Google Identifies Difficulties in Detecting Web-based Malware

Google engineers analyzed four years worth of data comprising 8 million websites and 160 million web pages from its Safe Browsing service, which warns users when they hit a website loaded with malware.  Google said it displays 3 million warnings of unsafe websites to 400 million users a day.

The detection process is becoming more difficult due to evasion techniques employed by attackers that are designed to stop their websites from being flagged as bad.

The company uses a variety of methods to detect dangerous sites. It can test a site against a "virtual machine honeypot" where it can examine malware. It can make a record of an attack sequence. Other methods include ranking a website by reputation based on its hosting infrastructure, and another line of defense is antivirus software.

One of the ways hackers get around detection is to require the victim to perform a mouse click. This is a kind of social engineering attack, since the malicious payload appears only after a person interacts with the browser.

Browser emulators can be confused by attacks when the malicious code is scrambled, a method known as obfuscation. Google is also encountering "IP cloaking," where a malicious website will refuse to serve harmful content to certain IP ranges, such as those known to be used by security researchers. Google found that some 200,000 sites were using IP cloaking.

Antivirus software programs rely on signatures as one method to detect attacks. That software often misses code that has been "packed," or compressed in a way that it is unrecognizable but will still execute. Since it can take time for anti-virus vendors to refine their signatures and remove ones that cause false positives, the delay allows the malicious content to stay undetected.

While anti-virus vendors strive to improve detection rates, in real time they cannot adequately detect malicious content. Attackers use anti-virus products as test-beds before deploying malicious code.

SUMMARY
Malware detection software is progressing, but attackers are learning also. Interception of suspicious web pages is available, but is still insufficient. The best defense remains in extreme personal caution in opening any messages.



Blog based on http://tech.slashdot.org/story/11/08/19/1328237/Google-Highlights-Trouble-In-Detecting-Malware?utm_source=headlines&utm_medium=email