TRANSCRIPT
Trends in Circumventing Web-Malware Detection
UTSA
Moheeb Abu Rajab, Lucas Ballard, Nav Jagpal, Panayiotis Mavrommatis, Daisuke Nojiri, Niels Provos, Ludwig Schmidt
Presented by Li Xu
2
Detecting Malicious Web Sites
Which pages are safe URLs for end users?
• Safe URL?
• Web exploit?
• Spam-advertised site?
• Phishing site?
URL = Uniform Resource Locator
http://www.bfuduuioo1fp.mobi/ws/ebayisapi.dll
http://fblight.com
http://mail.ru
http://www.sigkdd.org/kdd2009/index.html
This slide is adapted from Justin Ma’s slides.
3
Problem in a Nutshell
Different classes of URLs: benign, spam, phishing, exploits, scams... For now, distinguish benign vs. malicious.
facebook.com fblight.com
This slide is adapted from Justin Ma’s slides.
4
State of the Practice
Current approaches
• Virtual Machine Honeypots
• Browser Emulation
• Reputation Based Detection
• Signature Based Detection
Arms race
How do adversaries respond, and what techniques have been used to bypass detection?
5
Google System
6
Data Collection
Data Set I is the data generated by our operational pipeline, i.e., the output of PageScorer. It was generated by processing ∼1.6 billion distinct web pages collected between December 1, 2006 and April 1, 2011.
Data Set II is a sample of pages from Data Set I: the pages flagged as suspicious plus 1% of the other “non-suspicious” pages, chosen uniformly at random from the same time period. The original HTTP responses were rescored with a fixed version of PageScorer.
7
8
Attacks on client honeypot
9
Exploits encountered on the web
10
JavaScript function calls
11
DOM functions
12
Malware distribution chain length
13
Cloaking sites and comparison of the two methods
14
Comparison of the two methods
15
16
Summary
• Social engineering is growing and poses challenges to VM-based honeypots.
• JavaScript obfuscation that interacts heavily with the DOM can be used to evade both browser emulators and AV engines.
• AV engines also suffer significantly from both false positives and false negatives.
• Finally, we see a rise in IP cloaking to thwart content-based detection schemes.
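The second summary point, DOM-dependent JavaScript obfuscation, as an added example that is not code from the paper or from these slides. The key text, the payload, the page markup and the two stand-in "DOM" objects (a full browser DOM and a thin emulator that never builds an element tree) are all constructed here so the script runs in Node without a browser; real obfuscators and emulators are more elaborate, but the failure mode is the same.

```javascript
// Added example for this summary; it is not code from the paper or the slides.
// It models obfuscated JavaScript whose decoding depends on DOM state, the evasion
// the second bullet describes. KEY, PLAIN, the page markup and both "DOM" objects are
// constructed so the example runs in Node without a browser.

const KEY = 'c0nstructed';                      // constructed key, placed in the page markup
const PLAIN = 'alert("constructed payload");';  // constructed stand-in for an exploit script

// XOR-with-key hex encoding, the kind of trivial cipher obfuscators use.
function encodePayload(plain, key) {
  let hex = '';
  for (let i = 0; i < plain.length; i++) {
    const c = plain.charCodeAt(i) ^ key.charCodeAt(i % key.length);
    hex += c.toString(16).padStart(2, '0');
  }
  return hex;
}

// The "page script". The key is read from a hidden element and the ciphertext from
// a body attribute, so the script text alone (what a signature scanner sees) holds
// neither key nor plaintext, and a DOM that cannot answer getElementById yields nothing.
function decodePayload(doc) {
  const keyEl = doc.getElementById('k');
  const key = keyEl ? keyEl.innerHTML : '';
  const hex = doc.body.getAttribute('data-p') || '';
  if (!key || !hex) return '';                  // incomplete DOM: fail closed, leaving no trace
  let out = '';
  for (let i = 0; i < hex.length; i += 2) {
    const c = parseInt(hex.slice(i, i + 2), 16);
    out += String.fromCharCode(c ^ key.charCodeAt((i / 2) % key.length));
  }
  return out;
}

// Stand-in for a full browser DOM: parses <div id="..">text</div> elements and body attributes.
function fullDom(html) {
  const elements = {};
  const divRe = /<div id="([^"]+)"[^>]*>([^<]*)<\/div>/g;
  let m;
  while ((m = divRe.exec(html)) !== null) elements[m[1]] = { innerHTML: m[2] };
  const bodyAttrs = {};
  const bodyTag = /<body([^>]*)>/.exec(html);
  if (bodyTag) {
    const attrRe = /([\w-]+)="([^"]*)"/g;
    let a;
    while ((a = attrRe.exec(bodyTag[1])) !== null) bodyAttrs[a[1]] = a[2];
  }
  return {
    body: { getAttribute: (name) => (name in bodyAttrs ? bodyAttrs[name] : null) },
    getElementById: (id) => elements[id] || null,
  };
}

// Stand-in for a thin browser emulator: it runs the script and exposes body attributes,
// but never builds an element tree, so getElementById always returns null.
function thinEmulator(html) {
  return { body: fullDom(html).body, getElementById: () => null };
}

// Constructed page: ciphertext in a body attribute, key in a hidden div, script inline.
function buildPage(key, payloadHex) {
  return '<html><body data-p="' + payloadHex + '">' +
         '<div id="k" style="display:none">' + key + '</div>' +
         '<script>/* decodePayload(document) would run here */</script>' +
         '</body></html>';
}

// Same page, two environments: the browser reaches the payload, the emulator sees nothing.
function demoDomObfuscation() {
  const html = buildPage(KEY, encodePayload(PLAIN, KEY));
  return {
    inBrowser: decodePayload(fullDom(html)),       // equals PLAIN
    inEmulator: decodePayload(thinEmulator(html)), // ''
  };
}
```

The point for a detector is that the decoder does not crash in the emulator; it simply produces nothing, so the emulator sees a harmless page. An emulator has to model enough of the DOM (elements, attributes, document.write output) for the script to take the same path it takes in a real browser, and a signature scanner that only inspects the script text never sees the plaintext at all.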
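The last summary point, IP cloaking, as an added example that is not code from the paper or from these slides. It models a server that returns a benign page to requests from address ranges it treats as scanners and the exploit page to everyone else, together with the basic counter-check of fetching the same URL from several vantage points and comparing the responses. The "scanner" ranges are RFC 5737 documentation blocks, the vantage points and page bodies are constructed, and exploit.example uses a reserved name; none of them is a real scanner or site.

```javascript
// Added example for this summary; it is not code from the paper or the slides.
// It models the IP cloaking the last bullet describes, and the basic counter-check of
// fetching one URL from several vantage points. SCANNER_RANGES uses documentation
// address blocks, VANTAGE_POINTS and both page bodies are constructed, and
// exploit.example is a reserved name; none of them is a real scanner or site.

// "a.b.c.d" -> unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split('.').reduce((acc, octet) => ((acc << 8) | Number(octet)) >>> 0, 0);
}

// "a.b.c.d/n" -> { base, mask } as unsigned 32-bit integers.
function parseCidr(cidr) {
  const [addr, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return { base: (ipToInt(addr) & mask) >>> 0, mask };
}

function inCidr(ip, range) {
  return ((ipToInt(ip) & range.mask) >>> 0) === range.base;
}

// Ranges a cloaking site might treat as "scanner" space (constructed; RFC 5737 blocks).
const SCANNER_RANGES = ['192.0.2.0/24', '198.51.100.0/24'].map(parseCidr);

const BENIGN_PAGE = '<html><body><h1>Welcome to our store</h1></body></html>';
const MALICIOUS_PAGE = '<html><body><script src="//exploit.example/x.js"></script></body></html>';

// Cloaking server: the content depends on who is asking, not on the URL.
function cloakedResponse(clientIp) {
  const looksLikeScanner = SCANNER_RANGES.some((r) => inCidr(clientIp, r));
  return looksLikeScanner ? BENIGN_PAGE : MALICIOUS_PAGE;
}

// Short fingerprint of a response body (FNV-1a, 32-bit) so reports stay compact.
function fingerprint(text) {
  let h = 0x811c9dc5;
  for (let i = 0; i < text.length; i++) {
    h ^= text.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, '0');
}

// Detection side: fetch the same URL from every vantage point and flag disagreement.
// fetchAs(ip) stands in for an HTTP fetch whose source address is ip.
function detectCloaking(fetchAs, vantagePoints) {
  const results = vantagePoints.map((ip) => ({ ip, fingerprint: fingerprint(fetchAs(ip)) }));
  const distinct = new Set(results.map((r) => r.fingerprint));
  return { cloaked: distinct.size > 1, results };
}

// Constructed vantage points: one inside a "scanner" range, one outside.
const VANTAGE_POINTS = ['192.0.2.10', '203.0.113.5'];

function demoCloaking() {
  return detectCloaking(cloakedResponse, VANTAGE_POINTS);   // cloaked: true
}
```

Two practical caveats follow from the code. The check only works when at least one vantage point falls outside the ranges the site has classified as scanners; fetching from two addresses the site both treats as scanners returns identical benign pages and flags nothing. And many legitimate sites vary per request (ad slots, session identifiers, timestamps), so a production comparison normalizes the bodies or compares script and link structure rather than raw bytes, or it will report cloaking that is not there.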
17
Granularity
As our analysis is based on sites rather than individual web pages, we compute the average value for sites on which we encounter multiple web pages in a given month.
UTSA
Thank You
LI XU