wow, that sounds familiar), so the common carrier argument is totally unrelated. In this case, it's more like a phone book refusing to list crack dealers in the yellow pages, and requesting that people report any crack dealer listings that happen to slip in somehow.
      • If they are not a common carrier and actively filter results, then they need to be held legally liable for any results that are inappropriate/illegal.

        Can't have it both ways.
        • How so? Is linking to something that is illegal, illegal? Doesn't sound necessary.
          • by nurb432 (527695) on Saturday December 01 2007, @07:37PM (#21548247) Homepage Journal
            Personally, I feel that if they filter ONE item, EVER, then it blows the entire idea of them not being liable for future content. They really shouldn't be in the business of deciding what is ok and what isn't ok. Just report the links as is, and collect their revenue leaving it up to us to decide what is right and wrong.

            • Re: (Score:3, Insightful)

              You are being oddly pedantic; Google returns search results in what is essentially an arbitrary order; changing that order based on the presence of malware isn't filtering, at least not anymore than the initial search result is filtering.

              And really, if you don't think that being able to advertise that their searches are 'safe' has the potential to affect revenue, I don't know where to start.
                • Re: (Score:3, Insightful)

                  Google already selectively decides what it wants to let through. They call it 'Pagerank'. I've heard dirty rumors that different people get different results for the same search, and that sometimes, the number of results printed on the result page doesn't match up with the actual number of results available. Also, I've heard that they have removed stuff based on DMCA takedown notices.

                  If you have a problem with Google doing this, you have a problem with what Google was doing yesterday.
                • by hedwards (940851) on Saturday December 01 2007, @08:22PM (#21548519)

                  I will say it again, for the last time: If they filter once, they should be liable for any future result. If they filter 'malware' results, but allow KP results, they should be put out of business. You can't selectively decide what you want to let thru then claim protection on the basis that you can't control illegal content.
                  Why? Your argument makes absolutely no sense whatsoever. Of course they can filter one thing out, they could manually do it without any additional technology, by having a temp or intern manually typing in regexes. If they could be held liable for not getting all the kiddie porn off their results, they already would.

                  Regardless of your opinion, it is far easier to remove malware than it is to remove kiddie porn. For starters identifying kiddie porn requires in many instances knowing the age of the participants, while it is reasonable to assume that a 3 or 4 year old isn't 18, when you start talking about 14 or 15 year olds, it isn't necessarily an easy determination to make in large quantities. With malware, it is relatively straightforward to determine what if anything it's doing. Some adult women are the same proportions as teenage girls.

                  The other thing is that there will always be malware, child porn and various other types of bad stuff on the net, the initiative here is to try and limit it. Google isn't going to be able to stop linking to enough sites to stop it, but hopefully hit enough of them that people don't casually run into it.
      • As a public company they can drop any search results they disagree with...

        I could give a shit about the windows malware that's out there. I don't run Windows and a good portion of my client base either doesn't run windows or doesn't have access to the net. But what I really wish google would fucking drop from their index is experts-exchange and tech-republic.

        The last damn thing I want any of my search results to return is "Hey--here's the answer you're looking for. The solution is to...[PAY US FOR A FUCKING SUBSCRIPTION PLEASE]"
  • by Anonymous Coward on Saturday December 01 2007, @06:43PM (#21547929)
    Obviously hackers don't look for their tools on Google. But if regular people get to websites through Google's index, Google does not want them to get infected by web-borne malware.
  • by Wog (58146) on Saturday December 01 2007, @06:45PM (#21547939)
    'Most in search of malware for offensive use know the good stuff -- it ain't distributed through public Web ... It's distributed through dark Web servers, peer-to-peer networks, IRC channels, torrents and the like. Google's efforts will not affect how skilled hackers get access to malware.'

    I imagine the idea is that people who are making (ahem) innocent searches will not be so prone to stumble across a malicious page with the latest unpatched IE/Firefox/Whatever exploit.
      • Criticizing the sentence and then showing your lack of expertise in the language? :P

        "Use" is not a verb in this sentence. Use as in "I have found a use for this" is a noun.

        "Offensive" is used as an adjective describing "use"

        "Good" is used to describe "stuff" and in this context it means "good at what it was meant to do". It isn't confusing at all.

        It isn't three levels of prepositional phrases. It's three prepositional phrases back to back (which is also not uncommon). "in search" (preposition, object) "
        • You can see my response to the grandparent pointing out his errors, including "most" being a plural pronoun (not merely common vernacular). However, the prepositional phrases, while not confusing in the slightest, were nested. "For offensive use" was clearly an adjective describing malware in "of malware". "Of malware for offensive use" is a prepositional phrase used as an adjective to describe the search in "in search". "In search of malware for offensive use" is a prepositional phrase used as an ajecti

          • Actually, "most" could be interpreted two ways. One is as a plural pronoun, however the other is as an adjective for the understood subject "people" (understood in the same way that "you" is in the sentence "Do the dishes"). Both would be acceptable.

            Additionally, the prepositional phrases are not nested, and all three are indeed prepositional phrases. The first is used as an adjective, and the last two as adverbs. Prepositional phrases are categorized as a sequence of preposition [adjectives] subject.

            I
      • I know someone already called you out on this, but incorrectly. Hence, I shall also attempt to explain:

        • Most: A plural pronoun, in addition to an adjective.
        • Search: In addition to a verb, a noun meaning the act of searching.
        • Offensive: An adjective to describe "use" (see below).
        • Use: Noun, a method of employing something. Ironically, Merriam-Webster lists this usage as more common than "use" as a verb.
        • Good: Pejorative use of the adjective.

        Also, apparently the nesting of prepositional phrases was conf

  • by sirwired (27582) on Saturday December 01 2007, @06:56PM (#21548005)
    The point of this is not to keep hackers from finding malware, it is to keep Google search users from getting infected through poisoned search results.

    Duh.

    SirWired
    • The point of this is not to keep hackers from finding malware, it is to keep Google search users from getting infected through poisoned search results.

      Duh.


      This is exactly what ScrubIT has been doing for a long time now. Instead of search results, it is DNS, which blocks malware sites. It has a function to submit sites to be added to the blacklist.

      Many think ScrubIT as a filtered DNS service is just a porn filter to protect the kids. It's much more than that. It kills phishing and malware sites also. Th
  • Obviously, by definition, skilled hackers can get the tools they need without google's help (or despite google's measures).
    I think this is a great move by Google anyway. The hackers I find annoying are the 'script kiddies'; these kids (or immature adults) can too easily find programs that waste my bandwidth, hitting my server to find obvious holes, looking for very outdated software; in general, banging their heads against my firewall. If a 'real' hacker wants to waste his time, he could probably find som
  • Celebrated Google hacker Johnny Long thinks it's a good idea, though he told the site Internet News that he doesn't think it'll stop real hackers.

    Who told Johnny Long that the purpose of this development was to "stop real hackers?" I am speculating now that one of the purposes of this development is to mitigate the damage these hackers create.

    In my opinion, hackers are more like terrorists. They are motivated by sadism and determined at their craft.

    • In my opinion, hackers are more like terrorists. They are motivated by sadism and determined at their craft.

      This may have been true some time ago. The folks who create and spread malware these days are motivated by simple greed. Botnets and such are big business. So is the information harvested from unsuspecting users through key loggers. Terrorists tend to be ideologically motivated regardless of whether the ideology is religion, politics or whatever.

      Change the economics of web sites hosting malwar

      • Terrorism is a strategy, not an end; it's often adopted when your opponent's military is far stronger than your own and attacking it directly would lead to instant defeat.

        Terrorism as defined in the west, is not necessarily a strategy. It's fighting a "war" on your terms.

        The west is right in saying that if the terrorists attacked directly, they would be defeated instantly but why would the west want the terrorists to attack directly - that is, on the west's terms?

        As an opponent, I attack using a method that best suits me...a method that guarantees maximum headache to the adversary. That is what is at stake. You can call it terrorism but limit that to your definition not

  • Just malware? (Score:4, Interesting)

    by rhizome (115711) on Saturday December 01 2007, @07:02PM (#21548061) Homepage
    I'm not a religious man, but I pray for the day Google allows you to blacklist certain domains globally (for your cookie or login). Malware sites sure, but link farms and pay-forums and gopher indexes and yadda yadda clog up so much, I'm thinking this feature would be akin to a Do-Not-Call list for the web.
    • hell yeah! i'd blacklist that shit site called expert-exchange.com, it's ALWAYS in my search results
        • Amen!! %#&%$%n' Expert-exchange is right up there every time I google any technical/coding problem, no matter how obscure..

          Little-known fact: the experts-exchange answers are at the bottom of the page. They just insert those fake greyed out boxes to throw you off.
    • Re: (Score:2, Informative)

      The CustomizeGoogle [customizegoogle.com] extension for Firefox allows you to blacklist sites from search results.
  • DTTP? (Score:5, Funny)

    by BorgCopyeditor (590345) on Saturday December 01 2007, @07:14PM (#21548117)

    'Most in search of malware for offensive use know the good stuff -- it ain't distributed through public Web ... It's distributed through dark Web servers

    Well, then, they should just block the ports typically associated with the DarkText Transfer Protocol.

  • I think Johnny Long and Google have different goals. I think Google wants to protect users from unsuspectingly visiting sites that will exploit browser bugs (i.e. the sites themselves are malware, no user would search for it explicitly), while Johnny Long thinks this is about preventing the spread of rootkits and the like (which people would search for explicitly).
  • Ghee - if you have the time and...

    - get a phishing email for your paypal account
    - get a dubious email from your bank asking to reenter your credentials ....

    don't you go to those sites and feed them expired credit card numbers, wrong information and then report them anyway?

    It's great that Google provides resources to accommodate reporting but hardly exciting at all.

    To get so worked up about it by branding it as inefficient or thinking the Big Brother tries to tell you what is right or wrong surely is
  • by Adult film producer (866485) <van@i2pmail.org> on Saturday December 01 2007, @07:22PM (#21548151)
    let users flag all of those websites that only have indexes of other websites, link farms or whatever they're called... and please let me flag those "ask the expert" pages as spam.
    • let users flag all of those websites that only have indexes of other websites...


      Yes, and the moment they do that, all the trolls and script kiddies out there would be listing Google itself, because what is it except an index of other sites?

    • Re: (Score:3, Interesting)

      But then Google wouldn't be able to show you all their Adwords on those websites (and the ones they link to).

      Why do you think Google isn't doing anything against link-farming? Because they merely have to act ignorant and rake in the cash. Vote with your feet and use a different search engine (or meta-searchengine like clusty), diversity is good.
  • What would be more helpful is if someone set up a distributed, fully automated IP address blacklist system and web servers and intrusion software could simply log IP address "hate" à la a system like this http://savingtheinternetwithhate.com/ [savingthei...thhate.com]

    I'd love to be able to get a daily list of IP addresses that have been community-logged with reputations as having "bad behavior" (like worm propagation, scanning for website or ssh weaknesses, DOS attacks, open relays, etc) to feed to firewalls, ssh and web server, e
  • In Soviet Russia, malware reports YOU!
  • I wonder if this system will affect listings in Google for small security firms who publish "proof of concept" demonstrations of new exploits. Could this lead to an unintentional (?) block of such firms' research products?

    • I sincerely hope not. However, I suspect that if it's automated in any fashion, some sites will get wrongly tagged. The general public doesn't know the difference.
      • If my guess is right, the scans are almost certain to be almost completely automated, at least for the "first stage." Then again, Google has some incredibly smart people working for them, and my hope is that secondary analysis of the results would prevent inappropriate blocking of benign sites.

  • Quoth the poster: "Google's efforts will not affect how skilled hackers get access to malware."

    It may not stop skilled crackers from gaining access to rootkit builders, trojan generators, etc, but if implemented properly it will definitely help identify sites actively hosting pages designed to exploit things like browser vulnerabilities to compromise user machines. Less fodder for the botnets is a good thing in my book.

  • Dear Google, (Score:4, Insightful)

    by iminplaya (723125) <iminplayaNO@SPAMgmail.com> on Saturday December 01 2007, @07:59PM (#21548373) Journal
    Sony, the RIAA, the MPAA, the FBI, the CIA, the NSA all produce malware. Please block access to their sites.
  • I really fear for how this will affect full disclosure security sites. These sites are vital and used by security professionals world-wide.

    Are they going to ignore sites safely hosting exploit code, or just those attempting to actively use it against the browser? Let's hope it's only the latter.

  • McAfee's SiteAdvisor [siteadvisor.com] already looks for malware available from web pages, downloading everything that might be a threat and running it in a virtual Windows machine with Internet Explorer. SiteAdvisor does the work themselves; they're not trying to get people to work for them for free. Google already had something like that, although not as good. Allowing users to add to the machine-generated lists is useful, but not a big deal.

    Besides, why work for Google for free? If you're going to report phishing si

    • Re: (Score:3, Funny)

      by Anonymous Coward
      You forgot to mention, to type "free" anything, then click "I'm feeling lucky"... Boom - malware.