Original URL: http://www.theregister.co.uk/2007/09/21/google_malware_warning/

Google malware watchdogs bite mom-and-pop shops

But not MySpace

By Dan Goodin

Posted in Security, 21st September 2007 00:32 GMT

One morning last week, Alan Jay, director of Digital Spy, woke up to discover that Google was warning millions of web surfers that his UK-based entertainment news site was one "that may harm your computer."

Those brave enough to click on the Google link anyway were invited to learn more about malware by visiting a page at StopBadware.org that said Digital Spy "has been determined by Google's testing to be a site that hosts or distributes badware." Users who still wanted to access the site had no choice but to cut-and-paste its url into their browser address bar.

Image of Google page showing warning for Befuddled.co.uk. It reads in part: "Warning - visiting this web site may harm your computer!"

Google issues thousands of "harmful web site" warnings, often without notifying site operators.

Jay managed to get the warning removed five days later after tracing the problem to tainted banner ads that were served by one of the four advertising networks used by Digital Spy. Throughout the entire time, Jay says, Google and StopBadware refused to identify the source of the badware.

"We've been completely left in the dark, and we're in a situation where people think we have done something wrong," he says. "So Google’s policy here seems to be to punish an innocent site but not provide information to allow an advertising network to find out what the advert is that is causing the problem and stop it delivering elsewhere in the network."

Banner badware

Jay's experience comes as cyber crooks increasingly look to legitimate third-party ad networks as a vehicle for distributing software that silently installs Trojans and other forms of malware while an end user surfs presumably safe sites.

Last week, it was revealed that a company owned by Yahoo dished out an estimated 12 million ads on sites such as MySpace and PhotoBucket that installed a back door on unpatched Windows machines. Several days later, Roger Thompson of Exploit Prevention Labs said in a blog post that a banner ad infected a test machine while it surfed FaceBook. Malware-laced ads date back at least 14 months, when banners running on MySpace infected more than 1 million users with adware.

"How come they pick on me, for example, but they don't pick on ... one of the really big sites?" Jay asked. "They don't appear to have penalized any of the sites that were subject to this last week."

Few law-abiding denizens of the net have a problem with Google using its considerable computing heft to sniff out malicious sites and warn its users to stay away. Regrettably, such initiative is sorely lacking at Yahoo and Microsoft's Live.com. But the experience of Jay and others like him expose some of the pitfalls of a system that frequently doesn't inform webmasters of its findings, fails to provide enough information for them to identify the source, and, in the minds of many operators of smaller sites, gives large websites an unlimited number of get-out-of-jail-free cards.

The Internet is Large

A Google spokeswoman says the company uses an objective set of criteria to label potentially harmful sites that is applied to equally large and small sites.

"Clearly, the Internet is very large and we cannot constantly monitor all sites," she says. "We select a daily subset of the Internet to investigate." She declined to say whether MySpace, PhotoBucket, FaceBook or other large sites known to have served tainted ads has ever been flagged, citing a policy of not discussing individual sites.

She also said company representatives send email to several addresses associated with the site being flagged so webmasters will know of the malware warning as soon as possible. She added that a feature known as Google Webmaster Tools provides a list of specific URLs to help site operators pinpoint the source of the problem. She also acknowledged that Google security watchdogs are still hammering out their policy for malware delivered via banners.

"Malicious content delivered by ad networks is a relatively new threat, and we are looking at different approaches to help site owners with this issue while protecting our users," she says.

That's little comfort for people like Raymond Theakston, operator of Befuddle.co.uk, a site that offers pictures of Britney Spears and other celebrities as they are spotted drinking alcohol, often to excess.

On September 12, Google sent him an email that said some pages of his site "can cause users to be infected with malicious software." The email pointed to three offending URLs, and Theakston says he has scoured their html for iframes or other scripts that attackers could have added without his knowledge. When he came up empty-handed, he dumped the ad network he had been using for years and removed a statistics counter that someone told him might be suspect.

He is awaiting a rescan of his site, and if it comes up clean, Google says it will remove the warning. But after 10 days of being branded a parasite, Theakston says the damage has been done.

The site averaged 1,648 unique visitors per day during the first week of September, but a week after the Google warning began, unique visitors dropped to an average of 619.

"Traffic has gone down a lot," says Theakston, who lives in Leeds and by day works as a senior tester for a large telecommunications company. "Fortunately, I don't rely on the site for revenue anymore."

A Free Pass For MySpace?

Google's claims of impartiality notwithstanding, several malware specialists say they have a hard time believing web destinations generating millions of dollars in revenue would tolerate the treatment Google metes out on smaller sites.

"I'm sure they have an exclusion in there for sites like MySpace," says Eric Sites, a researcher at security provider Sunbelt-Software.

He notes that ad-driven malware is especially hard to catch because banners are frequently programmed to unload toxic payloads only in certain timezones during certain hours. Add to that the highly decentralized nature of affiliate advertising - in which one network hands banners off to another network, which in turn distributes them through a third - and even Google, which seems to have eyes everywhere, may be unable to track offenders competently.

"I think the Google process is actually flawed," says Thompson, the Exploit Prevention Labs researcher who, having watched several small sites struggle to undo the stigma that's resulted from Google's warning, says he sympathizes with the operators.

"This poor guy got nailed through no fault of his own, and now he's tainted," Thompson says. "Arguably, this guy was never infected in the first place. He was just unfortunate enough to have a bad banner ad. That can happen to FaceBook, and it can happen to anyone." ®

If you've had experiences with Google malware watchdogs or have other security-related intelligence, please share them with this reporter by using this link. Confidentiality assured.