Numaan Huq, Sophos
Peter Szabo, Sophos
The escalation of web-based threats drove the adoption of URL blocklists and web-object scanning in anti-virus products. These two techniques are often employed in isolation: traditional on-access/on-demand scanning for downloaded web content on one side, URL blocklists on the other, with little or no context shared between the two layers. In this paper we demonstrate how URL information (keywords, patterns, paths, etc.) can be combined with file properties to create web-context detections (WCD). WCD targets malware from web sources for which we have neither a file detection nor URL reputation information.
We discuss how WCD:
Using almost a year's worth of attack data, we describe WCD detection strategies for prevalent threats such as 0-day exploits, compromised sites and exploit kits. We conclude by demonstrating that WCD can plug the detection gap between file detections and URL blocklists.
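To make the idea of a web-context detection concrete, the following is an added example (not code from the paper or from Sophos) of a toy WCD engine. It scores a downloaded web object on the combination of URL context (path extension, script-like paths, IP-literal hosts, query strings) and file properties (the real type sniffed from magic bytes versus the type the URL and Content-Type header claim), so that an object with no file signature and no URL reputation can still be flagged. The rule names, weights, threshold and sample objects are all constructed for this illustration and are not the paper's detection strategies.

```python
"""Toy web-context detection (WCD) engine: URL context + file properties.

Added example, not from the paper. All rules, weights and samples are
constructed for illustration; a production scanner would use far richer
URL patterns and file properties, learned from real attack data.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs

# Extensions that should never serve an executable/active document.
DOC_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "html", "htm", "css", "js"}
# Sniffed types that carry code and deserve suspicion when their context is odd.
BINARY_TYPES = {"pe", "elf", "swf", "pdf"}
THRESHOLD = 4  # constructed: total rule weight at which we raise a detection


@dataclass
class WebObject:
    url: str
    content_type: str  # Content-Type as served by the web server
    data: bytes        # leading bytes of the response body


def sniff_type(data: bytes) -> str:
    """Classify by magic bytes instead of trusting the URL or Content-Type."""
    if data.startswith(b"MZ"):
        return "pe"
    if data.startswith(b"\x7fELF"):
        return "elf"
    if data.startswith(b"%PDF"):
        return "pdf"
    if data[:3] in (b"CWS", b"FWS", b"ZWS"):
        return "swf"
    if data.startswith(b"PK\x03\x04"):
        return "zip"  # also JAR/Office containers; refined further in a real scanner
    if data.lstrip().startswith(b"<"):
        return "html"
    return "unknown"


def url_context(url: str) -> dict:
    """Extract the URL features the rules below reason about."""
    p = urlparse(url)
    host = p.hostname or ""
    last = p.path.rsplit("/", 1)[-1].lower()
    ext = last.rsplit(".", 1)[-1] if "." in last else ""
    return {
        "host": host,
        "ext": ext,
        "ip_host": bool(re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host)),
        "script_path": ext in {"php", "asp", "aspx", "jsp", "cgi"},
        "query": parse_qs(p.query),
    }


# (name, weight, predicate(ctx, obj, sniffed_type)). Constructed rules.
RULES = [
    # URL claims an image/text document but the body is code.
    ("ext-mismatch", 3,
     lambda c, o, t: t in BINARY_TYPES and c["ext"] in DOC_EXTS),
    # Server labels code as image/* or text/*.
    ("ctype-mismatch", 2,
     lambda c, o, t: t in BINARY_TYPES
     and o.content_type.split(";")[0].strip().split("/")[0] in ("image", "text")),
    # A server-side script with a query string hands out a binary (landing-page style).
    ("script-serves-binary", 2,
     lambda c, o, t: t in BINARY_TYPES and c["script_path"] and bool(c["query"])),
    # Native executable fetched straight from an IP literal.
    ("ip-host-executable", 2,
     lambda c, o, t: t in ("pe", "elf") and c["ip_host"]),
]


def evaluate(obj: WebObject) -> dict:
    """Score one web object; returns sniffed type, matched rules, score and verdict."""
    ctx = url_context(obj.url)
    sniffed = sniff_type(obj.data)
    hits = [(name, w) for name, w, pred in RULES if pred(ctx, obj, sniffed)]
    score = sum(w for _, w in hits)
    return {
        "type": sniffed,
        "hits": [name for name, _ in hits],
        "score": score,
        "verdict": "WCD/Suspicious" if score >= THRESHOLD else "clean",
    }


# Constructed sample objects (203.0.113.0/24 and example.* are documentation ranges/names).
PE_STUB = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
SAMPLES = [
    WebObject("http://203.0.113.5/images/photo.jpg", "image/jpeg", PE_STUB),
    WebObject("http://downloads.example.com/tools/setup.exe", "application/octet-stream", PE_STUB),
    WebObject("http://ads.example.net/show.php?id=7f3a", "text/html", b"CWS\x0a\x00\x10\x00\x00"),
    WebObject("http://www.example.org/index.html", "text/html", b"<!DOCTYPE html><html>"),
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = evaluate(s)
        print(f"{r['verdict']:15} score={r['score']} type={r['type']:7} {r['hits']} {s.url}")
```

Note that neither the PE stub nor any of the URLs would match a file signature or a URL blocklist on their own; the first and third samples are flagged only because the URL context contradicts what the bytes actually are, which is the gap WCD is meant to fill. The `setup.exe` sample shows the other side: a binary served consistently from a named host with a matching extension and Content-Type scores zero, so the rules do not simply fire on every executable download.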
VB2013 takes place 2-4 October 2013 in Berlin, Germany.