Web malware detection increasingly difficult

Google recently published a report based on its research into identifying malicious websites. The company routinely flags malicious websites as part of its efforts to warn search engine users of potential dangers, but this report suggests that hackers are using new methods to avoid being flagged.

Many methods exist to discover malware, and the report dissects four of these methods:

Virtual machine (VM) honeypots

Virtual machines can be used to test websites for malware, and when the testing is complete a VM can easily be restored to a clean state. The report examines the weakness of VMs as detectors:

…social engineering is an emerging attack trend that could potentially limit the effectiveness of VM-based detection schemes… . Social engineering attacks make VM-based detection harder since malicious payloads appear only after user interaction with the browser.

Browser Emulator Client Honeypots

Browser emulators resemble VM honeypots in that they create a fake environment in which malware activity can be monitored. More sophisticated threats, however, will only run when executed outside an emulated environment, so the emulator never observes the malicious behaviour.

Classification based on domain reputation

Analyzing a website's hosting infrastructure and DNS records can detect sites hosted on known malicious domains. The problem is that IPs can be hidden and domains can be rotated frequently.

Anti-virus engines

Your anti-virus software can detect the signatures of malware, but it can sometimes miss threats that are “packed”—a packed threat must be unpacked before an anti-virus engine can recognize its signature. By then, it is too late.

Ultimately, the report recommends a “multifaceted” approach to detecting malware. Where one method fails, another can pick up the slack.
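As an added illustration of that multifaceted approach (example code written for this page, not from Google's report), the following Python combines the four methods described above over constructed observations. The detector names, the `Observation` fields, the "inconclusive" verdict and the DNS-rotation threshold are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# One detector's verdict: True = payload/signature seen, False = nothing seen,
# None = inconclusive (no user interaction in the VM run, emulator detected, packed sample).
Verdict = Optional[bool]

@dataclass
class Observation:
    url: str
    vm: Verdict             # VM honeypot result
    emulator: Verdict       # browser emulator client honeypot result
    known_bad_domain: bool  # domain reputation lookup result
    resolved_ips: list      # IPs seen for the domain across repeated DNS lookups
    av: Verdict             # anti-virus engine result

def rotation_suspected(resolved_ips, max_distinct=2):
    """Heuristic for the evasion the report names: DNS answers that keep changing (assumed threshold)."""
    return len(set(resolved_ips)) > max_distinct

def classify(obs):
    """Combine all four methods: any conclusive hit is enough; inconclusive results are surfaced, not read as clean."""
    reasons = []
    for name, verdict in (("vm", obs.vm), ("emulator", obs.emulator), ("av", obs.av)):
        if verdict is True:
            reasons.append(f"{name}:hit")
        elif verdict is None:
            reasons.append(f"{name}:inconclusive")
    if obs.known_bad_domain:
        reasons.append("reputation:hit")
    if rotation_suspected(obs.resolved_ips):
        reasons.append("dns:rotation")
    if any(r.endswith(":hit") for r in reasons):
        return "malicious", reasons
    if reasons:
        return "suspicious", reasons
    return "clean", reasons

# Constructed sample observations (hostnames and IPs are placeholders, not real sites).
SAMPLES = [
    Observation("http://site-a.invalid/", None, False, False, ["192.0.2.10"], None),
    Observation("http://site-b.invalid/", False, False, False, ["192.0.2.1", "192.0.2.2", "192.0.2.3"], False),
    Observation("http://site-c.invalid/", False, False, True, ["192.0.2.20"], False),
    Observation("http://site-d.invalid/", False, False, False, ["192.0.2.30", "192.0.2.30"], False),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.url, *classify(s))
```

Site A shows the social-engineering and packing cases: no single method fires, but the combined result is "suspicious" with the inconclusive detectors listed, so the URL is queued for an interactive run instead of being marked clean.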

