All iFRAMEs Point to US Niels Provos and Panayiotis Mavrommatis Google Inc. Moheeb Abu Rajab and Fabian Monrose Johns Hopkins University 17 th USENIX Security Symposium 1 / 22

All iFRAMEs Point to US

Niels Provos and Panayiotis Mavrommatis Google Inc.

Moheeb Abu Rajab and Fabian Monrose, Johns Hopkins University

17th USENIX Security Symposium


Introduction [1/3]

The WWW is a criminal’s preferred pathway for spreading malware.

Two ways of delivering web malware: social engineering and drive-by download.

Drive-by download: URLs that attempt to exploit their visitors and cause malware to be installed and run automatically.


Introduction [2/3]

Drive-by download

Via iFRAMEs

A script exploits the browser and triggers downloads


Introduction [3/3]

Drive-by download example

Landing site: cafe.naver.com

Distribution site: www.malware.com


Infrastructure and Methodology [1/4]

Workflow


Infrastructure and Methodology [2/4]

Pre-processing phase

Inspect URLs from the repository and identify the ones that trigger drive-by downloads

MapReduce and machine-learning framework

Pre-process a billion pages daily; choose 1 million URLs for the verification phase


Infrastructure and Methodology [3/4]

Verification phase

Large-scale web honeynet

Runs a large number of MS Windows images in VMs

Unpatched version of Internet Explorer; multiple anti-virus engines

Loads a clean Windows image, then visits the candidate URL

Monitors the system behavior for abnormal state changes


Infrastructure and Methodology [4/4]

Malware distribution networks

The set of malware delivery trees from all the landing sites that lead to a particular malware distribution site

Reconstructed by inspecting the Referer header of each HTTP request

In some cases URLs contain randomly generated strings, so a heuristics-based algorithm is applied
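The delivery-tree reconstruction described on this slide, as an added example that is not the paper's own code: each honeynet visit is recorded as (URL, Referer) pairs, the chain is walked backwards from the downloaded binary via Referer headers, and landing sites are grouped by the distribution site their tree ends at. The hostnames, paths and the list of binary suffixes are constructed assumptions; grouping by hostname stands in for the paper's heuristics for randomised URLs.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample (not data from the paper): one honeynet visit per
# landing URL, recorded as (requested URL, Referer header or None) in
# request order. Hostnames and paths are placeholders.
VISITS = {
    "http://landing-a.example/index.html": [
        ("http://landing-a.example/index.html", None),
        ("http://relay.example/f.html?id=k3j9x2", "http://landing-a.example/index.html"),
        ("http://dist.example/exploit.js", "http://relay.example/f.html?id=k3j9x2"),
        ("http://dist.example/payload.exe", "http://dist.example/exploit.js"),
    ],
    "http://landing-b.example/blog/": [
        ("http://landing-b.example/blog/", None),
        ("http://relay.example/f.html?id=q81mzz", "http://landing-b.example/blog/"),
        ("http://dist.example/exploit.js", "http://relay.example/f.html?id=q81mzz"),
        ("http://dist.example/payload.exe", "http://dist.example/exploit.js"),
    ],
    "http://clean.example/": [
        ("http://clean.example/", None),
        ("http://cdn.example/style.css", "http://clean.example/"),
    ],
}

BINARY_SUFFIXES = (".exe", ".dll", ".scr")  # assumed: what counts as a dropped binary

def delivery_chain(requests):
    """Hostname chain landing site -> ... -> distribution site for one visit,
    or None when the visit downloaded no executable."""
    referer_of = {url: ref for url, ref in requests}
    binaries = [u for u in referer_of if u.lower().endswith(BINARY_SUFFIXES)]
    if not binaries:
        return None
    chain, url, seen = [], binaries[0], set()
    while url is not None and url not in seen:  # walk Referer headers backwards
        seen.add(url)
        chain.append(urlsplit(url).hostname)  # hostnames collapse randomised paths
        url = referer_of.get(url)
    chain.reverse()
    # Drop consecutive repeats so several requests to one host count once.
    return [h for i, h in enumerate(chain) if i == 0 or h != chain[i - 1]]

def distribution_networks(visits):
    """Group landing sites by the distribution site their delivery tree ends at."""
    networks = defaultdict(set)
    for requests in visits.values():
        chain = delivery_chain(requests)
        if chain:
            networks[chain[-1]].add(chain[0])
    return {dist: sorted(landings) for dist, landings in networks.items()}
```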


Prevalence of drive-by downloads [1/3]

Summary of collected data


Prevalence of drive-by downloads [2/3]

Geographic locality

The correlation between the location of a distribution site and the location of its landing sites


Prevalence of drive-by downloads [3/3]

Impact on the end-users

Average 1.3%


Malicious content injection [1/2]

Web server software

A significant fraction of landing sites were running outdated versions of software.


Malicious content injection [2/2]

Drive-by download via AD


Malicious distribution infrastructure [1/3]

The rate of landing sites per distribution site


Malicious distribution infrastructure [2/3]

Properties of malware distribution site IP addresses

Concentrated in the ranges 58.* -- 61.* and 209.* -- 221.*


Malicious distribution infrastructure [3/3]

The number of unique binaries downloaded from each malware distribution site


Post Infection Impact [1/4]

The number of downloaded executables as a result of visiting a malicious URL

Average 8


Post Infection Impact [2/4]

The number of processes started after visiting a malicious URL


Post Infection Impact [3/4]

Registry changes observed after visiting 57.5% of the landing pages


Post Infection Impact [4/4]

Network activity of the virtual machine post infection


Network activity of the virtual machine post infection

Anti-virus engine detection rates


Conclusion

Large web-scale data collection infrastructure

In-depth analysis of over 66 million URLs

Reveals that the scope of the problem is significant

Anti-virus engines are lacking in their ability to protect against drive-by downloads


Extra: Authors

Niels Provos: Senior staff engineer, Google Inc. Interests: web-based malware, DDoS.

Panayiotis Mavrommatis: Software engineer, Google Inc. Interests: security, distributed computing.


Extra: Malicious content injection [2/5]

Drive-by download via ads

Malware delivered via ads exhibits a longer delivery chain
