Google Chrome Using Reputation To Detect Malicious Downloads
Google Chrome is using data about websites, IP addresses, and domains to detect 99 percent of malicious executables downloaded by users — outperforming antivirus and URL-reputation services.
The system, known as Content Agnostic Malware Protection (CAMP), triages up to 70 percent of executable files on a user’s system, sending attributes of the remaining files that are not known to be benign or malicious to an online service for analysis.
While Chrome’s system uses a blacklist and whitelist on the user’s computer to initially detect known good or bad files, the CAMP service uses a number of other characteristics, including the download URL, the Internet address of the server providing the download, the referrer URL, and any certificates attached to the download.
CAMP bridges the gap between blacklists and whitelists by augmenting both approaches with a reputation system that is applied to unknown content. The approach should improve the security of Google Chrome users because it’s interfering with one of the primary ways that cybercriminals attempt to infect systems.
Google’s own real-world test — deploying the system to 200 million Chrome users over six months — found that CAMP could detect 98.6 percent of malware flagged by a virtual-machine-based analysis platform. In addition, it detected some 5 million malicious files every month that had escaped detection by other solutions.
In many ways, CAMP is an answer to Microsoft’s SmartScreen, a technology that Microsoft built into its Internet Explorer and the latest version of its operating system, Windows 8. SmartScreen is largely responsible for Internet Explorer 8’s and 9’s superior performance in blocking malicious downloads. Yet SmartScreen has worried some privacy-conscious users because it sends characteristics of every file it evaluates to Microsoft’s servers.
Unlike Microsoft’s solution, CAMP attempts to detect locally whether any downloaded file is malicious, before passing characteristics of the file to its server-based analysis system. First, the system checks the binary against a blacklist — in this case, Google’s Safe Browsing API. If that check doesn’t return a positive result, and if the file has the potential to be malicious, CAMP will check a whitelist to see whether the binary is a known good file.
The CAMP service renders a reputation — benign, malicious, or unknown — for a file based on the information provided by the client and reputation data measured during certain time windows, including daily, weekly, and quarterly measurements. Information about the download URL, the Internet address of the download server, any referrer information, the size and hash value of the download, and any certificates used to sign the file are sent to Google to calculate a reputation score.
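The two-stage flow described in the two paragraphs above (local blacklist and whitelist triage, then a reputation lookup over daily, weekly and quarterly windows), as an added Python sketch; this is not Chrome's or Google's code, and the blacklist, whitelist, reputation counts, thresholds and the "pool counts across windows" scoring rule are constructed assumptions for illustration.

```python
import hashlib
from dataclasses import dataclass
# Constructed stand-ins for the client-side lists: a Safe Browsing style URL
# blacklist and a whitelist of SHA-256 hashes of known-good binaries.
BLACKLIST_URLS = {"http://downloads.example-bad.test/setup.exe"}
WHITELIST_SHA256 = {hashlib.sha256(b"known good installer").hexdigest()}
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".dll", ".scr")
# Constructed reputation store: (feature, value) -> window -> (benign_count, malicious_count).
REPUTATION = {
    ("ip", "203.0.113.7"): {"daily": (0, 12), "weekly": (1, 40), "quarterly": (3, 90)},
    ("signer", "CN=Example Software Ltd"): {"daily": (40, 0), "weekly": (300, 0), "quarterly": (2100, 0)},
}

@dataclass
class Download:
    url: str
    server_ip: str
    referrer: str
    content: bytes
    signer: str = ""  # certificate subject if the file is signed, empty if unsigned

def triage_locally(d: Download) -> tuple[str, bool]:
    """Client step: blacklist, then 'could it be malicious?', then whitelist. Returns (verdict, ask_service)."""
    if d.url in BLACKLIST_URLS:
        return "malicious", False
    if not d.url.lower().endswith(EXECUTABLE_SUFFIXES):
        return "benign", False  # not executable: nothing leaves the client
    if hashlib.sha256(d.content).hexdigest() in WHITELIST_SHA256:
        return "benign", False
    return "unknown", True

def build_request(d: Download) -> dict:
    """Only the attributes the article lists are sent to the service, never the file itself."""
    return {"url": d.url, "ip": d.server_ip, "referrer": d.referrer, "size": len(d.content),
            "sha256": hashlib.sha256(d.content).hexdigest(), "signer": d.signer}

def server_verdict(req: dict, min_samples: int = 20, threshold: float = 0.8) -> str:
    """Service step: pool counts over all windows; decide only on sufficient, one-sided evidence."""
    benign = malicious = 0
    for feature in ("ip", "signer", "referrer", "sha256"):
        for b, m in REPUTATION.get((feature, req[feature]), {}).values():
            benign, malicious = benign + b, malicious + m
    if benign + malicious < min_samples:
        return "unknown"  # thin evidence: do not guess (thresholds are illustrative)
    ratio = malicious / (benign + malicious)
    return "malicious" if ratio >= threshold else "benign" if ratio <= 1 - threshold else "unknown"

def classify(d: Download) -> str:
    verdict, ask_service = triage_locally(d)
    return server_verdict(build_request(d)) if ask_service else verdict
```

Note that about 70 percent of files never reach the service in the article's numbers; here that is the `ask_service == False` path, where only the hash and URL are consulted locally.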
CAMP’s 99-percent success rate surpassed four antivirus products, which individually detected at most only 25 percent of the malicious files and collectively detected about 40 percent (Google has chosen NOT to mention the antivirus products tested). Other detection services — such as McAfee’s SiteAdvisor, Symantec’s Safe Web, and Google’s own Safe Browsing — fared even worse, detecting at most only 11 percent of the URLs from which malicious files were downloaded.
The relevance of this solution may be limited to consumers and small businesses. While the Google Chrome results are impressive, most companies should not be allowing employees to download and run executables anyway. The weakest link in security protection is the end user!