Malware Blacklist


1. Summary

Web-based threats are the primary vector of malware infections. Legitimate websites get hacked by cyber-criminals who break into servers that are not patched or that have a weak password, and who are then able to inject malicious scripts into the content of the webpage.
Users browsing such compromised websites become victims of what is called a drive-by download: a malicious piece of software is automatically downloaded and executed on their PC without their approval or knowledge.

Unfortunately, traditional antivirus software fails to protect against most web-based infections, as malware authors are constantly getting better at evading detection.
To better understand such threats, we designed a system that replicates the end-user experience, using proprietary technology. We provide detection of malicious websites and analysis of their payloads.

2. Technology overview

- URL feeds
The size and constant change of the Internet make it very difficult to identify the relevant domains that will be used to attack end users. Our first effort is to categorize and prioritize URLs to maximize the chances of encountering malicious activity. We constantly update the sources of the URLs we are going to analyze, based on where they come from and their potential to contain malware.

- HoneyPot analysis
The second step is to actively browse each URL we suspect, using the exact same configuration an end-user would have. This process is automated, but to the malware authors it appears as though an actual person is visiting the site. Each HoneyPot is wired to a database to report its findings. When a malicious site triggers an exploit, we record exactly where it came from and its impact on the system, which usually results in the download and execution of a malware binary.

- URL validation
Not all online activity we detect is necessarily malicious in nature. Some websites may download files onto the system that are not malware. Therefore, we must confirm each URL before we can blacklist it. To achieve that, we use a combination of static and dynamic analysis: the drive-by download is analyzed by our proprietary heuristic engine and run within a sandbox.

- Reporting
Once we have confirmed that the exploit payload is malicious, we proceed to blacklist the URL that triggered it as well as the URL where the payload is hosted. Typically, there is a website (most of the time a legitimate one) that contains the exploit code, and another URL that the bad guys use to host the intended malicious payload. We archive both sources (HTML code and malware binary) to keep a record of the detected malicious activity, together with the malware run-time analysis.
Additionally, we gather more data about the URLs in order to provide an extensive intelligence report. In particular, we catalog their IP address, ASN, country, ISP and domain name registrar.

All Rights Reserved - Copyright © 2011 ParetoLogic Inc.