Google adds malware data to Transparency Report

Posted on June 26, 2013 - 15:34 by ccondon

For more than five years, StopBadware has been working with the Safe Browsing team at Google to help webmasters clean up hacked sites and make the Web safer. Through their detection systems, browser and search warnings, and notifications, Google’s Safe Browsing initiative helps protect millions of Internet users from potentially harmful websites every day. As a result, Google has quite a bit of data on harmful websites and their behavior. Data like Google's is essential to understanding the malware problem—and understanding the problem is, in turn, a prerequisite to solving it. Yesterday, Google announced that they’ve added a Safe Browsing section to the Google Transparency Report to shed more light on the sources of malware and phishing. 

Unsafe websites detected per week - Google

The new Safe Browsing section of the Transparency Report includes data like the weekly number of users who see browser and search warnings, the number of compromised legitimate websites vs. “attack” sites (those created expressly to distribute malware), and webmaster response/reinfection rates. It also includes information on malware distribution by autonomous system (AS) that allows users to sort data by region, type of site detected, and time range.

A few notable points (several of which our partners over at Sucuri have already pointed out):

  • The ratio of compromised legitimate sites to intentionally malicious attack sites is pretty staggering. The vast majority of sites Google detects to be distributing malware are legitimate sites that have been infected without the permission, and often without the knowledge, of their owners.
  • The website reinfection rate has been gradually declining since its 2008 spike. (Google makes note of the fact that a change in their process caused the initial spike.) Decreasing reinfection rates and increasing preventative website security are among StopBadware’s long-term goals, so it’s encouraging to see this metric expressed as a downward trend over time.
  • Webmasters’ response time (once they’ve been notified a site is compromised) is still much longer than optimal. As both we and much of the security community are well aware, there are several factors that likely contribute to the lag in cleanup time. Many webmasters either don’t see or don’t know how to interpret malware notifications, for instance, and many more lack the relevant technical expertise to find and remove malicious code and eliminate infection vectors.

Resources like StopBadware’s community forum, our webmaster resources, and Google’s Help for hacked site owners informational series can help address these needs. At the same time, it’s clear that there’s more to be done. 

StopBadware hears on a regular basis how one of the security industry’s most persistent problems is establishing and sharing metrics that accurately express the state of malware on the Web. It’s why we’ve long published data like our Top 50 IP and AS lists, and why we’re piloting a data sharing program among our partner companies. Google’s Safe Browsing data offers another key glimpse of the ways malware distribution is evolving and ways the industry can shift to more effectively fight it. Props to the team at Google for their work on the new report section!

Openness versus consumer protection? Android, iPhone, and transparency

Posted on January 30, 2009 - 16:22 by egeorge

If you follow news about the Android mobile phone platform, you may have seen recent allegations of malware against a third party application available on Google's Android application market. It's unclear whether or not the application in question, MemoryUp, was actually capable of any of the reported claims against it - Google's own testing showed no malicious behavior - but the application disappeared from the Android Market anyway.
Elisabeth Oppenheimer, of StopBadware director Jonathan Zittrain's "Future of the Internet" blog, writes:
[I]f Google is going to have the kind of open marketplace they want, they’re going to have to be more clear about what they’re doing. No one seems to know who pulled the app—the developer, Google itself, or perhaps some automatic system based on customer complaints. If Google is silently pulling disputed apps while the developers protest … they’ve replicated the iPhone’s App Store. There hasn’t been much protest about the Android kill switch, and people might well be okay with pulling apps that pose security problems from the Market (especially since there are alternative distribution methods). But Android users ought to know who pulled the app, and why.
Contrast the Apple iTunes App Store, which pre-screens applications. It's unlikely for malware to get through, but the high level of gatekeeping also can keep legitimate applications out - including, controversially, competitors to some applications designed by Apple.
Elisabeth continues:
Professor Zittrain argues for solutions that engage the community of users and don’t assume a zero-sum game. Having users test and rate applications—as they do on Android—is certainly a step in that direction. (Google removing apps without explanation would be a step in the opposite direction, and would make developers nervous.)
Do we really need to choose between openness and security? Professor Zittrain argues that, with the help of the community of internet users at large, we should not need to. For companies in a position to act as gatekeepers seeking a balance they can live with, a high level of transparency and communication with users can help mitigate any restrictions on openness - and can help foster a more secure internet for us all. 
Disclosure: Google is one of StopBadware's sponsors.

Open and transparent malware filtering

Posted on July 9, 2008 - 17:00 by egeorge

StopBadware's manager, Maxim Weinstein, has a guest editorial today in ZDNet's Zero Day security blog. The editorial urges more transparency in malware filtering by anti-virus companies, search engines, and web browsers.

Maxim argues that a good filtering system should have:
* A low false-positive rate
* Clear, publicly-available criteria for determining which sites are listed
* Information about why a particular site is listed
* A transparent, responsive process for requesting removal of incorrect or outdated listings
* Support and education for owners of compromised sites

Helping to foster these kinds of fair and open systems for user protection is, of course, one of StopBadware's missions. Have thoughts on ways to make malware filtering better? Share them in the comments to Maxim's post.