Detecting malicious landing pages in Malware Distribution Networks

Drive-by download attacks attempt to compromise a victim's computer through browser vulnerabilities. Often they are launched from Malware Distribution Networks (MDNs) consisting of landing pages to attract traffic, intermediate redirection servers, and exploit servers which attempt the compromise. In this paper, we present a novel approach to discovering the landing pages that lead to drive-by downloads. Starting from partial knowledge of a given collection of MDNs we identify the malicious content on their landing pages using multiclass feature selection. We then query the webpage cache of a commercial search engine to identify landing pages containing the same or similar content. In this way we are able to identify previously unknown landing pages belonging to already identified MDNs, which allows us to expand our understanding of the MDN. We explore using both a rule-based and classifier approach to identifying potentially malicious landing pages. We build both systems and independently verify using a high-interaction honeypot that the newly identified landing pages indeed attempt drive-by downloads. For the rule-based system 57% of the landing pages predicted as malicious are confirmed, and this success rate remains constant in two large trials spaced five months apart. This extends the known footprint of the MDNs studied by 17%. The classifier-based system is less successful, and we explore possible reasons.

[1]  Hinrich Schütze,et al.  Introduction to information retrieval , 2008 .

[2]  Jack W. Stokes,et al.  WebCop: Locating Neighborhoods of Malware on the Web , 2010, LEET.

[3]  Stefan Savage,et al.  Cloak and dagger: dynamics of web search cloaking , 2011, CCS '11.

[4]  Collin Jackson Improving browser security policies , 2009 .

[5]  Jose Renau,et al.  Measuring power and temperature from real processors , 2008, 2008 IEEE International Symposium on Parallel and Distributed Processing.

[6]  Sanghamitra Roy,et al.  Analysis and mitigation of NBTI aging in register file: An end-to-end approach , 2011, 2011 12th International Symposium on Quality Electronic Design.

[7]  Martín Abadi,et al.  deSEO: Combating Search-Result Poisoning , 2011, USENIX Security Symposium.

[8]  Benjamin Livshits,et al.  ZOZZLE: Fast and Precise In-Browser JavaScript Malware Detection , 2011, USENIX Security Symposium.

[9]  Emanuele Della Valle,et al.  An Introduction to Information Retrieval , 2013 .

[10]  Guofei Gu,et al.  WebPatrol: automated collection and replay of web-based malware scenarios , 2011, ASIACCS '11.

[11]  P. Gronowski,et al.  Design of an 8-wide superscalar RISC microprocessor with simultaneous multithreading , 2002, 2002 IEEE International Solid-State Circuits Conference. Digest of Technical Papers (Cat. No.02CH37315).

[12]  Sudhanva Gurumurthi,et al.  Recovery Boosting: A Technique to Enhance NBTI Recovery in SRAM Arrays , 2010, 2010 IEEE Computer Society Annual Symposium on VLSI.

[13]  Hiroto Yasuura,et al.  Signal probability control for relieving NBTI in SRAM cells , 2010, 2010 11th International Symposium on Quality Electronic Design (ISQED).

[14]  Trevor Mudge,et al.  MiBench: A free, commercially representative embedded benchmark suite , 2001 .

[15]  Mahmut T. Kandemir,et al.  Increasing register file immunity to transient errors , 2005, Design, Automation and Test in Europe.

[16]  Scott A. Mahlke,et al.  Data Access Partitioning for Fine-grain Parallelism on Multicore Architectures , 2007, 40th Annual IEEE/ACM International Symposium on Microarchitecture (MICRO 2007).

[17]  Paolo Milani Comparetti,et al.  EvilSeed: A Guided Approach to Finding Malicious Web Pages , 2012, 2012 IEEE Symposium on Security and Privacy.

[18]  Resve A. Saleh,et al.  Power Supply Noise in SoCs: Metrics, Management, and Measurement , 2007, IEEE Design & Test of Computers.

[19]  Jörg Henkel,et al.  Self-Immunity Technique to Improve Register File Integrity Against Soft Errors , 2011, 2011 24th Internatioal Conference on VLSI Design.

[20]  Vinod Yegneswaran,et al.  BLADE: an attack-agnostic approach for preventing drive-by malware infections , 2010, CCS '10.

[21]  Geoff Hulten,et al.  Spamming botnets: signatures and characteristics , 2008, SIGCOMM '08.

[22]  Benjamin Livshits,et al.  NOZZLE: A Defense Against Heap-spraying Code Injection Attacks , 2009, USENIX Security Symposium.

[23]  Yu Cao,et al.  Predictive Modeling of the NBTI Effect for Reliable Design , 2006, IEEE Custom Integrated Circuits Conference 2006.

[24]  Marti A. Hearst,et al.  Why phishing works , 2006, CHI.

[25]  Benjamin Livshits,et al.  Rozzle: De-cloaking Internet Malware , 2012, 2012 IEEE Symposium on Security and Privacy.

[26]  Steven D. Gribble,et al.  A Crawler-based Study of Spyware in the Web , 2006, NDSS.

[27]  Christopher Krügel,et al.  Detection and analysis of drive-by-download attacks and malicious JavaScript code , 2010, WWW '10.

[28]  Kaushik Roy,et al.  Impact of Negative-Bias Temperature Instability in Nanoscale SRAM Array: Modeling and Analysis , 2007, IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems.

[29]  Kaushik Roy,et al.  NBTI induced performance degradation in logic and memory circuits: how effectively can we approach a reliability solution? , 2008, 2008 Asia and South Pacific Design Automation Conference.

[30]  Wenke Lee,et al.  ARROW: GenerAting SignatuRes to Detect DRive-By DOWnloads , 2011, WWW.

[31]  Wenke Lee,et al.  SURF: detecting and measuring search poisoning , 2011, CCS '11.

[32]  James Tandon The OpenRISC processor: open hardware and Linux , 2011 .

[33]  Yu Cao,et al.  Predictive Technology Model for Nano-CMOS Design Exploration , 2006, 2006 1st International Conference on Nano-Networks and Workshops.

[34]  Jose Nazario,et al.  PhoneyC: A Virtual Client Honeypot , 2009, LEET.

[35]  Shuguang Feng,et al.  Cost-efficient soft error protection for embedded microprocessors , 2006, CASES '06.

[36]  Martin Roesch,et al.  Snort - Lightweight Intrusion Detection for Networks , 1999 .

[37]  Stuart E. Schechter,et al.  The Emperor's New Security Indicators An evaluation of website authentication and the effect of role playing on usability studies † , 2007 .

[38]  Yu Cao,et al.  Modeling and minimization of PMOS NBTI effect for robust nanometer design , 2006, 2006 43rd ACM/IEEE Design Automation Conference.

[39]  Radford M. Neal Pattern Recognition and Machine Learning , 2007, Technometrics.

[40]  Christopher D. Manning,et al.  Introduction to Information Retrieval , 2010, J. Assoc. Inf. Sci. Technol..

[41]  Niels Provos,et al.  All Your iFRAMEs Point to Us , 2008, USENIX Security Symposium.

[42]  C. Seifert Know Your Enemy: Malicious Web Servers , 2007 .

[43]  Rodolfo Azevedo,et al.  The ArchC Architecture Description Language and Tools , 2005, International Journal of Parallel Programming.

[44]  Benjamin G. Zorn,et al.  Zozzle: Low-overhead Mostly Static JavaScript Malware Detection , 2010 .

[45]  Geoffrey H. Ball,et al.  ISODATA, A NOVEL METHOD OF DATA ANALYSIS AND PATTERN CLASSIFICATION , 1965 .

[46]  Giovanni Vigna,et al.  Prophiler: a fast filter for the large-scale detection of malicious web pages , 2011, WWW.

[47]  Miodrag Potkonjak,et al.  MediaBench: a tool for evaluating and synthesizing multimedia and communications systems , 1997, Proceedings of 30th Annual International Symposium on Microarchitecture.

[48]  A. Chandrakasan,et al.  Analyzing static noise margin for sub-threshold SRAM in 65nm CMOS , 2005, Proceedings of the 31st European Solid-State Circuits Conference, 2005. ESSCIRC 2005..

[49]  Lin Li,et al.  Proactive NBTI mitigation for busy functional units in out-of-order microprocessors , 2010, 2010 Design, Automation & Test in Europe Conference & Exhibition (DATE 2010).

[50]  Tao Jin,et al.  Low power aging-aware register file design by duty cycle balancing , 2012, 2012 Design, Automation & Test in Europe Conference & Exhibition (DATE).

[51]  Ching-Te Chuang,et al.  Impacts of NBTI and PBTI on SRAM static/dynamic noise margins and cell failure probability , 2009, Microelectron. Reliab..

[52]  Xuxian Jiang,et al.  Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities , 2006, NDSS.