Thursday, July 16, 2009

Diagnosing the Diagnostics: Background

This is the first part of a series about Google's Safebrowsing Diagnostics page.

Google's Safebrowsing Diagnostics pages are a valuable source of information for webmasters. Unfortunately the information can sometimes be difficult to understand. Hopefully the next few posts will help clarify - I've been struggling with them for the past couple of months since they're fairly complex. Bear with me and jump in with any questions you may have.

Before we get to the diagnostics pages, we'll need to understand how malware works. Malware distributors have created sophisticated infrastructures. Typically, they use three types of servers and domains:
  • Distribution Servers: Malware distributors usually have a set of servers that they control and use as a base of operations. The servers host malware tools and exploits and are usually on a network where they are unlikely to be shut down. They often don't have domain names associated with them, only IP addresses.
  • Compromised Domains: Malware authors compromise legitimate domains and insert malicious scripts. The owner of the website usually doesn't realize this has happened. Most of the entries in Google's Safebrowsing malware list are these sorts of servers that have unintentionally become dangerous.
  • Intermediary Domains: Between the distribution servers and the compromised domains there are often one or more intermediary domains. Malware authors establish domains to obfuscate their malicious code. For instance, they may use a common domain name with a slight misspelling, like gooqleanalytics (notice the Q), hoping that webmasters won't spot the typo.

The structure of Google's Safebrowsing Diagnostics pages mirrors these types of servers and domains. Most flagged domains will only be one type of server, e.g., compromised domains usually aren't also distribution servers.
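Two of the tells described above (intermediary domains that differ from a legitimate script host by a single character, and distribution servers reachable only by IP address) can be checked for mechanically. The following is an added example, not code from the original post or from Google: it scans the script tags on a page a webmaster controls, compares each external host against an allowlist the webmaster maintains, and flags near-misspellings by edit distance and bare IP literals. The allowlist contents, the hostnames in the sample HTML and the distance threshold are all assumptions; the sample page is constructed for the example and uses the reserved `.invalid` TLD and TEST-NET address space so it points at nothing real.

```python
import re
from urllib.parse import urlparse

# Assumption: the hosts this site legitimately loads scripts from. A webmaster
# would maintain this list for their own pages; these two are illustrative.
EXPECTED_HOSTS = {"www.google-analytics.com", "ajax.googleapis.com"}

# Constructed sample page: one legitimate tag, one lookalike host (note the q),
# one bare-IP host, and one first-party relative script.
SAMPLE_HTML = """<html><head>
<script src="https://www.google-analytics.com/ga.js"></script>
<script type="text/javascript" src="http://www.gooqle-analytics.invalid/ga.js"></script>
<script src="http://192.0.2.10/load.js"></script>
<script src="/js/site.js"></script>
</head></html>"""

SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.IGNORECASE)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def script_hosts(html: str) -> list:
    """Return the lowercased hostnames of all externally sourced <script> tags.
    Relative sources (first-party scripts) have no hostname and are skipped."""
    hosts = []
    for src in SCRIPT_SRC_RE.findall(html):
        host = urlparse(src).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def core_label(host: str) -> str:
    """The label just below the TLD, with a leading 'www' dropped, so that
    'www.google-analytics.com' and 'www.gooqle-analytics.invalid' are compared
    on 'google-analytics' vs 'gooqle-analytics' regardless of TLD."""
    labels = host.split(".")
    if labels and labels[0] == "www":
        labels = labels[1:]
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify_host(host: str, expected=EXPECTED_HOSTS, max_distance: int = 2) -> str:
    """Verdict for one script host: 'expected', 'ip-literal',
    'lookalike of <expected host>' or 'unknown'."""
    if host in expected:
        return "expected"
    if IPV4_RE.match(host):
        # Scripts pulled straight from an IP address with no domain name match
        # the distribution-server pattern and deserve a look.
        return "ip-literal"
    label = core_label(host)
    for good in sorted(expected):
        distance = levenshtein(label, core_label(good))
        if 0 < distance <= max_distance:
            return f"lookalike of {good}"
    return "unknown"


def audit(html: str, expected=EXPECTED_HOSTS) -> dict:
    """Map every external script host on the page to its verdict."""
    return {host: classify_host(host, expected) for host in script_hosts(html)}


if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_HTML).items():
        print(f"{host:35s} {verdict}")
```

The distance threshold is a tuning knob: a value of 2 catches the one-letter swap from the post, but short labels will collide with it easily, so treat "lookalike" as a prompt to inspect the tag rather than a verdict on its own. Anything reported as "unknown" is simply a host that is not on the allowlist; a webmaster reviewing a flagged site would check those against what they actually deployed.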

With that background, you may already be able to understand the diagnostics pages a bit better. In future posts we'll dive into the details of each section of the diagnostics page.

