Trapping unknown malware in a context web

Numaan Huq Sophos
Peter Szabo Sophos

The escalation of web-based threats triggered the adoption of URL blocklists and web-object scanning techniques in anti-virus products. Often, these techniques are employed in isolation, applying traditional on-access/on-demand scans for downloaded web content and blocklists for URLs, with little to no context sharing between the two layers. In this paper we demonstrate combining URL information e.g. keywords, patterns, paths, etc. with file properties to create web-context detections (WCD). WCD targets malware from web sources for which we have no file detections or URL reputation information.

We discuss how WCD:

• Proactively detects files based on web source. Scanning in context of a web source allows creation of broader and more effective detections.
• Is effective against threats such as 0-days, malware, C&C traffic, etc.
• Uses unstructured patterns such as keywords, file properties, paths, etc. and is more resilient to file and URL morphing than traditional pattern/sequential evaluations.
• Performs better than traditional URL blocklists in cases like compromised sites.
• Resists field testing by malware authors.

Using almost a year's worth of attack data, we describe some WCD detection strategies for popular threats like 0-days, compromised sites and exploit kits. In conclusion, we demonstrate that WCD can be used to plug the detection gap between file detections and URL blocklists.

VB2013 takes place 2-4 October 2013 in Berlin, Germany.

The full programme for VB2013, including abstracts for each paper, can be viewed here.

Click here for more details about the conference.