Sorin Mustaca, Avira
Most new malware these days spreads via emails with widely varying content. Because the emails are so well crafted, it is sometimes impossible to classify them as spam, so they reach users' inboxes. The only remaining way to block access to the malware is to block the target URLs contained in the emails generically, without knowing in advance why a given URL should be blocked. Such a powerful and dynamic system needs a very good control and monitoring centre in order to remain maintainable.
URLCheck is a system developed by Avira to manage, from a single point, the malware and phishing URLs gathered from multiple sources. It is the natural evolution of the system described in the article 'Delivering reliable protection against phishing websites', published in Virus Bulletin, May 2008.
These URLs are used to create updates for several of Avira's web-filtering products. I will describe the challenges we faced while creating this system, the benefits it brings and, finally, some results of its operation. The challenges were caused mainly by the differences between the sources we used: the URLs detected by our own anti-phishing product, PhishTank, LCheck (an internal system dealing only with malware URLs) and Clean-MX. The only thing these sources have in common is that each supplies a URL which should be blocked. Further challenges came from the errors and special situations these services produce: invalid data, service unavailability and false positives. The system has to deal with all of these.
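The aggregation problem sketched above, as an added example that is not Avira's URLCheck code: a small merger that takes feeds in different formats, canonicalizes each URL so that duplicates from several sources collapse into one entry, skips invalid records, keeps going when one source is unavailable, and drops allowlisted domains as false positives. The feed formats, feed contents, source names and allowlist are all constructed for the example; they are not the real PhishTank, Clean-MX or LCheck formats.

```python
"""Added example (not URLCheck): merge blocklist URLs from heterogeneous feeds."""
import csv
import io
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist: hosts (and their subdomains) that must never be blocked,
# even if a feed lists them. This is the false-positive guard.
ALLOWLIST = frozenset({"example.com", "avira.com"})
DEFAULT_PORT = {"http": 80, "https": 443}


def canonicalize(raw):
    """Return a canonical http(s) URL, or None for invalid data.

    Lower-cases scheme and host, drops a default port and the fragment, and
    uses '/' for an empty path. Non-http(s) schemes and bad ports are rejected.
    """
    if not isinstance(raw, str) or not raw.strip():
        return None
    raw = raw.strip()
    if "://" not in raw:
        raw = "http://" + raw            # feeds frequently omit the scheme
    try:
        parts = urlsplit(raw)
        host, port = parts.hostname, parts.port   # .port raises on bad ports
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORT or not host:
        return None
    host = host.rstrip(".")
    if port is not None and port != DEFAULT_PORT[parts.scheme]:
        host = f"{host}:{port}"
    return urlunsplit((parts.scheme, host, parts.path or "/", parts.query, ""))


def is_allowlisted(url):
    host = urlsplit(url).hostname or ""
    return any(host == d or host.endswith("." + d) for d in ALLOWLIST)


# Assumed feed formats, one parser each; every parser yields (url, category).
def parse_plain(text):           # one URL per line, '#' comments (in-house feed)
    return [(l, "phishing") for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]


def parse_json_feed(text):       # [{"url": ..., "verified": "yes"|"no"}, ...]
    return [(r["url"], "phishing") for r in json.loads(text)
            if r.get("verified") == "yes"]


def parse_csv_feed(text):        # CSV with 'url' and 'category' columns
    return [(r["url"], r["category"]) for r in csv.DictReader(io.StringIO(text))]


def aggregate(sources):
    """sources: {name: (fetch, parse)}. Returns (blocklist, report).

    A source whose fetch or parse fails is reported as unavailable and skipped,
    so the other sources still produce an update. blocklist maps canonical URL
    to {"categories": set, "sources": set}; report holds per-source counters.
    """
    blocklist, report = {}, {}
    for name, (fetch, parse) in sources.items():
        stats = report[name] = {"status": "ok", "accepted": 0, "invalid": 0, "allowlisted": 0}
        try:
            records = parse(fetch())
        except (OSError, ValueError, KeyError, TypeError) as exc:
            stats["status"] = f"unavailable: {exc}"
            continue
        for raw_url, category in records:
            url = canonicalize(raw_url)
            if url is None:
                stats["invalid"] += 1
            elif is_allowlisted(url):
                stats["allowlisted"] += 1
            else:
                entry = blocklist.setdefault(url, {"categories": set(), "sources": set()})
                entry["categories"].add(category)
                entry["sources"].add(name)
                stats["accepted"] += 1
    return blocklist, report


# Constructed sample feeds: same URL in three spellings, one allowlisted host,
# one unverified record, a non-http scheme, an out-of-range port.
ANTIPHISHING_FEED = """# in-house anti-phishing detections
http://Login-Secure.example.net/verify/index.php
login-secure.example.net/verify/index.php#ref=mail
https://paypal.example.com/login
"""
PHISHTANK_LIKE_FEED = json.dumps([
    {"url": "http://login-secure.example.net:80/verify/index.php", "verified": "yes"},
    {"url": "http://update.example.org/bank/", "verified": "no"},
    {"url": "cdn.example.org/dl/setup.exe", "verified": "yes"},
    {"url": "ftp://files.example.org/payload.exe", "verified": "yes"},
])
LCHECK_FEED = """url,category
http://cdn.example.org/dl/setup.exe,malware
HTTP://CDN.example.org:443/dl/setup.exe,malware
http://host.example.net:99999/,malware
"""


def unavailable_fetch():
    raise ConnectionError("HTTP 503 from feed host")   # constructed outage


def build_sources():
    return {
        "antiphishing": (lambda: ANTIPHISHING_FEED, parse_plain),
        "phishtank_like": (lambda: PHISHTANK_LIKE_FEED, parse_json_feed),
        "lcheck": (lambda: LCHECK_FEED, parse_csv_feed),
        "cleanmx_like": (unavailable_fetch, parse_csv_feed),
    }


if __name__ == "__main__":
    blocklist, report = aggregate(build_sources())
    for url in sorted(blocklist):
        e = blocklist[url]
        print(url, sorted(e["categories"]), sorted(e["sources"]))
    print(json.dumps(report, indent=1))
```

The report is what a control and monitoring centre would watch: a source whose status flips to "unavailable", or whose invalid or allowlisted counters jump, is the signal to investigate before the next update is shipped.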