Abstract
Web-based malware is a growing threat to today's Internet security. Attacks of this type are prevalent and lead to serious security consequences. Millions of malicious URLs are used as distribution channels to propagate malware all over the Web. Once infected, victim systems fall under the control of attackers, who can use them for various cybercrimes such as stealing credentials, spamming, and distributed denial-of-service attacks. Moreover, it has been observed that traditional security technologies such as firewalls and intrusion detection systems have only limited capability to mitigate this new problem.
In this article, we survey the state-of-the-art research regarding the analysis of, and defense against, Web-based malware attacks. First, we study the attack model, the root cause, and the vulnerabilities that enable these attacks. Second, we analyze the status quo of the Web-based malware problem. Third, three categories of defense mechanisms are discussed in detail: (1) building honeypots with virtual machines or signature-based detection systems to discover existing threats; (2) using code analysis and testing techniques to identify vulnerabilities in Web applications; and (3) constructing reputation-based blacklists or smart sandbox systems to protect end users from attacks. We show that these three categories of approaches form an extensive solution space for the Web-based malware problem. Finally, we compare the surveyed approaches and discuss possible future research directions.
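As an added illustration of categories (1) and (3) above, not code from the survey or from any system it covers, the following Python script combines a few signature-style indicators of a drive-by-download page (a hidden iframe, a `%u9090` NOP-sled string, `unescape`/`eval(String.fromCharCode(...))` decoding, a heap-spray loop) with a reputation lookup on the hosts the page loads scripts and frames from. The two sample pages, the blacklist entry `evil.example`, and the indicator weights and threshold are all constructed for this example.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Constructed sample pages for this example; neither is captured malware.
BENIGN_PAGE = """<html><head><title>Blog</title>
<script src="https://cdn.example/js/jquery.min.js"></script></head>
<body><h1>Hello</h1><p>Welcome to the blog.</p>
<script>document.getElementById('counter').innerText = '1';</script>
</body></html>"""

DRIVEBY_PAGE = """<html><body><p>Looks like a normal page.</p>
<iframe src="http://evil.example/in.php" width="0" height="0"
        style="visibility:hidden"></iframe>
<script>
var sled = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");
var block = sled;
while (block.length < 0x100000) block += block;
var spray = [];
for (var i = 0; i < 300; i++) spray[i] = block + "BBBB";
eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101));
</script></body></html>"""

# Constructed reputation blacklist (hypothetical host); a real deployment
# would pull this from a feed such as Safe Browsing.
BLACKLIST = frozenset({"evil.example"})

# Signature-style indicators of drive-by-download pages. The weights are
# illustrative, not calibrated values from the survey.
INDICATORS = [
    ("hidden-iframe", 4, re.compile(
        r'<iframe[^>]*(?:width\s*=\s*["\']?0\b|height\s*=\s*["\']?0\b'
        r'|display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>', re.I)),
    ("nop-sled-escape", 4, re.compile(r'(?:%u9090){4,}', re.I)),
    ("unescape-call", 2, re.compile(r'\bunescape\s*\(')),
    ("eval-fromcharcode", 3, re.compile(r'\beval\s*\(\s*String\.fromCharCode')),
    ("spray-loop", 3, re.compile(r'for\s*\([^)]*\)\s*\w+\s*\[\s*\w+\s*\]\s*=')),
]
THRESHOLD = 6  # minimum heuristic score at which a page is flagged

# src attributes of elements that pull in remote content
SRC_RE = re.compile(
    r'<(?:script|iframe|embed|object)[^>]*\ssrc\s*=\s*["\']?([^"\'\s>]+)', re.I)


@dataclass
class Report:
    findings: list = field(default_factory=list)   # [(indicator, weight), ...]
    blacklisted: set = field(default_factory=set)  # referenced hosts on the blacklist
    score: int = 0

    @property
    def malicious(self) -> bool:
        # A reference to a known-bad host is decisive on its own;
        # otherwise the heuristic score decides.
        return bool(self.blacklisted) or self.score >= THRESHOLD


def referenced_hosts(html: str) -> set:
    """Hosts loaded through script/iframe/embed/object src attributes."""
    hosts = set()
    for url in SRC_RE.findall(html):
        host = urlparse(url).hostname
        if host:
            hosts.add(host.lower())
    return hosts


def scan_page(html: str, blacklist=frozenset()) -> Report:
    """Static scan: pattern signatures plus a reputation lookup on referenced hosts."""
    report = Report()
    for name, weight, pattern in INDICATORS:
        if pattern.search(html):
            report.findings.append((name, weight))
            report.score += weight
    report.blacklisted = referenced_hosts(html) & set(blacklist)
    return report


if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("drive-by", DRIVEBY_PAGE)):
        r = scan_page(page, BLACKLIST)
        print(f"{label}: malicious={r.malicious} score={r.score} "
              f"findings={[n for n, _ in r.findings]} blacklisted={sorted(r.blacklisted)}")
```

Static patterns of this kind only catch what they were written for, and obfuscated scripts are written precisely to avoid them; that is the gap the honeypot-with-virtual-machine approach in category (1) closes by executing the page and observing what it does. The blacklist lookup has the complementary weakness that a host with no history yet has no reputation to check, which is why the survey treats the two as complementary rather than alternatives.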
Index Terms
- Analyzing and defending against web-based malware