03.29.12

Malware and Google

Posted in Cyberterrorism at 10:28 am by George Smith

Yesterday, GlobalSecurity.Org was flagged as a site “that may harm your computer” by Google. I was off and on it during the day, porting the Yellow Fever post to the SITREP blog.

When Google flags your domain as harmful you take a hit.

So what was the deal? Hard to say with certainty.

Initial indications were a malware redirection attack delivered through an iframe and an ad server.

Iframes are used to serve advertisements, and attackers routinely use them to place invisible or nearly invisible windows on a page that make the browser request content from a malicious site.

The anti-virus software maker Sophos explains it in technical terms here.

Excerpting:

When the page loads, [the iframe] element causes the browser to request … content from the ad server. Ordinarily, this content would just contain the relevant ads, but when the ad server has been compromised, it also contains a malicious JavaScript …

[The malicious] iframe points to an exploit site, which proceeds to [probe] client vulnerabilities and infect the user with malware.

Any website that takes ads from third parties is exposed to this, and it is a common occurrence. Once the damage is done, the remedy is to remove the compromised ad-server scripts and code from the domain.

DD is intimately familiar with web-served malware.

So the Google flag was a surprise. During the afternoon, when the warning was issued, I noticed no malicious code served to my computer. I have a number of things in place which fairly immediately allow me to see suspicious activity generated by malware that is not yet detected by anti-virus software.

And there’s the rub. The anti-virus software site linked to above describes the malware and says it flags some such attacks. But because anti-virus software can only block the signatures it already carries, there is always a window in which new attacks get through.

This is what all the makers of malicious code exploit. It is a game of continual catch-up and clean-up.

This attack, indeed almost all current malware attacks, renders this article on home clean-up of viruses quaint.

The article, on Yahoo, is essentially a recommendation to get all the free anti-virus software you can, once you’re infected, and run it.

Eventually, you’ll have something that will remove the malware. And if you’re still stuck you’ll have to pay someone to finally get rid of it.

It illustrates, with some hard finality, that malware is beyond management by the average user. The risk and existing hazards have to be dealt with by layers above. Malware attacks are carried out beyond the intervention and knowledge of, for argument’s sake, virtually all users.

In the case of domains flagged by Google, the webmasters and administrators have to cope with it.

Yesterday, Google was the only place flagging GlobalSecurity.Org. However, as the biggest and most important entity, functionally it’s the only one that matters. If Google blacklists you, you suffer.

I was not served any malware while on the site. However, that doesn’t mean there was a problem.

I scanned the domain with Wepawet, a UC Santa Barbara web app that probes for malicious code and embedded exploits. The first result, in very late afternoon, returned an almost benign report. There were a couple of elements, the report indicated, which could not be interpreted. Later in the evening these warnings were gone, too, apparently after GlobalSecurity had removed an applet that Google’s diagnostics had flagged as malicious.

It was also possible that it was a false positive, a very annoying reality of the current worldwide model of computer security. It is an ineradicable feature of modern computing.

For a couple of months GlobalSecurity had been running a JavaScript clock that displayed a countdown to Israel’s bombing of Iran. If you used the site, you would have seen it at the top of the page.

“Yesterday Google decided the script was malware,” John Pike told me in e-mail.

The malware flag is now removed from GlobalSecurity.Org.

Whatever had actually transpired — I have no samples of malicious code downloaded to my machine to look at — Google’s response time was pretty good.
