All iFRAMEs Point to US
Niels Provos and Panayiotis Mavrommatis, Google Inc.
Moheeb Abu Rajab and Fabian Monrose, Johns Hopkins University
17th USENIX Security Symposium
1 / 22
Introduction [1/3]
The WWW is a criminal's preferred pathway for spreading malware.
Two kinds of web-malware delivery:
Social engineering
Drive-by download: URLs that attempt to exploit their visitors and cause malware to be installed and run automatically.
Introduction [2/3]
Drive-by download
Via iFRAMEs
Scripts exploit the browser and trigger downloads
Introduction [3/3]
Drive-by download: landing site (cafe.naver.com) to distribution site (www.malware.com)
Infrastructure and Methodology [1/4]
Workflow
Infrastructure and Methodology [2/4]
Pre-processing phase: inspect URLs from the repository and identify the ones that trigger drive-by downloads.
MapReduce and machine-learning framework
Pre-processes a billion pages daily; chooses 1 million URLs for the verification phase.
Infrastructure and Methodology [3/4]
Verification phase: large-scale web honeynet
Runs a large number of MS Windows images in VMs
Unpatched version of Internet Explorer; multiple anti-virus engines
Loads a clean Windows image, then visits the candidate URL
Monitors the system behavior for abnormal state changes
Infrastructure and Methodology [4/4]
Malware distribution networks: the set of malware delivery trees from all the landing sites that lead to a particular malware distribution site.
Reconstructed by inspecting the Referer header of each HTTP request.
In some cases URLs contain randomly generated strings, so a heuristics-based algorithm is applied to group them.
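One way to reconstruct delivery trees from Referer headers and group them into distribution networks, as an added Python example (not the authors' infrastructure); the request log, the hostnames and the random-token heuristic below are constructed assumptions:

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log, in arrival order: (requested URL, Referer header, served a binary?).
# Two landing sites reach the same distribution site through a redirector whose
# path carries a randomly generated token; a third lands on another distributor.
REQUESTS = [
    ("http://landing-a.example/index.html", None, False),
    ("http://redir.example/go/8f3a9c1e2b7d4f60", "http://landing-a.example/index.html", False),
    ("http://dist.example/x.exe", "http://redir.example/go/8f3a9c1e2b7d4f60", True),
    ("http://landing-b.example/blog", None, False),
    ("http://redir.example/go/51c0de77aa91b3e4", "http://landing-b.example/blog", False),
    ("http://dist.example/x.exe", "http://redir.example/go/51c0de77aa91b3e4", True),
    ("http://landing-c.example/", None, False),
    ("http://other-dist.example/setup.exe", "http://landing-c.example/", True),
]

# Heuristic (assumed, not the paper's): long hex or alphanumeric path components look random.
RANDOM_TOKEN = re.compile(r"^[0-9a-f]{12,}$|^[A-Za-z0-9]{16,}$")

def normalize(url):
    """Collapse randomly generated path components so equivalent chains merge (query dropped)."""
    parts = urlsplit(url)
    path = "/".join("<rnd>" if RANDOM_TOKEN.match(p) else p for p in parts.path.split("/"))
    return f"{parts.scheme}://{parts.netloc}{path}"

def delivery_chains(requests):
    """For each binary download, walk Referer links back to the landing site (the root)."""
    chains = []
    for i, (url, referer, is_binary) in enumerate(requests):
        if not is_binary:
            continue
        chain, j = [url], i
        while referer:
            chain.append(referer)
            # The referring page is the most recent earlier request for that URL.
            j = next((k for k in range(j - 1, -1, -1) if requests[k][0] == referer), None)
            if j is None:
                break  # referer never seen in the log: chain is truncated here
            referer = requests[j][1]
        chains.append([normalize(u) for u in reversed(chain)])  # landing ... distribution
    return chains

def distribution_networks(requests):
    """Group delivery chains by the distribution site host they end in."""
    nets = defaultdict(set)
    for chain in delivery_chains(requests):
        nets[urlsplit(chain[-1]).netloc].add(tuple(chain))
    return dict(nets)
```

In the sample, both landing-a and landing-b chains collapse onto the same redirector path once the random token is normalized, which is what lets them be counted as one distribution network.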
Prevalence of drive-by downloads [1/3]
Summary of collected data
Prevalence of drive-by downloads [2/3]
Geographic locality
The correlation between the location of a distribution site and the locations of its landing sites
Prevalence of drive-by downloads [3/3]
Impact on the end-users
Average 1.3%
Malicious content injection [1/2]
Web server software
A significant fraction of the landing sites were running out-of-date versions of their server software.
Malicious content injection [2/2]
Drive-by download via ads
Malicious distribution infrastructure [1/3]
The number of landing sites per distribution site
Malicious distribution infrastructure [2/3]
Properties of the malware distribution sites' IP addresses
58.* -- 61.* and 209.* -- 221.*
Malicious distribution infrastructure [3/3]
The number of unique binaries downloaded from each malware distribution site
Post Infection Impact [1/4]
The number of executables downloaded as a result of visiting a malicious URL
Average 8
Post Infection Impact [2/4]
The number of processes started after visiting a malicious URL
Post Infection Impact [3/4]
Registry changes observed after visiting 57.5% of the landing pages
Post Infection Impact [4/4]
Network activity of the virtual machine post infection
Anti-virus engine detection rates
Conclusion
Large web-scale data collection infrastructure
In-depth analysis of over 66 million URLs
Reveals that the scope of the problem is significant
Anti-virus engines are lacking in their ability to protect against drive-by downloads
Extra: Authors
Niels Provos: Senior staff engineer, Google Inc.; web-based malware, DDoS
Panayiotis Mavrommatis: Software engineer, Google Inc.; security, distributed computing
Extra: Malicious content injection [2/5]
Drive-by download via ads
Malware delivered via ads exhibits a longer delivery chain