A Crawler-based Study of Spyware on the Web
A. Moshchuk, T. Bragin, S. D. Gribble, H. M. Levy, NDSS 2006
Presented by Justin Miller on 3/6/07
A Quick Joke…
"I caught a little of that computer virus that's been going around… I haven't been myself since"
(cartoon, www.CartoonStock.com)
Overview
User visits website -> Web spyware infects computer -> Computer is unhappy
Background
- Earlier spyware study: 80% of AOL users infected; 93 known spyware components
- Goals of this paper:
  - Locate spyware on the Internet
  - Gather Internet spyware statistics
  - Quantitative analysis of spyware-laden content on the Web
Outline
- What is spyware?
- Crawling the web
  - Web executables
  - Drive-by downloads
- Results
- Improvements
Definition
- Spyware: software that collects personal information about users without the user's knowledge
- Spyware techniques:
  - Log keystrokes
  - Collect web history
  - Scan documents on the hard disk
Types of Spyware
- Spyware-infected executables, identified by Content-Type header or URL extension
- Drive-by downloads: malicious web content that produces event triggers when rendered
Part I: Executable files
- Finding executables
  - Content-Type (HTTP header) indicates an executable
  - URL ends in .exe, .cab, or .msi
- Hidden executables
  - Embedded in an archive file (.zip)
  - URL hidden in JavaScript
- Missed executables
  - Hidden URL on a dynamic page
Part I: Executable files (continued)
- Download, install, and run each executable in a clean VM
- A tool automates the installer framework: accepts EULA agreements, clicks radio buttons and check boxes
- Analyze the result with Ad-Aware; its log identifies the spyware program
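The executable-finding heuristics on the two Part I slides, written out as an added example (this is not the paper's crawler code). It classifies a fetched resource by URL extension, by Content-Type header, by an executable embedded in a .zip, and by an executable URL hidden in a JavaScript string, and it shows the "missed executable" case where a download sits behind a dynamic URL with no visible extension. The MIME-type list, the Content-Disposition check, the JavaScript regex, and all sample URLs, headers and bodies are assumptions constructed for the example; the paper only says "Content-Type header" and "URL extension".

```python
"""Added example: candidate-executable detection as sketched on the Part I slides.
Not the paper's code; MIME list, regex, and samples are assumptions."""
import io
import re
import zipfile
from urllib.parse import urlparse

EXEC_EXTENSIONS = (".exe", ".cab", ".msi")          # from the slides

# Assumed: MIME types a crawler would treat as Windows executables.
EXEC_MIME_TYPES = {
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/vnd.microsoft.portable-executable",
    "application/x-msi",
    "application/vnd.ms-cab-compressed",
}

# Assumed heuristic for "URL hidden in JavaScript": any quoted string
# literal in script/HTML content that ends in an executable extension.
JS_EXEC_URL_RE = re.compile(r"""["']([^"'\s]+\.(?:exe|cab|msi))["']""", re.IGNORECASE)


def url_has_exec_extension(url):
    return urlparse(url).path.lower().endswith(EXEC_EXTENSIONS)


def header_is_executable(headers):
    """headers is a dict with canonical header names (assumption)."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype in EXEC_MIME_TYPES:
        return True
    # A generic octet-stream can still name an .exe via Content-Disposition.
    disp = headers.get("Content-Disposition", "").lower()
    m = re.search(r'filename="?([^";]+)', disp)
    return m is not None and m.group(1).strip().endswith(EXEC_EXTENSIONS)


def zip_contains_executable(body):
    """Return names of executable members if body is a zip archive."""
    if not body.startswith(b"PK\x03\x04"):
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXTENSIONS)]
    except zipfile.BadZipFile:
        return []


def exec_urls_in_script(text):
    return JS_EXEC_URL_RE.findall(text)


def classify(url, headers, body):
    """Reasons this resource deserves the VM install + Ad-Aware check.
    An empty list means the crawler skips it; that is the 'missed
    executable' case when the .exe is only reachable via a dynamic page."""
    reasons = []
    if url_has_exec_extension(url):
        reasons.append("url-extension")
    if header_is_executable(headers):
        reasons.append("content-type")
    for name in zip_contains_executable(body):
        reasons.append("zip-embedded:" + name)
    ctype = headers.get("Content-Type", "").lower()
    if "javascript" in ctype or "html" in ctype:
        for u in exec_urls_in_script(body.decode("latin-1", "replace")):
            reasons.append("js-hidden:" + u)
    return reasons


def _constructed_zip_with_exe():
    """Constructed sample archive with a fake installer inside."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("installer.exe", b"MZ" + bytes(16))
    return buf.getvalue()


# Constructed sample fetches (hostnames and contents are made up).
SAMPLES = {
    "plain": ("http://dl.example.test/setup.exe",
              {"Content-Type": "application/x-msdownload"}, b"MZ" + bytes(16)),
    "dynamic": ("http://dl.example.test/get.php?id=7",
                {"Content-Type": "application/octet-stream",
                 "Content-Disposition": 'attachment; filename="codec_pack.exe"'},
                b"MZ" + bytes(16)),
    "zip": ("http://dl.example.test/bundle.zip",
            {"Content-Type": "application/zip"}, _constructed_zip_with_exe()),
    "script": ("http://www.example.test/page.html",
               {"Content-Type": "text/html; charset=utf-8"},
               b'<script>var u = "http://cdn.example.test/dl/toolbar.exe"; window.location = u;</script>'),
    # Download behind a dynamic link with no extension: nothing fires.
    "missed": ("http://www.example.test/dl", {"Content-Type": "text/html"},
               b'<a href="/dl?file=1">Download</a>'),
}


def demo():
    return {name: classify(*args) for name, args in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name:8s} -> {reasons}")
```

The "missed" sample is the point of the third slide bullet: a crawler that only looks at extensions and headers never fetches the real binary behind `/dl?file=1`, so the paper's counts are a lower bound.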
Web Crawling
- Heritrix open-source Web crawler
- Searched 2,500+ web sites: c|net's download.com for downloadable executables, plus randomly selected web sites
- Google keyword search, crawl depth of 3 links
- Finds .exe files hosted on separate Web servers
Changing Spyware Environment
- 2 separate crawls, May and October 2005, each from a generated list of crawling seeds
- The most recent anti-spyware program was used for each crawl, so the October crawl detects more spyware
Executable Results
- 2 separate crawls: May 2005 – 18 million URLs; Oct 2005 – 22 million URLs
- No appreciable change in spyware; one site dropped its number of infected executables
Executable Results
- Overall spyware: 3.8% in May 2005, 4.4% in Oct 2005
- Individual programs: 82 in May 2005, 89 in Oct 2005
Infected Executables (chart comparing May 2005 and October 2005; values not recoverable from the transcript)
Web Categories (chart: web categories infected with spyware)
Spyware Functions
- Spyware-infected executables contain various spyware functions
- A single executable may have multiple functions
Spyware Upgrades
- Spyware-infected executables may have multiple spyware functions
- 1,294 infected .exe files found in Oct 2005: 880 detected, 414 variants
Blacklisting Spyware
- Block clients from accessing listed sites, enforced by a firewall or proxy
- Blacklisting is ineffective
Part II: Drive-by Downloads
- Spyware installed just by visiting a web page; JavaScript embedded in the HTML
- Modifies files, system settings, and the registry
- Detection method: render web pages with an unmodified browser and watch for side effects
Event Triggers for DB-DLs
- An event occurs that matches a trigger
- Trigger conditions:
  - Process creation
  - File activity (creation)
  - Suspicious process (file modification)
  - Registry file modified
  - Browser/OS crash
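The trigger conditions listed above, implemented as an added example (not the paper's instrumentation): the guest VM state is snapshotted before and after rendering one URL, and the diff is checked for each condition. The snapshot layout, the allow-list of paths and registry keys a browser writes on every page load, and the three constructed scenarios (a clean page, a drive-by page, a page that crashes the browser) are assumptions made for the example; the paper does not describe how it filtered benign browser activity.

```python
"""Added example: snapshot-diff event triggers for drive-by download detection.
Not the paper's code; snapshot format, allow-lists, and scenarios are assumed."""
from dataclasses import dataclass


@dataclass
class Snapshot:
    """Guest state captured before/after rendering a URL (assumed layout).
    files maps path -> content hash; registry maps key -> value."""
    processes: set
    files: dict
    registry: dict
    browser_running: bool = True


# Assumed allow-list: locations a browser writes on every page load.
# Without it every URL would trip the file/registry triggers.
BENIGN_PATH_PREFIXES = (
    r"c:\documents and settings\user\local settings\temporary internet files",
    r"c:\documents and settings\user\cookies",
)
BENIGN_REGISTRY_PREFIXES = (
    r"hkcu\software\microsoft\internet explorer\typedurls",
)


def _benign(name, prefixes):
    return name.lower().startswith(prefixes)


def detect_triggers(before, after, browser="iexplore.exe"):
    """Return (condition, subject) pairs; empty list means no trigger fired."""
    triggers = []
    for proc in sorted(after.processes - before.processes):      # process creation
        if proc.lower() != browser:
            triggers.append(("process-created", proc))
    for path, digest in after.files.items():
        if _benign(path, BENIGN_PATH_PREFIXES):
            continue
        if path not in before.files:                              # file activity
            triggers.append(("file-created", path))
        elif before.files[path] != digest:                        # suspicious modification
            triggers.append(("file-modified", path))
    for key, value in after.registry.items():
        if _benign(key, BENIGN_REGISTRY_PREFIXES):
            continue
        if key not in before.registry or before.registry[key] != value:
            triggers.append(("registry-modified", key))          # registry modified
    if before.browser_running and not after.browser_running:     # browser crash
        triggers.append(("browser-crash", browser))
    return triggers


# Constructed baseline of a clean guest, taken before the page is rendered.
CLEAN = Snapshot(
    processes={"explorer.exe", "iexplore.exe"},
    files={r"c:\windows\system32\drivers\etc\hosts": "sha1:aaaa"},
    registry={r"hkcu\software\microsoft\internet explorer\typedurls\url1": "http://www.example.test/"},
)


def after_benign_page():
    """Only cache and TypedURLs changed: normal browsing, no trigger."""
    return Snapshot(
        processes=set(CLEAN.processes),
        files={**CLEAN.files,
               r"c:\documents and settings\user\local settings\temporary internet files\content.ie5\x1\index[1].htm": "sha1:bbbb"},
        registry={**CLEAN.registry,
                  r"hkcu\software\microsoft\internet explorer\typedurls\url1": "http://benign.example.test/"},
    )


def after_drive_by_page():
    """Constructed drive-by outcome: new process, new DLL, hosts file rewritten, Run key added."""
    return Snapshot(
        processes=CLEAN.processes | {"svchost32.exe"},
        files={
            r"c:\windows\system32\drivers\etc\hosts": "sha1:cccc",
            r"c:\windows\system32\spyhook.dll": "sha1:dddd",
            r"c:\documents and settings\user\local settings\temporary internet files\content.ie5\x1\dl[1].htm": "sha1:eeee",
        },
        registry={**CLEAN.registry,
                  r"hkcu\software\microsoft\windows\currentversion\run\spyupdater": r"c:\windows\system32\svchost32.exe"},
    )


def after_crashed_browser():
    """Page killed the browser process: only the crash trigger fires."""
    s = after_benign_page()
    s.processes.discard("iexplore.exe")
    s.browser_running = False
    return s


def demo():
    return {
        "benign": detect_triggers(CLEAN, after_benign_page()),
        "drive_by": detect_triggers(CLEAN, after_drive_by_page()),
        "crash": detect_triggers(CLEAN, after_crashed_browser()),
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:9s} -> {hits}")
```

A trigger firing only shows that the page tried something; whether it counts as an attempted or a successful drive-by depends on how the security prompts were answered, which is the cfg_y/cfg_n distinction made later in the talk.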
Complex Web Content
- "Time bomb" attack: speed up the virtual time of the guest OS
- JavaScript that runs when the page closes: fetch a clean URL before closing
- Pop-up windows: allow all of them to open before closing
IE Browser Configuration
- Two configurations for security-related IE dialog boxes: cfg_y (prompts accepted) and cfg_n (prompts declined)
Drive-by Results
- 3 web crawls: May 2005 – 45K URLs; Oct 2005 – same URLs; Oct 2005 – new URLs
- Decrease in infectious URLs, increase in unique spyware programs
Drive-by Results (chart)
Origin of Drive-by DLs
- Top 6 web categories (IE): pirate sites, celebrity, music, adult, games, wallpaper
Spyware Top 10 (two tables: May 2005 and October 2005 rankings; entries not recoverable from the transcript)
Spyware Trends
- Decline in the total number of spyware programs, attributed to:
  - Increase of anti-spyware tools
  - Automated patch installation
  - Lawsuits against spyware distributors
IE vs Firefox Security
Drive-by results by browser and dialog configuration:
Browser                 cfg_y (prompts accepted)   cfg_n (prompts declined)
Internet Explorer v6    186                        92
Firefox v1.0.6          36                         0
Drive-by Summary
- Performed 3 URL crawls
- Reduction in the % of domains hosting DB-DLs
- A small number of domains host the majority of infectious links
- Drive-by DLs attempted in 0.4% of URLs; drive-by attacks in 0.2% of URLs
Strengths
- Analysis method studies the density of spyware on the Web and produces spyware trends over time
- Calculated the frequency of spyware on the Web
- Distinguished security prompts (answered y/n)
- Found 14% of spyware is malicious; the density of spyware is substantial
Weaknesses
- Missed executables: URLs hidden in JavaScript or on dynamic pages
- Limited by what Ad-Aware is able to detect
- Method weakness: different anti-spyware program versions in May and October
- Did not crawl the entire Web
- Cannot relate the density of spyware on the Web to the presence of threats on desktops
Improvements
- Test multiple browsers
- Additional anti-spyware programs
- Crawl more URLs
- Find geographic patterns of hosts
Questions?
Ask me!
Reasons to ask questions:
- Class discussion is 20% of your grade
- You can't leave until 5:45 anyway
- Of the two of us, I'm probably the only one that read the entire paper (except Dr. Zou)