Trends in Circumventing Web-Malware Detection UTSA Moheeb Abu Rajab, Lucas Ballard, Nav Jagpal,...

18
Trends in Circumventing Web-Malware Detection UTSA Moheeb Abu Rajab, Lucas Ballard, Nav Jagpal, Panayiotis Mavrommatis, Daisuke Nojiri, Niels Provos, Ludwig Schmidt Present by Li Xu

TAGS:

Transcript of Trends in Circumventing Web-Malware Detection UTSA Moheeb Abu Rajab, Lucas Ballard, Nav Jagpal,...

Page 1: Trends in Circumventing Web-Malware Detection UTSA Moheeb Abu Rajab, Lucas Ballard, Nav Jagpal, Panayiotis Mavrommatis, Daisuke Nojiri, Niels Provos, Ludwig.

Trends in Circumventing Web-Malware Detection

UTSA

Moheeb Abu Rajab, Lucas Ballard, Nav Jagpal, Panayiotis Mavrommatis,Daisuke Nojiri, Niels Provos, Ludwig Schmidt

Present by Li Xu

Page 2: Trends in Circumventing Web-Malware Detection UTSA Moheeb Abu Rajab, Lucas Ballard, Nav Jagpal, Panayiotis Mavrommatis, Daisuke Nojiri, Niels Provos, Ludwig.

2

Detecting Malicious Web Sites

Which pages are safe URLs for end users?

• Safe URL?

• Web exploit?

• Spam-advertised site?

• Phishing site?

URL = Uniform Resource Locator

http://www.bfuduuioo1fp.mobi/ws/ebayisapi.dll

http://fblight.com

http://mail.ru

http://www.sigkdd.org/kdd2009/index.html

This page is reference to Justin Ma’s slides

http://www.bfuduuioo1fp.mobi/ws/ebayisapi.dll
http://fblight.com/
http://www.sigkdd.org/kdd2009/index.html
Page 3: Trends in Circumventing Web-Malware Detection UTSA Moheeb Abu Rajab, Lucas Ballard, Nav Jagpal, Panayiotis Mavrommatis, Daisuke Nojiri, Niels Provos, Ludwig.

3

Problem in a Nutshell

Different classes of URLs Benign, spam, phishing, exploits, scams... For now, distinguish benign vs. malicious

facebook.com fblight.com

This page is reference to Justin Ma’s slides

Page 4: Trends in Circumventing Web-Malware Detection UTSA Moheeb Abu Rajab, Lucas Ballard, Nav Jagpal, Panayiotis Mavrommatis, Daisuke Nojiri, Niels Provos, Ludwig.

4

State of the Practice

Current approaches– Virtual Machine Honeypots.– Browser Emulation.– Reputation Based Detection.– Signature Based Detection.

Arms race

How does adversaries respond & what techniques have been

used to bypass detection.

Page 5: Trends in Circumventing Web-Malware Detection UTSA Moheeb Abu Rajab, Lucas Ballard, Nav Jagpal, Panayiotis Mavrommatis, Daisuke Nojiri, Niels Provos, Ludwig.

5

Google System

Page 6: Trends in Circumventing Web-Malware Detection UTSA Moheeb Abu Rajab, Lucas Ballard, Nav Jagpal, Panayiotis Mavrommatis, Daisuke Nojiri, Niels Provos, Ludwig.

6

Data Collection

Data Set I, is the data that is generated by ouroperational pipeline, i.e., the output of PageScorer. It was generated by processing 1.6 billion distinct web ∼pages collected be-tween December 1, 2006 and April 1, 2011.

Data Set II,sample pages from data set I suspicious1% of other “non- suspicious” pages uniformly at random from the same time period. rescore the original HTTP responses a fixed version of PageScorer

Page 7: Trends in Circumventing Web-Malware Detection UTSA Moheeb Abu Rajab, Lucas Ballard, Nav Jagpal, Panayiotis Mavrommatis, Daisuke Nojiri, Niels Provos, Ludwig.

7

Page 8: Trends in Circumventing Web-Malware Detection UTSA Moheeb Abu Rajab, Lucas Ballard, Nav Jagpal, Panayiotis Mavrommatis, Daisuke Nojiri, Niels Provos, Ludwig.

8

Attacks on client honeypot

Page 9: Trends in Circumventing Web-Malware Detection UTSA Moheeb Abu Rajab, Lucas Ballard, Nav Jagpal, Panayiotis Mavrommatis, Daisuke Nojiri, Niels Provos, Ludwig.

9

Exploits encountered on the web

Page 10: Trends in Circumventing Web-Malware Detection UTSA Moheeb Abu Rajab, Lucas Ballard, Nav Jagpal, Panayiotis Mavrommatis, Daisuke Nojiri, Niels Provos, Ludwig.

10

Javascript funtion calls

Page 11: Trends in Circumventing Web-Malware Detection UTSA Moheeb Abu Rajab, Lucas Ballard, Nav Jagpal, Panayiotis Mavrommatis, Daisuke Nojiri, Niels Provos, Ludwig.

11

DOM fuctions

Page 12: Trends in Circumventing Web-Malware Detection UTSA Moheeb Abu Rajab, Lucas Ballard, Nav Jagpal, Panayiotis Mavrommatis, Daisuke Nojiri, Niels Provos, Ludwig.

12

Malware distribution chain length

Page 13: Trends in Circumventing Web-Malware Detection UTSA Moheeb Abu Rajab, Lucas Ballard, Nav Jagpal, Panayiotis Mavrommatis, Daisuke Nojiri, Niels Provos, Ludwig.

13

Cloaking sites & 2 methods comparation

Page 14: Trends in Circumventing Web-Malware Detection UTSA Moheeb Abu Rajab, Lucas Ballard, Nav Jagpal, Panayiotis Mavrommatis, Daisuke Nojiri, Niels Provos, Ludwig.

14

2 methods comparation

Page 15: Trends in Circumventing Web-Malware Detection UTSA Moheeb Abu Rajab, Lucas Ballard, Nav Jagpal, Panayiotis Mavrommatis, Daisuke Nojiri, Niels Provos, Ludwig.

15

Page 16: Trends in Circumventing Web-Malware Detection UTSA Moheeb Abu Rajab, Lucas Ballard, Nav Jagpal, Panayiotis Mavrommatis, Daisuke Nojiri, Niels Provos, Ludwig.

16

Social Engineering is growing and poses challenges to VM-based honeypots

JavaScript obfuscation that interacts heavily with the DOM can be used to evade both Browser Emulators and AV engines.

AV Engines also suffer significantly from both false positives and false negatives.

Finally, we see a rise in IP cloaking to thwart content-based detection schemes

Summary

Page 17: Trends in Circumventing Web-Malware Detection UTSA Moheeb Abu Rajab, Lucas Ballard, Nav Jagpal, Panayiotis Mavrommatis, Daisuke Nojiri, Niels Provos, Ludwig.

17

As our analysis is based on sites rather than individual web pages, we compute theaverage value for sites on which we encounter multiple web pages in a given month.

Granularity

Page 18: Trends in Circumventing Web-Malware Detection UTSA Moheeb Abu Rajab, Lucas Ballard, Nav Jagpal, Panayiotis Mavrommatis, Daisuke Nojiri, Niels Provos, Ludwig.

UTSA

Thank You

LI XU


Shin’ichi Nojiri and Sergei D. Odintsov- Quantum evolution of Schwarzschild-de Sitter (Nariai) black holes

Shin’ichi Nojiri and Sergei D. Odintsov- Quantum evolution of Schwarzschild-de Sitter (Nariai) black holes

A Virtual Honeypot Framework Niels Provos Google, Inc. The 13th USENIX Security Symposium, August 9–13, 2004 San Diego, CA Presented by: Sean Mondesire.

A Virtual Honeypot Framework Niels Provos Google, Inc. The 13th USENIX Security Symposium, August 9–13, 2004 San Diego, CA Presented by: Sean Mondesire.

The Ghost In The Browser Analysis of Web-based Malware Niels Provos, Dean McNamee, Panayiotis Mavrommatis, Ke Wang and Nagendra Modadugu Google, Inc. The.

The Ghost In The Browser Analysis of Web-based Malware Niels Provos, Dean McNamee, Panayiotis Mavrommatis, Ke Wang and Nagendra Modadugu Google, Inc. The.

A Multifaceted Approach to Understanding the Botnet …fabian/papers/botnets.pdf · A Multifaceted Approach to Understanding the Botnet Phenomenon Moheeb Abu Rajab Jay Zarfoss Fabian

A Multifaceted Approach to Understanding the Botnet …fabian/papers/botnets.pdf · A Multifaceted Approach to Understanding the Botnet Phenomenon Moheeb Abu Rajab Jay Zarfoss Fabian

Responses of Marine Ecosystems to a Changing Climatecmore.soest.hawaii.edu/.../documents/DenmanHawaii2.pdf · Kenneth Denman, Yukihiro Nojiri, Hans Pörtner The Key Question: What

Responses of Marine Ecosystems to a Changing Climatecmore.soest.hawaii.edu/.../documents/DenmanHawaii2.pdf · Kenneth Denman, Yukihiro Nojiri, Hans Pörtner The Key Question: What

Google Technical Report provos-2008a DRAFT

Google Technical Report provos-2008a DRAFT

Study on Spherical Microlasers Levitated in an Ion Trap · I am grateful to my thesis committee members, Prof. Yoshio Inoue, Prof. Yoichi Nojiri, Prof. Masaoki Furue and Associate

Study on Spherical Microlasers Levitated in an Ion Trap · I am grateful to my thesis committee members, Prof. Yoshio Inoue, Prof. Yoichi Nojiri, Prof. Masaoki Furue and Associate

Detecting Steganographic Content on the Internet · Detecting Steganographic Content on the Internet Niels Provos Peter Honeyman Center for Information Technology Integration University

Detecting Steganographic Content on the Internet · Detecting Steganographic Content on the Internet Niels Provos Peter Honeyman Center for Information Technology Integration University

A Virtual Honeypot Framework · A Virtual Honeypot Framework Niels Provos∗ Google, Inc. niels@google.com Abstract A honeypot is a closely monitored network decoy serving several

A Virtual Honeypot Framework · A Virtual Honeypot Framework Niels Provos∗ Google, Inc. [email protected] Abstract A honeypot is a closely monitored network decoy serving several

A Multifaceted Approach to Understanding the Botnet Phenomenon Authors : Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, Andreas Terzis Computer Science.

A Multifaceted Approach to Understanding the Botnet Phenomenon Authors : Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose, Andreas Terzis Computer Science.

Search Worms, ACM Workshop on Recurring Malcode (WORM) 2006 N Provos, J McClain, K Wang Dhruv Sharma dhruvs@usc.edu.

Search Worms, ACM Workshop on Recurring Malcode (WORM) 2006 N Provos, J McClain, K Wang Dhruv Sharma [email protected].

A Virtual Honeypot Framework Author: Niels Provos Published in: CITI Report 03-1 Presenter: Tao Li.

A Virtual Honeypot Framework Author: Niels Provos Published in: CITI Report 03-1 Presenter: Tao Li.

Norita Kawanaka (KEK) Kunihito Ioka (KEK) Mihoko M. Nojiri (KEK/IPMU)

Norita Kawanaka (KEK) Kunihito Ioka (KEK) Mihoko M. Nojiri (KEK/IPMU)

A MULTIFACETED APPROACH TO UNDERSTANDING THE BOTNET PHENOMENON (2006) Jonathan Brant CAP 6135 – Spring 2010 Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose,

A MULTIFACETED APPROACH TO UNDERSTANDING THE BOTNET PHENOMENON (2006) Jonathan Brant CAP 6135 – Spring 2010 Moheeb Abu Rajab, Jay Zarfoss, Fabian Monrose,

Koji TSUMURA (NTU Nagoya U.) - KEKresearch.kek.jp/people/nojiri/shingakujyutu/Tsumura.pdf · Koji Tsumura (ntu) POwLHC Comments: Due to the many sources of missing momenta, mass reconstruction

Koji TSUMURA (NTU Nagoya U.) - KEKresearch.kek.jp/people/nojiri/shingakujyutu/Tsumura.pdf · Koji Tsumura (ntu) POwLHC Comments: Due to the many sources of missing momenta, mass reconstruction

Final Summary Report CVR No. 48233511€¦ · • Mr. Mohamed Essam • Eng. Ahmed Mostafa Eng. Moheeb has been the overall coordinator of the development. System engineer Mr. Khalid

Final Summary Report CVR No. 48233511€¦ · • Mr. Mohamed Essam • Eng. Ahmed Mostafa Eng. Moheeb has been the overall coordinator of the development. System engineer Mr. Khalid

NDSS Symposium · Content Agnostic Malware Protection Moheeb Abu Rajab, Lucas Ballard, Noé Lutz, Panayiotis Mavrommatis and Niels Provos Google Safe Browsing Team. Current Situation

NDSS Symposium · Content Agnostic Malware Protection Moheeb Abu Rajab, Lucas Ballard, Noé Lutz, Panayiotis Mavrommatis and Niels Provos Google Safe Browsing Team. Current Situation

Provos, Matteo Guarnaccia

Provos, Matteo Guarnaccia

SRUTI 2006 Practical Flood Protection (for TCP services) Martin Casado (Stanford) Aditya Akaella (U. Wisconsin Madison) Pei Cao (Stanford) Niels Provos.

SRUTI 2006 Practical Flood Protection (for TCP services) Martin Casado (Stanford) Aditya Akaella (U. Wisconsin Madison) Pei Cao (Stanford) Niels Provos.

Detecting Steganographic Content on the Internetciti.umich.edu/u/provos/papers/detecting.pdf · Watermarking and steganography differ in another important way: while steganographic

Detecting Steganographic Content on the Internetciti.umich.edu/u/provos/papers/detecting.pdf · Watermarking and steganography differ in another important way: while steganographic