Keeping abreast of Web malware delivery techniques

One of the crucial things Google must do to keep Internet users coming back to its search engine is to keep an eye on the many ways cyber criminals spread malware, and to try to thwart those attacks.

“Each day we show around 3 million malware warnings to over four hundred million users whose browsers implement the Safe Browsing API,” say the Google Security Team researchers. “Like other service providers, we are engaged in an arms race with malware distributors.”

To make their efforts known, they have published the results of an analysis of four years of data regarding these attacks collected by Google’s Web malware detection technologies (Virtual Machine client honeypots, Browser Emulator client honeypots, Classification based on domain reputation, and Anti-Virus engines).

The conclusions are as follows:

  • Over the last few years, almost any browser including support for technologies such as Flash, Java, PDF or QuickTime has been susceptible to so called drive-by download attacks that allow adversaries to run arbitrary software on a vulnerable computer system.
  • Social engineering has emerged as a growing malware distribution vector. “However, it’s important to keep this growth in perspective — sites that rely on social engineering comprise only 2% of all sites that distribute malware,” say the researchers.
  • Sites that exploit vulnerabilities in browsers and plugins to trigger a drive-by download are far more common. Attackers often update the exploit as new vulnerabilities become known, and most vulnerabilities are taken advantage of only during a short period.
  • IP cloaking – a detection evasion technique that allows malicious content to be cloaked from scanners and detectors but available to normal visitors – has gained in popularity because it’s easy to implement and is very effective.

For more details about the malware trends and the techniques that Google uses to block these attacks, the report is available here.