Google researchers have developed a combined client- and server-side system that uses blacklisting, whitelisting and the characteristics of an executable file to catch nearly 99% of all malicious downloads.
The content-agnostic malware protection system, called CAMP, was described in a research paper presented in February at the Network and Distributed System Security Symposium. The system for the Chrome browser is meant to address the inherent weaknesses of using whitelisting and blacklisting as a defense against malicious binaries.
"In practice, these approaches continue to provide value for popular binaries at either extreme of maliciousness -- the current large outbreak of malware, the benign binaries shipped with an OS -- but bridging the gap between whitelist and blacklist detection for Web malware remains a significant challenge," according to the research paper from Moheeb Abu Rajab, Lucas Ballard, Noe Lutz, Panayiotis Mavrommatis and Niels Provos.
The researchers claim that 70% of the time CAMP can catch malicious downloads on the computer, with the remainder requiring deeper analysis on a Google server. Keeping the analysis as much as possible on the client is important in protecting user privacy.
When cloud-based antivirus systems are used, binaries are typically uploaded to the cloud for examination, resulting in a much greater loss of privacy, Google said.
"While CAMP also moves detection of malware into the cloud, it reduces the privacy impact by employing whitelists so that most download URLs stay within the browser and do not need to be sent to a third party," the paper says. "Binary payloads never leave the browser."
The use of the browser instead of a remote server for some tasks is a key difference between CAMP and Microsoft's SmartScreen technology. The latter is used in Internet Explorer to protect against malicious downloads and links.Ã'Â
In terms of detection rates, major antivirus engines detect between 35% and 70% of malware binaries, while CAMP's success rater is 98.6%, the paper said. During a six-month evaluation period, Google tested CAMP on the Windows computers of 200 million users, and identified about 5 million malicious downloads each month.
The system first compares downloads against a whitelist of known benign executables and a blacklist of known malware. The latter also involves communicating with Google's server-based Safe Browsing service.
[Also see: 10 ways to secure browsing in the enterprise]
If a clear determination cannot be made using the lists, then CAMP begins the analysis, which starts with the browser gathering characteristics of the binary. They would include the final download URL and the IP address of the server hosting the download, as well as the size of the binary, its content hashes and certificates attached to it.
The browser also logs the URL that referred the computer user to the download. This is important, because the URL can be examined to determine whether it is part of a chain of URL redirects set up to hide the original. Multiple referrals are a good indicator of malware.
Once all the information is gathered, it is sent to Google's servers, which analyze the information and decide whether the binary is benign, malicious or unknown. The ruling is passed on to the browser, which provides a notification to the user.
However, Lance James, chief scientist at application security vendor Vigilant, said that as an overall security system, CAMP falls short because it does not catch malware that exploits vulnerabilities within the browser.
Such malware often gets into a computer by email recipients being tricked into clicking on a malware-carrying attachment.
"[CAMP] may be able to see 99% of malware downloaded through the browser, but they won't see 99% of malware that is never seen by the browser," James said. "There's a big blind spot and that's a problem."
Google acknowledges that browser-exploiting malware is not the focus of the system. "CAMP is specifically designed to protect from user-initiated malware downloads, e.g. distributed by means of social engineering, that do not involve browser exploitation," researcher Moheeb Abu Rajab said.
While CAMP may have a 99% success rate today, once it became a feature in Chrome, cybercriminals would change techniques and tactics in order to avoid detection, James said. "Once this is out there, that 99% will not really matter anymore," James said. "It's a cat-and-mouse game."
Rajab's response to an email query did not address how CAMP would adapt to changes in cybercriminals' tactics.
Nevertheless, Google claimed in the research paper that CAMP outperformed major antivirus products, as well as Web services such as McAfee's Site Advisor and Symantec's Safeweb.
Google introduced in Chrome this year filtering for websites that contain malicious downloads. The malware-carrying sites are detected and downloads blocked through Google's Safe Browsing service.
Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.