CAMP: Content-Agnostic Malware Protection

In spite of recent advances, the world wide web remains
an important vector for malware installation. Approaches
to evaluating potentially malicious code before execution in a
browser, such as blacklisting or content-based detection are
hindered by an attacker’s ability to easily change hosting domains
or mutate malware binaries. On the other hand, whitelistbased
approaches are challenged by the large, dynamic, and
heterogeneous space of benign binaries that they must track. In
practice these approaches continue to provide value for popular
binaries at either extreme of maliciousness (e.g., the current large
outbreak of malware, the benign binaries shipped with an OS),
but bridging the gap between whitelist and blacklist detection
for web malware remains a significant challenge.
This paper presents CAMP, a content-agnostic malware protection
system based on binary reputation that is designed to
address these shortcomings. CAMP is built into the browser and
determines the reputation of most downloads locally, relying on
server-side reputation data only when a local decision cannot be
made. This paper gives a detailed overview of CAMP and its
architecture and provides an evaluation of the system through
a six-month deployment in which 200 million users of Google
Chrome requested between eight to ten million reputation requests
a day. Our evaluation shows that CAMP exhibits accuracy
close to 99% relative to proprietary VM-based dynamic analysis,
is able to process requests in less than 130 ms on average, and
was able to detect approximately five million intentional malware
downloads per month that were not detected by existing solutions.



The Abuse Sharing Economy: Understanding the Limits of Threat Exchanges

The underground commoditization of compromised hosts suggests a tacit capability where miscreants leverage the same machine—subscribed by multiple criminal ventures—to simultaneously profit from spam, fake account registration, malicious hosting, and other forms of automated abuse. To expedite the detection of these commonly abusive hosts, there are now multiple industry-wide efforts that aggregate abuse reports into centralized threat exchanges. In this work, we investigate the potential benefit of global reputation tracking and the pitfalls therein. We develop our findings from a snapshot of 45 million IP addresses abusing six Google services including Gmail, YouTube, and ReCaptcha between April 7–April 21, 2015. We estimate the scale of end hosts controlled by attackers, expose underground biases that skew the abuse perspectives of individual web services, and examine the frequency that criminals re-use the same infrastructure to attack multiple, heterogeneous services. Our results indicate that an average Google service can block 14% of abusive traffic based on threats aggregated from seemingly unrelated services, though we demonstrate that outright blacklisting incurs an untenable volume of false positives.