An instrumented virtual machine is the usual starting point for URL malware detection: VM instances can be scaled out to handle the volume of URL samples that a cloud security service receives. Inside the VM, an automated browser is tasked to retrieve the URL and render its content, and the observed behavior (the requests the page makes, the scripts it runs, the files it writes) is then analyzed to decide whether the URL is malicious.
Can a URL contain malware?
A typical VM analysis environment takes time to launch and run, so each sample gets a bounded analysis window. An attacker who knows this can delay the malicious behavior, for example the page refresh or redirect that leads to the payload, until the malware analysis is over, so the sandbox only ever sees a benign page. When the sandbox does observe the behavior, the URL sample is evaluated and a malware signature for it is generated; in addition, a data appliance can be installed inline to block network traffic associated with the malicious URL.
To use these resources efficiently, a dynamic time allocator assigns each URL sample its own analysis period instead of running every sample for the same amount of time. Samples that finish their work quickly are released early, so the total time spent per URL goes down, while samples that defer their behavior are given long enough to reveal it.
This is more sophisticated than simply assigning a fixed time to every URL sample: a fixed window that is short enough to keep throughput up is exactly what a stalling page waits out. A smarter allocator takes the content of the sample into account (for instance, the refresh delays and timers the page schedules for itself, or handlers that wait on user input) and selects an analysis period that covers what the page defers, capped so that one sample cannot monopolize the analysis capacity.
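As an added example (this is not code from the page or from any vendor's product), here is one way a content-aware allocator could size the budget: scan the fetched HTML for delays the page schedules for itself and for handlers gated on user input, then pick a period that covers the longest delay with some slack, capped so one sample cannot starve the queue. The constants, the regular expressions and the sample pages are constructed assumptions; a production allocator would read the same facts from the instrumented browser rather than from a regex over the raw HTML.

```javascript
// Added example, not the page's code: content-aware analysis budget for a URL sample.
// All constants are assumptions chosen for illustration.
const BASE_SECONDS = 20;    // minimum dwell time for any sample
const MAX_SECONDS = 180;    // hard cap so one sample cannot starve the queue
const MARGIN_SECONDS = 5;   // slack after the longest delay the page schedules
const INTERACTION_EXTRA_SECONDS = 10; // extra time to drive synthetic input
const FIXED_SECONDS = 30;   // the naive fixed-window baseline for comparison

// Longest delay (in seconds) the page schedules for itself: <meta http-equiv="refresh"
// content="N;url=..."> and setTimeout/setInterval(fn, ms).  Rough regex scans of raw HTML.
function longestScheduledDelaySeconds(html) {
  let longest = 0;
  const metaRe = /<meta[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*content\s*=\s*["']\s*(\d+)/gi;
  for (const m of html.matchAll(metaRe)) longest = Math.max(longest, Number(m[1]));
  const timerRe = /set(?:Timeout|Interval)\s*\([^,]*,\s*(\d+)\s*\)/gi;
  for (const m of html.matchAll(timerRe)) longest = Math.max(longest, Number(m[1]) / 1000);
  return longest;
}

// Does the page register handlers that only run after user interaction?
function requiresUserInteraction(html) {
  return /\bon(?:click|mousemove|keydown|scroll)\s*=/i.test(html)
    || /addEventListener\s*\(\s*["'](?:click|mousemove|keydown|scroll)["']/i.test(html);
}

// The allocator: base time, plus whatever the page defers, plus slack, capped.
function allocateAnalysisSeconds(html) {
  let budget = BASE_SECONDS + longestScheduledDelaySeconds(html) + MARGIN_SECONDS;
  if (requiresUserInteraction(html)) budget += INTERACTION_EXTRA_SECONDS;
  return Math.min(MAX_SECONDS, Math.round(budget));
}

// Would a fixed window have ended before the page's longest scheduled delay?
function evadesFixedBudget(html, fixedSeconds) {
  return longestScheduledDelaySeconds(html) > fixedSeconds;
}

// Constructed sample pages (example.invalid is a reserved, non-resolving TLD).
const SAMPLE_PLAIN_HTML =
  '<html><body><h1>Hello</h1><p>Nothing scheduled.</p></body></html>';
const SAMPLE_DELAYED_HTML = [
  '<html><head>',
  '<meta http-equiv="refresh" content="45;url=https://example.invalid/next">',
  '<script>function go(){location.href="https://example.invalid/payload";}',
  'setTimeout(go, 90000);</script>',
  '</head><body>Loading...</body></html>',
].join('\n');
const SAMPLE_GATED_HTML =
  '<html><body onclick="go()"><script>function go(){location.href="https://example.invalid/p";}</script></body></html>';
const SAMPLE_LONG_STALL_HTML =
  '<html><body><script>setTimeout(go, 600000);</script></body></html>';

// Plain page: 25 s.  Delayed page: 115 s, and it would have evaded a fixed 30 s window.
// Gated page: 35 s.  Ten-minute stall: capped at 180 s.
function demoBudgets() {
  return {
    plain: allocateAnalysisSeconds(SAMPLE_PLAIN_HTML),
    delayed: allocateAnalysisSeconds(SAMPLE_DELAYED_HTML),
    gated: allocateAnalysisSeconds(SAMPLE_GATED_HTML),
    longStall: allocateAnalysisSeconds(SAMPLE_LONG_STALL_HTML),
    delayedEvadesFixed: evadesFixedBudget(SAMPLE_DELAYED_HTML, FIXED_SECONDS),
  };
}
```

The cap matters as much as the extension: without it, a page that schedules a ten-minute timer would turn the allocator itself into a denial-of-service lever against the analysis queue, so the long-stall case is budgeted at the cap and should be flagged rather than waited out.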
Another trick is to monitor the browser while it renders the URL. Browser events can be hooked, among them the onbefore* family (onbeforeunload, for instance), onload, and onclick. Recording which handlers the page registers on these events, and what those handlers do when fired, shows whether the sample defers its behavior until a timer expires or a user acts, and that waiting pattern by itself is a strong indication that the URL sample is a stalling gimmick rather than legitimate content.
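An added example of what that hooking looks like from the sandbox side; this is not the page's or any vendor's code. `instrumentWindow` wraps the timer and event-registration surface of a window-like object before any page script runs and records what the page defers; `forceDeferred` then fires every recorded callback immediately, so a time- or interaction-gated payload executes inside the analysis window. To run offline under Node it is written against a plain mock object, with the constructed `runSamplePage` standing in for the page's script; in a browser sandbox the same function would be given `window`. The event list and the mock are assumptions.

```javascript
// Added example, not the page's code: record what a page defers, then force it to run.

// Events a stalling page typically gates its payload on (assumed list).
const INTERACTION_EVENTS = new Set(['click', 'mousemove', 'keydown', 'scroll', 'beforeunload']);
const INLINE_HANDLER_PROPS = ['onload', 'onbeforeunload', 'onclick', 'onmousemove', 'onkeydown'];

// Hook `win` (in a real sandbox: `window`, injected before page scripts).  Returns the record
// the hooks fill in.  Original behaviour is preserved: timers are still scheduled and listeners
// still registered, so the page's own behaviour is unchanged.
function instrumentWindow(win) {
  const record = { timers: [], handlers: [] };

  const origSetTimeout = win.setTimeout;
  win.setTimeout = function (fn, delay, ...args) {
    record.timers.push({ fn, delay: Number(delay) || 0, args });
    return origSetTimeout.call(win, fn, delay, ...args);
  };

  const origAddEventListener = win.addEventListener;
  win.addEventListener = function (type, fn, options) {
    record.handlers.push({ type, fn });
    return origAddEventListener.call(win, type, fn, options);
  };

  // Property-style handlers (window.onclick = fn) go through an accessor so the assignment is seen.
  for (const prop of INLINE_HANDLER_PROPS) {
    let current = win[prop];
    Object.defineProperty(win, prop, {
      configurable: true,
      get: () => current,
      set: (fn) => { current = fn; record.handlers.push({ type: prop.slice(2), fn }); },
    });
  }
  return record;
}

// What is the page waiting for?  Longest timer, plus the interaction events it listens on.
function deferredSummary(record) {
  const longestTimerMs = record.timers.reduce((max, t) => Math.max(max, t.delay), 0);
  const gatedOn = [...new Set(
    record.handlers.map((h) => h.type).filter((t) => INTERACTION_EVENTS.has(t)),
  )].sort();
  return { longestTimerMs, gatedOn, waitsForUser: gatedOn.length > 0 };
}

// Run every recorded timer callback now and deliver a synthetic event to every recorded
// handler, so the payload path executes inside the analysis window.  Returns the count fired.
function forceDeferred(record) {
  let fired = 0;
  for (const t of record.timers) { t.fn(...t.args); fired += 1; }
  for (const h of record.handlers) {
    if (typeof h.fn === 'function') { h.fn({ type: h.type, isTrusted: false }); fired += 1; }
  }
  return fired;
}

// --- constructed demo standing in for a real renderer ---------------------------------

// Minimal window stand-in.  The mock timer never fires on its own, which is exactly the
// "analysis ended before the timer" situation a stalling page relies on.
function makeMockWindow() {
  return { setTimeout: () => 0, addEventListener: () => undefined };
}

// Constructed stalling page: navigates to the payload after 90 s, or on first click / mouse move.
function runSamplePage(win) {
  let navigated = false;
  const go = () => { navigated = true; };
  win.setTimeout(go, 90000);
  win.onclick = go;
  win.addEventListener('mousemove', go);
  return () => navigated;
}

function demo() {
  const win = makeMockWindow();
  const record = instrumentWindow(win);
  const navigated = runSamplePage(win);
  const before = navigated();               // false: nothing visible happened during rendering
  const summary = deferredSummary(record);  // { longestTimerMs: 90000, gatedOn: ['click', 'mousemove'], waitsForUser: true }
  const fired = forceDeferred(record);      // 3
  return { before, after: navigated(), summary, fired };
}
```

Two caveats a practitioner would want: the synthetic event objects carry `isTrusted: false`, and a page that checks that flag (or compares timer callback time against `Date.now()`) will notice the forcing, so clock virtualization and trusted-event injection at the browser automation layer are the next step; and forcing every handler also fires analytics and benign redirects, so the summary should be used to prioritize which callbacks to force rather than firing them blindly.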
…