Bright Hub (BH): Could you provide an overview of the technologies that Google deploys to protect people using its search from web-based malware?
Ian Fette: Google heuristically checks the billions of pages in its index on an ongoing basis for signs of suspicious activity. Pages that are identified as potentially suspicious are loaded into a virtual machine and their actions monitored. Under normal circumstances, simply visiting a page should not result in programs being installed, changes to the registry, etc., and if that does happen while a page is loaded in the virtual machine, it’s a strong indication that the page is malicious or hostile. Such pages are then flagged in Google search results in order to ensure that users are alerted to the potential risks and can elect not to visit those pages. The entire process is completely automated and enables us to alert our users to potential dangers in the shortest possible time.
BH: According to some research, the incidence of web-based malware is increasing exponentially. Does this mean Google's security measures are simply not effective?
Ian Fette: No, not at all. Google’s security measures are very effective. But web security is a community problem and as such can only be addressed by community effort. While Google certainly does – and will continue to do – everything it can to ensure the safety of its users, it can only do so much. Webmasters need to ensure that their websites are running good code that isn't open to exploitation, and users need to practice safe browsing habits, install and use antivirus software, and ensure that their computers and browsers are patched and adequately protected against malware. By working together in this way, the community will be able to make the internet a much safer place.
BH: SANS place "Increasingly Sophisticated Web Site Attacks" in the number one spot on their list of the Top Ten Cyber Security Menaces for 2008 and highlight the fact that "web site attacks have migrated from simple ones based on one or two exploits posted on a web site to more sophisticated attacks based on scripts that cycle through multiple exploits to even more sophisticated attacks that increasingly utilize packaged modules that can effectively disguise their payloads." What does Google do to protect users from attacks which rely on complex obfuscation techniques to conceal their payload?
Ian Fette: While the attacks may indeed be becoming increasingly sophisticated, so too are the methods we are using to detect those attacks. As I mentioned, we do not rely solely on heuristic analysis to detect threats; we also load suspicious pages into a browser in a virtual machine and observe their actual behaviour. In other words, we are able to see exactly what the page would do if it were to be visited by a user. Accordingly, it really doesn’t matter whether or not a website is using a packaged module to disguise its payload – we’ll still see the end result and be able to determine that the website is malicious.
BH: Some websites are configured to drop their malicious payloads intermittently in order to avoid detection. How do you deal with that?
Ian Fette: I really cannot go into too much detail here. If I were to say that we checked pages at four-hourly intervals starting at midnight, then you can be sure that malicious websites would be configured to drop their payload once every four hours starting at 1.00 am! Suffice to say, we are fully aware of such tactics and have appropriate detection mechanisms in place.
BH: What happens when a user reports a site that they suspect contains malicious software to Google?
Ian Fette: We do not flag pages as potentially malicious based only on user say-so, as that would be open to abuse. Instead, when a person uses the web form to alert us to a potentially suspicious page, that page is run through the automatic processes outlined above. If the page is found to exhibit potentially malicious behaviour, it’s flagged in search results; if it does not exhibit such behaviour, no action is taken.
BH: When a website is found to be hosting malware, a label is added in Google search results ("This site may harm your computer"). Is that all that happens or does Google also take other action?
Ian Fette: In addition to flagging the page in search results, we also send multiple emails to addresses that may be associated with the website (webmaster@, abuse@, etc.) notifying them that a problem exists and providing links to Google resources which may help them to fix that problem. Additionally, the URL of the suspicious website is entered into the database that is referenced by the Google Safe Browsing API. This is an experimental API that developers can incorporate into their own products to enable them to check against Google’s constantly updated list of suspected phishing and malware pages. Google Chrome and Firefox 3 also access this database to ensure that their users are alerted about suspicious pages – even if they are searching with a search engine other than Google.