There is now a combined client- and server-side system that uses blacklisting, whitelisting and the characteristics of an executable file to catch nearly 99 percent of all malicious downloads, said Google researchers.
The content-agnostic malware protection system (CAMP) was part of a research paper presented in February at the Network and Distributed System Security Symposium. The system for the Chrome browser addresses the inherent weaknesses of using whitelisting and blacklisting as a defense against malicious binaries.
“In practice, these approaches continue to provide value for popular binaries at either extreme of maliciousness — the current large outbreak of malware, the benign binaries shipped with an OS — but bridging the gap between whitelist and blacklist detection for Web malware remains a significant challenge,” according to the research paper from Moheeb Abu Rajab, Lucas Ballard, Noe Lutz, Panayiotis Mavrommatis and Niels Provos.
The researchers said CAMP can reach a verdict on the client about 70 percent of the time, with the remainder requiring deeper analysis on a Google server. Keeping as much of the analysis as possible on the client is important for protecting user privacy.
With cloud-based antivirus systems, the binaries themselves are typically uploaded to the cloud for examination, which Google said results in a much greater loss of privacy.
“While CAMP also moves detection of malware into the cloud, it reduces the privacy impact by employing whitelists so that most download URLs stay within the browser and do not need to be sent to a third party,” the paper said. “Binary payloads never leave the browser.”
Doing some of the work in the browser rather than on a remote server is a key difference between CAMP and Microsoft's SmartScreen technology, which is built into Internet Explorer to protect against malicious downloads and links.
In terms of detection rates, major antivirus engines detect between 35 percent and 70 percent of malware binaries, while CAMP's success rate is 98.6 percent, the paper said. During a six-month evaluation period, Google tested CAMP on the Windows computers of 200 million users and identified about 5 million malicious downloads each month.
The system first compares downloads against a whitelist of known benign executables and a blacklist of known malware. The latter also involves communicating with Google’s server-based Safe Browsing service.
If the lists do not yield a clear determination, CAMP begins its own analysis, which starts with the browser gathering characteristics of the binary. These include the final download URL and the IP address of the server hosting the download, as well as the size of the binary, its content hashes and any certificates attached to it.
The browser also logs the URL that referred the user to the download. This matters because the referrer can be examined to determine whether it is part of a chain of URL redirects set up to hide the download's true origin; a long chain of redirects is a good indicator of malware.
Once this information has been collected, it is sent to Google's servers, which analyze it and decide whether the binary is benign, malicious or unknown. The verdict is returned to the browser, which notifies the user.
However, Lance James, chief scientist at application security vendor Vigilant, said that as an overall security system, CAMP falls short because it does not catch malware that exploits vulnerabilities within the browser.
Such malware often reaches a computer when an email recipient is tricked into opening a malware-carrying attachment.
“[CAMP] may be able to see 99 percent of malware downloaded through the browser, but they won’t see 99 percent of malware that is never seen by the browser,” James said. “There’s a big blind spot and that’s a problem.”
Google acknowledges that browser-exploiting malware is not the focus of the system. “CAMP is specifically designed to protect from user-initiated malware downloads, e.g. distributed by means of social engineering, that do not involve browser exploitation,” researcher Moheeb Abu Rajab said.