A Crawler-based Study of Spyware on the Web A.Moshchuk, T.Bragin, D.Gribble, M.Levy NDSS, 2006 * Presented by Justin Miller on 3/6/07.


A Quick Joke… “I caught a little of that computer virus that’s been going around… I haven’t been myself since”

Overview vs. User visits website Web spyware infects computer Computer is unhappy

Background Spyware study Infected 80% of AOL users 93 spyware components (known) Goals Locate spyware on the internet Gather Internet spyware statistics Quantitative analysis of spyware-laden content on the web

Outline What is spyware? Crawling the web Web executables Drive-by downloads Results Improvements

Definition Spyware – software that collects personal information about users No user knowledge Spyware techniques: Log keystrokes Collect web history Scan documents on hard disk

Types of Spyware Spyware-infected executables Content-type header URL extension Drive-by downloads Malicious web content Produce event triggers

Part I: Executable files. Finding executables: Content-type (HTTP header) contains .exe; URL contains .exe, .cab, or .msi. Hidden executables: embedded file (.zip); URL hidden in JavaScript. Missed executables: hidden URL on dynamic page.
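The discovery rules on this slide, written out as an added Python example (not code from the paper or the presentation). It assumes "URL contains" means the extension of the URL path and that embedded files are found by unpacking the .zip body; the URLs and archive contents are constructed samples.

```python
import io
import zipfile
from urllib.parse import urlsplit

URL_EXTS = (".exe", ".cab", ".msi")  # extensions named on the slide

def find_executables(url, content_type, body=b""):
    """Return the reasons a crawled response counts as an executable candidate."""
    reasons = []
    path = urlsplit(url).path.lower()  # query string and fragment are ignored
    if ".exe" in content_type.lower():
        reasons.append("content-type")
    if path.endswith(URL_EXTS):  # assumption: match on the path's extension
        reasons.append("url-extension")
    # Hidden executable: look inside the archive instead of trusting its name.
    if zipfile.is_zipfile(io.BytesIO(body)):
        with zipfile.ZipFile(io.BytesIO(body)) as zf:
            inner = [n for n in zf.namelist() if n.lower().endswith(URL_EXTS)]
        if inner:
            reasons.append("embedded:" + ",".join(sorted(inner)))
    return reasons

def sample_zip():
    """Build a constructed archive in memory so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "constructed sample")
        zf.writestr("bin/Setup.EXE", b"constructed placeholder bytes")
    return buf.getvalue()

# Constructed crawl results: (url, Content-Type header, response body)
SAMPLES = [
    ("http://downloads.example/tool.exe?mirror=2", "application/octet-stream", b""),
    ("http://downloads.example/get?id=7", 'application/octet-stream; name="tool.exe"', b""),
    ("http://downloads.example/bundle.zip", "application/zip", sample_zip()),
    # The "missed" case: the download URL only exists once the script runs.
    ("http://downloads.example/page.html", "text/html", b"<script>/* URL built at run time */</script>"),
]

if __name__ == "__main__":
    for url, ctype, body in SAMPLES:
        print(url, "->", find_executables(url, ctype, body) or "not detected")
```

The last sample returns no reasons, which is the gap the slide lists under missed executables.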

Part I: Executable files DL, install, run in a clean VM Tool to automate installer framework EULA agreements Radio buttons and check boxes Analyze file Ad-Aware software Log identifies spyware program

Web Crawling Heritrix public domain Web crawler Search 2,500+ web sites c|net’s download.com for DL executables Randomly selected web sites Google keyword search Depth of 3 links Find .exe hosted on separate Web servers

Changing Spyware Environment 2 separate program crawls May, October 2005 Generated list of crawling seeds Most recent anti-spyware program used October crawl detects more vulnerabilities

Executable Results 2 separate program crawls May 2005 – 18 million URLs Oct 2005 – 22 million URLs No appreciable change in spyware One site dropped # of infected executables

Executable Results Overall spyware 3.8% in May % in Oct 2005 Individual programs 82 in May in Oct 2005

Infected Executables May 2005 / October 2005

Web Categories Web categories infected with spyware

Spyware Functions Spyware-infected executables Contain various spyware functions Executables may have multiple functions

Spyware Upgrades Spyware-infected executables May have multiple spyware functions 1,294 infected .exe found in Oct detected 414 variants

Blacklisting Spyware Block clients from accessing listed sites Done by firewall or proxy Blacklisting is ineffective

Part II: Drive-by Downloads Spyware from visiting a web page Javascript embedded in HTML Modifies files System/registry Render web pages with unmodified browser

Event Triggers for DB-DLs. Event occurs that matches a trigger. Trigger conditions: process creation; file activity (creation); suspicious process (file modification); registry file modified; browser/OS crash.
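The trigger conditions above, applied to a constructed event log from one page visit, as an added Python example (not the study's code). The event tuple format, the browser process name, the cache path, and the rule that a process spawned during the visit counts as suspicious are all assumptions made for illustration.

```python
BROWSER = "iexplore.exe"                  # assumed browser process name
EXPECTED_DIRS = ("c:\\browser-cache\\",)  # hypothetical path the browser normally writes to

def fired_triggers(events):
    """Map (kind, process, target) events to the slide's trigger conditions."""
    fired = set()
    spawned = set()  # processes created during the visit are treated as suspicious
    for kind, proc, target in events:
        proc, target = proc.lower(), target.lower()
        if kind == "proc_create":
            spawned.add(target)
            fired.add("process creation")
        elif kind == "file_create":
            # Baseline: the browser writing into its own cache is expected noise.
            if not (proc == BROWSER and target.startswith(EXPECTED_DIRS)):
                fired.add("file creation")
        elif kind == "file_modify" and proc in spawned:
            fired.add("suspicious process modified file")
        elif kind == "reg_write":
            fired.add("registry modified")
        elif kind == "crash":
            fired.add("browser/OS crash")
    return fired

# Constructed logs: a benign visit and a visit that drops and runs a file.
CLEAN = [("file_create", "iexplore.exe", "C:\\browser-cache\\img1.gif")]
DRIVE_BY = [
    ("file_create", "iexplore.exe", "C:\\browser-cache\\page.htm"),
    ("file_create", "iexplore.exe", "C:\\constructed\\helper.exe"),
    ("proc_create", "iexplore.exe", "helper.exe"),
    ("file_modify", "helper.exe", "C:\\constructed\\settings.ini"),
    ("reg_write", "helper.exe", "HKLM\\Software\\ConstructedKey"),
]

if __name__ == "__main__":
    for name, log in (("clean", CLEAN), ("drive-by", DRIVE_BY)):
        print(name, "->", sorted(fired_triggers(log)) or "no trigger")
```

Without the cache baseline every rendered page would fire the file-creation trigger, so the allowlist is what keeps the clean visit quiet.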

Complex Web Content “Time Bomb” attack Speed up virtual time of guest OS JavaScript when page closes Fetch a clean URL before closing Pop-up windows Allow all to open before closing

IE Browser Configuration Security-related IE dialog boxes

Drive-by Results 3 web crawls May 2005 – 45K URLs Oct 2005 – Same URLs Oct 2005 – New URLs Decrease in infectious URLs Increase in unique spyware programs

Drive-by Results

Origin of Drive-by DLs Top 6 web categories (IE): Pirate sites Celebrity Music Adult Games Wallpaper

Spyware Top 10 May 2005 / October 2005

Spyware Top 10 May 2005 / October 2005

Spyware Trends Decline in total # of spyware programs Increase of anti-spyware tools Automated patch installations Lawsuits against spyware distributors

IE vs Firefox Security Internet Explorer v cfg_y 92 - cfg_n Firefox v cfg_y 0 - cfg_n

Drive-by Summary Performed 3 URL crawls Reduction in % of domains hosting DB-DLs Small # of domains host majority of infectious links Drive-by DLs attempted in 0.4% of URLs Drive-by attacks in 0.2% of URLs

Strengths Analysis method Studies density of spyware on the Web Produces spyware trends over time Calculated frequency of spyware on web Distinguished security prompts (y/n) Found 14% of spyware is malicious Density of spyware is substantial

Weaknesses Missed executables URL hidden in JavaScript, dynamic page Limited by what Ad-Aware is able to detect Method weakness Different anti-spyware programs (May/Oct) Did not crawl entire web Cannot relate density of spyware on the Web and the presence of threats on desktops

Improvements Test multiple browsers Additional anti-spyware programs Crawl more URLs Find geographic patterns of hosts

Questions? Ask me! Reasons to ask questions: Class discussion is 20% of your grade You can’t leave until 5:45 anyway Of the two of us, I’m probably the only one that read the entire paper (except Dr. Zou)