incrediBILL - 10:58 pm on Apr 27, 2007 (gmt 0)

The problem becomes a profitability and survivability issue if they do NOT check. Because eventually, consumers will not trust Adwords, and perhaps not trust Google at all. They will stop clicking on ads, and Google will be done.

Really?

Just because one fringe article decries the issue doesn't make it a business buster for Google. I've been using Google and clicked AdWords for years and never had a single problem but I can't claim the same from the SERPs.

So why is AdWords/AdSense the spotlight?

Because it's their cash machine.

Why didn't they point out the big infected hosts as an issue?

I'll hazard a guess their pockets aren't deep enough to bother rattling or more importantly their name isn't GOOGLE so it's not a headline.

A less laissez-faire attitude would seem prudent.

If the legal system wasn't so jacked up, judges technically illiterate on the issues, and every ignorant spaz didn't sue for negligence at the drop of a hat I would agree. If Google can silently filter out bad sites from their entire product line, it would be wonderful. But, as I mentioned before, it will probably be noticed and the malware will quickly evolve to avoid them, if they aren't cloaking already.

Besides, I told you I'm already actively filtering for malware, I just don't publicly post that factoid on my site. I don't want the criminals to wise up, nor visitors to think I'm doing anything special that their current AV products should already be doing.

FWIW, my quality filter drops a lot of sites that Google allows in their index. I drop domain parks, sites that mutate become porn sites, virus fingerprints, even certain keywords in their meta tags or redirect URLs can trigger my link checker to suspend a listing. However, I couldn't evaluate 35K sites manually to make sure I catch everything so I do the best I can. Compare the scale of Google with billions of web pages and the theoretical mutations of malware, it's a no-win scenario.

If you have a stupid malware script, it's easy to identify and block.

If you have something a wee bit more sophisticated, which I've run across, the obfuscated javascript is randomized and the only way to identify that it's malware is physically run the javascript and print the result. The results can also be further randomized using domains unwittingly involved in botnets due to 3rd party software vulnerabilities, making it virtually impossible to stop with automation because the fingerprints are rapidly evolving.

I don't just make this stuff up as I was under attack by a botnet for almost 2 months and the sources and compromised sites hosting the files changed daily.

How would you suggest Google address this problem?

So far, the AV people have the best solution as the actual malware download code itself has enough specific fingerprints you can stop it. The problem is having to dissect and track through quite a bit of stuff in the botnet just to get to point you're able to examine the final malware download, and by then it's too late as it's slightly different hosted somewhere else the next day. Been there, tracked it, quite frustrating to keep on top of it and not something I would reasonably expect Google to be doing.

Hosting companies, Open Source software, and webmasters bear a lot of responsibility here, not Google, but that's a whole 30 minute dissertation for a different day.

Besides, why just Google?

Yahoo and MSN sell ads too, you think none of their ads ever point to infected pages?

Of course the other ad networks most likely do link to infected pages, but Google bashing is in vogue as poking a stick at the #2 or #3 players don't make good headlines.

[edited by: incrediBILL at 11:04 pm (utc) on April 27, 2007]