Google has a hugely privileged view of the Internet and it uses that position for all kinds of things, one of which is to collect data and intelligence on malicious Web site behavior and malware trends. In a new report based on four years’ worth of data on site and malware activity, the company found that attackers are now deploying highly specialized evasion and obfuscation techniques that play off what researchers and users do and then adjust and adapt.
The report looks at a number of evasion and defensive techniques employed by attackers and malware distributors and concludes that not only are the bad guys quite skilled at adapting to new behaviors by users and browsers, they're also doing some of their own innovation. One of the more interesting findings in the report is that socially engineered malware (the kind that uses various tricks to goad users into visiting a site or downloading a file) makes up barely two percent of all malware observed by Google. The volume of socially engineered malware has been rising steadily over the last few years, but Google's engineers said it's still a tiny piece of the overall picture.
“Our experiments corroborate our hypothesis that malware authors continue to pursue delivery mechanisms that can confuse different malware detection systems. We find that Social Engineering is growing and poses challenges to VM-based honeypots,” the authors say in their report.
Google’s report, “Trends in Circumventing Web-Malware Detection,” also found that attackers have been honing their techniques for executing drive-by download attacks over the course of the four-year period that the researchers studied. The report’s authors, Moheeb Abu Rajab, Lucas Ballard, Nav Jagpal, Panayiotis Mavrommatis, Daisuke Nojiri, Niels Provos and Ludwig Schmidt, confirmed that the useful life span of a given vulnerability is still quite short. Most vulnerabilities are only exploited for a little while until their usefulness declines and then attackers move on to a new one.
“Our analysis of which vulnerabilities are actively being exploited over time shows that adversaries quickly switch to new and more reliable exploits to help avoid detection. Most vulnerabilities are exploited only for a short period of time until new vulnerabilities become available. A prominent exception is the MDAC vulnerability which is present in most exploit kits,” Ballard and Provos wrote in a blog post explaining their findings.
The Google researchers also found that more and more attack sites are employing a technique to identify malware-detection and collection systems and then serve them normal content while still giving regular users malicious content. Many such sites use a technique known as IP cloaking that disallows requests from specific IP addresses, shunting them to a benign page rather than a drive-by download site.
“In our operational practice, we continuously monitor compromised web sites and the malicious resources they include. In 2008, we discovered that some malware domains no longer returned malicious payloads to our system but still did so to users. As a result, we developed detection for cloaking. At the time of this writing, IP cloaking contributes significantly to the overall number of malicious web sites found by our system,” the authors wrote in their paper.
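The detection the authors describe amounts to fetching the same URL from a scanner's own address range and from an ordinary user vantage point and comparing what comes back. The following Python is an added illustration of that idea, not code from the report or from Google; the sample responses, the `kit.malicious.example` hostname and the 0.9 similarity threshold are all constructed for the example. Volatile content (comments, timestamps, session tokens) is stripped first so that an honest dynamic page does not get flagged.

```python
import re
from difflib import SequenceMatcher

# Content that legitimately changes between fetches (comments, timestamps,
# session tokens, whitespace) is normalised away so that an honest dynamic
# page seen from two vantage points still compares as identical.
_VOLATILE = [
    (re.compile(r"<!--.*?-->", re.S), ""),
    (re.compile(r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}"), "<ts>"),
    (re.compile(r"\b[0-9a-fA-F]{16,}\b"), "<token>"),
    (re.compile(r"\s+"), " "),
]
_SRC = re.compile(r'<(?:script|iframe)[^>]*\bsrc=["\']?([^"\'\s>]+)', re.I)

def normalize(body):
    for pattern, repl in _VOLATILE:
        body = pattern.sub(repl, body)
    return body.strip()

def external_hosts(body):
    """Hosts of the script/iframe resources a response pulls in."""
    hosts = set()
    for src in _SRC.findall(body):
        m = re.match(r"(?:https?:)?//([^/]+)", src)
        if m:
            hosts.add(m.group(1).lower())
    return hosts

def compare_vantages(scanner_body, user_body, threshold=0.9):
    """Flag suspected IP cloaking when the user-vantage response diverges
    from the scanner-vantage one or loads resources the scanner never saw."""
    similarity = SequenceMatcher(None, normalize(scanner_body),
                                 normalize(user_body)).ratio()
    extra = external_hosts(user_body) - external_hosts(scanner_body)
    return similarity < threshold or bool(extra), round(similarity, 3), sorted(extra)

# Constructed sample responses (not real captures) for the same URL.
SCANNER_VIEW = ('<html><body><!-- rendered 2011-08-17 10:00:01 -->'
                '<p>Welcome back, session 3f9a8c1d2e4b6a7f</p>'
                '<script src="//cdn.example.com/app.js"></script></body></html>')
HONEST_VARIANT = ('<html><body><!-- rendered 2011-08-17 10:02:44 -->'
                  '<p>Welcome back, session 7b2e0d9c4a1f8e65</p>'
                  '<script src="//cdn.example.com/app.js"></script></body></html>')
CLOAKED_USER_VIEW = HONEST_VARIANT.replace(
    "</body>", '<script src="http://kit.malicious.example/load.js"></script></body>')

if __name__ == "__main__":
    print(compare_vantages(SCANNER_VIEW, HONEST_VARIANT))
    print(compare_vantages(SCANNER_VIEW, CLOAKED_USER_VIEW))
```

The extra-host check matters more than the raw similarity score: a drive-by payload is often a single injected resource on an otherwise unchanged page, and that is exactly the difference a scanner served benign content never gets to see.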