Report: Malware Tougher to Detect

Friday, August 19, 2011 @ 01:08 PM gHale

Antivirus software is becoming an ineffective tool when it comes to identifying and defending against malicious websites and attacks, a new study said.

Researchers analyzed four years worth of data comprising 8 million websites and 160 million web pages from Google’s Safe Browsing service, which is an API (application programming interface) that feeds data into Google’s Chrome browser and Firefox and warns users when they hit a website loaded with malware, according to the Google report.

Websites Hit with Injection Attack
ICS, SCADA Boot Camp 2.0
Malware Feeds Off Slow Patching
Sites Face New ZeuS Attack

Google said it displays 3 million warnings of unsafe websites to 400 million users a day. The company scans the Web, using several methods to figure out if a site is malicious.

“Like other service providers, we are engaged in an arms race with malware distributors,” according to a blog post from Google’s security team.

That detection process is becoming more difficult due to evasion techniques used by attackers designed to stop their sites from capturing a red flag, the report said.

The company uses a variety of methods to detect dangerous sites. It can test a site against a “virtual machine honeypot,” which is a virtual machine that visits a website and notes its behavior. It also uses browser emulators for the same purpose, which can record an attack sequence. The browser emulator is an HTML parser and a modified open-source JavaScript engine.

Other methods include ranking a website by reputation based on its hosting infrastructure, and another line of defense is antivirus software.

One of the ways hackers get around VM-based detection is to require the victim to perform a mouse click. Sites can automatically deliver an exploit and execute an attack if they find an unpatched software program.

Google describes it as a kind of social engineering attack, since the malicious payload appears only after a person interacts with the browser. Google is working around the issue by configuring its virtual machines to do a mouse click.

Browser emulators can miss an attack when the malicious code ends up scrambled, a method known as obfuscation. Since the browser emulator isn’t a real browser, it won’t necessarily execute the obfuscated JavaScript code in the same way as a real browser. The only explanation for the more complex JavaScript is can halt emulated browsers and make manual analysis of the code more difficult, the Google researchers said.

Google is also encountering “IP cloaking,” where a malicious website will refuse to serve harmful content to certain IP ranges, such as those used by security researchers. In August 2009, Google found some 200,000 sites were using IP cloaking. It forces researchers to scan the sites from IP ranges “unknown by the adversary,” the report said.

Antivirus software programs rely on signatures as one method to detect attacks. But the engineers wrote

The software will miss code that has been “packed,” or compressed in a way that it is unrecognizable but will still execute.

Since it can take time for AV vendors to refine their signatures and remove ones that cause false positives, the delay allows the malicious content to stay undetected.

Leave a Reply

You must be logged in to post a comment.