Google researchers have developed a combined client- and server-side system that uses blacklisting, whitelisting and the characteristics of an executable file to catch nearly 99% of all malicious downloads.
The content-agnostic malware protection system, called CAMP, was described in a research paper presented in February at the Network and Distributed System Security Symposium. The system for the Chrome browser is meant to address the inherent weaknesses of using whitelisting and blacklisting as a defense against malicious binaries.
"In practice, these approaches continue to provide value for popular binaries at either extreme of maliciousness -- the current large outbreak of malware, the benign binaries shipped with an OS -- but bridging the gap between whitelist and blacklist detection for Web malware remains a significant challenge," according to the research paper from Moheeb Abu Rajab, Lucas Ballard, Noe Lutz, Panayiotis Mavrommatis and Niels Provos.
The researchers claim that 70% of the time CAMP can catch malicious downloads on the computer, with the remainder requiring deeper analysis on a Google server. Keeping the analysis as much as possible on the client is important in protecting user privacy.
When cloud-based antivirus systems are used, binaries are typically uploaded to the cloud for examination, resulting in a much greater loss of privacy, Google said.
"While CAMP also moves detection of malware into the cloud, it reduces the privacy impact by employing whitelists so that most download URLs stay within the browser and do not need to be sent to a third party," the paper says. "Binary payloads never leave the browser."
The use of the browser instead of a remote server for some tasks is a key difference between CAMP and Microsoft's SmartScreen technology. The latter is used in Internet Explorer to protect against malicious downloads and links.Ã'Â
In terms of detection rates, major antivirus engines detect between 35% and 70% of malware binaries, while CAMP's success rater is 98.6%, the paper said. During a six-month evaluation period, Google tested CAMP on the Windows computers of 200 million users, and identified about 5 million malicious downloads each month.
The system first compares downloads against a whitelist of known benign executables and a blacklist of known malware. The latter also involves communicating with Google's server-based Safe Browsing service.
If a clear determination cannot be made using the lists, then CAMP begins the analysis, which starts with the browser gathering characteristics of the binary. They would include the final download URL and the IP address of the server hosting the download, as well as the size of the binary, its content hashes and certificates attached to it.
The browser also logs the URL that referred the computer user to the download. This is important, because the URL can be examined to determine whether it is part of a chain of URL redirects set up to hide the original. Multiple referrals are a good indicator of malware.
Sign up for MIS Asia eNewsletters.