All iFRAMEs Point to Us
Niels Provos and Panayiotis Mavrommatis, Google Inc.
Moheeb Abu Rajab and Fabian Monrose, Johns Hopkins University
17th USENIX Security Symposium
1 / 22
Introduction [1/3]
The WWW is a criminal's preferred pathway for spreading malware.
Two ways of delivering web malware: social engineering, and drive-by download.
Drive-by download: URLs that attempt to exploit their visitors and cause malware to be installed and run automatically.
2 / 22
Introduction [2/3]
Drive-by download
Via iFRAMEs
Scripts exploit the browser and trigger downloads
3 / 22
Introduction [3/3]
Drive-by download
Landing site: cafe.naver.com
Distribution site: www.malware.com
4 / 22
Infrastructure and Methodology [1/4]
Workflow
5 / 22
Infrastructure and Methodology [2/4]
Pre-processing phase
Inspect URLs from the repository and identify the ones that trigger drive-by downloads
MapReduce and machine-learning framework
Pre-process a billion pages daily
Choose 1 million URLs for the verification phase
6 / 22
Infrastructure and Methodology [3/4]
Verification phase
Large-scale web honeynet
Runs a large number of MS Windows images in VMs
Unpatched version of Internet Explorer
Multiple anti-virus engines
Loads a clean Windows image, then visits the candidate URL
Monitors the system behavior for abnormal state changes
7 / 22
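The verification phase above boils down to snapshotting a clean VM, visiting one URL, and diffing the state afterwards; the post-infection slides later in the deck report exactly the quantities such a diff yields (executables dropped, processes started, registry changes). The following Python is an added illustration of that state-change check, not the authors' honeynet code: the snapshot contents, the file and process names, the "expected visit process" list and the decision rule are all constructed assumptions.

```python
import os
from dataclasses import dataclass

# Assumption: a dropped file with one of these extensions counts as a downloaded executable.
EXECUTABLE_EXT = {".exe", ".dll", ".scr", ".sys"}
# Assumption: the browser the honeynet launches to visit the URL is expected to appear.
EXPECTED_VISIT_PROCESSES = {"iexplore.exe"}


@dataclass(frozen=True)
class Snapshot:
    """State of one VM image: running processes, registry keys, files on disk."""
    processes: frozenset
    registry_keys: frozenset
    files: frozenset


@dataclass
class VisitReport:
    url: str
    new_executables: list
    new_processes: list
    new_registry_keys: list
    av_detections: int  # number of AV engines that flagged a dropped file (corroborating only)

    def is_malicious(self):
        # Assumed rule: an unexpected executable on disk or an unexpected process
        # started by a page visit is treated as a drive-by download.
        return bool(self.new_executables) or bool(self.new_processes)


def diff_snapshots(url, before, after, av_detections=0):
    """Compare the clean image with the post-visit image and report abnormal changes."""
    new_files = after.files - before.files
    new_exes = sorted(f for f in new_files
                      if os.path.splitext(f)[1].lower() in EXECUTABLE_EXT)
    new_procs = sorted((after.processes - before.processes) - EXPECTED_VISIT_PROCESSES)
    new_keys = sorted(after.registry_keys - before.registry_keys)
    return VisitReport(url, new_exes, new_procs, new_keys, av_detections)


def summarize(reports):
    """Aggregate per-visit reports into the kind of post-infection metrics the deck shows."""
    malicious = [r for r in reports if r.is_malicious()]
    n = len(malicious) or 1  # avoid division by zero when nothing was flagged
    return {
        "malicious_urls": len(malicious),
        "avg_executables": sum(len(r.new_executables) for r in malicious) / n,
        "avg_processes": sum(len(r.new_processes) for r in malicious) / n,
        "share_with_registry_changes": sum(1 for r in malicious if r.new_registry_keys) / n,
    }


# Constructed sample snapshots (not data from the paper).
CLEAN = Snapshot(
    processes=frozenset({"explorer.exe", "svchost.exe"}),
    registry_keys=frozenset({r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"}),
    files=frozenset({r"C:\Windows\system32\kernel32.dll"}),
)
AFTER_MALICIOUS = Snapshot(
    processes=CLEAN.processes | {"iexplore.exe", "update.exe"},
    registry_keys=CLEAN.registry_keys
    | {r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
    files=CLEAN.files | {r"C:\Windows\Temp\update.exe", r"C:\Windows\Temp\load.dll",
                         r"C:\Windows\Temp\page.htm"},
)
AFTER_BENIGN = Snapshot(
    processes=CLEAN.processes | {"iexplore.exe"},
    registry_keys=CLEAN.registry_keys,
    files=CLEAN.files | {r"C:\Windows\Temp\page.htm"},
)


def run_sample():
    reports = [
        diff_snapshots("http://landing.example/", CLEAN, AFTER_MALICIOUS, av_detections=1),
        diff_snapshots("http://benign.example/", CLEAN, AFTER_BENIGN),
    ]
    return reports, summarize(reports)


if __name__ == "__main__":
    for report in run_sample()[0]:
        print(report.url, "malicious" if report.is_malicious() else "clean", report)
    print(run_sample()[1])
```

Note that the AV count is recorded but not part of the decision: the deck's own conclusion is that AV engines miss many drive-by downloads, so the behavioural diff is the primary signal and the AV verdict is only attached as corroboration.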
Infrastructure and Methodology [4/4]
Malware distribution networks
The set of malware delivery trees from all the landing sites that lead to a particular malware distribution site
Inspecting the Referer header and HTTP request
In some cases URLs contain randomly generated strings; a heuristics-based algorithm is applied
8 / 22
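The slide above describes reconstructing delivery trees from the Referer header and collapsing URLs that carry randomly generated strings. As an added example that is not the paper's implementation, the Python below walks constructed request logs back through their Referer values to recover landing site to distribution site chains, normalizes random-looking URL components with a simple heuristic, and computes the landing-sites-per-distribution-site figure that a later slide reports. The request sample, the hostnames, the "binary content type marks the distribution site" rule and the randomness regex are all assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Assumption: the honeynet records the content type of each response, and the URL
# that returned a binary is the malware distribution site.
BINARY = "application/octet-stream"

# Assumed heuristic: a path segment of 6+ alphanumerics mixing letters and digits,
# with no extension, is treated as randomly generated and replaced by "*".
RANDOM_SEGMENT = re.compile(r"^(?=.*\d)(?=.*[a-zA-Z])[a-zA-Z0-9]{6,}$")

# Constructed sample: (url, referer, content_type) as logged while visiting landing pages.
SAMPLE_REQUESTS = [
    # chain 1: landing page -> injected relay -> distribution site
    ("http://landing-a.example/index.html", None, "text/html"),
    ("http://relay.example/ad.php?id=a8f3k2", "http://landing-a.example/index.html", "text/html"),
    ("http://dist.example/exe.php?x=9q2z", "http://relay.example/ad.php?id=a8f3k2", BINARY),
    # chain 2: a second landing page through the same relay, different random token
    ("http://landing-b.example/blog/post1", None, "text/html"),
    ("http://relay.example/ad.php?id=zz91pq", "http://landing-b.example/blog/post1", "text/html"),
    ("http://dist.example/exe.php?x=k3m7", "http://relay.example/ad.php?id=zz91pq", BINARY),
    # chain 3: landing page that links to the distribution site directly
    ("http://landing-c.example/", None, "text/html"),
    ("http://dist.example/exe.php?x=aa11", "http://landing-c.example/", BINARY),
    # an unrelated benign fetch that must not end up in any delivery tree
    ("http://cdn.example/style.css", "http://landing-a.example/index.html", "text/css"),
]


def normalize_url(url):
    """Drop the query string and mask random-looking path segments."""
    p = urlparse(url)
    segs = ["*" if RANDOM_SEGMENT.match(s) else s for s in p.path.split("/")]
    return f"{p.scheme}://{p.netloc}{'/'.join(segs)}"


def build_delivery_chains(requests):
    """Return one landing -> ... -> distribution chain (normalized) per binary download."""
    referer_of = {url: ref for url, ref, _ in requests}
    chains = []
    for url, _, ctype in requests:
        if ctype != BINARY:
            continue
        chain, seen = [url], set()
        # Walk the Referer links back to the page with no referer (the landing site).
        while referer_of.get(chain[-1]) and chain[-1] not in seen:
            seen.add(chain[-1])
            chain.append(referer_of[chain[-1]])
        chains.append([normalize_url(u) for u in reversed(chain)])
    return chains


def distribution_networks(requests):
    """Map each distribution host to the set of landing hosts whose pages lead to it."""
    nets = defaultdict(set)
    for chain in build_delivery_chains(requests):
        landing_host = urlparse(chain[0]).netloc
        dist_host = urlparse(chain[-1]).netloc
        nets[dist_host].add(landing_host)
    return dict(nets)


def landing_sites_per_distribution_site(requests):
    return {d: len(landings) for d, landings in distribution_networks(requests).items()}


if __name__ == "__main__":
    for chain in build_delivery_chains(SAMPLE_REQUESTS):
        print(" -> ".join(chain))
    print(landing_sites_per_distribution_site(SAMPLE_REQUESTS))
```

The Referer walk has to use the raw URLs, because the random tokens are what make each hop's Referer value unique; normalization is applied only when the chain is emitted, so the two visits through relay.example collapse onto the same intermediate node.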
Prevalence of drive-by downloads [1/3]
Summary of collected data
9 / 22
Prevalence of drive-by downloads [2/3]
Geographic locality
The correlation between the location of a distribution site and the locations of its landing sites
10 / 22
Prevalence of drive-by downloads [3/3]
Impact on end-users
Average 1.3%
11 / 22
Malicious content injection [1/2]
Web server software
A significant fraction of the servers were running outdated software versions.
12 / 22
Malicious content injection [2/2]
Drive-by download via ads
13 / 22
Malicious distribution infrastructure [1/3]
The number of landing sites per distribution site
14 / 22
Malicious distribution infrastructure [2/3]
Properties of malware distribution site IP addresses
Concentrated in the ranges 58.* -- 61.* and 209.* -- 221.*
15 / 22
Malicious distribution infrastructure [3/3]
The number of unique binaries downloaded from each malware distribution site
16 / 22
Post Infection Impact [1/4]
The number of executables downloaded as a result of visiting a malicious URL
Average 8
17 / 22
Post Infection Impact [2/4]
The number of processes started after visiting a malicious URL
18 / 22
Post Infection Impact [3/4]
Registry changes were observed after visiting 57.5% of the landing pages
19 / 22
Post Infection Impact [4/4]
Network activity of the virtual machine post infection
20 / 22
Anti-virus engine detection rates
21 / 22
Conclusion
Large web-scale data collection infrastructure
In-depth analysis of over 66 million URLs
Reveals that the scope of the problem is significant
Anti-virus engines are lacking in their ability to protect against drive-by downloads
22 / 22
Extra: Authors
Niels Provos, Senior staff engineer, Google Inc.: web-based malware, DDoS
Panayiotis Mavrommatis, Software engineer, Google Inc.: security, distributed computing
23 / 18
Extra: Malicious content injection [2/5]
Drive-by download via ads
Malware delivered via ads exhibits a longer delivery chain
24 / 18