Thursday, March 25, 2010

Web Security: the Google paradox

Google has done a great deal to help people safely browse the web:
  • Google Safe browsing is a feed of malicious URLs and phishing sites, which is integrated with Firefox
  • skipfish, released earlier this week, aims at testing the security of websites
  • Chrome, Google's new browser, has a strong emphasis on user security
  • etc.
However, we have shown in previous blog posts that Google often includes malicious websites in the top-50 search results for breaking news stories: March Madness, the Chile earthquake, the Winter Olympics, the Haiti earthquake, etc. After clicking on one of these search results, the user gets redirected to a malicious website.

How safe are the most popular searches?
Yesterday, I started an experiment. I am retrieving the most popular US searches from Google Trends to check how many malicious sites are displayed by Google. Note that Google Trends changes each day, and the results might be different when you read this post.

Here are the searches I tried, all from Google Trends on 03/24 and 03/25.

03/24, casey reinhardt:
  1. page 5, hxxp://iablaas.com/present/casey-reinhardt.html redirects to the malicious site hxxp://search4-protect.xorg.pl/
03/24, wikipedia down:
  1. page 1, hxxp://wikipedia-down.prolinepitcarts.com/ uses a PDF exploit
Malicious link within the Google search results.

Note that my antivirus thinks this page is safe. It does warn me while the PDF exploit is running, however.

03/24, patrick trainor:
  1. page 7, hxxp://riablaas.com/present/patrick-trainor.html redirects to hxxp://runforclear1.xorg.pl/
03/24, jarrett rex:
  1. page 1, hxxp://mandurphy.com/presentation/jarrett-rex.html redirects to hxxp://runforclear1.xorg.pl/
  2. page 3, hxxp://jarrett-rex.prolinepitcarts.com/ uses a PDF exploit
  3. page 3, hxxp://riablaas.com/present/jarrett-rex.html redirects to hxxp://runforclear1.xorg.pl/
03/25, dame edna:
  1. page 1, hxxp://front9design.com/ztssw.php?on=dame%20edna redirects to hxxp://save4my-sys.xorg.pl/
  2. page 2, hxxp://www.friendsofguitar.com/sqgrk.php?go=dame%20edna redirects to hxxp://save4my-sys.xorg.pl/
  3. page 3, hxxp://denverneighborhoodnews.com/ddlkc.php?a=dame%20edna redirects to hxxp://save4my-sys.xorg.pl/
  4. page 3, hxxp://global-equality.org/tcwud.php?in=dame%20edna%20wiki redirects to hxxp://save4my-sys.xorg.pl/
  5. page 6, hxxp://origin.ny1.com/1-all-boroughs-news-content/top_stories/... redirects to hxxp://save4my-sys.xorg.pl/
  6. page 7, hxxp://friends.opensourcediet.com/adugq.php?page=dame%20edna redirects to hxxp://save4my-sys.xorg.pl/
  7. page 8, hxxp://friends.opensourcediet.com/adugq.php?page=dame%20edna redirects to hxxp://save4my-sys.xorg.pl/
  8. page 8, hxxp://dennek.com/pilxf.php?a=dame%20edna%20broadway redirects to hxxp://save4my-sys.xorg.pl/
03/25, beyonce pregnant:
  1. page 1, hxxp://americanbeachsoccer.com/noldor/beyonce-pregnant.html redirects to hxxp://runforclear1.xorg.pl/
03/25, johnny maestro:
  1. page 1, 2 results are malicious
  2. page 2, 6 results are malicious!
  3. page 3, 6 other results are malicious
  4. page 4, 7 other results are malicious
  5. page 5, 4 malicious results (I stopped there)
As you can see, this is pretty bad. All the queries I tried showed at least 1 malicious page within the first 10 pages (top 100 results). I suspect the ratio of good URLs to malicious pages is even worse for trends that are older than the ones I looked at in my initial research. For the search "johnny maestro", more than 50% of the links are malicious!

xorg.pl is involved in most of the malicious redirections. It shows a fake AV page and tricks the user into running malware on their computer. Fortunately, it is a known malicious domain and it is flagged by Firefox:

Malicious page blocked by Google Safe Browsing in Firefox

Searching Google for prolinepitcarts.com returns 2,200 results: 2,200 malicious links for a single domain. They are all PDF files, with URLs of the form keyword1-keyword2.prolinepitcarts.com.

Search result for prolinepitcarts.com

The Challenges

Why does Google not do a better job of cleaning up the results? Malicious hackers are doing their best to hide the malicious pages from security scanners. First, the scanner has to reach the malicious page by coming from Google (Referer header). Then it needs to look like a vulnerable browser (Internet Explorer 6 is a good bet). Then it has to run all of the JavaScript, Flash and PDF elements to follow the redirections.

But I would hope that they could at least clean up the top results for the top searches. After checking a couple of bad links, a few elements make the malicious content stand out: they are often .php pages with the search query in a URL parameter, or they have all the right keywords in the sub-domain. By targeting these few URL patterns, Google would need only limited resources to clean up its search results.
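One way to turn those two tells into a triage check, as an added example that is not part of the original post and not Google's code: it restores the post's defanged hxxp:// links, applies the two heuristics described above plus a third generalised from the listed URLs (the query terms hyphenated into the filename), and runs them over URLs taken from the lists above together with one constructed benign control.

```python
import re
from urllib.parse import urlsplit, parse_qs

def _refang(url):
    # The post defangs links as hxxp://; restore the scheme so urlsplit parses them.
    return re.sub(r'^hxxp(s?)://', r'http\1://', url, flags=re.IGNORECASE)

def suspicious_features(url, query):
    """Heuristic hits for one search result, given the trending query it was returned for."""
    terms = query.lower().split()
    parts = urlsplit(_refang(url))
    host = (parts.hostname or '').lower()
    hits = []
    # 1. A .php page whose query-string parameter echoes the search terms
    #    (e.g. ztssw.php?on=dame%20edna). parse_qs already percent-decodes.
    if parts.path.lower().endswith('.php'):
        values = [v for vs in parse_qs(parts.query).values() for v in vs]
        if terms and any(set(terms) <= set(v.lower().split()) for v in values):
            hits.append('php_param_echoes_query')
    # 2. A sub-domain built from the search terms joined with hyphens
    #    (e.g. wikipedia-down.prolinepitcarts.com).
    labels = host.split('.')
    if terms and len(labels) >= 3 and labels[0] == '-'.join(terms):
        hits.append('keyword_subdomain')
    # 3. Generalisation from the other listed URLs: a filename built the same way
    #    (e.g. /present/casey-reinhardt.html).
    stem = parts.path.rsplit('/', 1)[-1].rsplit('.', 1)[0].lower()
    if terms and stem == '-'.join(terms):
        hits.append('keyword_filename')
    return hits

def triage(results):
    """results: iterable of (query, url). Returns {url: hits} for every flagged result."""
    flagged = {}
    for query, url in results:
        hits = suspicious_features(url, query)
        if hits:
            flagged[url] = hits
    return flagged

# Sample input taken from the post's own lists, plus one constructed benign control.
SAMPLE = [
    ('dame edna', 'hxxp://front9design.com/ztssw.php?on=dame%20edna'),
    ('dame edna', 'hxxp://global-equality.org/tcwud.php?in=dame%20edna%20wiki'),
    ('wikipedia down', 'hxxp://wikipedia-down.prolinepitcarts.com/'),
    ('casey reinhardt', 'hxxp://iablaas.com/present/casey-reinhardt.html'),
    ('dame edna', 'https://en.wikipedia.org/wiki/Dame_Edna_Everage'),  # constructed control
]

if __name__ == '__main__':
    for url, hits in triage(SAMPLE).items():
        print(url, '->', ', '.join(hits))
```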

What's next?

I am looking at extending this experiment to other search engines. I also want to see if this is specific to the US, or if search results in other languages contain as many malicious sites. Finally, I will try to get more comprehensive results for more trends, older trends, etc.

-- Julien