Will Google blacklist itself?

We were analyzing an infected site today and their Google blacklist diagnostic said the following:

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 3 domain(s), including site.com/, google.com/.

Hmm… So Google.com was somehow infected as well? I know it is probably some small sub-site within Google, but I found it interesting that they listed Google’s main domain in there.

If you look at Google’s own diagnostic page, it says:

31 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2011-03-28, and the last time suspicious content was found on this site was on 2011-03-28.

 
Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, google.com appeared to function as an intermediary for the infection of 71 site(s) including our-pretty-pets.blogspot.com/, daum.net/, portovelhodownload.blogspot.com/.

 
Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 72 domain(s), including tamansoftware.co.cc/, agusnih.co.cc/, duniamisteri.co.cc/.

Let’s see if Google actually blacklists themselves :)

About David Dede

David Dede is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • http://www.UnmaskParasites.com Denis

    Hi,

    It’s a normal situation. The thing is, there are many Google properties that share the google.com domain. Some of them allow users to post content (e.g. support forums) or even build whole sites (Google Sites). Moreover, Google offers a CDN for popular JavaScript libraries that can be used by malicious sites (e.g. fake AV sites). But as long as the malware scanners are completely automated, they will make no exception for Google when they find anything suspicious on google.com. That’s why you see the diagnostic page mention so many problems.

    On the other hand, I believe that they are aware of false positives (if there are any) caused by the use of Google-hosted JS libraries and ignore them. And they closely monitor the rest of the google.com-related problems, and when scanners find something suspicious they can immediately address the problems (to avoid self-blacklisting).

    By the way, there is the same issue with yahoo.com.
    http://www.google.com/safebrowsing/diagnostic?site=yahoo.com
    “The last time Google visited this site was on 2011-03-28, and the last time suspicious content was found on this site was on 2011-03-28.”

  • Oliver Fisher

    My name is Oliver Fisher and I’m an engineer with Google’s Anti-Malware team. Thanks for paying close attention to Google’s Safe Browsing API information. We’re glad that you find it useful and interesting. I wanted to explain the data, how it happens and what Google does about it.

    Google’s automated malware scanning systems don’t play favourites when searching for malware — they scan and flag Google sites just like any other site. Many Google properties are designed for user-generated content — like Google Sites, Google Docs, YouTube, etc. So Google has developed sophisticated systems to help ensure user-generated content is safe, including our dynamic malware detection system which feeds data to the Safe Browsing Diagnostic pages.

    Whenever we find malware on a Google property we’re committed to protecting users. Yes, that may mean adding a Google property to the malware list. But the best way to protect users is to remove the malicious content. Google’s Anti-Malware team works closely with other Google teams to quickly clean up user-generated content on Google properties.

    Battling malware is a difficult and on-going task. Google’s priority is protecting users, and we hold ourselves to a very high standard. Google’s Safebrowsing API protects millions of users every day as proof of our commitment.

    • http://armeda.com/ Andres Armeda

      Thanks for the clarification Oliver, this is very helpful information.

      Dre Armeda
      Sucuri Security
