Monday, November 25, 2013

CAMP, a different approach

CAMP protects users from malware binaries without requiring a priori knowledge of the binary, by augmenting whitelists and blacklists with a content-agnostic reputation system.

CAMP is composed of two parts: the client (the Google Chrome web browser) and the Google servers, to which the client connects to download the blacklist and whitelist and to send requests to CAMP's reputation service.

How the client works

  1. The browser tries to determine whether a download came from a malicious site by checking the download URL against a list of URLs known as "malware distribution" sites, using Google's SafeBrowsing API.
  2. The browser checks locally against a dynamically updated list of trusted domains and trusted binary signers to determine whether the download is benign.
  3. For downloads that don't match any of the local lists, the browser extracts content-agnostic features from the download and sends a request to CAMP's reputation service.
  4. If a malicious download is requested and detected, Google Chrome warns the user and gives her two options: Block or Pass the download.

The features sent to the Google CAMP server are:
  • The URL and IP of the server hosting the download.
  • Any referrer URL and IP encountered when starting the download.
  • The size of the download and its hash.
  • The signature attached to the download, including the signer and any certificate chain leading to it.
  • The browser never sends the binary itself, which reduces the privacy impact.
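
The client flow and feature list above, sketched as an added example (not code from Chrome or from the CAMP paper). The list contents, field names, the use of SHA-256 and the sample download are assumptions made for illustration.

```python
import hashlib
import json
from urllib.parse import urlsplit

# Constructed stand-ins for the lists the browser downloads from Google.
MALWARE_URLS = {"http://bad.example/dl/setup.exe"}
TRUSTED_DOMAINS = {"downloads.trusted.example"}
TRUSTED_SIGNERS = {"Trusted Vendor Inc."}

def extract_features(dl):
    """Build the reputation request: metadata only, never the binary bytes."""
    return {
        "url": dl["url"],
        "ip": dl["ip"],
        "referrers": dl.get("referrers", []),  # [{"url": ..., "ip": ...}]
        "size": len(dl["content"]),
        "sha256": hashlib.sha256(dl["content"]).hexdigest(),  # assumed hash
        "signer": dl.get("signer"),
        "cert_chain": dl.get("cert_chain", []),
    }

def client_decision(dl):
    """Return (action, request_body) for steps 1-3 of the client flow."""
    if dl["url"] in MALWARE_URLS:                 # step 1: URL blacklist
        return "warn", None                       # step 4: user may Block or Pass
    host = urlsplit(dl["url"]).hostname
    # Step 2: local whitelist; the signer is assumed already verified.
    if host in TRUSTED_DOMAINS or dl.get("signer") in TRUSTED_SIGNERS:
        return "allow", None
    # Step 3: no local match, so ask the reputation service.
    return "query", json.dumps(extract_features(dl), sort_keys=True)

# Constructed sample download (not real data).
SAMPLE = {
    "url": "http://files.unknown.example/tool.exe",
    "ip": "203.0.113.7",
    "referrers": [{"url": "http://blog.unknown.example/post", "ip": "203.0.113.9"}],
    "content": b"MZ\x90\x00constructed-sample-bytes",
    "signer": None,
    "cert_chain": [],
}

if __name__ == "__main__":
    action, body = client_decision(SAMPLE)
    print(action)
    print(body)
```

Only downloads that miss both local lists produce a request body, and that body carries the hash and size in place of the file content.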

How the CAMP servers work

For each client request, the reputation system makes a decision based on whether either the URL or the content hash is known to be malicious.

"The reputation verdict is computed by a reputation metric calculated by a binary circuit from the client request and any reputation data that is referenced by the reputation system, e.g. how many known benign or malicious binaries are hosted on a given IP address, etc"


Google selected 2200 binaries, unknown to VirusTotal, that were processed on a single day. As you know, VirusTotal can check a file with more than 40 antivirus solutions.

Of these 2200, 1100 were labeled malicious on a single day. They submitted the binaries to VirusTotal and waited 10 days.

After 10 days, 99% of the binaries detected by CAMP were detected by 20% or more of AV engines on VirusTotal. Only 12% of the binaries that they detected as clean were also detected by 20% or more of the AV engines.

"The URL classification services mostly disagreed with CAMP when presented with the set of malicious URLs. Trend-Micro identified about 11% as malicious, Safe Browsing about 8.5%, Symantec about 8% and Site Advisor about 2.5%. The Malware Domain List did not flag any of them as malicious. However, as with the benign URLs, many of the malicious URLs were not known to the web services. For example, TrendMicro did not know 65% of the URLs that CAMP found to be malicious."

Our personal conclusion

In our opinion, CAMP is a really interesting project and takes a new approach to fighting malware, but we think it is not an antivirus as we know it. CAMP cannot avoid infection from malicious attachments sent by mail, USB infections, frontal attacks using exploits...

It only works with Google Chrome... What happens if we use Mozilla, Internet Explorer or Safari in our companies or our homes?

Despite this, we believe it is a great achievement to prevent millions of infections, and it is a step forward in the fight against malware.
