All iFRAMEs Point to US. Niels Provos and Panayiotis Mavrommatis, Google Inc. Moheeb Abu Rajab and Fabian Monrose, Johns Hopkins University. 17th USENIX Security Symposium.


Dec 27, 2015

Transcript
Page 1:

All iFRAMEs Point to US

Niels Provos and Panayiotis Mavrommatis Google Inc.

Moheeb Abu Rajab and Fabian Monrose, Johns Hopkins University

17th USENIX Security Symposium

1 / 22

Page 2:

Introduction [1/3]

The WWW is a criminal’s preferred pathway for spreading malware.

Two kinds of web-malware delivery: social engineering and drive-by download

Drive-by download: URLs that attempt to exploit their visitors and cause malware to be installed and run automatically.

2 / 22

Page 3:

Introduction [2/3]

Drive-by download via iFRAMEs

The injected script exploits the browser and triggers downloads

3 / 22

Page 4:

Introduction [3/3]

Drive-by download: landing site cafe.naver.com

Distribution site: www.malware.com

4 / 22

Page 5:

Infrastructure and Methodology [1/4]

Workflow

5 / 22

Page 6:

Infrastructure and Methodology [2/4]

Pre-processing phase: inspect URLs from the repository and identify the ones that trigger drive-by downloads

MapReduce and machine-learning framework

Pre-processes a billion pages daily; chooses 1 million URLs for the verification phase

6 / 22

Page 7:

Infrastructure and Methodology [3/4]

Verification phase: large-scale web honeynet

Runs a large number of MS Windows images in VMs

Unpatched version of Internet Explorer; multiple anti-virus engines

Loads a clean Windows image, then visits the candidate URL

Monitors the system behavior for abnormal state changes

7 / 22

Page 8:

Infrastructure and Methodology [4/4]

Malware distribution networks: the set of malware delivery trees from all the landing sites that lead to a particular malware distribution site.

Reconstructed by inspecting the Referer header of each HTTP request

In some cases URLs contain randomly generated strings, so a heuristics-based algorithm is applied.

8 / 22
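To make the reconstruction step concrete, here is an added example (not code from the paper or the slides) that walks Referer headers backwards from each downloaded executable to its landing page and groups the resulting delivery chains by distribution site. The request log, the site names other than the slide's cafe.naver.com / www.malware.com illustration, and the "random-looking path segment" heuristic are all constructed assumptions, not the authors' algorithm.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: (requested URL, Referer header) pairs as a honeypot
# browser would log them while visiting two landing pages. Site names follow
# the slide's illustration (cafe.naver.com -> www.malware.com); the rest are
# made up.
REQUESTS = [
    ("http://cafe.naver.com/post", None),
    ("http://ads.example.net/show?id=7", "http://cafe.naver.com/post"),
    ("http://hop.example.org/r/ab12xz9q", "http://ads.example.net/show?id=7"),
    ("http://www.malware.com/x/k93jd0aq2/exploit.js", "http://hop.example.org/r/ab12xz9q"),
    ("http://www.malware.com/x/k93jd0aq2/payload.exe",
     "http://www.malware.com/x/k93jd0aq2/exploit.js"),
    ("http://blog.example.com/", None),
    ("http://hop.example.org/r/zq77pl0m", "http://blog.example.com/"),
    ("http://www.malware.com/x/pp01mm22x/payload.exe", "http://hop.example.org/r/zq77pl0m"),
]

# Assumed heuristic (not the paper's): a path segment of 8+ alphanumerics that
# contains a digit is treated as randomly generated and collapsed to '*'.
RANDOM_SEGMENT = re.compile(r"^(?=.*\d)[a-z0-9]{8,}$", re.IGNORECASE)

def normalize(url: str) -> str:
    """Drop the query string and wildcard random-looking path segments."""
    p = urlsplit(url)
    segs = ["*" if RANDOM_SEGMENT.match(s) else s for s in p.path.split("/")]
    return f"{p.scheme}://{p.netloc}{'/'.join(segs)}"

def delivery_chain(requests, final_url: str) -> list:
    """Follow Referer headers backwards from a download to its landing page."""
    referer = {url: ref for url, ref in requests}
    chain, seen = [final_url], {final_url}
    while (prev := referer.get(chain[-1])) and prev not in seen:  # guard loops
        chain.append(prev)
        seen.add(prev)
    return chain[::-1]

def distribution_networks(requests, payload_suffix: str = ".exe") -> dict:
    """Map each distribution site to {landing site: normalized delivery chain}."""
    nets = defaultdict(dict)
    for url, _ in requests:
        if url.endswith(payload_suffix):
            chain = [normalize(u) for u in delivery_chain(requests, url)]
            nets[urlsplit(chain[-1]).netloc][urlsplit(chain[0]).netloc] = chain
    return dict(nets)
```

Both landing sites end up under the same distribution site once the random path segments are collapsed, and the chain that passes through the ad network is the longer one.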

Page 9:

Prevalence of drive-by downloads [1/3]

Summary of collected data

9 / 22

Page 10:

Prevalence of drive-by downloads [2/3]

Geographic locality

The correlation between the location of a distribution site and the landing sites

10 / 22

Page 11:

Prevalence of drive-by downloads [3/3]

Impact on the end-users

Average 1.3%

11 / 22

Page 12:

Malicious content injection [1/2]

Web server software

A significant fraction were running out-of-date versions of software.

12 / 22

Page 13:

Malicious content injection [2/2]

Drive-by download via ads

13 / 22

Page 14:

Malicious distribution infrastructure [1/3]

The rate of landing sites per distribution site

14 / 22

Page 15:

Malicious distribution infrastructure [2/3]

Properties of malware distribution site IPs

58.* -- 61.* and 209.* -- 221.*

15 / 22

Page 16:

Malicious distribution infrastructure [3/3]

The number of unique binaries downloaded from each malware distribution site

16 / 22

Page 17:

Post Infection Impact [1/4]

The number of downloaded executables as a result of visiting a malicious URL

Average 8

17 / 22

Page 18:

Post Infection Impact [2/4]

The number of processes started after visiting a malicious URL

18 / 22

Page 19:

Post Infection Impact [3/4]

Registry changes after visiting 57.5% of the landing pages

19 / 22

Page 20:

Post Infection Impact [4/4]

Network activity of the virtual machine post infection

20 / 22

Page 21:

Anti-virus engine detection rates

21 / 22

Page 22:

Conclusion

Large web-scale data collection infrastructure

In-depth analysis of over 66 million URLs

Reveals that the scope of the problem is significant

Anti-virus engines are lacking in their ability to protect against drive-by downloads

22 / 22

Page 23:

Extra: Authors

Niels Provos, Senior staff engineer, Google Inc. Web-based malware, DDoS

Panayiotis Mavrommatis, Software engineer, Google Inc. Security, distributed computing

23 / 18

Page 24:

Extra: Malicious content injection [2/5]

Drive-by download via ads

Malware delivered via ads exhibits a longer delivery chain

24 / 18