
All iFRAMEs Point to US

Niels Provos and Panayiotis Mavrommatis, Google Inc. Moheeb Abu Rajab and Fabian Monrose, Johns Hopkins University. 17th USENIX Security Symposium. All iFRAMEs Point to US. Introduction [1/3]. The WWW is a criminal’s preferred pathway for spreading malware.


Presentation Transcript


  1. Niels Provos and Panayiotis Mavrommatis Google Inc. Moheeb Abu Rajab and Fabian Monrose Johns Hopkins University 17th USENIX Security Symposium All iFRAMEs Point to US

  2. Introduction[1/3] • The WWW is a criminal’s preferred pathway for spreading malware. • Two ways of delivering web malware • Social engineering • Drive-by download • URLs that attempt to exploit their visitors and cause malware to be installed and run automatically.

  3. Introduction[2/3] • Drive-by download via iFRAMEs • Script exploits the browser and triggers downloads

  4. Introduction[3/3] • Drive-by download Landing site cafe.naver.com Distribution site www.malware.com

  5. Infrastructure and Methodology[1/4] • Workflow

  6. Infrastructure and Methodology[2/4] • Pre-processing phase • Inspect URLs from the repository and identify the ones that trigger drive-by downloads • MapReduce and machine-learning framework • Pre-process a billion pages daily • Choose 1 million URLs for the verification phase

  7. Infrastructure and Methodology[3/4] • Verification phase • Large-scale web honeynet • Runs a large number of MS Windows images in VMs • Unpatched version of Internet Explorer • Multiple anti-virus engines • Load a clean Windows image, then visit the candidate URL • Monitor the system behavior for abnormal state changes

  8. Infrastructure and Methodology[4/4] • Malware distribution networks • The set of malware delivery trees from all the landing sites that lead to a particular malware distribution site. • Inspecting the Referer header and HTTP request • In some cases, URLs contain randomly generated strings; apply a heuristics-based algorithm.

  9. Prevalence of drive-by downloads[1/3] • Summary of collected data

  10. Prevalence of drive-by downloads[2/3] • Geographic locality • The correlation between the location of a distribution site and the landing sites

  11. Prevalence of drive-by downloads[3/3] • Impact on the end-users • Average 1.3%

  12. Malicious content injection[1/2] • Web server software • A significant fraction were running outdated versions of software.

  13. Malicious content injection[2/2] • Drive-by download via AD

  14. Malicious distribution infrastructure[1/3] • The rate of landing site per distribution site
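Added example for slides 8 and 14 (not code from the paper or the slides): reconstruct malware delivery chains from the Referer headers a honeypot browser records while loading a landing URL, group the chains into per-distribution-site networks, and count distinct landing sites per distribution site. The visit records and hostnames are constructed for illustration; treating any URL ending in `.exe` as the payload is an assumption.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: for each landing URL visited by the honeypot, the
# (requested_url, referer) pairs observed during that visit. Hostnames are invented.
VISITS = {
    "http://landing-a.example/index.html": [
        ("http://landing-a.example/index.html", ""),
        ("http://ads.example/banner.js", "http://landing-a.example/index.html"),
        ("http://hop.example/r.php", "http://ads.example/banner.js"),
        ("http://dist.example/setup.exe", "http://hop.example/r.php"),
    ],
    "http://landing-b.example/post.php": [
        ("http://landing-b.example/post.php", ""),
        ("http://dist.example/setup.exe", "http://landing-b.example/post.php"),
    ],
    "http://landing-c.example/": [
        ("http://landing-c.example/", ""),
        ("http://other-dist.example/x.exe", "http://landing-c.example/"),
    ],
}

def host(url):
    return urlsplit(url).hostname

def delivery_chain(landing_url, requests, is_payload=lambda u: u.endswith(".exe")):
    """Walk Referer headers backwards from the first payload request to the
    landing URL. Returns the chain of hosts, landing site first, or None."""
    referer_of = {url: ref for url, ref in requests if ref}
    for url, _ in requests:
        if not is_payload(url):
            continue
        chain, seen = [url], {url}
        # Stop at the landing URL, at a request with no Referer, or on a cycle.
        while chain[-1] != landing_url and chain[-1] in referer_of:
            nxt = referer_of[chain[-1]]
            if nxt in seen:
                break
            chain.append(nxt)
            seen.add(nxt)
        if chain[-1] == landing_url:
            return [host(u) for u in reversed(chain)]
    return None

def distribution_networks(visits):
    """Group delivery chains by the distribution site they end in (slide 8)
    and count distinct landing sites per distribution site (slide 14)."""
    trees = defaultdict(list)
    for landing_url, requests in visits.items():
        chain = delivery_chain(landing_url, requests)
        if chain:
            trees[chain[-1]].append(chain)
    counts = {dist: len({c[0] for c in chains}) for dist, chains in trees.items()}
    return dict(trees), counts
```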

  15. Malicious distribution infrastructure[2/3] • Property of malware distribution sites IP 58.* -- 61.* 209.* -- 221.*

  16. Malicious distribution infrastructure[3/3] • The number of unique binaries downloaded from each malware distribution site

  17. Post Infection Impact[1/4] • The number of downloaded executables as a result of visiting a malicious URL • Average 8

  18. Post Infection Impact[2/4] • The number of processes started after visiting a malicious URL

  19. Post Infection Impact[3/4] • Registry changes after visiting 57.5% of the landing pages

  20. Post Infection Impact[4/4] • Network activity of the virtual machine post infection

  21. Anti-virus engine detection rates • Network activity of the virtual machine post infection

  22. Conclusion • Large web scale data collection infrastructure • In-depth analysis of over 66 million URLs • Reveals that the scope of the problem is significant • Anti-virus engines are lacking in their ability to protect against drive-by downloads

  23. Extra-Authors • Niels Provos • Senior staff engineer, Google Inc • Web-based malware • DDoS • Panayiotis Mavrommatis • Software engineer, Google Inc • Security • Distributed computing

  24. Extra-Malicious content injection[2/5] • Drive-by download via AD • Malware delivered via ads exhibits longer delivery chains
