Tuesday, August 16, 2011

Microsoft's bad reputation(s)

A new report claims that Internet Explorer 9 is far better at blocking socially-engineered malware than other browsers. (This is malware that tricks the user into installing it, rather than looking for a security weakness in software in order to install itself automatically.) IE9 is claimed to have a 96% protection rate, and its closest rival only a 13% protection rate.

Normally I'm quite sceptical of reports like this because they often turn out to have been sponsored by the firm that did so well, and the test proves to have been biased in some way to favour the sponsor's product.
In this case, this doesn't seem to be true. The test is not Microsoft funded and the testing organisation seems to have gathered its own test samples. (However, Trend Micro has contested the findings.)
Microsoft has achieved this success using something it calls SmartScreen URL Reputation and Application Reputation. In other words, it is trying to blacklist every malicious URL that comes into existence and whitelist every good download that exists on the web. Its users will be warned if a web site is malicious or if a download is not known to be good.
How does Microsoft identify malicious URLs? windowsteamblog.com explains:
SmartScreen's reputation systems begin with telemetry feeds: reports from end users, data from third parties, traffic from URLs showing up in e-mail, logs from our services, etc. Some of these feeds contain billions of URLs per day. Other feeds contain URLs that a third party has certified to be known phishing sites, and still others contain little more than the fact that an URL has appeared in spam e-mail messages.
(End users? Does that mean that Microsoft checks every URL Internet Explorer users visit? Well, as Microsoft call it a cloud-based URL-reputation service, I would imagine yes. Cloud based would imply that URLs are sent to the mother ship to be categorised good or bad, or investigated if unknown.)

These feeds are checked largely by an artificial intelligence, but in some cases by human analysts.
we take every URL in every feed and use machine learning to predict the probability that the URL is abusive. At a high level, this involves examining each URL for suspicious substrings (for example, the word "pharmacy" in the URL), looking up the history of the URL–its associated domain, IPs, DNS servers, routers, subnets, ASNs–and combining these into tens of thousands of potentially predictive features for the URL. We then apply models based in machine learning, which pore over these features and separate the abusive URLs from the honest ones. Most of the time, we are confident enough in the findings of our machine learning engine that we can flag a URL as abusive based on this recommendation alone. Sometimes a URL is suspicious but we're not certain; we send many of these suspicious URLs to our analysts for final classification.
Microsoft appears to be quite aggressive in extending this list of suspected malicious URLs:
With the right evidence, SmartScreen's reputation system will flag whole domains as abusive.

URLs and domains are concepts that let humans refer to computers. But every computer that's directly on the Internet also has a numeric code, called its IP address, that lets other computers refer to it. For example, 109.22.33.142 might be the IP address of the computer that's running the web server that's hosting the canada-pharmacy.us domain. SmartScreen's reputation system tracks these as well and will mark specific web server IP addresses as abusive. SmartScreen will also generalize to other computers "in the neighborhood" of known bad ones. For example, IP addresses are often allocated in blocks, and it's likely that the person who owns 109.22.33.142 also owns 109.22.33.143 and .144 and .145. We use knowledge about the way infrastructure blocks are allocated–into subnets, ASN (Autonomous System Number) blocks, the way message routing works, and more–to figure out what other computers the abusers own, and prevent those abusers from attacking Microsoft customers.

DNS servers are another key to SmartScreen's reputation system. DNS servers translate the URLs that you type into your browser into the IP addresses used by computers. SmartScreen assigns a lower reputation score to DNS servers that seem to know just a little bit too much about abusive domain names.
The aim is to increase the "costs that abusers incur as we dig deeper into their infrastructure".

Source: windowsteamblog.com.
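
The "neighborhood" generalization described in the quote can be sketched in a few lines. This is an added example, not Microsoft's code: the /24 block size, the threshold of three hosts, the labels and every address other than 109.22.33.142 to .145 are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data: the first three addresses come from the quoted
# example; 198.51.100.7 is an invented address in a documentation range.
KNOWN_ABUSIVE = ["109.22.33.142", "109.22.33.143", "109.22.33.144", "198.51.100.7"]


def flagged_networks(abusive_ips, prefix_len=24, threshold=3):
    """Return the networks that contain at least `threshold` known-abusive hosts.

    prefix_len and threshold are hypothetical tuning knobs, not SmartScreen values.
    """
    hosts_by_net = defaultdict(set)
    for ip in abusive_ips:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        hosts_by_net[net].add(ipaddress.ip_address(ip))
    return {net for net, hosts in hosts_by_net.items() if len(hosts) >= threshold}


def classify(ip, abusive_ips, flagged):
    """Label one address: direct evidence, inferred from neighbours, or unknown."""
    addr = ipaddress.ip_address(ip)
    if addr in {ipaddress.ip_address(a) for a in abusive_ips}:
        return "abusive"
    if any(addr in net for net in flagged):
        return "suspect-by-neighbourhood"
    return "unknown"


if __name__ == "__main__":
    flagged = flagged_networks(KNOWN_ABUSIVE)
    # 109.22.33.145 is the neighbour named in the quote; 109.22.33.10 stands in
    # for an unrelated site that happens to share the same hosting block.
    for ip in ["109.22.33.145", "109.22.33.10", "198.51.100.8"]:
        print(ip, classify(ip, KNOWN_ABUSIVE, flagged))
```

The unrelated 109.22.33.10 gets the same inferred label as .145, which is the collateral effect on legitimate sites discussed in the rest of this post.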

But is Microsoft being too aggressive in blocking URLs, and downloads as well, given that the Application Reputation system is also URL-based?
The Sophos nakedsecurity blog contends that there is a 30-75% chance that Application Reputation warnings will be a false positive.
There's certainly evidence that Microsoft is sometimes getting it wrong:
Ever since the release of Internet Explorer 9, we (and other smaller sites) have been plagued by visitors who, when they attempt to download our stationery files, see a strong warning in Internet Explorer 9 about downloading and installing our files. This is worrisome. Even visitors who have been downloading our stationery for over a decade are writing and expressing their concern about the safety of our files.

We’ve changed nothing as far as the way our files are created. The problem lies with Microsoft and Internet Explorer 9’s obviously misnamed, SmartScreen filter.
And there is concern that Microsoft's aggressive attitude to abusers is damaging legitimate users:
When users who know us and have trusted us for years write us expressing their concern, what do you think users who have just discovered our site are going to do? You’re right: They’re going to leave and never come back. There is nothing we can do about it – Microsoft doesn’t care about the damage this kind of thing causes to small, niche sites like ours. They’re concerned about Microsoft and protecting what’s left of its reputation.
thundercloud.net

The Sophos nakedsecurity blog identifies the problem:
Users think, "If this were truly dangerous, it would have simply been blocked, right?" Microsoft's statistics show that in a real world attack 99% of users did delete the file, but this warning message is still a new phenomenon. It will be interesting to see how many click through over the long run.

Even worse, if up to 75% of the time you get the warning you are downloading a legitimate file, will you continue to pay attention to the warning when it really matters?
The statistics show that at the moment the warnings are causing Internet Explorer 9 users to delete legitimate downloads. Internet Explorer 9 users need to be aware of this issue.

Microsoft may be saving you from yourself (to save its reputation?), but it is handing out some undeserved bad reputations. Don't assume that a SmartScreen download warning means a file is malware, but don't become complacent and assume a warning is a false positive either. Get the balance right.
