Trapping unknown malware in a context web

Numaan Huq Sophos
Peter Szabo Sophos

The escalation of web-based threats triggered the adoption of URL blocklists and web-object scanning techniques in anti-virus products. Often, these techniques are employed in isolation, applying traditional on-access/on-demand scans for downloaded web content and blocklists for URLs, with little to no context sharing between the two layers. In this paper we demonstrate combining URL information e.g. keywords, patterns, paths, etc. with file properties to create web-context detections (WCD). WCD targets malware from web sources for which we have no file detections or URL reputation information.

We discuss how WCD:

  • Proactively detects files based on web source. Scanning in context of a web source allows creation of broader and more effective detections.
  • Is effective against threats such as 0-days, malware, C&C traffic, etc.
  • Uses unstructured patterns such as keywords, file properties, paths, etc. and is more resilient to file and URL morphing than traditional pattern/sequential evaluations.
  • Performs better than traditional URL blocklists in cases like compromised sites.
  • Resists field testing by malware authors.

Using almost a year's worth of attack data, we describe some WCD detection strategies for popular threats like 0-days, compromised sites and exploit kits. In conclusion, we demonstrate that WCD can be used to plug the detection gap between file detections and URL blocklists.

VB2013 takes place 2-4 October 2013 in Berlin, Germany.

The full programme for VB2013, including abstracts for each paper, can be viewed here.

Click here for more details about the conference.



twitter.png
fb.png
linkedin.png
hackernews.png
reddit.png

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.