All Your iFRAMEs Point to Us
Niels Provos and Panayiotis Mavrommatis, Google Inc.
Moheeb Abu Rajab and Fabian Monrose, Johns Hopkins University
17th USENIX Security Symposium
Dec 27, 2015
Introduction [1/3]
The web is the criminals' preferred pathway for spreading malware.
Two ways of delivering web malware:
- Social engineering: the user is talked into downloading and running the malware.
- Drive-by download: URLs that attempt to exploit their visitors and cause malware to be installed and run automatically, without any user action.
Introduction [2/3]
Drive-by download
- Delivered via iFRAMEs: the landing page embeds an (often hidden) iFRAME that pulls content from the attacker's site.
- A script in that content exploits the browser and triggers the download and execution of the malware binary.
Introduction [3/3]
Drive-by download: example flow (figure)
- Landing site: cafe.naver.com (the page the user actually visits)
- Distribution site: www.malware.com (the site that serves the exploit and the malware binary)
Infrastructure and Methodology [1/4]
Workflow (figure)
Infrastructure and Methodology [2/4]
Pre-processing phase
- Inspects URLs from the repository and identifies the ones likely to trigger drive-by downloads.
- Built on MapReduce and a machine-learning framework.
- Pre-processes about a billion pages daily and selects 1 million URLs for the verification phase.
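The two slides above describe, first, how a drive-by page typically carries a hidden iFRAME that loads the exploit from a third-party host, and second, a pre-processing stage that scores crawled pages cheaply so that only a small fraction is sent to the expensive honeynet. The following is an added example, not the authors' code: a stand-alone page-triage script that extracts the kind of per-page signals such a stage can compute from raw HTML (hidden or off-screen iFRAMEs, iFRAMEs and scripts fetched from a host other than the landing site, obfuscation markers in inline scripts). The weights, the cut-off, the marker list and the two sample pages (landing.example, distribution.example) are assumptions chosen for illustration.

```python
"""Per-page triage features for drive-by download candidates.

Added example, not the authors' code. The real pre-processing phase ran a
MapReduce over crawled pages and scored them with a machine-learned model;
this script computes a few of the cheap signals such a stage can extract
from one page's HTML and combines them with illustrative weights.
The weights, thresholds and the sample pages are assumptions.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Calls that commonly appear in obfuscated exploit loaders (assumed marker list).
OBFUSCATION_MARKERS = ("eval(", "unescape(", "String.fromCharCode(", "document.write(")
ESCAPE_RUN = re.compile(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")


class PageFeatures(HTMLParser):
    """Collects iFRAME and script features while parsing one landing page."""

    def __init__(self, landing_url):
        super().__init__()
        self.landing_host = urlparse(landing_url).hostname
        self.hidden_iframes = 0
        self.cross_host_iframes = []
        self.external_scripts = []
        self.obfuscated_scripts = 0
        self._script_buf = None  # list while inside an inline <script>, else None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            if self._foreign(a.get("src", "")):
                self.cross_host_iframes.append(a["src"])
            if self._looks_hidden(a):
                self.hidden_iframes += 1
        elif tag == "script":
            if a.get("src"):
                if self._foreign(a["src"]):
                    self.external_scripts.append(a["src"])
            else:
                self._script_buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            body = "".join(self._script_buf)
            self._script_buf = None
            if self._is_obfuscated(body):
                self.obfuscated_scripts += 1

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def _foreign(self, url):
        """True when the URL names a host other than the landing site."""
        host = urlparse(url).hostname
        return bool(host) and host != self.landing_host

    @staticmethod
    def _looks_hidden(a):
        """Zero/one-pixel frames, CSS-hidden frames, or frames placed off-screen."""
        def tiny(v):
            v = v.strip().lower().removesuffix("px").strip()
            return v.isdigit() and int(v) <= 1
        if tiny(a.get("width", "")) or tiny(a.get("height", "")):
            return True
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            return True
        return re.search(r"(?:left|top):-\d", style) is not None  # e.g. left:-5000px

    @staticmethod
    def _is_obfuscated(body):
        marker_hits = sum(body.count(m) for m in OBFUSCATION_MARKERS)
        return marker_hits >= 2 or len(ESCAPE_RUN.findall(body)) >= 20


def triage(landing_url, html):
    """Return the extracted features plus an illustrative score and verdict."""
    f = PageFeatures(landing_url)
    f.feed(html)
    f.close()
    score = (2 * min(f.hidden_iframes, 1) + 2 * min(len(f.cross_host_iframes), 1)
             + 3 * min(f.obfuscated_scripts, 1) + min(len(f.external_scripts), 1))
    return {
        "hidden_iframes": f.hidden_iframes,
        "cross_host_iframes": f.cross_host_iframes,
        "external_scripts": f.external_scripts,
        "obfuscated_scripts": f.obfuscated_scripts,
        "score": score,
        "candidate": score >= 4,  # assumed cut-off for forwarding to verification
    }


# Constructed sample pages (not real sites); the landing host is landing.example.
SUSPICIOUS_PAGE = """<html><body><h1>Forum</h1>
<iframe src="http://distribution.example/in.php" width="0" height="0" frameborder="0"></iframe>
<script>var s="%75%6e";eval(unescape(s));</script>
</body></html>"""
BENIGN_PAGE = """<html><body><h1>Forum</h1>
<iframe src="/embed/video?id=7" width="400" height="300"></iframe>
<script>console.log("hello");</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("suspicious", SUSPICIOUS_PAGE), ("benign", BENIGN_PAGE)):
        print(name, triage("http://landing.example/board/view?id=42", page))
```

The point of a stage like this is recall, not precision: a page that scores above the cut-off is only a candidate, and the verification phase on the next slide is what decides whether it really installs malware.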
Infrastructure and Methodology [3/4]
Verification phase: a large-scale web honeynet
- Runs a large number of MS Windows images in virtual machines.
- Unpatched version of Internet Explorer; multiple anti-virus engines.
- Loads a clean Windows image, then visits the candidate URL.
- Monitors the system for abnormal state changes (new processes, files, registry changes, network activity).
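The verification phase above is, at its core, a before/after comparison of the virtual machine's state around one browser visit. The following is an added example, not the authors' honeynet code: it diffs two constructed VM snapshots and reports the four quantities the post-infection slides later count (executables downloaded, processes started, registry changes, network activity), flagging autostart locations and applying a simple verdict rule. The snapshot format, the autostart key list, the verdict rule and the sample data (hosts dist.example, c2.example) are assumptions.

```python
"""Detecting abnormal VM state changes after visiting a candidate URL.

Added example, not the authors' honeynet code. A clean snapshot is taken
before the visit and a second one afterwards; the diff is the evidence.
The snapshot format, AUTOSTART_PREFIXES and the verdict rule are assumptions,
and both snapshots below are constructed.
"""

# Registry locations whose modification commonly means persistence (assumed list).
AUTOSTART_PREFIXES = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\System\CurrentControlSet\Services",
)
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".scr")

# A snapshot: running processes as (pid, image path), files on disk, registry
# values keyed by full path, and established outbound TCP connections (host, port).
CLEAN_SNAPSHOT = {
    "processes": {(1040, r"C:\WINDOWS\explorer.exe"), (1588, r"C:\Program Files\Internet Explorer\iexplore.exe")},
    "files": {r"C:\WINDOWS\system32\kernel32.dll"},
    "registry": {r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon": r"C:\WINDOWS\system32\ctfmon.exe"},
    "connections": set(),
}
POST_VISIT_SNAPSHOT = {
    "processes": CLEAN_SNAPSHOT["processes"] | {(2208, r"C:\WINDOWS\Temp\svchost.exe"), (2240, r"C:\WINDOWS\Temp\upd.exe")},
    "files": CLEAN_SNAPSHOT["files"] | {r"C:\WINDOWS\Temp\svchost.exe", r"C:\WINDOWS\Temp\upd.exe", r"C:\WINDOWS\Temp\page.tmp"},
    "registry": {**CLEAN_SNAPSHOT["registry"],
                 r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\upd": r"C:\WINDOWS\Temp\upd.exe"},
    "connections": {("dist.example", 80), ("c2.example", 6667)},
}


def diff_snapshots(before, after):
    """Return the state changes the honeynet counts: new executables on disk,
    processes started, registry changes (with autostart locations flagged)
    and new network connections."""
    new_files = after["files"] - before["files"]
    new_exes = sorted(f for f in new_files if f.lower().endswith(EXECUTABLE_SUFFIXES))
    new_procs = sorted(after["processes"] - before["processes"])
    reg_changes = sorted(k for k, v in after["registry"].items() if before["registry"].get(k) != v)
    reg_changes += sorted(k for k in before["registry"] if k not in after["registry"])  # deletions
    prefixes = tuple(p.lower() for p in AUTOSTART_PREFIXES)
    autostart = [k for k in reg_changes if k.lower().startswith(prefixes)]
    new_conns = sorted(after["connections"] - before["connections"])
    return {
        "executables_downloaded": new_exes,
        "processes_started": new_procs,
        "registry_changes": reg_changes,
        "autostart_changes": autostart,
        "network_activity": new_conns,
    }


def verdict(report, allowed_hosts=()):
    """Assumed rule: a visit is a drive-by download when a new executable
    appeared on disk and was run or made persistent; new processes,
    autostart changes or connections to hosts outside the visited chain on
    their own are only 'suspicious'."""
    downloaded = {e.lower() for e in report["executables_downloaded"]}
    ran = any(image.lower() in downloaded for _pid, image in report["processes_started"])
    unexpected_net = [c for c in report["network_activity"] if c[0] not in allowed_hosts]
    if downloaded and (ran or report["autostart_changes"]):
        return "malicious"
    if report["processes_started"] or report["autostart_changes"] or unexpected_net:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    rep = diff_snapshots(CLEAN_SNAPSHOT, POST_VISIT_SNAPSHOT)
    for key, changes in rep.items():
        print(f"{key}: {len(changes)} {changes}")
    print("verdict:", verdict(rep, allowed_hosts=("landing.example", "dist.example")))
```

In a real honeynet the snapshots come from the hypervisor or an in-guest agent rather than from hand-written dictionaries, and the allowed host list is the set of hosts the browser was observed contacting during the visit, so that a connection to a host that never appeared in the delivery chain stands out as post-infection activity.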
Infrastructure and Methodology [4/4]
Malware distribution networks
- A malware distribution network is the set of malware delivery trees from all the landing sites that lead to a particular malware distribution site.
- Reconstructed by inspecting the Referer header of each HTTP request made during the visit.
- In some cases the URLs contain randomly generated strings; a heuristics-based algorithm is applied to group them.
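The slide above defines a malware distribution network in terms of delivery trees recovered from Referer headers. The following is an added example, not the authors' code, of that reconstruction: starting from each request that served a binary, it walks Referer links back to the request that started the visit, groups the resulting chains by the host that served the binary, and reports per distribution site the number of landing sites (the metric plotted later under "Malicious distribution infrastructure") and the number of unique binaries. The request log (hosts landing-a.example, dist.example, ads.example and so on) is constructed, and the rule for collapsing random-looking path segments is an assumption standing in for the heuristic the slide mentions without detailing.

```python
"""Reconstructing malware delivery trees from a honeynet's HTTP request log.

Added example, not the authors' code. Following Referer headers backwards
from the request that delivered a binary yields the chain
landing site -> intermediate hops -> distribution site; grouping the chains
of all landing sites that end at one distribution site gives that site's
malware distribution network. REQUESTS is constructed; RANDOM_SEGMENT is an
assumed stand-in for the paper's unpublished random-string heuristic.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed log: one dict per request; binary = hash of a served executable.
REQUESTS = [
    {"visit": 1, "url": "http://landing-a.example/forum/view.php?id=7", "referer": None, "binary": None},
    {"visit": 1, "url": "http://hop.example/ad.js", "referer": "http://landing-a.example/forum/view.php?id=7", "binary": None},
    {"visit": 1, "url": "http://dist.example/x/a8f3k2/in.cgi", "referer": "http://hop.example/ad.js", "binary": None},
    {"visit": 1, "url": "http://dist.example/load.php?e=1", "referer": "http://dist.example/x/a8f3k2/in.cgi", "binary": "sha1:aaa"},
    {"visit": 2, "url": "http://landing-b.example/index.html", "referer": None, "binary": None},
    {"visit": 2, "url": "http://dist.example/x/q91zpo/in.cgi", "referer": "http://landing-b.example/index.html", "binary": None},
    {"visit": 2, "url": "http://dist.example/load.php?e=2", "referer": "http://dist.example/x/q91zpo/in.cgi", "binary": "sha1:bbb"},
    {"visit": 3, "url": "http://landing-c.example/news/1", "referer": None, "binary": None},
    {"visit": 3, "url": "http://ads.example/serve?z=9", "referer": "http://landing-c.example/news/1", "binary": None},
    {"visit": 3, "url": "http://ads2.example/rotate/7f3a9b1c", "referer": "http://ads.example/serve?z=9", "binary": None},
    {"visit": 3, "url": "http://dist2.example/go.php", "referer": "http://ads2.example/rotate/7f3a9b1c", "binary": None},
    {"visit": 3, "url": "http://dist2.example/bin/update.exe", "referer": "http://dist2.example/go.php", "binary": "sha1:ccc"},
    {"visit": 4, "url": "http://landing-d.example/", "referer": None, "binary": None},
    {"visit": 4, "url": "http://cdn.example/lib.js", "referer": "http://landing-d.example/", "binary": None},
]

RANDOM_SEGMENT = re.compile(r"^(?=.*\d)[A-Za-z0-9]{6,}$")  # assumed: >=6 alnum incl. a digit


def canonical_site(url):
    """Collapse a URL to host/path, dropping the query string and any path
    segment that looks randomly generated, so that per-visit throwaway paths
    such as /x/a8f3k2/ and /x/q91zpo/ map to the same tree node."""
    p = urlparse(url)
    segs = [s for s in p.path.split("/") if s and not RANDOM_SEGMENT.match(s)]
    return p.hostname + ("/" + "/".join(segs) if segs else "")


def delivery_chains(requests):
    """For every request that delivered a binary, walk Referer links back to
    the request that started the visit and return the chain in visit order."""
    by_visit = defaultdict(dict)
    for r in requests:
        by_visit[r["visit"]][r["url"]] = r
    chains = []
    for visit, by_url in by_visit.items():
        for r in by_url.values():
            if not r["binary"]:
                continue
            chain, seen, cur = [], set(), r
            while cur is not None and cur["url"] not in seen:
                seen.add(cur["url"])  # guards against Referer loops
                chain.append(cur["url"])
                cur = by_url.get(cur["referer"]) if cur["referer"] else None
            chain.reverse()
            chains.append({"visit": visit, "chain": chain, "binary": r["binary"]})
    return chains


def distribution_networks(chains):
    """Group chains by the host that served the binary (the distribution site)."""
    nets = defaultdict(lambda: {"landing_sites": set(), "binaries": set(), "trees": []})
    for c in chains:
        net = nets[urlparse(c["chain"][-1]).hostname]
        net["landing_sites"].add(urlparse(c["chain"][0]).hostname)
        net["binaries"].add(c["binary"])
        net["trees"].append([canonical_site(u) for u in c["chain"]])
    return dict(nets)


def summary(nets):
    """Per distribution site: (landing sites, unique binaries, longest chain)."""
    return {site: (len(n["landing_sites"]), len(n["binaries"]), max(len(t) for t in n["trees"]))
            for site, n in nets.items()}


if __name__ == "__main__":
    nets = distribution_networks(delivery_chains(REQUESTS))
    for site, (landings, binaries, longest) in summary(nets).items():
        print(f"{site}: {landings} landing sites, {binaries} unique binaries, longest chain {longest}")
    for site, n in nets.items():
        for tree in n["trees"]:
            print("  " + " -> ".join(tree))
```

Visit 4 in the constructed log never serves a binary and therefore contributes no tree, which is the expected outcome for a benign candidate. The chain length recorded by summary() is the quantity behind the later observation that malware delivered through advertising networks tends to pass through more hops before reaching the distribution site.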
Prevalence of drive-by downloads [1/3]
Summary of collected data (table)
Prevalence of drive-by downloads [2/3]
Geographic locality
- The correlation between the location of a distribution site and the locations of the landing sites that lead to it.
Prevalence of drive-by downloads [3/3]
Impact on end users
- On average, 1.3% of incoming Google search queries returned at least one result labeled as malicious.
Malicious content injection [1/2]
Web server software
- A significant fraction of the compromised landing sites were running outdated versions of their web server software.
Malicious content injection [2/2]
Drive-by download via advertisements (figure)
Malicious distribution infrastructure [1/3]
The number of landing sites per distribution site (figure)
Malicious distribution infrastructure [2/3]
IP address space of malware distribution sites (figure)
- Distribution site IPs are concentrated in two ranges: 58.* to 61.* and 209.* to 221.*
Malicious distribution infrastructure [3/3]
The number of unique binaries downloaded from each malware distribution site (figure)
Post Infection Impact [1/4]
The number of downloaded executables as a result of visiting a malicious URL (figure)
- Average: 8 executables per malicious URL
Post Infection Impact [2/4]
The number of processes started after visiting a malicious URL (figure)
Post Infection Impact [3/4]
Registry changes (figure)
- Registry changes were observed after visiting 57.5% of the landing pages.
Post Infection Impact [4/4]
Network activity of the virtual machine post infection (figure)
Anti-virus engine detection rates (figure)
Conclusion
- Large web-scale data collection infrastructure.
- In-depth analysis of over 66 million URLs.
- Reveals that the scope of the problem is significant.
- Anti-virus engines are lacking in their ability to protect against drive-by downloads.
Extra: Authors
- Niels Provos: Senior staff engineer, Google Inc. Interests: web-based malware, DDoS.
- Panayiotis Mavrommatis: Software engineer, Google Inc. Interests: security, distributed computing.
Extra: Malicious content injection [2/5]
Drive-by download via advertisements (figure)
- Malware delivered via ads exhibits a longer delivery chain, since the request passes through one or more ad networks before reaching the distribution site.