Measurement Study on Malicious Web Servers in the .nz Domain

Client-side attacks have become an increasing problem on the Internet today. Malicious web pages launch so-called drive-by-download attacks that are capable to gain complete control of a user's machine by merely having that user visit a malicious web page. Criminals that are behind the majority of these malicious web pages are highly sensitive to location, language and economic trends to increase their return on investment. In this paper, a comprehensive measurement study of malicious web servers on the .nz domain is presented. The risk of drive-by-download attacks has been compared with other domains showing no elevated risk for the .nz domain. However, a comprehensive assessment of the .nz domain showed the existence of malicious web pages across a variety of types of web pages. Blacklisting services showed limited success to protect against such malicious web pages. This is primarily attributed to the highly dynamic nature of malicious web pages. Over a period of eight months, the .nz domain was monitored and continuous shifting of malicious behavior of web pages has been observed. The rates observed show that on average 50% of malicious URLs identified change monthly. The rates pose a challenge to blacklisting services as well as a risk to end users with rapid dissemination of zero-day attacks. Frequent scans of the web are required to obtain a good up-to-date view of the threat landscape.

[1]  Deborah A. Frincke,et al.  Justifying the need for forensically ready protocols: A case study of identifying malicious web servers using client honeypots , 2008 .

[2]  Stefan Frei,et al.  Understanding the web browser threat: examination of vulnerable online web browser populations and the "insecurity iceberg" , 2008 .

[3]  Rachel Greenstadt,et al.  Reinterpreting the Disclosure Debate for Web Infections , 2008, WEIS.

[4]  P. Komisarczuk,et al.  Identification of Malicious Web Pages with Static Heuristics , 2008, 2008 Australasian Telecommunication Networks and Applications Conference.

[5]  Ian Welch,et al.  Technical report, Victoria University of Wellington , 2008 .

[6]  Xuxian Jiang,et al.  Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities , 2006, NDSS.

[7]  Chris Kanich,et al.  Spamalytics: an empirical analysis of spam marketing conversion , 2009, CACM.

[8]  Chengyu Song,et al.  Studying Malicious Websites and the Underground Economy on the Chinese Web , 2008, WEIS.

[9]  Niels Provos,et al.  All Your iFRAMEs Point to Us , 2008, USENIX Security Symposium.

[10]  C. Seifert Know Your Enemy: Malicious Web Servers , 2007 .

[11]  Deborah A. Frincke,et al.  Drive-by-Downloads , 2010, 2010 43rd Hawaii International Conference on System Sciences.

[12]  Felix C. Freiling,et al.  Measuring and Detecting Fast-Flux Service Networks , 2008, NDSS.

[13]  Stefan Axelsson,et al.  The base-rate fallacy and its implications for the difficulty of intrusion detection , 1999, CCS '99.

[14]  Steven D. Gribble,et al.  A Crawler-based Study of Spyware in the Web , 2006, NDSS.

[15]  Team Cymru,et al.  The Underground Economy: Priceless , 2006, login Usenix Mag..