"In the past few months, more than 1% of all search results contained at least one result that we believe to point to malicious content and the trend seems to be increasing," said Niels Provos, a security engineer at Google, in a blog post.
Provos said that in the year and a half since Google began tracking malicious Web pages, the company has found more than 3 million unique URLs on more than 180,000 Web sites that attempt to install malware on visitors' computers.
Provos co-authored a technical paper, "All Your IFRAMEs Point To Us," with Panayiotis Mavrommatis, a Google colleague, and two Johns Hopkins University computer scientists, Moheeb Abu Rajab and Fabian Monrose. The paper describes the increasing impact of "drive-by downloads," the exploitation of Web browser vulnerabilities to download and run malware automatically on the computers of Web site visitors.
Remarkably, Provos and his co-authors acknowledge that Internet advertising, Google's lifeblood, is contributing to malware distribution. This is an issue that has been raised by security companies recently, but to hear it coming from Google is unusual. In general, industry-backed research tends to confirm business models rather than call them into question.
A Google spokesperson didn't immediately reply to a request for comment.
"Today, the majority of Web advertisements are distributed in the form of third-party content to the advertising Web site," the report explains. "This practice is somewhat worrisome, as a Web page is only as secure as its weakest component. In particular, even if the Web page itself does not contain any exploits, insecure Ad content poses a risk to advertising Web sites. With the increasing use of Ad syndication (which allows an advertiser to sell advertising space to other advertising companies that in turn can yet again syndicate their content to other parties), the chances that insecure content gets inserted somewhere along the chain quickly escalates. Far too often, this can lead to Web pages running advertisements to untrusted content."
Provos said that on average, 2% of malicious Web sites were delivering malware via advertising, based on an analysis of about 2,000 known advertising networks. But because ads target popular sites, searchers are more likely to find them than their general prevalence suggests. "[O]n average, 12% of the overall search results that returned landing pages were associated with malicious content due to unsafe Ads," the report says.
Provos and his co-authors single out the practice of ad syndication -- in which ad companies redirect online ad content requests to a chain of partners -- as the source of many problems. "Clearly, it is increasingly difficult to maintain trust along such long delivery chains," the report says.
Some of the blame for the proliferation of drive-by downloads can be laid at the feet of server administrators. The report finds that among the servers distributing malware, 38.1% of Apache servers and 39.9% of servers with PHP scripting support were older versions with known security vulnerabilities. Provos and his co-authors said they could not verify the versions of infected Microsoft IIS servers. Overall, more than twice as many Microsoft IIS servers (113,905) were distributing malware as Apache servers (55,088), according to the report.
Provos didn't offer any happy endings. "One thing is clear," he said. "We have a lot of work ahead of us."