Google Highlights Trouble In Detecting Malware

JohnBert writes "Google issued a new study (PDF) on Wednesday detailing how it is becoming more difficult to identify malicious websites and attacks, with antivirus software proving to be an ineffective defense against new ones. The company's engineers analyzed four years worth of data comprising 8 million websites and 160 million web pages from its Safe Browsing service, which is an API that feeds data into Google's Chrome browser and Firefox and warns users when they hit a website loaded with malware. Google said it displays 3 million warnings of unsafe websites to 400 million users a day."

Re:And this is why smart users

[MetalliQaZ]

About the same time I saw any meaningful web development targeting that tool.

Re:

[elsurexiste]

browse in Lynx.

When was the last time you saw malware for it?

When was the last time you saw anything other than text in a BIG font? ;)

Yours sincerely,

A Lynx user.

Re:

[TheRaven64]

Last person I met who actually used Lynx for day to day browsing did so on a braille terminal. So, the last time he saw anything was probably quite a long time ago, if ever...

It's stupidly easy to compromise a windows machine

[Flipao]

And that's even before you escalate UAC rights, I find software like Sandboxie works far better to protect my computer than any antivirus out there.

Re:

[HarrySquatter]

Then prove it. The IP of my Windows machine at home is 66.25.165.182. Come on, little script kiddy, show me your stuff.

Re:

[tukang]

Gladly, but first you need to prove that the IP of your home machine is what you say it is.

Re:

[_0xd0ad]

Surprisingly enough it's in one of RoadRunner's residential IP blocks ("Allocations for this OrgID serve Road Runner residential customers out of the Austin, TX and Tampa Bay, FL RDCs").

He should have at least made it interesting, like 209.251.178.99.

Re:

[HarrySquatter]

Why is that surprising? This just in: someone's home computer will be using an IP within a residential block of their ISP! STOP THE PRESSES!!!

Re:

[_0xd0ad]

The surprising part is that you posted your real IP address. The one I posted is what resolved for fbi.gov (I know, I'm not terribly creative).

Re:

[shoehornjob]

The surprising part is that you posted your real IP address. The one I posted is what resolved for fbi.gov (I know, I'm not terribly creative).

LMAO creative indeed.

Re:

[liquidweaver]

You are missing the point, and are not the OP.

Re:

[HarrySquatter]

Except that anything I post you will attempt to claim doesn't prove anything and you'll slink away like a chickenshit. You either are going to have to believe me or not. I don't really care.

Re:

[CrashandDie]

I'm fairly sure that a simple web-page or telnet reply saying "This is HarrySquatter (1698416), tukang (1209392) please come in for /. story 1328237" would've been sufficient.

Re:

[HarrySquatter]

But that doesn't prove anything. Could I not just as easily be at someone else's computer doing that? Once again, nothing I can do or so is going to be something irrefutable so he's either going to have to man up and just prove himself or slink off like a chickenshit. I honestly don't give a flying fuck.

Re:

[HarrySquatter]

You misunderstand. I don't give a flying fuck if tukang does or doesn't believe me or does or doesn't attack my computer because my point is that if the original poster wants to prove his laughable statement that he has my information to do so. Most likely he won't because he's wrong and is most likely a chickenshit the same as tukang.

Re:

[HarrySquatter]

Oh noes! My entire life is going to fall apart because an AC on slashdot has called me a jackass. Oh wait, I already know I'm a jackass and don't really care.

Re:

[_0xd0ad]

Could I not just as easily be at someone else's computer doing that?

What would that accomplish? So somebody else's Windows computer could be hacked.

Anyway, your Slashdot user ID number is stored in plain readable text in the cookies.sqlite file, which would be the most obvious way to determine if you'd got into the right computer. If you wanted to, I mean...

Granted, that same cookie could probably be used to access your Slashdot account, but I'm confident he'd never do that...

Re:

[HarrySquatter]

My point is that any evidence I can give can easily be faked. Nothing I can do or say is 100% irrefutable evidence. Hell I could be posting from my friend's computer that is running Slackware instead of Windows and we could be doing nothing but laughing at tukang. He's never going to know if that's true or not despite what I can say to the contrary.

Re:

[_0xd0ad]

No doubt. But the overall point was that Windows is "stupidly easy" to compromise, and if that's true it presumably wouldn't be that hard to determine that the computer at that IP wasn't even running Windows. Anyway, I still think you should have posted the IP address for the FBI or CIA or some other spook agency on the outside chance that he'd really try to break in.

Re:

[HarrySquatter]

I'm not afraid of little script kiddy boy. If someone wants to try their hand, they are more than welcome.

Re:

[Suferick]

It can't be. That's my IP address

Re:

[Thud457]

hey, that's the combination to my luggage!

Re:

[cvtan]

Wrong! It's 12345.

Re:

[liquidweaver]

Oh yeah? Stupid easy - ok. Compromise my machine then. Windows 7 64 bit, I've been lazy about patching it, haven't done so for about a month. My IP address is 24.107.113.55, and I've set my pc as the DMZ for all inbound traffic. I'll be at work for about 8 hours, I'll leave it running. Good luck.

Re:

[Anonymous Coward]

I got into your computer and turned it off, it's inappropriate to waste energy like that. Think of the environment!

Re:

[PNutts]

I got into your computer and turned it off, it's inappropriate to waste energy like that. Think of the environment!

And to teach him a lesson I downloaded Glitter.

Re:

[ElKry]

And to teach him a lesson I downloaded Glitter.

Totally disproportionate actions like this are the reason hackers are classified as terrorists.

Re:

[cc1984_]

I got into your computer and turned it off, it's inappropriate to waste energy like that. Think of the environment!

I can't tell whether this is a joke or not. THE GP's IP is not responding to ping and nmap reports the host is down (I know that these don't mean anything on its own, but deep down, I so wish parent isn't joking!)

Re:

[liquidweaver]

Don't worry, I'm ok. I do use the Windows fw, which blocks ICMP.

Re:

[oakgrove]

I just hacked in and checked your browser history. Good God, man! Don't you know just thinking about that shit is illegal in all but like 3 countries??

Re:

[JonySuede]

Experience (do not install any softwares without making a diff of you registry before and after) and sensible software configuration (like no script in wmv, no script in pdf,..., no script in any kind of document except a web page with everything from the adds servers around the world blacklisted) works even better but is it less convenient.

Antivirus "protection" racket

[MetalliQaZ]

Yet another story hinting at the huge lie that is perpetrated on the world in the form of antivirus "protection". Like I've always said, these tools do more to undermine my PC than malware ever has. A good "secure-by-default" installation and a decent understanding of responsible Internet use is all you need. Instead, most people deal with significantly slower performance, and borderline criminal subscription tactics. Protection from new and future threats has always been and will always be a fantasy.

Layne's Law: What's "good secure by default"?

[tepples]

A good "secure-by-default" installation

One fundamental problem in home computer security is that vendors disagree on how to define [c2.com] "good 'secure-by-default' installation". For example, does it involve establishing a policy of trusting a third party to determine whether each program is safe and enforcing this policy with no way for the end user to override it? Apple (iOS), Microsoft (Xbox 360 and Windows Phone 7), Nintendo, and Sony seem to think so.

Re:

[MetalliQaZ]

That's a good point. I guess all I meant by secure-by-default is an installation that separates system tasks and user tasks. So, users don't have access to change the OS, and they play wildly in their own sandbox. I know that malware can often just skirt those protections and root the system using vulns. That's why I added responsible Internet use. Despite running without any protection at all, I never get the infections that the rest of my family does.

Re:

[tepples]

So you define "secure-by-default" as what I perceive to be the default scenario in Ubuntu, Mac OS X, and Windows Vista/7: only a user with administrative privileges can make system-wide changes, and such users are prompted to elevate before making system-wide changes. Thank you for getting that out of the way, although some people are likely to reply about the data in their user account being ultimately more precious than the operating system. The next problem is coming up with a practical way to instill "a

Re:

[Anonymous Coward]

> So, users don't have access to change the OS, and they play wildly in their own sandbox

That is nothing more than a dogma. For single user, personal machines I could care less about the OS being safe. What I care more about are my personal files. I hope that after 20 years or so of using a PC, i've got some value in my personal files. THAT's what i don't want compromised - THAT's what needs to be safe. Not the OS that I can download and re-install in under an hour.

I do realize that if the OS is compromi

Re:

[sakdoctor]

I support the Antivirus industry, and anything else which causes insane demand for RAM/CPUs in normal users.
Then I can keep my machines at the price sweet spot, and still have awesome specs.

Re:

[Anonymous Coward]

Yet another story hinting at the huge lie that is perpetrated on the world in the form of antivirus "protection". Like I've always said, these tools do more to undermine my PC than malware ever has. A good "secure-by-default" installation and a decent understanding of responsible Internet use is all you need. Instead, most people deal with significantly slower performance, and borderline criminal subscription tactics. Protection from new and future threats has always been and will always be a fantasy.

Not all antivirus is created equal, MSE is very lightweight on resources, and it is free - so no 'criminal subscription tactics". And it do offer additional protection. For me it has several times flagged and cleaned malware, sometimes from quite surprising sources. You can have as safe user practices you want, but that won't completely avoid accidental exposure - malware have been found even on brand new USB memory sticks in unopened shrink wrap.

It is of course not 100% protection, but that isn't really an

Re:

[ka9dgx]

Instead of secure by default, you have run by default in all 3 major environments... Linux, Windows, OSx

Time is running out for this insane approach to doing things... the various band-aids are now in play are rapidly losing their efficacy, and none address the basic issue: code can no longer be trusted.

Fortunately. a few brave souls have ventured into this area with projects oriented at fixing the situation properly.

In the Linux area, seccomp-nurse [chdir.org] is a sandboxing framework based on SECCOMP. It is designed

Reliance on JS

[mfh]

Javascript really is the source of the most recent problems because it can allow entry into systems and activation of malware remotely. This is why ActiveX is also bad. Developers rush into this kind of technology thinking of the payoff but not the cost.

Really though, JS is totally unnecessary so I run noscript and I don't visit sites that have a zillion JS calls to different sites. I probably could turn antivirus off and still be okay.

Re:

[HarrySquatter]

and I don't visit sites that have a zillion JS calls to different sites.

Posting on Slashdot about not going to JavaScript heavy sites. *head asplodes*

"I can relate. I can't relate!"

[wreakyhavoc]

You killed my brother.

I mean, my computer.

Re:

[Darkness404]

JavaScript makes sense because for a lot of sites, it is either JavaScript... or Flash for most interactive content. And yes, I know that HTML 5 will be the cure-all for JavaScript/Flash but it isn't out yet and JavaScript is the best we've got

Re:

[mfh]

http://csszengarden.com/ [csszengarden.com]

Look at these templates. Not one of these uses Javascript and they are amazing. They are functional.

They don't have the same level of backend code pushing that you see with JS topheavy sites, but they also don't have a lot of the annoying "features".

Google for example has a semi-new feature that when you press scroll down the JS captures your keypress and pushes your focus to the next search result. This is horrible and I don't see a way to disable it. When I press downarrow I want t

Re:

[Lunix Nutcase]

But those are all static pages. Of course if you are doing nothing but displaying static content it makes sense to not use JS. Slashdot used to be perfectly fine long before they made it so JS heavy as well. Apparently, though, it was way more fun to create a laggy AJAXy experience over fixing the bugs in the older discussion system.

Re:

[mfh]

I still wish Slashdot had not done the changes in the UI they did. The problem I'm finding with Slashdot is when I click of text or double click it, it collapses instead of selects text. That's a huge change from the way things are supposed to work.

Re:

[oakgrove]

Google for example has a semi-new feature that when you press scroll down the JS captures your keypress and pushes your focus to the next search result. This is horrible and I don't see a way to disable it.

Go into your Google settings and turn off "Instant" and the arrow keys will return to normal functionality. Why instant and the scroll thing are related, I don't know.

Re:

[garyebickford]

I was thinking about this a few days ago. I don't know much about HTML5, but if it has similar capabilities as JS and Flash, how am I going to have the equivalent of NoScript and AdBlock? I _hope_ someone is working on suitable countermeasures.

Re:

[mfh]

Someone will work on countermeasures and then we'll feel secure. The next logical step is when someone works on counter-countermeasures to bypass the countermeasures. This chains on and on.

The closer people get to working together the farther apart we get in this closed system without pure moderation.

Global download queue?

[scorp1us]

Why not have the browser have some kind of globally coordinated download queue that queues the download until someone can scan it. If it's (by URL) already been scanned, then let it download, then verify the MD5 sum of the downloaded vs scanned content. If it matches, then all is good. If not delete it. I don't define "scanned" because it could be a virus scan, or an automated install to a virtual machine, which reports back any opened ports or initiated connections for further review.

This would be a pain

Is this relevant on all computers?

[kurt555gs]

What malware should I be worried about on my Samsung Chromebook?

Re:Is this relevant on all computers?

[TheRaven64]

What malware should I be worried about on my Samsung Chromebook

ChromeOS.

Re:

[shoehornjob]

If your Samsung chromebook is anything like my Samsung tv....RUN. Such an epic POS.

Re:

[kurt555gs]

Actually, I like my Samsung Chromebook. Open, use, close. It just works. (Oops, maybe I can't say that.)

Maths

[ifrag]

FTFS

displays 3 million warnings of unsafe websites to 400 million users a day

I didn't RTFA, but doesn't that look like it doesn't add up? 400 million users are displayed 3 million warnings? I guess it means 400M users are warned from 3M identified sites?

Re:

[danish94]

400 million is roughly the sum of users in chrome+firefox.

Nice to not be so vulnerable then . . .

[Anonymous Coward]

For years, I have had machines on the net that never used any antivirus. And so far, no virus on them either. Nice to have a system that is designed not to be vulnerable. (There is the occational software security error, but they usually get fixed before anyone have time to exploit them.)

If you care about security, don't bother with windows - or any system that need third-party security add-ons to work reliably. Windows has a series of design errors, in addition to the occational programming errors. Runni

Re:

[HarrySquatter]

Running everything with admin privileges

Are you still running Windows 98 or a pre SP version of XP?

automatically running code embedded in email and documents,

Which can be made to work in Linux as well.

automatically running code off the web (activex) and so on.

You don't automatically run ActiveX code. IE will always flag you and ask if you want to run it unless you've set your security settings to the bare minimum. Which would be dumb to do.

A good place to vent

[AlienIntelligence]

1and1 has been a host for me for some time.

Then I got flagged by Google as having malware and I was like... wtf... I don't even actively use
those sites. So, I FTP'd in and downloaded some files, there was an injection of code in all of
my index.htm(l) and default.htm(l) files.

Now, I've had 1and1, since they came to the US. I had a plan back then that had all the goodies,
ssh access to my shell for my sites, so it was easy to administer.

Well, "because of new policies" my old service I had was changed to another... like the cell
companies moving you around on new plans. My new plan, has no ssh access.

What's worse, 1and1, refused to give me shell access so I could take care of all of those
malware files.

Let me repeat... A HOSTING PROVIDER REFUSED TO GIVE ME ACCESS TO MY OWN SITE
TO CORRECT A MALWARE ISSUE!

Nice huh?

So, like I said, since I don't really use those sites, I just deleted them all via FTP and told
1and1 to go fuck themselves. I put up what I needed that was important (after cleaning) on
an EC2 "free" instance.

-AI

Re:

[AlienIntelligence]

Not to defend 1and1 (they have really horrible support), but isn't it a little unfair to blame them for you having bad policies that allow malware to be injected into all of your files?
{snip}
So nice rant, but no sympathy here, except maybe for google.

I appreciate your reply... and I'm not looking for sympathy, just vent.

And, I had something completely different written here a minute ago, thinking
I may have said something, at all... that sounded like I was blaming 1and1
for anything other than sitting on their collective asses and not giving me
access (not asking them to do it for me, just access) to my site, for 24 hours
via ssh to clean up. You know, one simple command that says, delete index.htm*
&& default.htm*, Instead of taking a half hour to g

Funnily enough

[Dexter Herbivore]

Strangely enough, I just got my first ever warning from the safe browsing service about 10 minutes ago. Visiting a website that I go to regularly... I'm glad they caught that one site getting compromised at least as I place very little confidence in AV software nowadays.

Am I the only one thinking it's in response to ...

[_0xd0ad]

http://tech.slashdot.org/story/11/08/16/200209/IE-9-Beats-Other-Browsers-at-Blocking-Malicious-Content [slashdot.org]

Google: "But it's hard!"

That said, I'm not particularly thrilled with a browser feature that tells you where not to go on the internet. I'd rather be able to go there and not get infected by browser exploits. Drive-by downloads I'm not worried about. Embedded PDFs I'm not worried about. (I uninstalled the Adobe plugin. Any PDFs are downloaded rather than opened.) That pretty much just leaves the browser, Fl

what people need to do while surfing the WWW

[FudRucker]

1. use a more secure OS (meaning anything other than MS-Windows) a Linux distro or one of the flavors of BSD

2. keep two webbrowsers = one with plugins and goodies for websites you know are known safe like slashdot, youtube, & etc... but never use that fancy browser with the plugins for general purpose webbrowsing

3. for general purpose webbrowsing and looking in to unknown websites use a locked down and secured webbrowser that does not even have any plugins and with javascript disabled, .. and if a

That's not what the web works like

[tulcod]

That's not what the web works like. The people endangered by malware are your neighbors (particularly your male neighbor because he's watching porn all day, and we all know women don't watch porn). Your neighbors are people who hardly know what "Browser" means, have once heard about this "Microsoft Linux" thing and will buy a new PC when their current one gets slow. This is the majority of the society, and you can't fix it by adding more instructions and manuals to every piece of software.

Re:

[danish94]

Or you could just use chrome with click-to-play (go to about:flags and enable it) and the do not allow javascript setting and put trusted sites in exceptions list. Or you could use NoScripts for more control but i would rather not install any add-on's either. Or you could use the incognito mode as your general browsing browser due to all plugins and extensions are disabled and all your info is deleted so no chance of malicious site getting the info. I see absolutely no reason to have 2 browsers.

Google now detects malware on their own sites

[Animats]

Google used to have a problem with malware and phishing sites being hosted on their own Google Sites. Once they plugged that hole, the malware moved to Google Spreadsheets. Because you can put HTML in Google's spreadsheets, it can be used as a free hosting service. Google hadn't anticipated this, and their abuse operation couldn't handle it.

Google seems to have plugged the spreadsheet hole now. I noticed recently that Google has disappeared from our major domains being exploited by active phishing scams. [sitetruth.com]