Google Blogspot Infections

Posted by Oliver Day Tue, 02 Mar 2010 20:26:55 GMT

It is unusual to see Google’s AS block listed on our Top Infected Networks page for so long. Generally the infections are not the result of blogs being attacked and successfully infected, but rather of mass fake accounts being set up on the free blogging service and filled with links to malware. The cycle we are used to seeing is a surge of attacks followed by some tweak of the registration system to prevent attackers from setting up fake accounts.

It is also worth noting that the detection of infected blogs on the Google-owned service is particularly high since the scanning takes place at a higher frequency. I started to dig into these infections a little deeper and began comparing lists of URLs from different dates going back to December of last year. In each case the intersection (or overlap) was nearly zero. That is to say, the list of infected URLs is almost entirely new URLs for each sample. This would suggest that attackers have figured out how to continue to bypass the registration system and are registering new blogs as fast as Google can take them down. Maybe a little faster.

If you look at the curve of the infections it is pretty obvious the attackers have been gaining a lot of ground: from only 1,000 infections in November 2009 to nearly 8,500 by year’s end. There was a short reprieve followed by a sudden and non-stop surge since the start of 2010. I hope to do some content analysis in the future and determine what the attackers are uploading to these blogs. This is a developing story, so stay tuned.
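As an added example (not code from the StopBadware post), the following Python script performs the comparison described above: it reduces each flagged URL to its Blogspot subdomain (the registered blog) and reports how much each sample overlaps with the previous one. The sample URLs and dates are constructed for illustration.

```python
"""Added example (not from the StopBadware post): measure how much successive
samples of flagged Blogspot URLs overlap. The post compares URL lists from
different dates and finds the intersection near zero, i.e. fresh blogs are
registered as fast as old ones are removed. All URLs below are constructed."""
from urllib.parse import urlsplit

# Constructed samples: date -> flagged URLs seen on that date.
SAMPLES = {
    "2009-12-01": [
        "http://blog-one.blogspot.com/2009/12/post.html",
        "http://blog-one.blogspot.com/2009/12/other.html",
        "http://blog-two.blogspot.com/",
        "http://blog-three.blogspot.com/p/x.html",
    ],
    "2010-01-15": [
        "http://blog-three.blogspot.com/",
        "http://blog-four.blogspot.com/",
        "http://blog-five.blogspot.com/2010/01/a.html",
        "http://blog-six.blogspot.com/",
    ],
    "2010-03-01": [
        "http://blog-seven.blogspot.com/",
        "http://blog-eight.blogspot.com/",
        "http://blog-nine.blogspot.com/",
    ],
}


def blog_account(url: str) -> str:
    """Reduce a URL to the blog it belongs to: each Blogspot blog is its own
    subdomain, so the lowercased hostname identifies the registered account."""
    return urlsplit(url).hostname.lower()


def churn_report(samples: dict) -> list:
    """For each consecutive pair of sample dates return
    (earlier, later, accounts in both, accounts in later, fraction new)."""
    per_date = {d: {blog_account(u) for u in urls} for d, urls in samples.items()}
    dates = sorted(per_date)
    report = []
    for a, b in zip(dates, dates[1:]):
        overlap = per_date[a] & per_date[b]
        later = per_date[b]
        fraction_new = 1 - len(overlap) / len(later) if later else 0.0
        report.append((a, b, len(overlap), len(later), round(fraction_new, 3)))
    return report


if __name__ == "__main__":
    for row in churn_report(SAMPLES):
        print(row)
```

A fraction-new value near 1.0 between every pair of samples is the signature the post describes: takedowns are working, but the registration defence is not.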

[DISCLAIMER: Google is a data partner and generous sponsor of StopBadware. I am doing my best not to sugar coat this story and treat Google the same as I would any other victim of attackers on the Internet]


Join us for a web chat about auto-update mechanisms

Posted by Maxim Weinstein Thu, 28 Jan 2010 15:50:17 GMT

In the past couple of years, auto-update mechanisms that allow software applications to check for and install patches or new versions have become far more prevalent. Some software vendors have looked to push auto-updaters beyond the traditional “an update is available, do you want to install it?” format. Last year, Apple began using its updater to push additional software applications. Google’s Chrome browser silently installs updates, including new major versions, with no user interaction or notice. A new updater for Adobe Reader appears to be a hybrid of Chrome’s silent installer and more traditional updaters.

On Wednesday, February 10, at 1pm EST, we will be hosting a public web chat to discuss auto-update mechanisms from the standpoint of balancing their security benefits with questions about appropriate disclosure and user control. Brad Arkin of Adobe will be participating, and the Google Chrome team has been invited to join as well. The chat will incorporate VoIP audio (requires a headset or microphone/speakers on your computer) as well as text, using dimdim’s Flash-based web conference system. Pre-registration is free and recommended. Just enter your e-mail address in the widget below. Feel free, as well, to help publicize this chat by clicking the “Share Widget” link.


Google's new stance on China raises interesting badware questions

Posted by Oliver Day Wed, 13 Jan 2010 20:53:11 GMT

Everyone is talking about Google’s latest move with regard to China, and there is a possibility they will pull out of the country. If that were to occur, there is the possibility that China will begin blocking Google from within the country. This raises some interesting questions for us here. Google provides the badware URL feed to Firefox browsers, which prevents web surfers from viewing pages laden with infections. Will this tool continue to work for those in China?

We also receive appeals from Chinese webmasters whose sites have been infected and that produce warnings in Google’s search results. Will we see a drop-off in appeals? Will those webmasters have the ability to use Google’s Webmaster Tools to manage the process of delisting themselves once they’ve cleaned their infection?


Prominent Chinese site flagged for badware

Posted by Maxim Weinstein Tue, 27 Oct 2009 21:14:36 GMT

It was reported today that a website of the official newspaper of the Chinese government, The People’s Daily, was flagged for malware by Google. The paper apparently complained that Google was maliciously flagging the site due to the paper’s criticism of Google Library. Google China denied the allegation, pointing out that the site was flagged by automated anti-malware systems, not based on content. As reported, the Google statement makes a small mistake in indicating that StopBadware.org provided the software for this automated system. In fact, Google’s Safe Browsing team developed the system themselves. For more information, see the relevant section of our FAQ.

The important lesson of this incident is that legitimate websites, whether operated by individuals or by large government-sponsored organizations, can fall victim to badware. Indeed, in China, where infection rates have historically been high, we hope this will serve as a wake-up call to website owners, hosting companies, and other parties about the need to secure their sites and platforms.


Google offers webmasters more malware details

Posted by Maxim Weinstein Thu, 22 Oct 2009 14:22:44 GMT

Google’s Webmaster Tools has, for quite some time, provided verified website owners with a partial list of pages from their site in which Google found badware during their scanning. Unfortunately, it was often frustrating to site owners to know that Google detected something on a page without knowing what the problem actually was. This frustration should be largely eliminated now that Webmaster Tools has added an experimental Labs feature called "Malware Details," which at least in some cases provides more information to the site owner, as shown in this screenshot from the blog post announcing the feature:

This is a big step forward and should make life much easier for the website owners whose sites have fallen victim to malware. Now, if we can just get Google to share this data with us, so we can better help users who have submitted review requests…

[Update: I just saw that the same blog post mentions another feature, Fetch as Googlebot, which will display a particular page as seen by Google’s web crawler. This also, as noted in the post, can be helpful in diagnosing malware, as it allows the site owner to see how Google’s view of the page differs from the user’s own view. One cause of such a difference is malware that responds differently to different user-agent or referrer strings in the HTTP request.]
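An added Python example (not code from StopBadware or Google’s Fetch as Googlebot) of the comparison a site owner can make: fetch the same page under a crawler profile, a direct browser profile and a browser-arriving-from-search profile, then diff the responses. The `fetch` function is injected so the check runs offline here; `cloaking_server`, the header values and the page bodies are constructed stand-ins for an infected site, and a real run would pass a fetcher built on urllib.request instead.

```python
"""Added example (not StopBadware's or Google's code): detect badware that
serves different content by User-Agent or Referer, fetching one page under
several request profiles and diffing the results. `fetch` is injected so this
runs offline; `cloaking_server` is a constructed stand-in for an infected site."""
import difflib
import re

# Profiles a site owner would compare: crawler vs. browser, direct vs. via a
# search result. Header values are constructed examples.
PROFILES = {
    "googlebot": {"User-Agent": "Googlebot/2.1 (+http://www.google.com/bot.html)"},
    "browser-direct": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"},
    "browser-from-search": {"User-Agent": "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6",
                            "Referer": "http://www.google.com/search?q=example"},
}

CLEAN_PAGE = "<html><body><h1>Welcome</h1><p>Our site.</p></body></html>"
INJECTED = CLEAN_PAGE.replace(
    "</body>", '<iframe src="http://malicious.example/" width="0" height="0"></iframe></body>')


def cloaking_server(url: str, headers: dict) -> str:
    """Constructed infected site: the hidden iframe is served only to browser
    visitors arriving from a search engine, never to crawlers."""
    ua = headers.get("User-Agent", "")
    ref = headers.get("Referer", "")
    if "Googlebot" not in ua and "google.com/search" in ref:
        return INJECTED
    return CLEAN_PAGE


def compare_views(fetch, url: str, profiles: dict = PROFILES) -> dict:
    """Fetch `url` under each profile; return {profile: unified diff} for every
    profile whose response differs from the crawler ('googlebot') view."""
    views = {name: fetch(url, hdrs) for name, hdrs in profiles.items()}
    baseline = views["googlebot"].splitlines()
    findings = {}
    for name, body in views.items():
        if body != views["googlebot"]:
            diff = difflib.unified_diff(baseline, body.splitlines(),
                                        "googlebot", name, lineterm="")
            findings[name] = "\n".join(diff)
    return findings


def has_hidden_iframe(html: str) -> bool:
    """Cheap check for the zero-size iframe pattern typical of injected badware."""
    return re.search(r'<iframe[^>]*\b(width|height)="0"', html, re.I) is not None
```

Because the injected content only appears for the search-referred browser profile, the crawler view alone (or a direct visit by the owner) would show a clean page; diffing across profiles is what surfaces it.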


Google sees increase in detections

Posted by Maxim Weinstein Thu, 27 Aug 2009 13:43:36 GMT

Niels from Google’s security team posted some updated detection stats over on the team’s blog:

As we mentioned in our Top-10 Malware Sites blog post, we have seen a large increase in the number of compromised sites since April. The number of entries on our malware list has more than doubled in one year, and we have seen periods in which 40,000 web sites were compromised per week. However, compared to infections associated with Gumblar and Martuz — two relatively large and well-known pieces of malicious code — many compromised web sites now point to hundreds of different domains. As these malware trends evolve, we’re constantly improving our systems to better detect compromised web sites. The increase in compromised sites we observed may have also been influenced by our improved detection capabilities.

Google’s significant increase in detection, along with our addition of Sunbelt Software as a data partner, means our Clearinghouse now holds nearly 420,000 actively reported badware URLs.

Niels also mentions another interesting data point: the percentage of Google searches that contain at least one result that Google has flagged as bad, currently around 0.75%. The percentage has dropped since early last year, but has recently begun creeping back up, likely because of the increase in detected badware sites.


Login problems with Google Webmaster Tools

Posted by Maxim Weinstein Thu, 23 Jul 2009 14:40:40 GMT

Some users are reporting difficulty logging into Google’s Webmaster Tools, a console that allows website owners to do a number of Google-related tasks, including requesting a review after removing malware from a site. Google is aware of the issue and is "looking into it."

Meanwhile, if you are trying to request a review and are unable to access Webmaster Tools, you may submit a review request through StopBadware.


Silent patching works, but at what cost?

Posted by Maxim Weinstein Wed, 13 May 2009 19:40:04 GMT

Last week, the ZDNet Zero Day blog summarized a report by researchers from Google Switzerland and ETH Zurich as follows:

Google’s decision to silently update the Chrome browser — without the user’s knowledge or consent — has put the company at the head of the pack when it comes to securing modern Web browsers.

Indeed, the report noted that, unsurprisingly, the less user intervention and aggravation required to update the browser, the more likely the browser is to be up to date on a given user’s machine. It concludes by trumpeting Google’s own Chrome browser as a success for using silent updates that successfully keep users’ browsers patched. It goes on to encourage other browsers to adopt a similar strategy.

While the technical mechanism in question sounds like an effective and efficient way to update browsers, the lack of user control inherent in Chrome’s system is concerning. There is no clear notice during installation or operation of the software that it will be updating itself automatically. (I didn’t read the entire EULA, but then, neither will most users.) There is also no obvious place in the program’s options screen for disabling this feature, in case you want to test using different builds or have some particular objection to auto updates or a particular change in a newer version.

StopBadware has always been committed to the principle that users should be presented with the information and options necessary to make decisions about how software is installed, updated, and used on their computers. Google should be applauded for seeking new ways to increase browser security, but it should also be held to the highest standards for disclosure and user choice.

What are your thoughts about Google Chrome’s silent updating? Let us know over at BadwareBusters.org.


Google glitch causes confusion

Posted by Maxim Weinstein Sat, 31 Jan 2009 16:23:21 GMT

This morning, an apparent glitch at Google caused nearly every [update 11:44 am] search listing to carry the "Warning! This site may harm your computer" message. Users who attempted to click through the results saw the "interstitial" warning page that mentions the possibility of badware and refers people to StopBadware.org for more information. This led to a denial of service of our website, as millions of Google users attempted to visit our site for more information. We are working now to bring the site back up. We are also awaiting word from Google about what happened to cause the false warnings.

[Update 12:31] Google has posted an update on their official blog that erroneously states that Google gets its list of URLs from us. This is not accurate. Google generates its own list of badware URLs, and no data that we generate is supposed to affect the warnings in Google’s search listings. We are attempting to work with Google to clarify their statement.

[Update 12:41] Google is working on an updated statement. Meanwhile, to clarify some false press reports, it does not appear to be the case that Google has taken down the warnings for legitimately bad sites. We have spot-checked a couple of known bad sites, and Google is still flagging those sites as bad. In other words, the problem appears to be corrected on their end.

For more information about how the process works and the relative role that Google and StopBadware.org play, please see our Clearinghouse page or this question in our FAQ.

[Update 1:36] Google updated its statement to reflect that StopBadware does not provide Google’s badware data.

[Update 2:35] Hopefully this will be the last update, as Google has acknowledged the error, apologized to its customers, and fixed the problem. As many know, we have a strong relationship with Google, which is a sponsor and partner of StopBadware.org. The mistake in Google’s initial statement, indicating that we supply them with badware data, is a common misperception. We appreciate their follow up efforts in clarifying the relationship on their blog and with the media. Despite today’s glitch, we continue to support Google’s effort to proactively warn users of badware sites, and our experience is that they are committed to doing so as accurately and as fairly as possible.


Openness versus consumer protection? Android, iPhone, and transparency

Posted by Erica George Fri, 30 Jan 2009 21:22:21 GMT

If you follow news about the Android mobile phone platform, you may have seen recent allegations of malware against a third party application available on Google’s Android application market. It’s unclear whether or not the application in question, MemoryUp, was actually capable of any of the reported claims against it – Google’s own testing showed no malicious behavior – but the application disappeared from the Android Market anyway.

Elisabeth Oppenheimer, of StopBadware director Jonathan Zittrain’s "Future of the Internet" blog, writes:

[I]f Google is going to have the kind of open marketplace they want, they’re going to have to be more clear about what they’re doing. No one seems to know who pulled the app—the developer, Google itself, or perhaps some automatic system based on customer complaints. If Google is silently pulling disputed apps while the developers protest … they’ve replicated the iPhone’s App Store. There hasn’t been much protest about the Android kill switch, and people might well be okay with pulling apps that pose security problems from the Market (especially since there are alternative distribution methods). But Android users ought to know who pulled the app, and why.

Contrast the Apple iTunes App Store, which pre-screens applications. It’s unlikely for malware to get through, but the high level of gatekeeping also can keep legitimate applications out – including, controversially, competitors to some applications designed by Apple.

Elisabeth continues:

Professor Zittrain argues for solutions that engage the community of users and don’t assume a zero-sum game. Having users test and rate applications—as they do on Android—is certainly a step in that direction. (Google removing apps without explanation would be a step in the opposite direction, and would make developers nervous.)

Do we really need to choose between openness and security? Professor Zittrain argues that, with the help of the community of internet users at large, we should not need to. For companies in a position to act as gatekeepers seeking a balance they can live with, a high level of transparency and communication with users can help mitigate any restrictions on openness – and can help foster a more secure internet for us all. 

Disclosure: Google is one of StopBadware’s sponsors.
