The Ghost In The Browser: Analysis of Web-based Malware
Reporter: 林佳宜
Advisor: Chun-Ying Huang
2010/3/29

References
• N. Provos, D. McNamee, P. Mavrommatis, K. Wang, and N. Modadugu, “The ghost in the browser: Analysis of web-based malware,” in HotBots’07. Cambridge: Usenix,

Outline
• Introduction
• Detecting dangerous web pages
• Exploitation mechanisms
• Trends and statistics
• Conclusion

Introduction
• Computer users have become the target of an underground economy that infects hosts with malware or adware for financial gain.
• A visit to an infected web site enables the attacker to detect vulnerabilities on the host.
• The aim of the paper is to:
  ◦ present the state of malware on the Web
  ◦ emphasize the importance of this rising threat

Difference
• We believe that such web-based malware behavior is similar to our traditional understanding of botnets.
• Web-based malware infections are pull-based.
• Traditional botnets use push-based infection.

Personal computer security
• HTML code is then used as a vehicle.
• The personal computer seems to be the weakest link in these transactions.
• It is usually neither:
  ◦ managed
  ◦ updated
• Enables an adversary to insert small pieces of HTML in web pages.

Definition of malicious
• A page is malicious if it causes the automatic installation of software without the user’s knowledge or consent.
• The automatic installation of a malware binary is called a
  ◦ drive-by-download

Analysis
• We do not attempt to investigate the actual behavior of the software, but rather identify the mechanisms used to introduce it into the system via the browser.
• URLs analyzed:
  ◦ in-depth analysis: 4.5 million URLs
  ◦ 450,000 URLs launching drive-by-downloads
  ◦ another 700,000 URLs that seemed malicious

[Figure: Architecture]

Four Prevalent Mechanisms
• Used to inject malicious content on popular web sites:
  ◦ web server security
  ◦ user contributed content
  ◦ advertising
  ◦ third-party widgets
• Scripting support:
  ◦ JavaScript
  ◦ Visual Basic Script
  ◦ Flash

[Figure: An example of an inserted script]

Exploit Code Obfuscation
• Authors of malware try to camouflage their code using multiple layers of obfuscation.
• This makes reverse engineering and detection harder for:
  ◦ popular anti-virus
  ◦ web analysis tools

Change of iframe
• First noticed iframes in October 2006 pointing to “fdghewrtewrtyrew.biz”
• Switched to “wsfgfdgrtyhgfd.net” in November 2006
• Then to “statrafongon.biz” in December

Tricking the User
• Users are enticed to install malware with:
  ◦ copyrighted software or media
  ◦ adult videos
• A click may display the following message:
  ◦ Windows Media Player cannot play video file. Click here to download missing Video ActiveX Object.

Malware Classification
• The different types of malware are classified using popular anti-virus software.
• We have the following malware threat families:
  ◦ Trojan
  ◦ Adware
  ◦ Unknown/Obfuscated

[Figure: Number of malware binaries]

Exploitation mechanisms
• Adversaries try to get as many sites linking
• The same binary tends to be hosted on more than one server at the same time
• Accessible under many different URLs

[Figure: Distribution of binaries across domains]

One case of multiple URLs
• In one case, at least 412 different top-level domains were used to host a file called:
  ◦ open-for-instant-access-now.exe
• Counting the number of different URLs, the file
  ◦ appeared in about 3200 different subdomains

Providers of Adware
• The most common providers of adware:
  ◦ Trymedia
  ◦ NewDotNet
• Their adware typically arrives bundled with other software.
• Monetary incentives are offered for including adware in software.

One interesting example
• This organization would pay web masters for compromising users:
  ◦ iframemoney.org
• It offered $7 for every 10,000 unique views.
• It did not accept traffic from:
  ◦ Russia, Ukraine, China, Japan

Malware Evolution
• Many anti-virus engines rely on creating signatures from malware samples.
• Adversaries can prevent detection by changing binaries more frequently.
• The change rate of binaries is measured on:
  ◦ pre-identified malicious URLs
  ◦ many of the malicious URLs are too short-lived

[Figure: Change rate of binaries]
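Added example (not from the slides or the paper): a sketch of the two measurements described under "Exploitation mechanisms" and "Malware Evolution", namely how widely one binary is spread across URLs and hosts, and how often the binary behind a given URL changes between visits. The crawl-log layout, the `.example` hosts, the placeholder payload bytes and the function names are all assumptions made for illustration.

```python
from collections import defaultdict
from hashlib import sha256
from urllib.parse import urlsplit

# Constructed crawl log: (day, URL, bytes fetched). Hosts use the reserved
# .example TLD; the payload bytes are harmless placeholders.
OBSERVATIONS = [
    (1, "http://a.one.example/setup.exe", b"build-1"),
    (1, "http://b.one.example/setup.exe", b"build-1"),
    (1, "http://cdn.two.example/get.exe", b"build-1"),
    (2, "http://a.one.example/setup.exe", b"build-2"),
    (2, "http://cdn.two.example/get.exe", b"build-1"),
    (3, "http://a.one.example/setup.exe", b"build-3"),
    (3, "http://cdn.two.example/get.exe", b"build-1"),
    (3, "http://x.three.example/free.exe", b"build-3"),
]


def spread(observations):
    """Per binary hash: (distinct URLs, distinct hosts) that served it."""
    urls, hosts = defaultdict(set), defaultdict(set)
    for _day, url, body in observations:
        digest = sha256(body).hexdigest()
        urls[digest].add(url)
        hosts[digest].add(urlsplit(url).hostname)
    return {d: (len(urls[d]), len(hosts[d])) for d in urls}


def change_rate(observations):
    """Per URL: fraction of consecutive visits where the binary changed.
    A URL seen only once maps to None: no pair of visits to compare."""
    history = defaultdict(list)
    for _day, url, body in sorted(observations, key=lambda o: o[0]):
        history[url].append(sha256(body).hexdigest())
    rates = {}
    for url, digests in history.items():
        if len(digests) < 2:
            rates[url] = None
            continue
        changes = sum(a != b for a, b in zip(digests, digests[1:]))
        rates[url] = changes / (len(digests) - 1)
    return rates


if __name__ == "__main__":
    print(spread(OBSERVATIONS))
    print(change_rate(OBSERVATIONS))
```

A URL whose rate is 1.0 served a different binary on every visit, which is the case where sample-based signatures lag behind; a rate of None marks a URL that did not live long enough to be measured.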

Conclusion
• We present the status and evolution of malware.
• We showed that malware binaries change frequently.
• Malware binaries are often distributed across a large number of URLs and domains.

Questions
