The majority of Yandex’s search results are links to various web resources. Some of these websites may contain malicious software potentially harmful to the user’s computer. Visiting an infected site may lead to personal information being stolen, valuable data deleted, or the user’s computer used without their knowledge.
From May 2009, Yandex has been checking indexed web pages and alerting users about websites containing malicious software. The search engine displays a warning message next to the links to such pages in its search results. In January 2013, the message “This website may be harmful to your computer” was displayed about eight million times a day.
According to Yandex, the number of these websites does not exceed 1% of all indexed web documents. Some of them, however, are quite popular and, therefore, are especially attractive for malware authors. Every day, dozens of popular websites with the citation index of over 1000 get into the infected websites list. Once a month, malware gets detected on high-ranked resources with the citation index higher than 10 000.
To detect malware, Yandex relies on two technologies: the Sophos antivirus software and the company’s own proprietary antivirus technology.
The Sophos antivirus software, based on a signature approach, uses predominately the database of already known virus signatures to identify the existing codes as malicious. If the program detects a signature from the database in the code of a webpage, it immediately classifies it as harmful. This malware detection technology is very good at finding known hazards but, unfortunately, often proves inefficient for tracking new viruses until they are registered in the database.
The Yandex antivirus technology, on the other hand, is based on an alternative, “behavioral” approach. The idea behind it is that the program detects malware by performing the actions similar to those of a visitor to a web page. If a download or a program execution begins on a page automatically without user initiation, this page is very likely to be infected. This method allows detecting malware anywhere on the page including external code, such as the code of a banner ad. The main advantage of the behavioral approach is its ability to detect viruses that haven’t yet been added to any antivirus database.
Thanks to the combination of the signature-based and the behavioral approaches, Yandex’s antivirus software and the Sophos program spot different kinds of malware – the overlap between the viruses found by both programs is just 34%. According to a mutual agreement, Yandex also assists Sophos in augmenting its database by providing information about new malware.
Using Sophos’ antivirus solution and its own malware detection technology, Yandex checks about one billion web pages every month and warns users about infected websites. As of January 2013, the number of infected pages in Yandex’s antivirus database exceeded 5 million.
Website owners are often completely unaware of the malware on their pages. Viruses can intrude into a website after a break-in or a failure in website administration. A website monitoring service, Yandex.Webmaster, alerts users about any malware detected on their websites. Receiving notifications from the service allows website owners to quickly fix the problem. The warning message in search results is removed if no malicious elements are detected after the next virus check.