In association with heise online

18 August 2011, 16:42

Google reports on four years of experience in malware detection

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Google has announced the publication of a technical report entitled "Trends in Circumventing Web-Malware Detection"PDF. This report describes the results of analysing four years of data – from 160 million web pages hosted on approximately eight million sites – collected through the company's Safe Browsing initiative. The report comments that "Like other service providers, we are engaged in an arms race with malware distributors", and that each day Google issues around three million malware warnings to over four hundred million users that use browsers supporting the Safe Browsing API.

The report looks into the four most commonly employed methods for detecting malware: virtual machine client honeypots, browser emulator client honeypots, classification based on domain reputation, and anti-virus engines and trends in how well they work in practice.

The report states that "Our results indicate that exploit delivery mechanisms are becoming increasingly complex and evasive." It goes on to describe how the writers of malware are fighting back against the measures used against them, and cites, for example, the growth of social engineering techniques which can thwart VM-based honeypots and JavaScript obfuscation which can be used to evade both browser emulators and anti-virus engines. It also mentions how malware writers are aware of the ranges of IP addresses likely to be used by detection systems, and how there has been a rise in IP cloaking to avoid detection. IP cloaking involves a malware distributing site serving benign content to any visiting detection system but malicious content to a normal visitor.

The report concludes that none of these detection methods are sufficient on their own to provide protection and it recommends that a multi-pronged approach is needed to improve detection rates.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit