Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics //

Security Monitoring

Google Uses Reputation To Detect Malicious Downloads

Researchers use data about websites, IP addresses, and domains to detect 99 percent of malicious executables downloaded by users -- outperforming antivirus and URL-reputation services

Google researchers have combined a number of reputation techniques to create a system that is 99 percent successful in detecting and blocking malicious executables downloaded by users of its Chrome browser.

The system, known as Content-Agnostic Malware Protection (CAMP), triages up to 70 percent of executable files on a user's system, sending attributes of the remaining files that are not known to be benign or malicious to an online service for analysis, according to a paper (PDF) presented at the Network and Distributed System Security Symposium (NDSS) in February.

While the system uses a blacklist and whitelist on the user's computer to initially detect known good or bad files, the CAMP service uses a number of other characteristics, including the download URL, the Internet address of the server providing the download, the referrer URL, and any certificates attached to the download.

"CAMP bridges the gap between blacklists and whitelists by augmenting both approaches with a reputation system that is applied to unknown content," the researchers wrote in the paper, adding: "One of CAMP's important properties is to minimize the impact on user privacy while still providing protection."

The approach should improve the security of Google Chrome users because it's interfering with one of the primary ways that cybercriminals attempt to infect systems, says Lance James, chief scientist of threat-intelligence firm Vigilant.

"It is sort of using the kill-chain model: We know the bad guys will do this and this and this, and you try to detect that," he says.

Google's own real-world test -- deploying the system to 200 million Chrome users over six months -- found that CAMP could detect 98.6 percent of malware flagged by a virtual-machine-based analysis platform. In addition, it detected some 5 million malicious files every month that had escaped detection by other solutions. The researchers were not available for comment on the paper by publication time.

[Nonmalicious insiders add a lot of risk when IT gives them too much access and not enough education. See Overprivileged, Well-Meaning, And Dangerous.]

In many ways, CAMP is an answer to Microsoft's SmartScreen, a technology that Microsoft built into its Internet Explorer and the latest version of its operating system, Windows 8. SmartScreen is largely responsible for Internet Explorer 8's and 9's superior performance in blocking malicious downloads in tests run by security consultancy NSS Labs in 2011. Yet SmartScreen has worried some privacy-conscious users because it sends characteristics of every file it evaluates to Microsoft's servers.

While Microsoft did not comment directly on Google's research, the company did argue that it's necessary to send data back to its service to evaluate downloaded files.

"In order to deliver file reputation, information about the files is sent to our reputation services," the company said in a statement sent to Dark Reading. "This feature has been extremely successful in helping users make better trust decisions and helping protect their privacy by helping to prevent inadvertent installation of malware."

Unlike Microsoft's solution, CAMP attempts to detect locally whether any downloaded file is malicious, before passing characteristics of the file to its server-based analysis system. First, the system checks the binary against a blacklist -- in this case, Google's Safe Browsing API. If that check doesn't returns a positive result, and if the file has the potential to be malicious, CAMP will check a whitelist to see whether the binary is a known good file.

Only after those two checks fail does the local client extract features from the downloaded file and pass that fingerprint of the file to CAMP's server infrastructure. The researchers found that the Web browser contacts the CAMP service in only about 30 percent of cases, which enhances privacy, they argue in their paper.

"User privacy is an important goal for CAMP," the researchers stated. "Verifying the content type of the file and that it neither matches blacklists nor whitelists drastically limits the number of downloads for which a remote server is contacted."

The CAMP service renders a reputation -- benign, malicious, or unknown -- for a file based on the information provided by the client and reputation data measure during certain time windows, including daily, weekly, and quarterly measurements. Information about the download URL, the Internet address of the download server, any referrer information, the size and hash value of the download, and any certificates used to sign the file are sent to Google to calculate a reputation score.

CAMP's 99-percent success rate trounced four antivirus products, which individually detected at most only 25 percent of the malicious files and collectively detected about 40 percent, the researchers stated. URL classification services -- such as McAfee's SiteAdvisor, Symantec's Safe Web, and Google's own Safe Browsing -- fared even worse, detecting at most only 11 percent of the URLs from which malicious files were downloaded.

The Google researchers who authored the paper -- including Moheeb Abu Rajab and Niels Provos -- decided to focus on executables downloaded by the user, not on malicious files that attempted to exploit a user's system. This choice will likely limit the applicability of the technology, Vigilant's James says.

"They are only dealing with certain variables," he says. "They are not discussing exploits. If there is an exploit, Google Chrome might not even know that it is downloading a binary," and so an attacker could bypass the system.

In addition, the relevance of the research may be limited to consumers and small businesses. While the results are impressive, most companies should not allow employees to download and run executables, says Anup Ghosh, CEO and founder of endpoint-protection firm Invincea.

"I would use the blacklist and the whitelist and be done with it," Ghosh says. "If it's not on either of those lists; it is in the unknown case, and as an enterprise user, I should not be running those."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Dave F
Dave F,
User Rank: Apprentice
4/12/2013 | 6:16:00 PM
re: Google Uses Reputation To Detect Malicious Downloads
Google products are good, but speaking of reputation, Doesn't Google have a reputation of making 'advanced' use of your personal to benifit their bottom line?
User Rank: Apprentice
4/12/2013 | 3:01:41 PM
re: Google Uses Reputation To Detect Malicious Downloads
It seems to me that having a browser, like Chrome, scanning my harddrive and viewing the programs and stuff I've downloaded is the sign of malicious software.-

I want a browser that is not allowed to look anywhere except the folder it's running from, nor can any application PDF, Flash, whatever, loaded by the browser look anywhere.- Now that would be secure.-
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.