Google Analyzes Four Years of Web-Based Malware

Malware Distributors Increasingly Using IP Cloaking to Avoid Detection

Google has released a new threat report highlighting how a mix of social engineering, IP cloaking and other techniques are keeping attackers on step ahead of some of the most popular security mechanisms on the Web.

The report, “Trends in Circumventing Web-Malware Detection,” analyzes four years of data covering some 160 million Web pages on roughly 8 million sites. As part of their analysis, Google researchers took a look at four of the most popular malware detection technologies on the Web: virtual machine client honeypots, browser emulator client honeypots, domain reputation and antivirus. In each case, attackers have found ways to sneak their way around security defenses, marking another leg in the ongoing race between attackers and vendors.

“We find that Social Engineering is growing and poses challenges to VM-based honeypots,” the report states. “JavaScript obfuscation that interacts heavily with the DOM can be used to evade both Browser Emulators and AV engines. In operational settings, AV Engines also suffer significantly from both false positives and false negatives. Finally, we see a rise in IP cloaking to thwart content-based detection schemes.”

In a joint blog post, Google Security Team members Lucas Ballard and Niels Provos noted that while social engineering is a popular Modus operandi for attackers, drive-by downloads are much more common. According to their analysis, attackers are quick to switch to new and more reliable exploits to avoid detection, and that most vulnerabilities are exploited only for a short period of time until new ones become available. A prominent exception is the MDAC vulnerability which is present in most exploit kits.

Additionally, malware distributors are increasingly turning to IP cloaking to avoid detection, they wrote.

“The concept behind cloaking is simple: serve benign content to detection systems, but serve malicious content to normal web page visitors,” they blogged. “Over the years, we have seen more malicious sites engaging in IP cloaking. To bypass the cloaking defense, we run our scanners in different ways to mimic regular user traffic.”

According to the report, there were more than 200,000 sites infected by cloaking domains in August 2009 – a peak that coincided with a large scale attack known as Gumblar that actively cloaked Google’s scanners.

“Despite evasive tactics, we show that adopting a multi-pronged approach can improve detection rates. We hope that these observations will be useful to the research community,” the report states.

The report can be viewed here.

Security Resource: Vulnerability Management Buyer’s Checklist: Key Questions to Ask