The Internet is Large
A Google spokeswoman says the company uses an objective set of criteria to label potentially harmful sites that is applied to equally large and small sites.
"Clearly, the Internet is very large and we cannot constantly monitor all sites," she says. "We select a daily subset of the Internet to investigate." She declined to say whether MySpace, PhotoBucket, FaceBook or other large sites known to have served tainted ads has ever been flagged, citing a policy of not discussing individual sites.
She also said company representatives send email to several addresses associated with the site being flagged so webmasters will know of the malware warning as soon as possible. She added that a feature known as Google Webmaster Tools provides a list of specific URLs to help site operators pinpoint the source of the problem. She also acknowledged that Google security watchdogs are still hammering out their policy for malware delivered via banners.
"Malicious content delivered by ad networks is a relatively new threat, and we are looking at different approaches to help site owners with this issue while protecting our users," she says.
That's little comfort for people like Raymond Theakston, operator of Befuddle.co.uk, a site that offers pictures of Britney Spears and other celebrities as they are spotted drinking alcohol, often to excess.
On September 12, Google sent him an email that said some pages of his site "can cause users to be infected with malicious software." The email pointed to three offending URLs, and Theakston says he has scoured their html for iframes or other scripts that attackers could have added without his knowledge. When he came up empty-handed, he dumped the ad network he had been using for years and removed a statistics counter that someone told him might be suspect.
He is awaiting a rescan of his site, and if it comes up clean, Google says it will remove the warning. But after 10 days of being branded a parasite, Theakston says the damage has been done.
The site averaged 1,648 unique visitors per day during the first week of September, but a week after the Google warning began, unique visitors dropped to an average of 619.
"Traffic has gone down a lot," says Theakston, who lives in Leeds and by day works as a senior tester for a large telecommunications company. "Fortunately, I don't rely on the site for revenue anymore."
A Free Pass For MySpace?
Google's claims of impartiality notwithstanding, several malware specialists say they have a hard time believing web destinations generating millions of dollars in revenue would tolerate the treatment Google metes out on smaller sites.
"I'm sure they have an exclusion in there for sites like MySpace," says Eric Sites, a researcher at security provider Sunbelt-Software.
He notes that ad-driven malware is especially hard to catch because banners are frequently programmed to unload toxic payloads only in certain timezones during certain hours. Add to that the highly decentralized nature of affiliate advertising - in which one network hands banners off to another network, which in turn distributes them through a third - and even Google, which seems to have eyes everywhere, may be unable to track offenders competently.
"I think the Google process is actually flawed," says Thompson, the Exploit Prevention Labs researcher who, having watched several small sites struggle to undo the stigma that's resulted from Google's warning, says he sympathizes with the operators.
"This poor guy got nailed through no fault of his own, and now he's tainted," Thompson says. "Arguably, this guy was never infected in the first place. He was just unfortunate enough to have a bad banner ad. That can happen to FaceBook, and it can happen to anyone." ®
If you've had experiences with Google malware watchdogs or have other security-related intelligence, please share them with this reporter by using this link. Confidentiality assured.
wonder why google thinks a site full of rucksacks is harbouring nasties?
May I suggest searching for the Proxomitron. It's ancient, it's clunky, and it works. 3 out of 3 ain't that bad... :-) Seriously, I hardly ever see ads any more. I'm a parasite. So sue me. Obnoxious ads constitute a crime against humanity and should be punished accordingly. Dixit.
If Google want to play at being god...
I think the point that many of you are missing is that where adverts are the issue that Goolge has the technology to help stop the adverts being served but instead of providing that information so that the adverts can be stoped they tell you the page that they were being served from.
Now anyone who has a site that serves adverts will know this is less that useful. The minimum you need is (1) "where was the advert called from - the country - to deal with geo-targeting of advertsing systems" (2) the time it was called (3) the name of the malware being directed towards (4) the advertsing server / network the file is being loaded off and (5) if possible the name of the advert file that is the problem - at the moment usually a flash swf file.
In fact the final bit of information will often be enough.
I'm pretty certain that when they set their test suite on a site that it records this information and if that is the case they could stop the advert being delivered which is surely their goal.
Hopefully Google's Policy team will realise that they can help the situation more by providing enough information to allow the advert to be stopped than the current policy which is to hide their head in the sand and blame the site that was unfortunate enough to have the advert served on there site.
For those who say the sites should be more careful I would say that the example we say was subtle in the way it worked it didn't attack always and didn't appear to be harmful at all. Even more sophisticated all the celver code was held on a remote server which was interrogated in some hidden code to see if it should deply the badware. This is non trivial (if you don't know what you are looking for) and hard if you do.
It has taught us to be much more circumspect but also highlighted the fact that there is an organisation out there that could really help fight this problem but they choose to sit on their hands while waving them shouting "its there" when in fact it is somewhere else.
The additional problem is that as people see more of these "warnings" against sites they use regularly they will loose their effectiveness. A warning that really means something is worthwhile otherwise users will think that Google is "crying woolf" and start ignorning then and problem is that they also use this same warning for sites that have been compromised by hackers and which are dangereous to all visitors rather than being dangerous to 1 in 250,000.