Google just published its research report of the analysis of four years of data that explores the evasive techniques that malware distributors employ. The company compiled the results in a technical report, entitled “Trends in Circumventing Web-Malware Detection” (embedded below).
The analysis covers approximately 160 million web pages hosted on approximately 8 million sites. “Our report analyzed four years of data to uncover trends in malware distribution on the web, and it demonstrates the ongoing tension between malware distributors and malware detectors,” informs Lucas Ballard and Niels Provos, Google Security Team.
Ballard says that “to help protect Internet users, even those who don’t use Google, we have updated the Safe Browsing infrastructure over the years to incorporate many state-of-the-art malware detection technologies.”
Below are a couple of the research highlights:
Increase in IP Cloaking
“Malware distributors are increasingly relying upon ‘cloaking’ as a technique to evade detection. The concept behind cloaking is simple: serve benign content to detection systems, but serve malicious content to normal web page visitors. Over the years, we have seen more malicious sites engaging in IP cloaking. To bypass the cloaking defense, we run our scanners in different ways to mimic regular user traffic,” notes Google.
“Social Engineering is a malware distribution mechanism that relies on tricking a user into installing malware. Typically, the malware is disguised as an anti-virus product or browser plugin. Social engineering has increased in frequency significantly and is still rising. However, it’s important to keep this growth in perspective — sites that rely on social engineering comprise only 2% of all sites that distribute malware,” Provos added.
Here is the full report, you can download the report for offline reading using the link under this post:
Download Trends in Circumventing Web-Malware Detection here.