 


ANALYSIS BRIEF – September 2012

IS YOUR BROWSER PUTTING YOU AT RISK?
PART 1 – GENERAL MALWARE BLOCKING

Authors - Bob Walder, Francisco Artes, Stefan Frei, Ken Baylor, Jayendra Pathak, Vikram Phatak
	
  

Overview

The ineffectiveness of Web browser security is one of the most common reasons for malware infection. Browsers offer a direct and unique route for infection, bypassing corporate protection layers and bringing malware deep into the corporate environment, often protecting it from detection using SSL. Browsers must provide a strong layer of defense from malware, rather than defer to operating system antimalware solutions. This series examines the effectiveness of leading browsers to block malware.

The four leading browsers were tested against three million samples of real world malicious software. Major discrepancies were noted in their ability to block malware. Data represented in this report was captured over one hundred and seventy-five (175) days through NSS Labs’ unique live testing harness, and provides in-depth insight into the built-in protection capabilities of modern browsers, including Chrome, Firefox, Internet Explorer, and Safari.

This series of papers will examine the ability of the four leading browsers to block each of the five main purposes of malware and malware monetization. Monetization of malware is achieved by multiple means, including click fraud, fake antivirus, account / password theft, bank/financial fraud, and gaming fraud. Collectively they account for billions of dollars worth of corporate and consumer theft per year, yet browsers vary widely in their ability to block malware, despite adverse effects on business and individual users alike.

Tested Products
       •     Apple Safari 5
       •     Google Chrome 15 - 19
       •     Microsoft Internet Explorer 9
       •     Mozilla Firefox 7 – 13

Over 3,000,000 test cases were used in the data sampling captured via NSS Labs’ unique live testing harness. An initial sample set of 227,841 unique and suspicious URLs entered the system; 84,396 were found active and malicious and met the criteria for entry into the test. In total 3,038,324 test runs were performed by the four browsers against these unique 84,396 URLs – resulting in over 750,000 test cases per browser.
NSS Labs     Analysis Brief – Is Your Browser Putting You At Risk? Part 1


	
  

Testing was repeated every six (6) hours until the target URL was no longer active. Samples that did not pass the validation criteria were removed, including false positives and adware. Ultimately, 1,407,233 URL test cases passed the post-validation process and are included in the results. Each sample payload was validated internally. MD5 hashes of samples were submitted to VirusTotal and the resulting scanner reports were then used to classify malware types. Additionally, the test samples were verified by multiple independent external sources to confirm distribution accuracy and malware classification.

	
  

Figure 1 – Malware Block Rate Over Time with 10-Day Moving Average (higher % is better)
(Chart; vertical axis 0% to 100%; series: Firefox, Chrome, Internet Explorer, Safari.)

During the testing period, Internet Explorer maintained a malware block rate of 95% while Firefox and Safari’s block rate remained just under 6%. Over the same time period, Chrome’s block rate varied from 13% to just over 74%. This could be attributed to changing protection tactics over time, which is indicative of the ongoing battle between antimalware developers and malicious actors.


	
  
NSS Labs Findings:
       •       Browsers offer the largest attack surface in most enterprise networks and are the most common vector for malware installations.
       •       The use of SSL by browsers presents additional problems to enterprises since it offers the opportunity to bypass many layers of corporate security protection.
       •       The leading browsers show a significant variance in their ability to block malware.
       •       Given the increasing mobility of users and devices, blocking malware is not only extremely important, but potentially the only means of reducing risk when outside of the corporate perimeter of protection.
       •       Web browsing is the primary attack vector of criminals attempting to monetize malware, using a variety of means, including click fraud, fake antivirus, account / password theft, bank/financial fraud, and gaming fraud.
       •       The tolerance of browsers with low malware block rates may present undue risk to an organization.

© 2012 NSS Labs, Inc. All rights reserved.

	
  
NSS Labs Recommendations:
       •       Users should evaluate browser security as part of their layered security strategy.
       •       Enterprises should perform a risk analysis of the browsers in the organization and remove those with unjustified high risk where possible.
       •       Enterprise and individual users should use the findings in this report to assist in the selection of the browser most appropriate to their protection needs. However, malware infection rather than exploits were the subject of this test, and readers should not draw conclusions based upon this analysis brief alone.

	
  


Analysis

As the most widely used and ubiquitous means of accessing the Internet, web browsers are uniquely positioned to filter and stop malware at an early stage. This capability becomes even more important given the increasing mobility of devices, which means corporate perimeter and network protection services cannot always be relied upon.

To complement traditional defenses and to address the highly dynamic nature of current attacks and attack distribution methods, modern web browsers employ technologies to block access to malicious URLs before loading the content. Blocking access to malicious URLs is a formidable first line of defense, since it provides complete protection against malware entering the system. However, little is known or published on the effectiveness of web browsers’ internal blocking technology and performance.

This analysis examines the ability of four different web browsers to protect users from malware downloads, also known as socially-engineered malware.[1] Modern web browsers offer an added layer of protection against these threats by leveraging in-the-cloud, reputation-based mechanisms to warn users of potential infection. However, not all vendors have taken the same approach.

Browser protection contains two main functional components. The foundation is an “in-the-cloud” reputation-based system which scours the Internet for malicious web sites and categorizes content accordingly, either by adding it to a black or white list, or assigning a score (depending on the vendor’s approach). This categorization may be performed manually, automatically, or using both methods. Some vendors will utilize feedback from user agents on their customers’ endpoints to report back to the reputation system automatically, providing information relevant to the trustworthiness, or otherwise, of applications and files downloaded from the Internet. The second functional component resides within the web browser itself, and requests reputation information from the in-the-cloud systems about specific URLs and then enforces warning and blocking functions.

[1] Exploits that install malware without the user being aware (also referred to as “drive-by downloads”) are not included in this particular study.



When results are returned that a site is “bad,” the web browser redirects the user to a warning message or page informing that the URL is malicious. In the event that the URL links to a download, the web browser instructs the user that the content is likely malicious and that the download should be cancelled. Conversely, when a website is determined to be “good,” the web browser takes no action and the user is unaware that a security check was performed.




                                                                                                                                                                                                                  	
  	
                                                                                                                             	
  
                          	
  	
  	
  	
  	
  	
  	
Figure 1 – Browser Warnings
(Screenshot panels: Internet Explorer Warning, Chrome Warning, Firefox Warning, Safari Warning.)




Functionality unique to Chrome

NSS Labs determined that Safe Browsing API v2 includes additional functionality that has been integrated into Chrome, but not Firefox or Safari. This functionality provides reputation services for executable files, or as Google describes them, “malicious downloads”.

Figure 2 - Chrome Safe Browsing Warning





Malware Block Performance

Each browser’s individual block performance was tracked over time and mapped by malware purpose. When aggregated, an overall block rate of all collected malware by browser was developed. A browser’s overall block rate is defined as the number of successful blocks divided by the total number of test cases, expressed as a percentage. With tests conducted every 6 hours, a URL that was online for 48 hours will be tested 8 times. A browser blocking it on 6 (out of a maximum 8) test runs will achieve a block rate of 75%. Figure 3 shows the overall block performance of the four browsers tested. As expected, since Firefox and Safari use the same technology, they achieve similar block rates. However, the large difference of the average block rate between browsers is noteworthy, with results ranging from 4.7% up to 94%.

       Browser              Block rate
       Chrome               27.6%
       Firefox              5.0%
       Internet Explorer    94.0%
       Safari               4.7%

Figure 3 – Overall Malware Block Rate by Browser (higher % is better)
  

To assess the effectiveness of different blocking technologies, the NSS test harness also records the mechanism that blocked access to a URL.

Of the three browsers using Google’s Safe Browsing API, Chrome is the only one to also utilize Google’s malicious download technology. Figure 4 shows the block performance of the URL blocking component and the additional download block component used only by Google’s Chrome. The URL blocking performance of these three Safe Browsing browsers was consistent at around 5%. Google’s malicious download protection proved to be almost five times more effective than URL blocking alone. As seen in Figure , it increases overall blocking performance by 28% compared to URL blocking alone, and accounts for the majority of the blocking performance of Google Chrome.

The core protection technology in Internet Explorer is SmartScreen, which provides URL-based protection from attacks via an integrated cloud-based URL-reputation service. SmartScreen also works with Download Manager to prevent malicious downloads.








                             Safari    Internet Explorer    Firefox    Chrome
       SmartScreen                     94.0%
       SafeBrowsing          4.7%                           5.0%       4.6%
       Malicious Download    0.0%                           0.0%       23.0%

Figure 4 – Blocking technologies used by browsers (higher % is better)
  


Time to block Malicious Sites

Every time a new campaign is launched by malicious actors, it is vital that it is detected as quickly as possible by security solutions deployed in the enterprise. The following response time graph shows how long it took each of the browsers to block a threat once it was introduced into the test cycle. Cumulative protection rates are calculated each day until blocked.

	
  	
  	
  	
  
Figure 5 - Time to Block Malicious Sites
(Chart; vertical axis: Block Rate, 0% to 100%; horizontal axis: Days, 0 to 30; series: Internet Explorer, Chrome, Firefox, Safari.)




       Days    Firefox    Chrome    Internet Explorer    Safari
       1       4%         20%       91%                  4%
       2       5%         22%       92%                  4%
       3       5%         23%       92%                  4%
       4       5%         24%       92%                  4%
       5       5%         25%       93%                  4%
       6       5%         25%       93%                  5%
       7       5%         26%       93%                  5%
       10      5%         27%       93%                  5%
       15      5%         28%       94%                  5%
       20      5%         28%       94%                  5%
       25      5%         28%       94%                  5%
       30      5%         28%       94%                  5%

Table 1 - Time to Block Malicious Sites
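
The block-rate definition under "Malware Block Performance", the per-mechanism split of Figure 4 and the cumulative time-to-block rates of Table 1 can all be derived from one log of test runs. The following is an added example, not NSS Labs' harness code; the record layout, the browser and mechanism labels, the sample log and the "day d" cutoff are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TEST_INTERVAL = timedelta(hours=6)  # the brief retests each live URL every 6 hours


def make_runs(browser, url, start, n_runs, first_blocked_run, mechanism):
    """Constructed-data helper: n_runs records, 6 hours apart, for one URL.

    Runs with index >= first_blocked_run are recorded as blocked by `mechanism`;
    first_blocked_run=None means the browser never blocked the URL.
    Each record is (browser, url, timestamp, mechanism-or-None).
    """
    runs = []
    for i in range(n_runs):
        blocked = first_blocked_run is not None and i >= first_blocked_run
        runs.append((browser, url, start + i * TEST_INTERVAL,
                     mechanism if blocked else None))
    return runs


T0 = datetime(2012, 1, 1)
# Constructed sample log (not NSS Labs data): two URLs, each live for 48 hours,
# so each browser tests each URL 8 times. All labels are hypothetical.
SAMPLE_RUNS = (
    make_runs("browser-a", "http://bad.example/1", T0, 8, 2, "url-reputation")
    + make_runs("browser-a", "http://bad.example/2", T0, 8, None, None)
    + make_runs("browser-b", "http://bad.example/1", T0, 8, 0, "download-reputation")
    + make_runs("browser-b", "http://bad.example/2", T0, 8, 6, "url-reputation")
)


def block_rate(runs):
    """Overall block rate per browser: blocked test runs / all test runs, in %."""
    total, blocked = defaultdict(int), defaultdict(int)
    for browser, _url, _ts, mechanism in runs:
        total[browser] += 1
        if mechanism is not None:
            blocked[browser] += 1
    return {b: 100.0 * blocked[b] / total[b] for b in total}


def block_rate_by_mechanism(runs):
    """Split each browser's block rate by the mechanism that did the blocking."""
    total = defaultdict(int)
    hits = defaultdict(lambda: defaultdict(int))
    for browser, _url, _ts, mechanism in runs:
        total[browser] += 1
        if mechanism is not None:
            hits[browser][mechanism] += 1
    return {b: {m: 100.0 * n / total[b] for m, n in hits[b].items()}
            for b in total}


def cumulative_protection(runs, days):
    """Percent of URLs a browser first blocked within d days of their first test.

    Assumption: "day d" means the first block came less than d*24 hours after
    the URL entered the test; URLs never blocked count against every day.
    """
    first_seen, first_block = {}, {}
    for browser, url, ts, mechanism in runs:
        key = (browser, url)
        first_seen[key] = min(ts, first_seen.get(key, ts))
        if mechanism is not None:
            first_block[key] = min(ts, first_block.get(key, ts))

    result = defaultdict(dict)
    for d in days:
        urls, protected = defaultdict(int), defaultdict(int)
        for (browser, url), seen in first_seen.items():
            urls[browser] += 1
            blocked_at = first_block.get((browser, url))
            if blocked_at is not None and blocked_at - seen < timedelta(days=d):
                protected[browser] += 1
        for browser in urls:
            result[browser][d] = 100.0 * protected[browser] / urls[browser]
    return dict(result)


if __name__ == "__main__":
    print("overall:", block_rate(SAMPLE_RUNS))
    print("by mechanism:", block_rate_by_mechanism(SAMPLE_RUNS))
    print("cumulative:", cumulative_protection(SAMPLE_RUNS, [1, 2, 7]))
```

The per-run rate and the per-URL cumulative rate answer different questions: a URL blocked late in its lifetime lowers the first but still counts as protected in the second once its day is reached.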
  

	
  

Ultimately, the results reveal significant variations in the abilities of the browsers to protect against malware. Chrome provides more protection than Safari or Firefox using the Safe Browsing feed, apparently due to its malicious download protection. Trends show minor differences between Firefox and Safari.

Results from these tests indicate that the four browsers vary both in their approach and effectiveness in blocking different malware categories. It was decided to further categorize the malware behind the suspicious URLs to measure the browser’s block performance for each class of malware.

The ability of the four leading browsers to block each of the five main purposes of malware (click fraud, banking/financial fraud, fake antivirus, password/account theft and game fraud) was examined and will be detailed in subsequent papers in this series.

	
  


Reading List

Analysis Brief: Did Google Pull a Fast One on Firefox and Safari Users?






Appendix A – Methodology

Client Host Description

All tested browser software was installed on identical virtual machines with the following specifications:

       Microsoft Windows 7
       2GB RAM
       40GB hard drive

Browser machines were tested prior to, and during, the test to ensure proper functionality. Browsers were given full access to the Internet to enable them to visit live sites.


Tested Browsers

The browsers, or products under test, were obtained independently by NSS Labs. Generally available software releases were used in all cases. Each product was updated to the most current version available at the time testing began. The following is a current list of the web browsers that were tested:
              •   Google Chrome™ v15-19
              •   Microsoft® Internet Explorer® 9
              •   Mozilla® Firefox® v7-13
              •   Safari® v5.

Once testing began, the product version was monitored and new updates were applied in a realistic patching methodology. As a new version of a browser was made publicly available during the testing window, NSS would begin updating the test harness machines and run both versions in parallel over the course of a two-week phase-out of the prior version of the browser. This maintained the integrity of the virtual instances that were under test while allowing for fresh instances to start with the new browser version. This test relied upon Internet access for the reputation systems and access to live content. Generally, there is a configurable separation between software updates and database or signature updates, to draw analogies from anti-virus, intrusion prevention, and general software practices.


Network Description

The browsers were tested for their ability to protect the client in “connected” use cases. Thus, the tests consider and analyze the effectiveness of browser protection in NSS Labs’ real-world, live Internet testing harness.

The host system had one network interface card (NIC) and was connected to the network via a 1Gb switch port. For the purposes of this test, NSS Labs utilized 384 desktop systems each running a web browser. Results were recorded into a MySQL database.

Test Duration




NSS Labs’ browser test was performed continuously (24 x 7) for 175 days. Throughout the duration of the test, new URLs were added as they were discovered.

Test Frequency

Over the course of the test, each URL was run through the test harness every six hours. Regardless of success or failure, NSS Labs continued to attempt to download a malware sample with the web browser for the duration of the test.

[Figure: test cycle. Collect New Suspicious Malicious Sites from Sources → Pre-Filter, Validate, Prune & Archive Sites → Distribute to Test Clients → Test Clients Visit Site & Record Block/Allow → Results Collected & Archived]

Sample Sets for Malware URLs

Freshness of malware sites is a key attribute of this type of test. In order to utilize the freshest, most representative URLs, NSS Labs received a broad range of samples from a number of different sources.

Sources

NSS Labs operates its own network of spam traps and honeypots. These e-mail accounts with high-volume traffic yield thousands of unique e-mails and URLs per day. In addition, NSS Labs maintains relationships with other independent security researchers, networks, and security companies that provide access to URLs and malicious content. Sample sets contain malicious URLs distributed via e-mail, instant messaging, social networks, and malicious websites. No content is used from the tested parties.

Malicious URLs targeting users throughout the globe are identified and selected for inclusion in this test. Users are defined as individuals residing within the North American, South American, European, and Asia-Pacific regions, including: Argentina, Australia, Austria, Brazil, Canada, China, France, Germany, India, Italy, Japan, Indonesia, Mexico, New Zealand, Singapore, Spain, South Korea, Sweden, Thailand, the United Kingdom, the United States of America, and Vietnam. This report comprises only data from the United States of America samples; future papers will include the additional data. The ultimate determinant of whether or not a malicious URL is included in this test is its participation in a malware campaign targeting users. Lastly, just because a malicious URL is included in a campaign targeting an Asia-Pacific or a North American user does not mean that the URL is not used in other campaigns targeting users from other regions.





Exploits containing malware payloads (exploits plus malware), also known as “clickjacking” or “drive-by downloads”, are excluded from the test. Every effort is made to consider submissions that reflect a real-world distribution of malware—categorically, geographically, and by platform.

In addition, NSS Labs maintains a collection of “clean URLs” which includes sites from Yahoo, Amazon, Microsoft, Google, NSS Labs, major banks, and others. Periodically, clean URLs are run through the system to verify that the browsers are not over-blocking.

Catalog URLs

New sites are added to the URL consideration set as soon as possible. The date and time each sample is introduced is noted. Most sources are automatically and immediately inserted, while some methods require manual handling and can be processed in under 30 minutes. All items in the consideration set are cataloged with a unique NSS Labs ID, regardless of their validity. This enables correct tracking of effectiveness of sample sources.

Confirm Sample Presence of URLs

Time is of the essence since the objective is to test the effectiveness against the freshest possible malware sites. Given the nature of the feeds, and the velocity of change, it is not possible to validate each site in depth before the test, since the sites could quickly disappear. Thus, each of the test items is given a cursory review to verify it is present and accessible on the live Internet.

In order to be included in the execution set, URLs must be live during the test iteration. At the beginning of each test cycle, the availability of the URL is confirmed by ensuring that the site can be reached and is active, such that a non-404 web page is returned.

This validation occurs within minutes of receiving the samples from NSS sources. Note: These classifications are further validated after the test, and URLs are reclassified and/or removed accordingly.

Archive active URL content

The active URL content is downloaded and saved to an archive server with a unique NSS ID number. This enables NSS Labs to preserve the URL content for control and validation purposes.

Dynamically Execute Each URL

A client automation utility requests each of the URLs deemed “present” (based upon results of the test described in Section 5.4) via each of the web browsers in the test. NSS Labs records whether or not the malware is downloaded and if the download attempt triggers a warning from the browser’s malware protection.

Scoring and Recording the results

The resulting response is recorded as either “Allowed” or “Blocked and Warned.”

Success: NSS Labs defines success based upon a web browser successfully preventing malware from being downloaded and correctly issuing a warning.

Failure: NSS Labs defines a failure based upon a web browser failing to prevent the malware from being downloaded and/or failing to issue a warning.





Pruning

Throughout the test, lab engineers review and remove non-conforming URLs and content from the test execution set. For example, a URL that was initially classified as malware, but that has since been replaced with a generic splash page, will be removed from the test.

If a URL sample becomes unavailable for download during the course of the test, the sample is removed from the test collection for that iteration. NSS Labs continually verifies each sample’s presence (availability for download) and adds/removes each sample from the test set accordingly. Should a malware sample be unavailable for a test iteration and then become available again for a subsequent iteration, it will be added back into the test collection. Unavailable samples are not included in calculations of success or failure by a web browser.

Post-Test Validation

Post-test validation enables NSS Labs to reclassify and even remove samples that were either not malicious or not available before the test started. NSS Labs uses two different commercial sandboxes to prune and validate the malware (Sunbelt’s CWSandbox and Norman® Analyzer). Further validation is performed using proprietary tools, system instrumentation, and code analysis as needed.
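
The scoring, pruning and post-test validation rules described above can be combined into a single calculation, sketched here as an added example (it is not NSS Labs' harness code). The record layout, the browser labels, the sample IDs and the observations are all constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    sample_id: str   # stand-in for the unique ID assigned when a URL is cataloged
    browser: str     # hypothetical browser label, not a tested product
    iteration: int   # index of the six-hour test cycle
    available: bool  # URL was live (non-404) at the start of this cycle
    blocked: bool    # the malware download was prevented
    warned: bool     # the browser issued a warning


def is_success(obs):
    """Success requires both a prevented download and a warning."""
    return obs.blocked and obs.warned


def score(observations, removed_by_validation=frozenset()):
    """Return {browser: (successes, scored_runs)}.

    Runs are left out of the calculation when the sample was unavailable in
    that iteration (pruning) or when post-test validation removed the sample.
    """
    tally = defaultdict(lambda: [0, 0])
    for obs in observations:
        if obs.sample_id in removed_by_validation or not obs.available:
            continue
        tally[obs.browser][1] += 1
        if is_success(obs):
            tally[obs.browser][0] += 1
    return {browser: tuple(counts) for browser, counts in tally.items()}


def block_rate(observations, browser, removed_by_validation=frozenset()):
    """Fraction of scored runs that were successes, or None if nothing was scored."""
    successes, scored = score(observations, removed_by_validation).get(browser, (0, 0))
    return successes / scored if scored else None


def make_runs(sample_id, iteration, available, results):
    """Build one Observation per browser from {browser: (blocked, warned)}."""
    return [Observation(sample_id, browser, iteration, available, blocked, warned)
            for browser, (blocked, warned) in results.items()]


# Constructed observations (not data from the report):
#   S1 is live in both cycles.
#   S2 is live, then unavailable for one cycle, then live again.
#   S3 is later found to be non-malicious by post-test validation.
SAMPLE_RUNS = (
    make_runs("S1", 0, True, {"browser_a": (False, False), "browser_b": (True, True)})
    + make_runs("S1", 1, True, {"browser_a": (True, True), "browser_b": (True, True)})
    # browser_a blocks S2 without warning: still a failure under the definition
    + make_runs("S2", 0, True, {"browser_a": (True, False), "browser_b": (False, False)})
    + make_runs("S2", 1, False, {"browser_a": (False, False), "browser_b": (False, False)})
    + make_runs("S2", 2, True, {"browser_a": (True, True), "browser_b": (True, True)})
    + make_runs("S3", 0, True, {"browser_a": (False, False), "browser_b": (True, True)})
)

if __name__ == "__main__":
    for label, removed in (("before validation", frozenset()), ("after validation", {"S3"})):
        for browser, (ok, total) in sorted(score(SAMPLE_RUNS, removed).items()):
            print(f"{label}: {browser} {ok}/{total} = {ok / total:.2f}")
```

Removing the sample that validation reclassifies changes both rates, which is why the order of pruning and scoring matters when comparing results.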
  

	
                                                             	
  





NSS Labs Test Environment and Methodology

NSS Labs has created a complex “live” test environment and methodology to assess the protective capabilities of Internet browsers under the most real-world conditions possible, while also maintaining control and verification of the procedures.

The purpose of the study was to determine how well current web browsers protect users from the most prevalent malware threats on the Internet today. A key aspect in any test of this nature is the timing. Given the rapid rate and aggression with which criminals propagate and manipulate malicious websites, a key objective is to ensure that the “freshest” sites possible are included in the test.

NSS Labs has developed a unique proprietary “Live Testing” harness and methodology. As part of this methodology, NSS Labs continually collects web-based threats from multiple sources, including partners and NSS’ own servers and high-interaction honeynets. Potential threats are vetted algorithmically before being inserted into the test queue; threats are being inserted and vetted continually. Unique in this procedure is that NSS Labs validates the samples before and after the test. Actual testing of the threats is repeated every six hours and starts with validation of the site’s existence and conformance to the test definition.

All tests are executed in a highly controlled manner, and results are meticulously recorded and archived at each interval.




Figure 2 - NSS Test Framework



Contact Information

NSS Labs, Inc.
6207 Bee Caves Road, Suite 350
Austin, TX 78746 USA
+1 (512) 961-5300
info@nsslabs.com
www.nsslabs.com

This analysis brief was produced as part of NSS Labs’ independent testing information services. Leading products were tested at no cost to the vendor, and NSS Labs received no vendor funding to produce this analysis brief.

© 2012 NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the authors.

Please note that access to or use of this report is conditioned on the following:

1. The information in this report is subject to change by NSS Labs without notice.

2. The information in this report is believed by NSS Labs to be accurate and reliable at the time of publication, but is not guaranteed. All use of and reliance on this report are at the reader’s sole risk. NSS Labs is not liable or responsible for any damages, losses, or expenses arising from any error or omission in this report.

3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY NSS LABS. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND EXCLUDED BY NSS LABS. IN NO EVENT SHALL NSS LABS BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.

4. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or software) tested or the hardware and software used in testing the products. The testing does not guarantee that there are no errors or defects in the products or that the products will meet the reader’s expectations, requirements, needs, or specifications, or that they will operate without interruption.

5. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned in this report.

6. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of their respective owners.




 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 

Recently uploaded (20)

"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 

2012 ab is-your-browser-putting-you-at-risk

ANALYSIS BRIEF – September 2012
IS YOUR BROWSER PUTTING YOU AT RISK?
PART 1 – GENERAL MALWARE BLOCKING

Authors - Bob Walder, Francisco Artes, Stefan Frei, Ken Baylor, Jayendra Pathak, Vikram Phatak

Overview
The ineffectiveness of Web browser security is one of the most common reasons for malware infection. Browsers offer a direct and unique route for infection, bypassing corporate protection layers and bringing malware deep into the corporate environment, often protecting it from detection using SSL. Browsers must provide a strong layer of defense from malware, rather than defer to operating system antimalware solutions. This series examines the effectiveness of leading browsers to block malware.

The four leading browsers were tested against three million samples of real world malicious software. Major discrepancies were noted in their ability to block malware. Data represented in this report was captured over one hundred and seventy-five (175) days through NSS Labs’ unique live testing harness, and provides in-depth insight into the built-in protection capabilities of modern browsers, including Chrome, Firefox, Internet Explorer, and Safari.

This series of papers will examine the ability of the four leading browsers to block each of the five main purposes of malware and malware monetization. Monetization of malware is achieved by multiple means, including click fraud, fake antivirus, account / password theft, bank/financial fraud, and gaming fraud. Collectively they account for billions of dollars worth of corporate and consumer theft per year, yet browsers vary widely in their ability to block malware, despite adverse effects on business and individual users alike.

Tested Products
• Apple Safari 5
• Google Chrome 15 - 19
• Microsoft Internet Explorer 9
• Mozilla Firefox 7 – 13

Over 3,000,000 test cases were used in the data sampling captured via NSS Labs’ unique live testing harness. An initial sample set of 227,841 unique and suspicious URLs entered the system; 84,396 were found active and malicious and met the criteria for entry into the test. In total 3,038,324 test runs were performed by the four browsers against these unique 84,396 URLs – resulting in over 750,000 test cases per browser.
NSS Labs
Analysis Brief – Is Your Browser Putting You At Risk? Part 1

Testing was repeated every six (6) hours until the target URL was no longer active. Samples that did not pass the validation criteria were removed, including false positives and adware. Ultimately, 1,407,233 URL test cases passed the post-validation process and are included in the results. Each sample payload was validated internally. MD5 hashes of samples were submitted to VirusTotal and the resulting scanner reports were then used to classify malware types. Additionally, the test samples were verified by multiple independent external sources to confirm distribution accuracy and malware classification.

[Figure 1 – Malware Block Rate Over Time with 10-Day Moving Average (higher % is better); series: Firefox, Chrome, Internet Explorer, Safari]

During the testing period, Internet Explorer maintained a malware block rate of 95% while Firefox and Safari’s block rate remained just under 6%. Over the same time period, Chrome’s block rate varied from 13% to just over 74%. This could be attributed to changing protection tactics over time that is indicative of the ongoing battle between antimalware developers and malicious actors.

NSS Labs Findings:
• Browsers offer the largest attack surface in most enterprise networks and are the most common vector for malware installations.
• The use of SSL by browsers presents additional problems to enterprises since it offers the opportunity to bypass many layers of corporate security protection.
• The leading browsers show a significant variance in their ability to block malware.
• Given the increasing mobility of users and devices, blocking malware is not only extremely important, but potentially the only means of reducing risk when outside of the corporate perimeter of protection.
• Web browsing is the primary attack vector of criminals attempting to monetize malware, using a variety of means, including click fraud, fake antivirus, account / password theft, bank/financial fraud, and gaming fraud.

© 2012 NSS Labs, Inc. All rights reserved.
• The tolerance of browsers with low malware block rates may present undue risk to an organization.

NSS Labs Recommendations:
• Users should evaluate browser security as part of their layered security strategy.
• Enterprises should perform a risk analysis of the browsers in the organization and remove those with unjustified high risk where possible.
• Enterprise and individual users should use the findings in this report to assist in the selection of the browser most appropriate to their protection needs. However, malware infection rather than exploits was the subject of this test, and readers should not draw conclusions based upon this analysis brief alone.

Analysis
As the most widely used and ubiquitous means of accessing the Internet, web browsers are uniquely positioned to filter and stop malware at an early stage. This capability becomes even more important given the increasing mobility of devices, which means corporate perimeter and network protection services cannot always be relied upon.

To complement traditional defenses and to address the highly dynamic nature of current attacks and attack distribution methods, modern web browsers employ technologies to block access to malicious URLs before loading the content. Blocking access to malicious URLs is a formidable first line of defense, since it provides complete protection against malware entering the system. However, little is known or published on the effectiveness of web browsers’ internal blocking technology and performance.

This analysis examines the ability of four different web browsers to protect users from malware downloads, also known as socially-engineered malware.1 Modern web browsers offer an added layer of protection against these threats by leveraging in-the-cloud, reputation-based mechanisms to warn users of potential infection. However, not all vendors have taken the same approach.

Browser protection contains two main functional components. The foundation is an “in-the-cloud” reputation-based system which scours the Internet for malicious web sites and categorizes content accordingly, either by adding it to a black or white list, or assigning a score (depending on the vendor’s approach). This categorization may be performed manually, automatically, or using both methods. Some vendors will utilize feedback from user agents on their customers’ endpoints to report back to the reputation system automatically, providing information relevant to the trustworthiness, or otherwise, of applications and files downloaded from the Internet. The second functional component resides within the web browser itself, and requests reputation information from the in-the-cloud systems about specific URLs and then enforces warning and blocking functions.

1 Exploits that install malware without the user being aware (also referred to as “drive-by downloads”) are not included in this particular study.
When results are returned that a site is “bad,” the web browser redirects the user to a warning message or page informing them that the URL is malicious. In the event that the URL links to a download, the web browser instructs the user that the content is likely malicious and that the download should be cancelled. Conversely, when a website is determined to be “good,” the web browser takes no action and the user is unaware that a security check was performed.

[Figure 1 – Browser Warnings; panels: Internet Explorer Warning, Chrome Warning, Firefox Warning, Safari Warning]

Functionality unique to Chrome
NSS Labs determined that Safe Browsing API v2 includes additional functionality that has been integrated into Chrome, but not Firefox or Safari. This functionality provides reputation services for executable files, or as Google describes them, “malicious downloads”.

[Figure 2 - Chrome Safe Browsing Warning]
Malware Block Performance
Each browser’s individual block performance was tracked over time and mapped by malware purpose. When aggregated, an overall block rate of all collected malware by browser was developed. A browser’s overall block rate is defined as the percentage of successful blocks divided by the total number of test cases. With tests conducted every 6 hours, a URL that was online for 48 hours will be tested 8 times. A browser blocking it on 6 (out of a maximum 8) test runs will achieve a block rate of 75%. Figure 3 shows the overall block performance of the four browsers tested. As expected, since Firefox and Safari use the same technology, they achieve similar block rates. However, the large difference of the average block rate between browsers is noteworthy, with results ranging from 4.7% up to 94%.

Browser             Overall block rate
Chrome              27.6%
Firefox             5.0%
Internet Explorer   94.0%
Safari              4.7%

Figure 3 – Overall Malware Block Rate by Browser (higher % is better)

To assess the effectiveness of different blocking technologies, the NSS test harness also records the mechanism that blocked access to a URL.

Of the three browsers using Google’s Safe Browsing API, Chrome is the only one to also utilize Google’s malicious download technology. Figure 4 shows the block performance of the URL blocking component and the additional download block component used only by Google’s Chrome. The URL blocking performance of these three Safe Browsing browsers was consistent at around 5%. Google’s malicious download protection proved to be almost five times more effective than URL blocking alone. As seen in Figure , it increases overall blocking performance by 28% compared to URL blocking alone, and accounts for the majority of the blocking performance of Google Chrome.

The core protection technology in Internet Explorer is SmartScreen, which provides URL-based protection from attacks via an integrated cloud-based URL-reputation service. SmartScreen also works with Download Manager to prevent malicious downloads.
Technology           Safari   Internet Explorer   Firefox   Chrome
SmartScreen                   94.0%
SafeBrowsing         4.7%                         5.0%      4.6%
Malicious Download   0.0%                         0.0%      23.0%

Figure 4 – Blocking technologies used by browsers (higher % is better)

Time to block Malicious Sites
Every time a new campaign is launched by malicious actors, it is vital that it is detected as quickly as possible by security solutions deployed in the enterprise. The following response time graph shows how long it took each of the browsers to block a threat once it was introduced into the test cycle. Cumulative protection rates are calculated each day until blocked.

[Figure 5 - Time to Block Malicious Sites; y-axis: Block Rate (0% to 100%), x-axis: Days (0 to 30); series: Internet Explorer, Chrome, Firefox, Safari]
Days   Firefox   Chrome   Internet Explorer   Safari
1      4%        20%      91%                 4%
2      5%        22%      92%                 4%
3      5%        23%      92%                 4%
4      5%        24%      92%                 4%
5      5%        25%      93%                 4%
6      5%        25%      93%                 5%
7      5%        26%      93%                 5%
10     5%        27%      93%                 5%
15     5%        28%      94%                 5%
20     5%        28%      94%                 5%
25     5%        28%      94%                 5%
30     5%        28%      94%                 5%

Table 1- Time to Block Malicious Sites

Ultimately, the results reveal significant variations in the abilities of the browsers to protect against malware. Chrome provides more protection than Safari or Firefox using the Safe Browsing feed, apparently due to its malicious download protection. Trends show minor differences between Firefox and Safari.

Results from these tests indicate that the four browsers vary both in their approach and effectiveness in blocking different malware categories. It was decided to further categorize the malware behind the suspicious URLs to measure the browser’s block performance for each class of malware.

The ability of the four leading browsers to block each of the five main purposes of malware: click fraud, banking/financial fraud, fake antivirus, password/account theft and game fraud was examined and will be detailed in subsequent papers in this series.

Reading List
Analysis Brief: Did Google Pull a Fast One on Firefox and Safari Users?
Appendix A – Methodology

Client Host Description
All tested browser software was installed on identical virtual machines with the following specifications:
• Microsoft Windows 7
• 2GB RAM
• 40GB hard drive

Browser machines were tested prior to, and during, the test to ensure proper functionality. Browsers were given full access to the Internet to enable them to visit live sites.

Tested Browsers
The browsers, or products under test, were obtained independently by NSS Labs. Generally, available software releases were used in all cases. Each product was updated to the most current version available at the time testing began. The following is a current list of the web browsers that were tested:
• Google Chrome v15-19
• Microsoft Internet Explorer 9
• Mozilla Firefox v7-13
• Safari v5

Once testing began, the product version was monitored and new updates were applied in a realistic patching methodology. As a new version of a browser was made publicly available during the testing window, NSS would begin updating the test harness machines and run both versions in parallel over the course of a two-week phase-out of the prior version of the browser. This maintained the integrity of the virtual instances that were under test while allowing for fresh instances to start with the new browser version. This test relied upon Internet access for the reputation systems and access to live content. Generally, there is a configurable separation between software updates and database or signature updates, to draw analogies from anti-virus, intrusion prevention, and general software practices.

Network Description
The browsers were tested for their ability to protect the client in “connected” use cases. Thus, the tests consider and analyze the effectiveness of browser protection in NSS Labs’ real-world, live Internet testing harness.

The host system had one network interface card (NIC) and was connected to the network via a 1Gb switch port. For the purposes of this test, NSS Labs utilized 384 desktop systems each running a web browser. Results were recorded into a MySQL database.

Test Duration
NSS Labs’ browser test was performed continuously (24 x 7) for 175 days. Throughout the duration of the test, new URLs were added as they were discovered.

Test Frequency
Over the course of the test, each URL was run through the test harness every six hours. Regardless of success or failure, NSS Labs continued to attempt to download a malware sample with the web browser for the duration of the test.

[Diagram: test cycle – Collect New Suspicious Malicious Sites from Sources; Pre-Filter, Validate, Prune & Archive Sites; Distribute to Test Clients; Test Clients Visit Site & Record Block/Allow; Results Collected & Archived]

Sample Sets for Malware URLs
Freshness of malware sites is a key attribute of this type of test. In order to utilize the freshest, most representative URLs, NSS Labs received a broad range of samples from a number of different sources.

Sources
NSS Labs operates its own network of spam traps and honeypots. These e-mail accounts with high-volume traffic yield thousands of unique e-mails and URLs per day. In addition, NSS Labs maintains relationships with other independent security researchers, networks, and security companies that provide access to URLs and malicious content. Sample sets contain malicious URLs distributed via: e-mail, instant messaging, social networks, and malicious websites. No content is used from the tested parties.

Malicious URLs targeting users throughout the globe are identified and selected for inclusion in this test. Users are defined as individuals residing within the North American, South American, European, and Asia-Pacific regions, including: Argentina, Australia, Austria, Brazil, Canada, China, France, Germany, India, Italy, Japan, Indonesia, Mexico, New Zealand, Singapore, Spain, South Korea, Sweden, Thailand, the United Kingdom, the United States of America, and Vietnam. This report is comprised only of data from the United States of America samples; future papers will include the additional data. The ultimate determinant of whether or not a malicious URL is included in this test is its participation in a malware campaign targeting users. Lastly, just because a malicious URL is included in a campaign targeting an Asia-Pacific or a North American user does not mean that the URL is not used in other campaigns targeting users from other regions.
  • 10. NSS  Labs   Analysis  Brief  –  Is  Your  Browser  Putting  You  At  Risk?  Part  1     Exploits  containing  malware  payloads  (exploits  plus  malware),  also  known  as  “clickjacking”  or  “drive-­‐by   downloads”  are  excluded  from  the  test.  Every  effort  is  made  to  consider  submissions  that  reflect  a  real-­‐world   distribution  of  malware—categorically,  geographically,  and  by  platform.       In  addition,  NSS  Labs  maintains  a  collection  of  “clean  URLs”  which  includes  sites  from  Yahoo,  Amazon,  Microsoft,   Google,  NSS  Labs,  major  banks,  and  others.  Periodically,  clean  URLs  are  run  through  the  system  to  verify  that  the   browsers  are  not  over-­‐blocking.   Catalog  URLs   New  sites  are  added  to  the  URL  consideration  set  as  soon  as  possible.  The  date  and  time  each  sample  is  introduced   is  noted.  Most  sources  are  automatically  and  immediately  inserted,  while  some  methods  require  manual  handling   and  can  be  processed  in  under  30  minutes.  All  items  in  the  consideration  set  are  cataloged  with  a  unique  NSS  Labs   ID,  regardless  of  their  validity.  This  enables  correct  tracking  of  effectiveness  of  sample  sources.   Confirm  Sample  Presence  of  URLs   Time  is  of  the  essence  since  the  objective  is  to  test  the  effectiveness  against  the  freshest  possible  malware  sites.   Given  the  nature  of  the  feeds,  and  the  velocity  of  change,  it  is  not  possible  to  validate  each  site  in  depth  before  the   test,  since  the  sites  could  quickly  disappear.  Thus,  each  of  the  test  items  is  given  a  cursory  review  to  verify  it  is   present  and  accessible  on  the  live  Internet.     In  order  to  be  included  in  the  execution  set,  URLs  must  be  live  during  the  test  iteration.  
At the beginning of each test cycle, the availability of the URL is confirmed by ensuring that the site can be reached and is active, such that a non-404 web page is returned.

This validation occurs within minutes of receiving the samples from NSS sources. Note: These classifications are further validated after the test, and URLs are reclassified and/or removed accordingly.

Archive Active URL Content

The active URL content is downloaded and saved to an archive server with a unique NSS ID number. This enables NSS Labs to preserve the URL content for control and validation purposes.

Dynamically Execute Each URL

A client automation utility requests each of the URLs deemed “present” (based upon results of the test described in Section 5.4) via each of the web browsers in the test. NSS Labs records whether or not the malware is downloaded and if the download attempt triggers a warning from the browser’s malware protection.

Scoring and Recording the Results

The resulting response is recorded as either “Allowed” or “Blocked and Warned.”

Success: NSS Labs defines success based upon a web browser successfully preventing malware from being downloaded and correctly issuing a warning.

Failure: NSS Labs defines a failure based upon a web browser failing to prevent the malware from being downloaded and/or failing to issue a warning.

Pruning

Throughout the test, lab engineers review and remove non-conforming URLs and content from the test execution set. For example, a URL that was initially classified as malware, but that has since been replaced with a generic splash page, will be removed from the test.

If a URL sample becomes unavailable for download during the course of the test, the sample is removed from the test collection for that iteration. NSS Labs continually verifies each sample’s presence (availability for download) and adds/removes each sample from the test set accordingly. Should a malware sample be unavailable for a test iteration and then become available again for a subsequent iteration, it will be added back into the test collection. Unavailable samples are not included in calculations of success or failure by a web browser.

Post-Test Validation

Post-test validation enables NSS Labs to reclassify and even remove samples that were either not malicious or not available before the test started. NSS Labs uses two different commercial sandboxes to prune and validate the malware (Sunbelt’s CWSandbox and Norman Analyzer). Further validation is performed using proprietary tools, system instrumentation, and code analysis as needed.
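
The scoring, pruning, and post-test validation rules described above can be worked through on a small data set. The following is an added example, not NSS Labs' harness code; the record layout, the browser names, the "NSS-000x" sample IDs, and all observations are constructed assumptions.

```python
from collections import Counter
from typing import NamedTuple

class Observation(NamedTuple):
    iteration: int     # test cycle in which the URL was requested
    sample_id: str     # catalog ID (the "NSS-000x" format is made up here)
    http_status: int   # presence check result at the start of the cycle
    browser: str       # placeholder browser name
    downloaded: bool   # did the malware reach the client?
    warned: bool       # did the browser's malware protection warn?

def is_success(obs):
    # Success requires both: download prevented AND warning issued.
    # A download with a warning, or a silent block, counts as a failure.
    return (not obs.downloaded) and obs.warned

def score(observations, rejected_ids):
    """Return ({browser: (blocked, tested)}, Counter of exclusion reasons)."""
    blocked, tested, excluded = Counter(), Counter(), Counter()
    for obs in observations:
        if obs.sample_id in rejected_ids:     # pruned or rejected post-test
            excluded["rejected"] += 1
        elif obs.http_status == 404:          # not live in this iteration only
            excluded["unavailable"] += 1
        else:
            tested[obs.browser] += 1
            blocked[obs.browser] += int(is_success(obs))
    return {b: (blocked[b], tested[b]) for b in tested}, excluded

O = Observation
OBSERVATIONS = [  # constructed sample data
    O(1, "NSS-0001", 200, "BrowserA", False, True),
    O(1, "NSS-0001", 200, "BrowserB", True, False),
    O(1, "NSS-0002", 200, "BrowserA", False, True),   # later found to be a splash page
    O(1, "NSS-0002", 200, "BrowserB", False, True),
    O(1, "NSS-0003", 404, "BrowserA", False, False),  # unavailable in iteration 1
    O(1, "NSS-0003", 404, "BrowserB", False, False),
    O(2, "NSS-0001", 200, "BrowserA", False, True),
    O(2, "NSS-0001", 200, "BrowserB", True, True),    # warned, but download went through
    O(2, "NSS-0003", 200, "BrowserA", True, False),   # live again, so back in the set
    O(2, "NSS-0003", 200, "BrowserB", False, True),
]
REJECTED = {"NSS-0002"}  # removed by pruning / post-test validation

if __name__ == "__main__":
    results, excluded = score(OBSERVATIONS, REJECTED)
    for name, (b, t) in sorted(results.items()):
        print(f"{name}: {b}/{t} blocked and warned ({b / t:.0%})")
    print("excluded observations:", dict(excluded))
```

Note that NSS-0003 is skipped only in the iteration where the presence check failed, while NSS-0002 is dropped from every iteration once it is rejected.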

NSS Labs Test Environment and Methodology

NSS Labs has created a complex “live” test environment and methodology to assess the protective capabilities of Internet browsers under the most real-world conditions possible, while also maintaining control and verification of the procedures.

The purpose of the study was to determine how well current web browsers protect users from the most prevalent malware threats on the Internet today. A key aspect in any test of this nature is the timing. Given the rapid rate and aggression with which criminals propagate and manipulate malicious websites, a key objective is to ensure that the “freshest” sites possible are included in the test.

NSS Labs has developed a unique proprietary “Live Testing” harness and methodology. As part of this methodology, NSS Labs continually collects web-based threats from multiple sources, including partners and NSS’ own servers and high-interaction honeynets. Potential threats are vetted algorithmically before being inserted into the test queue; threats are being inserted and vetted continually. Unique in this procedure is that NSS Labs validates the samples before and after the test. Actual testing of the threats is repeated every six hours and starts with validation of the site’s existence and conformance to the test definition.

All tests are executed in a highly controlled manner, and results are meticulously recorded and archived at each interval.

Figure 2 - NSS Test Framework

Contact Information

NSS Labs, Inc.
6207 Bee Caves Road, Suite 350
Austin, TX 78746 USA
+1 (512) 961-5300
info@nsslabs.com
www.nsslabs.com

This analysis brief was produced as part of NSS Labs’ independent testing information services. Leading products were tested at no cost to the vendor, and NSS Labs received no vendor funding to produce this analysis brief.

© 2012 NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the authors.

Please note that access to or use of this report is conditioned on the following:

1. The information in this report is subject to change by NSS Labs without notice.
2. The information in this report is believed by NSS Labs to be accurate and reliable at the time of publication, but is not guaranteed. All use of and reliance on this report are at the reader’s sole risk. NSS Labs is not liable or responsible for any damages, losses, or expenses arising from any error or omission in this report.
3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY NSS LABS. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND EXCLUDED BY NSS LABS. IN NO EVENT SHALL NSS LABS BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.
4. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or software) tested or the hardware and software used in testing the products. The testing does not guarantee that there are no errors or defects in the products or that the products will meet the reader’s expectations, requirements, needs, or specifications, or that they will operate without interruption.
5. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned in this report.
6. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of their respective owners.