The ghost in the browser analysis of web based malware
This presentation is the property of its rightful owner.
Sponsored Links
1 / 21

The Ghost In The Browser Analysis of Web-based Malware PowerPoint PPT Presentation


  • 60 Views
  • Uploaded on
  • Presentation posted in: General

The Ghost In The Browser Analysis of Web-based Malware. Niels Provos, Dean McNamee, Panayiotis Mavrommatis, Ke Wang and Nagendra Modadugu Google, Inc. 鲍由之 11,23,2010. Overview. Aim to present the state of malware on the Web and emphasize the importance of this rising threat.

Download Presentation

The Ghost In The Browser Analysis of Web-based Malware

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


The ghost in the browser analysis of web based malware

The Ghost In The Browser Analysis of Web-based Malware

Niels Provos, Dean McNamee, Panayiotis Mavrommatis, Ke Wang and Nagendra Modadugu

Google, Inc.

鲍由之

11,23,2010


Overview

Overview

  • Aim

    to present the state of malware on the Web and emphasize the importance of this rising threat.

  • Phase 1: observing the malware behavior when visiting malicious URLs and discover if malware binaries are being downloaded as a result of visiting a URL.

  • Phase 2: keeping detailed statistics about detected web pages and keep track of identified malware binaries for later analysis.

  • Furthermore examining how malware takes advantage of browser vulnerabilities to install itself on users’ computers.


Phase 1 detecting

Phase 1: Detecting

  • Definition of malicious web page

    • Causing the automatic installation of software without the user’s knowledge or consent.


Method

Method

  • MapReduceHeuristical URL

    Extraction:

  • Rating

    • No details


Results of detecting

Results of Detecting

  • Increasing amount of base per day because of optimizations


Categories

Categories

  • Four different aspects of content control responsible for enabling browser exploitation:

    • advertising

    • third-party widgets

    • user contributed content

    • web server security


Web server security

Web Server Security

  • Adversary gains control of a server

  • May changed over time


User contributed content

User Contributed Content

  • Blogs, comments, etc.

  • Example: a poll


Advertising

Advertising

Trust


Third party widgets

Third-Party Widgets

  • Counter


Exploitation

Exploitation

  • Finding vulnerable network services and remotely exploiting them.

    • e.g. worms

    • NAT & Firewalls


The ghost in the browser analysis of web based malware

  • Drive-by-download

    • Javascript, VB, Flash, pdf

    • <javascript> <iframe> tag

    • systematically catalogs the computing environment, instead of blindly trying

  • Tricking the User

    • Social engineering

      • Adult movie


Phase 2 trend and statistics

Phase 2: Trend and Statistics

  • To capture the evolution of all these characteristics over a twelve month period and present an estimate of the current status of malware on the web.

  • Obfuscation

  • Classification

  • Remotely Linked Exploits

  • Distribution of Binaries Across Domains

  • Malware Evolution


The ghost in the browser analysis of web based malware

  • Obfuscation

    • Decoding

  • Classification

    • Trojan

    • Adware

    • Unknown/Obfused

    • Assuming that two binaries are different if their cryptographic digests are different.


The ghost in the browser analysis of web based malware

  • Remotely Linked Exploits

    • Easy to change

    • May lead to bottleneck or a single point of failure

    • The top graph presents the number of unique web pages pointing to a malicious URL and for all of such URLs.


The ghost in the browser analysis of web based malware

  • Distribution of Binaries Across Domains

    • To avoid bottleneck or a single point of failure mentioned above


The ghost in the browser analysis of web based malware

  • Malware Evolution

    • the majority of malicious URLs change binaries infrequently.

    • However, a small percentage of URLs change their binaries almost every hour.


Expection

Expection

  • The majority of malware is no longer spreading via remote exploitation but rather as we indicated in this paper via web-based infection.


Conclusion

Conclusion

  • An intro to malwares which is popular during the internet at present

    • No specific details about any tech

    • Appears to be a statistical report

    • No care about specific vulnerabilities but rather about how many URLs on the Internet are capable of compromising users.

  • BASE: A huge amount of data because of its privilege


The ghost in the browser analysis of web based malware

  • we assumed that two binaries are different if their cryptographic digests are different.

  • If the majority of URLs on a site are malicious, the whole site, or a path component of the site, might be labeled as harmful when shown as a search result.

  • For each URL, we score the analysis run by assigning individual scores to each recorded component.


The ghost in the browser analysis of web based malware

  • Q&A

  • Thank you


  • Login