LAST-MINUTE PAPER: MUTE - Malware URL Tracking and Exchange
Costin Raiu Kaspersky Lab
Jong Purisima GFI Software
Tony Lee Microsoft
Philipp Wolf Avira
The current model of URL exchange has followed the file exchange scheme, which is done either via FTP or email and
requires each sharing entity to establish and connect with all the other entities (1:n) to receive all malicious URLs. The
URLs are usually sent in emails or transferred in text files. The industry exchange standard from IEEE ICSG for URLs (as well
as other meta-data) was published in 2010, and calls for a robust and efficient URL sharing framework and process.
With the ever-growing volume of malware samples, the industry has already realized that the exchanging of files can no longer be
done in the same way as was done 10 years ago. To save bandwidth, the 'Norman standard of sharing files' was
introduced a long while ago. More and more vendors are switching to the standard, which allows the sharing
partners to download only the files that are actually new and unknown to them. What still remains with this standard is
the fact that each vendor has to set up its own server that will be used to share with the others. Furthermore, each vendor
has to connect to multiple servers to download the malware samples from there. Although there have been suggestions to centralize
the file-sharing scheme, this would require enormous amounts of web storage and bandwidth, which would
not be cost effective.
URL exchanges, on the other hand, are miniscule in size in comparison with file exchanges and require more time-sensitive
sharing. With bandwidth and storage costs expected to be very low, a centralized solution would be more efficient and
convenient to all parties involved.
MUTE is an effort to simplify the tracking and exchanging of malicious URLs. A project was initiated by members of MUTE
(Malicious URL Tracking and Exchange), which started off as a discussion list among various anti-malware companies.
Through these discussions, the members have realized that a more efficient sharing mechanism can be achieved
which can help to protect customers from malicious websites much faster.
MUTE is an open source project developed to bring URL exchange to the next level. The objective is to connect to a single
interface to submit and receive malicious URLs. This is done with a centralized scheme; it provides the capability to
manage whitelists, blacklists, categorization into malware families, and statistics on a much wider scale.
Currently in beta, the following is a short list of the other features of MUTE:
del.icio.us digg this
- Single point of contact to share URLs, just one format to parse
- IEEE ICSG meta-data standard compatible format
- Automatic classification rules into malware families
- Whitelisting that can be filtered automatically
- HTTP POST/SOAP support for easy integration into systems
- Query functionalities
- Exporting functionalities
- Various statistics
- Anti-leeching feature that throttles access to members who do not share fairly
- Search interface allowing complex searches in the database