Greetz from academe: Content-Agnostic Malware Protection

2013-06-03

John Aycock

University of Calgary, Canada
Editor: Helen Martin

Abstract

There is often a disconnect between academic security research and anti-malware industry research – in both directions. Dr John Aycock, Associate Professor at the Department of Computer Science, University of Calgary, embarks on a new regular feature in which each month he will pick some of the work going on in academic circles and summarize the key points. This month: Content-Agnostic Malware Protection.

One of the things that has repeatedly struck me, in the decade that I’ve been involved with the AV community, is the huge rift that exists between industry and academia. On the one hand, I’ve seen industry presentations that overlook work done – sometimes years before – by academic researchers. On the other hand, I’ve seen academic papers in reputable publications that make naïve statements about how AV products work, or that completely ignore previous industry work.

What I want to do with this regular feature is to help with one side of the equation. Each month, I’ll highlight some recent academic work that bears relevance to the AV community.

It seems fair to start with the paper I was looking at when the idea came to me.

CAMP: Content-Agnostic Malware Protection

‘CAMP: Content-Agnostic Malware Protection’ [1] was presented at NDSS, the Network and Distributed System Security Symposium [2], in February 2013, and published by the organizer of the event, the Internet Society. The five authors (although perhaps ‘campers’ would be a better term) are all affiliated with Google.

As a glimpse into academic publishing, NDSS itself is a well-established venue: this year was the 20th time the Symposium had been run, and it has a consistently low acceptance rate for papers – just under 19% this year. Full papers are submitted for review, so when referees read and rank the papers they are essentially judging the finished product.

In summary, what CAMP does is extend Google’s Chrome browser. When a user downloads a binary when using Chrome+CAMP, the browser decides if the binary is naughty or nice by applying three checks. First, it uses a blacklist, where the binary’s URL is compared against a list of known malicious URLs. Second, a whitelist comes into play; domains and code signers that have refrained from pumping out malware for three months are whitelisted. The first two checks are performed locally and, arguably, the underlying basis of these lists is one of reputation. Finally, if no definitive decision can be made based on the first two checks, attributes of the binary and its location are launched into the cloud for a reputation assessment with a more global view.
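To make the ordering of those three checks concrete, here is an added example (it is not code from the CAMP paper or from Chrome) that models the decision as a small pipeline: an exact-URL blacklist, a domain/signer whitelist keyed on how long ago each last served malware, and a fall-through to a cloud lookup that receives only attributes of the download, never the file itself. The list layout, the rule that either a clean domain or a clean signer is enough to whitelist, the reading of ‘three months’ as 90 days, and the stub cloud service are all assumptions made for illustration; the sample hashes, URLs and history are constructed.

```python
# Added example, not code from the CAMP paper or from Chrome: a toy model of the
# three-stage download verdict described in the column. The list layout, the
# either-domain-or-signer whitelist rule, the 90-day reading of "three months"
# and the stub cloud lookup are all assumptions made for illustration.
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Optional
from urllib.parse import urlsplit

QUIET_PERIOD = timedelta(days=90)  # assumption: "three months" read as 90 days


@dataclass(frozen=True)
class Download:
    url: str
    sha256: str
    signer: Optional[str] = None  # code-signing subject, if the binary is signed


@dataclass
class LocalLists:
    malicious_urls: set     # blacklist: exact URLs known to serve malware
    domain_last_bad: dict   # domain -> date it last served malware (None = never)
    signer_last_bad: dict   # signer -> date it last signed malware (None = never)


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def is_whitelisted(last_bad_by_key: dict, key: Optional[str], today: date) -> bool:
    """A domain or signer is whitelisted only if we hold history on it and that
    history shows no malware for the whole quiet period. Keys we have never
    seen are NOT whitelisted: absence of evidence is not a good reputation."""
    if key is None or key not in last_bad_by_key:
        return False
    last_bad = last_bad_by_key[key]
    return last_bad is None or today - last_bad >= QUIET_PERIOD


def verdict(dl: Download, lists: LocalLists, today: date,
            cloud_lookup: Callable[[dict], str]) -> tuple:
    """Returns (decision, stage). Stage order matters: the blacklist is checked
    before the whitelist, so a clean signer cannot launder a URL already known
    to be bad, and the cloud is consulted only when the local lists are silent."""
    if dl.url in lists.malicious_urls:
        return ("block", "blacklist")
    domain = host_of(dl.url)
    if (is_whitelisted(lists.domain_last_bad, domain, today)
            or is_whitelisted(lists.signer_last_bad, dl.signer, today)):
        return ("allow", "whitelist")
    # Nothing decisive locally: ship attributes of the download, not its bytes.
    features = {"domain": domain, "sha256": dl.sha256, "signer": dl.signer}
    return (cloud_lookup(features), "cloud")


# ---- constructed sample data (not real lists, hashes or domains) ----
TODAY = date(2013, 6, 3)
KNOWN_BAD_HASH = hashlib.sha256(b"constructed malicious sample").hexdigest()
UNKNOWN_HASH = hashlib.sha256(b"constructed unseen sample").hexdigest()

SAMPLE_LISTS = LocalLists(
    malicious_urls={"http://dl.example.net/setup.exe"},
    domain_last_bad={
        "updates.example.com": None,                        # clean history
        "mirror.example.org": TODAY - timedelta(days=10),   # too recent
    },
    signer_last_bad={"Example Software Ltd": TODAY - timedelta(days=200)},
)


def stub_cloud_lookup(features: dict) -> str:
    """Stand-in for the server-side reputation service: a hash lookup plus a
    conservative default. A real service would weigh many more signals."""
    if features["sha256"] == KNOWN_BAD_HASH:
        return "block"
    return "warn"  # no reputation either way: make the user decide, loudly


def demo() -> list:
    cases = [
        # blacklisted URL, even though its signer has a clean 200-day record
        Download("http://dl.example.net/setup.exe", UNKNOWN_HASH, "Example Software Ltd"),
        Download("https://updates.example.com/app.exe", UNKNOWN_HASH),
        Download("https://mirror.example.org/tool.exe", UNKNOWN_HASH),
        Download("https://mirror.example.org/bad.exe", KNOWN_BAD_HASH),
    ]
    return [verdict(d, SAMPLE_LISTS, TODAY, stub_cloud_lookup) for d in cases]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Two design points worth keeping when adapting this: the blacklist must be consulted before the whitelist, otherwise a compromised but historically clean signer or domain becomes a bypass; and ‘never seen before’ must map to ‘not whitelisted’ rather than ‘clean’, which is exactly why the third, cloud-side stage exists.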

Academic papers should always give enough detail for the work to be repeated, in theory, and the CAMP paper doesn’t disappoint; there are many goodies to be mined from the paper both about CAMP’s implementation and about its extremely high accuracy.

The paper rang a bell for me when I read it, because it reminded me of a very interesting talk I heard at VB2009 by researchers from Symantec about detecting malware with... wait for it... reputation [3]. The CAMP paper doesn’t cite this work, but it does mention Microsoft’s SmartScreen Application Reputation system in IE 9 [4], [5]. The authors characterize SmartScreen as ‘closely related to our work’, which is academic-speak for ‘let the hair splitting begin’.

On the surface, Google would appear to be the latecomer to the reputation party, but it could also be seen the other way around: the company’s bread-and-butter PageRank algorithm is really just a type of reputation score, albeit applied in a different context. Context can be critical, of course, and in the meantime I see that a number of related patents and patent applications for reputation-based malware detection have appeared. A quick search for a few of the usual suspects turned up some Symantec patents for malware detection [6], [7] and reducing false positives [8] with reputation, and some Microsoft patent applications for reputation based malware detection [9], [10]. (I should point out that I’m not a lawyer, and I’m not making any judgement about the claims of these patents. I’m mentioning them merely to connect up some related work.)

Reputation seems to be here to stay. Given the title of this column, I should probably end the first instalment with a shout-out to my academic homies or something, but so far they have all been strangely reluctant to disclose their handles; for now, I’ll have to stick with the secret academic handshake.

Bibliography

[1] Rajab, M. A.; Ballard, L.; Lutz, M.; Mavrommatis, P.; Provos, N. CAMP: Content-Agnostic Malware Protection. 20th Annual Network & Distributed System Security Symposium, 2013.

[3] Nachenberg, C.; Ramzan, Z.; Seshadri, V. Reputation: A new chapter in malware protection. 19th Virus Bulletin Conference, 2009. http://www.virusbtn.com/conference/vb2009/abstracts/NachenbergSeshadriRamzan.xml.

[4] Colvin, R. ‘Stranger Danger’ – Introducing SmartScreen Application Reputation. October 2010. http://blogs.msdn.com/b/ie/archive/2010/10/13/stranger-danger-introducing-smartscreen-application-reputation.aspx.

[5] Haber, J. SmartScreen Application Reputation in IE9. May 2011. http://blogs.msdn.com/b/ie/archive/2011/05/17/smartscreen-174-application-reputation-in-ie9.aspx.

[6] Glick, A.; Graf, N.; Smith, S. Systems and methods for using reputation data to detect packed malware. United States Patent #8,336,100, December 2012. http://www.google.com/patents/US8336100.

[7] Nachenberg, C. S. Systems and methods for using reputation data to detect shared-object-based security threats. United States Patent #8,225,406, July 2012. http://www.google.co.uk/patents/US8225406.

[8] Nachenberg, C. S.; Griffin, K. E. Reputation based identification of false positive malware detections. United States Patent #8,312,537, November 2012. http://www.google.co.uk/patents/US8312537.

[9] Oliver, D. et al. Reputation checking of executable programs. United States Patent Application #20120192275, July 2012. http://www.google.com/patents/US20120192275.

[10] Franczyk, R.; Hulten, G.; Meek, C. A.; Newman, A.; Rehfuss, S.; Scarrow, J. Application reputation service. United States Patent Application #20100005291, January 2010. http://www.google.com/patents/US20100005291.