Google antimalware efforts rely on website malware detection
TORONTO -- Google Inc. Tuesday revealed how it detects websites infected with malicious code, part of its effort to protect users from drive-by downloads and other malicious content.
Fabrice Jaubert of the Google antimalware team presented details about Google's antimalware efforts, Tuesday, at the SecTor 2010 conference. The team uses proprietary algorithms to identify malware distribution sites and sites that have been infected with malicious code. While Google's technical efforts succeed in identifying and blocking millions of websites suspected of hosting malicious code, Jaubert described the process as a typical cat-and-mouse game, in which savvy cybercriminals find ways to avoid detection.
"We may be better or worse [at detecting infected websites] on any given day," Jaubert said. "It's very much like the antivirus lifecycle. … We get better at detection and then the bad guys find a better hiding spot."
Jaubert said in the past 12 months, attackers have been redirecting their "infected" distribution servers to other "innocent" servers to try to avoid detection. Another problem has been the recent rise in sites peddling fake antivirus programs. Rogue antivirus programs are mutating at such a rate that Google is finding antivirus signatures unable to keep up with the changes. With antivirus signatures becoming less effective, Google is tweaking its internal algorithms in an attempt to detect and identify sites hosting fake antivirus downloads.
"Today's fake AV sites go up and down in about an hour," Jaubert said, "so it is very difficult [to stop them]."
Jaubert said Google's website malware detection pipeline begins with Internet-connected virtual machines running Windows and Internet Explorer that monitor and log all network traffic. All new processes, newly written files and registry writes are flagged, along with the infected website, and downloaded files are scanned with antivirus software. The collected information is then blended with data collected by Google's crawlers.
Despite Google's efforts, Jaubert said up to 1.5% of Google search results include a link to malware distribution sites. A substantial number of infected webpages are spam and are removed from Google's search index by a team of engineers. But webpages hosting malware typically remain in the index; if they are detected by Google's algorithm, Google uses a warning page in those search engine results.
Finding legitimate websites that contain malicious code is becoming more common, Jaubert said. "There's really no safe harbor on the net and your browsing habits are not a safe harbor in keeping you safe," he said.
Jaubert said Google is working on technical solutions to eradicate malware, but a broader approach is needed. Even if Google eradicated all sites that contained malicious code, cybercriminals would use social engineering tactics to trick users and infect their systems, he said. There's a need for a "multidisciplinary approach with a coalition of different actors" to combat the problem, he said. The United States can begin in its own backyard, he said. Twenty-five percent of malware distribution servers are located in the U.S.
"Although we do need global cooperation to address the problem fully," Jaubert said, "there are definitely servers within our reach that we can try to shut down."