Slashdot Mirror


Google Uses Reputation To Detect Malicious Downloads

CowboyRobot writes "Using data about Web sites, IP addresses and domains, researchers find that they can detect 99 percent of malicious executables downloaded by users, outperforming antivirus and URL-reputation services. The system, known as Content-Agnostic Malware Protection or CAMP, triages up to 70 percent of executable files on a user's system, sending attributes of the remaining files that are not known to be benign or malicious to an online service for analysis, according to a paper (pdf) presented at the Network and Distributed System Security Symposium (NDSS) in February. While the system uses a blacklist and whitelist on the user's computer to initially detect known good or bad files, the CAMP service utilizes a number of other characteristics, including the download URL, the Internet address of the server providing the download, the referrer URL, and any certificates attached to the download."
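The two-stage flow the summary describes (on-host allow and block lists first, then only the attributes of files that are still unknown going to a reputation service) is easier to reason about in code. The following is an added example written for this page; it is not code from the CAMP paper, from Google, or from anyone in this thread. The sample files, hashes, domains, IP prefixes, signer fingerprint, reputation scores and thresholds are all constructed assumptions. It goes slightly beyond the summary by treating each attribute's reputation as an independent signal and letting any single very bad signal block the download on its own.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# ---- Stage 1: local allow/block lists, keyed by SHA-256 of the file bytes ----
# Constructed sample files; real lists would hold hashes of known binaries.
KNOWN_GOOD_FILE = b"MZ\x90\x00 constructed benign installer"
KNOWN_BAD_FILE = b"MZ\x90\x00 constructed malicious dropper"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


LOCAL_ALLOWLIST = {sha256_hex(KNOWN_GOOD_FILE)}
LOCAL_BLOCKLIST = {sha256_hex(KNOWN_BAD_FILE)}

# ---- Stage 2: reputation tables the online service consults (constructed) ----
# Each score is an estimate of P(benign) in [0, 1]; a missing entry means "never seen".
DOMAIN_REP = {"downloads.example.org": 0.95, "mirror.example": 0.60, "free-cracks.example": 0.05}
IP_PREFIX_REP = {ipaddress.ip_network("198.51.100.0/24"): 0.90,
                 ipaddress.ip_network("203.0.113.0/24"): 0.10}
SIGNER_REP = {"sha256:CONSTRUCTED-SIGNER-FP-01": 0.90}  # hypothetical certificate fingerprint
MALICIOUS_BELOW = 0.20   # any single signal this bad blocks the download outright
BENIGN_ABOVE = 0.80      # mean of the known signals needed to allow silently


@dataclass
class Download:
    content: bytes
    url: str
    server_ip: str
    referrer: Optional[str] = None
    signer_fingerprint: Optional[str] = None  # from a code-signing certificate, if present


def local_verdict(digest: str) -> Optional[str]:
    """Stage 1: answer from the on-host lists without any network traffic."""
    if digest in LOCAL_BLOCKLIST:
        return "malicious"
    if digest in LOCAL_ALLOWLIST:
        return "benign"
    return None


def extract_attributes(d: Download) -> dict:
    """The metadata that would be sent to the service; the file content itself stays local."""
    return {
        "sha256": sha256_hex(d.content),
        "url_host": urlparse(d.url).hostname,
        "referrer_host": urlparse(d.referrer).hostname if d.referrer else None,
        "server_ip": d.server_ip,
        "signer": d.signer_fingerprint,
    }


def ip_reputation(ip: str) -> Optional[float]:
    addr = ipaddress.ip_address(ip)
    for net, score in IP_PREFIX_REP.items():
        if addr in net:
            return score
    return None


def service_verdict(attrs: dict) -> tuple:
    """Stage 2: combine per-attribute reputations into (verdict, score)."""
    signals = {
        "url_host": DOMAIN_REP.get(attrs["url_host"]),
        "referrer_host": DOMAIN_REP.get(attrs["referrer_host"]) if attrs["referrer_host"] else None,
        "server_ip": ip_reputation(attrs["server_ip"]),
        "signer": SIGNER_REP.get(attrs["signer"]) if attrs["signer"] else None,
    }
    known = {k: v for k, v in signals.items() if v is not None}
    if not known:                       # nothing is known about this download at all
        return "unknown", 0.5
    worst = min(known.values())
    if worst < MALICIOUS_BELOW:         # one strongly negative signal is enough to block
        return "malicious", worst
    score = sum(known.values()) / len(known)
    return ("benign" if score >= BENIGN_ABOVE else "unknown"), score


def triage(d: Download) -> dict:
    """Full pipeline: local lists first, the service only for what they cannot answer."""
    attrs = extract_attributes(d)
    local = local_verdict(attrs["sha256"])
    if local is not None:
        return {"verdict": local, "stage": "local", "score": None}
    verdict, score = service_verdict(attrs)
    return {"verdict": verdict, "stage": "service", "score": round(score, 3)}


if __name__ == "__main__":
    samples = [
        Download(KNOWN_GOOD_FILE, "https://anything.example/setup.exe", "192.0.2.1"),
        Download(KNOWN_BAD_FILE, "https://downloads.example.org/setup.exe", "198.51.100.7"),
        Download(b"new build", "https://downloads.example.org/tool.exe", "198.51.100.7",
                 signer_fingerprint="sha256:CONSTRUCTED-SIGNER-FP-01"),
        Download(b"new build", "https://mirror.example/tool.exe", "198.51.100.7"),
        Download(b"new build", "https://free-cracks.example/keygen.exe", "203.0.113.9"),
        Download(b"new build", "https://unknown.example/tool.exe", "192.0.2.1"),
    ]
    for s in samples:
        print(s.url, triage(s))
```

Three outcomes fall out of the thresholds: a silent allow, a block, and an "unknown" that a browser would surface as a warning. The point the thread's privacy discussion turns on is visible in `extract_attributes`: what leaves the host is the hash and the download context, never the file bytes. In a deployment the reputation tables would of course live on the service side rather than in the client.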

61 comments

  1. Google ... by Anonymous Coward · · Score: 2, Insightful

    Google, we want to scan your computer for you too. All that other stuff we find ... you know, the personal stuff or the illegal downloads or copyrighted stuff ... we promise not to see it.

    1. Re:Google ... by CodeReign · · Score: 1

      Google Desktop search was by far one of the best tools for desktop searching I've ever used. I really actually enjoyed the integration into my normal search results (when it worked).

      I do see your concern though.

  2. Business karma by jbmartin6 · · Score: 4, Interesting

    It is interesting to see how karma works in the business world. Microsoft has been doing this for quite some time, with a few differences in implementation. But when Microsoft does it, we see that they are spying on us. When Google plays catch up, it grabs headlines for fighting malware.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.

    1. Re:Business karma by Lisias · · Score: 1

      Funny thing is that Google, indeed, makes a living using user (meta)data, while Microsoft just wants to sell you software.

      The fox guarding the henhouse?

      --
      Lisias@Earth.SolarSystem.OrionArm.MilkyWay.Local.Virgo.Universe.org

    2. Re:Business karma by Anonymous Coward · · Score: 0

      No doubt. Like I really want to send any company a hash of each of my data files plus additional meta data.

    3. Re:Business karma by Anonymous Coward · · Score: 0

      Actually, both want user data to on-sell to advertisers. Microsoft also sells it to law enforcement agencies.

    4. Re:Business karma by BlindMaster · · Score: 1

      Microsoft is willing to give back to the public? I think that is the difference.

    5. Re:Business karma by 14erCleaner · · Score: 4, Informative

      As TFA notes, Microsoft sends information on all scanned files back to a central server, but Google does local evaluation and only sends back info on suspected malware. From a privacy standpoint, there's a big difference between the two.

      --
      Have you read my blog lately?

    6. Re:Business karma by Anonymous Coward · · Score: 0

      They'll need all the positive astroturf they can get.

      The allies are starting to form up. Google, Red Hat, Blackberry and EarthLink are going to take the patent battle to them and Apple. Serves the evil pricks right.

      http://www.linuxandlife.com/2013/04/google-red-hat-blackberry-and-earthlink.html

    7. Re:Business karma by LordLimecat · · Score: 3, Insightful

      This is the huge irony of Microsoft et al trying to create panic over Google's privacy issues; of all the large online service providers, Google is up there as one of the best in regards to reliability, privacy, etc.

      But no, let's all ditch Google for Bing because of privacy issues. Everyone knows that Bing is lots better (when they're not cooperating with the Chinese gov't).

    8. Re:Business karma by Anonymous Coward · · Score: 0

      The difference is that Google does this on closed machines and analyzes their behavior, while Microsoft uses the machines of its users to get to those results.

    9. Re:Business karma by Anonymous Coward · · Score: 0

      It is interesting to see how karma works in the business world. Microsoft has been doing this for quite some time, with a few differences in implementation. But when Microsoft does it, we see that they are spying on us. When Google plays catch up, it grabs headlines for fighting malware.

      True, true. But I ask: how many times has Microsoft fucked customers over and raised rates in a monopolistic-like behavior pattern (even though they do not fit the exact description of monopoly)? Now how many times has Google done the same, but not fucked "customers" over?

    10. Re:Business karma by jbmartin6 · · Score: 1

      TFA says Google's implementation first checks a local cache of known good and bad files. All other files get the info sent to Google for evaluation. That's a lot wider than "only sends back info on suspected malware". As I said, a difference in implementation, and one that certainly makes sense even just considering network and server resources. But there are no details given on what gets into the whitelist. Google can leave anything it wants to track off the whitelist, just like Microsoft could do all sort of implausible things with the data from SmartScreen. Your apparent assumption that Google is more trustworthy than Microsoft is, as I observed, a matter of karma.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.

  3. Microsoft calls this SmartScreen by lseltzer · · Score: 2

    It's only in Windows 8, but Microsoft does the same thing.

    1. Re:Microsoft calls this SmartScreen by game+kid · · Score: 1

      Except that, on IE, I've definitely had downloads SmartScreen'd (and even a few blocked by the same) on Windows 7 (and I forget if I did on Vista as well). Less frequently downloaded stuff (like, say, MAME versions released within the day and obscure SourceForge stuff or whatnot) triggers dialogs as well, because SmartScreen takes note of what (.exes in particular, but other stuff I think) gets downloaded, how often, and which of those get reported as unsafe.

      --
      You can hold down the "B" button for continuous firing.

    2. Re:Microsoft calls this SmartScreen by Anonymous Coward · · Score: 0

      There's a difference in user experience between "unknown" and "known malicious" (and of course "known good"). Microsoft has been doing this for years with very positive results.

      Note that on Windows 7, you were seeing it because you were using IE. (tee-hee)

    3. Re:Microsoft calls this SmartScreen by qaz123 · · Score: 1

      SmartScreen just counts the number of downloads. You can compile a Hello World application, put it on your website and SmartScreen will warn anyone that your file is "potentially dangerous" until it reaches a certain number of downloads. This applies even to signed files. A very bad thing for those who try to sell their software online.

    4. Re:Microsoft calls this SmartScreen by tepples · · Score: 1

      This applies even to signed files.

      I've read that it's less likely to apply to signed files if you've released other files that have "reache[d] a certa[i]n number of downloads" under the same certificate.

    5. Re:Microsoft calls this SmartScreen by Anonymous Coward · · Score: 0

      That is a really annoying style of notation.

    6. Re:Microsoft calls this SmartScreen by lseltzer · · Score: 1

      Like I said, it's on Windows 8. On Windows 7 SmartScreen only has reputation on sites, not files. A file that Microsoft has never seen before can rightfully be judged as suspicious. If it's something you know is OK, for instance because you compiled the program, then you know more than they do.

    7. Re:Microsoft calls this SmartScreen by lseltzer · · Score: 1

      Right, if you distribute software then you should sign the files and the reputation of the file will follow the reputation of the key.

  4. False positives? by pablomme · · Score: 3, Insightful

    1% of false negatives is good, but how about false positives?

    --
    The state you are in while your HEAD is detached... - wait, what?
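The question of false positives is the right one to ask of any "99 percent" figure, because at a low base rate of malicious downloads even a small false-positive rate produces more false alarms than true detections. The following is an added example written for this page, not code from the paper or from anyone in the thread; the 99 percent detection rate comes from the summary, while the population size, the prevalence of malicious files and the false-positive rates are constructed assumptions chosen to make the effect visible.

```python
from typing import Dict


def confusion_matrix(n_files: int, prevalence: float,
                     detection_rate: float, false_positive_rate: float) -> Dict[str, float]:
    """Expected counts for one population of downloads.

    prevalence          fraction of downloads that are actually malicious (assumed)
    detection_rate      true-positive rate, the "99 percent" figure
    false_positive_rate fraction of benign downloads that get flagged (assumed)
    Counts are kept fractional because they are expectations, not observations.
    """
    malicious = n_files * prevalence
    benign = n_files - malicious
    tp = malicious * detection_rate
    fp = benign * false_positive_rate
    return {"tp": tp, "fn": malicious - tp, "fp": fp, "tn": benign - fp}


def precision(cm: Dict[str, float]) -> float:
    """Share of flagged downloads that were really malicious."""
    flagged = cm["tp"] + cm["fp"]
    return cm["tp"] / flagged if flagged else 0.0


def required_false_positive_rate(prevalence: float, detection_rate: float,
                                 target_precision: float) -> float:
    """Largest false-positive rate that still achieves target_precision.

    From precision = tp / (tp + fp): fp = tp * (1/precision - 1), and
    fpr = fp / benign with tp = prevalence * detection_rate per file.
    """
    tp_per_file = prevalence * detection_rate
    fp_per_file = tp_per_file * (1.0 / target_precision - 1.0)
    return fp_per_file / (1.0 - prevalence)


def compare(n_files: int, prevalence: float, detection_rate: float,
            false_positive_rates) -> Dict[float, Dict[str, float]]:
    """Precision and raw false-alarm counts for several candidate false-positive rates."""
    out = {}
    for fpr in false_positive_rates:
        cm = confusion_matrix(n_files, prevalence, detection_rate, fpr)
        out[fpr] = {"precision": precision(cm), "false_alarms": cm["fp"], "missed": cm["fn"]}
    return out


if __name__ == "__main__":
    # Constructed scenario: a million downloads, one in a thousand malicious.
    for fpr, result in compare(1_000_000, 0.001, 0.99, [0.01, 0.001, 0.0001]).items():
        print(f"FPR {fpr:.4%}: precision {result['precision']:.1%}, "
              f"false alarms {result['false_alarms']:.0f}, missed {result['missed']:.0f}")
    print("FPR needed for 90% precision:",
          f"{required_false_positive_rate(0.001, 0.99, 0.9):.5%}")
```

With the assumed one-in-a-thousand prevalence, a 1 percent false-positive rate means roughly ten false alarms for every real detection, and reaching 90 percent precision needs the false-positive rate to be around one in ten thousand. A detection rate on its own says nothing about what users will actually see.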

    1. Re:False positives? by dcollins117 · · Score: 4, Funny

      1% of false negatives is good, but how about false positives?

      That's the other 99%

    2. Re:False positives? by Alarash · · Score: 1
    3. Re:False positives? by Anonymous Coward · · Score: 0

      A different kind of zombie apocalypse.

    4. Re:False positives? by Anonymous Coward · · Score: 0

      I did my taxes online this year, with IE9 set to default settings. I couldn't, for the life of me, download the tax files, not even after adding the tax site to the safe list. IE gave no error message and no reason for the block. I installed Firefox, worked out of the box. So to speak, because there is no box. It's fricking free. When is Microsoft going to realize that people working for free make better software than their commercial one?

    5. Re:False positives? by qaz123 · · Score: 1

      IE is free too.
      Also, I doubt Firefox developers work for free

  5. Re:I do pretty much the same here... apk by Anonymous Coward · · Score: 0

    You've lost some weight.

  6. Re:You lost vs. myself LONG ago... apk by Anonymous Coward · · Score: 0

    ha ha you nailed them to the wall but i think the animosity( did i spell that right?) you are thinking you may be experiencing is probably due to the MASSIVE SPAM WAR YOU BROUGHT HERE FOR US TO ENJOY AD INFINITUM
    other than that you were correct

  7. Same process I've been using for about 4 years. by idbeholda · · Score: 1

    http://tot-ltd.org/techinf.html

    NSRL is also a pretty good site to get a comprehensive whitelist from. Best of all, the whitelist database is free, and used for forensic file analysis. The only mildly difficult part is sometimes keeping up with the release of new malware, but that's why I implement several other databases, including one based on API calls in known hostile applications. The really interesting thing with API groups is that you can identify which piece of new malware most likely belongs to a specific family. So far, I've had no false positives on whitelisted files checked against the API database. ( http://www.tot-ltd.org/API )
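The family-matching idea in this post, comparing the set of API calls a sample imports against the sets that characterise known families, is a content-based complement to the reputation approach in the story. The following is an added example written for this page, not the poster's database or tool, and it does not use NSRL data. The family profiles and the two import tables are constructed; the similarity threshold is an assumption. It uses Jaccard similarity over import sets, a common choice that the post does not specify.

```python
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Constructed family profiles: the imported Windows APIs taken to characterise each family.
FAMILY_API_PROFILES: Dict[str, FrozenSet[str]] = {
    "downloader": frozenset({"URLDownloadToFileA", "WinExec", "InternetOpenA", "InternetReadFile"}),
    "keylogger": frozenset({"SetWindowsHookExA", "GetAsyncKeyState", "GetForegroundWindow", "WriteFile"}),
    "file-encryptor": frozenset({"CryptAcquireContextA", "CryptGenKey", "CryptEncrypt",
                                 "FindFirstFileW", "FindNextFileW", "MoveFileW"}),
}
MIN_SIMILARITY = 0.3  # assumed cut-off below which no family is claimed


def jaccard(a: Iterable[str], b: Iterable[str]) -> float:
    """|A ∩ B| / |A ∪ B|; 0.0 when both sets are empty."""
    sa, sb = set(a), set(b)
    union = sa | sb
    return len(sa & sb) / len(union) if union else 0.0


def rank_families(imports: Iterable[str]) -> List[Tuple[str, float]]:
    """All families ordered from most to least similar to the sample's import set."""
    sample = set(imports)
    scored = [(name, jaccard(sample, profile)) for name, profile in FAMILY_API_PROFILES.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def nearest_family(imports: Iterable[str]) -> Tuple[Optional[str], float]:
    """Best-matching family, or None when nothing clears MIN_SIMILARITY."""
    name, score = rank_families(imports)[0]
    return (name if score >= MIN_SIMILARITY else None), score


def shared_apis(imports: Iterable[str], family: str) -> List[str]:
    """The APIs that drove a match, for an analyst to inspect."""
    return sorted(set(imports) & FAMILY_API_PROFILES[family])


# Constructed import tables, as a PE import parser might report them.
UNKNOWN_SAMPLE = {"URLDownloadToFileA", "WinExec", "InternetOpenA", "CreateFileW", "CloseHandle"}
BENIGN_GUI_APP = {"CreateWindowExW", "MessageBoxW", "GetMessageW", "DispatchMessageW",
                  "CreateFileW", "CloseHandle", "WriteFile"}

if __name__ == "__main__":
    for label, imports in (("unknown sample", UNKNOWN_SAMPLE), ("benign GUI app", BENIGN_GUI_APP)):
        family, score = nearest_family(imports)
        print(label, "->", family, round(score, 3))
        if family:
            print("  shared:", shared_apis(imports, family))
```

The benign application shares one generic call (`WriteFile`) with the keylogger profile and scores 0.1, well under the cut-off, which is the kind of result the poster reports for whitelisted files. Generic APIs that nearly every program imports should be left out of the profiles, or they inflate similarity for everything.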

  8. Re:You lost vs. myself LONG ago... apk by fazey · · Score: 1

    take another look at that... it looks like he was replying to it...

  9. Re:"Rinse, Lather, & Repeat" troll... apk by Anonymous Coward · · Score: 0

    Tell us, Peter, by trolls, do you mean the OTHER people in your head?

  10. Scarier warning for self-signed certs by tepples · · Score: 1

    Theoretically, distributing software using a self-signed certificate, as is done on Android, would create a "key continuity" situation that would allow "the reputation of the file [to] follow the reputation of the key". But I was under the impression that the warnings for downloading software with a self-signed certificate were even sterner than the warnings for distributing completely unsigned software. So what should a hobbyist software developer do to avoid a recurring fee of $100 to $200 per platform per year?

  11. Re:"Rinse, Lather, & Repeat" troll... apk by Anonymous Coward · · Score: 1

    You are the most consistently annoying creature on the internet. There are people worse than you, just like cancer is worse than psoriasis, but you're more like the latter: pervasive, annoying, and always cropping up when one has mostly forgotten about it. You are that indeterminate, continuous itching that slowly erodes someone's mood until they consider cutting off a part of themselves just to stop it for a while.

    And like psoriasis, you're auto-immune and not fully understood by science. Slashdot continuously makes it worse by scratching that itch over and over again. It's not smart. It just encourages the disease. But everybody's got a limit to their patience.

    There is no cure for you. But at least, when slashdot dies, you will die with it, and there will be peace.

  12. Re:Jeremiah Cornelius blew it by Anonymous Coward · · Score: 0

    Why do you talk about yourself in the third person sometimes?

  13. Re:"Rinse, Lather, & Repeat" troll... apk by Anonymous Coward · · Score: 0

    You think the death of Slashdot will stop APK? He's been doing this on Usenet & later on various tech websites for at least 20 years. Not even 4chan is safe. He's not just a troll, he's discovered a power level beyond trolling.

  14. Why submit as ac Jeremiah Cornelius? by Anonymous Coward · · Score: 0

    We know it's you doing those spam posts http://slashdot.org/comments.pl?sid=3581857&cid=43276741 and you fail at disproving apk's points that custom hosts files can give users of them better speed, security, reliability, and even anonymity to a degree here http://tech.slashdot.org/comments.pl?sid=3626185&cid=43390539

    1. Re:Why submit as ac Jeremiah Cornelius? by Anonymous Coward · · Score: 0

      Paul, please do me a small favor and SHUT THE FUCK UP.

    2. Re:Why submit as ac Jeremiah Cornelius? by Anonymous Coward · · Score: 0

      Shut up, Paul.

  15. Re:Jeremiah Cornelius blew it by Anonymous Coward · · Score: 0

    Why're you so off topic?

  16. Re:"Rinse, Lather, & Repeat" troll... apk by Anonymous Coward · · Score: 0

    You boys can't seem to: You can't validly disprove apk's points http://tech.slashdot.org/comments.pl?sid=3626185&cid=43390539 on how hosts files can give users more speed, security, reliability, and even anonymity to an extent online. The only "power level" apk has discovered is how to make you act the fool stumbling around trying to get the better of him and you fail it.

  17. "Re-Rinse, Re-Lather, & Repeat" troll... apk by Anonymous Coward · · Score: 0

    http://tech.slashdot.org/comments.pl?sid=3626185&cid=43401051

    * :)

    APK

    P.S.=> Face facts, & accept 1 thing: YOU are far too technically weak to EVER "get the better of me" (and you know it, I know it, + so does anyone else reading with 1/2 a brain... & all your unjustifiable downmods that can't disprove that custom hosts files yield better online speed, security, reliability, + even anonymity (to an extent) for end-users of them, as I stated here http://tech.slashdot.org/comments.pl?sid=3626185&cid=43390539 which "the trolling likes of you" are clearly unable to disprove validly on computing-tech based grounds... you, FAIL!)

    ... apk

  18. "Re-Rinse/Re-Lather, & Repeat", troll... apk by Anonymous Coward · · Score: 0

    You just plain LOST vs. myself, long ago -> http://tech.slashdot.org/comments.pl?sid=3626185&cid=43401051

    * :)

    (Since you're clearly unable to disprove my points on custom hosts files being of value to end-users of them for better online speed, security, reliability, & even anonymity to an extent as well...).

    LMAO - no, instead, you show us that "the best you got" = zero in unjustifiable downmods & NOT disproving my points on a computing tech level... period!

    APK

    P.S.=> Face facts, & accept 1 thing: YOU are far too technically weak to EVER "get the better of me" (and you know it, I know it, + so does anyone else reading with 1/2 a brain... & all your unjustifiable downmods that can't disprove that custom hosts files yield better online speed, security, reliability, + even anonymity (to an extent) for end-users of them, as I stated here http://tech.slashdot.org/comments.pl?sid=3626185&cid=43390539 which "the trolling likes of you" are clearly unable to disprove validly on computing-tech based grounds... you, FAIL!)

    ... apk

  19. Jeremiah Cornelius = troll (fact)... apk by Anonymous Coward · · Score: 0

    Jeremiah Cornelius spammed this all March 2013 http://slashdot.org/comments.pl?sid=3581857&cid=43276741 , and was caught in that link, by mistakenly submitting that as his registered user account instead of his usual 100's of ac submittals of it he did. This shows us all how weak trolls like JC are against facts apk put out in favor of custom hosts files gaining users of them added speed, security, reliability, and even anonymity, as well as those same trolls' frustration at being defeated so easily by apk every single time since they are unable to validly disprove apk's points (to the point that all trolls have is computing technically unjustifiable downmods & failed illogical off topic ad hominem attacks, nothing more). Jeremiah Cornelius = pitiful (and weak).

    1. Re:Jeremiah Cornelius = troll (fact)... apk by Anonymous Coward · · Score: 0

      Shut up, Paul.

  20. Re:"Re-Rinse/Re-Lather, & Repeat", troll... ap by Anonymous Coward · · Score: 0

    Shut up, Paul.

  21. Re:"Re-Rinse, Re-Lather, & Repeat" troll... ap by Anonymous Coward · · Score: 0

    Shut up, Paul.

  22. Re:Jeremiah Cornelius blew it by Anonymous Coward · · Score: 0

    Shut up, Paul

  23. Re:You consistently FAIL by Anonymous Coward · · Score: 0

    Shut up, Paul

  24. Re:"Rinse, Lather, & Repeat" troll... apk by Anonymous Coward · · Score: 0

    SHUT UP, PAUL

  25. Re:"Rinse, Lather, & Repeat" troll... apk by Anonymous Coward · · Score: 0

    SHUT UP, PAUL

  26. Re:Jeremiah Cornelius blew it by Anonymous Coward · · Score: 0

    SHUT UP, PAUL