research-article

ARROW: GenerAting SignatuRes to Detect DRive-By DOWnloads

Authors:
Junjie Zhang

Georgia Institute of Technology, Atlanta, GA, USA

Georgia Institute of Technology, Atlanta, GA, USA
View Profile

,
Christian Seifert

Microsoft Bing, Redmond, WA, USA

Microsoft Bing, Redmond, WA, USA
View Profile

,
Jack W. Stokes

Microsoft Research, Redmond, WA, USA

Microsoft Research, Redmond, WA, USA
View Profile

,
Wenke Lee

Georgia Institute of Technology, Atlanta, GA, USA

Georgia Institute of Technology, Atlanta, GA, USA
View Profile

WWW '11: Proceedings of the 20th international conference on World wide webMarch 2011Pages 187–196https://doi.org/10.1145/1963405.1963435

Published:28 March 2011Publication History

WWW '11: Proceedings of the 20th international conference on World wide web

Pages 187–196

ABSTRACT

A drive-by download attack occurs when a user visits a webpage which attempts to automatically download malware without the user's consent. Attackers sometimes use a malware distribution network (MDN) to manage a large number of malicious webpages, exploits, and malware executables. In this paper, we provide a new method to determine these MDNs from the secondary URLs and redirect chains recorded by a high-interaction client honeypot. In addition, we propose a novel drive-by download detection method. Instead of depending on the malicious content used by previous methods, our algorithm first identifies and then leverages the URLs of the MDN's central servers, where a central server is a common server shared by a large percentage of the drive-by download attacks in the same MDN. A set of regular expression-based signatures are then generated based on the URLs of each central server. This method allows additional malicious webpages to be identified which launched but failed to execute a successful drive-by download attack. The new drive-by detection system named ARROW has been implemented, and we provide a large-scale evaluation on the output of a production drive-by detection system. The experimental results demonstrate the effectiveness of our method, where the detection coverage has been boosted by 96% with an extremely low false positive rate.

References

Hackers use twitter api to trigger malicious scripts. http://blog.unmaskparasites.com/2009/11/11/hackers-use-twitter-api-to-trigger-malicious-scripts/, 2009.Google Scholar
A. Moshchuk, T. Bragin, S. D. Gribble, and H. M. Levy. A crawler-based study of spyware on the web. In Proc. NDSS, 2006.Google Scholar
C. Seifert and R. Steenson. Capture - honeypot client (capture-hpc). https://projects.honeynet.org/capture-hpc, 2006.Google Scholar
C. Seifert, I. Welch and P. Komisarczuk. Honeyc - the low-interaction client honeypot. In Proc. NZCSRCS, 2007.Google Scholar
C. Seifert, R. Steenson, T. Holz, B. Yuan and M. A. Davis. Know your enemy: Malicious web servers. http://www.honeynet.org/papers/mws/, 2007.Google Scholar
J. Nazario. Phoneyc: A virtual client honeypot. In Proc. LEET, 2009. Google ScholarDigital Library
J. Newsome, B. Karp and D. Song. Polygraph: automatically generating signatures for polymorphic worms. In Proc. IEEE Symposium on Security and Privacy, 2005. Google ScholarDigital Library
J. W. Stokes, R. Andersen, C. Seifert and K. Chellapilla. Webcop: Locating neighborhoods of malware on the web. In Proc. USENIX LEET, 2010. Google ScholarDigital Library
L. Lu, V. Yegneswaran, P. Porras and W. Lee. Blade: An attack-agnostic approach for preventing drive-by malware infections. In Proc. ACM CCS, 2010. Google ScholarDigital Library
M. Cova, C. Kruegel and G. Vigna. Detection and analysis of drive-by-download attacks and malicious javascript code. In Proc. WWW, 2010. Google ScholarDigital Library
Michael Bailey, Jon Oberheide, Jon Andersen, Z. Morley Mao, Farnam Jahanian and Jose Nazario. Automated classification and analysis of internet malware. In Proc. RAID, 2007. Google ScholarDigital Library
N. Provos, P. Mavrommatis, M. Abu Rajab and F. Monrose. All your iframes points to us. In Proc. USENIX SECURITY, 2008. Google ScholarDigital Library
R. Perdisci, I. Corona, D. Dagon and W. Lee. Detecting malicious flux service networks through passive analysis of recursive dns traces. In Proc. ACSAC, 2009. Google ScholarDigital Library
R. Perdisci, W. Lee and N. Feamster. Behavioral clustering of http-based malware and signature generation using malicious network traces. In Proc. NSDI, 2010. Google ScholarDigital Library
S. Singh, C. Estan, G. Varghese and S. Savage. Automated worm fingerprinting. In Proc. USENIX OSDI, 2004. Google ScholarDigital Library
T. Holz, C. Gorecki, K. Rieck, F. C. Freiling. Measuring and detecting fast-flux service networks. In Proc. NDSS, 2008.Google Scholar
The Honeynet Project. Know your enemy: Fast-flux service networks; an ever changing enemy. http://www.honeynet.org/papers/ff/, 2007.Google Scholar
U. Bayer, P. Milani, C. Hlauschek, C. Kruegel and E. Kirda. Scalable, behavior-based malware clustering. In Proc. NDSS, 2009.Google Scholar
V. Yegneswaran, J. T. Giffin, P. Barford and S. Jha. An architecture for generating semantics-aware signatures. In Proc. USENIX SECURITY, 2005. Google ScholarDigital Library
Y.-M. Wang, D. Beck, X. Jiang, R. Roussev, C. Verbowski, S. Chen and S. King. Automated web patrol with strider honeymonkeys: Finding web sites that exploit browser vulnerabilities. In Proc. NDSS, 2006.Google Scholar
Y. Xie, F. Yu, K. Achan, R. Panigraphy, G. Hulten and I. Osipkov. Spamming botnets: Signatures and characteristics. In Proc. ACM SIGCOMM, 2008. Google ScholarDigital Library
Z. Li, M. Sanghi, B. Chavez, Y. Chen and M. Kao. Hamsa: Fast signature generation for zero-day polymorphic worms with provable attack resilience. In Proc. IEEE Symposium on Security and Privacy, 2006. Google ScholarDigital Library

Index Terms

ARROW: GenerAting SignatuRes to Detect DRive-By DOWnloads
1. Security and privacy
  1. Intrusion/anomaly detection and malware mitigation
2. Social and professional topics
  1. Computing / technology policy
    1. Computer crime

Recommendations

BLADE: an attack-agnostic approach for preventing drive-by malware infections
CCS '10: Proceedings of the 17th ACM conference on Computer and communications security

Web-based surreptitious malware infections (i.e., drive-by downloads) have become the primary method used to deliver malicious software onto computers across the Internet. To address this threat, we present a browser independent operating system kernel ...
Read More
Detecting malicious landing pages in Malware Distribution Networks
DSN '13: Proceedings of the 2013 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)

Drive-by download attacks attempt to compromise a victim's computer through browser vulnerabilities. Often they are launched from Malware Distribution Networks (MDNs) consisting of landing pages to attract traffic, intermediate redirection servers, and ...
Read More
Spamming botnets: signatures and characteristics

In this paper, we focus on characterizing spamming botnets by leveraging both spam payload and spam server traffic properties. Towards this goal, we developed a spam signature generation framework called AutoRE to detect botnet-based spam emails and ...
Read More

Comments

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

Published in
WWW '11: Proceedings of the 20th international conference on World wide web
March 2011
840 pages
ISBN:9781450306324
DOI:10.1145/1963405
General Chairs:
S. Sadagopan
IIIT-Bangalore, India
,
Krithi Ramamritham
IIT-Bombay, India
,
Arun Kumar
IBM Research, India
,
M. P. Ravindra
Infosys E & R, India
,
Program Chairs:
Elisa Bertino
Purdue University, USA
,
Ravi Kumar
Yahoo! Research, USA
Copyright © 2011 ACM
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]
Sponsors
In-Cooperation
Publisher
Association for Computing Machinery
New York, NY, United States
Publication History
- Published: 28 March 2011
Permissions
Request permissions about this article.
Request Permissions

Check for updates
Author Tags
detection
drive-by download
malware distribution network
signature generation
Qualifiers
- research-article
Conference
Funding Sources
Other Metrics
View Article Metrics

Article Metrics
- 61
  Total Citations
  View Citations
- 694
  Total Downloads
- Downloads (Last 12 months)22
- Downloads (Last 6 weeks)3
Other Metrics
View Author Metrics
Cited By
View all

PDF Format

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

ARROW: GenerAting SignatuRes to Detect DRive-By DOWnloads

WWW '11: Proceedings of the 20th international conference on World wide web

ABSTRACT

References

Cited By

Index Terms

Recommendations

BLADE: an attack-agnostic approach for preventing drive-by malware infections

Detecting malicious landing pages in Malware Distribution Networks

Spamming botnets: signatures and characteristics