Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.

Presentation transcript:

All Your iFRAMEs Point to Us. Niels Provos and Panayiotis Mavrommatis (Google Inc.), Moheeb Abu Rajab and Fabian Monrose (Johns Hopkins University). Presented by Kathleen Stoeckle.

Outline: Purpose, Background Information, Data Collection, Results, Post-Infection Impact, Related Work, Conclusions, Strengths and Weaknesses

Purpose
- Analyze web-based malware using the malicious URLs collected over a ten-month period.
- Identify trends in how malware is delivered through the web.
- Raise questions about the security practices employed by site administrators.

Background Information

Techniques for Delivering Web-Malware
1. Social engineering: attackers use websites to persuade visitors to download and run malware themselves.
2. Drive-by downloads: attackers exploit vulnerabilities in the browser (or its plugins) so that a malicious binary is downloaded and executed automatically when the page is visited, without the user's knowledge.

Definitions
- Landing pages / malicious URLs: URLs that initiate a drive-by download when a user visits them.
- Landing sites: landing pages grouped by their top-level domain name.
- Distribution site: the remote site that hosts the malicious payload the landing page pulls in.
- iFRAME: an HTML element that embeds one HTML document inside another, so content from a third-party site can be loaded into a page without the visitor noticing.

Existing Malware Installation Strategies
- Remote exploitation of vulnerable network services
- Luring users into connecting to malicious servers
- Injecting malicious content into benign websites
- Exploiting vulnerable scripting applications

Malicious Binary Injection Techniques
- Lure web users into connecting to malicious servers that deliver exploits targeting vulnerabilities in web browsers or their plugins.
- Inject content into benign websites:
  - Exploit vulnerable scripting applications on the web server (paper, p. 4). The injected content is generally a link that redirects to a malicious website hosting the script that exploits the browser.
  - Hide the injected content in invisible HTML components, e.g. zero-pixel iFRAMEs.
  - Abuse websites that allow users to contribute content.

Drive-by Download (figure, paper p. 5)

Data Collection
- Infrastructure and methodology
- Pre-processing
- Verification

Goal: inspect the URLs in Google's web repository and determine which of them trigger drive-by downloads.

Pre-Processing Phase
- A MapReduce framework processes billions of web pages.
- Pages are flagged by features that correlate with drive-by downloads:
  - "out of place" iFRAMEs (e.g. zero-size or otherwise hidden)
  - obfuscated JavaScript
  - iFRAMEs pointing to known distribution sites
- About one billion URLs are analyzed daily; roughly one million of them are passed on to the verification phase.

Verification Phase
- Determines whether a URL flagged by the pre-processing phase is actually malicious.
- Web honeynet: each URL is loaded in an instrumented browser inside a virtual machine, and two signals are recorded:
  - execution-based heuristics (changes observed on the machine after the page loads)
  - anti-virus engine verdicts on the incoming HTTP responses
- Criteria:
  - malicious: the heuristic score meets the threshold and at least one incoming HTTP response is marked malicious by the anti-virus scanner
  - suspicious: the threshold is met but no incoming payload is flagged by the anti-virus scanner
- Of the roughly one million URLs scanned per day, about 25,000 are marked malicious.
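To make the two phases concrete, here is an added example (not code from the paper or from Google's pipeline) that implements a toy version of the pre-processing features on the previous slide and the verification rule on this one. The blocklist of known distribution sites, the heuristic weights, the threshold and both sample pages are constructed for this illustration; the real system used far richer features and a threshold the paper does not publish.

```python
"""Toy version of the two-phase pipeline on the slides: static pre-processing
features over raw HTML, then the verification decision that combines
execution-based heuristics with anti-virus verdicts.  Added example; every
input below is constructed for illustration and is not data from the paper."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical blocklist of known distribution sites (not from the paper).
KNOWN_DISTRIBUTION_SITES = {"dist.example-malware.test"}

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
OBFUSCATION_CALLS = re.compile(r"\b(?:eval|unescape|String\.fromCharCode|document\.write)\s*\(")
ESCAPED_RUN = re.compile(r"(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}|\\u[0-9a-f]{4}){8,}", re.I)


def _is_tiny(value):
    """True for width/height attributes such as '0', '1' or '0px'."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


class PreProcessor(HTMLParser):
    """Emit the features the pre-processing phase keys on."""

    def __init__(self):
        super().__init__()
        self.features = set()
        self._in_script = False
        self._script = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            # Zero-size or CSS-hidden iframe: an "out of place" iframe.
            if (_is_tiny(a.get("width")) or _is_tiny(a.get("height"))
                    or HIDDEN_STYLE.search(a.get("style") or "")):
                self.features.add("hidden_iframe")
            host = urlparse(a.get("src") or "").hostname or ""
            if host in KNOWN_DISTRIBUTION_SITES:
                self.features.add("iframe_to_known_distribution_site")
        elif tag == "script":
            self._in_script, self._script = True, []

    def handle_data(self, data):
        if self._in_script:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            body = "".join(self._script)
            # Obfuscation heuristic: a decoder call plus a long run of escaped bytes.
            if OBFUSCATION_CALLS.search(body) and ESCAPED_RUN.search(body):
                self.features.add("obfuscated_javascript")


def preprocess(html):
    """Return the set of pre-processing features that fire on a page."""
    p = PreProcessor()
    p.feed(html)
    p.close()
    return p.features


def execution_score(events):
    """Execution-based heuristics: weight the changes observed in the honeypot
    after the page loads.  Weights are this example's, not the paper's."""
    weights = {"new_process": 3, "registry_change": 2, "file_created": 1}
    return sum(weights.get(e, 0) for e in events)


def verify(score, threshold, av_flagged_responses):
    """Verification verdict as stated on the slides: 'malicious' needs the
    heuristic threshold AND an anti-virus hit on an incoming HTTP response;
    meeting the threshold without a flagged payload is only 'suspicious'."""
    if score < threshold:
        return "benign"
    return "malicious" if av_flagged_responses > 0 else "suspicious"


# Constructed sample pages: one with an injected zero-pixel iframe and an
# unescape/eval loader, one with an ordinary embedded map.
INJECTED_PAGE = """<html><body><h1>Recipes</h1>
<iframe src="http://dist.example-malware.test/in.cgi" width="0" height="0"></iframe>
<script>var s = unescape("%75%6e%65%73%63%61%70%65%28%22%25%36%34%25%36%66%22%29");
eval(s);</script></body></html>"""
BENIGN_PAGE = """<html><body><iframe src="https://maps.example.test/embed"
width="600" height="400"></iframe><script>document.title = "Map";</script></body></html>"""

if __name__ == "__main__":
    for name, page in (("injected", INJECTED_PAGE), ("benign", BENIGN_PAGE)):
        print(name, sorted(preprocess(page)))
    print(verify(execution_score(["new_process", "registry_change"]), 3, 1))
```

The point of the split is economy: the regex-level features are cheap enough to run over a billion URLs, while `verify` only gets the million or so pages on which something fired, and even then a page is not called malicious on heuristics alone.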

Constructing Malware Distribution Networks
- Analysis of the network traces recorded during verification.
- Malware delivery trees (the redirect chain from a landing page to the distribution site) are combined into distribution networks.
- Live for 1 year.
- Focus on drive-by downloads.

Results

Data Collection Summary
Over the 10-month period: about 3 million malicious URLs on roughly 180,000 landing sites, served by more than 9,000 distribution sites.

Data collection period: January - October 2007
Total URLs checked in-depth: 66,534,330
Total suspicious landing URLs: 3,385,889
Total malicious landing URLs: 3,427,590
Total malicious landing sites: 181,699
Total distribution sites: 9,340

Impact on Users
- About 1.3% of all search queries returned at least one malicious URL in the results.
- The most popular landing page has a rank of 1,588.
- Of the top one million URLs, about 6,000 were verified malicious during inspection.

Malware Hosting Site Distribution by Country

Malware Landing Site Distribution by Country

Random URL Sample

Malicious URLs by Subject (percentage of landing sites)

Malicious Content Injection
- Exposure to web malware is not tied to browsing habits.
- Drive-by downloads can be triggered from otherwise benign websites through:
  - a compromised web server
  - third-party contributed content

Web Server Software
- Outdated server software with known vulnerabilities increases the risk that an attacker takes control of the served content by exploiting the server.
Ads
- About 2% of landing sites delivered malware through ads, yet ads accounted for 12% of the search results that returned landing pages with malicious content.
- Ad-driven injections are short-lived compared to other content-injection techniques.
- 75% of ad-driven landing pages have long delivery chains (50% with more than six steps).

Properties of Malware Distribution Infrastructure
Size
- Networks that use only one landing site
- Networks that have multiple landing sites
IP space locality
- Distribution sites are concentrated in a limited number of /8 prefixes: 70% of malware distribution sites fall in 58.*-62.* and 209.*-221.*.
- Similar concentration for scam hosting infrastructure; about 50% of landing sites fall in the same prefixes.
Distribution of malware binaries across domains
- Hosting: 90% on a single IP address, 10% on multiple IP addresses.
- Distribution sites in sub-folders of a single DNS name, e.g. 512j.com/akgy, 512j.com/alavin, 512j.com/anti, or mihanblog.com/abadan2 and mihanblog.com/askbox.

Properties of Malware Distribution Infrastructure (continued)
- Examination of overlapping landing sites: 80% of distribution networks share at least one landing page with another network, typically because a compromised page carries multiple iFRAMEs linking to different malware distribution sites.
- 25% of malware distribution sites share at least one binary with another.
- Binaries are shared between distribution sites far less often than landing sites are.
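The three slides above (constructing distribution networks from traces, /8 locality, and landing-site versus binary overlap) are all computations over the same delivery-tree data. The following added example (not the paper's code) shows how one would derive them from verification traces; the traces, hostnames, IP addresses and binary hashes are constructed, and landing sites are keyed by hostname rather than the paper's top-level-domain grouping.

```python
"""Build malware distribution networks from verification traces and compute
the infrastructure properties the slides report (chain length, /8 locality,
landing-site overlap, binary sharing).  Added example: the traces, hostnames
and IP addresses below are constructed, not data from the paper."""
from collections import defaultdict
from urllib.parse import urlparse

# One record per verified drive-by: landing URL, intermediate redirect URLs,
# distribution site that finally served the payload, hash of the dropped binary.
TRACES = [
    ("http://recipes.example.test/cake",
     ["http://ads.example.test/show", "http://r1.example.test/go"], "dist-a.example.test", "h1"),
    ("http://recipes.example.test/cake", [], "dist-b.example.test", "h2"),  # second iFRAME, same page
    ("http://forum.example.test/t/12", ["http://r2.example.test/x"], "dist-a.example.test", "h1"),
    ("http://blog.example.test/post",
     ["http://r3.example.test/a", "http://r3.example.test/b", "http://r4.example.test/c",
      "http://r4.example.test/d", "http://r5.example.test/e", "http://r5.example.test/f"],
     "dist-c.example.test", "h4"),
    ("http://news.example.test/1", [], "dist-c.example.test", "h3"),
    ("http://news.example.test/2", [], "dist-d.example.test", "h3"),
]
DISTRIBUTION_SITE_IPS = {"dist-a.example.test": "58.10.20.30", "dist-b.example.test": "210.1.2.3",
                         "dist-c.example.test": "93.184.216.34", "dist-d.example.test": "61.5.5.5"}


def site(url):
    """Landing site of a URL.  The paper groups by top-level domain name; this
    example uses the hostname, which is sufficient for the constructed data."""
    return urlparse(url).hostname


def build_networks(traces):
    """A distribution network is one distribution site plus every landing site
    whose delivery chain ends there; chains and binaries are kept per network."""
    nets = defaultdict(lambda: {"landing_sites": set(), "chains": [], "binaries": set()})
    for landing, redirects, dist, binary in traces:
        n = nets[dist]
        n["landing_sites"].add(site(landing))
        n["chains"].append([site(landing)] + [site(u) for u in redirects] + [dist])
        n["binaries"].add(binary)
    return dict(nets)


def long_chain_fraction(nets, min_hops=6):
    """Fraction of delivery chains with more than `min_hops` redirect steps."""
    hops = [len(c) - 1 for n in nets.values() for c in n["chains"]]
    return sum(h > min_hops for h in hops) / len(hops)


def in_reported_prefixes(ip):
    """The slides report 70% of distribution sites in 58.*-62.* and 209.*-221.*."""
    first = int(ip.split(".")[0])
    return 58 <= first <= 62 or 209 <= first <= 221


def prefix_locality(site_ips):
    """Fraction of distribution sites whose IP falls in those /8 ranges."""
    return sum(in_reported_prefixes(ip) for ip in site_ips.values()) / len(site_ips)


def sharing_fraction(nets, key):
    """Fraction of networks sharing at least one `key` element ('landing_sites'
    or 'binaries') with some other network."""
    names = list(nets)
    shared = sum(1 for a in names if any(nets[a][key] & nets[b][key] for b in names if b != a))
    return shared / len(names)


if __name__ == "__main__":
    nets = build_networks(TRACES)
    for dist, n in sorted(nets.items()):
        print(dist, sorted(n["landing_sites"]), sorted(n["binaries"]))
    print("chains > 6 hops:", long_chain_fraction(nets))
    print("distribution sites in reported /8s:", prefix_locality(DISTRIBUTION_SITE_IPS))
    print("networks sharing a landing site:", sharing_fraction(nets, "landing_sites"))
    print("distribution sites sharing a binary:", sharing_fraction(nets, "binaries"))
```

On the constructed data every network shares a landing site with another (the `recipes` page carries two iFRAMEs, the `news` site feeds two distribution sites) while only half share a binary, which is the direction of the paper's 80% versus 25% finding; the redirect hosts in the chains are what a defender would block or sinkhole, since the landing sites are victims.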

Post-Infection Impact

Most Frequently Contacted Ports

Post-Infection
- Downloaded executables
- Launched processes
- Registry changes

Anti-Virus Engine Detection Rates
- Pull-based delivery system: the victim's browser fetches the binary from the distribution site.
- The detection rates of well-known anti-virus engines were evaluated against the suspected malware samples.
- The best engine averaged about 70% detection: even the best anti-virus engine with the latest definitions fails to detect a significant fraction of web malware.
- False positives: 6%.

Related Work
- Honeypots: Moshchuk et al. observed a decrease over time in links to executables labeled as spyware.
- Provos et al. and Seifert et al. raised awareness of the threats posed by drive-by downloads.
- Wang et al.: exploits against Internet Explorer on Windows XP; 200 of 17,000 URLs examined were found dangerous.
- Malware detection by dynamic taint analysis: gives insight into the mechanisms by which malware installs itself and operates.

Conclusions
- 1.3% of incoming search queries to Google return at least one link to a malicious site.
- Users are lured into malware distribution networks by content in online ads.
- Avoiding the "dark corners" of the Internet does not limit exposure to malware.
- Anti-virus engines are lacking: even the best one misses a significant fraction of web malware.

Strengths and Weaknesses
Strengths:
- Useful survey of malware installation.
- Broad data range.
Weaknesses:
- Only examines Google's database.
- The evaluation was largely automated and, because of the broad scope, much is missing from the analysis.
- Acronyms were not explained.

References
Niels Provos, Panayiotis Mavrommatis, Moheeb Abu Rajab, Fabian Monrose. All Your iFRAMEs Point to Us. 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008.