Social engineering malware: Google puts the advances made by IE9 into perspective
August 23rd, 2011 - 09:11 am ET by J. G.
While NSS Labs has congratulated IE9 in the fight against malware spread through social engineering, Google points out that the study in question covers only 2% of the malware found on the web.
A recent NSS Labs study crowned Internet Explorer 9 as the best browser in the fight against socially engineered malware on the Web. The typical example is a web page that asks the user to install a fake antivirus or a malicious plugin. Compared to other browsers, IE9 was a long way ahead thanks to its SmartScreen filter and Application Reputation.
Google has now responded, though, publishing its own security report, parts of which read as a response to NSS Labs' conclusions. While this kind of social engineering has increased in Google's view, it points out that it is "important to keep things in perspective" as this increase "of sites calling on social engineering comprises only 2% of all sites which distribute malware".
This isn't the first time that Google has responded to an NSS Labs comparison study; it has become something of a tradition. As in the past, Google insists that by a large margin the most widely used practice on the Web (98%) is the installation of malware from malicious pages which exploit a vulnerability in a browser or plugin (drive-by download).
NSS Labs must have felt that a response was coming from Google: in its report, NSS Labs congratulated Google for adding social engineering malware protection to the Chrome browser (Chrome now blocks 13.2% of malware compared to 3% a year ago), writing "we see the addition of this as proof that even though Google has taken to talking down our previous test results, the Chrome engineering team has nevertheless been working hard to attack this known issue".
Google's report, titled "Trends in Circumventing Web-Malware Detection" (PDF), is based on the analysis of four years of data collected from 160 million web pages on close to 8 million sites. It draws on the Safe Browsing service (API) found in browsers like Google Chrome and Firefox.
To avoid detection by Safe Browsing, malware programmers use a technique that has become more frequent recently: the malware uses a benign page (without any attack) as a front for detection systems when a request is made to the Safe Browsing system, but then calls malicious content into the page being visited by the browser.
According to Google, the mechanisms used to spread these exploits are known to be "increasingly complex and evasive", and it recommends using multiple protection methods to improve detection rates.