Recent misconceptions about malware warnings

Posted on January 29, 2013 - 13:05 by ccondon

We’ve seen quite a few news articles recently about malware warnings on high-profile websites. The stories we’ve been reading have two things in common: first, they’ve all been about warnings that occur because of an advertisement’s being detected as malware; second, many or even most of them have dismissed the malware warnings as incorrect, overly alarming, and/or too wide in scope.

To be clear, StopBadware is not in a position to comment on whether any of these incidents were, as many have been quick to claim, false positives. While extremely rare, false positives are not impossible. We’ve seen very, very few false positives in our years of reviewing websites big and small, but we know there have been a few. In short, we won’t rule it out.

What disturbs us about the recent spate of news coverage, however, is the attitude that malware warnings in general are error-prone, arbitrary, or to be taken with a grain of salt. This is not the case. Malware warnings in modern browsers exist first and foremost to protect users by informing them and offering them a clear choice about what happens to their computers. Their accuracy is extremely high, they are content-neutral, and heeding them protects millions of users from becoming victims of badware.

Among the recent complaints:

  • The warnings are arbitrary advisories about site contents.
  • False positives are common.
  • The warnings are unjustly alarmist.
  • A whole site or page shouldn’t be blacklisted when “only the ad is bad.”

Some background: The malware warnings shown by many major browsers and search engines are based on blacklists curated by companies who put lots of resources into detecting and analyzing malware. These companies have automated detection systems that constantly scan the Web for malicious activity. When a site is blacklisted, it’s because these systems encountered code on that site that caused something bad to happen without asking the visiting entity for consent. Examples of “something bad” might include a redirect to a malicious domain or a download that starts silently in the background while a user is browsing the site.

A great many websites blacklisted by security companies are legitimate sites that have been infected with malware without the knowledge or permission of their owners. There are more than a few organizations that realize this and provide avenues to help webmasters clean up and remove their sites from blacklists as quickly as possible. Google and Microsoft both do this, as do some smaller security firms. StopBadware helps several companies, including Google, provide due process for owners of blacklisted sites by offering independent reviews and cleanup help.

StopBadware often receives emails and other communications from people who are indignant about a big, popular site’s being blacklisted by Google or another company. These people are sure that these incidents must be false positives, because they are understandably unaware that even big sites with high security can be compromised and blacklisted. Infected ad networks are one of the common ways big, high-traffic sites are compromised to deliver malware. Just as a website’s being compromised should not necessarily reflect negatively on the site owner, an advertising platform’s being compromised is not always (or even usually) an indication that the ad provider is irresponsible or negligent. Many advertising platforms take great pains to prevent bad ads and protect the publishers they serve.

When a malicious ad does make it onto a popular site despite the best intentions of the ad provider or the site administrator, that ad has the potential to do a lot of damage. Often, visitors to a site serving a bad ad don’t even need to click on the ad for it to cause harm; their machines are infected as soon as the ad loads in their browsers. In cases like this, warnings are there to help Web users make informed choices about what happens to their computers. At present, it’s not technically feasible to warn about only an embedded ad in a Web page.

Visitors to blacklisted sites are always free to ignore the warnings and continue on to the blacklisted site if they wish. The language in the warnings, however, is deliberately strong and designed to discourage users from clicking through. If a popular site was detected to be doing something bad (like serving a drive-by download or redirecting to a domain doling out the Black Hole Exploit Kit), people should be wary of clicking through a warning. Yes, the warnings are designed to be alarming. They wouldn't be called warnings otherwise.

As we mentioned, malware warnings in most modern browsers are generated based on automated detection systems. Key word = automated. Site contents—the text, brand, politics, or anything else that lends meaning and substance—are not ever taken into consideration. Automated malware detection systems don’t detect personal opinions or copyright infringement. They simply look for bad behavior, whether that behavior is detected on a community forum, a warez site, or a government portal. This is a major advantage of automated systems: they’re fundamentally unbiased.
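The two paragraphs above (the "something bad happened without consent" basis for a listing, and the point that site contents are never consulted) can be made concrete with a small behaviour check. This is an added example, not StopBadware's or any blacklist vendor's code. It assumes a sandboxed browser has already recorded what happened while a page loaded; the event schema, the denylist entries and both sample sessions are constructed for illustration.

```python
"""Content-neutral behaviour check over a constructed browser-session event log.

Added example, not StopBadware's or any vendor's code. It assumes a sandboxed
browser has already recorded what happened while loading a page; the event
schema, the denylist entries and the sample sessions below are all constructed
for illustration.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed denylist standing in for a vendor's curated list of domains seen
# serving exploit kits. Real lists are large and change constantly.
KNOWN_BAD_DOMAINS = {"exploit-kit.example", "payload-cdn.example"}


@dataclass
class Event:
    kind: str           # "load" | "navigate" | "download"
    url: str
    initiator: str      # URL of the frame or script that caused the event
    user_gesture: bool  # True if a click or keypress immediately preceded it
    text: str = ""      # visible page text; recorded but never consulted


@dataclass
class Finding:
    behaviour: str
    url: str
    initiator: str


def site_of(url: str) -> tuple:
    # Simplified site comparison using the last two host labels (assumption;
    # a production check would use the public suffix list).
    host = urlparse(url).hostname or ""
    return tuple(host.split(".")[-2:])


def analyse_session(page_url: str, events: list) -> list:
    """Return findings for behaviour that happened without the visitor's consent.

    Only the event kinds, the targets and whether a user gesture preceded them
    are examined. Event.text is deliberately ignored: what the page says has no
    bearing on whether it silently redirected or downloaded something.
    """
    findings = []
    for ev in events:
        if ev.user_gesture:
            continue  # the visitor asked for this; not a silent action
        if (ev.kind == "navigate" and site_of(ev.url) != site_of(page_url)
                and urlparse(ev.url).hostname in KNOWN_BAD_DOMAINS):
            findings.append(Finding("silent redirect to known-bad domain", ev.url, ev.initiator))
        elif ev.kind == "download":
            findings.append(Finding("download started without user gesture", ev.url, ev.initiator))
    return findings


def verdict(page_url: str, events: list) -> dict:
    """Whole-page verdict plus the embedded resources that triggered each finding."""
    findings = analyse_session(page_url, events)
    return {
        "page": page_url,
        "flag_page": bool(findings),
        "findings": findings,
        "triggering_resources": sorted({f.initiator for f in findings}),
    }


# Constructed session: a news page whose third-party ad frame chains into an
# exploit-kit gate and a silent download. The visitor never clicked anything.
INFECTED_PAGE = "https://news.example/story"
INFECTED_SESSION = [
    Event("load", INFECTED_PAGE, "", False, text="Local election coverage ..."),
    Event("load", "https://ads.example/frame?id=42", INFECTED_PAGE, False),
    Event("navigate", "https://exploit-kit.example/gate", "https://ads.example/frame?id=42", False),
    Event("download", "https://payload-cdn.example/setup.exe", "https://exploit-kit.example/gate", False),
]

# Constructed session: a forum page with provocative text, where every
# cross-site navigation and download followed a click.
CLEAN_PAGE = "https://forum.example/thread/7"
CLEAN_SESSION = [
    Event("load", CLEAN_PAGE, "", False, text="Heated argument about warez ..."),
    Event("load", "https://ads.example/frame?id=43", CLEAN_PAGE, False),
    Event("navigate", "https://other.example/page", CLEAN_PAGE, True),
    Event("download", "https://files.example/manual.pdf", CLEAN_PAGE, True),
]

if __name__ == "__main__":
    for page, session in ((INFECTED_PAGE, INFECTED_SESSION), (CLEAN_PAGE, CLEAN_SESSION)):
        v = verdict(page, session)
        print(page, "-> flag" if v["flag_page"] else "-> clean")
        for f in v["findings"]:
            print("   ", f.behaviour, f.url, "via", f.initiator)
```

Two things are worth noticing when running it. The forum session stays clean even though its text mentions warez, because the check never reads `Event.text`; the news session is flagged as a whole page, with the ad frame named as the triggering resource, which is the situation the post describes where the page is listed although "only the ad is bad". The redirect branch only fires for domains already on the constructed denylist, so a silent cross-site redirect to an unknown host is not reported here; a real system would go on to analyse that destination rather than stop at a list lookup.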

Code is not perfect, and neither are any given company’s methods for detecting bad code. The bad guys are always updating and adapting their malware delivery techniques; logically, it follows that the companies who work to detect malicious code must also be constantly evolving and improving their detection mechanisms. As you might expect, the dynamic nature of this process can lead to a false positive every once in a while. Once again, however, we’d like to stress the infrequency of this. In the overwhelming majority of cases, browser or search engine malware warnings alert users to real danger that can cause real damage.

Please, don’t ignore malware warnings—or encourage others to—because a high-profile case or two claim to have been false positives. It’s up to all of us to help stop badware, and malware warnings play a critical role in protecting the Internet ecosystem.


1 response to “Recent misconceptions about malware warnings”

Anonymous says:

Thx for laying this out in detail!
It's always helpful to have some 'behind-the-scenes' knowledge.
