Have you noticed an increase in the number of reports about malware and compromised web servers? Recently, a computer exploit known as Gumblar has been making news for its ability to launch exploits via drive-by download. Gumblar silently installs itself on a computer if a user simply visits a compromised web site, where it proceeds to steal FTP logins and replace legitimate Google search results with redirects to sites of the attacker’s choosing. Despite the threat of Gumblar and malware exploits like it, users of recent releases of the Firefox or Chrome browser have an extra layer of protection provided by their use of Google’s Safe Browsing API.
The Safe Browsing API is an experimental interface that provides developers with the ability to check URLs against Google’s constantly updated list of phishing and malware sites. The API can not only be used to warn users about suspicious sites while surfing the web, but it can also be used in behind-the-scenes functions, such as blocking malicious users from using online comment systems to post links to malware sites.
Recently, Google’s Online Security Blog decided to contribute to the discussion of the growth of malware and phishing attacks by publishing a graph of the Top 10 Malware Sites culled from the blacklists that the Safe Browsing API references. Google Security Team member Niels Provos writes:
Our automated systems found more than 4,000 different sites that appeared to be set up for distributing malware by massively compromising popular web sites. Of these domains more than 1,400 were hosted in the .cn TLD. Several contained plays on the name of Google such as goooogleadsence.biz, etc.
The Safe Browsing API doesn’t provide perfect protection from malware, as sites will only trigger warnings if they have been added to Google’s blacklist. Furthermore, it’s occasionally possible for a legitimate site to be erroneously marked as a malware site.
Developers should be aware that the Safe Browsing API has a few restrictions to take into account when adding the interface to a client-side application. For example, Google does not permit applications to show warning messages to users unless a blacklist update has been successfully retrieved within the past 30 minutes. Developers must also follow Google’s strict guidelines on the wording of warning messages. Furthermore, the API does not canonicalize URLs for you, so URLs submitted for a malware check against Google’s blacklist must already be in canonical form according to RFC 2396. Finally, developers who use the Safe Browsing API must sign up for an API key (see the API documentation for more details).
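To show how those two client-side rules fit together, here is an added example (not code from the article or from Google) of a small wrapper that canonicalizes a URL before lookup and refuses to report a verdict once the cached list is older than 30 minutes. The blacklist entries and timestamps are constructed sample data, and the canonicalization is a simplified one in the spirit of RFC 2396, not Google's reference implementation.

```python
import time
from urllib.parse import urlsplit, urlunsplit, unquote, quote

# Constructed sample blacklist standing in for a locally cached copy of
# Google's malware/phishing lists (hypothetical entries, not real data).
SAMPLE_BLACKLIST = {
    "http://malware.example/",
    "http://phish.example/login",
}
# Google's rule: warn only if a list update succeeded in the last 30 minutes.
MAX_LIST_AGE_SECONDS = 30 * 60

def canonicalize(url):
    """Simplified RFC 2396-style normalization: lowercase scheme and host,
    drop the default port and fragment, resolve '.'/'..' segments, and
    re-encode the path consistently so equivalent URLs compare equal."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    host = parts.hostname or ""
    if parts.port and parts.port != {"http": 80, "https": 443}.get(scheme):
        host = f"{host}:{parts.port}"
    path = parts.path or "/"
    segs = []
    for seg in path.split("/")[1:]:
        if seg == "..":
            if segs:
                segs.pop()
        elif seg != ".":
            segs.append(seg)
    path = "/" + "/".join(segs)
    path = quote(unquote(path), safe="/:@!$&'()*+,;=")
    return urlunsplit((scheme, host, path, parts.query, ""))

class SafeBrowsingClient:
    def __init__(self, blacklist, last_update_ts):
        # Store the cached list in canonical form so lookups are exact.
        self.blacklist = {canonicalize(u) for u in blacklist}
        self.last_update_ts = last_update_ts  # time of last successful update

    def list_is_fresh(self, now=None):
        now = time.time() if now is None else now
        return (now - self.last_update_ts) <= MAX_LIST_AGE_SECONDS

    def check(self, url, now=None):
        """Return 'malware', 'ok', or 'unknown' when the list is too stale
        to be allowed to warn the user."""
        if not self.list_is_fresh(now):
            return "unknown"
        return "malware" if canonicalize(url) in self.blacklist else "ok"
```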
As the technological arms race between creators of online attacks and developers who provide user security systems continues, applications that take advantage of security APIs like Google’s Safe Browsing might gain end user market share. For more information on available security-related APIs, check out our Security API listings.