As Mom always said, if you hang around with the wrong crowd, you’ll get a bad reputation. Now that theory is being used to detect unfriendly software.
The race between anti-malware vendors and the bad guys has become closer in recent years. Sometimes the crooks edge ahead: They develop something nasty and turn it loose, anti-malware vendors create and release detections to head it off, malware authors respond, and the dance goes on.
The trouble is, malware has changed. It was originally designed for destruction or mischief, and it was easy to tell if a computer had been infected. But now the goal is profit – stealing banking credentials and credit card numbers, and heisting other corporate and personal information that can be sold – so it pays to be sneaky.
The longer a compromised system stays infected, the better the result for the malware author. Consequently, malware developers now work very hard to make their wares undetectable. And their releases are more frequent.
That means the old signature-based detections can't cut it any more as the sole means of detection. By their very nature, they're too slow for today's high-velocity environment, since they rely on the vendor receiving and deconstructing samples of each new piece of malware and discovering identifying features that can be used to detect it. Those features go into a signature file, which is distributed to customers.
Believe it or not, it was once good enough to distribute signatures weekly, or even less often. Now, hourly or more may not be enough. So vendors decided on a new approach.
At first, they considered blacklisting – creating lists of known bad files to block. But there are so many new files popping up that it's nearly impossible to keep track. Then they considered “whitelisting,” which lists known good files, and blocks everything else, but encountered the same problem.
It was time for a rethink. With their vast networks of customers worldwide, anti-malware vendors such as Symantec, McAfee, Trend Micro and Kaspersky realized that the answer was in front of them: gather anonymous information on the files their customers use (with their consent, of course) and, based on that information, give each new file a user receives or installs a score reflecting how likely it is that the file is safe. In effect, it's determining whether the file has a good reputation.
When you have 175 million endpoints to consult, and a database of 2.5 billion files (as Symantec does), chances are a file that's new to one user has been used somewhere else, and its nature has been determined.
Each file is evaluated on age, publisher, country of origin, number of users and usage patterns, as well as information received from software publishers on the legitimate files they've released, and the data is used to assign a reputation rating. Once a popular program is tagged as safe, the antivirus scanner need never examine it again unless it changes.
A brand new file is flagged as “unknown,” and the user is asked to decide whether to trust it. If that file happens to be, say, a new version of Microsoft Word, the user will trust it, and over the next few hours or days, others will install and trust it and its reputation will become positive. But if a copy of a file becomes corrupt or infected by malware, it won't match the known good file, and will be branded suspect and blocked.
The same logic can be applied to websites, according to McAfee. New domains are more suspect than established ones, for example, and sites that have historically been purveyors of malware are likely unsafe as well.
When a tsunami hit Japan earlier this year, hundreds of new domains were registered within hours and started spewing malware attached to scams claiming to be relief fundraisers. Based on their reputations, those sites and the files they sent out were flagged as suspicious and users were warned against touching them. As Mom would say, “Put that down, you don't know where it's been!”
Reputations are not static. If a previously good website becomes infected, not only will the anti-malware software detect and block the suspicious files it attempts to pass on, but the site's reputation will also take a hit. That means users will be warned that it is potentially dangerous to visit. Once it is successfully cleaned up, it will again be flagged as safe.
Virtually all major anti-malware vendors have added reputation-based detection to their products. There's no magic bullet for nailing malware, but reputation-based detection is but another layer, albeit an important one, in the defence.