TORONTO–A Google malware researcher gave a rare peek inside the company’s massive anti-malware and anti-phishing efforts at the SecTor conference here, and the data that the company has gathered shows that the attackers who make it their business to infect sites and exploit users are adapting their tactics very quickly and creatively to combat the efforts of Google and others.
While Google is still a relative newcomer to the public security scene, the company has deployed a number of services and technologies recently that are designed to identify phishing sites as well as sites serving malware and prevent users from finding them. The tools include the Google SafeBrowsing API and a handful of services that are available to help site owners and network administrators find and eliminate malware and the attendant bugs from their sites.
All of these are related to Google’s constant crawling of the Web, which, among many other things, allows the company to identify malware-distribution sites as well as legitimate sites that have been compromised with injected malicious code. Attackers have taken to infecting legitimate sites for a number of reasons, one of which is that those sites will show up more prominently in Google search results.
To find malware-distribution sites, Google uses a huge number of virtual machines running completely unpatched versions of Windows and Internet Explorer that they point at potentially malicious URLs. The company then ties this in with the data that it gathers from its automated crawlers that are tasked with looking for malicious code on legitimate Web sites.
Fabrice Jaubert, of Google’s anti-malware team, said that the company has had good luck identifying and weeding out malicious sites of late. Still, as much as 1.5 percent of all search result pages on Google include links to at least one malware-distribution site, he said.
“There’s a lot of fluctuation in that over time, and that could be due to a lot of factors. It could be due to a change in the pages, it could be a change in our detection rate and also in the popularity of the infected pages,” Jaubert said. “The biggest factor is that we’ve found a substantial number of malware pages are spammy and have no content. We remove those pages. But it’s a cat-and-mouse game, just like viruses and AV. We go and find bad pages and they get better at hiding them.”
A major part of this infection and distribution ecosystem is the huge population of Web servers with unpatched vulnerabilities, which the attackers exploit in order to inject malicious code. That code, often in hidden iFrames, typically redirects users to another site where malware is installed on the victim’s machine via a drive-by download.
However, Jaubert said that the attackers recently have shifted their tactics somewhat as Google and others involved in the battle against Web-based exploits have gotten better at identifying and eliminating malware download sites. Now, some crews have started eschewing the extra step of redirecting users to a third-party site and are simply loading the malware on the compromised legitimate site and using that site for malware distribution as well.
It’s a subtle shift, but it removes the dedicated malware-distribution pages, which are usually easily identifiable, from the equation, making the operation more efficient and more likely to succeed in the long run.
Still, despite the vast amount of data that Google collects and analyzes, there’s a lot about the way that the malware ecosystem works that the company’s security teams don’t have a firm grasp on yet.
“We don’t understand all the details of this. We focus on the technical,” Jaubert said. “There’s monetization aspects that we don’t have visibility into.”