Malicious File Hash Detection and Drive-by Download Attacks

Malicious web content has become an essential tool for cybercriminals carrying out attacks on the Internet, and attacks that target web clients, rather than infrastructure components, are now prevalent. Drive-by downloads are a recent challenge, as their share of malware distribution attacks appears to be growing substantially. In this paper we present a methodology for detecting any malicious file downloaded by a host on the monitored network. The detection method is based on a blacklist of malicious file hashes: we process the network traffic, analyze all connections, and compute the MD5, SHA-1, and SHA-256 hashes of each new file seen being transferred over a connection, then match the computed hashes against the blacklist. The blacklist of malicious file hashes is updated automatically every day, and detection runs in real time.
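The pipeline the abstract describes (extract a transferred file from a connection, hash it with all three algorithms, look the digests up in a blacklist) in a compact form, as an added example that is not the paper's code. The blacklist line format, the `Demo.Sample.A` label, and the captured HTTP responses are all constructed for this illustration; the paper does not specify its feed format or its traffic reassembly. The example also handles the edge case a real deployment must get right: a file whose transfer was cut short must not be hashed, because a partial body will never match the blacklist and would silently produce a false negative.

```python
"""Hash-blacklist detection of files carried in HTTP responses (added example)."""
import hashlib
import re

# Constructed blacklist in a "<hex digest> <label>" line format (an assumption;
# the paper does not specify its feed format). Digest length identifies the algorithm.
BLACKLIST_TEXT = """
# digest                                                          label
900150983cd24fb0d6963f7d28e17f72 Demo.Sample.A
ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad Demo.Sample.A
"""

ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def load_blacklist(text):
    """Parse the feed into {algo: {digest: label}}; malformed lines are skipped."""
    bl = {"md5": {}, "sha1": {}, "sha256": {}}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, label = line.partition(" ")
        digest = digest.lower()
        algo = ALGO_BY_HEX_LEN.get(len(digest))
        if algo is None or not re.fullmatch(r"[0-9a-f]+", digest):
            continue
        bl[algo][digest] = label.strip() or "unlabelled"
    return bl


def hash_file(data):
    """The three digests the method computes for every transferred file."""
    return {a: hashlib.new(a, data).hexdigest() for a in ("md5", "sha1", "sha256")}


def decode_chunked(data):
    """Decode a chunked body; returns (bytes, False) if the 0-chunk never arrived."""
    out, pos = bytearray(), 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            return bytes(out), False
        size = int(data[pos:eol].split(b";")[0].decode("ascii"), 16)
        pos = eol + 2
        if size == 0:
            return bytes(out), True
        chunk = data[pos:pos + size]
        if len(chunk) < size:
            return bytes(out), False
        out += chunk
        pos += size + 2  # skip the chunk data and its trailing CRLF


def extract_http_body(stream):
    """Return (body, complete) for one HTTP/1.x response captured from a connection.

    complete is False when the capture ended before Content-Length bytes (or the
    final chunk) arrived; such a body is not hashed, since its digest is meaningless.
    """
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        return b"", False
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        return decode_chunked(rest)
    if b"content-length" in headers:
        n = int(headers[b"content-length"])
        return rest[:n], len(rest) >= n
    # No length framing: body runs to connection close, so we must assume the
    # capture holds the whole connection.
    return rest, True


def match_hashes(hashes, blacklist):
    """[(algo, label)] for every computed digest present in the blacklist."""
    return [(a, blacklist[a][d]) for a, d in hashes.items() if d in blacklist[a]]


def scan_response(stream, blacklist):
    """Run the whole pipeline on one captured response."""
    body, complete = extract_http_body(stream)
    if not complete:
        return {"status": "incomplete", "hashes": None, "matches": []}
    hashes = hash_file(body)
    matches = match_hashes(hashes, blacklist)
    return {"status": "malicious" if matches else "clean",
            "hashes": hashes, "matches": matches}


# Constructed captures, not real traffic. Both carry the body "abc", whose MD5
# and SHA-256 digests are in the blacklist above; the third is cut off after "ab".
CAPTURED_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                     b"Content-Length: 3\r\n\r\nabc")
CAPTURED_CHUNKED = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
                    b"1\r\na\r\n2\r\nbc\r\n0\r\n\r\n")
TRUNCATED = CAPTURED_RESPONSE[:-1]

if __name__ == "__main__":
    bl = load_blacklist(BLACKLIST_TEXT)
    for name, cap in [("content-length", CAPTURED_RESPONSE),
                      ("chunked", CAPTURED_CHUNKED), ("truncated", TRUNCATED)]:
        print(name, scan_response(cap, bl))
```

Two practical points follow from the design. Matching on all three digests lets a feed that only lists one algorithm per sample still hit, which is why each digest is looked up independently. And exact-hash matching only ever catches samples already in the blacklist: a repacked or otherwise modified copy of the same malware has different digests and passes unmatched, so a feed refreshed daily, as the abstract describes, bounds how old a sample must be before this method can see it.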
