
Google to be Our Web-Based Anti-Virus Protector?

cyberianpan writes "For some time now, searches have displayed 'this site may harm your computer' when Google has tagged a site as containing malware. Now the search engine giant is further publicizing the level of infection in a paper titled: The Ghost In The Browser. For good reason, too: the company found that nearly 1 in ten sites (or about 450,000) are loaded with malicious software. Google is now promising to identify all web pages on the internet that could be malicious - with its powerful crawling abilities & data centers, the company is in an excellent position to do this. 'As well as characterizing the scale of the problem on the net, the Google study analyzed the main methods by which criminals inject malicious code on to innocent web pages. It found that the code was often contained in those parts of the website not designed or controlled by the website owner, such as banner adverts and widgets. Widgets are small programs that may, for example, display a calendar on a webpage or a web traffic counter. These are often downloaded from third party sites. The rise of web 2.0 and user-generated content gave criminals other channels, or vectors, of attack, it found.'"
  • Already being done (Score:5, Informative)

    by zappepcs ( 820751 ) on Friday May 11, 2007 @01:27PM (#19086361) Journal
    McAfee SiteAdvisor already does this for Google search results pages. This is nothing new. It's a FF extension and works well, though lately it has pointed out that proxy servers are trying to steal my identity when I try to use them.
  • 450,000? (Score:5, Informative)

    by rueger ( 210566 ) on Friday May 11, 2007 @01:34PM (#19086539) Homepage
    Sigh, are basic editorial skills too much to ask here? (I know, it's a rhetorical question).

    TFA does not say that "the company found that nearly 1 in ten sites (or about 450,000) are loaded with malicious software." This implies that there are a total of less than a half million sites that pose a risk.

    It said that of the 4.5 million pages examined, "about 450,000 were capable of launching so-called "drive-by downloads"..."

    It also notes that "A further 700,000 pages were thought to contain code that could compromise a user's computer, the team report."

    The problem is probably quite a bit larger than presented in the summary, even if one ignores the confusion between "sites" and "pages".
  • by Animats ( 122034 ) on Friday May 11, 2007 @01:55PM (#19086989) Homepage

    Here's the actual paper. [usenix.org] It's a Usenix paper.

    What they're doing is straightforward, and it's much like what many virus scanners do. First, they look at web pages to see if there's anything suspicious that requires further analysis. If there is, they load the page into Internet Explorer (of course) in a virtual machine, and see if it changes its environment. The better virus scanners have been doing something like that for a few years now, running possible viruses in some kind of sandbox. Although they usually don't go all the way and run Internet Explorer in a virtual machine. (Are you allowed to do that under Microsoft's current EULA for IE 7?)

    The main problem with Google's approach here is that it's after the fact. They won't notice a bad page until the next time they crawl it. Bad pages come and go so fast today that they'll always be behind. As the paper says, "Since many of the malicious URLs are too short-lived to provide statistically meaningful data, we analyzed only the URLs whose presence on the Internet lasted longer than one week."

    If Google implements this, the main effect will be to push attackers into changing site names for attack sites even faster.

    It's all so backward. What we need is to run most of Internet Explorer in a tightly sandboxed environment on the user's machine, so that when you close the window, any browser damage goes away. That would actually work.
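
An added illustration, not part of the original thread or of Google's paper: a site owner's audit of active content served from hosts other than the page's own (the banner-and-widget channel described in the summary), used as a cheap first-stage filter before sandboxed browsing of the kind described in the comment above. The hidden-frame rule, the trigger function and the `.example` hosts are assumptions made for this sketch.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags that pull in active content, and the attribute that holds its URL.
ACTIVE = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

class ThirdPartyAudit(HTMLParser):
    """Collect active content fetched from a host other than the page's own."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        ref = a.get(attr)
        if not ref:
            return  # inline script or empty frame: nothing is fetched
        # urljoin resolves relative and protocol-relative ("//host/x") references.
        host = urlsplit(urljoin(self.page_url, ref)).hostname
        if host is None or host == self.page_host:
            return  # same host, or a non-network URL such as data:
        # Assumed heuristic (not from the page): a zero-sized frame is invisible.
        hidden = tag == "iframe" and "0" in (a.get("width"), a.get("height"))
        self.findings.append({"tag": tag, "host": host, "hidden": hidden})

def audit(page_url, html):
    parser = ThirdPartyAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

def needs_dynamic_analysis(findings):
    """Assumed trigger: queue the page for the sandboxed-browser stage."""
    return any(f["hidden"] for f in findings)

# Constructed sample page; all hosts are placeholders.
SAMPLE_URL = "https://www.shop.example/index.html"
SAMPLE_HTML = """<html><body>
<script src="/js/site.js"></script>
<script src="//cdn.widgets.example/counter.js"></script>
<iframe src="https://ads.banner.example/slot?id=7" width="468" height="60"></iframe>
<iframe src="http://stats.unknown.example/c.html" width="0" height="0"></iframe>
<script>var inline = 1;</script>
</body></html>"""
```

The inventory alone is useful to a site owner: every host it lists is code the owner does not control but visitors will execute or render.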

  • by mrsteveman1 ( 1010381 ) on Friday May 11, 2007 @02:18PM (#19087367)
    It is in everyone's interest to both secure Windows and stop malware in general, because an infected box can be used for things other than gathering info on the owner, which then affects people who have nothing to do with Windows.

    For instance, botnets generally are made up of Windows PCs, but are used to DDoS attack Unix webservers for ransom or political gain. They can also be used to attack network nodes such as vulnerable Cisco routers or corporate firewalls; it's a generic proxy model of attack which can be used for any number of attack vectors on any number of different systems. Recently there was even a browser exploit that allowed an attacker to use the box as a security scanner for vulnerable websites; this affected ALL systems, including OS X and Linux.

    So, you can see Windows is a huge part of the problem and everyone would be better off if it died, but it benefits everyone to stop malware, even if it means fixing problems Microsoft can't or won't fix themselves.
  • by fred fleenblat ( 463628 ) on Friday May 11, 2007 @02:51PM (#19087973) Homepage
    Neither; it is my honest opinion that Microsoft should clean up its own mess.
  • False positives? (Score:1, Informative)

    by Anonymous Coward on Friday May 11, 2007 @03:22PM (#19088477)
    And how is Google going to handle false positives?

    I'm a lot less enthusiastic about this as Gmail is rejecting my home IP, because "Our system has detected an unusual amount of unsolicited mail originating from your IP address."

    I've checked and monitored my Linux box. I'm not sending spam. Personal mail would be 0 to 5 a day to Gmail addresses. I've had this DHCP issued IP since at least February, so it's not an inherited problem. I contacted Google as a Gmail customer two weeks ago (there's no direct way to contact them) and gave them all the relevant detail so we can fix it, and have been sending a test message to my Gmail account once a day since.

    I've heard bugger-all from Google. The daily test messages are rejected. Two of the "rejected" messages have gone through a day later.

    Search for 'Google is blocking my IP' & similar reveals I'm hardly alone. So yeah, no. With Gmail they've proven they're not perfect, yet don't provide support to clear up the inevitable mistakes. So I'm not enthusiastic about further censorship by them.
