LAST-MINUTE PAPER: MUTE - Malware URL Tracking and Exchange

Costin Raiu Kaspersky Lab
Jong Purisima GFI Software
Nick Bilogorskiy
Tony Lee Microsoft
Philipp Wolf Avira

The current model of URL exchange has followed the file exchange scheme, which is done either via FTP or email and requires each sharing entity to establish and connect with all the other entities (1:n) to receive all malicious URLs. The URLs are usually sent in emails or transferred in text files. The industry exchange standard from IEEE ICSG for URLs (as well as other meta-data) was published in 2010, and calls for a robust and efficient URL sharing framework and process.

With the ever-growing volume of malware samples, the industry has already realized that the exchanging of files can no longer be done in the same way as was done 10 years ago. To save bandwidth, the 'Norman standard of sharing files' was introduced a long while ago. More and more vendors are switching to the standard, which allows the sharing partners to download only the files that are actually new and unknown to them. What still remains with this standard is the fact that each vendor has to set up its own server that will be used to share with the others. Furthermore, each vendor has to connect to multiple servers to download the malware samples from there. Although there have been suggestions to centralize the file-sharing scheme, this would require enormous amounts of web storage and bandwidth, which would not be cost effective.

URL exchanges, on the other hand, are minuscule in size in comparison with file exchanges and require more time-sensitive sharing. With bandwidth and storage costs expected to be very low, a centralized solution would be more efficient and convenient to all parties involved.

MUTE is an effort to simplify the tracking and exchanging of malicious URLs. A project was initiated by members of MUTE (Malicious URL Tracking and Exchange), which started off as a discussion list among various anti-malware companies. Through these discussions, the members have realized that a more efficient sharing mechanism can be achieved which can help to protect customers from malicious websites much faster.

MUTE is an open source project developed to bring URL exchange to the next level. The objective is to connect to a single interface to submit and receive malicious URLs. This is done with a centralized scheme; it provides the capability to manage whitelists, blacklists, categorization into malware families, and statistics on a much wider scale.

MUTE is currently in beta. The following is a short list of its other features:

  • Single point of contact to share URLs, just one format to parse
  • IEEE ICSG meta-data standard compatible format
  • Automatic classification rules into malware families
  • Whitelisting that can be filtered automatically
  • HTTP POST/SOAP support for easy integration into systems
  • Query functionalities
  • Exporting functionalities
  • Various statistics
  • Anti-leeching feature that throttles access to members who do not share fairly
  • Search interface allowing complex searches in the database
