Reputation Based Detection of Socially Engineered Malware
Moheeb Abu Rajab
Over the last two years, we saw the prevalence of drive-by downloads declining. Browsers are generally becoming more secure, making it harder to deliver malware by exploiting vulnerabilities. Furthermore, protection efforts such as Google’s Safe Browsing have successfully detected and protected users from many of these attacks. In response, adversaries have turned their attention to social engineering as another major vector for distributing malware. Rather than exploiting browser vulnerabilities, adversaries employ various tricks to deceive users into downloading malware. Social engineering poses different detection challenges, as the absence of an exploit makes it harder to detect. Furthermore, adversaries use highly agile serving infrastructure, reducing the effectiveness of blacklist-based defences. In this talk, we present our recent effort to protect users from socially engineered malware. We provide an overview of a large-scale operational system that protects users from malware downloads using a reputation-based approach. Rather than exporting a blacklist, we developed a whitelist of domains that host the majority of benign downloads. For downloads not in the whitelist, we developed a server-based reputation scheme that predicts the likelihood that a binary is malicious without requiring access to the binary content. This service currently protects millions of Google Chrome users against malware downloads. We present some interesting insights about the prominent strains of malware we are seeing in the wild.
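The two-stage design the abstract describes (a whitelist of hosts that serve mostly benign downloads, then a content-free reputation score for everything else) can be sketched as follows. This is an added illustrative example, not Google's code or the system presented in the talk; the whitelist entries, the metadata features, the weights and the threshold are all assumptions constructed for the example.

```python
"""Toy two-stage download-reputation check.

Stage 1: exact or parent-domain match against a whitelist of download hosts.
Stage 2: for non-whitelisted hosts, a logistic score over download *metadata*
         only (no access to the binary's bytes), mirroring the abstract's
         "predict without requiring access to the binary content" idea.
Feature set and weights are invented for illustration.
"""
from dataclasses import dataclass
import math

# Constructed whitelist; in a real system this is derived from download volume.
WHITELIST = {"example-vendor.test", "downloads.example-vendor.test"}

MALICIOUS_THRESHOLD = 0.5  # assumed decision boundary on the probability


@dataclass
class DownloadMeta:
    """Metadata available server-side at download time (all fields assumed)."""
    host: str                 # host serving the binary
    referrer_host: str        # page the user was on when the download started
    signed: bool              # whether the binary carries a valid code signature
    prior_downloads: int      # how many times this exact binary was seen before
    host_age_days: int        # age of the serving domain
    host_malware_ratio: float # fraction of past downloads from host flagged malicious


def is_whitelisted(host: str) -> bool:
    """True if host or any parent domain is on the whitelist."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in WHITELIST:
            return True
    return False


def reputation_score(meta: DownloadMeta) -> float:
    """Probability the download is malicious, from metadata only (toy weights)."""
    logit = -0.5                                   # prior: most downloads are benign
    if meta.signed:
        logit -= 2.0                               # signed binaries are less suspicious
    logit -= 0.4 * math.log1p(meta.prior_downloads)  # widely seen binaries are safer
    if meta.host_age_days < 30:
        logit += 1.5                               # freshly registered serving host
    logit += 4.0 * meta.host_malware_ratio         # host's own track record
    if meta.referrer_host.lower() != meta.host.lower():
        logit += 0.5                               # redirect to a third-party host
    return 1.0 / (1.0 + math.exp(-logit))


def classify(meta: DownloadMeta) -> tuple[str, float]:
    """Return ("whitelisted"|"benign"|"malicious", probability)."""
    if is_whitelisted(meta.host):
        return ("whitelisted", 0.0)
    p = reputation_score(meta)
    return ("malicious" if p >= MALICIOUS_THRESHOLD else "benign", p)


if __name__ == "__main__":
    # Constructed sample downloads.
    samples = [
        DownloadMeta("sub.downloads.example-vendor.test", "example-vendor.test",
                     True, 100, 3000, 0.0),
        DownloadMeta("cdn7.newly-registered.test", "free-screensaver.test",
                     False, 0, 3, 0.6),
        DownloadMeta("mirror.example-soft.test", "mirror.example-soft.test",
                     True, 5000, 2000, 0.0),
    ]
    for s in samples:
        verdict, p = classify(s)
        print(f"{s.host:40s} {verdict:12s} p={p:.3f}")
```

The whitelist short-circuits the expensive path for the bulk of traffic; the scorer only ever sees host- and signer-level metadata, which is what lets it run server-side without the file. Note that a whitelist must be maintained as carefully as a blacklist, since a compromised whitelisted host bypasses stage 2 entirely.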