Thursday, June 10, 2010

Comparison of Malware protections: Google Safe Browsing, Microsoft SmartScreen, etc.

All modern web browsers now include protections for malware. They include a list of known malicious URLs, and compare each address visited by the user against this list. If the URL is recognized as malicious, a warning message is displayed in place of the HTML page. They also protect against Phishing sites, but I won't dive into this feature during this post.

SmartScreen Filter warning in Internet Explorer


Chrome, Safari and Firefox 3.x use Google SafeBrowsing, while Internet Explorer 8 has SmartScreen Filters and Opera includes lists from Netcraft and TRUSTe. Note that it took Safari more than 20 minutes for SafeBrowsing to start working after I upgraded from Safari 4. It did not show any warning, informing that malware protection was disabled while it was retrieving the database.

Safari waning message

I was wondering how well these protections work against current threats. Since antivirus doesn't perform well against viruses spread through fake AV pages, fake videos, or against malicious jar files, I wondered if these browser block lists would keep users safe against current spam SEO attacks.

I've tried a few domains for each type of attack, using each browser. All the malicious domains were directly identified from within Google search results, using popular search terms.

Protection against fake AV pages

I first tried various new fake AV domains as well as subdomains for xorg.pl (hostguard-31p.xorg.pl, hostguard-47p.xorg.pl, ubersaving26.xorg.pl, etc.), a domain that has hosted fake AV pages for months.

Browser New domains blocked Xorg.pl subdomains blocked
Firefox 3.6 7/75/5
Internet Explorer 8 2/7 0/5
Opera 10.5 0/7 0/5

Google Safe Browsing is very good at blocking fake AV pages. We report to Google on fake AV domains we identify, which they don't block, but we're noticing that there are fewer and fewer which they don't already block.

Protection against fake video codecs

This type of malicious pages seem to have staged a come back and we're seeing them more and more frequently since last week-end. In this scenario, the user is tricked into downloading an executable disguised as a video codec or new flash version.

Browser Urls blocked
Firefox 3.6 2/6
Internet Explorer 8 5/6
Opera 10.5 0/6

Internet Explorer did a great job at flagging the fake video sites. Google Safe browsing, surprisingly had a very low rate of success.

Protection against Java/PDF/Flash exploits

The number of Java exploits has also increased dramatically over the past few weeks.

BrowserUrls blocked
Firefox 3.62/4
Internet Explorer 81/4
Opera 10.50/4

Opera did not flag any of the malicious sites. Their security blacklists may be targeting phishing only. To make sure the security notification worked, I attempted to visit a phishing site and Opera did warn me.

Opera phishing warning


-- Julien

1 comment:

volatileacid said...

Smart screen from Micro$haft is shit. On numerous occasions, I submit immediately fraudulent and unscrupulous phishing websites the minute I get them on email.. (yes I know, sad) - but whereas the google safe browsing that comes with Firefox blocks sites really quick... the M$haft equivalent Smartscreen, does nothing for hours on end.