homepage Welcome to WebmasterWorld Guest from
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Home / Forums Index / Google / Google SEO News and Discussion
Forum Library, Charter, Moderators: Robert Charlton & aakk9999 & brotherhood of lan & goodroi

Google SEO News and Discussion Forum

Malware in Google's Top Searches - Symantec Study

 12:24 am on May 25, 2010 (gmt 0)

The bad guys (and I mean the really bad guys) are pretty successful at getting their malware URLs into Google's most popular search results, according to a Symantec study.

  • On average on any given day, 7.3% of links are malicious in the top 70 results for top search terms

  • The most poisoned search term resulted in 68% of links leading to malicious pages in the first 70 results

  • Almost all of the malicious URLs redirect to a fake antivirus page...

    They have an automated infrastructure that is able to automatically collect the latest, most popular search trends and poison the results, the company [Symantec] said.


  • Looks like these bozos have found a working business plan.



     1:16 am on May 25, 2010 (gmt 0)

    IMO It's a pretty sad day when you think about the legitimate webmasters who try to follow all the rules and try to build good, high-quality websites and get 'penalized' or 'filtered' because they didn't use the right words in their links or used a word too many times or something else that really does no one any harm, then read something like this...

    Absolutely PATHETIC on G's part IMO.

    Maybe someday they'll see fit to fix this issue before they make another call for webmasters to report paid links? Nah, probably not... Those paid links probably totally ruin their link graph, so I'm sure the issue Symantic is reporting pales in comparison, otherwise we'd be reading about that instead of site speed and paid links being possible ranking issues...


     2:48 am on May 25, 2010 (gmt 0)

    Yes, Google does need to do better here - but I can't lay the whole thing on their doorstep, that's for sure. It's always easier to wreck things than build things.

    Last December I caught one of these payloads right on release day, apparently, and I know first hand that these criminals are devious. The little bugger not only disabled my installed A-V, it disable Task Manager so I couldn't easily terminate the processes it was launching. And then it tells me I can buy some special software to fix my computer - just give them my credit card!


     3:50 am on May 25, 2010 (gmt 0)

    Yeah, I understand tedster, but the whole 'penalty' and 'filter' situation just gets a bit out-of-control sometimes IMO, and if Symantec is finding these site, then I don't see how G couldn't spider the same terms and just start zapping them from pubic view with a little more frequency than they must be doing.

    I mean I really do understand they're getting gamed, but if it's a number as high as Symantec says on any given day, then I would think that's what MC would be begging people to report it immediately (malware sites), not paid links...

    Maybe he can't / doesn't because it would be really bad pub to let people know about the situation, but now they know anyway, so keeping quiet doesn't seem to be the answer either.

    I do understand the people who are doing it are really good at what they do, but for the number one SE to be getting gamed in their own results with the frequency they spider everyone else would make it seem to me they need to turn on an unassociated IP Address (Amazon seems like a good candidate), bot a browser UA and spider themselves frequently before they go asking for more stinking spam reports about people who might be cheating.

    IDK, I guess people could argue they can't detect it, but I don't buy it, and if they can detect it then IMO they should clam up about the paid links and other types of spam for a bit until this issue is sorted out and all but removed from the results, because one (spam) is an annoyance, and the other (malware) is a serious issue, especially for people who don't have a task manager open to try and shut it down like you do.

    Think about it this way: Symantec found this information some how and it must be fairly accurate to report it, so if Google did the same thing and gave someone a 'zap it' button it wouldn't be there any more would it?

    Sematic had the resources and man power to find it, and it seems to me if they had a 'remove now' button they probably would have used it, but G has to remove it, and I can't see what the obstacles to removing it are when obviously Symantec had the means, resources, knowledge and man power to detect it... All they were missing was the ability to remove it and this thread probably wouldn't even be here.

    Of course that's my opinion only.

    /* EndRantHere */


     4:50 am on May 25, 2010 (gmt 0)

    I think the anti-virus companies still anonymously pay big $$ to spread viruses in order to sell their anti-virus stuff.


     5:44 am on May 25, 2010 (gmt 0)

    I've got to disagree with that idea, SEOPTI. There's enough junk in the wild that the A-V companies don't need to invent any enemies to fight.

    This is especially true now that "fake anti-virus software" is the theme of the day - almost ALL the pages that Symantec found, in fact. The botnet builders have found a real cash-cow and they don't need any outside contributions.


     7:14 pm on May 25, 2010 (gmt 0)

    This is really scary. Potentially millions of people could have their computers infected with malicious software. In my opinion Google needs to make finding a solution to this their top priority.


     8:32 pm on May 25, 2010 (gmt 0)

    From 3 years while I am in webmaster area and surfing the Internet often :) , i don't see many pages like that. Maybe 1% ?! I think under 1%.

    But their report talk about first 7 pages or results, i use 1 and 2.

    Will be interesting to see how many users surf result pages pages 1,2..10,if there is a data provided by G.


     8:58 pm on May 25, 2010 (gmt 0)

    With all the different options on Google's new SERPs page layout, with each option showing different rankings based on different criteria, it might open up more possibilities for spammers and malware spreaders to find a way into the results.


     9:05 pm on May 25, 2010 (gmt 0)

    Security blogs have been warning of this situation for a long time but don't have the circulation that (eg) symantec has. And a lot of it IS fixable by google.

    There are a number of IP blocks which are regularly associated with scam/virus sites, quite apart from the botnets that redirect to these serving sites. It surely isn't beyond google (and others and their detection partners) to check the IP of URLs that are submitted. A simple check of site content on such an IP, using a cloaked bot masquerading as (eg) the most vulnerable browsers (eg IE, Safari), should confirm suspicions.

    It would also help if a large company such as google used its clout to pressure the registries to turn off IP blocks of hosting companies that run exploit-friendly servers. This has been done a few times before so it obviously CAN be done again.


     9:38 pm on May 25, 2010 (gmt 0)

    their detection partners

    I wonder if Google hasn't "outsourced" malware detection a bit too much and needs to become more hands-on. Just wondering, no real knowledge, but the issue does have that kind of feel. If so, this prominent study should deliver a goad to the right places.


     6:44 pm on May 26, 2010 (gmt 0)

    What's it like being an optimist, tedster? :)

    Robert Charlton

     8:16 pm on May 26, 2010 (gmt 0)

    Not to lull anyone into a false sense of security... and using an admittedly small sample... I just did some test searches using Norton Site Safety, and, in the first 70 results, I'm not seeing anything like the percentages of sites identified as unsafe that the above story suggests.

    In fact, on all the searches I did, for some highly competitive terms, for download sites, for pop stars, etc, where you'd expect some mischief, I only came across one site flagged as unsafe by Symantec... with a few others not rated, and two flagged as having annoyance factors. This is out of hundreds of sites, though only dozens of searches.

    I should add that I do pay attention to the Site Safety warnings, even though I'm sometimes skeptical of them. (There is, eg, a social component to the Symantec warnings that might allow sabotage by competitors).

    I've also encountered warnings on some sites (web/tech organizations, eg) that I'd expect to be web savvy, where I've contacted them about it, they've responded that they've looked into it, and the warnings have persisted. Hard to know what to make of that. Also, outside opinions have differed on some other sites that I've seen flagged by Symantec. I've not seen them flagged by Google.

    To a degree, we do want malware warnings to err on the safe side, and at the moment I'm supposing that Symantec is doing a more thorough job on this than Google is. I would like to see some more players enter the game, though.

    Again, and not to minimize the problem... Symantec is most definitely trying to sell its products, which makes me wonder about the statistics in the story just a bit.


     8:30 pm on May 26, 2010 (gmt 0)

    Robert Charlton , i totally agree with your opinion, especially from the last paragraph.I admire your sincerity.

    Maybe there is a risk surfing adult sites,but on safe search things looks very ok.

    Also,i would expect to see results from Y! search, Norton has a service who scans email attachements for example.

    This is advertising,in my opinion.At least one example should be attached when are making an analyze like this (who can harm other image).


     9:27 pm on May 26, 2010 (gmt 0)

    In My experience, Trend Micro Internet Security catches & prevents more that Norton Does


     10:09 pm on May 27, 2010 (gmt 0)

    According to blogs I've read the situation fluxes. One day there may be several for a given keyword, next day the popularity has shifted to something else - usually topical. Next day again and the server farm has mended its nets and it'll take a day to find another compromised server.

    Global Options:
     top home search open messages active posts  

    Home / Forums Index / Google / Google SEO News and Discussion
    rss feed

    All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
    Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
    WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
    © Webmaster World 1996-2014 all rights reserved