
Niels Provos and Panayiotis Mavrommatis (Google Inc.), Moheeb Abu Rajab and Fabian Monrose (Johns Hopkins University). 17th USENIX Security Symposium.


Slide 2: Introduction [1/3]
- The WWW is a criminal's preferred pathway for spreading malware.
- Two ways of delivering web malware:
  - Social engineering
  - Drive-by download: URLs that attempt to exploit their visitors and cause malware to be installed and run automatically.

Slide 3: Introduction [2/3]
- Drive-by download via iFRAMEs: scripts exploit the browser and trigger downloads.

Slide 4: Introduction [3/3]
- Drive-by download example: landing site cafe.naver.com, distribution site www.malware.com.

Slide 5: Infrastructure and Methodology [1/4]
- Workflow (figure)

Slide 6: Infrastructure and Methodology [2/4]
- Pre-processing phase:
  - Inspect URLs from the repository and identify the ones that trigger drive-by downloads.
  - MapReduce and machine-learning framework.
  - Pre-processes a billion pages daily.
  - Chooses 1 million URLs for the verification phase.

Slide 7: Infrastructure and Methodology [3/4]
- Verification phase:
  - Large-scale web honeynet.
  - Runs a large number of MS Windows images in VMs.
  - Unpatched version of Internet Explorer.
  - Multiple anti-virus engines.
  - Loads a clean Windows image, then visits the candidate URL.
  - Monitors the system behavior for abnormal state changes.

Slide 8: Infrastructure and Methodology [4/4]
- Malware distribution networks:
  - The set of malware delivery trees from all the landing sites that lead to a particular malware distribution site.
  - Built by inspecting the Referer header and the HTTP request.
  - In some cases URLs contain randomly generated strings; a heuristics-based algorithm is applied.
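The delivery-tree reconstruction this slide describes, as an added example that is not code from the paper or its infrastructure: it walks Referer headers back from a payload download recorded during one honeypot visit to the landing page, then groups landing sites by the distribution site they lead to (the per-site counts of slide 14). The request records and all hostnames are constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: requests recorded while a honeypot VM loads a landing
# page, one list per visit, as (requested URL, Referer header or None).
# All hostnames are hypothetical.
VISITS = [
    [
        ("http://landing-a.example/index.html", None),
        ("http://ads.example/banner.html", "http://landing-a.example/index.html"),
        ("http://hop.example/r.php?id=7", "http://ads.example/banner.html"),
        ("http://dist.example/load.exe", "http://hop.example/r.php?id=7"),
    ],
    [
        ("http://landing-b.example/news.html", None),
        ("http://hop.example/r.php?id=9", "http://landing-b.example/news.html"),
        ("http://dist.example/load.exe", "http://hop.example/r.php?id=9"),
    ],
]


def host(url):
    return urlsplit(url).hostname


def is_executable(url):
    """Crude payload test for the sample: a .exe path. A real pipeline would
    key on the binary the VM actually wrote to disk, not on the URL."""
    return urlsplit(url).path.lower().endswith(".exe")


def delivery_chain(visit, is_payload):
    """Walk Referer headers back from the first payload download of one visit.
    Returns the hosts on the path landing site -> ... -> distribution site,
    or None when the visit downloaded no payload."""
    referer_of = {url: ref for url, ref in visit}
    payload = next((url for url, _ in visit if is_payload(url)), None)
    if payload is None:
        return None
    chain, url, seen = [], payload, set()
    while url is not None and url not in seen:  # stop at landing page or a loop
        seen.add(url)
        chain.append(host(url))
        url = referer_of.get(url)  # an unobserved Referer also ends the chain
    return chain[::-1]


def distribution_networks(visits, is_payload):
    """Group landing sites by the distribution site their chains lead to."""
    nets = defaultdict(set)
    for visit in visits:
        chain = delivery_chain(visit, is_payload)
        if chain:
            nets[chain[-1]].add(chain[0])
    return {dist: sorted(landing) for dist, landing in nets.items()}
```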

Slide 9: Prevalence of drive-by downloads [1/3]
- Summary of collected data (table)

Slide 10: Prevalence of drive-by downloads [2/3]
- Geographic locality: the correlation between the location of a distribution site and its landing sites.

Slide 11: Prevalence of drive-by downloads [3/3]
- Impact on the end users: average 1.3%.

Slide 12: Malicious content injection [1/2]
- Web server software: a significant fraction were running outdated versions of software.

Slide 13: Malicious content injection [2/2]
- Drive-by download via ads.

Slide 14: Malicious distribution infrastructure [1/3]
- The number of landing sites per distribution site (figure).

Slide 15: Malicious distribution infrastructure [2/3]
- Properties of malware distribution site IPs: concentrated in the 58.* -- 61.* and 209.* -- 221.* ranges.

Slide 16: Malicious distribution infrastructure [3/3]
- The number of unique binaries downloaded from each malware distribution site (figure).

Slide 17: Post Infection Impact [1/4]
- The number of executables downloaded as a result of visiting a malicious URL: average 8.

Slide 18: Post Infection Impact [2/4]
- The number of processes started after visiting a malicious URL (figure).

Slide 19: Post Infection Impact [3/4]
- Registry changes after visiting 57.5% of the landing pages.

Slide 20: Post Infection Impact [4/4]
- Network activity of the virtual machine post infection (figure).

Slide 21: Anti-virus engine detection rates
- Network activity of the virtual machine post infection (figure).

Slide 22: Conclusion
- Large web-scale data collection infrastructure.
- In-depth analysis of over 66 million URLs.
- Reveals that the scope of the problem is significant.
- Anti-virus engines are lacking in their ability to protect against drive-by downloads.

Slide 23: Extra - Authors
- Niels Provos: senior staff engineer, Google Inc.; web-based malware; DDoS.
- Panayiotis Mavrommatis: software engineer, Google Inc.; security; distributed computing.

Slide 24: Extra - Malicious content injection [2/5]
- Drive-by download via ads.
- Malware delivered via ads exhibits a longer delivery chain.

