Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Crawler-based Study of Spyware on the Web A.Moshchuk, T.Bragin, D.Gribble, M.Levy NDSS, 2006 * Presented by Justin Miller on 3/6/07.

Published byDylan Floyd Modified over 9 years ago

Similar presentations

Presentation on theme: "A Crawler-based Study of Spyware on the Web A.Moshchuk, T.Bragin, D.Gribble, M.Levy NDSS, 2006 * Presented by Justin Miller on 3/6/07."— Presentation transcript:

1 A Crawler-based Study of Spyware on the Web A.Moshchuk, T.Bragin, D.Gribble, M.Levy NDSS, 2006 * Presented by Justin Miller on 3/6/07

2 A Quick Joke… “I caught a little of that computer virus that’s been going around… I haven’t been myself since” www.CartoonStock.com

3 Overview vs. User visits website Web spyware infects computer Computer is unhappy

4 Background Spyware study Infected 80% of AOL users 93 spyware components (known) Goals Locate spyware on the internet Gather Internet spyware statistics Quantitative analysis of spyware-laden content on the web

5 Outline What is spyware? Crawling the web Web executables Drive-by downloads Results Improvements

6 Definition Spyware – software that collects personal information about users No user knowledge Spyware techniques: Log keystrokes Collect web history Scan documents on hard disk

7 Types of Spyware Spyware-infected executables Content-type header URL extension Drive-by downloads Malicious web content Produce event triggers

8 Part I: Executable files Finding executables Content-type (HTTP header) contains.exe URL contains.exe,.cab, or.msi Hidden executables Embedded file (.zip) URL hidden in JavaScript Missed executables Hidden URL on dynamic page

9 Part I: Executable files DL, install, run in a clean VM Tool to automate installer framework EULA agreements Radio buttons and check boxes Analyze file Ad-Aware software Log identifies spyware program

10 Web Crawling Heritrix public domain Web crawler Search 2,500+ web sites c|net’s download.com for DL executables Randomly selected web sites Google keyword search Depth of 3 links Find.exe hosted on separate Web servers

11 Changing Spyware Environment 2 separate program crawls May, October 2005 Generated list of crawling seeds Most recent anti-spyware program used October crawl detect mores vulnerabilities

12 Executable Results 2 separate program crawls May 2005 – 18 million URLs Oct 2005 – 22 million URLs No appreciable change in spyware One site dropped # of infected executables

13 Executable Results Overall spyware 3.8% in May 2005 4.4% in Oct 2005 Individual programs 82 in May 2005 89 in Oct 2005

14 Infected Executables May 2005October 2005

15 Web Categories Web categories infected with spyware

16 Spyware Functions Spyware-infected executables Contain various spyware functions Executables may have multiple functions

17 Spyware Upgrades Spyware-infected executables May have multiple spyware functions 1,294 infected.exe found in Oct 2005 880 detected 414 variants

18 Blacklisting Spyware Block clients from accessing listed sites Done by firewall or proxy Blacklisting is ineffective

19 Part II: Drive-by Downloads Spyware from visiting a web page Javascript embedded in HTML Modifies files System/registry Render web pages with unmodified browser

20 Event Triggers for DB-DLs Event occurs that matches a trigger Trigger Conditions Process creation File activity (creation) Suspicious process (file modification) Registry file modified Browser/OS crash

21 Complex Web Content “Time Bomb” attack Speed up virtual time of guest OS JavaScript when page closes Fetch a clean URL before closing Pop-up windows Allow all to open before closing

22 IE Browser Configuration Security-related IE dialog boxes

23 Drive-by Results 3 web crawls May 2005 – 45K URLs Oct 2005 – Same URLs Oct 2005 – New URLs Decrease in infectious URLs Increase in unique spyware programs

24 Drive-by Results

25 Origin of Drive-by DLs Top 6 web categories (IE): Pirate sites Celebrity Music Adult Games Wallpaper

26 Spyware Top 10 May 2005October 2005

27 Spyware Top 10 May 2005October 2005

28 Spyware Trends Decline in total # of spyware programs Increase of anti-spyware tools Automated patch installations Lawsuits against spyware distributors

29 IE vs Firefox Security Internet Explorer v6 186 - cfg_y 92 - cfg_n Firefox v1.0.6 36 - cfg_y 0 - cfg_n

30 Drive-by Summary Performed 3 URL crawls Reduction in % of domains hosting DB-DLs Small # of domains host majority of infectious links Drive-by DLs attempted in 0.4% of URLs Drive-by attacks in 0.2% of URLs

31 Strengths Analysis method Studies density of spyware on the Web Produces spyware trends over time Calculated frequency of spyware on web Distinguished security prompts (y/n) Found 14% of spyware is malicious Density of spyware is substantial

32 Weaknesses Missed executables URL hidden in JavaScript, dynamic page Limited by what Ad-Aware is able to detect Method weakness Different anti-spyware programs (May/Oct) Did not crawl entire web Cannot relate density of spyware on the Web and the presence of threats on desktops

33 Improvements Test multiple browsers Additional anti-spyware programs Crawl more URLs Find geographic patterns of hosts

34 Questions? Ask me! Reasons to ask questions: Class discussion is 20% of your grade You can’t leave until 5:45 anyway Of the two of us, I’m probably the only one that read the entire paper (except Dr. Zou)

Download ppt "A Crawler-based Study of Spyware on the Web A.Moshchuk, T.Bragin, D.Gribble, M.Levy NDSS, 2006 * Presented by Justin Miller on 3/6/07."

Similar presentations

Copyright © 2012 Certification Partners, LLC -- All Rights Reserved Lesson 4: Web Browsing.

Copyright © 2012 Certification Partners, LLC -- All Rights Reserved Lesson 4: Web Browsing.
Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –

Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –
Day 4-1-1 anti-virus 3-3-1.anti-virus 1 detecting a malicious file malware, detection, hiding, removing.

Day anti-virus anti-virus 1 detecting a malicious file malware, detection, hiding, removing.
AUTOMATED DISCOVERY OF PARAMETER POLLUTION VULNERABILITIES IN WEB APPLICATIONS Marco Balduzzi, Carmen Torrano Gimenez, Davide Balzarotti, and Engin Kirda,

AUTOMATED DISCOVERY OF PARAMETER POLLUTION VULNERABILITIES IN WEB APPLICATIONS Marco Balduzzi, Carmen Torrano Gimenez, Davide Balzarotti, and Engin Kirda,
Configuring Windows Vista Security Lesson 8. Skills Matrix Technology SkillObjective DomainObjective # Setting Up Users Configure and troubleshoot parental.

Configuring Windows Vista Security Lesson 8. Skills Matrix Technology SkillObjective DomainObjective # Setting Up Users Configure and troubleshoot parental.
Lesson 4: Web Browsing.

Lesson 4: Web Browsing.
Telnet and FTP. Telnet Lets you use the resources of some other computer on the Internet to access files, run programs, etc. Creates interactive connection.

Telnet and FTP. Telnet Lets you use the resources of some other computer on the Internet to access files, run programs, etc. Creates interactive connection.
AVG Internet Security 7.5 Product presentation.

AVG Internet Security 7.5 Product presentation.
AVG 8.5 Product Line Welcome to a safe world …. | Page 2 Contents  Components Overview  Product Line Overview  AVG 8.0 Boxes.

AVG 8.5 Product Line Welcome to a safe world …. | Page 2 Contents  Components Overview  Product Line Overview  AVG 8.0 Boxes.
A Crawler-based Study of Spyware on the Web Author: Alexander Moshchuk, Tanya Bragin, Steven D.Gribble, Henry M.Levy Presented At: NDSS, 2006 Prepared.

A Crawler-based Study of Spyware on the Web Author: Alexander Moshchuk, Tanya Bragin, Steven D.Gribble, Henry M.Levy Presented At: NDSS, 2006 Prepared.
Spyware! THE BAD, THE WORSE, AND THE Ugly … ARE ALL INDICATIONS THAT SPYWARE MAY BE TAKING OVER YOUR COMPUTER!

Spyware! THE BAD, THE WORSE, AND THE Ugly … ARE ALL INDICATIONS THAT SPYWARE MAY BE TAKING OVER YOUR COMPUTER!
Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.

Exam ● On May 15, at 10:30am in this room ● Two hour exam ● Open Notes ● Will mostly cover material since Exam 2 ● No, You may not take it early.
Automated Web Patrol with Strider Honey Monkeys Y.Wang, D.Beck, S.Chen, S.King, X.Jiang, R.Roussev, C.Verbowski Microsoft Research, Redmond Justin Miller.

Automated Web Patrol with Strider Honey Monkeys Y.Wang, D.Beck, S.Chen, S.King, X.Jiang, R.Roussev, C.Verbowski Microsoft Research, Redmond Justin Miller.
Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.

Network Security. Network security starts from authenticating any user. Once authenticated, firewall enforces access policies such as what services are.
Malicious Attacks. Introduction Commonly referred to as: malicious software/ “malware”, computer viruses Designed to enter computers without the owner’s.

Malicious Attacks. Introduction Commonly referred to as: malicious software/ “malware”, computer viruses Designed to enter computers without the owner’s.
Spring 2008 www.umsl.edu/~iclabs. Definitions  Virus  A virus is a piece of computer code that attaches itself to a program or file so it can spread.

Spring Definitions  Virus  A virus is a piece of computer code that attaches itself to a program or file so it can spread.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.

Leveraging User Interactions for In-Depth Testing of Web Application Sean McAllister Secure System Lab, Technical University Vienna, Austria Engin Kirda.
Trend Micro Deployment Kelvin Hwang IT Services University of Windsor.

Trend Micro Deployment Kelvin Hwang IT Services University of Windsor.
Norman SecureSurf Protect your users when surfing the Internet.

Norman SecureSurf Protect your users when surfing the Internet.

Similar presentations

Ads by Google