Presentation is loading. Please wait.

Presentation is loading. Please wait.

All Your iFRAMEs Point to Us Cheng Wei. Acknowledgement This presentation is extended and modified from The presentation by Bruno Virlet All Your iFRAMEs.

Published byJuliana Howard Modified over 8 years ago

Similar presentations

Presentation on theme: "All Your iFRAMEs Point to Us Cheng Wei. Acknowledgement This presentation is extended and modified from The presentation by Bruno Virlet All Your iFRAMEs."— Presentation transcript:

1 All Your iFRAMEs Point to Us Cheng Wei

2 Acknowledgement This presentation is extended and modified from The presentation by Bruno Virlet All Your iFRAMEs Point to Us The presentation by YouZhi Bao

3 Motivation Generally improve safety of web browsing Report owners of malicious nets to authorities Study distribution of malicious sites Study relationship between user browsing habits and exposure to malware. Study Malware Distribution Network

4 Introduction What is a drive-by download and why should we even care? Malware delivery: – Social engineering(attackers use various social engineering techiques to entice visitors of a website to download and run malware.) – Browser vulnerabilities(automatically download and run),luer users to connect to malicious servers.

5 Injection techniques Adversaries use a number of techniques to inject content under their control into benign websites.(adversaries exploit web servers via vulnerable scripting applications,use invisible HTML components(IFrames) to hide the injected content.) Advertisements(Adversary inject content into) -Particularly dangerous as they target popular sites -75% of malicious landing sites delivered malware via ads Another common is to use websites that allow users to contribute their own content.Such as, use of forum, blogs or advertisements to inject exploit URL (we focus on this)

6 What is the characteristic of malicious sites?

7 Infrastructure and Methodology Our primary goal is to identify malicious web sites and help improve the safety of Internet. Useful terms: Malicious URL: denote URLs that initiates drive-by download when users visit them Landing site: group of URLs according to top level domain names,we refer to the resulting set as the landing sites. Distribution site: host of the malicious payload (loaded via an IFRAME or a script from a remote site)

8 Preprocessing phase our goal is to inspect URLs from this repository and identify the ones that trigger drive-by downloads. Web repository maintained by Google (exhausive inspection of each URL in repository is expensive due to large number of URLs in the repository,so we use light-weight techiques to extract URLs that are likey malicious then subject them to verification phase) For each website extract: – Out of place iFrames – Obfuscated JavaScript – iFrames to known distribution sites Pages that proceed to more expensive verification process: – Those labeled as suspicious from the above procedure (1 million / day) – Random selection of several hundred thousands URLS – URL reported to

9 Pre-processing Phase – Extract several features and translate them into a likelihood score using machine learning framework Map-reduce 5-fold cross-validation These URLs are randomly sampled from popular URLs as well as from the global index. We also process URLs reported by users. 1 billion -> 1 million

10 Preprocessing phase

11 Verification Process this phrase aims to verify whether a candidate URL from pre- processing phase is malicious. – Equipment: a large scale web-honeynet runs Microsoft Windows images in virtual machine. – Method: Execution based heuristics &results from Anti- virus engine(to detect malicious URL) – for each visited URL,we run VM for 2 minutes and monitor system behavior for abnormal state changes Heuristics score: the number of create process; the number of observed registry changes; the number of file system changes Met threshold: suspicious

12 Constructing the Malware Distribution Network Malware distribution network=> set of malware delivery trees from the landing site (leafs & nodes) to the distribution site (root) Used the ‘Referer’ header from requests( To construct the delivery tree,we extract edges that connecting these nodes by inspecting the Referer header from Http requests.) – A set of malware delivery trees, which consists of landing sites(leaf), hop points and distribution site(root) – REFER headers in HTTP request

13 Constructing the Malware Distribution Network

14 Prevalence of drive-by downloads 1.3% of the overall incoming search queries in Google returns at least one malicious result based on data collected over a period of 10 months From the top 1 million URLs appearing in Google search engine results, about 6,000 belong to sites that are verified as malicious (the most popular landing page had rank of 1.588)

15 4 Prevalence of Drive-by Downloads Jan 2011 - Oct 2011 6000 in top 1 million, uniformly distributed

16 Geographic locality of web based malware Above founding provide Evidence of poor security practices from administrators (running outdated and/or unpatched versions of web server software) Correlation between distribution site and landing site,we see that the malware distribution networks are highly localized within common geographical boundaries.

17 Malware Distribution Infrastructure 45% of the detected malware distribution sites used only a single landing site at a time. 70% of the malware distribution sites have IP addresses within 58.* -- 61.* and 209.* -- 221.* network ranges.

18 Impact of browsing habits DMOZ: knowledge base(measure prevalence of malicious websites across different website functional categories for about 50% of URLs) Random selection of 7.2 million URLs mapped to corresponding DMOZ category

19 Detecting malicious Emails

20 Malicious content Injection: Drive-by Downloads via Ads Majority of web advertisements are distributed in the form of third party content to the advertising web site. A web page is only as secure as its weakest component! Insecure Ad content posses risk(even if the web page itself does not contain any exploits,insecure Ad content poses a risk to advertising web sites) Frequent fact: – An advertiser sells advertising space => to another advertising company => who sells the advertising space to and other company and so it goes… Somewhere along the chain something can go wrong

21 Related Work This paper differs from all of these works in that it offers a far more comprehensive analysis of the different aspects of the problem posed by web-based malware, including an examination of its prevalence, the structure of the distribution networks, and the major driving forces.

22 Conclusion Our study uses a large scale of data collectiion infrastructure that continuously detects and monitors the behavior of websites that perpetrate drive-by downloads. our analysis reveals several forms of relations between some distribution sites and networks. we show that merely avoiding the dark corners of the Internet does not limit exposure to malware(even the anti-virus engines are lacking in their ability to protect against drive-by downloads)

23 Thank you Questions ?

Download ppt "All Your iFRAMEs Point to Us Cheng Wei. Acknowledgement This presentation is extended and modified from The presentation by Bruno Virlet All Your iFRAMEs."

Similar presentations

Automated Web Patrol with Strider Honey Monkeys: Finding Web Sites That Exploit Browser Vulnerabilities AUTHORS: Yi-Min Wang, Doug Beck, Xuxian Jiang,

Automated Web Patrol with Strider Honey Monkeys: Finding Web Sites That Exploit Browser Vulnerabilities AUTHORS: Yi-Min Wang, Doug Beck, Xuxian Jiang,
AVG 8.5 Product Line Welcome to a safe world …. | Page 2 Contents  Components Overview  Product Line Overview  AVG 8.0 Boxes.

AVG 8.5 Product Line Welcome to a safe world …. | Page 2 Contents  Components Overview  Product Line Overview  AVG 8.0 Boxes.
A Crawler-based Study of Spyware on the Web Author: Alexander Moshchuk, Tanya Bragin, Steven D.Gribble, Henry M.Levy Presented At: NDSS, 2006 Prepared.

A Crawler-based Study of Spyware on the Web Author: Alexander Moshchuk, Tanya Bragin, Steven D.Gribble, Henry M.Levy Presented At: NDSS, 2006 Prepared.
Cyber X-Force-SMS alert system for E-mail threats.

Cyber X-Force-SMS alert system for threats.
Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.

Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.
Automated Web Patrol with Strider HoneyMonkeys Present by Zhichun Li.

Automated Web Patrol with Strider HoneyMonkeys Present by Zhichun Li.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
1. Introduction The underground Internet economy Web-based malware The system analyzing the post-infection network behavior of web-based malware How do.

1. Introduction The underground Internet economy Web-based malware The system analyzing the post-infection network behavior of web-based malware How do.
Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.

Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.
Norman SecureTide Powerful cloud solution to stop spam and threats before it reaches your network.

Norman SecureTide Powerful cloud solution to stop spam and threats before it reaches your network.
Norman SecureSurf Protect your users when surfing the Internet.

Norman SecureSurf Protect your users when surfing the Internet.
1.Understand the decision-making process of consumer purchasing online. 2.Describe how companies are building one-to-one relationships with customers.

1.Understand the decision-making process of consumer purchasing online. 2.Describe how companies are building one-to-one relationships with customers.
Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.

Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.
11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang 2010/3/29.

11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang /3/29.
MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.

MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.
2010.11.22 資安新聞簡報 報告者:劉旭哲、曾家雄. Spam down, but malware up 報告者:劉旭哲.

資安新聞簡報 報告者:劉旭哲、曾家雄. Spam down, but malware up 報告者:劉旭哲.
The Ghost In The Browser Analysis of Web-based Malware Niels Provos, Dean McNamee, Panayiotis Mavrommatis, Ke Wang and Nagendra Modadugu Google, Inc. The.

The Ghost In The Browser Analysis of Web-based Malware Niels Provos, Dean McNamee, Panayiotis Mavrommatis, Ke Wang and Nagendra Modadugu Google, Inc. The.
Chapter 1: Introduction to Web

Chapter 1: Introduction to Web
Niels Provos and Panayiotis Mavrommatis Google Google Inc. Moheeb Abu Rajab and Fabian Monrose Johns Hopkins University 17 th USENIX Security Symposium.

Niels Provos and Panayiotis Mavrommatis Google Google Inc. Moheeb Abu Rajab and Fabian Monrose Johns Hopkins University 17 th USENIX Security Symposium.
1 Spyware, Adware, and Browser Hijacking. ECE 41122 Agenda What is Spyware? What is Adware? What is Browser Hijacking? Security concerns and risks Prevention,

1 Spyware, Adware, and Browser Hijacking. ECE Agenda What is Spyware? What is Adware? What is Browser Hijacking? Security concerns and risks Prevention,

Similar presentations

Ads by Google