At the SecTor security conference, a Google malware researcher gave a rare peek inside the massive effort behind Google’s anti-malware and anti-phishing technologies. Google showcased stories of the attackers who make it their business to infect sites and exploit users. What makes it worse is that these attackers adapt their blackhat tactics quickly and creatively to counter the efforts of Google and other Internet giants.
The search giant has recently deployed a number of services and technologies designed to identify phishing sites and sites serving malware, and to keep users from landing on them. Among these tools, the most powerful, yet simplest, is the Google Safe Browsing API.
The Safe Browsing API enables client applications to check URLs against Google’s constantly updated blacklists of suspected phishing and malware pages. A client can use the API to download an encrypted table for local, client-side lookups of the URLs it wants to check. With it, a site can:
- Warn users before they click links on your site that lead to malware-infested pages.
- Prevent users from posting links to phishing pages from your site.
- Check a list of pages against Google’s lists of suspected phishing and malware pages.
These services help site owners and network administrators find and eliminate malware and the attendant bugs from their sites.
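The local, client-side lookup described above can be modelled in a few lines. This is an added example, not Google’s code or the API’s real wire format: it assumes the published Safe Browsing scheme of hashing host-suffix/path-prefix expressions and keeping only short hash prefixes locally, and the listings it checks against are constructed for the demo.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes of SHA-256 kept in the local table (Safe Browsing style)

# Constructed listings, not real Google data: "host-suffix/path-prefix" expressions.
LISTED = ["example.test/malware/", "phish.example/login.html"]
LOCAL_PREFIXES = {hashlib.sha256(e.encode()).digest()[:PREFIX_LEN] for e in LISTED}
FULL_HASHES = {hashlib.sha256(e.encode()).digest() for e in LISTED}  # stands in for the server

def host_suffixes(host):
    """Full host plus shorter suffixes of at least two labels, most specific first."""
    labels = host.lower().split(".")
    return [host.lower()] + [".".join(labels[i:]) for i in range(1, len(labels) - 1)]

def path_prefixes(path, query):
    """Full path (with query), the path alone, then every directory prefix down to '/'."""
    prefixes = [path + ("?" + query if query else "")]
    if query:
        prefixes.append(path)
    parts = path.split("/")                 # "/a/b/c.html" -> ["", "a", "b", "c.html"]
    for i in range(1, len(parts)):
        prefix = "/".join(parts[:i]) + "/"  # "/", "/a/", "/a/b/"
        if prefix not in prefixes:
            prefixes.append(prefix)
    return prefixes

def lookup_url(url, local_prefixes):
    """Return expressions derived from url whose hash prefix occurs in the local table.

    A prefix hit is only a candidate: 32 bits can collide with an unrelated URL,
    so the client confirms against the full hash before warning anyone.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    hits = []
    for host in host_suffixes(parts.hostname or ""):
        for path in path_prefixes(parts.path or "/", parts.query):
            expr = host + path
            if hashlib.sha256(expr.encode()).digest()[:PREFIX_LEN] in local_prefixes:
                hits.append(expr)
    return hits

def is_url_flagged(url, local_prefixes=LOCAL_PREFIXES, full_hashes=FULL_HASHES):
    """Local prefix match followed by full-hash confirmation; True means warn or block."""
    return any(hashlib.sha256(e.encode()).digest() in full_hashes
               for e in lookup_url(url, local_prefixes))
```

Because only hash prefixes leave the device and the full-hash step runs on a handful of candidates, the client never has to reveal the complete browsing history to the list provider.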
As Google crawls the web, it identifies malware-distribution sites as well as legitimate sites that have been compromised with injected malicious code. One of the attackers’ main motives for such compromises is to gain back-links by infecting relatively high-PageRank websites, and with them more traffic from search engines.
Malware-distribution sites are regularly watched by Google. Google has invested in a huge number of virtual machines running completely unpatched versions of Windows and Internet Explorer, which it points at potentially malicious URLs. The data gathered this way is then correlated with that of automated crawlers that look for malicious code on legitimate web sites. The combination of the two gives Google confidence in identifying the culprits.
Fabrice Jaubert, of Google’s anti-malware team, said, “the company does pretty well on identifying malware sites, fast enough. Still, about 1.5 percent of all search result pages on Google include links to at least one malware-distribution site”.
“There’s a lot of fluctuation in that over time, and that could be due to a lot of factors. It could be due to a change in the pages, it could be a change in our detection rate and also in the popularity of the infected pages,” Jaubert said. “The biggest factor is that we’ve found a substantial number of malware pages are spammy and have no content. We remove those pages. But it’s a cat-and-mouse game, just like viruses and AV. We go and find bad pages and they get better at hiding them.”
Source of malware distribution
It is difficult to identify the source of a piece of malware; prevention, however, helps everyone.
A major cause of this infection and distribution ecosystem is the huge population of unpatched web servers with known vulnerabilities, waiting to be exploited by code injection.
Malicious code is often hidden in web markup components, most commonly in iframes. Such injected code redirects users to another site where malware is installed on the victim’s machine via a drive-by download or another common technique.
Over time, these malware distributors have grown smarter and changed their tactics. Among the newer methods, rather than redirecting, the injected iframe code loads the malware from the compromised legitimate site itself, turning that site into the distribution point as well.
On the positive side, malware-infected and malware-distribution pages are relatively easy to identify, which makes web malware easier to tackle.
But that doesn’t mean web malware is at an end. Despite all the efforts, much about web malware remains in the dark even for companies like Google. As Jaubert says, “We don’t understand all the details of this. We focus on the technical. There’s monetization aspects that we don’t have visibility into.”