In Section 2, we discussed different approaches for detecting malicious
web pages. Just as these approaches are being improved, adversaries
are becoming more skilled at hiding malicious content. To
better understand how adversaries attempt to stay under the radar,
we present an overview of common tactics that we encounter.
Social engineering has emerged as a growing malware distribution
vector [18]. In social engineering attacks, the user is asked to
install a malware binary under false pretenses. Social engineering
attacks challenge automated detection systems because they require
arbitrarily complex user interaction before the payload is delivered,
and such interaction is difficult to simulate algorithmically.
Attacks that target specific software configurations can also challenge
VM honeypots whose VM image runs a different OS, browser, or set of
plugins than the one the attack expects. Even if one deploys multiple
VM images with different software components, selecting which image
should scan a given target page is challenging [3], and resource
limitations bound the number of configurations with which a page can
be scanned.
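The configuration gating described above, and the probe for an idiosyncratic engine property that the next paragraph turns to, as an added JavaScript example; this is illustrative code, not code from the paper or from any attack it studied. The target profile (Windows, an MSIE 8.0 user agent, one plugin version range), the `version` field on plugin entries, the "armed"/"decoy" labels and the sample visitors are all assumptions constructed for the example; in a browser the inputs would come from `window.navigator` and the builtins of the global object, here they are passed in so the logic runs stand-alone under Node.

```javascript
// Added example, not code from the paper: a client-side delivery gate of the
// kind the text describes. The page fingerprints the visiting browser and
// only emits the attack content ("armed") when the configuration matches the
// exploit's target; any other visitor, including a honeypot VM with a
// different OS, browser or plugin set, receives harmless content ("decoy").

// Parse a dotted version string ("1.6.0_17" -> [1, 6, 0, 17]) into numbers.
function parseVersion(v) {
  return String(v).split(/[._]/).map(n => parseInt(n, 10) || 0);
}

// Compare two dotted versions segment-wise; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Hypothetical target profile (an assumption for this example): the attack
// only works on a Windows build of one browser with one plugin version range.
const TARGET = {
  platform: /^Win/,
  userAgent: /MSIE 8\.0/,
  plugin: { name: /^Java/, min: "1.6.0", maxExclusive: "1.6.20" },
};

// Return the version of the first plugin whose name matches, or null.
// Constructed entries carry a `version` field (assumed for the example).
function pluginVersion(plugins, namePattern) {
  for (const p of plugins) {
    if (namePattern.test(p.name)) return p.version || null;
  }
  return null;
}

// One idiosyncratic engine property: real browsers stringify builtins with
// "[native code]". An emulator that shims builtins in JavaScript fails this
// check, and engines differ in the exact formatting, which is what makes it
// a fingerprint rather than a standard-guaranteed value.
function hasNativeToString(fn) {
  return /\[native code\]/.test(Function.prototype.toString.call(fn));
}

// Decide what to serve: "armed" only when every check passes.
function selectContent(nav, builtins, target = TARGET) {
  if (!target.platform.test(nav.platform || "")) return "decoy";
  if (!target.userAgent.test(nav.userAgent || "")) return "decoy";
  const ver = pluginVersion(nav.plugins || [], target.plugin.name);
  if (ver === null) return "decoy";
  if (compareVersions(ver, target.plugin.min) < 0) return "decoy";
  if (compareVersions(ver, target.plugin.maxExclusive) >= 0) return "decoy";
  if (!builtins.every(hasNativeToString)) return "decoy";
  return "armed";
}

// Constructed sample visitors (not real telemetry).
const victim = {
  platform: "Win32",
  userAgent: "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)",
  plugins: [{ name: "Java(TM) Platform SE 6 U17", version: "1.6.0_17" }],
};
const honeypot = {
  platform: "Linux x86_64",
  userAgent: "Mozilla/5.0 (X11; Linux x86_64) Firefox/3.6",
  plugins: [{ name: "Java(TM) Platform SE 6 U17", version: "1.6.0_17" }],
};
// Builtins as a JavaScript-based emulator might shim them.
const shimmedBuiltins = [function max() { return 0; }];

console.log(selectContent(victim, [Math.max, String.fromCharCode]));   // armed
console.log(selectContent(honeypot, [Math.max, String.fromCharCode])); // decoy
console.log(selectContent(victim, shimmedBuiltins));                   // decoy
```

The defensive reading of the gate is the point made in the text: a honeypot that scans this page once, from a Linux image or with an emulated engine, records only the decoy, so coverage requires either the exact matching image or instrumentation that records the fingerprinting calls themselves rather than only the content that follows them.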
To evade browser emulators, AV engines, or manual analysis,
adversaries can test for idiosyncratic properties of the browser and