Archive for September, 2010

Google Instant revolutionizes the SERP

September 29th, 2010 No comments

Published by Iñaki Gorostiza, September 29, 2010

This follow-up to the piece “An instant with Google Instant” takes the analysis of this issue further.

The SERP has changed, or better still, the SERP now changes with every keystroke:

  • The first page is now the key component of the search. Where before it was already unlikely that a user would go beyond the second or third page of results returned, Google Instant brings the relevance of the Top 10 results into even sharper focus.
  • The visual content fully captures the user’s attention. The SERP becomes a kaleidoscope where Web maps, images and videos stand out against any text content.
  • Google Instant minimizes bad searches due to spelling or grammatical errors, and this has a direct impact on those pages that feed off such mistakes.
  • The space on the SERP dedicated to organic results is reduced in favor of suggestions. This can lead to a page where there is just one organic result for every eight sponsored links. Let’s take a look:
  • Now more than ever, webmasters will have to draw Google users’ attention with the title and snippet (the brief text below the title describing the Web page).
  • Interestingly, adult pages are ignored by Google Instant. Try searching, say, for “sex” and you’ll see that the search engine does nothing. Of course, certain search terms may suffer collateral damage, so be careful if you’re looking for “Whorfian hypothesis”, for example.
  • The influence of the ‘long tail’ is questionable:
    • The long tail can be partially cannibalized by head terms, as before a long search term such as “Antivirus in Spanish compatible with Windows 7” is entered, a ‘good enough’ result may be displayed.
    • It’s also true that simple searches, such as “Antivirus” will generate more specific suggestions such as “Free antivirus in Spanish”.
  • Well known brands will benefit: after entering just one or two letters, don’t be surprised to see the name of a famous company.

It only takes an instant to forget a lifetime, but sometimes even a lifetime isn’t enough to forget an instant.

In a few months we will know exactly the impact that Google Instant has on the search trends of users, as well as on Search Marketing strategies. For the moment, we just have to make educated guesses.

While it’s true that Google Instant represents a significant step forward, it shouldn’t really alter the fundamentals of SEO/SMO, at least not to the extent that some fear. Sleep tight everyone.

==============================================================================

You can contact Iñaki Gorostiza on his blog http://www.hellogoogle.com, where he publishes articles that help companies grow on the Internet, and at http://twitter.com/hello_google.


An instant with Google Instant

September 22nd, 2010 1 comment

By Iñaki Gorostiza, September 22, 2010

Google Instant highlights just how marvelous human beings are: we can search for something at the same time as we read the results, without our heads exploding.

Instant is the result of 15 new technologies which, according to the people at Google, will help our searches return faster and more accurate results. An unprecedented act of generosity that will help us save five seconds for every search we make. Start thinking what you’re going to do with all this free time!

On the face of it, Instant is a significant advance in the mechanics of search engines, yet Adwords advertisers and behavioral philosophers dabbling in SEO have misgivings. Collective hysteria has erupted across social media, with apocalyptic predictions of the death of SEM and SEO.

This is nothing new: every time the search engine supreme engenders a new function (Google has delivered more than 540 search quality improvements since 2009), the Earth’s axis shifts another millimeter: Caffeine, Google Suggest, personalized searches, universal and real-time search, and now Instant. But has anything really changed? Do we really have something to worry about?

What’s new in Google Instant?

Broadly speaking, three things are new:

  • Dynamic results: Every time you type a letter, the SERP updates to display the results most relevant to what you have written.
  • Predictions: Google will predict what you are looking for, and will display this prediction in light gray text.
  • Textfield with Scroll: You can immediately mouse over the predictions and see the results.

Google Instant supports Chrome, Firefox, Safari and Internet Explorer 8+ and is already available to Google users in France, Germany, Italy, Russia, the UK, USA and Spain.

Although it is currently only implemented for Web searches (and accessed from a Google account), the plan is to include it in other content: videos, images, maps and news, as well as on other devices, such as cell phones.

Why Google Instant?

Google Instant, evidently, optimizes search time, and estimates suggest that users will save some 350 million hours over the next year.

It is also thought that Instant will improve the scope and quality of search results, in other words, our searches will be better.

Google hopes that these two factors will encourage users to make more searches with the consequent positive repercussions for its main source of monetization: its Adwords sponsored advertisements.

Moreover, Google Instant, as we will see below, will subtly favor PPC over organic results in the SERP. Everything suggests that this is another initiative from Google that will improve revenue while making us all happier individuals.

Redefining e-marketing metrics

The first direct consequence of Instant is that it redefines the concept of the impression, which is of essential importance to PPC.

Traditionally, an ‘impression’ has been defined as every time an Adwords advertisement is viewed in the SERP. Starting with this parameter, others such as the CTR or CR can be derived with a view to calculating the ROI of a campaign.

In this new scenario, where the SERP is dynamic, changing with every keystroke, Google does not count impressions until one of the following criteria has been met:

  • The user clicks Enter to run the search.
  • The user clicks the Search button.
  • The user clicks a specific result.
  • The user clicks a suggestion.
  • The user does nothing for three or more seconds.

One aspect that I personally find lacking is that Google Analytics still doesn’t offer advertisers a way of segmenting traffic directed from Google Instant. Fortunately though, the community has made up for the omission by generating filters for this purpose. So what’s your take on this?

I’ll be following up this issue and shortly publish a second part to the article, looking at how Google Instant revolutionizes the SERP.

==================================================================================

Iñaki Gorostiza works at Panda Security as Web Development Responsable. Since joining the company in 2002, he has taken part in numerous projects in the Development Area and in online promotion. You can contact him on his blog http://www.hellogoogle.com, where he publishes articles that help companies grow on the Internet, and at http://twitter.com/hello_google.


Dual boot: an unexpected ally

September 15th, 2010 6 comments

Posted by Javier Guerrero, 15th September 2010

At Panda Security we are relentless in our efforts to advise users about the best way of protecting themselves from the continuous threat of malware. On this occasion, I would like to offer a new recommendation, which stems from an unfortunate experience I had recently.

A few weeks ago… I was hit by a virus.

Yeah, I know, I should hang my head in shame; I work as a developer for a major anti-malware company and I’m well aware of the risks. Anyway, I was messing about on my home computer, doing some less-than-sensible things and the inevitable happened.

At first I didn’t notice anything strange, but then some odd things started to happen; for example some games, like Steam or my treasured Battlefield, stopped working, the programs displayed error messages whenever I tried to run them, and my Internet connection went really slowly. Every user knows their own computer, and knows when something is not right, and in this case something was clearly not right.

Then finally the computer just wouldn’t start up, and displayed the BSOD (blue screen) in a critical controller for the Operating System; so critical in fact, that the computer wouldn’t even start in safe mode.

Ideally, at this point I would have had a safe boot disk with a command-line antivirus, like our Panda SafeCD, but I didn’t (cobblers’ children and all that…). Then I remembered that I had two Operating Systems installed in dual-boot configuration, Windows XP and Windows 7:

Dual Operating System

So I could start up the other operating system, which wasn’t infected, launch our antivirus, detect the malware and eliminate it without needing a safe boot disk. So in this way, my dual-boot configuration was an unexpected and valuable ally against the malware that had infected my PC.

In short, this experience has taught me some valuable lessons:

  • Make sure you always have a way of starting your computer in the event that the operating system fails, whether this is via CD, DVD, USB drive, or as in my case, an alternative operating system installed on another partition.
  • Always make sure you have a set of tools available for analyzing and eliminating malware in a low-resource environment (read: command line). Our free command-line antivirus is a good example. You’ll also find other free scanners and tools at http://free.pandasecurity.com/
  • Don’t take foolish risks with your system.
  • And if you are going to, at least don’t use the administrator account.

False positives – What are they?

September 8th, 2010 8 comments

Posted by Javier Guerrero, September 8th, 2010

Sometimes when writing my posts, I get the urge to forget about malware for a while and talk about the other “side”: antivirus software. Specifically, I like to stress the difficulty involved in certain aspects of developing anti-malware products; I think it’s an interesting subject, and one that is not widely understood.

False positives

And so now, I’d like to talk about a problem that affects all malware detection software: false positives… So what are they?

A false positive occurs when an antivirus erroneously identifies a legitimate file or process as malware. This can happen with signature-based scans as well as behavior analysis.

An antivirus basically identifies malware using one of two methods: signature-based scanning or behavior analysis. In the first case, the scanner looks for a specific pattern of bytes which has previously been catalogued as malicious, or at least suspicious. The pattern may correspond to a sequence of malware instructions, a unique value that identifies the file (known as a hash) or other values that can be used for identification.

In the case of behavior analysis, the scanner detects actions which may not be malicious on their own but which, when correlated with others, are a symptom of malicious activity.

The problem is that neither of these methods is infallible: the hash of a file is useless, for example, against polymorphic viruses or executable packers. Moreover, a sequence of instructions classified as suspicious could easily be contained in a legitimate file, as after all, we are talking about executable code.

The same thing occurs with behavior analysis: The process that generates an executable file, which later writes a registry entry referring to the executable, could be an intruder inserting a rootkit on the system, but also the installer of a bona fide application.
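The two signature failure modes described above can be reproduced with a toy scanner. This is an added example, not code from the original post or from any Panda product; the byte strings, sample names and signature sets are all constructed for illustration.

```python
import hashlib

# Constructed byte strings standing in for files; none come from real malware.
PATTERN = b"\x13\x37-set-run-key-\x42"                        # hypothetical byte signature
KNOWN_BAD = b"MZ..dropper.." + PATTERN + b"..payload-v1"
VARIANT = KNOWN_BAD.replace(b"payload-v1", b"payload-v2")     # same family, one byte differs
LEGIT_INSTALLER = b"MZ..setup.." + PATTERN + b"..vendor-app"  # benign, shares the bytes
CLEAN_FILE = b"MZ..text-editor.."

SAMPLES = {  # name -> (content, is_actually_malicious)
    "known_bad": (KNOWN_BAD, True),
    "variant": (VARIANT, True),
    "legit_installer": (LEGIT_INSTALLER, False),
    "clean_file": (CLEAN_FILE, False),
}

HASH_SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest()}
PATTERN_SIGNATURES = [PATTERN]


def hash_scan(data):
    """Flag a file only if its whole-file hash is in the signature set."""
    return hashlib.sha256(data).hexdigest() in HASH_SIGNATURES


def pattern_scan(data):
    """Flag a file if it contains any catalogued byte sequence."""
    return any(sig in data for sig in PATTERN_SIGNATURES)


def evaluate(samples):
    """Sort each sample into TP/FP/FN/TN for both engines."""
    report = {}
    for engine in (hash_scan, pattern_scan):
        buckets = {"TP": [], "FP": [], "FN": [], "TN": []}
        for name, (data, malicious) in samples.items():
            if engine(data):
                buckets["TP" if malicious else "FP"].append(name)
            else:
                buckets["FN" if malicious else "TN"].append(name)
        report[engine.__name__] = buckets
    return report


if __name__ == "__main__":
    for engine, buckets in evaluate(SAMPLES).items():
        print(engine, buckets)
```

The hash engine misses the one-byte variant (a false negative), while the byte-pattern engine catches it but also flags the benign installer (a false positive).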

The consequences of false positives can be serious: If an antivirus erroneously deletes a file which is vital to the functioning of the computer, the system could be rendered unusable, and this does actually happen, with grave repercussions.

Fortunately, false positives are not frequent (particularly in relation to the immense amount of files that anti-viruses have to scan) and security companies implement strict quality control to avoid them.

In any event, as I mentioned in the beginning, all developers suffer from this problem, which, I believe, demonstrates how challenging it is to develop an anti-malware product.

Rootkits – The Invisible Threat

September 3rd, 2010 8 comments

Published by Javier Guerrero, September 3rd, 2010

Malware is no longer viewed with the notoriety it once was. Gone are the days of massive infections, such as the “I love you” worm, which was headline news even in the mainstream press.

Today, professional creators looking to profit financially from malware need any virus, worm or Trojan to be able to operate undetected by users, as this is a key ingredient in achieving their objectives. In other words, an invisible virus is far more dangerous than one that is easily noticed.

So how can we see malware?

Well let’s not forget, after all, that it is only software, and all software leaves its trace on a system: not just the file or files that contain the intruder, but also the registry keys, folders, activity reports, etc. Any tool that lets you list files or registry values, such as Windows Explorer or Regedit, will reveal the presence of an intruder that cannot cover its tracks.

Now, this is where rootkits come into play. A rootkit is software whose sole purpose is to hide system components, such as files, processes, registry keys, etc., so that the user cannot see them. They do this by penetrating the most critical layer of the operating system, the kernel, and manipulating certain internal structures and functions, thereby deceiving applications and preventing them from displaying the real content of the system.

For example, imagine there is a virus, whose binary name is “malo.exe”, installed in “C:\Windows\System32”.

Virus binary marked in red.

When the intruder is loaded into memory, the rootkit manipulates the system functions that list the files in this folder, so that when they detect the path “C:\Windows\System32\MALO.EXE”, they ignore it and go on to the next one. This way, an application that requests the list of files cannot see this file. The same thing happens with registry keys, processes, or any other component of the system that the rootkit wants to hide.

Now the file has disappeared.

It is interesting to note here that rootkits are not malicious per se, as they may have perfectly legitimate uses, or at least, uses that are not related in any way to malware. In fact, the term “rootkit” first became used on a wide scale thanks to an incident involving the company Sony.

In 2005, Sony BMG Music included copy protection software on its music CDs which also included a rootkit designed to hide the protection system. The problem in this case was that it was done without user authorization, transmitting information and creating a security hole. Any attempt to remove the rootkit manually would leave the CD drive inoperable.

The danger therefore of any malware that includes a rootkit component is evident, given the significant stealth capacity and the ability to control a system without users realizing. Moreover, rootkits are among the most complex, advanced and resilient threats, operating at a level so deep that typical detection techniques are of little use, and specific purpose-built scanners are required, such as the free Panda Anti-Rootkit.
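One way a defender can expose the hiding described above is a cross-view comparison: list the same folder from the running system and from a clean boot of the same disk, then diff the two. The sketch below is an added example, not Panda Anti-Rootkit's method or code from the original post; the "path|size" listing format and every entry in the sample listings are constructed assumptions.

```python
import ntpath

# Constructed sample listings ("path|size"); not taken from a real machine.
# LIVE_VIEW: produced by the running, possibly compromised OS.
# OFFLINE_VIEW: the same partition listed from a second, clean OS.
LIVE_VIEW = r"""
C:\Windows\System32\kernel32.dll|989696
C:\Windows\System32\notepad.exe|69120
"""
OFFLINE_VIEW = r"""
c:\windows\system32\KERNEL32.DLL|989696
C:\Windows\System32\MALO.EXE|45056
C:\Windows\System32\notepad.exe|69120
C:\Windows\Temp\update.log|512
"""


def parse_listing(text):
    """Return {normalised_path: (original_path, size)}.

    Windows paths are case-insensitive, so keys are case-folded."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        path, _, size = line.rpartition("|")
        entries[ntpath.normcase(ntpath.normpath(path))] = (path, int(size))
    return entries


def hidden_entries(live_text, offline_text):
    """Files the offline view sees but the live view omits.

    Only directories the live listing actually covered are compared, so a
    folder that was never listed live does not produce false alarms."""
    live = parse_listing(live_text)
    offline = parse_listing(offline_text)
    covered_dirs = {ntpath.dirname(p) for p in live}
    return sorted(
        original
        for key, (original, _size) in offline.items()
        if key not in live and ntpath.dirname(key) in covered_dirs
    )


if __name__ == "__main__":
    for path in hidden_entries(LIVE_VIEW, OFFLINE_VIEW):
        print("visible offline but hidden live:", path)
```

Here only `MALO.EXE` is reported: `KERNEL32.DLL` matches despite the case difference, and the `Temp` entry is skipped because the live listing never covered that folder.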

In any event, it is important to remember that all rootkits enter systems initially through a file, so the usual precautionary advice we offer for other types of malware also serves in the case of rootkits: use a good antivirus, keep it up-to-date, use a firewall, install the latest security patches, do not use an administrator account unless strictly necessary, etc.

So now you know… watch out for rootkits!!

Javier Guerrero Diaz
R+D Development Dept.
Panda Security