Google is expanding the amount and kind of data that it supplies to network operators about potentially malicious activity happening on their networks and elsewhere. The company is now giving operators information on dedicated domains that are being used for malware hosting and distribution.
Last fall, Google began a program through which operators of autonomous systems (AS) could sign up to receive information about any malicious content that Google’s scanners found on sites they owned or operated. The Google Safe Browsing Alerts are meant to give operators an early heads-up when a site on their network has been compromised and is being used either as an attack site or as another piece of an attack chain.
Legitimate sites often are compromised by attackers through tactics such as SQL injection, and then used as platforms for hosting malware or malicious links redirecting users to other attack sites. Operators of large networks may not know about a compromise of one of their sites for quite a while, and Google’s alerts are meant to fill in that gap.
Up until now, Google had been simply alerting administrators about compromised sites on their networks. Now, that program is expanding to include malware distribution sites that could be hidden on a large network. A malware distribution site is different from a compromised legitimate site in that it is set up by an attacker for the specific purpose of hosting and distributing malware.
Attackers will often use hosting providers that look the other way for such operations, but if they can somehow latch onto an existing legitimate domain, that’s all the better for them. Having their distribution site on a known legitimate domain can lend a bit of legitimacy to the site and up their chances of finding more victims.
Google also has services for network operators that will send them automated messages when the company’s scanners find a potential phishing page on their network or will send a code sample when malicious content is found.