IE9 versus Chrome: which one blocks malware better?

Summary: Social engineering has become the dominant method of distribution for fake antivirus software these days. Google Chrome puts you at risk: in my testing, malware broke through Chrome's defenses in four clicks. Internet Explorer 9 flags the exact same sites and files as suspicious. What's really going on?

Last week I looked at a fascinating sample of malware that specifically targeted users of Google Chrome. Over the past few days, I’ve been looking more closely at this particular malware attack, which appears to be widespread and extremely persistent.

Social engineering has become the dominant method of distribution for fake antivirus software. And most modern browsers, with one exception, do a terrible job of dealing with this type of threat. Current builds of Chrome display a terrible flaw that puts you at greater risk than its competitors. In my testing, a malware author was able to exploit Chrome in four easy clicks. In stark contrast, Internet Explorer 9 used some new technology to flag the exact same sites and files as suspicious, providing unmistakable warnings that have been shown to stop 95% of these attacks in their tracks.

I’ve captured the experience for both browsers in these two videos and in an accompanying screenshot gallery so you can see for yourself. And if you make it to page 3, you'll read about the new reputation-based technology that's given IE9 the lead.

First a little background. Fake antivirus software has been around for at least seven years, but this category of attack has exploded in popularity among bad guys in recent months. The technique is simple social engineering, and it works by scaring the target into thinking their system has been infected with a virus (or a whole bunch of them) and then offering to fix the problem—for a fee. The fake AV software often downloads additional Trojans and can actually cause the sort of problems it claims to be solving.

Here’s how it goes when you’re using Google Chrome 10 on Windows 7. Notice the attention to detail that the malware authors used in this attack. The dialog boxes and warning screens certainly look like they’re part of Google Chrome. (I recommend clicking the full-screen button in the lower right corner of the video clips below so you can see all the details in each one.)

Now here’s an attack from the same set of search results, this time gathered using Internet Explorer 9. The fake scan is a pretty decent imitation of a Windows 7 security screen. But the result is different.

This particular attack represents the current state of the art for malware distribution. There are probably thousands of legitimate domains that have been hijacked to host these links—they’re the ones that show up in search results. The domains they redirect to are hosting the malware. Over the course of the past four days I have watched these malware domains change over and over again. As one is shut down, another takes its place. And the Trojan executables are mutating very rapidly, perhaps even hourly. Antivirus signatures are not able to detect the mutated strains until they’ve been in the wild for a day, by which time they’ve already been replaced.

This is a huge problem. According to data that Microsoft has gathered from billions of downloads over the past two years, roughly 1 out of every 14 program downloads is later identified as malware.

So how do you stop this sort of attack? Google and Microsoft are taking different approaches, with very different results.

Page 2: Why antivirus software can't keep up

Zero-day exploits get all the sexy headlines, but social engineering gets most of the results. And the bad guys have figured that out, devising a playbook that is rendering most antivirus software useless.

As I noted last week, a 2010 study by AVG found that social engineering attacks outnumbered direct exploits by a ratio of 4:1. A similar study by Google researchers analyzed fake AV distribution (here’s the full report, in PDF format) and found that up to 90% of all domains involved in distributing fake antivirus software used social engineering techniques.

The example I showed the other day involved a fairly esoteric search term: Silverlight datagrid reorder columns

But that wasn’t just a random, isolated example. With a little research, I was able to find other, similar terms that produced links to compromised sites. When I searched for custom asp datagrid open source, flash 8 datagrid headerrenderer, datagrid perl tk selectionset, or datagrid view column sort event, I found multiple examples of sites that led to fake AV software. Using lists of similar search terms that I culled from some unsavory sources, I am confident that I can reproduce these results with hundreds or even thousands of search terms.

Bing is not immune from this type of “search engine poisoning,” but it appears that the bad guys have done a particularly effective job in targeting Google. For one Google search that I conducted over the weekend, java arraylist checkbox javascript, the top search result led to a compromised malware attack. Here’s the proof:

Google Image search results are even worse. Two image searches I performed at google.com led to poisoned results. Here are the search terms and the results:

  • H628 Logitech: Two results in the first 15 were poisoned with malware. A third was suspicious, but whoever planted the attack code on the compromised website had broken the site, so that attack failed.
  • Yuri Gagarin: The first Russian cosmonaut was in the news recently for the 50th anniversary of Sputnik. Two images in the first 20 Google Image search results were poisoned with malware, and a third led to a fraudulent online casino. I captured this attack on video as well.

Every one of these attacks follows the same pattern:

  1. You do a search and then click a link in a set of search results.
  2. The link from the search engine results leads to a page on a website that has been taken over by an outside attacker so that it runs a snippet of JavaScript. (If you enter the URL of that page directly, you bypass the redirect and get a mishmash of images and text and search terms.)
  3. The JavaScript redirects your browser to a site that hosts the malware. The landing page runs a social engineering attack—a fake “security scan” that purports to show that your computer is infected with multiple viruses.
  4. When the script finishes running, a dialog box offers to help you “remove” the infections. In reality, just about anything you do at this point will attempt to download the malicious software.

So, what’s a browser maker to do? The malware is so fresh that your up-to-date antivirus software doesn’t detect it yet. Here’s where Chrome and IE9 take very different approaches.

Page 3: How do you disrupt social engineering?

Google Chrome handles unknown executables the same way Internet Explorer 8 and Firefox do. It allows you to save the file locally, and then you can decide whether to run it. If the social engineering did its job, that means that a significant number of people are going to choose wrong.

Google Chrome frequently allowed me to save what turned out later to be malware. In a few cases I received a warning, but more often the executable file was simply downloaded and allowed to sit in the download bar at the bottom of the browser window. Here are the two download prompts I saw in Google Chrome, taken literally moments apart and representing tiny variations on the exact same dangerous executable.

In some cases, just clicking the plain white background of a hijacked web page caused Chrome to download a file and save it in the Downloads folder. Because this is an executable file, simply clicking its entry in the Chrome downloads bar causes it to run. In the video I showed here, that took only four clicks, none of which offered any information to help me make a smart decision.

So how is Internet Explorer 9 different? Every download request gets passed through Microsoft’s SmartScreen filters. Google does something similar. But the IE9 version of SmartScreen includes a new set of algorithms designed to test the reputation of this executable file. Has it been seen before? Is there anything about the file name or the domain that looks suspicious?

In fact, one of the most important questions to ask is this one: Is the executable file digitally signed? Microsoft’s researchers found that roughly 96% of all those red warnings are attached to unsigned, previously unseen files. The algorithm assumes that a file—signed or unsigned—is untrustworthy until it establishes a reputation. No domain or file gets a free pass—not even a new signed release from Microsoft or Google. Every file has to build a reputation.

Update: The following paragraph has been expanded since its initial publication to clarify one important detail of the reputation-building process. For more details, see this post at the IE blog.

Software developers take note: The quickest way to build a positive reputation is to sign your executable files. Files inherit the reputation of the certificate used to sign them. A well-known, well-trusted digital certificate adds enough reputation credit to give a digitally signed file from a legitimate domain a positive reputation immediately. Unsigned files from unknown domains automatically get red-flagged and typically stay that way.

This approach turns conventional thinking on its head, but from a security perspective it’s the right thing to do. It deals with the problem of “dialog box fatigue” by reserving the most dire warnings for files that are new and unknown. Microsoft says that its data show the risk of being infected with malware from clicking through one of these “unknown file” warnings is at least 25% and possibly as high as 70% on any given day. Legitimate files quickly establish a reputation and no longer produce a warning. Actual malware quickly gets identified within a day or two and is fully blocked around the same time the hosting site gets shut down.
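As an added illustration of the reputation logic described above (this is not Microsoft's SmartScreen code; the download threshold, the store layout and the sample hashes, domains and certificate thumbprints are constructed assumptions), a Python model showing how an unseen file is treated, how a signed file inherits its certificate's reputation, and why a freshly mutated Trojan from a domain already identified as hosting malware is blocked even though its hash is new:

```python
# Simplified model of the reputation-based download screening the article describes. Added
# example, not Microsoft's SmartScreen code: threshold, store layout and data are assumptions.
from dataclasses import dataclass, field
from enum import Enum

GOOD_AFTER_DOWNLOADS = 50  # assumed: clean downloads before a file earns its own reputation

class Verdict(Enum):
    ALLOW = "allow silently"
    WARN = "red warning: not commonly downloaded and could harm your computer"
    BLOCK = "blocked: reported as unsafe"

@dataclass
class Download:
    sha256: str
    domain: str
    signer: str = ""  # thumbprint of the signing certificate; empty means unsigned

@dataclass
class ReputationStore:
    good_files: set = field(default_factory=set)
    bad_files: set = field(default_factory=set)
    good_certs: set = field(default_factory=set)
    good_domains: set = field(default_factory=set)
    bad_domains: set = field(default_factory=set)
    seen: dict = field(default_factory=dict)  # sha256 -> clean download count

    def decide(self, dl: Download) -> Verdict:
        # Every file starts untrusted; only earned or inherited reputation lifts the warning.
        if dl.sha256 in self.bad_files or dl.domain in self.bad_domains:
            return Verdict.BLOCK
        if dl.sha256 in self.good_files:
            return Verdict.ALLOW
        # A signed file inherits its certificate's reputation if the serving domain has one too.
        if dl.signer and dl.signer in self.good_certs and dl.domain in self.good_domains:
            return Verdict.ALLOW
        return Verdict.WARN  # unsigned and unknown: red-flagged until a reputation exists

    def observe(self, dl: Download) -> Verdict:
        verdict = self.decide(dl)
        if verdict is not Verdict.BLOCK:
            self.seen[dl.sha256] = self.seen.get(dl.sha256, 0) + 1
            if self.seen[dl.sha256] >= GOOD_AFTER_DOWNLOADS:
                self.good_files.add(dl.sha256)  # established: no more warnings
        return verdict

    def report_malware(self, sha256: str, domain: str) -> None:
        # Back-end analysis identified the file: block it and the domain that served it.
        self.bad_files.add(sha256)
        self.bad_domains.add(domain)

def demo() -> list:
    store = ReputationStore(good_certs={"cert-vendor-1"}, good_domains={"vendor.example"})
    vendor = Download("aaa111", "vendor.example", signer="cert-vendor-1")
    trojan_v1 = Download("bad001", "fakeav.example")  # unsigned and never seen before
    trojan_v2 = Download("bad002", "fakeav.example")  # hourly mutation: new hash, same domain
    results = [store.observe(vendor), store.observe(trojan_v1)]
    store.report_malware(trojan_v1.sha256, trojan_v1.domain)  # identified a day or two later
    results.append(store.observe(trojan_v2))  # new hash, but the domain is now known bad
    return results  # [ALLOW, WARN, BLOCK]
```

The second and third results show the point the article makes: a signature-based scanner would miss the mutated hash, while a domain that has already earned a bad reputation blocks every strain served from it.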

According to data that Microsoft gathered during beta testing of IE9, this approach has had a profound impact on user behavior. Fully 95% of previously undetected malware is now either deleted or not run by the user. The impact on actual infections is equally profound, with Microsoft data showing infection rates have dropped to 1/20th compared to similar rates for IE8.

This kind of improvement isn’t just a matter of clever code. It takes a tremendous investment in back-end services and a huge commitment of resources—people and money—to do the necessary analysis. This is one feature that other browser makers—especially Google—desperately need to copy.

Talkback

212 comments
  • RE: IE9 versus Chrome: which one blocks malware better?

    Nice one, Microsoft! Would you call this social re-engineering? IE9 and Windows 7 seem like the start of something new with Microsoft. Both of these pieces of software clearly show that they are at last listening to what their customers need and want, and then going the extra mile. IE9 is genuinely nice. I recommend it to all my Win7-using clients.
    Imrhien
    • Since Chrome = malware ...

      IE9 wins this one hands down though I use neither as I prefer FireFox's AdsBlock, FlashBlock and ScriptBlock for now.
      LBiege
      • RE: IE9 versus Chrome: which one blocks malware better?

        @LBiege

        Second that, still nothing better and for the really paranoid go browsing using your OS of choice in Vbox.
        Alan Smithie
      • Semi-paranoid

        @ Alan Smithie

        If you're only semi-paranoid, you can run the browser in the context of another user account, without even read access to any of your data (and perhaps with another security boundary, e.g. a separate desktop on Windows).
        WilErz
      • RE: IE9 versus Chrome: which one blocks malware better?

        @LBiege

        Chrome is not equal to malware, thank you very much. Chrome does NOTHING that you do not allow it to do, and it now has an ability to turn off the tracking that so many people disliked.
        Lerianis10
      • RE: IE9 versus Chrome: which one blocks malware better?

        @LBiege
        use breadcrumbs software
        Privacy man
      • RE: IE9 versus Chrome: which one blocks malware better?

        @LBiege No, Chrome does not have the ability to turn off tracking. It simply lets a web site know you don't want to be tracked and hopefully the web site says OK. Otherwise you are still being tracked! So, basically only web sites that really care about what you want will not track you. And the ones that are really wanting to track you will continue to track you.

        And no one said "Chrome is equal to malware", just that it doesn't do as good a job at protecting you from it.

        Google seems to have done a good brain wash on you . . .
        rmark@...
      • RE: IE9 versus Chrome: which one blocks malware better?

        @LBiege Same here...
        ejhonda
      • RE: IE9 versus Chrome: which one blocks malware better?

        @LBiege

        I used that stuff a few times and will never go back. Some of my worst and most dangerous infections I got while trusting those tools. IE9 owns it all and I have only two of the 10 hands down to MS. I still use Orca Browser primarily, but then I don't go to new websites much, but when I do I definitely open them with IE9 before anything else!!
        Ez_Customs
      • RE: IE9 versus Chrome: which one blocks malware better?

        @Lerianis10

        You're so out of it. Viruses get dominant because of that kind of stuff. Users are too lazy to look for the information about a company or file that they see available for download. If this wasn't true then why would this type of infection method be so dominant? Yes, Google doesn't do anything you don't ask it to, but in the case of redirect to spyware, do you want that? I didn't think so, and when that redirect automatically installs the base platform for the infection you're SOL. Even embedding enough to generate the fake scan is enough to say too late, the foundation is there ready to be activated. Just needs the right conditions to launch. Google does nothing to stop that. Even the most savvy techs wouldn't be able to stop something new like this. Your comment Lerianis10 is just ludicrous and so far out of the loop you shouldn't even be allowed to display your comment. The idea isn't to stop the usage, it is about warning you. After that if you choose to use it, that's your own stupidity. However Google literally does nothing to warn you; what little it does is basically hey a downloaded exe can be dangerous, well we had that level of security since AOL 2.5.
        Ez_Customs
      • RE: IE9 versus Chrome: which one blocks malware better?

        @LBiege I'd like to see this Talkback system written from the ground up with clean code. I get a system error message and everything I've typed is gone. I'm sorry for such negative-constructive feedback, but I'm done with this buggy Talkback system. Until I can participate in Talkback discussions with lengthy comments, I'd like to see error messages with as much technical detail as possible; even unhandled exceptions will be great as this Talkback system feels like a beta to me. Plus, even the ones that tell me that the message has been flagged as spam even though that's not the case.
        alasiri11
    • RE: IE9 versus Chrome: which one blocks malware better?

      Google Chrome is renowned to have very poor security, but that's not why people use it. They use it for a simple, quick browsing experience. Internet Explorer has made HUGE leaps forward in security and some analysts are estimating it to be the best in that arena at this point.
      @...
      • Um "renowned" by who

        @shane@... I've heard the opposite. Charlie Miller for one, who has been famous for winning pwn2own, said that Chrome was really hard to hack (vs IE, Safari and Firefox).
        DevGuy_z
      • RE: IE9 versus Chrome: which one blocks malware better?

        @DevGuy_z

        That is a totally false comment, that guy said it about IE9, Google Chrome wasn't even in the competition lamer. Go back to the fan boy blogs, you got tagged. I read that article and well frankly I have no intention to prove the accusation because you don't deserve it! Chrome browser has and will always be last in the best. Chrome 10 in comparison to IE9 Final and FireFox 4 loses in all but 1 area with substantial winnings, and that particular area means nothing to the end user!
        Ez_Customs
      • RE: IE9 versus Chrome: which one blocks malware better?

        @shane@... "Renowned to have very poor security"? According to which MSFT disinformation outlet?
        mejohnsn
    • Message has been deleted.

      zdnet@...
      • RE: IE9 versus Chrome: which one blocks malware better?

        @zdnet@...

        The menu bar isn't below the tabs! The IE9 64-bit launcher is known to crash, but why are you using it? There are so few sites on 64-bit design that you're not benefiting from it at all. You're just hating!
        Ez_Customs
      • RE: IE9 versus Chrome: which one blocks malware better?

        @Ez_Customs

        "there are so few sites on 64bit design"

        Huh??

        :)
        none none
    • RE: IE9 versus Chrome: which one blocks malware better?

      @Imrhien
      Why recommend it? The test here is truly deceptive because it's only IE which can provide a highway straight into the core of Windows. Crappy security in Windows is why you need all those security measures at all.

      Chrome doesn't allow ActiveX, which is why it is a superior choice.
      Don't buy the faulty message in the article; he lies through his teeth because the broken platform is still very much lucrative.
      Mikael_z
      • RE: IE9 versus Chrome: which one blocks malware better?

        @Mikael_z
        You said it well. This article merely looks at one attack vector and only goes part of the way along that vector, completely ignoring the obvious weaknesses in the OS which demands multi-layer security to protect it.

        Put another way, Ed the MS roBott is pretty close in this article to suggesting that IE9 is so good that the user has no surfing worries and choice of AV or OS are history.

        Ed is either a paid MS shill, or so closed-minded as to be not credible, sorry to say. I have had to work with MS for 25 years and security is simply not a core concept to them, still, although yes they have made improvements over the years, and yes IE9 is an improvement, but it falls short of the security which Chrome with its sandboxing and FF with tools such as NoScript and ABP provide.
        cavehomme1