One common class of attacks includes images that
resemble popular video players, along with a false warning that the computer is missing essential codecs for
displaying the video or that a newer version of the video
player plug-in is required to view it. Instead, the provided
link downloads a trojan that, once installed, gives the
attacker full control over the user’s machine.
A more recent trick involves fake security scans. A
specially crafted Web site displays virus-scanning dialogs,
along with animated progress bars and a list of infections
supposedly found on the computer, but all the warnings
are false and are meant to scare the user into believing the
machine is infected. The Web site then offers a download
as the solution, which may itself be a trojan, or asks
the user for a registration fee to perform an unnecessary
cleanup of the machine.
We have observed a steady increase in fake anti-virus
attacks. From July to October 2008, we measured an
average of 60 different domains serving fake security
products, infecting an average of 1,500 Web sites. In
November and December 2008, the number of domains
increased to 475, infecting more than 85,000 URLs. At
that time the Federal Trade Commission reported more
than 1 million consumers were tricked into buying these
products, and a U.S. district court issued a halt and an
asset freeze on some of the companies behind these fake
products.[3] This does not appear to have been sufficient to
stop the scheme. In January 2009, we observed more than
450 different domains serving fake security products, and
the number of infected URLs had increased to 148,000.
Malware activities on the user's machine. Once attackers have control over a user's machine, they usually
attempt to turn their work into profit. We have previously
analyzed the behavior of Web malware installed by drive-by downloads.[10] In many cases, malware was equipped
with key-loggers to spy on the user's activity. Often, a
backdoor was installed, allowing the attacker to access
the machine directly at a later time. More sophisticated
malware turned the machine into a bot that listened
to remote commands and executed various tasks on
demand. Common uses of botnets include sending spam
or harvesting passwords or credit card numbers. Botnets
afford the attackers a degree of anonymity since the spam
appears to be sent from a set of continuously changing IP
addresses, making it harder to blacklist them.
To help improve the safety of the Internet, Google
has developed an extensive infrastructure for identifying
URLs that trigger drive-by downloads. Our analysis starts
by inspecting pages in Google’s large Web repository.
Since exhaustive inspection of each page is prohibitively
expensive as the repository contains billions of pages, we
have developed a lightweight system to identify candidate pages likely to be malicious. These pages are then
subjected to more detailed analysis in a virtual machine,
allowing us to determine if visiting a page results in malicious changes to the machine itself.
The lightweight analysis uses a machine-learning
framework that can detect 90 percent of all malicious
pages with a false positive rate of only 10^-3. At this false
positive rate, the filter reduces the workload of the virtual
machines from billions of pages to only millions. The
URLs that are determined to be malicious are further processed into host-suffix path-prefix patterns. This system
has been used to protect Google’s search engine since
2006. Our data is also published via Google’s Safe Browsing API for browsers such as Firefox, Chrome, and Safari,
which use the data to prevent users from visiting harmful
pages.
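How a host-suffix path-prefix blocklist of the kind described above is consulted on the client side, as an added example that is not code from the paper or from Google's own system. The canonicalization and the candidate-generation limits (exact host plus up to four shorter host suffixes, exact path plus up to four directory prefixes) follow the publicly documented Safe Browsing lookup conventions as I understand them and are an assumption about the scheme, not something the text specifies; the blocklist entries and URLs are constructed for illustration.

```python
import re
from itertools import product
from urllib.parse import urlsplit

# Constructed blocklist of host-suffix/path-prefix patterns (hypothetical entries,
# not real Safe Browsing data). A pattern covers every URL whose canonical host
# ends in the pattern's host and whose canonical path starts with its path.
BLOCKLIST = {
    "badcodec.example/",             # whole domain: fake "missing codec" installers
    "hosting.example/~user/scan/",   # one directory on a shared host: fake AV scan
}

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def canonicalize(url):
    """Reduce a URL to (host, path, query) in a normalised form.

    Assumption: a simplified subset of the Safe Browsing canonicalisation rules:
    lower-case the host, drop the fragment and trailing dots, resolve '.' and '..'
    path segments. Percent-decoding and repeated-slash handling are omitted.
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").strip(".").lower()
    while ".." in host:
        host = host.replace("..", ".")
    segs = []
    for seg in (parts.path or "/").split("/")[1:]:
        if seg == "..":
            if segs:
                segs.pop()
        elif seg != ".":
            segs.append(seg)
    return host, "/" + "/".join(segs), parts.query


def host_suffixes(host):
    """Exact host, then up to four shorter suffixes; the bare TLD is never used.

    Assumption: component limits follow the published Safe Browsing lookup rules;
    an IP-address host yields only itself.
    """
    if IPV4.match(host):
        return [host]
    comps = host.split(".")
    n = len(comps)
    out = [host]
    for i in range(max(1, n - 5), n - 1):
        out.append(".".join(comps[i:]))
    return out


def path_prefixes(path, query):
    """Exact path (with and without query), then '/' and up to four directory prefixes."""
    cands = []
    if query:
        cands.append(path + "?" + query)
    cands.append(path)
    prefix = "/"
    cands.append(prefix)
    for comp in path.split("/")[1:-1][:4]:
        prefix += comp + "/"
        cands.append(prefix)
    out = []
    for c in cands:              # de-duplicate while keeping order
        if c not in out:
            out.append(c)
    return out


def lookup_expressions(url):
    """Every host-suffix/path-prefix combination a blocklist entry could match."""
    host, path, query = canonicalize(url)
    return [h + p for h, p in product(host_suffixes(host), path_prefixes(path, query))]


def is_flagged(url, blocklist=BLOCKLIST):
    """Return the first matching pattern, or None if the URL is not covered."""
    for expr in lookup_expressions(url):
        if expr in blocklist:
            return expr
    return None


if __name__ == "__main__":
    for u in ("http://www.badcodec.example/player/update.exe",
              "http://hosting.example/~user/scan/index.php?id=7",
              "http://hosting.example/~user/blog/",
              "http://www.example.com/index.html"):
        print(u, "->", is_flagged(u))
```

The point of the expansion is that a single pattern such as `badcodec.example/` blocks every page on every subdomain of that host, while `hosting.example/~user/scan/` blocks only the one directory on a shared host without collateral damage to the rest of it. The deployed Safe Browsing API does not ship these expressions in the clear: the client computes SHA-256 hashes of them and compares hash prefixes against the downloaded list, so a lookup does not reveal the visited URL to the list provider.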
CHALLENGES
Despite these efforts to make the Web safer for users, a
number of fundamental challenges remain, requiring
future work.