Slashdot Mirror

← Back to Stories (view on slashdot.org)

Google Uses Reputation To Detect Malicious Downloads

Posted by samzenpus on from the If-you-lie-down-with-dogs-you-get-up-with-fleas dept.

CowboyRobot writes "Using data about Web sites, IP addresses and domains, researchers find that they can detect 99 percent of malicious executables downloaded by users, outperforming antivirus and URL-reputation services. The system, known as Content-Agnostic Malware Protection or CAMP, triages up to 70 percent of executable files on a user's system, sending attributes of the remaining files that are not known to be benign or malicious to an online service for analysis, according to a paper (pdf) presented at the Network and Distributed System Security Symposium (NDSS) in February. While the system uses a blacklist and whitelist on the user's computer to initially detect known good or bad files, the CAMP service utilizes a number of other characteristics, including the download URL, the Internet address of the server providing the download, the referrer URL, and any certificates attached to the download."

22 of 61 comments (clear)

  1. Google ... by Anonymous Coward · · Score: 2, Insightful

    Google, we want to scan your computer for you too. All that other stuff we find ... you know, the personal stuff or the illegal downloads or copyrighted stuff ... we promise not to see it.

    1. Re:Google ... by CodeReign · · Score: 1

      Google Desktop search was by far one of the best tools for desktop searching I've ever used. I really actually enjoyed the integration into my normal search results (when it worked).

      I do see your concern though.

  2. Business karma by jbmartin6 · · Score: 4, Interesting

    It is interesting to see how karma works in the business world. Microsoft has been doing this for quite some time, with a few differences in implementation. But when Microsoft does it, we see that they are spying on us. When Google plays catch up, it grabs headlines for fighting malware.

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
    1. Re:Business karma by Lisias · · Score: 1

      Funny thing is that Google, indeed, makes a living using user (meta)data, while Microsoft just wants to sell you software.

      The fox guarding the henhouse?

      --
      Lisias@Earth.SolarSystem.OrionArm.MilkyWay.Local.Virgo.Universe.org
    2. Re:Business karma by BlindMaster · · Score: 1

      Microsoft is willing to give back to the public? I think that is the difference.

    3. Re:Business karma by 14erCleaner · · Score: 4, Informative

      As TFA notes, Microsoft sends information on all scanned files back to a central server, but Google does local evaluation and only sends back info on suspected malware. From a privacy standpoint, there's a big difference between the two.

      --
      Have you read my blog lately?
    4. Re:Business karma by LordLimecat · · Score: 3, Insightful

      This is the huge irony of Microsoft et al trying to create panic over Google's privacy issues; of all the large online service providers, Google is up there as one of the best in regards to reliability, privacy, etc.

      But no, lets all ditch Google for Bing because of privacy issues. Everyone knows that Bing is lots better (when theyre not cooperating with the Chinese gov't).

    5. Re:Business karma by jbmartin6 · · Score: 1

      TFA says Google's implementation first checks a local cache of known good and bad files. All other files get the info sent to Google for evaluation. That's a lot wider than "only sends back info on suspected malware". As I said, a difference in implementation, and one that certainly makes sense even just considering network and server resources. But there are no details given on what gets into the whitelist. Google can leave anything it wants to track off the whitelist, just like Microsoft could do all sort of implausible things with the data from SmartScreen. Your apparent assumption that Google is more trustworthy than Microsoft is, as I observed, a matter of karma.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  3. Microsoft calls this SmartScreen by lseltzer · · Score: 2

    It's only in Windows 8, but Microsoft does the same thing.

    1. Re:Microsoft calls this SmartScreen by game+kid · · Score: 1

      Except that, on IE, I've definitely had downloads SmartScreen'd (and even a few blocked by the same) on Windows 7 (and I forget if I did on Vista as well). Less-frequently downloaded stuff (like, say, MAME versions released within the day and obscure SourceForge stuff or whatnot) trigger dialogs as well, because SmartScreen takes note of what (.exes, in particular, but other stuff I think) gets downloaded, how often, and which of those get reported as unsafe.

      --
      You can hold down the "B" button for continuous firing.
    2. Re:Microsoft calls this SmartScreen by qaz123 · · Score: 1

      SmartScreen just counts the number of downloads. You can compile a Hello World application, put it on your website and SmartScreen will warn anyone that your file is "potentially dangerous" until it reaches a certan number of downloads. This applies even to signed files. Very bad thing for those who tries to sell their software online

    3. Re:Microsoft calls this SmartScreen by tepples · · Score: 1

      This applies even to signed files.

      I've read that it's less likely to apply to signed files if you've released other files that have "reache[d] a certa[i]n number of downloads" under the same certificate.

    4. Re:Microsoft calls this SmartScreen by lseltzer · · Score: 1

      Like I said, it's on Windows 8. On Windows 7 SmartScreen only has reputation on sites, not files. A file that Microsoft has never seen before can rightfully be judged as suspicious. If it's something you know is OK, for instance because you compiled the program, then you know more than they do.

    5. Re:Microsoft calls this SmartScreen by lseltzer · · Score: 1

      Right, if you distribute software then you should sign the files and the reputation of the file will follow the reputation of the key.

  4. False positives? by pablomme · · Score: 3, Insightful

    1% of false negatives is good, but how about false positives?

    --
    The state you are in while your HEAD is detached... - wait, what?
    1. Re:False positives? by dcollins117 · · Score: 4, Funny

      1% of false negatives is good, but how about false positives?

      That's the other 99%

    2. Re:False positives? by Alarash · · Score: 1

      Oh is it? http://www.networkworld.com/community/node/82769/

    3. Re:False positives? by qaz123 · · Score: 1

      IE is free too.
      Also, I doubt Firefox developers work for free

  5. Same process I've been using for about 4 years. by idbeholda · · Score: 1

    http://tot-ltd.org/techinf.html

    NSRL is also a pretty good site to get a comprehensive whitelist from. Best of all, the whitelist database is free, and used for forensic file analysis. The only mildly difficult part is sometimes keeping up with the release of new malware, but that's why I implement several other databases, including one based on API calls in known hostile applications. The really interesting thing with API groups, is that you can identify which piece of new malware most likely belongs to a specific family. So far, I've had no false positives on whitelisted files checked against the API database. ( http://www.tot-ltd.org/API )

  6. Re:You lost vs. myself LONG ago... apk by fazey · · Score: 1

    take another look at that... it looks like he was replying to it...

  7. Scarier warning for self-signed certs by tepples · · Score: 1

    Theoretically, distributing software using a self-signed certificate, as is done on Android, would create a "key continuity" situation that would allow "the reputation of the file [to] follow the reputation of the key". But I was under the impression that the warnings for downloading software with a self-signed certificate were even sterner than the warnings for distributing completely unsigned software. So what should a hobbyist software developer do to avoid a recurring fee of $100 to $200 per platform per year?

  8. Re:"Rinse, Lather, & Repeat" troll... apk by Anonymous Coward · · Score: 1

    You are the most consistently annoying creature on the internet. There are people worse than you, just like cancer is worse than psoriasis, but you're more like the latter: pervasive, annoying, and always cropping up when one has mostly forgotten about it. You are that indeterminate, continuous itching that slowly erodes someone's mood until they consider cutting off a part of themselves just to stop it for a while.

    And like psoriasis, you're auto-immune and not fully understood by science. Slashdot continuously makes it worse by scratching that itch over and over again. It's not smart. It just encourages the disease. But everybody's got a limit to their patience.

    There is no cure for you. But at least, when slashdot dies, you will die with it, and there will be peace.