Wednesday, May 09, 2007

Google's upcoming drive-by download approach ...

Blog reader Jonatan Van Hove sent me an interesting link about Google's upcoming
security approach at Nicholas Carr's blog 'Rough Type':
http://www.roughtype.com/archives/2007/05/driveby_malware.php
Increasingly worried by the use of conventional web sites to distribute the viruses that turn innocent PCs into botnet "zombies," Google appears to be readying a plan to police the web. If the plan goes forward, Google will use new software to automatically identify compromised web pages in its database and label them as "potentially harmful" in its search results. Because being labeled as suspicious by Google could devastate a site's traffic, the move would raise the security stakes for site owners dramatically. A recent Google study, led by Provos, a Google security specialist, discovered "around 450,000 web pages that launched drive-by downloads of malicious programs. Another 700,000 pages launched downloads of suspicious software. More than two-thirds of the malicious programs identified were those that infected computers with bot software or programs that collected data on banking transactions and emailed it to a temporary email account." Anything that makes people wary of visiting web sites or clicking on links stands as a big threat to Google's business. It's not surprising, then, that the company has a unit investigating the dissemination of malware through the web. The paper that Provos and four of his Google colleagues have written on the subject, The Ghost in the Browser, explains how Google is preparing to respond to the threat by incorporating an automated security analysis into its routine spidering and indexing of sites.

What do I think about it ... well ... it's basically a good idea, however:
1) It's not completely new as McAfee (SiteAdvisor) and TrendMicro (TrendProtect) for instance are already using this approach more or less.
2) It will possibly only work if you search with Google, and you have a dozen other search engines like MS Live Search.
3) It will not be foolproof as it could be easily circumvented (Oh yes it can and it will be!)

So actually it's re-inventing the wheel again. At least it will help of course in the global approach. Don't listen, however, to Provos's statement in the article: "The firewall is dead." If he really said this, then he is possibly wrongly cited by the journalist or he really doesn't know anything about real security.