Google Report: How Web Attackers Evade Malware Detection
Posted in: Legal, Privacy & Security at 19/08/2011 19:03
Attackers are increasingly using "IP cloaking" to infect Web visitors: they evade malware detection systems by serving clean pages to the scanners while dropping malware on ordinary visitors to the site, according to a new report by Google's security team.
"Over the years, we have seen more malicious sites engaging in IP cloaking. To bypass the cloaking defense, we run our scanners in different ways to mimic regular user traffic," said Lucas Ballard and Niels Provos of the Google Security Team, in a blog post yesterday.
Four Years of Web Malware by Lucas Ballard and Niels Provos, Google Security Team
Google's Safe Browsing initiative has been protecting users from web pages that install malware for over five years now. Each day we show around 3 million malware warnings to over four hundred million users whose browsers implement the Safe Browsing API. Like other service providers, we are engaged in an arms race with malware distributors. Over time, we have adapted our original system to incorporate new detection algorithms that allow us to keep pace. We recently completed an analysis of four years of data that explores the evasive techniques that malware distributors employ. We compiled the results in a technical report, entitled "Trends in Circumventing Web-Malware Detection."
Below are a few of the research highlights, but we recommend reviewing the full report for details on our methodology and measurements. The analysis covers approximately 160 million web pages hosted on approximately 8 million sites.