Google busts itself for distributing malware

Google is under fire in Washington for favoring its own properties. This week, I ran across proof that on at least one front it doesn't discriminate.

The company's Safe Browsing service uses Google's wide-ranging spiders to look for evidence of malware distribution on the network at large; the findings are used to block potentially dangerous sites.

So what happened when Google inspected Google.com? Here's the Safe Browsing Diagnostic page:

Oh my. Here are some results:

• "Part of this site was listed for suspicious activity 3 time(s) over the past 90 days."
• "Of the 2321615 pages we tested on the site over the past 90 days, 50 page(s) resulted in malicious software being downloaded and installed without user consent. ... Malicious software includes 296 trojan(s), 35 scripting exploit(s), 15 worm(s). Successful infection resulted in an average of 5 new process(es) on the target machine."
• "Over the past 90 days, google.com appeared to function as an intermediary for the infection of 11 site(s)..."
• "[T]his site has hosted malicious software over the past 90 days. It infected 172 domain(s)..."

This shouldn't be a surprise to anyone who follows distributors of malware. As I've demonstrated here and here, the bad guys love to target Google search results. And Google search results were the primary vector for the Mac Defender attack that plagued Mac users in May and June of this year.

The notion that malicious software can be downloaded and installed without user consent is chilling, but to put things into perspective, that count represents about 1 dangerous page for every 50,000 in Google's index.

I asked a Google spokesperson for an explanation and received this response:

Google's automated malware scanning systems don't play favorites when searching for malware - they scan and flag Google sites just like any other site. Many Google properties are designed for user-generated content - like Google Sites, Google Docs, YouTube, etc. So Google has developed sophisticated systems to help ensure user-generated content is safe, including our dynamic malware detection system which feeds data to the the Safe Browsing Diagnostic pages.

Whenever we find malware on a Google property we're committed to protecting users. Yes, that may mean adding a Google property to the malware list. But the best way to protect users is to remove the malicious content. Google's Anti-Malware team works closely with other Google teams to quickly clean up user-generated content on Google properties.

Battling malware is a difficult and on-going task. Google's priority is protecting users, and we hold ourselves to a very high standard. Google's Safe Browsing API protects millions of users every day as proof of our commitment.

And how did Microsoft's properties fare? Here are the Safe Browsing Diagnostic pages for Microsoft.com and Bing.com. When I checked earlier today, both sites were found to have hosted malicious software, just as Google did. Microsoft.com showed no evidence of having allowed malicious software to be downloaded and installed without consent. For Bing, however, the result was less than perfect:

Of the 17068 pages we tested on the site over the past 90 days, 2 page(s) resulted in malicious software being downloaded and installed without user consent.

In Bing's case, the last detection of malicious software was on August 29. By contrast, Google found malicious software on its own properties as recently as this morning.

The moral of the story: Keep your guard up when you search.