May 17th, 2011
Social-engineering attacks, like tricking a user into running a malicious program, are far more common than attacks on security vulnerabilities. Application Reputation in IE9 helps protect users from these socially engineered malware attacks. This post offers details about real-world attacks and how these protections work.
For context, recent studies (like this one) show that despite the headlines that exploits of software vulnerabilities get, people browsing the Web are more likely to face a socially engineered attack. Recent articles (like this one) have compared different approaches to protecting people. Application Reputation is a natural extension of the current protections introduced in IE7 & IE8 that block phishing sites and sites that distribute malicious programs.
The Technology of Socially-Engineered Attack and Defense
User-downloaded malware is a huge problem and getting bigger.
Through the SmartScreen Filter, IE has been effective at blocking socially engineered malware attacks and malicious downloads – IE blocks between 2 and 5 million attacks a day for IE8 and IE9 customers. Since the release of IE8, SmartScreen has blocked more than 1.5 billion attempted malware attacks. IE is still the only major production browser to offer this kind of protection from socially engineered malware. From our experience operating these services at scale, we have found that 1 out of every 14 programs downloaded is later confirmed as malware.
Originally, SmartScreen protection was URL-based. IE7 introduced protection from phishing attacks by integrating a cloud-based URL-reputation service. IE8 added another layer of protection, also based on URLs (or Web addresses), to protect users from sites that offered malicious downloads and used social engineering techniques (“Run this to watch movies for free, download this security software to clean your machine, or get great emoticons!”) to get users to download and run them. URL-based protection from socially engineered malware attacks is an important layer of defense for consumers today on the Web.
That said, IE9 adds another layer of defense against socially engineered attacks that now looks at the application being downloaded – this is in addition to the URL-based protection described above. This new layer of protection is called SmartScreen Application Reputation. When it comes to program downloads, other browsers today either warn on every file or don’t warn at all. Neither of these approaches helps the user make a better decision. Application Reputation also addresses a limitation present in all block-based approaches that happens at the beginning of new attacks, before a Web site or program has been identified as malicious.
Using reputation helps protect users from newly released malware programs – pretending to be legitimate software programs – that are not yet detected by existing defense mechanisms. Reputation also enables IE9 to remove unnecessary warnings for downloads with an established positive reputation. Both publishers and individual applications build reputation. For example, a digitally signed application from a well-known publisher that has been widely downloaded has a better reputation than an unsigned application that has not yet been downloaded widely and has just been posted on a newly created Web site.
Anatomy of a Real World Attack
Let’s look at how the feature protected actual IE9 users from one particular attack. The figure shows the download traffic of a very large-scale malware attack (hundreds of thousands of downloads). Application Reputation warned IE9 users about this malicious program from the very moment it hit the Web at Hour 0.
Traditional block-based protection (URL-blocking as well as anti-virus) came in after Hour 11, well after the attack had passed its active period. The download warning within IE about the lack of an application reputation was the only defense that users had. 99% of IE9 users who clicked to download this malicious program chose to delete or not run the program from the Application Reputation unknown program warning.
In this attack, IE9 Application Reputation interrupted the deception of the attack (which was otherwise very convincing) and most users were able to make a great decision on their own. This outcome is exactly why we built SmartScreen Application Reputation into IE9. 99% of users were able to avoid the infection.
This is just one real-world example. Below, we discuss how this trend holds strong in aggregate. Application Reputation is a game changer for protection against socially-engineered malware attacks, which is the largest risk on the Web today.
Early Results: Reputation Informs Better Consumer Decisions
From looking at IE9 usage data, starting from the IE9 beta, we see two main patterns:
Dramatic reduction in malware infections for IE9 users
- Users are choosing to delete or not run malware 95% of the time from the new Application Reputation warnings
- We estimate that Application Reputation will prevent more than 20 Million additional infections per month (on top of existing SmartScreen URL reputation blocks)
Streamlined experience that warns only when the risk is high
- Because programs and publishers can now establish a reputation, 90% of program downloads no longer show browser security warnings when users have SmartScreen enabled
- From our data, the typical user will only see 2 warnings per year
- On any given day, clicking through the “unknown warning” carries a risk between 25% and 70% of malware infection
The reputation that applications and publishers build from actual customers is at the core of how this protection works. Most people would be cautious about buying something online from a complete stranger. Sites like Ebay, Etsy, Angie’s List, and Amazon.com show how people use reputation features to make better trust decisions online.
IE9 applies the concept of community reputation to programs that users download. From the data we’ve collected about user downloads from the browser, 1 out of every 14 programs downloaded is later confirmed as malware. Consumers need information to make better decisions.
IE9 uses an application’s reputation to warn customers about downloads that carry a higher risk because they have not yet established a reputation. More than 50% of programs lacking a reputation are new to the Web on a given day. On a daily basis, 25% to 70% of programs that trigger an Application Reputation warning in IE9 are later confirmed as malware. Programs and publishers that have already built reputation do not show a warning.
Many users rarely or never download programs that don’t already have an established application reputation. When they do, this warning is critical. Users are more likely to pay attention to this warning because it appears infrequently. Users can still choose to download the file. Our data shows that customers are making more informed choices – taking the time to check the source, or confirm it is something they meant to download. With SmartScreen Application Reputation, users are doing a much better job distinguishing between malware and legitimate downloads.
Better Consumer Protection through Data
Our goal is to establish a reputation for the publisher of every program on the Web so that consumers can have a safer and easier experience downloading them. Leading up to the IE9 beta, we analyzed billions of downloads and built a continuous model of application reputation and trust across the Web.
To sustain these coverage rates, we’ve built large-scale, objective intelligence systems that process billions of pieces of information on a daily basis. These systems are constantly building out reputation for new and existing applications and publishers. As of today, there are tens of thousands of publishers and millions of individual applications with an organically established reputation and we’re adding more all day, every day.
Sometimes, some users will see warnings for legitimate software that happens to be new and has not yet established a reputation. From the reports we received from the community, this is a rare exception. A new program from an existing publisher with an established reputation inherits the publisher’s reputation from that publisher’s code signing certificate. New publishers can build their code-signing reputation quickly with every download. Unsigned programs were the cause of 96% of the warnings that consumers have seen to date. The remaining 4% of warnings came from certificates previously associated with malware or certificates that were new and are still building a reputation. Customers can and do make informed choices to click through the warning when they trust the person they are transacting with and expect a download.
How Developers and Publishers Establish Reputation
By following industry best practices, developers can accelerate the process of building a good reputation. For example, signed programs typically build reputation twice as fast as unsigned programs. We recommend digitally signing programs with an Authenticode signature. Making sure that programs are not detected as malware is clearly important as well. The Windows Logo process also helps establish a software publisher’s reputation.
Safer Is Beautiful
SmartScreen Application Reputation is protecting consumers every day.
There are many reasons to recommend your friends and family upgrade to Internet Explorer 9. We think staying safer online is a big one.
—Jeb Haber, Program Manager Lead, SmartScreen