The report, "The ghost in the browser: Analysis of web-based malware," says that Google researchers analyzed the contents of several billion URLs and executed an in-depth analysis of approximately 4.5 million URLs.
The researchers discovered that about 450,000 URLs were successfully launching drive-by downloads of malicious code. The study also uncovered 700,000 other pages that "seemed malicious," but "did not meet the thresholds we had in place," said Niels Provos, one of the study’s co-authors.
Malware found included trojans, adware and obfuscated binary code. The study, which analysed a year of queries using the search engine giant, pinpointed four mechanisms — poorly secured servers, user-contributed content, advertising and third-party "widgets" — as the most prevalent methods for injecting malicious code onto websites.
Some media reported those numbers as 10 per cent of the internet being infected with malware. Provos called this "an unfortunate misquotation."
"We applied automatic analysis on billions of pages…looking for signs of exploits or drive-by-downloads," Provos said. "This analysis phase reduced the billions of URLs to a candidate set of 4.5 million. Of those, 450,000 could be confirmed to engage in drive-by-downloads."
Dan Hubbard, vice president of security research for Websense, noted that a 10 per cent infection rate "would be catastrophic...Clearly we're not in that situation."
While pointing out that "any kind of research on the web — in particular, on what we call the port 80 problem — is encouraging," he questioned one aspect of the Google study.
"It's difficult to take such a large timeframe [a year] to measure the web," he said, noting that malicious code often turns up on major websites and is removed before it would show up in a year-long survey, such as Google's.
Hubbard also said the Google study isn't the final answer on web-based malware. It doesn't include statistics on email- or instant messaging-borne threats. Nor does it include "information on the massive amount of what are called deception-based attacks, which just lure people to do something they shouldn't, such as execute a file, type in a Social Security number — those are big cases that were not covered by Google."
"It’s nice to see Google putting an effort into security because search engines are one of the key vehicles people use to get malicious code onto end-users’ machines," Hubbard said.
Google: 450,000 websites launching drive-by attacks
By Jim Carr on May 17, 2007 10:10AM