
BROWSER SECURITY COMPARATIVE ANALYSIS


Socially Engineered Malware Blocking

Randy Abrams, Jayendra Pathak, Orlando Barrera, Dipti Ghimire

Tested Products
Qihoo 360 Safe Browser Version: 6.3.1.132, Proxy Version: 21.0.1180.89
Firefox Version: 27.0.1
Google Chrome Version: 33.0.1750
Internet Explorer Version: 11.0.9600.16384
Kingsoft Liebao Browser Version: 4.5.37.6837
Opera Version: 19.0.1326.63
Safari Version: 5.1.7 (7534.57.2)
Sogou Explorer: 4.2.6.10812

Environment
Operating System: Windows 8.1 Enterprise with Windows Defender disabled
Security Stack: Testing Methodology V1.5

NSS Labs

Browser Security Comparative Analysis Socially Engineered Malware

Overview
Eight leading browsers, including three from China, were tested against the Security Stack: Testing Methodology
V1.5, using 657 samples of socially engineered malware (SEM) that were captured over 14 days in NSS Labs' unique
live testing harness. SEM attacks use several different methods to deceive users into downloading malicious
software, but the browser is the primary vector for delivery of SEM and therefore is the first line of defense against
such attacks.

Internet Explorer   99.9%
Liebao Browser      85.1%
Chrome              70.7%
Sogou Explorer      60.1%
Opera               28.8%
360 Safe Browser     6.3%
Firefox              4.2%
Safari               4.1%

Figure 1 Average Block Rate for SEM

Figure 1 demonstrates that Internet Explorer blocked 99.9% of the SEM that was used in this test. Internet Explorer
provides SEM protection by using a combination of SmartScreen URL filtering and App Rep, a technology that
requires no knowledge of whether an application is harmful or benign. Chrome, which placed third, uses URL
filtering and an application reputation system called Download Protection. Both App Rep and Download Protection
are content-agnostic malware protection (CAMP) technologies [1].
The Chinese browser, Liebao, by Kingsoft placed second, despite the browser's lack of a CAMP technology. Sogou
Explorer, another browser from China, placed fourth, scoring more than 30 percentage points higher than the
fifth-place browser.

[1] Microsoft Takes Scammers to CAMP. NSS Labs. https://www.nsslabs.com/reports/microsoft-takes-scammers-camp

NSS Labs Findings

- Microsoft Internet Explorer provides SEM protection that is superior to all other tested browsers and many
  endpoint protection (EPP) products.
- Cloud-based EPP file scanning can provide substantial SEM protection when integrated into a browser.
- The Google Safe Browsing API does not provide adequate SEM protection.
- The Chinese browsers tested are viable and demonstrate the ability to compete on technical merit.

NSS Labs Recommendations

- Learn to identify social engineering attacks in order to maximize protection against SEM and other social
  engineering attacks.
- Use caution when sharing links from friends and other trusted contacts, such as banks. Waiting just one day
  before clicking on a link can significantly reduce risk.
- Enterprises should review current NSS reports when selecting browsers. Do not assume the browser market is
  static.

Table of Contents
Environment
Overview
NSS Labs Findings
NSS Labs Recommendations
Analysis
Protection Metrics
  Zero-Hour Protection
  Average Time to Block
  The Death of the Safe Browsing API for SEM Protection
  Consistency of Protection over Time
  The Chinese Browsers
  Education Is a Component of SEM Protection
Contact Information

Table of Figures
Figure 1 Average Block Rate for SEM
Figure 2 SEM URL Response Histogram
Figure 3 Average Time to Block
Figure 4 Limitations of the Safe Browsing API
Figure 5 SEM Protection of Products Using the Safe Browsing API
Figure 6 SEM Protection over Time
Figure 7 SEM Protection over Time Chinese Browsers

Analysis
For several years, the use of social engineering has accounted for the bulk of cyberattacks against consumers and
enterprises. SEM attacks use a dynamic combination of factors such as social media, hijacked email accounts, false
notification of computer problems, and other deceptions to encourage users to download the malware.
Cybercriminals use hijacked email accounts to take advantage of the implicit trust between contacts and deceive
victims into believing that links to malicious files are trustworthy. Hijacked social media accounts are used in the
same way as hijacked email accounts. In the case of social networks, however, the circle becomes wider: friends
and even friends of friends risk being deceived.
Social engineering tactics may use pop-up messages advising users that, for example, their computers are infected;
their computers require optimizing; their computers require updates to Windows; or that they should install
applications, such as Adobe Flash Player. Once malware is installed, victims are vulnerable to identity theft, bank
account compromise, and other potentially devastating consequences.
During NSS testing, Internet Explorer provided the highest level of SEM protection of all browsers. This is because
of its use of SmartScreen and Application Reputation technology (App Rep). Chrome's Download Protection had
elevated it to second place in three tests from 2011 to 2013, but in this test, Liebao Browser achieved the second
place ranking, outperforming Chrome by more than 14 percentage points in the average block rate. Unlike Internet
Explorer and Chrome, the Liebao Browser does not use an application reputation system but instead takes
advantage of the same cloud-based file scanning system that is used by Kingsoft Antivirus, and it does so with
considerable efficacy.
Qihoo's 360 Safe Browser relies on Qihoo's anti-malware technology to boost its SEM protection, but this
technology is not integrated into the browser itself. All of the browsers, including the 360 Safe Browser, were
tested for their stand-alone SEM blocking abilities. It should be noted that NSS tested the Chinese language version
of the 360 Safe Browser. Qihoo has advised that the English language version of the browser integrates the cloud-
based anti-malware protection that is used in the Qihoo EPP product.

Protection Metrics
The average SEM block rate is a key metric against which browsers are tested. Consistency of protection, the
amount of time required to add protection for new threats, and zero-day protection are also important metrics,
and they are included in this report.

Zero-Hour Protection
Immediate protection against new threats is critical. As sites that host SEM are discovered, they are taken down,
often within a relatively short amount of time. Products that fail to add protection in a timely manner may be too
late to counter the threat.
Figure 2 reveals that the 98% zero-hour protection provided by Internet Explorer is 24 points higher than any other
browser. By the end of the seventh day of testing, Internet Explorer was maintaining a 14% lead over every other
browser. Chrome was in second place for SEM protection from zero hour until the fourth day, at which point
Liebao Browser had sufficient protection to equal and marginally surpass Chrome. Sogou Explorer began with a
41% zero-hour block rate and substantially increased its response time by the end of the first day.
The zero-hour block rates of the fifth through eighth place browsers (Opera, 360 Safe Browser, Firefox, and Safari)
are significantly lacking. Opera's results range from 18.7% (zero-hour blocking) to 33% (after 7 days). The 360 Safe
Browser began at zero hour with more than double the block rate of Firefox or Safari, and by the end of the
seventh day, it had retained a similar advantage.

Coverage

Browser               0-hr    1d      2d      3d      4d      5d      6d      7d      Total
Internet Explorer 11  98.3%   99.5%   99.5%   99.5%   99.5%   99.5%   99.5%   99.5%   99.5%
Chrome                75.2%   79.6%   81.7%   82.6%   82.6%   83.7%   84.0%   84.2%   84.5%
Liebao Browser        69.3%   76.1%   78.1%   81.3%   83.0%   84.2%   84.6%   84.9%   85.8%
Sogou Explorer        41.1%   63.2%   68.5%   70.2%   71.1%   71.5%   72.0%   72.0%   72.9%
Opera                 18.7%   23.6%   30.6%   31.5%   32.4%   32.7%   33.2%   33.2%   33.8%
360 Safe Browser       8.4%    9.1%    9.1%    9.7%   10.2%   10.4%   10.7%   10.8%   11.0%
Firefox                4.0%    4.0%    4.1%    4.1%    4.4%    4.4%    4.4%    4.7%    4.7%
Safari                 3.0%    3.8%    3.8%    4.1%    4.1%    4.4%    4.4%    4.4%    4.7%

Figure 2 SEM URL Response Histogram

Average Time to Block


Browser                  Hours
Safari                   32.13
Firefox                  29.81
Opera                    21.73
360 Safe Browser         19.50
Sogou Explorer           13.73
Kingsoft Liebao Browser  12.91
Chrome                    3.77
Internet Explorer         0.07

Figure 3 Average Time to Block

Figure 3 reveals that Internet Explorer requires an average of less than 5 minutes to block new SEM. At over 3
hours and 45 minutes, Chrome has the next best average time to block. Only Firefox and Safari take longer than
one day on average to block malware. Opera, which requires less than a day to add SEM protection, outperforms
browsers using Google's Safe Browsing API.

The Death of the Safe Browsing API for SEM Protection


Figure 4 compares the use of URL filtering versus CAMP in Internet Explorer and Chrome. Without its Download
Protection technology, Chrome would place second to last. Application reputation systems will sometimes block
programs that are legitimate but rarely encountered. Only 2.9% of the SEM blocking performed by Internet
Explorer relies on application reputation, but 65% of the SEM blocking performed by Chrome relies on application
reputation. Chrome's reliance on application reputation is understandable when viewed alongside the results of
NSS testing from 2009 to this current test, since all tests confirm that the Safe Browsing API is ineffective in
blocking SEM [2].

Browser            URL Reputation  Application Reputation / Download Protection  Total
Internet Explorer  97.0%            2.9%                                         99.9%
Chrome              4.2%           66.5%                                         70.7%


Figure 4 Limitations of the Safe Browsing API

[2] Evolutions in Browser Security. NSS Labs. https://www.nsslabs.com/reports/evolutions-browser-security


Figure 5 compares the Safe Browsing API products. Without Download Protection, Chrome's performance is almost
identical to that of Firefox and Safari.

[Line chart: SEM block rate (0% to 100%) for Chrome, Firefox, Safari, Chrome w/o Download Protection, and the test average. Test Average = 58%]

Figure 5 SEM Protection of Products Using the Safe Browsing API

Consistency of Protection over Time


Throughout the test, new URLs hosting SEM were added, and URLs that were no longer reachable, or that were no
longer delivering SEM, were removed. Figure 6 shows the consistency of protection of the tested browsers
throughout the testing period.

[Line chart: SEM block rate (0% to 100%) for Internet Explorer, Liebao Browser, Chrome, Sogou Explorer, Opera, 360 Safe Browser, Firefox, Safari, and the test average. Test Average = 58%]

Figure 6 SEM Protection over Time


Liebao Browser placed second, rarely dropping below 80% SEM protection. Chrome and Sogou Explorer both
placed above the test average. Throughout the test, Internet Explorer blocked consistently at 100%, with some
barely perceptible dips.

The Chinese Browsers


[Line chart: SEM block rate (0% to 100%) for 360 Safe Browser, Liebao Browser, Sogou Explorer, and the test average. Test Average = 58%]

Figure 7 SEM Protection over Time Chinese Browsers

Figure 7 compares the performance of the Chinese browsers. Liebao Browser demonstrated superior SEM
protection, while Sogou Explorer, in second place, provided a level of protection slightly above the average of all of
the browsers tested. Although the Chinese version of the 360 Safe Browser relies on external anti-malware
protection, NSS has been advised that the English language version of the 360 Safe Browser incorporates cloud-
based SEM protection technology. Further testing will be required to validate the claim and quantify the additional
protection.

Education Is a Component of SEM Protection


Users who are able to identify social engineering attacks rely less on technology for protection against such
attacks. Technology will sometimes fail, but those users who can identify social engineering attacks will remain
protected regardless of the method used to attempt social engineering.

Test Methodology
Security Stack: Test Methodology v1.5
A copy of the test methodology is available on the NSS Labs website at www.nsslabs.com.

Contact Information
NSS Labs, Inc.
206 Wild Basin Rd
Building A, Suite 200
Austin, TX 78746
+1 (512) 961-5300
info@nsslabs.com
www.nsslabs.com


This and other related documents available at: www.nsslabs.com. To receive a licensed copy or report misuse,
please contact NSS Labs at +1 (512) 961-5300 or sales@nsslabs.com

© 2014 NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval
system, or transmitted without the express written consent of the authors.

Please note that access to or use of this report is conditioned on the following:

1. The information in this report is subject to change by NSS Labs without notice.
2. The information in this report is believed by NSS Labs to be accurate and reliable at the time of publication, but is not
guaranteed. All use of and reliance on this report are at the reader's sole risk. NSS Labs is not liable or responsible for any
damages, losses, or expenses arising from any error or omission in this report.
3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY NSS LABS. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND
EXCLUDED BY NSS LABS. IN NO EVENT SHALL NSS LABS BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR INDIRECT
DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE
POSSIBILITY THEREOF.
4. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or
software) tested or the hardware and software used in testing the products. The testing does not guarantee that there are no
errors or defects in the products or that the products will meet the reader's expectations, requirements, needs, or
specifications, or that they will operate without interruption.
5. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned
in this report.
6. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of
their respective owners.
