All iFRAMEs Point to US
Niels Provos and Panayiotis Mavrommatis, Google Inc.
Moheeb Abu Rajab and Fabian Monrose, Johns Hopkins University
17th USENIX Security Symposium
Introduction [1/3]
• The WWW is a criminal’s preferred pathway for spreading malware.
• Two ways of delivering web malware:
  • Social engineering
  • Drive-by download: URLs that attempt to exploit their visitors and cause malware to be installed and run automatically.

Introduction [2/3]
• Drive-by download via iFRAMEs: injected scripts exploit the browser and trigger downloads.

Introduction [3/3]
• Drive-by download chain: a landing site (e.g. cafe.naver.com) leads to a distribution site (e.g. www.malware.com).
Infrastructure and Methodology [1/4]
• Workflow

Infrastructure and Methodology [2/4]
• Pre-processing phase
  • Inspect URLs from the repository and identify the ones that trigger drive-by downloads
  • MapReduce and machine-learning framework
  • Pre-processes a billion pages daily
  • Chooses 1 million URLs for the verification phase

Infrastructure and Methodology [3/4]
• Verification phase
  • Large-scale web honeynet
  • Runs a large number of MS Windows images in VMs
  • Unpatched version of Internet Explorer
  • Multiple anti-virus engines
  • Loads a clean Windows image, then visits the candidate URL
  • Monitors the system behaviour for abnormal state changes

Infrastructure and Methodology [4/4]
• Malware distribution networks
  • The set of malware delivery trees from all the landing sites that lead to a particular malware distribution site
  • Reconstructed by inspecting the Referer header of each HTTP request
  • In some cases URLs contain randomly generated strings; a heuristics-based algorithm is applied to group them
Prevalence of drive-by downloads [1/3]
• Summary of collected data

Prevalence of drive-by downloads [2/3]
• Geographic locality: the correlation between the location of a distribution site and the landing sites

Prevalence of drive-by downloads [3/3]
• Impact on the end-users
  • Average 1.3%
Malicious content injection [1/2]
• Web server software: a significant fraction were running outdated versions of software.

Malicious content injection [2/2]
• Drive-by download via ads
Malicious distribution infrastructure [1/3]
• The rate of landing sites per distribution site

Malicious distribution infrastructure [2/3]
• Properties of malware distribution sites
  • IP ranges: 58.* -- 61.* and 209.* -- 221.*

Malicious distribution infrastructure [3/3]
• The number of unique binaries downloaded from each malware distribution site
Post Infection Impact [1/4]
• The number of downloaded executables as a result of visiting a malicious URL
  • Average 8

Post Infection Impact [2/4]
• The number of processes started after visiting a malicious URL

Post Infection Impact [3/4]
• Registry changes after visiting 57.5% of the landing pages

Post Infection Impact [4/4]
• Network activity of the virtual machine post infection
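The verification phase (Infrastructure and Methodology [3/4]) and the four Post Infection Impact slides describe the same measurement: snapshot a clean VM, visit the URL, and diff processes, registry, files and network connections. The following is an added example (not code from the paper or its authors) of that diff-and-score step over constructed snapshots; the dataclass, the placeholder process names, paths and addresses, and the verdict threshold are all assumptions made for the example.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Snapshot:
    """State of the honeypot VM at one point in time (assumed structure)."""
    processes: frozenset    # running image names
    registry: frozenset     # (key path, value name) pairs
    files: frozenset        # paths present on disk
    connections: frozenset  # (remote address, port) of outbound connections


RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed snapshots: process names, paths and addresses are placeholders.
CLEAN = Snapshot(
    processes=frozenset({"explorer.exe", "iexplore.exe"}),
    registry=frozenset(),
    files=frozenset({r"C:\Windows\explorer.exe"}),
    connections=frozenset(),
)
# Benign page: only a browser cache file and the connection to the page itself.
AFTER_BENIGN = Snapshot(
    processes=CLEAN.processes,
    registry=CLEAN.registry,
    files=CLEAN.files | {r"C:\Users\demo\AppData\Local\Temp\cache1.tmp"},
    connections=frozenset({("192.0.2.10", 80)}),
)
# Drive-by: two executables dropped and started, one autorun entry, callback.
AFTER_MAL_1 = Snapshot(
    processes=CLEAN.processes | {"svc.exe", "a1.exe"},
    registry=CLEAN.registry | {(RUN_KEY, "svc")},
    files=CLEAN.files | {r"C:\Users\demo\AppData\Local\Temp\svc.exe",
                         r"C:\Windows\Temp\a1.exe",
                         r"C:\Users\demo\AppData\Local\Temp\x.dll"},
    connections=frozenset({("192.0.2.10", 80), ("198.51.100.7", 80)}),
)
# Drive-by without persistence: one executable dropped and started.
AFTER_MAL_2 = Snapshot(
    processes=CLEAN.processes | {"dl.exe"},
    registry=CLEAN.registry,
    files=CLEAN.files | {r"C:\Windows\Temp\dl.exe"},
    connections=frozenset({("192.0.2.10", 80), ("203.0.113.9", 8080)}),
)


def state_delta(before, after):
    """Everything that appeared between the clean and the post-visit snapshot."""
    return {
        "new_processes": after.processes - before.processes,
        "new_registry": after.registry - before.registry,
        "new_executables": {f for f in after.files - before.files
                            if f.lower().endswith(".exe")},
        "new_connections": after.connections - before.connections,
    }


def verdict(delta):
    """Label a visit as a drive-by download when it drops or runs code.

    The rule is an assumption for this example: a dropped executable, or a
    new process together with a new registry entry, is enough.
    """
    if delta["new_executables"]:
        return "malicious"
    if delta["new_processes"] and delta["new_registry"]:
        return "malicious"
    return "benign"


def summarize(clean, visits):
    """Aggregate per-visit deltas the way the Post Infection Impact slides do."""
    deltas = [state_delta(clean, after) for after in visits]
    malicious = [d for d in deltas if verdict(d) == "malicious"]
    if not malicious:
        return {"malicious_visits": 0}
    return {
        "malicious_visits": len(malicious),
        "mean_executables": mean(len(d["new_executables"]) for d in malicious),
        "mean_new_processes": mean(len(d["new_processes"]) for d in malicious),
        "registry_change_rate": sum(1 for d in malicious if d["new_registry"]) / len(malicious),
        "mean_new_connections": mean(len(d["new_connections"]) for d in malicious),
    }


if __name__ == "__main__":
    for name, after in (("benign", AFTER_BENIGN), ("mal-1", AFTER_MAL_1), ("mal-2", AFTER_MAL_2)):
        print(name, verdict(state_delta(CLEAN, after)))
    print(summarize(CLEAN, [AFTER_BENIGN, AFTER_MAL_1, AFTER_MAL_2]))
```

A real honeynet takes the snapshots from inside or below the guest (process list, registry hives, file system, packet capture); the point of the example is that the verdict rests on observed state changes rather than on a signature, which is why the paper can count executables, processes and registry changes per landing page.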
Anti-virus engine detection rates
• Network activity of the virtual machine post infection
Conclusion
• Large web-scale data collection infrastructure
• In-depth analysis of over 66 million URLs
• Reveals that the scope of the problem is significant
• Anti-virus engines are lacking in their ability to protect against drive-by downloads
Extra - Authors
• Niels Provos
  • Senior staff engineer, Google Inc.
  • Web-based malware
  • DDoS
• Panayiotis Mavrommatis
  • Software engineer, Google Inc.
  • Security
  • Distributed computing

Extra - Malicious content injection [2/5]
• Drive-by download via ads
• Malware delivered via ads exhibits a longer delivery chain
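Infrastructure and Methodology [4/4] (delivery trees built from Referer headers, with a heuristic for URLs containing random strings), Malicious distribution infrastructure [1/3] (landing sites per distribution site) and the slide above (ad-delivered malware has longer chains) all come out of the same reconstruction. The block below is an added example, not code from the paper or its authors: it rebuilds chains from constructed (url, referer) request logs, collapses random-looking path segments so that otherwise distinct intermediary URLs group together, and computes the two statistics. The hosts, the ad-network list and the random-segment rule are assumptions made for the example.

```python
import re
from collections import defaultdict
from statistics import mean
from urllib.parse import urlparse

# Constructed sample visits (hosts are placeholders, not real sites). Each visit
# is the list of (requested_url, referer) pairs a crawler's browser logged while
# loading one landing page; referer None marks the top-level navigation and the
# last request is the one that returned the executable.
VISITS = [
    [("http://landing-a.example/index.html", None),
     ("http://iframe-host.example/abc123/in.php", "http://landing-a.example/index.html"),
     ("http://dist.example/x/q7f9k2m1p.exe", "http://iframe-host.example/abc123/in.php")],
    [("http://landing-b.example/news.html", None),
     ("http://iframe-host.example/zz98ql/in.php", "http://landing-b.example/news.html"),
     ("http://dist.example/x/h3j5n8w2r.exe", "http://iframe-host.example/zz98ql/in.php")],
    # Ad-delivered: the landing page is clean, the ad chain injects the iframe.
    [("http://landing-c.example/blog.html", None),
     ("http://ads.example/serve?id=77", "http://landing-c.example/blog.html"),
     ("http://adsyndicate.example/creative/banner.js", "http://ads.example/serve?id=77"),
     ("http://iframe-host.example/k4m2p9/in.php", "http://adsyndicate.example/creative/banner.js"),
     ("http://dist.example/x/p0o9i8u7y.exe", "http://iframe-host.example/k4m2p9/in.php")],
    [("http://landing-d.example/", None),
     ("http://dist2.example/load.exe", "http://landing-d.example/")],
]
AD_HOSTS = {"ads.example", "adsyndicate.example"}  # constructed ad-network list

_RANDOM_SEGMENT = re.compile(r"[A-Za-z0-9]{6,}")


def canonical(url):
    """host/path with random-looking path segments collapsed to <rand>.

    Heuristic (an assumption, not the paper's exact rule): a segment of six or
    more alphanumerics that mixes letters and digits is treated as generated.
    """
    parsed = urlparse(url)
    parts = []
    for seg in parsed.path.split("/"):
        if not seg:
            continue
        stem, dot, ext = seg.partition(".")
        if (_RANDOM_SEGMENT.fullmatch(stem) and any(c.isdigit() for c in stem)
                and any(c.isalpha() for c in stem)):
            stem = "<rand>"
        parts.append(stem + dot + ext)
    return parsed.hostname + "/" + "/".join(parts)


def build_chain(visit):
    """Follow Referer links from the top-level navigation to the final request."""
    by_referer = {ref: url for url, ref in visit}
    chain = [by_referer[None]]
    seen = {chain[0]}
    while chain[-1] in by_referer and by_referer[chain[-1]] not in seen:
        chain.append(by_referer[chain[-1]])
        seen.add(chain[-1])
    return chain


def delivery_trees(visits):
    """distribution host -> {landing host: [canonical chains]}."""
    trees = defaultdict(lambda: defaultdict(list))
    for visit in visits:
        chain = build_chain(visit)
        landing = urlparse(chain[0]).hostname
        dist = urlparse(chain[-1]).hostname
        trees[dist][landing].append([canonical(u) for u in chain])
    return trees


def landing_sites_per_distribution_site(visits):
    return {dist: len(landings) for dist, landings in delivery_trees(visits).items()}


def distinct_intermediaries(visits):
    """Canonical URLs between landing page and binary; the <rand> collapse
    makes the three differently named iframe-host URLs count once."""
    return {canonical(u) for v in visits for u in build_chain(v)[1:-1]}


def mean_chain_length(visits, ad_hosts):
    """(mean length of chains passing through an ad host, mean of the rest)."""
    via_ad, direct = [], []
    for visit in visits:
        chain = build_chain(visit)
        hosts = {urlparse(u).hostname for u in chain}
        (via_ad if hosts & ad_hosts else direct).append(len(chain))
    return (mean(via_ad) if via_ad else 0.0, mean(direct) if direct else 0.0)


if __name__ == "__main__":
    print(landing_sites_per_distribution_site(VISITS))
    print(sorted(distinct_intermediaries(VISITS)))
    print(mean_chain_length(VISITS, AD_HOSTS))
```

Without the canonicalisation step the three iframe-host URLs would look like three unrelated intermediaries and the tree under dist.example would fragment; with it, one distribution site is seen feeding three landing sites, and the chain that passes through the ad network is visibly longer than the direct ones.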