Last week, Google's Niels Provos announced a newly introduced feature that aims to help owners of compromised sites understand the implications of the compromise, as well as the malicious events that took place when Google last indexed the site. From Google's Online Security Blog:
We've been protecting Google users from malicious web pages since 2006 by showing warning labels in Google's search results and by publishing the data via the Safe Browsing API to client programs such as Firefox and Google Desktop Search. To create our data, we've built a large-scale infrastructure to automatically determine if web pages pose a risk to users. This system has proven to be highly accurate, but we've noted that it can sometimes be difficult for webmasters and users to verify our results, as attackers often use sophisticated obfuscation techniques or inject malicious payloads only under certain conditions. With that in mind, we've developed a Safe Browsing diagnostic page that will provide detailed information about our automatic investigations and findings.
These are some of the key benefits that I've already found highly effective in my investigative assessments.
- Although the data is kept for only 90 days, even a three-month snapshot of the malicious activity that has been going on at a particular domain is handy when conducting assessments, especially in those cases where the site owner has already detected the compromise and removed the malicious links/scripts.
- The feature's investigative, relationship-establishing nature: by listing the other sites compromised by the same malicious domain, as well as the domains that hosted the malware and, in this case, acted as redirection points, it easily lets you see the big picture of a particular malware group or incident from different angles.
- The endless possibilities for automating and integrating the data thanks to the Safe Browsing API, as well as the possibility of using the service as an early warning system for security incidents.
What type of data is stored about a compromised site anyway? Google's diagnostic page answers four questions regarding a compromised site:
- What is the current listing status for [the site in question]?
- What happened when Google visited this site?
- Has this site acted as an intermediary resulting in further distribution of malware?
- Has this site hosted malware?
Let's test the service by diagnosing Redmond Magazine, which was among the high-profile victims of a recent SQL injection attack, in order to demonstrate the type of data Google gathers. According to the historical situation at this domain:
Of the 59 pages we tested on the site over the past 90 days, 3 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 05/19/2008, and the last time suspicious content was found on this site was on 05/10/2008. Malicious software includes 3 trojan(s), 3 exploit(s). Successful infection resulted in an average of 5 new processes on the target machine. Malicious software is hosted on 2 domain(s), including ririwow.cn, jueduizuan.com. 2 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including wowyeye.cn, ririwow.cn.
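As an added example that is not part of the original post or of Google's tooling, the small parser below turns a diagnostic summary like the one quoted above into structured fields and de-duplicates the hosting and intermediary domains into the next set of sites to diagnose; the regexes assume the exact 2008 wording of the summary, and the sample text is the Redmond Magazine summary embedded as a constant.

```python
import re
from dataclasses import dataclass
# Constructed sample: the Redmond Magazine diagnostic summary quoted in the post.
SAMPLE = (
    "Of the 59 pages we tested on the site over the past 90 days, 3 page(s) resulted in malicious "
    "software being downloaded and installed without user consent. The last time Google visited this "
    "site was on 05/19/2008, and the last time suspicious content was found on this site was on "
    "05/10/2008. Malicious software includes 3 trojan(s), 3 exploit(s). Successful infection resulted "
    "in an average of 5 new processes on the target machine. Malicious software is hosted on 2 "
    "domain(s), including ririwow.cn, jueduizuan.com. 2 domain(s) appear to be functioning as "
    "intermediaries for distributing malware to visitors of this site, including wowyeye.cn, ririwow.cn."
)

@dataclass
class Diagnostic:
    pages_tested: int
    pages_malicious: int
    last_visit: str
    last_suspicious: str
    trojans: int
    exploits: int
    hosting_domains: list
    intermediary_domains: list

def _first(pattern, text, default=""):
    m = re.search(pattern, text)
    return m.group(1) if m else default

def _domains(pattern, text):
    # A domain list runs to the first period followed by whitespace or end of text, so "ririwow.cn" stays whole.
    raw = _first(pattern + r" (.+?)\.(?:\s|$)", text)
    return [d.strip() for d in raw.split(",") if d.strip()]

def parse_diagnostic(text):
    """Turn one diagnostic summary into structured fields (regexes assume the 2008 wording)."""
    date = r"(\d\d/\d\d/\d{4})"
    return Diagnostic(
        pages_tested=int(_first(r"Of the (\d+) pages we tested", text, "0")),
        pages_malicious=int(_first(r"(\d+) page\(s\) resulted in malicious", text, "0")),
        last_visit=_first(r"Google visited this site was on " + date, text),
        last_suspicious=_first(r"suspicious content was found on this site was on " + date, text),
        trojans=int(_first(r"(\d+) trojan\(s\)", text, "0")),
        exploits=int(_first(r"(\d+) exploit\(s\)", text, "0")),
        hosting_domains=_domains(r"hosted on \d+ domain\(s\), including", text),
        intermediary_domains=_domains(r"intermediaries for distributing malware to visitors of this site, including", text),
    )

def pivot_domains(diag):
    # Hosting and intermediary domains, de-duplicated: the next set of sites to run through the diagnostic.
    return set(diag.hosting_domains) | set(diag.intermediary_domains)
```

Feeding the diagnostic summaries of the domains returned by pivot_domains back through parse_diagnostic is the manual version of the relationship mapping the post describes.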
You can safely test the service by looking up the fast-flux domain which I mentioned in a previous post, or if curiosity prevails, diagnose the malicious domains injected in the ongoing SQL injection attacks.
The introduction of the Safe Browsing diagnostic feature is a step in the right direction, limiting speculation and empowering both researchers and average end users with evidential data regarding a particular compromise. However, there have been, and continue to be, numerous successful attempts by malicious parties to trick Google's crawlers into flagging a malicious site as a clean one. In fact, a huge number of the sites used as redirectors to malicious domains in the recent SQL injection attacks remained undetected, yet another indication that the bad guys change their tactics and adapt rapidly, sometimes more rapidly than we'd like to imagine they do.