Introducing Google's online security efforts

Monday, May 21, 2007 9:43 AM



Online security is an important topic for Google, our users, and anyone who uses the Internet. The related issues are complex and dynamic and we've been looking for a way to foster discussion on the topic and keep users informed. Thus, we've started this blog where we hope to periodically provide updates on recent trends, interesting findings, and efforts related to online security. Among the issues we'll tackle is malware, which is the subject of our inaugural post.

Malware -- surreptitious software capable of stealing sensitive information from your computer -- is increasingly spreading over the web. Visiting a compromised web server with a vulnerable browser or plugins can result in your system being infected with a whole variety of malware without any interaction on your part. Software installations that leverage exploits are termed "drive-by downloads". To protect Google's users from this threat, we started an anti-malware effort about a year ago. As a result, we can warn you in our search results if we know of a site to be harmful and even prevent exploits from loading with Google Desktop Search.

Unfortunately, the scope of the problem has recently been somewhat misreported to suggest that one in 10 websites are potentially malicious. To clarify, a sample-based analysis puts the fraction of malicious pages at roughly 0.1%. The analysis described in our paper covers billions of URLs. Using targeted feature extraction and classification, we select a subset of URLs believed to be suspicious for in-depth investigation. So far, we have investigated about 12 million suspicious URLs and found about 1 million that engage in drive-by downloads. In most cases, the web sites that infect your system with malware are not intentionally doing so and are often unaware that their web servers have been compromised.

To get a better understanding about the geographic distribution of sites engaging in drive-by downloads, we analyzed the location of compromised web sites and the location of malware distribution hosts. At the moment, the majority of malware activity seems to happen in China, the U.S., Germany and Russia (see below):

Location of compromised web sites. These are often sites that are benign in nature but have been compromised and have become dangerous for users to visit.


Location of malware distribution servers. These are servers that are used by malware authors to distribute their payload. Very often the compromised sites are modified to include content from these servers. The color coding works as follows: Green means that we did not find anything unsual in that country, yellow means low activity, orange medium activity and red high activity.

Guidelines on safe browsing

First and foremost, enable automatic updates for your operating system as well your browsers, browser plugins and other applications you are using. Automatic updates ensure that your computer receives the latest security patches as they are published. We also recommend that you run an anti-virus engine that checks network traffic and files on your computer for known malware and abnormal behavior. If you want to be really sure that your system does not become permanently compromised, you might even want to run your browser in a virtual machine, which you can revert to a clean snapshot after every browsing session.

Webmasters can learn more about cleaning, and most importantly, keeping their sites secure at StopBadware.org's Tips for Cleaning and Securing a Website.
The comments you read here belong only to the person who posted them. We do, however, reserve the right to remove off-topic comments.

52 comments:

Sebastian Nohn said...

You should mention that most threats to the average surfer can be eliminated by disabling active contents like JavaScript, Java, Flash etc. Most sites work without, the few that don't can be managed with the Firefox NoScript extension or the IE zone model.

Nebon said...

Its good big companies, like google are finally recognising malware as a problem. I am part of some of the security communities that deal with the cleanup of such malware and spyware.

Maybe this will trigger other services involved like ISP's to aid the anti-malware effort. At the moment it feels like a war with the casualities on only one side. We need to take more action to punish the producers of malware.

!Keith said...

Glad this blog enables comment. But it seems the RSS isn't working properly.

Bill Pytlovany said...

Welcome aboard. I've added GoogleOnlineSecurity to the list of "Blogs I Read" and look forward to regular postings.


Bill Pytlovany

8O said...
This comment has been removed by the author.
Brute said...

Google and security...
http://ha.ckers.org/blog/20070520/phishing-through-google-yet-again/

Well close your holes first!

hldevore said...

"Security is the condition of being protected against danger or loss." from Wikipedia...

Gentlemen...Ladies... I appreciate very much your technology focus on 'security' however I find it incredibly disheartening to see such extraordinary efforts when other blatantly obvious issues are affecting the user experience.

I have four young daughters. They use the word 'Google' as a verb. I recently spent over 6 hours of my precious weekend time messing with Norton 360 trying to install it and block video.google.com because of the inappropriate content presented to them.

Note that your 'Safe Search Filtering' doesn't do anything to eliminate access to videos of "Webcam Girls Go Wild", "Hot girls making out", "Tokio Hotel Sex", "Naughty Golf Lessons"...

The "Top 100" is particularly troubling because it lists this stuff directly in their face and IS NOT excluded by the 'Safe Search Filtering'...

So this is a different kind of security...important in a different way than malware but no less, if not even more important.

Most parents I know don't let their young kids on the internet at all. Personally I want them to learn and be empowered and knowledgable in the future...but I also want some semblance of security and don't need them watching bed bouncing t&a and women kissing each other so prominently pushed at them...

If they have to search deep to find it, so be it...like the kids back in the day that had to flip through the Natl Geo's to find the Polynesia women bare breasted...

C'mon...how about a parental security blog? And a set of parental security tools from the best minds at Google?

hldevore said...
This comment has been removed by the author.
Jay said...

From my blog, Social Strategist:

Whenever Google enters a market, big changes happen. It happened with search, it happened with advertising, and one of the key points of my Innovation in E-mail post is that it happened in webmail. Now Google is stepping up to the plate as one of the largest global Internet corporations, and on their new blog they're talking about tackling malware. The advantage a search company has in tracking this sort of thing is enormous, and Google's renowned data-center processing power is sure to help too. I can't help but note that this is another jab at software rival Microsoft and its perceived security vulnerability. A few predictions:

1: Google hasn't been lax in making acquisitions, and I expect them to buy the expertise they need both to complement their knowledge of search, and possibly to enter the desktop security market. The Google Pack, "a free collection of essential software" already includes Norton Security Scan and Spyware Doctor Starter Edition. I wouldn't be surprised if Google replaced these with it's own re-branded tool, but I also think they're more likely to offer an online utility.

2: In the past, when Google has entered a market, some aspects of the service they've offered have usually seen reductions in prices. Search was free to begin with, but AdSense and AdWords made advertising available to all kinds of budgets, and Gmail brought data storage to the commodity-level pricing it deserved to be at.

Unlike security companies, Google's long-term profitability is enhanced by *fewer* threats on the web, and even fewer threats of threats on the web.

Kai said...

Great input!
Having your real-time monitoring data as background for the analysis of malware distribution surely helps pinpointing the problem.

I like the idea of Google beeing able to let me know if a webserver is infected before I click the link. I know a lot of users who need more than just a warning, tho.

Terry said...
This comment has been removed by a blog administrator.
hldevore said...

Thanks Terry. I visited K9 and poked around...I may even try them out. FYI, Norton 360 messed with enough of my system(s) that it flaked my Wi-fi somehow! I'm not techie enough I guess to know what was happening and why. I want simple protection for my kids...i.e. at least make it a little hard to find bad stuff. The world has plenty of bad, they do need to learn about it. Google's malware efforts certainly should be applauded, but it also sure seems to me that I should be finding solutions to basic Maslowian-hierarchical needs from them instead of from Canine Security systems? Who's the marketer over at Blue Coat Systems that came up with that? Sure I get it K thru 9, Kindergarten through 9th grade... My kids aren't dogs, but I do have a Black Lab!?!? C'mon Google. S-e-c-u-r-i-t-y Wake up! http://en.wikipedia.org/wiki/Maslow%27s_hierarchy

pat_bitton said...

I'd also recommend webmasters concerned with site security add LinkScanner Online to their sites. It's free, and helps your visitors to know they'll be safe at the next site they hit after yours. Don't get blamed for some infection that you didn't cause! Check it out at http://www.explabs.com/LinkScanner/MyLinkScanner/

Jeremy said...

Nice job, Google!

We need people to fight malware.

buddy said...

ebastian Nohn said...

You should mention that most threats to the average surfer can be eliminated by disabling active contents like JavaScript, Java, Flash etc. Most sites work without, the few that don't can be managed with the Firefox NoScript extension or the IE zone model.

May 22, 2007 3:57 AM
I wanted to repeat the above so more will see it. That is part of my safe surfing strategy and can vouch for it.
One other comment: If Google is reading these, I like the idea of identifying bad sites, but it would be much more effective in RED as the warning is easy to miss when trying to find a link.

est said...

Red star over China, not bad, not bad

sz-iris said...

哈哈!看来我是第一个中文评论者了!
在中国上网建议大家使用:
360度安全卫士,瑞星卡卡,超级兔子等等

我的最爱360!

to est:yes,not bad.

CdrPlum said...

我挖网 www.5dig.net 全体员工表示支持!

Spanish speaker said...

Why do not you add antivirus to the Google Tool bar? Hereby, not only it would report of the infected pages when you do a search but also it would warn you when you come for other sites

besthandbag said...

Of course, the safest way to avoid Malware is to NOT use your computer as an Administrator.

Hopefully, Vista will help eliminate some of the outcome from this societal negligence

http://search-engines-web.com/ said...

from the two maps, it appears that the USA is almost completely filled with a very high level of drive by malware servers and malware distribution.


How has this occurred. Is it because of being a target or having a high degree of malware perpertrators??

Wuyinxv said...
This comment has been removed by a blog administrator.
kyant said...
This comment has been removed by a blog administrator.
The People History said...

i think google and the other search engines could do more by tying up with a stronger player in this market and NOT listing sites in SERPS if identified as malware or dodgy

dsphunxion said...

Infiltrated.net is another site doing something similar by tracking infected machines trying to brute force other machines using ssh Why don't some of these sites create a collaborative effort?

Ronald said...

Anti-malware software does some good, but it also seems to lull users into a false sense of security. If it is necessary to run software that removes already-known malware from your computer, isn't that a tacit admission that your computer may already be infected by as-yet-undiscovered malware?

We're doomed...

Cooper said...

It would be *great* if google would pro-actively notify site admins (particularly at public uni's), when their sites are hosting malware or spammy content.

Definitely would 'not be evil', IMHO.

Chuck said...
This comment has been removed by the author.
absk said...

Great, Google is now going to provide security. Let’s see the Google secured world !!!

Nebon said...

I highly doubt it google will provide an anti-malware product. The best way they can help to prevent malware is monitoring and shielding. I would like to see the big companies, ie google, and security companies, norton for example, get more involved in the Security community. There is alot of ideas out there and most of these Online Communities have alot of users with expertise in malware and security.
A list of all the offical Security boards can be found here: http://asap.maddoktor2.com/

Nebon said...

In response to:

from the two maps, it appears that the USA is almost completely filled with a very high level of drive by malware servers and malware distribution.


How has this occurred. Is it because of being a target or having a high degree of malware perpertrators??

May 23, 2007 3:28 AM

I would say that there is alot of users in the USA so the more users that can be targeted the better for the guy who infects them. I personally think its as America is a target rather than has a high degree of malware perpertrators. Alot of these hackers and such also come from mainly eastern Europe and Russia, so that is another reason why America is a target.

rAmIx said...

Spanish translation: http://docs.google.com/Doc?id=dcnj5zwh_7gw3hh3

sectorzero said...

I like the single secure sign-on of Google Accounts. Now that more and more of my dat is becoming Google-centric, I like to have a default method of switching between HTTPS and non secure reads.

Also, a big flaw is that, Orkut does not allow secure sign-on. I just cannot sign into Orkut without exposing my 'Google Account' password to the world. This is a huge bug, which I do not expect from Google. There are no excuses for this, since it is a pretty simple standard feature

Philipp Lenssen said...

Is it possible for you to license your blog under Creative Commons, so other bloggers like me can work with your stuff (like the interesting map image of this post)?

. said...

OK. very cool this site but why the most information here isn't applicated on Orkut (for example)?

The Orkut Community "Orkut Exploits" http://www.orkut.com/Community.aspx?cmm=3537644 are disseminating a javascript code to stole anothers communities.

The case was notorious knowed, the same code work in the same way for more than 2 years and what the Orkut and Googles engineers make to resolve yours own problems? Nothing much serious, just some patches here and there - but the code continues to work.

So the point is, how can someone beleave in a security blog from a people that can not clean your own home?

If do you like to contact me let me a "scrap" on the Orkut [Profile.aspx?uid=1020317660623072042] i got many, many materials that i have collected about these "bugs" and these cracks.

.

CHAD said...

google uses Malware as marketing stragties to find a new base to market to new users every day...malware is not bad unless you know how to uese it's technology in the right way....in my opionion if there was not such thing as Malware there will noot be a google.yahoo.myspace.facebook.ect.....they all need something to keep track of infomation on people surfing....and use that infomation to serve new customers....

Jay said...

Google beat my earlier prediction to the punch. They've already made an acquisition related to security. From my blog, Social Strategist:

"When I first wrote Google Enters the Security Market, I predicted they would “buy the expertise they need both to complement their knowledge of search, and possibly to enter the desktop security market”. Today I found out via Gizmo Richards that Google had beaten my prediction to the punch, and none of us had heard about it.

On May 17th, GreenBorder announced they had been acquired by Google. [...]"

Daniel said...

Congratulations Google for this initiative. We always need to be updated on the recent problems about system security.

I´d like to see here a post about Google´s information security policy. It´s a good and important subject.

Thanks..

The Prize Blog said...
This comment has been removed by a blog administrator.
Jerry Aspar said...

Green Border with Safe Files is definitely the
way to go!

*Before* you make "improvements," DON'T.

Ben Martin said...

I speak to a variety of people of people every day. It seems those in the know, know how and what protection to use. However the more home users I speak to seem completely oblivious to the threats in the market place. One thing I have found a great tool for those who use web browsers is Finjan Secure Browsing. It allows immediate visualistaion of potential threat to web links. A great tool.

Alex Ott said...

Besides the malware, exists also other usages of web-search results for the security purposes.
On the base of collected data, company could prepare profiles of the sites in different categories - pornography, etc., and provide them for the schools, and other organization/users, that need to have a parental control. Or use this data to build web categorization/reputation databases

Exartizo said...

I got a very suspicious email today that said my gmail account could be upgraded to 100gb and that I could register a free domain name with Google. The email takes you to a link after requesting a sign in. Its scary because I'm a techie and I usually catch stuff like this immediately. It looked genuine and the wording was pretty close to what you might expect Google to send. Looks like an asian or eastern european phish hack to me.

I changed my password to prevent a problem. If you'd like to see the email or want a copy of it.. just email me.

Mary said...

My step-son received two $1 Google xharges along with large sum fraudulent purchases. Explain how google's name gets in the mix

Runescape Cheats&Tips said...
This comment has been removed by a blog administrator.
Scott said...
This comment has been removed by a blog administrator.
Nebon said...

It would be great to see the blog administrator comment on some of these issues.

Peter said...

My site has been hacked, unfortunately, and I'm working to clean it. The malware notification that appears in front of the site lists several of our customers who have also been infected, but not the full list. In order to contact them, how can I get access to the full list?

Thanks,
Peter

DesignerCurios.com said...

WARNING... and I hope someone at Google will see this:

www.ShoppersInlet.com is an INFECTED site that attempts to launch a trojan horse when simply visiting the site. Here's the report from our Virus Scan/Blocker:

detected: Trojan program Trojan-Downloader.JS.LuckySploit.q

URL: http://pwgegrsdfs.ru/aety....

Anyone without an active virus scan would have been instantaneously infected.

Google has not identified this as an infected site and should do so.

Gareth said...

Security in any medium is only the assumption of safety, threats can come in many forms but only when you are either open to it or looking for it. You will never get hurt by anyone living in a box but is that a comfort as you starve to death!

abcdef said...

Good to read you guys are doin all this and much more to make browsing safer. I just tried searching this feature on my gmail account but was not able to find it. One more thing i`m an administrator of the website spcet.org which was earlier infected with malware code, as of now i hv sent many review requests,your partners at stopbadware.com have checked the website and found no suspicous link, i want to know what all do i need to do now to remove that "This is an attack site" from my site. thank You keep up the good work!!

Trevor said...

Whatever happened to Googles "Report Infected Site" in its search engine?
I just got a trojan from http://topsoft10.com/?WinRAR_3.90
WHICH WAS A GOOGLE AD!!!!
There was nowhere even to just notify google they had a malicious website ad.
You need fix this problem google and screen the sites you advertise for!!!