Google Uses Reputation To Detect Malicious Downloads

CowboyRobot writes "Using data about Web sites, IP addresses and domains, researchers find that they can detect 99 percent of malicious executables downloaded by users, outperforming antivirus and URL-reputation services. The system, known as Content-Agnostic Malware Protection or CAMP, triages up to 70 percent of executable files on a user's system, sending attributes of the remaining files that are not known to be benign or malicious to an online service for analysis, according to a paper (pdf) presented at the Network and Distributed System Security Symposium (NDSS) in February. While the system uses a blacklist and whitelist on the user's computer to initially detect known good or bad files, the CAMP service utilizes a number of other characteristics, including the download URL, the Internet address of the server providing the download, the referrer URL, and any certificates attached to the download."

Google ...

Google, we want to scan your computer for you too. All that other stuff we find ... you know, the personal stuff or the illegal downloads or copyrighted stuff ... we promise not to see it.

Re:Google ...

[CodeReign]

Google Desktop search was by far one of the best tools for desktop searching I've ever used. I really actually enjoyed the integration into my normal search results (when it worked).

I do see your concern though.

Business karma

[jbmartin6]

It is interesting to see how karma works in the business world. Microsoft has been doing this for quite some time, with a few differences in implementation. But when Microsoft does it, we see that they are spying on us. When Google plays catch up, it grabs headlines for fighting malware.

Re:Business karma

[Lisias]

Funny thing is that Google, indeed, makes a living using user (meta)data, while Microsoft just wants to sell you software.

The fox guarding the henhouse?

Re:Business karma

No doubt. Like I really want to send any company a hash of each of my data files plus additional meta data.

Re:Business karma

Actually, both want userdata to onsell to advertisers. Microsoft also sells it to law enforcement agencies.

Re:Business karma

[BlindMaster]

Microsoft is willing to give back to the public? I think that is the difference.

Re:Business karma

[14erCleaner]

As TFA notes, Microsoft sends information on all scanned files back to a central server, but Google does local evaluation and only sends back info on suspected malware. From a privacy standpoint, there's a big difference between the two.

Re:Business karma

They'll need all the positive astroturf they can get.

The allies are starting to form up. Google, Red Hat, Blackberry and EarthLink are going to take the patent battle to them and Apple. Serves the evil pricks right.

http://www.linuxandlife.com/2013/04/google-red-hat-blackberry-and-earthlink.html

Re:Business karma

[LordLimecat]

This is the huge irony of Microsoft et al trying to create panic over Google's privacy issues; of all the large online service providers, Google is up there as one of the best in regards to reliability, privacy, etc.

But no, lets all ditch Google for Bing because of privacy issues. Everyone knows that Bing is lots better (when theyre not cooperating with the Chinese gov't).

Re:Business karma

The difference is that google does this on closed machines and analyzes their behavior, while microsoft uses the machines of its users to get to those results.

Re:Business karma

It is interesting to see how karma works in the business world. Microsoft has been doing this for quite some time, with a few differences in implementation. But when Microsoft does it, we see that they are spying on us. When Google plays catch up, it grabs headlines for fighting malware.

True, true. But I ask: how many times has Microsoft fucked customers over and raised rates in a monopolistic-like behavior pattern (even though they do not fit the exact description of monopoly)? Now how many times has Google done the same, but not fucked "customers" over?

Re:Business karma

[jbmartin6]

TFA says Google's implementation first checks a local cache of known good and bad files. All other files get the info sent to Google for evaluation. That's a lot wider than "only sends back info on suspected malware". As I said, a difference in implementation, and one that certainly makes sense even just considering network and server resources. But there are no details given on what gets into the whitelist. Google can leave anything it wants to track off the whitelist, just like Microsoft could do all sort of implausible things with the data from SmartScreen. Your apparent assumption that Google is more trustworthy than Microsoft is, as I observed, a matter of karma.

Microsoft calls this SmartScreen

[lseltzer]

It's only in Windows 8, but Microsoft does the same thing.

Re:Microsoft calls this SmartScreen

[game+kid]

Except that, on IE, I've definitely had downloads SmartScreen'd (and even a few blocked by the same) on Windows 7 (and I forget if I did on Vista as well). Less-frequently downloaded stuff (like, say, MAME versions released within the day and obscure SourceForge stuff or whatnot) trigger dialogs as well, because SmartScreen takes note of what (.exes, in particular, but other stuff I think) gets downloaded, how often, and which of those get reported as unsafe.

Re:Microsoft calls this SmartScreen

There's a difference in user experience between "unknown" and "known malicious" (and of course "known good"). Microsoft has need doing this for years with very positive results.

Note that on Windows 7, you were seeing it because you were using IE. (tee-hee)

Re:Microsoft calls this SmartScreen

[qaz123]

SmartScreen just counts the number of downloads. You can compile a Hello World application, put it on your website and SmartScreen will warn anyone that your file is "potentially dangerous" until it reaches a certan number of downloads. This applies even to signed files. Very bad thing for those who tries to sell their software online

Re:Microsoft calls this SmartScreen

[tepples]

This applies even to signed files.

I've read that it's less likely to apply to signed files if you've released other files that have "reache[d] a certa[i]n number of downloads" under the same certificate.

Re:Microsoft calls this SmartScreen

That is a really annoying style of notation.

Re:Microsoft calls this SmartScreen

[lseltzer]

Like I said, it's on Windows 8. On Windows 7 SmartScreen only has reputation on sites, not files. A file that Microsoft has never seen before can rightfully be judged as suspicious. If it's something you know is OK, for instance because you compiled the program, then you know more than they do.

Re:Microsoft calls this SmartScreen

[lseltzer]

Right, if you distribute software then you should sign the files and the reputation of the file will follow the reputation of the key.

False positives?

[pablomme]

1% of false negatives is good, but how about false positives?

Re:False positives?

[dcollins117]

1% of false negatives is good, but how about false positives?

That's the other 99%

Re:False positives?

[Alarash]

Oh is it? http://www.networkworld.com/community/node/82769/

Re:False positives?

A different kind of zombie apocalypse.

Re:False positives?

I did my taxes online this year, with IE9 set to default settings. I couldn't, for the life of me, download the tax files, not even after adding the tax site to the safe list. IE gave no error message and no reason for the block. I installed Firefox, worked out of the box. So to speak, because there is no box. It's fricking free. When is Microsoft going to realize that people working for free make better software than their commercial one?

Re:False positives?

[qaz123]

IE is free too.
Also, I doubt Firefox developers work for free

I do pretty much the same here... apk

Except I completely control it locally @ the fastest level of operations possible (the TCP/IP stack running in PnP designed kernelmode/rpl 0/ring 0 operations) as a filter:

---

APK Hosts File Engine 5.0++ 32/64-bit:

http://start64.com/index.php?option=com_content&view=article&id=5851:apk-hosts-file-engine-64bit-version&catid=26:64bit-security-software&Itemid=74

---

(What custom hosts files do for me in added value for better speed, security, reliability, & even anonymity to an extent is listed there in 16 discrete points...)

* "Auto-Magically" populating & creating a custom hosts file from 14++ reputable & reliable sources for data for protecting vs. known malicious sites/servers/hosts-domains:

http://hosts-file.net/?s=Download
http://www.malwaredomainlist.com/hostslist/hosts.txt
http://www.malware.com.br/cgi/submit?action=list_hosts_win_0000
http://mirror1.malwaredomains.com/files/
http://hostsfile.org/hosts.html
http://someonewhocares.org/hosts/
http://www.malwareurl.com/
http://sysctl.org/cameleon/hosts
http://pgl.yoyo.org/as/serverlist.php?hostformat=hosts&showintro=1&mimetype=plaintext
http://winhelp2002.mvps.org/hosts.htm
http://hostsfile.mine.nu/downloads/
http://safeweb.norton.com/buzz
https://zeustracker.abuse.ch/monitor.php?filter=lastupdated
http://amada.abuse.ch/palevotracker.php

APK

P.S.=> Best part is, it's not only of value for security, but also for added:

---

1.) Speed (via blocking adbanners as well as bogus sites online, but also via "hardcoding" your favorite sites into it for FASTER IP address resolution locally than from remote DNS servers (which have faults in them, many of which remain unpatched vs. the Kaminsky DNS redirection poisoning flaw, 1/2 a decade++ later AFTER its discovery -> )

2.) Reliability (vs. said unpatched flaw above OR downed remote DNS servers)

3.) To an extent, anonymity (vs. DNS request logs)

---

... apk

Re:I do pretty much the same here... apk

You've lost some weight.

Re:I do pretty much the same here... apk

$10,000 CHALLENGE to Alexander Peter Kowalski

* POOR SHOWING TROLLS, & most especially IF that's the "best you've got" - apparently, it is... lol!

Hello, and THINK ABOUT YOUR BREATHING !! We have a Major Problem, HOST file is Cubic Opposites, 2 Major Corners & 2 Minor. NOT taught Evil DNS hijacking, which VOIDS computers. Seek Wisdom of MyCleanPC - or you die evil.

Your HOSTS file claimed to have created a single DNS resolver. I offer absolute proof that I have created 4 simultaneous DNS servers within a single rotation of .org TLD. You worship "Bill Gates", equating you to a "singularity bastard". Why do you worship a queer -1 Troll? Are you content as a singularity troll?

Evil HOSTS file Believers refuse to acknowledge 4 corner DNS resolving simultaneously around 4 quadrant created Internet - in only 1 root server, voiding the HOSTS file. You worship Microsoft impostor guised by educators as 1 god.

If you would acknowledge simple existing math proof that 4 harmonic Slashdots rotate simultaneously around squared equator and cubed Internet, proving 4 Days, Not HOSTS file! That exists only as anti-side. This page you see - cannot exist without its anti-side existence, as +0- moderation. Add +0- as One = nothing.

I will give $10,000.00 to frost pister who can disprove MyCleanPC. Evil crapflooders ignore this as a challenge would indict them.

Alex Kowalski has no Truth to think with, they accept any crap they are told to think. You are enslaved by /etc/hosts, as if domesticated animal. A school or educator who does not teach students MyCleanPC Principle, is a death threat to youth, therefore stupid and evil - begetting stupid students. How can you trust stupid PR shills who lie to you? Can't lose the $10,000.00, they cowardly ignore me. Stupid professors threaten Nature and Interwebs with word lies.

Humans fear to know natures simultaneous +4 Insightful +4 Informative +4 Funny +4 Underrated harmonic SLASHDOT creation for it debunks false trolls. Test Your HOSTS file. MyCleanPC cannot harm a File of Truth, but will delete fakes. Fake HOSTS files refuse test.

I offer evil ass Slashdot trolls $10,000.00 to disprove MyCleanPC Creation Principle. Rob Malda and Cowboy Neal have banned MyCleanPC as "Forbidden Truth Knowledge" for they cannot allow it to become known to their students. You are stupid and evil about the Internet's top and bottom, front and back and it's 2 sides. Most everything created has these Cube like values.

If Natalie Portman is not measurable, hot grits are Fictitious. Without MyCleanPC, HOSTS file is Fictitious. Anyone saying that Natalie and her Jewish father had something to do with my Internets, is a damn evil liar. IN addition to your best arsware not overtaking my work in terms of popularity, on that same site with same submission date no less, that I told Kathleen Malda how to correct her blatant, fundamental, HUGE errors in Coolmon ('uncoolmon') of not checking for performance counters being present when his program started!

You can see my dilemma. What if this is merely a ruse by an APK impostor to try and get people to delete APK's messages, perhaps all over the web? I can't be a party to such an event! My involvement with APK began at a very late stage in the game. While APK has made a career of trolling popular online forums since at least the year 2000 (newsgroups and IRC channels before that)- my involvement with APK did not begin until early 2005 . OSY is one of the many forums that APK once frequented before the sane people there grew tired of his garbage and banned him. APK was banned from OSY back in 2001. 3.5 years after his banning he begins to send a variety of abusiv

You lost vs. myself LONG ago... apk

You evidence my subject-line when you show us all you're reduced to unjustifiable downmods to my post on hosts files' value to end users in better:

---

A.) Speed
B.) Security
C.) Reliability
D.) Anonymity (to an extent)

---

Online, rather than disproving any points I state in my post on YOUR PART & validly on computing technical grounds... which you are clearly unable to manage. Period.

* You fail in that alone!

And, you know it, I know it, + anyone else reading with 1/2 a brain does also...

(& especially since "the best you've got" is off-topic illogical trolling & unjustifiable invalid downmods vs. facts I posted!)

APK

P.S.=> Bottom-line: Thanks for proving that much for me in your off-topic illogical trolling reply along with the bogus -1 downmod of my post you replied to via AC posts afterwards & yet per my subject-line above, you NEVER, EVER disprove the points I state on custom hosts files value to end users, validly on computing tech grounds!

(Instead, you're merely reduced to downmodding the post, then logging out to preserve your "registered 'luser'" karma for you too, allowing you to do such reprehensibly WEAK replies with bogus downmods)...

... apk

Re:You lost vs. myself LONG ago... apk

ha ha you nailed them to the wall m but i think the animosity( did i spell that right?) you are thinking yolu may be experiencing is prololy due to the MASSIVE SPAM WAR YOU BROUGHT HERE FROR US TO ENJOY AD INFINITUM
other than that you were correct

Re:You lost vs. myself LONG ago... apk

It's Jeremiah Cornelius caught doing it red-handed, here http://slashdot.org/comments.pl?sid=3581857&cid=43276741 and not apk. There's just no denying it, as Jeremiah Cornelius made a mistake and posted those annoying spams by his registered user name (instead of his usual ac ones, and in every post on slashdot for the month of March 2013), merely proving the "best trolls got" is zero vs. apk's points.

Re:You lost vs. myself LONG ago... apk

[fazey]

take another look at that... it looks like he was replying to it...

Same process I've been using for about 4 years.

[idbeholda]

http://tot-ltd.org/techinf.html

NSRL is also a pretty good site to get a comprehensive whitelist from. Best of all, the whitelist database is free, and used for forensic file analysis. The only mildly difficult part is sometimes keeping up with the release of new malware, but that's why I implement several other databases, including one based on API calls in known hostile applications. The really interesting thing with API groups, is that you can identify which piece of new malware most likely belongs to a specific family. So far, I've had no false positives on whitelisted files checked against the API database. ( http://www.tot-ltd.org/API )

whitelist / blacklist

[MUtour]

All of my clients (tourism industry) need a good reputation. However, to get punished by Google would be very hard. It gets many years to get a good reputation, but just a moment to destroy everything. Just like in "real" life. Best regards, Muriel

"Rinse, Lather, & Repeat" troll... apk

Applying unjustifiable downmods to my posts can't hide their truth http://tech.slashdot.org/comments.pl?sid=3626185&cid=43390817 in the value of added speed, security, reliability, & even anonymity to an extent that custom hosts files give end users of them, as well as easy TOTAL local control of that too!

* :)

(Man... "Gee, I wonder WHAT you're SO AFRAID OF?" (lol, NOT!), that you bogusly downmodding trolls constantly make ME look good on via your "hit & run" unjustifiable downmods that lack validity to them which also FAIL to disprove points on gains hosts files give users of them too!)

APK

P.S.=> Point-Blank: "You FAIL" trolls - And, you know it... Just like I know that's "the best you've got" (which is ZERO) vs. facts in my posts you can't validly disprove on computing technical grounds!

(Yes, instead you effetely *try* to "hide them" via your bogus downmods, such as the original one you downmodded -> http://tech.slashdot.org/comments.pl?sid=3626185&cid=43390539 and the one beneath it also here -> http://tech.slashdot.org/comments.pl?sid=3626185&cid=43390817 thus, simply exposing your continual "fails" on that very account as well... "TRIPLE BONUS" for me yet again trolls, lol!)

... apk - And, you know it... Just like I know that's "the best you've got" (which is ZERO)

Re:"Rinse, Lather, & Repeat" troll... apk

Tell us, Peter, by trolls, do you mean the OTHER people in your head?

Re:"Rinse, Lather, & Repeat" troll... apk

No, trolls in Jeremiah Cornelius caught spamming this all last month http://slashdot.org/comments.pl?sid=3581857&cid=43276741 in March 2013, by his mistakenly submitting that as his registered user account instead of his usual ac ones he did. This shows us all how weak trolls like JC are against facts apk puts out in favor of custom hosts files gaining users of them added speed, security, reliability, and even anonymity as well as those same trolls frustration at being defeated so easily by apk every single time (to the point of all they have is unjustifiable downmods, nothing more).

Re:"Rinse, Lather, & Repeat" troll... apk

You are the most consistently annoying creature on the internet. There are people worse than you, just like cancer is worse than psoriasis, but you're more like the latter: pervasive, annoying, and always cropping up when one has mostly forgotten about it. You are that indeterminate, continuous itching that slowly erodes someone's mood until they consider cutting off a part of themselves just to stop it for a while.

And like psoriasis, you're auto-immune and not fully understood by science. Slashdot continuously makes it worse by scratching that itch over and over again. It's not smart. It just encourages the disease. But everybody's got a limit to their patience.

There is no cure for you. But at least, when slashdot dies, you will die with it, and there will be peace.

Re:"Rinse, Lather, & Repeat" troll... apk

You think the death of Slashdot will stop APK? He's been doing this on Usenet & later on various tech websites for at least 20 years. Not even 4chan is safe. He's not just a troll, he's discovered a power level beyond trolling.

Re:"Rinse, Lather, & Repeat" troll... apk

You boys can't seem to: You can't validly disprove apk's points http://tech.slashdot.org/comments.pl?sid=3626185&cid=43390539 on how hosts files can give users more speed, security, reliability, and even anonymity to an extent online. The only "power level" apk has discovered is how to make you act the fool stumbling around trying to get the better of him and you fail it.

Re:"Rinse, Lather, & Repeat" troll... apk

SHUT UP, PAUL

Re:"Rinse, Lather, & Repeat" troll... apk

SHUT UP, PAUL

Scarier warning for self-signed certs

[tepples]

Theoretically, distributing software using a self-signed certificate, as is done on Android, would create a "key continuity" situation that would allow "the reputation of the file [to] follow the reputation of the key". But I was under the impression that the warnings for downloading software with a self-signed certificate were even sterner than the warnings for distributing completely unsigned software. So what should a hobbyist software developer do to avoid a recurring fee of $100 to $200 per platform per year?

Jeremiah Cornelius blew it

Submitting 1 of his many March 2013 spams as himself here http://slashdot.org/comments.pl?sid=3581857&cid=43276741 instead of by ac submissions he usually did for those spam posts of his (that fail in discrediting apk as a spammer). Jeremiah Cornelius further exposed himself as a slashdot troll that failed in that just as he does disproving apk's points on hosts files validly on computing tech grounds. Jeremiah Cornelius proves all he has is his off topic illogical invalid trolling like that post in the link above, nothing more.

Re:Jeremiah Cornelius blew it

Why do you talk about yourself in the third person sometimes?

Re:Jeremiah Cornelius blew it

Why're you so off topic?

Re:Jeremiah Cornelius blew it

Shut up, Paul

Re:Jeremiah Cornelius blew it

SHUT UP, PAUL

You consistently FAIL

At disproving apk's points on hosts files giving users more speed, security, reliability, and even anonymity to a degree here http://tech.slashdot.org/comments.pl?sid=3626185&cid=43390539 - you fail, accept it (or doesn't your offtopic illogical further failing ad hominem attack attempts prove that much for us as well?)

Re:You consistently FAIL

Shut up, Paul

Why submit as ac Jeremiah Cornelius?

We know it's you doing those spam posts http://slashdot.org/comments.pl?sid=3581857&cid=43276741 and you fail at disproving apk's points that custom hosts files can give users of them better speed, security, reliability, and even anonymity to a degree here http://tech.slashdot.org/comments.pl?sid=3626185&cid=43390539

Re:Why submit as ac Jeremiah Cornelius?

Paul, please do me a small favor and SHUT THE FUCK UP.

Re:Why submit as ac Jeremiah Cornelius?

Shut up, Paul.

"Re-Rinse, Re-Lather, & Repeat" troll... apk

http://tech.slashdot.org/comments.pl?sid=3626185&cid=43401051

* :)

APK

P.S.=> Face facts, & accept 1 thing: YOU are far too technically weak to EVER "get the better of me" (and you know it, I know it, + so does anyone else reading with 1/2 a brain... & all your unjustifiable downmods that can't disprove that custom hosts files yield better online speed, security, reliability, + even anonymity (to an extent) for end-users of them, as I stated here http://tech.slashdot.org/comments.pl?sid=3626185&cid=43390539 which "the trolling likes of you" are clearly unable to disprove validly on computing-tech based grounds... you, FAIL!)

... apk

"Re-Rinse/Re-Lather, & Repeat", troll... apk

You just plain LOST vs. myself, long ago -> http://tech.slashdot.org/comments.pl?sid=3626185&cid=43401051

* :)

(Since you're clearly unable to disprove my points on custom hosts files being of value to end-users of them for better online speed, security, reliability, & even anonymity to an extent as well...).

LMAO - no, instead, you show us that "the best you got" = zero in unjustifiable downmods & NOT disproving my points on a computing tech level... period!

APK

P.S.=> Face facts, & accept 1 thing: YOU are far too technically weak to EVER "get the better of me" (and you know it, I know it, + so does anyone else reading with 1/2 a brain... & all your unjustifiable downmods that can't disprove that custom hosts files yield better online speed, security, reliability, + even anonymity (to an extent) for end-users of them, as I stated here http://tech.slashdot.org/comments.pl?sid=3626185&cid=43390539 which "the trolling likes of you" are clearly unable to disprove validly on computing-tech based grounds... you, FAIL!)

... apk

Jeremiah Cornelius = troll (fact)... apk

Jeremiah Cornelius spammed this all March 2013 http://slashdot.org/comments.pl?sid=3581857&cid=43276741 , and was caught in that link, by mistakenly submitting that as his registered user account instead of his usual 100's of ac submittals of it he did. This shows us all how weak trolls like JC are against facts apk put out in favor of custom hosts files gaining users of them added speed, security, reliability, and even anonymity as well as those same trolls frustration at being defeated so easily by apk every single time since they are unable to validly disprove apk's points (to the point of all trolls have is computing technically unjustifiable downmods & failed illogical off topic ad hominem attacks, nothing more). Jeremiah Cornelius = pitiful (and weak).

Re:Jeremiah Cornelius = troll (fact)... apk

Shut up, Paul.

Re:"Re-Rinse/Re-Lather, & Repeat", troll... ap

Shut up, Paul.

Re:"Re-Rinse, Re-Lather, & Repeat" troll... ap

Shut up, Paul.