ABSTRACT
A drive-by download attack occurs when a user visits a webpage that attempts to download malware automatically, without the user's consent. Attackers sometimes use a malware distribution network (MDN) to manage a large number of malicious webpages, exploits, and malware executables. In this paper, we provide a new method to determine these MDNs from the secondary URLs and redirect chains recorded by a high-interaction client honeypot. In addition, we propose a novel drive-by download detection method. Instead of depending on the malicious content used by previous methods, our algorithm first identifies and then leverages the URLs of the MDN's central servers, where a central server is a common server shared by a large percentage of the drive-by download attacks in the same MDN. A set of regular expression-based signatures is then generated from the URLs of each central server. This method allows the identification of additional malicious webpages that launched a drive-by download attack but failed to execute it successfully. The new drive-by detection system, named ARROW, has been implemented, and we provide a large-scale evaluation on the output of a production drive-by detection system. The experimental results demonstrate the effectiveness of our method: detection coverage is boosted by 96% with an extremely low false positive rate.
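To make the pipeline sketched in the abstract concrete, here is an added example (my own simplified reading of the approach, not the ARROW authors' code): honeypot redirect chains are grouped into MDNs by shared servers, a central server is any host seen in at least half of an MDN's chains, and a regex signature is derived from that server's URLs by keeping the tokens that never vary and wildcarding the rest. The thresholds, the tokenisation on `/?&=`, the minimum MDN size and the sample chains are all assumptions.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit
def hostof(url): return urlsplit(url).netloc.lower()
def canonical(url):
    """host + path + query: the string a signature is matched against."""
    p = urlsplit(url)
    return hostof(url) + p.path + ("?" + p.query if p.query else "")
def group_mdns(chains):
    """Chains that share any server fall into one MDN (connected components via union-find)."""
    parent = {}
    def find(h):
        parent.setdefault(h, h)
        while parent[h] != h:
            h = parent[h]
        return h
    for chain in chains:
        for u in chain[1:]:
            parent[find(hostof(u))] = find(hostof(chain[0]))
    groups = defaultdict(list)
    for chain in chains:
        groups[find(hostof(chain[0]))].append(chain)
    return list(groups.values())
def make_signature(urls):
    """Split path+query on delimiters; identical columns stay literal, varying ones become wildcards."""
    h = hostof(urls[0])
    rows = [re.split(r"([/?&=])", canonical(u)[len(h):]) for u in urls]
    if len({len(r) for r in rows}) != 1:
        return re.escape(h) + "/.*"  # URL shapes differ: fall back to a coarser host-only signature
    cols = [re.escape(c[0]) if len(set(c)) == 1 else r"[^/?&=]+" for c in zip(*rows)]
    return re.escape(h) + "".join(cols)
def build_signatures(chains, min_share=0.5, min_chains=2):
    """Central server (host seen in >= min_share of an MDN's chains) -> regex; tiny MDNs are skipped."""
    sigs = {}
    for mdn in (m for m in group_mdns(chains) if len(m) >= min_chains):
        counts = Counter(h for chain in mdn for h in {hostof(u) for u in chain})
        for srv in (h for h, c in counts.items() if c / len(mdn) >= min_share):
            sigs[srv] = make_signature([u for chain in mdn for u in chain if hostof(u) == srv])
    return sigs
def detect(signatures, urls):
    """URLs hit by any signature, including pages whose attack never delivered its payload."""
    return [u for u in urls if any(re.fullmatch(s, canonical(u)) for s in signatures)]
CHAINS = [  # constructed honeypot redirect chains: landing page -> redirector -> exploit server
    ["http://blog-a.example/post/1", "http://redir.example/in.cgi?id=1021", "http://exp.example/load.php?k=aa"],
    ["http://forum-b.example/t/9", "http://redir.example/in.cgi?id=5572", "http://exp.example/load.php?k=bb"],
    ["http://shop-c.example/", "http://redir.example/in.cgi?id=830"],  # launched, no payload fetched
    ["http://news-d.example/x", "http://other.example/go"],            # lone chain, too small to be an MDN
]
```

With these chains the third visit, whose payload was never fetched, still contributes to and is matched by the redirector's signature, which is the coverage gain the abstract describes; the lone fourth chain yields no signature, which is what keeps false positives down.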
ARROW: GenerAting SignatuRes to Detect DRive-By DOWnloads