
Analyzing and defending against web-based malware

Published: 30 August 2013

Abstract

Web-based malware is a growing threat to today's Internet security. Attacks of this type are prevalent and lead to serious security consequences. Millions of malicious URLs are used as distribution channels to propagate malware all over the Web. Once infected, victim systems fall under the control of attackers, who can use them for various cyber crimes such as credential theft, spamming, and distributed denial-of-service attacks. Moreover, traditional security technologies such as firewalls and intrusion detection systems have been observed to have only limited capability to mitigate this problem.

In this article, we survey the state-of-the-art research regarding the analysis of, and defense against, Web-based malware attacks. First, we study the attack model, the root cause, and the vulnerabilities that enable these attacks. Second, we analyze the status quo of the Web-based malware problem. Third, three categories of defense mechanisms are discussed in detail: (1) building honeypots with virtual machines or signature-based detection systems to discover existing threats; (2) using code analysis and testing techniques to identify vulnerabilities in Web applications; and (3) constructing reputation-based blacklists or smart sandbox systems to protect end users from attacks. We show that these three categories of approaches together form an extensive solution space for the Web-based malware problem. Finally, we compare the surveyed approaches and discuss possible future research directions.
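
The first defense category above (signature-based detection of known threats) in miniature, as an added example that is not code from the surveyed paper or from any detector it cites: a weighted signature scan over raw page source for the drive-by indicators the literature describes (hidden iframes used for redirection, unescape()-encoded NOP sleds and long payloads, heap-spray loops, eval of decoded strings). The signature names, regular expressions, weights, thresholds and the three sample pages are all constructed for illustration.

```python
"""Weighted signature triage of page source for drive-by-download indicators.

Added example: not code from the surveyed paper or from any detector it
cites. Signature names, regexes, weights, thresholds and the sample pages
are constructed for illustration.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: re.Pattern
    weight: int


SIGNATURES = (
    # Iframe the user cannot see: the usual hop from a compromised page to an exploit kit.
    Signature("hidden_iframe", re.compile(
        r"<iframe[^>]*(?:width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b"
        r"|visibility\s*:\s*hidden|display\s*:\s*none)[^>]*>", re.I), 3),
    # unescape() literal that opens with a run of 0x9090 words (x86 NOP sled).
    Signature("nop_sled_unescape", re.compile(
        r"unescape\(\s*[\"'](?:%u9090){2,}", re.I), 4),
    # 32+ %uXXXX units in one literal: encoded shellcode, not a few escaped characters.
    Signature("long_unescape_payload", re.compile(
        r"unescape\(\s*[\"'](?:%u[0-9a-f]{4}){32,}", re.I), 3),
    # Decoded string executed directly: an obfuscation layer over the real payload.
    Signature("eval_of_decoded_string", re.compile(
        r"\beval\s*\(\s*(?:unescape|String\.fromCharCode)\s*\(", re.I), 2),
    # for-loop storing <str> + <str> into an array slot: the shape of a heap spray.
    Signature("spray_loop", re.compile(
        r"for\s*\([^)]*\)\s*\{?\s*\w+\s*\[\s*\w+\s*\]\s*=\s*\w+\s*\+", re.I), 3),
)

SUSPICIOUS_SCORE, MALICIOUS_SCORE = 1, 6   # assumed thresholds


def scan(page: str) -> dict:
    """Match every signature against the raw page; return names, score and verdict."""
    matches = [s.name for s in SIGNATURES if s.pattern.search(page)]
    score = sum(s.weight for s in SIGNATURES if s.name in matches)
    if score >= MALICIOUS_SCORE:
        verdict = "likely-malicious"
    elif score >= SUSPICIOUS_SCORE:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"matches": matches, "score": score, "verdict": verdict}


# --- Constructed sample pages (not real captures) --------------------------
BENIGN_PAGE = """<html><body>
<h1>Quarterly report</h1>
<iframe src="https://video.example.com/embed/123" width="640" height="360"></iframe>
<script>
  var items = ["a", "b"];
  for (var i = 0; i < items.length; i++) { console.log(items[i]); }
</script>
</body></html>"""

# Four NOP words followed by 40 filler words stand in for real shellcode.
_ENCODED_PAYLOAD = "%u9090" * 4 + "%u4141" * 40

DRIVEBY_PAGE = f"""<html><body>
<iframe src="http://redirector.example.net/in.cgi?3" width=0 height=0
        style="visibility:hidden"></iframe>
<script>
  var sc = unescape("{_ENCODED_PAYLOAD}");
  var nop = unescape("%u0c0c%u0c0c");
  while (nop.length < 0x10000) nop += nop;
  var spray = new Array();
  for (var i = 0; i < 400; i++) spray[i] = nop + sc;
  eval(unescape("%64%6f%63%75%6d%65%6e%74"));
</script>
</body></html>"""

# Packed but harmless script: the same eval(unescape(...)) shape, no payload.
PACKED_PAGE = """<script>eval(unescape("%61%6c%65%72%74%28%31%29"));</script>"""


if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("driveby", DRIVEBY_PAGE),
                        ("packed", PACKED_PAGE)):
        r = scan(page)
        print(f"{label:8s} {r['verdict']:17s} score={r['score']:2d} {r['matches']}")
```

The packed page lands in "suspicious" on the strength of one obfuscation indicator alone, which is the practical limit of this category: the same encoding that hides a real exploit is used by benign packers, and an attacker who renames, splits or re-encodes the literals slips under every regex here. That brittleness is why a scanner like this is normally used only to prioritize pages for the execution-based honeypots and reputation systems in the other two categories, not as a verdict on its own.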

References

1. Aho, A. V., Sethi, R., and Ullman, J. D. 1986. Compilers: Principles, Techniques, and Tools. Addison-Wesley Longman Publishing, Boston, MA.
2. Akritidis, P., Markatos, E., Polychronakis, M., and Anagnostakis, K. 2005. STRIDE: Polymorphic sled detection through instruction sequence analysis. In Proceedings of the 20th IFIP International Conference on Security and Privacy in the Age of Ubiquitous Computing. R. Sasaki, S. Qing, E. Okamoto, and H. Yoshiura, Eds., Springer, 375--391.
3. Antonakakis, M., Perdisci, R., Dagon, D., Lee, W., and Feamster, N. 2010. Building a dynamic reputation system for DNS. In Proceedings of the 19th USENIX Security Symposium.
4. Bai, Y. and Kobayashi, H. 2003. Intrusion detection systems: Technology and development. In Proceedings of the 17th International Conference on Advanced Information Networking and Applications (AINA'03). 710--715.
5. Bailey, M., Cooke, E., Jahanian, F., Xu, Y., and Karir, M. 2009. A survey of botnet technology and defenses. In Proceedings of the Cybersecurity Applications and Technology Conference for Homeland Security (CATCH'09). 299--304.
6. Bailey, M., Oberheide, J., Andersen, J., Mao, Z. M., Jahanian, F., and Nazario, J. 2007. Automated classification and analysis of Internet malware. In Proceedings of the 10th International Conference on Recent Advances in Intrusion Detection (RAID'07). Springer, 178--197.
7. Balduzzi, M., Gimenez, C. T., Balzarotti, D., and Kirda, E. 2011. Automated discovery of parameter pollution vulnerabilities in web applications. In Proceedings of the 18th Annual Network and Distributed System Security Symposium (NDSS'11).
8. Balzarotti, D., Cova, M., Felmetsger, V., Jovanovic, N., Kirda, E., Kruegel, C., and Vigna, G. 2008. Saner: Composing static and dynamic analysis to validate sanitization in web applications. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society, Los Alamitos, CA, 387--401.
9. Bau, J., Bursztein, E., Gupta, D., and Mitchell, J. 2010. State of the art: Automated black-box web application vulnerability testing. In Proceedings of the IEEE Symposium on Security and Privacy (SP'10). IEEE Computer Society, Los Alamitos, CA, 332--345.
10. Beck, D., Vo, B., and Verbowski, C. 2005. Detecting stealth software with Strider GhostBuster. In Proceedings of the International Conference on Dependable Systems and Networks (DSN'05). IEEE Computer Society, Los Alamitos, CA, 368--377.
11. Bilge, L., Kirda, E., Kruegel, C., and Balduzzi, M. 2011. EXPOSURE: Finding malicious domains using passive DNS analysis. In Proceedings of the 18th Annual Network and Distributed System Security Symposium (NDSS'11).
12. BIND Vulnerabilities. 1998. Multiple vulnerabilities in BIND. CERT Advisory CA-98.05. ftp://info.cert.org/pub/cert_advisories/CA-98.05.bind_problems.
13. Binsalleeh, H., Ormerod, T., Boukhtouta, A., Sinha, P., Youssef, A., Debbabi, M., and Wang, L. 2010. On the analysis of the Zeus botnet crimeware toolkit. In Proceedings of the 8th Annual International Conference on Privacy, Security and Trust (PST'10). 31--38.
14. Chang, J., Venkatasubramanian, K., West, A. G., Kannan, S., Sokolsky, O., Kim, M. J., and Lee, I. 2011. ToMaTo: A trustworthy code mashup development tool. In Proceedings of the 5th International Workshop on Web APIs and Service Mashups (MASHUPS'11).
15. Christodorescu, M., Jha, S., Maughan, D., Song, D., and Wang, C. 2007. Malware Detection. Springer.
16. Chrome Malware. 2010. New drive-by attack targets Google Chrome users. http://downloadsquad.switched.com/2010/04/20/new-drive-by-attack-targets-google-chrome-users/.
17. Chugh, R., Meister, J. A., Jhala, R., and Lerner, S. 2009. Staged information flow for JavaScript. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI'09). ACM Press, New York, 50--62.
18. Cova, M., Kruegel, C., and Vigna, G. 2010a. Detection and analysis of drive-by-download attacks and malicious JavaScript code. In Proceedings of the 19th International Conference on World Wide Web (WWW'10). ACM Press, New York, 281--290.
19. Cova, M., Leita, C., Thonnard, O., Keromytis, A., and Dacier, M. 2010b. An analysis of rogue AV campaigns. In Proceedings of the 13th International Conference on Recent Advances in Intrusion Detection. S. Jha, R. Sommer, and C. Kreibich, Eds., Lecture Notes in Computer Science, vol. 6307, Springer, 442--463.
20. Cox, R. S., Gribble, S. D., Levy, H. M., and Hansen, J. G. 2006. A safety-oriented platform for web applications. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society, Los Alamitos, CA, 350--364.
21. Crites, S., Hsu, F., and Chen, H. 2008. OMash: Enabling secure web mashups via object abstractions. In Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS'08). ACM Press, New York, 99--108.
22. Curtsinger, C., Livshits, B., Zorn, B., and Seifert, C. 2010. Zozzle: Low-overhead mostly static JavaScript malware detection. Tech. rep. MSR-TR-2010-156, Microsoft Research.
23. Daniel, M., Honoroff, J., and Miller, C. 2008. Engineering heap overflow exploits with JavaScript. In Proceedings of the 2nd USENIX Workshop on Offensive Technologies (WOOT'08). USENIX Association, Berkeley, CA, 1:1--1:6.
24. Dasient Report. 2010. Dasient Q3 malware update: Web-based malware infections double since last year, malvertising attacks continue over summer. http://blog.dasient.com/2010/11/normal.html.
25. Feily, M., Shahrestani, A., and Ramadass, S. 2009. A survey of botnet and botnet detection. In Proceedings of the 3rd International Conference on Emerging Security Information, Systems and Technologies (SECURWARE'09). 268--273.
26. Feinstein, B. and Peck, D. 2007. Caffeine Monkey: Automated collection, detection and analysis of malicious JavaScript. In Proceedings of Black Hat USA. https://www.blackhat.com/presentations/bh-usa-07/Feinstein_and_Peck/Whitepaper/bh-usa-07-feinstein_and_peck-WP.pdf.
27. Fleizach, C., Liljenstam, M., Johansson, P., Voelker, G. M., and Mehes, A. 2007. Can you infect me now? Malware propagation in mobile phone networks. In Proceedings of the ACM Workshop on Recurring Malcode (WORM'07). ACM Press, New York, 61--68.
28. Ganesh, V., Leek, T., and Rinard, M. 2009. Taint-based directed whitebox fuzzing. In Proceedings of the 31st International Conference on Software Engineering (ICSE'09). IEEE Computer Society, Los Alamitos, CA, 474--484.
29. Garetto, M., Gong, W., and Towsley, D. 2003. Modeling malware spreading dynamics. In Proceedings of the 22nd Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM'03). IEEE, 1869--1879.
30. Garfinkel, S. and Spafford, G. 2001. Web Security, Privacy and Commerce, 2nd Ed. O'Reilly and Associates, Sebastopol, CA.
31. Geneiatakis, D., Dagiuklas, T., Kambourakis, G., Lambrinoudakis, C., Gritzalis, S., Ehlert, S., and Sisalem, D. 2006. Survey of security vulnerabilities in Session Initiation Protocol. IEEE Comm. Surv. Tutorials 8, 68--81.
32. Google Safe Browsing Project. 2011. Google Safe Browsing API homepage. http://code.google.com/apis/safebrowsing/.
33. Google Web Index. 2008. We knew the web was big. http://googleblog.blogspot.com/2008/07/we-knew-web-was-big.html.
34. Grier, C., Tang, S., and King, S. T. 2008. Secure web browsing with the OP web browser. In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society, Los Alamitos, CA, 402--416.
35. Guarnieri, S. and Livshits, B. 2009. Gatekeeper: Mostly static enforcement of security and reliability policies for JavaScript code. In Proceedings of the 18th USENIX Security Symposium (SSYM'09). USENIX Association, Berkeley, CA, 151--168.
36. Gulli, A. and Signorini, A. 2005. The indexable web is more than 11.5 billion pages. In Proceedings of the Special Interest Tracks and Posters of the 14th International Conference on World Wide Web (WWW'05). ACM Press, New York, 902--903.
37. Halfond, W. G., Viegas, J., and Orso, A. 2006. A classification of SQL-injection attacks and countermeasures. In Proceedings of the IEEE International Symposium on Secure Software Engineering.
38. Hosseinpour, F., Bakar, K., Hardoroudi, A., and Kazazi, N. 2010. Survey on artificial immune system as a bio-inspired technique for anomaly-based intrusion detection systems. In Proceedings of the 2nd International Conference on Intelligent Networking and Collaborative Systems (INCOS'10). 323--324.
39. Huang, Y.-W., Yu, F., Hang, C., Tsai, C.-H., Lee, D.-T., and Kuo, S.-Y. 2004. Securing web application code by static analysis and runtime protection. In Proceedings of the 13th International Conference on World Wide Web (WWW'04). ACM Press, New York, 40--52.
40. Idika, N. and Mathur, A. P. 2010. A survey of malware detection techniques. Tech. rep. 286, Purdue University, Department of Computer Science. http://www.internetworldstats.com/stats.htm.
41. Jackson, C. and Wang, H. J. 2007. Subspace: Secure cross-domain communication for web mashups. In Proceedings of the 16th International Conference on World Wide Web (WWW'07). ACM Press, New York, 611--620.
42. Jacob, G., Debar, H., and Filiol, E. 2008. Behavioral detection of malware: From a survey towards an established taxonomy. J. Comput. Virol. 4, 251--266.
43. Jain, S., Shafique, F., Djeric, V., and Goel, A. 2008. Application-level isolation and recovery with Solitude. In Proceedings of the 3rd ACM SIGOPS/EuroSys European Conference on Computer Systems (EuroSys'08). ACM Press, New York, 95--107.
44. Jim, T., Swamy, N., and Hicks, M. 2007. Defeating script injection attacks with browser-enforced embedded policies. In Proceedings of the 16th International Conference on World Wide Web (WWW'07). ACM Press, New York, 601--610.
45. Joshi, A., King, S. T., Dunlap, G. W., and Chen, P. M. 2005. Detecting past and present intrusions through vulnerability-specific predicates. In Proceedings of the 20th ACM Symposium on Operating Systems Principles (SOSP'05). ACM Press, New York, 91--104.
46. Jovanovic, N., Kruegel, C., and Kirda, E. 2006a. Pixy: A static analysis tool for detecting web application vulnerabilities (short paper). In Proceedings of the IEEE Symposium on Security and Privacy. IEEE Computer Society, Los Alamitos, CA, 258--263.
47. Jovanovic, N., Kruegel, C., and Kirda, E. 2006b. Precise alias analysis for static detection of web application vulnerabilities. In Proceedings of the Workshop on Programming Languages and Analysis for Security (PLAS'06). ACM Press, New York, 27--36.
48. Kanich, C., Kreibich, C., Levchenko, K., Enright, B., Voelker, G. M., Paxson, V., and Savage, S. 2008. Spamalytics: An empirical analysis of spam marketing conversion. In Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS'08). 3--14.
49. Kirda, E., Kruegel, C., Vigna, G., and Jovanovic, N. 2006. Noxes: A client-side solution for mitigating cross-site scripting attacks. In Proceedings of the ACM Symposium on Applied Computing (SAC'06). ACM Press, New York, 330--337.
50. Kruegel, C. and Vigna, G. 2003. Anomaly detection of web-based attacks. In Proceedings of the 10th ACM Conference on Computer and Communications Security (CCS'03). ACM Press, New York, 251--261.
51. Lam, M. S., Martin, M., Livshits, B., and Whaley, J. 2008. Securing web applications with static and dynamic information flow tracking. In Proceedings of the ACM SIGPLAN Symposium on Partial Evaluation and Semantics-Based Program Manipulation (PEPM'08). ACM Press, New York, 3--12.
52. Lawton, G. 2007. Web 2.0 creates security challenges. Comput. 40, 10, 13--16.
53. Li, C., Jiang, W., and Zou, X. 2009. Botnet: Survey and case study. In Proceedings of the 4th International Conference on Innovative Computing, Information and Control (ICICIC'09). 1184--1187.
54. Li, P., Salour, M., and Su, X. 2008. A survey of Internet worm detection and containment. IEEE Comm. Surv. Tutorials 10, 1, 20--35.
55. Li, Z., Tang, Y., Cao, Y., Rastogi, V., Chen, Y., and Liu, B. 2011. WebShield: Enabling various web defense techniques without client-side modifications. In Proceedings of the 18th Annual Network and Distributed System Security Symposium (NDSS'11).
56. Lin, K.-J. 2007. Building Web 2.0. Comput. 40, 5, 101--102.
57. Lu, L., Yegneswaran, V., Porras, P., and Lee, W. 2010. BLADE: An attack-agnostic approach for preventing drive-by malware infections. In Proceedings of the 17th ACM Conference on Computer and Communications Security (CCS'10). ACM Press, New York, 440--450.
58. Lunt, T. F. 1993. A survey of intrusion detection techniques. Comput. Secur. 12, 4, 405--418.
59. Ma, J., Saul, L. K., Savage, S., and Voelker, G. M. 2009. Beyond blacklists: Learning to detect malicious websites from suspicious URLs. In Proceedings of the 15th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining (KDD'09). ACM Press, New York, 1245--1254.
60. Magazinius, J., Askarov, A., and Sabelfeld, A. 2010. A lattice-based approach to mashup security. In Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security (ASIACCS'10). ACM Press, New York, 15--23.
61. Marhusin, M., Cornforth, D., and Larkin, H. 2008. An overview of recent advances in intrusion detection. In Proceedings of the 8th IEEE International Conference on Computer and Information Technology (CIT'08). 432--437.
62. Moser, A., Kruegel, C., and Kirda, E. 2007. Exploring multiple execution paths for malware analysis. In Proceedings of the IEEE Symposium on Security and Privacy (SP'07). IEEE Computer Society, Los Alamitos, CA, 231--245.
63. Moshchuk, A., Bragin, T., Deville, D., Gribble, S. D., and Levy, H. M. 2007. SpyProxy: Execution-based detection of malicious web content. In Proceedings of the 16th USENIX Security Symposium. USENIX Association, Berkeley, CA, 3:1--3:16.
64. Moshchuk, A., Bragin, T., Gribble, S. D., and Levy, H. M. 2006. A crawler-based study of spyware on the web. In Proceedings of the Network and Distributed System Security Symposium (NDSS'06).
65. Motoyama, M., Levchenko, K., Kanich, C., McCoy, D., Voelker, G. M., and Savage, S. 2010. Re: CAPTCHAs: Understanding CAPTCHA-solving services in an economic context. In Proceedings of the 19th USENIX Security Symposium. USENIX Association, Berkeley, CA, 28--28.
66. Mukherjee, B., Heberlein, L., and Levitt, K. 1994. Network intrusion detection. IEEE Netw. 8, 3, 26--41.
67. Murali, A. and Rao, M. 2005. A survey on intrusion detection approaches. In Proceedings of the 1st International Conference on Information and Communication Technologies (ICICT'05). 233--240.
68. Nazario, J. 2009. PhoneyC: A virtual client honeypot. In Proceedings of the 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More (LEET'09). USENIX Association, Berkeley, CA, 6--6.
69. Ormerod, T., Wang, L., Debbabi, M., Youssef, A., Binsalleeh, H., Boukhtouta, A., and Sinha, P. 2010. Defaming botnet toolkits: A bottom-up approach to mitigating the threat. In Proceedings of the 4th International Conference on Emerging Security Information, Systems and Technologies (SECURWARE'10). 195--200.
70. Peng, T., Leckie, C., and Ramamohanarao, K. 2007. Survey of network-based defense mechanisms countering the DoS and DDoS problems. ACM Comput. Surv. 39, 1.
71. Polychronakis, M., Anagnostakis, K. G., and Markatos, E. P. 2007. Emulation-based detection of non-self-contained polymorphic shellcode. In Proceedings of the 10th International Conference on Recent Advances in Intrusion Detection (RAID'07). Springer, 87--106.
72. Polychronakis, M., Mavrommatis, P., and Provos, N. 2008. Ghost turns zombie: Exploring the life cycle of web-based malware. In Proceedings of the 1st USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET'08). USENIX Association, Berkeley, CA, 11:1--11:8.
73. Provos, N., Mavrommatis, P., Rajab, M. A., and Monrose, F. 2008. All your iFRAMEs point to us. In Proceedings of the USENIX Security Symposium. 1--16.
74. Provos, N., McNamee, D., Mavrommatis, P., Wang, K., and Modadugu, N. 2007. The ghost in the browser: Analysis of web-based malware. In Proceedings of the 1st Workshop on Hot Topics in Understanding Botnets (HotBots'07). USENIX Association, Berkeley, CA, 4--4.
75. Qing, S. and Wen, W. 2005. A survey and trends on Internet worms. Comput. Secur. 24, 4, 334--346.
76. Ratanaworabhan, P., Livshits, B., and Zorn, B. 2009. Nozzle: A defense against heap-spraying code injection attacks. In Proceedings of the 18th USENIX Security Symposium (SSYM'09). USENIX Association, Berkeley, CA, 169--186.
77. RBN Study. 2007. Russian Business Network study. http://www.bizeul.org/files/RBN_study.pdf.
78. Reis, C., Dunagan, J., Wang, H. J., Dubrovsky, O., and Esmeir, S. 2006. BrowserShield: Vulnerability-driven filtering of dynamic HTML. In Proceedings of the 7th Symposium on Operating Systems Design and Implementation (OSDI'06). USENIX Association, Berkeley, CA, 61--74.
79. Reis, C. and Gribble, S. D. 2009. Isolating web programs in modern browser architectures. In Proceedings of the 4th ACM European Conference on Computer Systems (EuroSys'09). ACM Press, New York, 219--232.
80. RFC 2828. 2000. Internet Security Glossary. IETF RFC 2828. http://tools.ietf.org/html/rfc2828/.
81. Rieck, K., Krueger, T., and Dewald, A. 2010. Cujo: Efficient detection and prevention of drive-by-download attacks. In Proceedings of the Annual Computer Security Applications Conference (ACSAC'10).
82. Roesch, M. 1999. Snort: Lightweight intrusion detection for networks. In Proceedings of the 13th USENIX Conference on System Administration (LISA'99). USENIX Association, Berkeley, CA, 229--238.
83. Rubin, A. and Geer, D. E., Jr. 1998. A survey of web security. Comput. 31, 9, 34--41.
84. Sabahi, F. and Movaghar, A. 2008. Intrusion detection: A survey. In Proceedings of the 3rd International Conference on Systems and Networks Communications (ICSNC'08). 23--26.
85. Sabbouh, M., Higginson, J., Semy, S., and Gagne, D. 2007. Web mashup scripting language. In Proceedings of the 16th International Conference on World Wide Web (WWW'07). ACM Press, New York, 1305--1306.
86. Sabelfeld, A. and Myers, A. C. 2003. Language-based information-flow security. IEEE J. Selected Areas Comm. 21, 1.
87. Sadoddin, R. and Ghorbani, A. 2006. Alert correlation survey: Framework and techniques. In Proceedings of the International Conference on Privacy, Security and Trust: Bridge the Gap Between PST Technologies and Business Services (PST'06). ACM Press, New York, 37:1--37:10.
88. Saxena, P., Akhawe, D., Hanna, S., Mao, F., McCamant, S., and Song, D. 2010a. A symbolic execution framework for JavaScript. In Proceedings of the IEEE Symposium on Security and Privacy (SP'10). IEEE Computer Society, Los Alamitos, CA, 513--528.
89. Saxena, P., Hanna, S., Poosankam, P., and Song, D. 2010b. FLAX: Systematic discovery of client-side validation vulnerabilities in rich web applications. In Proceedings of the 17th Annual Network and Distributed System Security Symposium (NDSS'10).
90. Schmidt, A.-D., Schmidt, H.-G., Batyuk, L., Clausen, J., Camtepe, S., Albayrak, S., and Yildizli, C. 2009. Smartphone malware evolution revisited: Android next target? In Proceedings of the 4th International Conference on Malicious and Unwanted Software (MALWARE'09). 1--7.
91. Seifert, C., Welch, I., and Komisarczuk, P. 2009. Identification of malicious web pages through analysis of underlying DNS and web server relationships. In Proceedings of the 33rd IEEE Conference on Local Computer Networks. 935--941.
92. Shabtai, A., Moskovitch, R., Elovici, Y., and Glezer, C. 2009. Detection of malicious code by applying machine learning classifiers on static features: A state-of-the-art survey. Inf. Secur. Tech. Rep. 14, 16--29.
93. Siddiqui, M., Wang, M. C., and Lee, J. 2008. A survey of data mining techniques for malware detection using file features. In Proceedings of the 46th Annual Southeast Regional Conference (ACM-SE'08). ACM Press, New York, 509--510.
94. Sidiroglou, S., Ioannidis, J., Keromytis, A., and Stolfo, S. 2005. An email worm vaccine architecture. In Proceedings of the 1st Information Security Practice and Experience Conference. R. Deng, F. Bao, H. Pang, and J. Zhou, Eds., Lecture Notes in Computer Science, vol. 3439, Springer, 97--108.
95. Song, C., Zhuge, J., Han, X., and Ye, Z. 2010. Preventing drive-by download via inter-module communication monitoring. In Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security (ASIACCS'10). ACM Press, New York, 124--134.
96. Sotirov, A. 2007. Heap Feng Shui in JavaScript. In Proceedings of the Black Hat Europe Security Conference.
97. Sotirov, A. and Dowd, M. 2008. Bypassing browser memory protections. In Proceedings of the Black Hat Security Conference.
98. Su, Z. and Wassermann, G. 2006. The essence of command injection attacks in web applications. In Conference Record of the 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages (POPL'06). ACM Press, New York, 372--382.
99. Tipton, H. 2009. Information Security Management Handbook. Vol. 3, 6th Ed. CRC Press, Boca Raton, FL.
100. Top Ten Project. 2011. OWASP Top Ten Project. http://www.owasp.org/.
101. Toth, T. and Kruegel, C. 2002. Accurate buffer overflow detection via abstract payload execution. In Proceedings of the 5th International Conference on Recent Advances in Intrusion Detection (RAID'02). Springer, 274--291.
102. Vinod, P., Laxmi, V., and Gaur, M. 2009. Survey on malware detection methods. In Proceedings of the 3rd Annual IIT Kanpur Hackers' Workshop.
103. Wang, H. J., Guo, C., Simon, D. R., and Zugenmaier, A. 2004. Shield: Vulnerability-driven network filters for preventing known vulnerability exploits. SIGCOMM Comput. Comm. Rev. 34, 193--204.
104. Wang, Y., Beck, D., Jiang, X., and Roussev, R. 2006. Automated web patrol with Strider HoneyMonkeys: Finding web sites that exploit browser vulnerabilities. In Proceedings of the Network and Distributed System Security Symposium (NDSS'06).
105. Wang, Y., Verbowski, C., Dunagan, J., Chen, Y., Wang, H. J., and Yuan, C. 2003. Strider: A black-box, state-based approach to change and configuration management and support. In Proceedings of the 17th USENIX Conference on System Administration (LISA'03). 159--172.
106. Wassermann, G. and Su, Z. 2007. Sound and precise analysis of web applications for injection vulnerabilities. In Proceedings of the ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI'07). ACM Press, New York, 32--41.
107. Wassermann, G. and Su, Z. 2008. Static detection of cross-site scripting vulnerabilities. In Proceedings of the 30th International Conference on Software Engineering (ICSE'08). ACM Press, New York, 171--180.
108. Wilhelm, J. and Chiueh, T.-C. 2007. A forced sampled execution approach to kernel rootkit identification. In Proceedings of the 10th International Conference on Recent Advances in Intrusion Detection (RAID'07). Springer, 219--235.
109. Xie, Y. and Aiken, A. 2006. Static detection of security vulnerabilities in scripting languages. In Proceedings of the 15th USENIX Security Symposium. USENIX Association, Berkeley, CA.
110. You, I. and Yim, K. 2010. Malware obfuscation techniques: A brief survey. In Proceedings of the International Conference on Broadband, Wireless Computing, Communication and Applications (BWCCA'10). IEEE Computer Society, Los Alamitos, CA, 297--300.
111. Yue, C. and Wang, H. 2009. Characterizing insecure JavaScript practices on the web. In Proceedings of the 18th International Conference on World Wide Web (WWW'09). ACM Press, New York, 961--970.
112. Zeidanloo, H., Shooshtari, M., Amoli, P., Safari, M., and Zamani, M. 2010. A taxonomy of botnet detection techniques. In Proceedings of the 3rd IEEE International Conference on Computer Science and Information Technology (ICCSIT'10). Vol. 2, 158--162.
113. Zhu, Z., Lu, G., Chen, Y., Fu, Z., Roberts, P., and Han, K. 2008. Botnet research survey. In Proceedings of the 32nd Annual IEEE International Computer Software and Applications Conference (COMPSAC'08). 967--972.

Published in

ACM Computing Surveys, Volume 45, Issue 4 (August 2013), 490 pages
ISSN: 0360-0300
EISSN: 1557-7341
DOI: 10.1145/2501654

Copyright © 2013 ACM

        Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

• Received: 1 October 2011
• Revised: 1 August 2012
• Accepted: 1 August 2012
• Published: 30 August 2013

Qualifiers

• research-article
• Research
• Refereed
