Preventing drive-by download via inter-module communication monitoring

ABSTRACT
Drive-by download attacks are among the most severe threats to Internet users. Typically, merely visiting a malicious page is enough to compromise the client and infect it with malware. By the end of 2008, drive-by download had already become the number one infection vector for malware [5]. The downloaded malware may steal users' identities and passwords; it may also join a botnet to send spam, host phishing sites, or launch distributed denial-of-service attacks.
These attacks generally rely on successfully exploiting vulnerabilities in web browsers or their plug-ins. We therefore propose a technique based on monitoring inter-module communication to detect malicious use of vulnerable components, thereby preventing the vulnerability from being exploited. We have implemented a prototype system integrated into the most popular web browser, Microsoft Internet Explorer. Experimental results show that, on our test set, using vulnerability-based signatures, our system detected all attacks targeting the vulnerabilities covered by our definitions and produced no false positives. The evaluation also shows that the performance penalty is kept low.
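To make the approach concrete, here is an added example in JavaScript; it is not code from the paper or its prototype. A monitor sits on the boundary between scripts and a plug-in-like module, inspects every cross-module call, and refuses it when the arguments satisfy a vulnerability-based signature, that is, a predicate on the condition under which a call reaches the vulnerable code rather than on the bytes of one known payload. The module (`FakePluginModule`), its methods, the 256-byte buffer, the 16-bit length counter and the `HYPO-*` identifiers are all constructed for illustration and correspond to no real component or advisory; the constructed heap-spray pattern stands in for an exploit-based signature so the two kinds can be compared.

```javascript
// Added example, not the paper's code: a guard placed on the script-to-module
// boundary that checks each call against vulnerability-based signatures.
// Every component name, method, bound and payload below is constructed.

// Stand-in for a native plug-in reached through the browser's inter-module
// interface (in IE this would be a scriptable COM/ActiveX object).
const FIXED_BUFFER_LEN = 256;   // hypothetical fixed-size buffer in openFile
const COUNTER_LIMIT = 65536;    // hypothetical 16-bit length counter in setTitle

class FakePluginModule {
  openFile(path, mode) { return `opened ${path.length}-char path (${mode})`; }
  setTitle(title) { return `title set (${title.length} chars)`; }
}

// A vulnerability-based signature describes the *condition* under which a
// call reaches the vulnerable code, not the bytes of one known exploit.
const signatures = [
  {
    id: 'HYPO-0001', // constructed identifier
    method: 'openFile',
    reason: 'path copied into a 256-byte buffer without a length check',
    matches: (args) => typeof args[0] === 'string' && args[0].length >= FIXED_BUFFER_LEN,
  },
  {
    id: 'HYPO-0002', // constructed identifier
    method: 'setTitle',
    reason: 'title length stored in a 16-bit counter and wraps',
    matches: (args) => typeof args[0] === 'string' && args[0].length >= COUNTER_LIMIT,
  },
];

// An exploit-based signature for comparison: it matches the heap-spray
// address constant used by one constructed sample, and nothing else.
const exploitPattern = /\u0c0c\u0c0c/;

// Wrap a module so every method call crosses the monitor first. Calls that
// satisfy a signature are refused before they reach the module; the
// remaining calls are forwarded unchanged.
function monitor(module, sigs, log) {
  return new Proxy(module, {
    get(target, prop, receiver) {
      const member = Reflect.get(target, prop, receiver);
      if (typeof member !== 'function') return member;
      return (...args) => {
        for (const sig of sigs) {
          if (sig.method === prop && sig.matches(args)) {
            log.push({ method: prop, sig: sig.id, reason: sig.reason });
            throw new Error(`blocked ${String(prop)}: ${sig.id}`);
          }
        }
        return member.apply(target, args);
      };
    },
  });
}

// Issue one call through the monitor and report whether it was blocked.
function classify(module, method, args) {
  const log = [];
  const guarded = monitor(module, signatures, log);
  try {
    const result = guarded[method](...args);
    return { blocked: false, sig: null, result };
  } catch (e) {
    if (log.length === 0) throw e;   // not a monitor decision; propagate
    return { blocked: true, sig: log[0].sig, result: null };
  }
}

// One benign call and three constructed attacks against the same module.
function demo() {
  const plugin = new FakePluginModule();
  const benign = classify(plugin, 'openFile', ['C:\\docs\\report.txt', 'r']);
  // Attack 1: overlong path filled with a heap-spray address constant.
  const attack1Path = '\u0c0c\u0c0c'.repeat(200);            // 400 chars
  const attack1 = classify(plugin, 'openFile', [attack1Path, 'r']);
  // Attack 2: same vulnerability, different payload bytes.
  const attack2Path = 'A'.repeat(300);
  const attack2 = classify(plugin, 'openFile', [attack2Path, 'r']);
  // Attack 3: a different vulnerability in the same module.
  const attack3 = classify(plugin, 'setTitle', ['T'.repeat(70000)]);
  return {
    benignBlocked: benign.blocked,
    attack1: attack1.sig,
    attack2: attack2.sig,
    attack3: attack3.sig,
    exploitSigMatchesAttack1: exploitPattern.test(attack1Path),
    exploitSigMatchesAttack2: exploitPattern.test(attack2Path),
  };
}

console.log(demo());
```

Both `openFile` attacks are refused by the same signature although their payload bytes differ, whereas the exploit-based pattern only matches the first; that is the property the abstract's "vulnerability-based signature" claim relies on. The flip side is that the predicate must describe the vulnerability condition exactly: if the real bound were larger than 256, or if the component already rejected long paths itself, the signature above would start flagging legitimate inputs, which is the false-positive risk any deployment of such a monitor has to measure.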
REFERENCES
- [1] S. Bandhakavi, P. Bisht, P. Madhusudan, and V. N. Venkatakrishnan. CANDID: Preventing SQL injection attacks using dynamic candidate evaluations. In CCS '07: Proceedings of the 14th ACM Conference on Computer and Communications Security, pages 12–24. ACM, 2007.
- [2] Beijing Rising International Software Co., Ltd. Internet security report for China mainland, 2009 H1. http://it.rising.com.cn/new2008/News/NewsInfo/2009-07-21/1248160663d53890.shtml, 2009.
- [3] P. Bisht and V. N. Venkatakrishnan. XSS-GUARD: Precise dynamic prevention of cross-site scripting attacks. In DIMVA '08: Detection of Intrusions and Malware, and Vulnerability Assessment, volume 5137 of LNCS, pages 23–43. Springer, 2008.
- [4] D. Brumley, J. Newsome, D. Song, H. Wang, and S. Jha. Towards automatic generation of vulnerability-based signatures. In Proceedings of the 2006 IEEE Symposium on Security and Privacy, pages 2–16. IEEE Computer Society, 2006.
- [5] M. Cruz. Most abused infection vector. http://blog.trendmicro.com/most-abused-infection-vector/, December 2008.
- [6] W. Cui, M. Peinado, H. J. Wang, and M. E. Locasto. ShieldGen: Automatic data patch generation for unknown vulnerabilities with informed probing. In SP '07: Proceedings of the 2007 IEEE Symposium on Security and Privacy, pages 252–266. IEEE Computer Society, 2007.
- [7] D. Dagon, G. Gu, C. P. Lee, and W. Lee. A taxonomy of botnet structures. In ACSAC '07: Proceedings of the 23rd Annual Computer Security Applications Conference, pages 325–339, 2007.
- [8] M. Daniel, J. Honoroff, and C. Miller. Engineering heap overflow exploits with JavaScript. In WOOT '08: Proceedings of the 2nd USENIX Workshop on Offensive Technologies, July 2008.
- [9] O. Day, B. Palmen, and R. Greenstadt. Reinterpreting the disclosure debate for web infections. In Managing Information Risk and the Economics of Security, pages 1–19. Springer US, 2009.
- [10] W. Dormann and D. Plakosh. Vulnerability detection in ActiveX controls through automated fuzz testing. http://www.cert.org/archive/pdf/dranzer.pdf, 2008.
- [11] J. R. Douceur, J. Elson, J. Howell, and J. R. Lorch. Leveraging legacy code to deploy desktop applications on the web. In OSDI '08: Proceedings of the 8th USENIX Symposium on Operating Systems Design and Implementation, December 2008.
- [12] B. Dutertre and L. de Moura. The Yices SMT solver. Technical report, SRI International, 2006.
- [13] M. Egele, P. Wurzinger, C. Kruegel, and E. Kirda. Defending browsers against drive-by downloads: Mitigating heap-spraying code injection attacks. In DIMVA '09: Proceedings of the 6th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, July 2009.
- [14] B. Feinstein and D. Peck. Caffeine Monkey: Automated collection, detection and analysis of malicious JavaScript. Black Hat USA 2007 whitepaper, http://mirror.fpux.com/HackerCons/BlackHat_2007/BlackHat/Presentations/Feinstien_and_Peck/Whitepaper/bh-usa-07-feinstien_and_peck-WP.pdf, 2007.
- [15] C. Grier, S. Tang, and S. T. King. Secure web browsing with the OP web browser. In Proceedings of the 2008 IEEE Symposium on Security and Privacy, pages 402–416, 2008.
- [16] W. G. J. Halfond and A. Orso. AMNESIA: Analysis and monitoring for neutralizing SQL-injection attacks. In ASE '05: Proceedings of the 20th IEEE/ACM International Conference on Automated Software Engineering, pages 174–183. ACM, 2005.
- [17] W. G. J. Halfond, A. Orso, and P. Manolios. Using positive tainting and syntax-aware evaluation to counter SQL injection attacks. In SIGSOFT '06/FSE-14: Proceedings of the 14th ACM SIGSOFT International Symposium on Foundations of Software Engineering, pages 175–185. ACM, 2006.
- [18] Google Inc. Google Safe Browsing API. http://code.google.com/apis/safebrowsing/.
- [19] C. Kanich, C. Kreibich, K. Levchenko, B. Enright, G. M. Voelker, V. Paxson, and S. Savage. Spamalytics: An empirical analysis of spam marketing conversion. In CCS '08: Proceedings of the 15th ACM Conference on Computer and Communications Security, pages 3–14. ACM, 2008.
- [20] UCSB Computer Security Lab. Wepawet. http://wepawet.iseclab.org/.
- [21] D. Moore, C. Shannon, D. J. Brown, G. M. Voelker, and S. Savage. Inferring Internet denial-of-service activity. ACM Transactions on Computer Systems, 24(2):115–139, 2006.
- [22] T. Moore and R. Clayton. An empirical analysis of the current state of phishing attack and defence. In WEIS '07: Proceedings of the Sixth Workshop on the Economics of Information Security, 2007.
- [23] Mozilla. SpiderMonkey (JavaScript-C) engine. http://www.mozilla.org/js/spidermonkey/, 2009.
- [24] J. Nazario. PhoneyC: A virtual client honeypot. In LEET '09: Proceedings of the 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats. USENIX Association, 2009.
- [25] A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans. Automatically hardening web applications using precise tainting. In Security and Privacy in the Age of Ubiquitous Computing, volume 181 of IFIP International Federation for Information Processing, pages 295–307. Springer, 2005.
- [26] T. Pietraszek and C. V. Berghe. Defending against injection attacks through context-sensitive string evaluation. In RAID 2005: Recent Advances in Intrusion Detection, volume 3858 of LNCS, pages 124–145. Springer, 2006.
- [27] J. Pincus and B. Baker. Beyond stack smashing: Recent advances in exploiting buffer overruns. IEEE Security and Privacy, 2(4):20–27, 2004.
- [28] M. Polychronakis, K. G. Anagnostakis, and E. P. Markatos. Emulation-based detection of non-self-contained polymorphic shellcode. In RAID 2007: Recent Advances in Intrusion Detection, volume 4637 of LNCS, pages 87–106. Springer, 2007.
- [29] M. Polychronakis, K. G. Anagnostakis, and E. P. Markatos. Network-level polymorphic shellcode detection using emulation. Journal in Computer Virology, 2(4):257–274, February 2007.
- [30] The Honeynet Project. Know your enemy: Malicious web servers, August 2007.
- [31] N. Provos, P. Mavrommatis, M. A. Rajab, and F. Monrose. All your iFRAMEs point to us. In Security '08: Proceedings of the 17th USENIX Security Symposium, pages 1–15. USENIX Association, 2008.
- [32] N. Provos, D. McNamee, P. Mavrommatis, K. Wang, and N. Modadugu. The ghost in the browser: Analysis of web-based malware. In HotBots '07: Proceedings of the First Workshop on Hot Topics in Understanding Botnets. USENIX Association, 2007.
- [33] P. Ratanaworabhan, B. Livshits, and B. Zorn. NOZZLE: A defense against heap-spraying code injection attacks. In Security '09: Proceedings of the 18th USENIX Security Symposium, 2009.
- [34] C. Reis, J. Dunagan, H. J. Wang, O. Dubrovsky, and S. Esmeir. BrowserShield: Vulnerability-driven filtering of dynamic HTML. ACM Transactions on the Web, 1(3), article 11, 2007.
- [35] Secunia. 2008 report. http://secunia.com/gfx/Secunia2008Report.pdf, 2008.
- [36] R. Sekar. An efficient black-box technique for defeating web application attacks. In NDSS '09: Proceedings of the 16th Annual Network and Distributed System Security Symposium, San Diego, CA, February 2009.
- [37] M. Sharif, A. Lanzi, J. Giffin, and W. Lee. Automatic reverse engineering of malware emulators. In Proceedings of the 2009 IEEE Symposium on Security and Privacy, pages 94–109, 2009.
- [38] A. Sotirov. Heap feng shui in JavaScript. http://www.phreedom.org/research/heap-feng-shui/heap-feng-shui.html, 2008.
- [39] R. Steenson and C. Seifert. Capture-HPC client honeypot / honeyclient. https://projects.honeynet.org/capture-hpc/.
- [40] Z. Su and G. Wassermann. The essence of command injection attacks in web applications. In POPL '06: Conference Record of the 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 372–382. ACM, 2006.
- [41] T. Toth and C. Kruegel. Accurate buffer overflow detection via abstract payload execution. In RAID 2002: Recent Advances in Intrusion Detection, volume 2516 of LNCS, pages 274–291. Springer, 2002.
- [42] W3Counter. Global web stats, 2009.
- [43] H. J. Wang, C. Grier, A. Moshchuk, S. T. King, P. Choudhury, and H. Venter. The multi-principal OS construction of the Gazelle web browser. In Security '09: Proceedings of the 18th USENIX Security Symposium, August 2009.
- [44] H. J. Wang, C. Guo, D. R. Simon, and A. Zugenmaier. Shield: Vulnerability-driven network filters for preventing known vulnerability exploits. In SIGCOMM '04, ACM SIGCOMM Computer Communication Review, 34(4):193–204, 2004.
- [45] Y.-M. Wang, D. Beck, X. Jiang, R. Roussev, C. Verbowski, S. Chen, and S. T. King. Automated web patrol with Strider HoneyMonkeys: Finding web sites that exploit browser vulnerabilities. In NDSS 2006: Proceedings of the Network and Distributed System Security Symposium, San Diego, CA, 2006.
- [46] Y.-M. Wang, R. Roussev, C. Verbowski, A. Johnson, M.-W. Wu, Y. Huang, and S.-Y. Kuo. Gatekeeper: Monitoring auto-start extensibility points (ASEPs) for spyware management. In LISA '04: Proceedings of the 18th USENIX Conference on System Administration, pages 33–46. USENIX Association, 2004.
- [47] J. Wolf. Heap spraying with ActionScript. http://blog.fireeye.com/research/2009/07/actionscript_heap_spray.html, 2009.
- [48] B. Yee, D. Sehr, G. Dardyk, J. B. Chen, R. Muth, T. Ormandy, S. Okasaka, N. Narula, and N. Fullagar. Native Client: A sandbox for portable, untrusted x86 native code. In Proceedings of the 30th IEEE Symposium on Security and Privacy, 2009.
- [49] J. Zhuge, T. Holz, C. Song, J. Guo, X. Han, and W. Zou. Studying malicious websites and the underground economy on the Chinese web. In Managing Information Risk and the Economics of Security, pages 1–20. Springer US, 2009.