Wednesday, 29 September 2010

Google and Safe(r) Browsing

So Google has announced a new tool. This tool, Safe Browsing Alerts seeks to notify ISPs of malicious web content hosted on their AS. I love to see things like this, and it gives me a little hope for the future. It is the proverbial step in the right direction to my line of thinking. The fight against malware needs to become more proactive.  However, I don't know how effective letting AS owners know will be.  The information really needs to go more towards hosting companies and the like. people with the ability to pull content.

Here is my brief, idealized, dream. We take the stop badware model and expand it. A strong coalition is created to proactively identify malicious content on the internet and stamp it out where possible. This coalition would include the major AV vendors (Kaspersky, F-Secure, TrendMicro,Symantec,Mcafee, Sophos, etc) and the major search engines Google, Microsoft, and Yahoo(does anyone really use yahoo anymore?). A crawler is designed to go out across the web and look for malicious content. I am envisioning two main branches of this:

  1. As new exploits/payloads are discovered, the crawler searches for specific files or content that indicate the presence of the exploit or payload. Very google-hacking approach. This would be like looking for the windows RDP web connection by doing intitle:"Remote Desktop Web Connection" inurl:tsweb . This detection can be avoided fairly easily, but it will still quickly catch some of the low hanging fruit.
  2. The actual crawler. This crawler goes out and actually analyses the content on the pages it crawls and looks for malicious content. This would be hard to do efficiently, I suspect, but could be done with proper resources.
So, assuming this dream comes true, what happens next? Well, a couple of things would happen at this point. The discovered malicious content would be cataloged. This would then be fed back to the participant  companies. It would go to the AV vendors to examine and create new definitions if needed. It would go to the search Providers to reflect in their own search engine results. Suddenly alongside your Google or Bing results, you see a warning "Potentially Dangerous Content Detected". This serves as a warning to the public, sort of a "caveat lector". Then, the coalition should attempt to notify appropriate parties. This could include AS owners,  hosting companies, and/or whois contact persons.

None of this of course 'solves' the problem. It is still up to individuals to do the right things. It is up to the user to not go to a site flagged as dangerous, and to have appropriate protection on their machine. It is up to the webmaster to make sure that their sites are not compromised, or hosting malicious content. What this could do, however, is raise visibility and awareness. It would give malware less places to lurk. Of course the bad guys will just move faster, finding new ways of hiding their stuff. It would be a start though. anyways, that's jsut my silly little dream. Who knows, maybe it will one day become a reality.

No comments:

Post a Comment