CAMP for Chrome catches 99% of malware, Google says

Google researchers have developed a combined client- and server-side system that uses blacklisting, whitelisting and the characteristics of an executable file to catch nearly 99% of all malicious downloads.

The content-agnostic malware protection system, called CAMP, was described in a research paper presented in February at the Network and Distributed System Security Symposium. The system for the Chrome browser is meant to address the inherent weaknesses of using whitelisting and blacklisting as a defense against malicious binaries.

"In practice, these approaches continue to provide value for popular binaries at either extreme of maliciousness -- the current large outbreak of malware, the benign binaries shipped with an OS -- but bridging the gap between whitelist and blacklist detection for Web malware remains a significant challenge," according to the research paper from Moheeb Abu Rajab, Lucas Ballard, Noe Lutz, Panayiotis Mavrommatis and Niels Provos.

The researchers claim that 70% of the time CAMP can catch malicious downloads on the computer, with the remainder requiring deeper analysis on a Google server. Keeping the analysis as much as possible on the client is important in protecting user privacy.

When cloud-based antivirus systems are used, binaries are typically uploaded to the cloud for examination, resulting in a much greater loss of privacy, Google said.

"While CAMP also moves detection of malware into the cloud, it reduces the privacy impact by employing whitelists so that most download URLs stay within the browser and do not need to be sent to a third party," the paper says. "Binary payloads never leave the browser."

The use of the browser instead of a remote server for some tasks is a key difference between CAMP and Microsoft's SmartScreen technology. The latter is used in Internet Explorer to protect against malicious downloads and links.

In terms of detection rates, major antivirus engines detect between 35% and 70% of malware binaries, while CAMP's success rate is 98.6%, the paper said. During a six-month evaluation period, Google tested CAMP on the Windows computers of 200 million users, and identified about 5 million malicious downloads each month.

The system first compares downloads against a whitelist of known benign executables and a blacklist of known malware. The latter also involves communicating with Google's server-based Safe Browsing service.

If a clear determination cannot be made using the lists, then CAMP begins the analysis, which starts with the browser gathering characteristics of the binary. They would include the final download URL and the IP address of the server hosting the download, as well as the size of the binary, its content hashes and certificates attached to it.

The browser also logs the URL that referred the computer user to the download. This is important, because the URL can be examined to determine whether it is part of a chain of URL redirects set up to hide the original. Multiple referrals are a good indicator of malware.

Once all the information is gathered, it is sent to Google's servers, which analyze the information and decide whether the binary is benign, malicious or unknown. The ruling is passed on to the browser, which provides a notification to the user.
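The decision flow the article describes, as an added illustration that is not Google's code: list lookups happen in the browser, and only when they are inconclusive is a feature record (URL, IP, size, hashes, certificate subject, referrer chain) built for the server, with the binary itself never included. The list contents, sample downloads and field names are constructed assumptions.

```python
# Constructed model of the CAMP client-side flow described in the article;
# not Google's implementation. Lists, names and samples are made up.
import hashlib
from dataclasses import dataclass

# Whitelist keyed on the binary's SHA-256, blacklist keyed on download host.
# A real deployment would back these with Safe Browsing data.
WHITELIST_SHA256 = {
    hashlib.sha256(b"MZ\x90\x00benign installer bytes").hexdigest(),
}
BLACKLIST_HOSTS = {"malware.example.invalid"}


@dataclass
class Download:
    final_url: str
    host_ip: str
    referrer_chain: list   # referrer URLs seen before the final download URL
    payload: bytes         # stays in the browser; only hashes are sent
    signer: str = ""       # subject of the attached code-signing cert, if any


def host_of(url):
    return url.split("//", 1)[-1].split("/", 1)[0]


def client_decide(dl):
    """Local verdict from the lists, or None if the server must decide."""
    digest = hashlib.sha256(dl.payload).hexdigest()
    if digest in WHITELIST_SHA256:
        return "benign"        # whitelisted: URL never leaves the browser
    if host_of(dl.final_url) in BLACKLIST_HOSTS:
        return "malicious"
    return None


def build_server_request(dl):
    """Features the article lists as sent to the server. No payload field."""
    return {
        "final_url": dl.final_url,
        "host_ip": dl.host_ip,
        "size": len(dl.payload),
        "sha256": hashlib.sha256(dl.payload).hexdigest(),
        "signer": dl.signer,
        "referrer_chain": list(dl.referrer_chain),
        "redirect_hops": len(dl.referrer_chain),  # long chains are suspicious
    }


def classify(dl):
    """Return (verdict, server_request); request is None when decided locally."""
    verdict = client_decide(dl)
    if verdict is not None:
        return verdict, None
    return "unknown", build_server_request(dl)
```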

However, Lance James, chief scientist at application security vendor Vigilant, said that as an overall security system, CAMP falls short because it does not catch malware that exploits vulnerabilities within the browser.

Such malware often gets into a computer by email recipients being tricked into clicking on a malware-carrying attachment.

"[CAMP] may be able to see 99% of malware downloaded through the browser, but they won't see 99% of malware that is never seen by the browser," James said. "There's a big blind spot and that's a problem."

Google acknowledges that browser-exploiting malware is not the focus of the system. "CAMP is specifically designed to protect from user-initiated malware downloads, e.g. distributed by means of social engineering, that do not involve browser exploitation," researcher Moheeb Abu Rajab said.

While CAMP may have a 99% success rate today, once it became a feature in Chrome, cybercriminals would change techniques and tactics in order to avoid detection, James said. "Once this is out there, that 99% will not really matter anymore," James said. "It's a cat-and-mouse game."

Rajab's response to an email query did not address how CAMP would adapt to changes in cybercriminals' tactics.

Nevertheless, Google claimed in the research paper that CAMP outperformed major antivirus products, as well as Web services such as McAfee's Site Advisor and Symantec's Safeweb.

This year Google introduced filtering in Chrome for websites that contain malicious downloads. The malware-carrying sites are detected and downloads blocked through Google's Safe Browsing service.

Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.

Stories by Antone Gonsalves