Presentation is loading. Please wait.

Presentation is loading. Please wait.

11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang 2010/3/29.

Published byBrett Walker Modified over 9 years ago

Similar presentations

Presentation on theme: "11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang 2010/3/29."— Presentation transcript:

1 11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang Email: M98570015@mail.ntou.edu.tw 2010/3/29

2 References N. Provos, D. McNamee, P. Mavrommatis, K. Wang, and N. Modadugu, “The ghost in the browser: Analysis of web-based malware,” in Hot- Bots’07. Cambridge: Usenix, 2007. 2

3 3 Outline Introduction Detecting dangerous web pages Exploitation mechanisms Trends and statistics Conclusion

4 4 Introduction Computer users have become the target of an underground economy that  infects hosts with malware or adware for financial gain Visit to an infected web site enables the attacker to detect vulnerabilities host The paper aim is to present  the state of malware on the Web  emphasize the importance of this rising threat

5 Difference We believe that such web-based malware behavior is similar to our traditional understanding of botnets Web-based malware infections are  pull-based infection Traditional botnets that use  push-based infection 5

6 Personal computer security HTML code is then used as a vehicle Personal computer seems to be the weakest link in these transactions Usually neither  Managed  Updated Enable adversary to insert small pieces of HTML in web pages 6

7 Definition of malicious It causes the automatic installation of software without the user’s knowledge or consent. Automatic installation of a malware binary called ◦ drive-by-download 7

8 8 Analyze We do not attempt to investigate the actual behavior But rather identify the mechanisms used to introduce the software into the system via the Browser Analyzed the URSs  in-depth analysis:4.5 million URLs  450,000 URLs launching drive-by-downloads  another 700, 000 URLs that seemed malicous

9 Architecture 9

10 Four Prevalent Mechanisms Used to inject malicious content on popular web sites:  web server security  user contributed content  advertising  third-party widgets Scripting support  Javascript  Visual Basic Script  Flash 10

11 A example of insert the script 11

12 Exploit Code Obfuscation To make reverse engineering and detection harder by  popular anti-virus  web analysis tools Authors of malware try to  camouflage their code  using multiple layers of obfuscation 12

13 Change of iframe First noticed iframes in October 2006 pointing to “fdghewrtewrtyrew.biz” Switched to “wsfgfdgrtyhgfd.net” in November 2006 Then to “statrafongon. Biz” in December 2006 13

14 Tricking the User Entice users to install malware  entice users to install malware  copyrighted software or media  adult videos Click that may displaying the following message:  Windows Media Player cannot play video file. Click here to download missing Video ActiveX Object. 14

15 Malware Classification To classify the different types of malware by popular anti-virus software. We have the following malware threat families:  Trojan  Adware  Unknown/Obfuscated 15

16 Number of malware binaries 16

17 Exploitation mechanisms Adversaries try to get as many sites linking Same binary tends to be hosted on more than one server at the same time Accessible under many different URLs 17

18 Distribution of binaries across domains 18

19 One case of multiple URLs In one case, at least 412 different top- level domains were used to host a file called: ◦ open-for-instant-access-now.exe Counting the number of different URLs ◦ appeared in about 3200 different subdomains 19

20 Providers of Adware The most common providers of Adware ◦ Trymedia ◦ NewDotNet Providers typically arrives bundled with other software Offered monetary incentives for including adware in software 20

21 One interesting example This organization would pay web masters for compromising users ◦ iframemoney.org Offering $7 for every10,000 unique views Don’t accept traffic from  Russia, Ukraine,China, Japan 21

22 Malware Evolution As many anti-virus engines rely on creating signatures from malware samples Adversaries can prevent detection by changing binaries more frequently By measuring the change rate of binaries  pre-identified malicious URLs  many of the malicious URLs are too short-lived 22

23 Change rate of binaries 23

24 24 Conclusion We present the status and evolution of malware We showed that malware binary change frequently Malware binaries are often distributed across a large number of URLs and domains

25 Questions 25

26 26

Download ppt "11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang 2010/3/29."

Similar presentations

TrustPort Net Gateway Web traffic protection. WWW.TRUSTPORT.COM Keep It Secure Contents Latest security threats spam and malware Advantages of entry point.

TrustPort Net Gateway Web traffic protection. Keep It Secure Contents Latest security threats spam and malware Advantages of entry point.
Thank you to IT Training at Indiana University Computer Malware.

Thank you to IT Training at Indiana University Computer Malware.
Alex Crowell, Rutgers University Computer Science and Mathematics Advisor: Prof. Danfeng Yao, Computer Science Department.

Alex Crowell, Rutgers University Computer Science and Mathematics Advisor: Prof. Danfeng Yao, Computer Science Department.
Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.

Security and Trust in E- Commerce. The E-commerce Security Environment: The Scope of the Problem  Overall size of cybercrime unclear; amount of losses.
CHAPTER 2 KNOW YOUR VILLAINS. Who writes it: Malware writers vary in age, income level, location, social/peer interaction, education level, likes, dislikes.

CHAPTER 2 KNOW YOUR VILLAINS. Who writes it: Malware writers vary in age, income level, location, social/peer interaction, education level, likes, dislikes.
AVG- Protecting those who are vulnerable.  Free Anti-Virus Software ◦ J.R. Smith President of AVG oversees a lineup of antivirus products used by 110.

AVG- Protecting those who are vulnerable.  Free Anti-Virus Software ◦ J.R. Smith President of AVG oversees a lineup of antivirus products used by 110.
3 Section C: Installing Software and Upgrades  Web Apps  Mobile Apps  Local Applications  Portable Software  Software Upgrades and Updates  Uninstalling.

3 Section C: Installing Software and Upgrades  Web Apps  Mobile Apps  Local Applications  Portable Software  Software Upgrades and Updates  Uninstalling.
Threat Overview: The Italian Job / HTML_IFRAME.CU June 18, 2007.

Threat Overview: The Italian Job / HTML_IFRAME.CU June 18, 2007.
Content  Overview of Computer Networks (Wireless and Wired)  IP Address, MAC Address and Workgroups  LAN Setup and Creating Workgroup  Concept on.

Content  Overview of Computer Networks (Wireless and Wired)  IP Address, MAC Address and Workgroups  LAN Setup and Creating Workgroup  Concept on.
Threats To A Computer Network

Threats To A Computer Network
Web Based Attacks SymantecDefense Fantastic Four Casey Ford Mike Lombardo Ragnar Olson Maninder Singh.

Web Based Attacks SymantecDefense Fantastic Four Casey Ford Mike Lombardo Ragnar Olson Maninder Singh.
Malicious Attacks. Introduction Commonly referred to as: malicious software/ “malware”, computer viruses Designed to enter computers without the owner’s.

Malicious Attacks. Introduction Commonly referred to as: malicious software/ “malware”, computer viruses Designed to enter computers without the owner’s.
LittleOrange Internet Security an Endpoint Security Appliance.

LittleOrange Internet Security an Endpoint Security Appliance.
LEARN THE QUICK AND EASY WAY! VISUAL QUICKSTART GUIDE HTML and CSS 8th Edition Chapter 21: Publishing Your Pages on the Web.

LEARN THE QUICK AND EASY WAY! VISUAL QUICKSTART GUIDE HTML and CSS 8th Edition Chapter 21: Publishing Your Pages on the Web.
Quiz Review.

Quiz Review.
Lesson 46: Using Information From the Web copy and paste information from a Web site print a Web page download information from a Web site customize Web.

Lesson 46: Using Information From the Web copy and paste information from a Web site print a Web page download information from a Web site customize Web.
Trend Micro Deployment Kelvin Hwang IT Services University of Windsor.

Trend Micro Deployment Kelvin Hwang IT Services University of Windsor.
Chapter Nine Maintaining a Computer Part III: Malware.

Chapter Nine Maintaining a Computer Part III: Malware.
SHASHANK MASHETTY Email security. Introduction Electronic mail most commonly referred to as email or e- mail. Electronic mail is one of the most commonly.

SHASHANK MASHETTY security. Introduction Electronic mail most commonly referred to as or e- mail. Electronic mail is one of the most commonly.
Internet Safety Basics Being responsible -- and safer -- online Visit age-appropriate sites Minimize chatting with strangers. Think critically about.

Internet Safety Basics Being responsible -- and safer -- online Visit age-appropriate sites Minimize chatting with strangers. Think critically about.

Similar presentations

Ads by Google