All Your iFRAMEs Point to Us


Presentation by Kathleen Stoeckle on "All Your iFRAMEs Point to Us" by Niels Provos, Panayiotis Mavrommatis, Moheeb Abu Rajab and Fabian Monrose, 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 (Google Technical Report). Outline: Purpose, Background Information, Data Collection, Results, Post-Infection Impact, Related Work, Conclusions, Strengths and Weaknesses.

Transcript of All Your iFRAMEs Point to Us

Slide 1

Presentation by Kathleen Stoeckle

All Your iFRAMEs Point to Us
17th USENIX Security Symposium (Security'08), San Jose, CA, 2008
Google Technical Report
Niels Provos, Panayiotis Mavrommatis, Moheeb Abu Rajab, Fabian Monrose

Outline
Purpose
Background Information
Data Collection
Results
Post-Infection Impact
Related Work
Conclusions
Strengths and Weaknesses

Purpose
Analysis of malware using malicious URLs collected over a ten-month period.

Identify malware trends.

Raise questions about the security practices employed by site administrators.

Background Information: Techniques for Delivering Web-Malware
1. Attackers use websites in order to encourage visitors of the site to download and run malware.

2. Drive-by downloads: attackers target browser vulnerabilities in order to automatically download and run a malicious binary when the website is visited (unknown to the user).

Definitions
Landing pages and malicious URLs - URLs that initiate drive-by downloads when users visit them.
Landing sites - Sites identified by their top-level domain names.
Distribution site - A remote site that hosts malicious payloads.
iFRAME - An HTML element that makes it possible to embed HTML inside another HTML document.

Existing Malware Installation Strategies
Remote exploitation of vulnerable network services

Connection to malicious servers

Inject malicious content into benign websites

Exploit scripting applications

Malicious Binary Injection Techniques
Lure web users to connect to malicious servers that deliver exploits (targeting vulnerabilities of web browsers or plugins).

Inject content into benign websites:
Exploit vulnerable scripting applications (p. 4). Generally a link that redirects to a malicious website hosting the script that exploits the browser. Invisible HTML components (0-pixel iFRAMEs) hide the injected content.

Use websites that allow users to contribute content.

Drive-by Download (p. 5)

Data Collection: Infrastructure and Methodology

Pre-Processing

Verification - Inspect URLs in the Google repository and determine which trigger drive-by downloads.

Pre-Processing Phase
MapReduce framework to process billions of websites.

Uses certain features to identify these sites:
out-of-place iFRAMEs
obfuscated JavaScript
iFRAMEs to known distribution sites

One billion sites analyzed daily; 1 million pass on to the verification phase.

Verification Phase
Determines whether a URL from the pre-processing phase is malicious.
Web honeynet: execution-based heuristics and anti-virus engines.
Criteria: must meet a threshold, and one HTTP response must be marked malicious by the anti-virus scanner.
A URL that has met the threshold but has no incoming payload is marked as suspicious.
One million scanned, 25,000 marked malicious per day.

Constructing Malware Distribution Networks
Analysis of recorded network traces.

Combine malware delivery trees

Live for 1 year

Focus on drive-by downloads
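The three pre-processing features above (out-of-place or hidden iFRAMEs, obfuscated JavaScript, iFRAMEs to known distribution sites) are simple enough to show as a filter. The following is an added example written for this summary, not code from the paper or from Google's pipeline; the denylist, the obfuscation regex and the sample page are all constructed for the demo, and a non-empty result only means "send this page on to the verification phase".

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed denylist standing in for the paper's known-distribution-site list (not on the page).
KNOWN_DISTRIBUTION_SITES = {"dist.example", "payload.example"}
# Inline CSS that makes a frame invisible, and a crude obfuscation hint:
# eval/unescape/fromCharCode fed a long run of %XX or \xXX escapes.
_HIDDEN_STYLE = re.compile(r"(?:width|height)\s*:\s*0(?:px)?(?![\d.])|display\s*:\s*none", re.I)
_OBFUSCATED_JS = re.compile(
    r"(?:eval|unescape|String\.fromCharCode)\s*\(.*?(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}){8,}", re.I | re.S)

class PreProcessingAuditor(HTMLParser):
    """Collects (kind, where, reasons) for elements matching the three features."""
    def __init__(self):
        super().__init__()
        self.findings, self._in_script = [], False

    def handle_starttag(self, tag, attrs):  # HTMLParser lowercases tag and attribute names
        if tag == "script":
            self._in_script = True
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        src, reasons = a.get("src", ""), []
        # 0-pixel or hidden frame: the invisible component that hides injected content.
        if "0" in {a.get("width", "").rstrip("px"), a.get("height", "").rstrip("px")} \
                or _HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("zero-size-or-hidden")
        # Frame pointing at a site already known to serve payloads.
        if (urlparse(src).hostname or "") in KNOWN_DISTRIBUTION_SITES:
            reasons.append("known-distribution-site")
        if reasons:
            self.findings.append(("iframe", src, reasons))

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"

    def handle_data(self, data):  # script bodies arrive here verbatim (CDATA content)
        if self._in_script and _OBFUSCATED_JS.search(data):
            self.findings.append(("script", data.strip()[:40], ["obfuscated-js"]))

def audit_html(html):
    """Findings for one page; an empty list means the page would not go to verification."""
    p = PreProcessingAuditor()
    p.feed(html)
    return p.findings

# Constructed sample page: hidden frame to a listed site, benign frame, obfuscated script.
SAMPLE_PAGE = ('<iframe src="http://dist.example/x.php" width="0" height="0"></iframe>'
               '<iframe src="http://video.example/embed" width="300" height="200"></iframe>'
               '<script>eval(unescape("%64%6f%63%75%6d%65%6e%74%2e%77"))</script>')
```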

Results: Data Collection Summary
10-month period
3 million malicious URLs found on 180,000 landing sites.
Over 9,000 distribution sites

Data Collection Period: January - October 2007
Total URLs checked in-depth: 66,534,330
Total suspicious landing URLs: 3,385,889
Total malicious landing URLs: 3,427,590
Total malicious landing sites: 181,699
Total distribution sites: 9,340

Impact on Users
At least 1 malicious URL returned in results (approx. 1.3% of overall search queries)

Most popular landing page has a rank of 1,588

Of the top 1 million URLs, 6,000 were verified malicious during inspection.

Chart slides: Malware Hosting Site Distribution by Country; Malware Landing Site Distribution by Country

Chart slides: Random URL Sample; Malicious URLs by Subject (percentage of landing sites)

Malicious Content Injection
Web malware is not tied to browsing habits.

Drive-by downloads can be triggered in benign websites:
Compromised web server
Third-party contributed content

Webserver Software
Outdated software with known vulnerabilities
Increased risk of content control by server exploitation.

Ads
2% of landing sites
12% of overall search content returned landing pages with malicious content.
Short-lived compared to other malicious content-injecting techniques
75% have long delivery chains (50% with over six steps)

Properties of Malware Distribution Infrastructure
Size
Networks that use only 1 landing site
Networks that have multiple landing sites
IP Space Locality
Concentrated on a limited number of /8 prefixes.
70% of malware distribution sites in 58.* - 62.* and 209.* - 221.*
Similar for scam hosting infrastructure
50% of landing sites
Distribution of Malware Binaries Across Domains
Hosting: 90% single IP address, 10% multiple IP addresses
Sub-folders of a DNS name: 512j.com/akgy, 512j.com/alavin, 512j.com/anti, mihanblog.com/abadan2 or mihanblog.com/askbox

Properties of Malware Distribution Infrastructure
Examination of overlapping landing sites.

80% of distribution networks share at least 1 landing page.

Multiple iFRAMEs linking to different malware distribution sites.

25% of malware distribution sites share at least one binary.

Binaries are less frequently shared between distribution sites than landing sites are.

Post-Infection Impact
Chart slide: Most Frequently Contacted Ports
Post-Infection
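The network properties discussed in the two slides above (delivery-chain length, the share of networks that overlap on a landing site, and the /8 locality of distribution sites) can be reproduced from recorded redirect chains. This is an added example for this summary, not the paper's analysis code; the chains, hostnames and IP addresses are constructed, and the /8 ranges checked are the ones the slide reports (58-62 and 209-221).

```python
from collections import defaultdict
from itertools import combinations
from urllib.parse import urlparse

# Constructed redirect chains: the ordered URLs a client fetched from the landing
# page to the payload. Hosts and IPs are made up; the paper's data is not on the page.
CHAINS = [
    ["http://blog.example/p1", "http://ad.example/s", "http://hop1.example/r", "http://dist-a.example/x.php"],
    ["http://blog.example/p2", "http://dist-a.example/x.php"],
    ["http://forum.example/t", "http://hop1.example/r", "http://hop2.example/r", "http://dist-b.example/p.exe"],
    ["http://blog.example/p3", "http://dist-b.example/p.exe"],
    ["http://news.example/a"] + ["http://hop%d.example/r" % i for i in range(3, 9)] + ["http://dist-c.example/z"],
]
DIST_IPS = {"dist-a.example": "58.1.2.3", "dist-b.example": "60.9.9.9", "dist-c.example": "203.0.113.5"}

def host(url):
    return urlparse(url).hostname

def build_networks(chains):
    """One distribution network per final hop: its landing sites and delivery-chain lengths."""
    nets = defaultdict(lambda: {"landing_sites": set(), "chain_lengths": []})
    for chain in chains:
        net = nets[host(chain[-1])]
        net["landing_sites"].add(host(chain[0]))
        net["chain_lengths"].append(len(chain) - 1)  # redirect steps between landing page and payload
    return dict(nets)

def long_chain_fraction(nets, min_steps=6):
    """Share of delivery chains with more than min_steps redirects."""
    lengths = [n for net in nets.values() for n in net["chain_lengths"]]
    return sum(1 for n in lengths if n > min_steps) / len(lengths)

def networks_sharing_landing(nets):
    """Number of networks that share at least one landing site with another network."""
    shared = set()
    for a, b in combinations(nets, 2):
        if nets[a]["landing_sites"] & nets[b]["landing_sites"]:
            shared.update((a, b))
    return len(shared)

def reported_range_fraction(dist_ips):
    """Share of distribution-site IPs inside the /8 ranges the slide reports (58-62 and 209-221)."""
    def in_range(ip):
        first = int(ip.split(".")[0])
        return 58 <= first <= 62 or 209 <= first <= 221
    return sum(in_range(ip) for ip in dist_ips.values()) / len(dist_ips)
```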

Chart slides: Downloaded Executables; Launched Processes; Registry Changes

Anti-Virus Engine Detection Rates
Pull-based delivery system

Evaluate detection rates of well-known anti-virus engines against suspected malware samples.

Average of 70% for the best engine (even the best anti-virus engine with the latest definitions fails to cover a significant percentage of web malware).

False positives: 6%

Related Work
Honeypots - Moshchuk et al.: decrease in links to spyware-labeled executables over time.
Provos et al. and Seifert et al.: raised awareness of threats posed by drive-by downloads.
Wang et al.: exploits in Internet Explorer on Windows XP; 200 of 17,000 URLs dangerous.
Malware Detection by Dynamic Tainting Analysis: insight into the mechanisms by which malware installs itself and operates.

Conclusions
1.3% of incoming search queries on Google return at least one link to a malicious site.

Users are lured into malware distribution networks by content in online ads.

Avoiding the dark corners of the Internet does not limit exposure to malware.

Anti-virus engines are lacking.

Strengths and Weaknesses
Useful survey about malware installation. Broad data range.

Only examines the Google database.
For the most part, evaluation was automated and, due to the broad scope, there is a lot missing in the analysis.
Did not explain acronyms.

References
All Your iFRAMEs Point to Us. Niels Provos, Panayiotis Mavrommatis, Moheeb Abu Rajab, Fabian Monrose. 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008.