
All Your iFRAMEs Point to Us

All Your iFRAMEs Point to Us. Niels Provos Panayiotis Mavrommatis Moheeb Abu Rajab Fabian Monrose. 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report. Presentation by Kathleen Stoeckle. Outline. Purpose Background Information Data Collection





Presentation Transcript


  1. All Your iFRAMEs Point to Us. Niels Provos, Panayiotis Mavrommatis, Moheeb Abu Rajab, Fabian Monrose. 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008. Google Technical Report. Presentation by Kathleen Stoeckle.

  2. Outline • Purpose • Background Information • Data Collection • Results • Post-Infection Impact • Related Work • Conclusions • Strengths and Weaknesses

  3. Purpose • Analysis of malware using malicious URLs collected over a ten month period. • Identify malware trends. • Raise questions about the security practices employed by site administrators.

  4. Background Information

  5. Techniques for Delivering Web-Malware 1. Attackers use websites in order to encourage visitors of the site to download and run malware. 2. “Drive-by Downloads” – Attackers target browser vulnerabilities in order to automatically download and run a malicious binary upon visiting the website (unknown to the user).

  6. Definitions • Landing pages and malicious URLs – URLs that initiate drive-by downloads when users visit them. • Landing sites – Landing pages identified by their top-level domain names. • Distribution site – A remote site that hosts malicious payloads. • iFRAME – An HTML element that makes it possible to embed one HTML document inside another.

  7. Existing Malware Installation Strategies • Remote exploitation of vulnerable network services • Connection to malicious servers • Inject malicious content into benign websites • Exploit scripting applications

  8. Malicious Binary Injection Techniques
  • Lure web users to connect to malicious servers that deliver exploits (targeting vulnerabilities in web browsers or plugins).
  • Inject content into benign websites:
    • Exploit vulnerable scripting applications (p. 4).
    • Generally a link that redirects to a malicious website hosting the script that exploits the browser.
    • Invisible HTML components (0-pixel iFRAMEs) to hide injected content.
    • Use websites that allow users to contribute content.

  9. Drive-by Download (figure, p. 5 of the paper)

  10. Data Collection Infrastructure and Methodology • Pre-Processing • Verification

  11. Inspect URLs in Google's repository and determine which trigger drive-by downloads.

  12. Pre-Processing Phase
  • MapReduce framework to process billions of websites.
  • Uses certain features to identify these sites:
    • “out of place” iFRAMEs
    • Obfuscated JavaScript
    • iFRAMEs to known distribution sites
  • One billion sites analyzed daily; 1 million pass on to the verification phase.
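To make the pre-processing features concrete (together with the 0-pixel iFRAMEs from slide 8), here is an added Python example that is not code from the paper, from Google's system, or from this presentation: a toy pre-filter that reports which of those features a page exhibits. The known-distribution-site list, hostnames and sample pages are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# Constructed placeholders standing in for the paper's list of known distribution sites (not real indicators).
KNOWN_DISTRIBUTION_SITES = {"dist.example.invalid", "payload.example.invalid"}
DECODING_CALL = re.compile(r"\b(eval|unescape|fromCharCode)\b")
ESCAPED_RUN = re.compile(r"(%[0-9a-f]{2}){8,}|(\\x[0-9a-f]{2}){8,}", re.I)

class PageFeatures(HTMLParser):
    def __init__(self):  # collects iframe attributes and inline script bodies from one page
        super().__init__()
        self.iframes, self.scripts, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        elif tag == "script":
            self.scripts.append("")
            self._in_script = True
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data

def _hidden_iframe(attrs):
    """'Out of place' iframe: zero-pixel (slide 8's 0-pixel iFRAMEs) or hidden through inline style."""
    dims = [(attrs.get(k) or "").strip().lower().rstrip("px").strip() for k in ("width", "height")]
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "0" in dims or "display:none" in style or "visibility:hidden" in style

def prefilter_features(html):
    """Return the pre-processing features seen in one page; a non-empty set would send it on to verification."""
    page = PageFeatures()
    page.feed(html)
    found = set()
    for f in page.iframes:
        if _hidden_iframe(f):
            found.add("hidden_iframe")
        host = re.sub(r"^(?:https?:)?//", "", f.get("src") or "").split("/")[0].split(":")[0].lower()
        if host in KNOWN_DISTRIBUTION_SITES:
            found.add("iframe_to_known_distribution_site")
    for body in page.scripts:  # crude obfuscation heuristic: decoding call plus a long run of escaped bytes
        if DECODING_CALL.search(body) and ESCAPED_RUN.search(body):
            found.add("obfuscated_javascript")
    return found

# Constructed sample pages, not taken from the paper's data set.
PAGE_SUSPICIOUS = '<html><body><p>Welcome</p><iframe src="http://dist.example.invalid/in.php" width="0" height="0"></iframe><script>document.write(unescape("%3C%69%66%72%61%6D%65%20%73%72%63"));</script></body></html>'
PAGE_BENIGN = '<html><body><iframe src="https://video.example.invalid/embed" width="640" height="360"></iframe><script>var count = 1;</script></body></html>'
```

Any page with a non-empty feature set is a candidate for the verification phase; the heuristics are deliberately cheap because they run over a billion pages a day.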

  13. Verification Phase
  • Determines whether a URL from the pre-processing phase is malicious.
  • Web honeynet:
    • Execution-based heuristics
    • Anti-virus engines
  • Criteria:
    • Must meet threshold
    • One HTTP response must be marked malicious by the anti-virus scanner
    • A URL that has met the threshold but has no incoming payload is marked as suspicious.
  • One million scanned, 25,000 marked malicious per day.

  14. Constructing Malware Distribution Networks • Analysis of recorded network traces. • Combine malware delivery trees • Live for 1 year • Focus on drive-by downloads

  15. Results

  16. Data Collection Summary • 10 month period • 3 million malicious URLs found on 180,000 landing sites. • Over 9,000 distribution sites

  17. Impact on Users • At least 1 malicious URL returned in results (approx. 1.3% of overall search queries) • Most popular landing page has a rank of 1,588 • Of top 1 million URLs, 6,000 verified malicious during inspection.

  18. Malware Hosting Site Distribution by Country

  19. Malware Landing Site Distribution by Country

  20. Random URL Sample

  21. Percentage of Landing Sites / Malicious URLs by Subject

  22. Malicious Content Injection • Web malware is not tied to browsing habits. • Drive-by downloads can be triggered in benign websites: • Compromised Web server • Third party contributed content

  23. Webserver Software
  • Outdated software with known vulnerabilities
  • Increased risk of content control by server exploitation.
  • Ads:
    • 2% of landing sites
    • 12% of overall search content returned landing pages with malicious content.
    • Short-lived compared to other malicious content-injecting techniques
    • 75% have long delivery chains (50% with over six steps)

  24. Properties of Malware Distribution Infrastructure
  • Size
    • Networks that use only 1 landing site
    • Networks that have multiple landing sites
  • IP Space Locality
    • Concentrated on a limited number of /8 prefixes.
    • 70% of malware distribution sites fall in 58.* to 62.* and 209.* to 221.*
    • Similar for scam hosting infrastructure
    • 50% of landing sites
  • Distribution of Malware Binaries Across Domains
    • Hosting: 90% single IP address, 10% multiple IP addresses
    • Sub-folders of a DNS name:
      • 512j.com/akgy
      • 512j.com/alavin
      • 512j.com/anti
      • mihanblog.com/abadan2 or mihanblog.com/askbox

  25. Properties of Malware Distribution Infrastructure
  • Examination of overlapping landing sites.
  • 80% of distribution networks share at least 1 landing page.
  • Multiple iFRAMEs linking to different malware distribution sites.
  • 25% of malware distribution sites share at least one binary.
  • Binaries are less frequently shared between distribution sites than landing sites are.
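To make the measurements of slides 14, 24 and 25 concrete, the following added Python example (not code from the paper or the presentation) merges a few constructed delivery records into distribution networks and computes the size classes, /8 locality and overlap fractions those slides report. Hostnames, IPs and binary ids are placeholders.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed delivery records: (landing site, distribution site, its IP, binary id).
# Every value is a placeholder, not an indicator taken from the paper.
TRACES = [
    ("news.example.invalid",  "dist-a.example.invalid", "58.0.0.10",   "bin-1"),
    ("blog.example.invalid",  "dist-a.example.invalid", "58.0.0.10",   "bin-2"),
    ("blog.example.invalid",  "dist-b.example.invalid", "209.0.0.5",   "bin-4"),
    ("forum.example.invalid", "dist-c.example.invalid", "203.0.113.7", "bin-3"),
]

def build_networks(traces):
    """Slide 14: merge recorded delivery trees into one network per distribution site."""
    nets = defaultdict(lambda: {"landing": set(), "ips": set(), "binaries": set()})
    for landing, dist, ip, binary in traces:
        nets[dist]["landing"].add(landing)
        nets[dist]["ips"].add(ip)
        nets[dist]["binaries"].add(binary)
    return dict(nets)

def size_classes(nets):
    """Slide 24: networks that use a single landing site versus several."""
    single = sum(1 for n in nets.values() if len(n["landing"]) == 1)
    return {"single": single, "multiple": len(nets) - single}

def sharing_fraction(nets, key):
    """Slide 25: fraction of networks whose `key` set ("landing" or "binaries") overlaps another network's."""
    names = list(nets)
    shared = sum(1 for a in names if any(nets[a][key] & nets[b][key] for b in names if b != a))
    return shared / len(names) if names else 0.0

def in_reported_prefixes(ip):
    """Slide 24: the /8 ranges 58-62 and 209-221 that hold most distribution sites."""
    first_octet = ip_address(ip).packed[0]
    return 58 <= first_octet <= 62 or 209 <= first_octet <= 221

def locality_fraction(nets):
    """Fraction of distinct distribution-site IPs that fall inside the reported /8 ranges."""
    ips = {ip for n in nets.values() for ip in n["ips"]}
    return sum(in_reported_prefixes(ip) for ip in ips) / len(ips) if ips else 0.0
```

On the constructed records two of three networks share a landing site while none share a binary, which mirrors the slide's observation that binaries are shared less often than landing pages.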

  26. Post-Infection Impact

  27. Most Frequently Contacted Ports

  28. Post-Infection • Downloaded Executables • Launched Processes • Registry Changes

  29. Anti-Virus Engine Detection Rates
  • Pull-based delivery system
  • Evaluate detection rates of well-known anti-virus engines against suspected malware samples.
  • Average of 70% for the best engine (even the best anti-virus engine with the latest definitions fails to cover a significant percentage of web malware)
  • False positives: 6%

  30. Related Work
  • Honeypots: Moshchuk et al.
    • Decrease in links to spyware-labeled executables over time.
  • Provos et al. and Seifert et al.
    • Raised awareness of threats posed by drive-by downloads.
  • Wang et al.
    • Exploits in Internet Explorer on Windows XP; 200/17,000 URLs dangerous.
  • Malware Detection by Dynamic Tainting Analysis
    • Insight into the mechanisms by which malware installs itself and operates.

  31. Conclusions • 1.3% of incoming search queries on Google return at least one link to a malicious site. • Users are lured into malware distribution networks by content in online ads. • Avoiding the “dark corners” of the Internet does not limit exposure to malware. • Anti-virus engines are lacking.

  32. Strengths and Weaknesses
  • Useful survey about malware installation.
  • Broad data range
  • Only examines the Google database
  • For the most part, evaluation was automated and, due to the broad scope, there is a lot missing in the analysis.
  • Did not explain acronyms

  33. References • All Your iFRAMEs Point to Us. Niels Provos, Panayiotis Mavrommatis, Moheeb Abu Rajab, and Fabian Monrose. 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008.
