Reporting sites with viruses to Google (W32.Virut.CF and Vundo.H)


wayne_619

4:19 am on Aug 17, 2009 (gmt 0)

10+ Year Member



I am aware that Google is looking for sites that contain viruses per [google.com...]

There are three sites that I am aware of that have created doorway pages with trademarked terms with viruses on them (that appear in Google). While their SEO skills are fairly poor - I use the option to see results in last 24 hours to know how many times the company name / trademarks have been mentioned - I am concerned about people searching for company names and getting infected; one of the sites is listed on the second page of a regular search targeting a trademark. It is impossible for me to know, but it looks like their pages have been created with the purpose of distributing the virus ... this may be politically motivated.

The virus is very nasty. It targets webmasters' computer systems and adds an iframe to the HTML and PHP files on their computer. When the webmaster uploads a page, their website distributes the virus. I have the avast virus scanner, which detects it. Although these pages may be using a JavaScript redirect, based on my avast log.

I am not going to link or say the domain sites here - for obvious reasons. My question is how and who do I communicate with at Google concerning their safe browsing program to deal with these sites.

[edited by: tedster at 5:07 am (utc) on Aug. 17, 2009]
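Added example, not part of any forum post: a pre-upload check for the behaviour described above, where an infected workstation adds an iframe to local HTML and PHP files. It lists every iframe whose `src` points at a host outside an allowlist; the allowlist contents, the `injected.invalid` host and the sample files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Assumption: hosts this site legitimately embeds in iframes (hypothetical).
ALLOWED_IFRAME_HOSTS = {"www.example.com"}
SCAN_SUFFIXES = {".html", ".htm", ".php"}
# Captures the src value of an iframe tag, quoted or unquoted, any letter case.
IFRAME_SRC = re.compile(
    r"<iframe\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)

def suspicious_iframes(text, allowed=ALLOWED_IFRAME_HOSTS):
    """Return iframe src values that point at a non-allowlisted host."""
    hits = []
    for src in IFRAME_SRC.findall(text):
        host = urlparse(src).hostname  # None for relative (same-site) URLs
        if host and host not in allowed:
            hits.append(src)
    return hits

def scan_tree(root, allowed=ALLOWED_IFRAME_HOSTS):
    """Map each HTML/PHP file under root to its suspicious iframe sources."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            hits = suspicious_iframes(path.read_text(errors="replace"), allowed)
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings

def demo():
    """Build a constructed site tree with two injected files and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_text(
            '<html><body><p>Home</p>'
            '<iframe src="http://injected.invalid/x"></iframe></body></html>')
        (root / "about.html").write_text(
            '<iframe src="https://www.example.com/map"></iframe>'
            '<iframe src="/local/frame.html"></iframe>')
        (root / "inc").mkdir()
        (root / "inc" / "footer.php").write_text(
            "<?php echo 'bye'; ?><IFRAME SRC=//injected.invalid/y></IFRAME>")
        return scan_tree(root)

if __name__ == "__main__":
    for name, srcs in demo().items():
        print(name, srcs)
```

Running it against the local copy before each upload, and diffing the result against the last known-clean run, catches files that changed without the webmaster editing them.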

tedster

5:23 am on Aug 17, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Hello wayne, and welcome to the forums.

There are essentially four public channels for communicating with Google, as detailed in our Forum Charter [webmasterworld.com].

However, there is also a direct report page for "badware" reports at:
[google.com...]

[edited by: tedster at 6:04 am (utc) on Aug. 17, 2009]

wayne_619

5:50 am on Aug 17, 2009 (gmt 0)

10+ Year Member



Thank you, I've done some more searching. One of them has 10,000 pages targeting everything from names of dead people to video games. With spammy doorways which redirect to another site that contains the virus - I've blocked the site that delivers the virus on my system.

I hate the idea of reporting people to Google, but they can do serious harm with those viruses to people who don't have computer skills.

CainIV

6:02 am on Aug 17, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Google is pretty successful overall in finding these and blocking the website from being accessed in search; however, preventing others early from accessing the website is definitely a good thing.

Vundo is now propagated in many different variations on websites and PCs. It is notorious for infecting files that are unknowingly uploaded via FTP to the web, and then spreads by download as you have mentioned.

dstiles

8:05 pm on Aug 17, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The wonder is that Google visits such sites in the first place. Most of the IPs are known within a few hours of a virus being placed (indeed, many are permanent feed IPs) yet they still suck them up. Possibly this has something to do with Google's virus detector being (I think) third party. Or not.

In some cases it's possible to determine that a specific hosting service is botnet-friendly - again they are well-known to (it seems) everyone except law-enforcement agencies. Surely Google could kill the hosting service by IP range?

In any case, how long does it take a new site to be indexed and get a good rating? Most people seem to wait weeks if not months so why do virus sites register so quickly and so well? Cloaking presumably plays a part in deceiving Google and their collaborators but quick-reacting "topical" virus exploits still seem to get in very quickly.

I submitted a detection pattern to Google some time ago to detect hijacked forums. No reply, no action: the forums are still listed in SERPs. Since they are obviously neglected by their owners it would have caused no harm to block them.

tangor

9:03 pm on Aug 17, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Surely google could kill the hosting service by IP range?

I wonder if the reason why that doesn't happen is doing so might create a legal liability for Google? Removing malware-tainted sites upon discovery is not the same as removing IP ranges where such "might" occur. Not giving legal advice, just observing that in the law there is the concept of assumed liability wherein one party takes it upon themselves to do "x"--whatever "x" might be. Taking that route might make Google liable for damages if they FAILED to catch one of those IP ranges. So, by being "reactive" instead of "proactive" that liability cannot exist.

Purely speculation on my part (but I'll bet I'm not far off the mark!).

dstiles

10:17 pm on Aug 17, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



You're probably correct about the legal side of it, although it might make the hosts wary about accepting such junk. :(

It should be possible, though, to send bots to known bad ranges more often to check for exploits. Preferably from non-google IPs and disguised as people - hey, they already do that last bit on our sites anyway!

There was a similar case where ISPs wanted to scan their broadband customers for virus traffic and terminate the connection if found. Would have been a good inroad into botnets but the legal people said no.

I wonder what the legal position is re: Google showing actual virus sites in their listings, especially if they don't flag them and it can be proven the site / IP is a known exploit.

mrguy

11:15 pm on Aug 17, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Waste of time reporting virus sites. I've been reporting one in particular that tries to load a pretty nasty one for the last year.

I finally gave up since Google still lists the site at #1 and does not have any warning on it.

[edited by: Robert_Charlton at 11:40 pm (utc) on Aug. 17, 2009]

tedster

11:42 pm on Aug 17, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



mrguy, did you use this form to file your report -- [google.com...]

wayne_619

4:51 am on Aug 18, 2009 (gmt 0)

10+ Year Member



I've reported sites a few hours after I got the URL from this forum; still have not seen any changes - with the exception that the site that gets redirected to now has a warning in Google. However, many more sites have now become infected.

The doorways get uploaded to a random directory of a random directory and they are PHP files. Sooner or later a site will get infected that has higher ranked pages.

The doorways are interlinked and contain variations of keywords that one may find in the news (or blogs?). The structure is such that Google should be able to see them as duplicates across the internet whenever they choose to act. The keyword variations may or may not be different across different sites? One would need to look at one of the PHP files.

wayne_619

12:31 am on Aug 19, 2009 (gmt 0)

10+ Year Member



Dropping out now.

tedster

12:59 am on Aug 19, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The Google anti-malware team (Oliver Fisher) has an open Q&A going right now at:

[google.com...]

Thanks to SE Roundtable [seroundtable.com] for highlighting this opportunity.