1 / 10

A Crawler-based Study of Spyware in the Web

A Crawler-based Study of Spyware in the Web. Alex Moshchuk , Tanya Bragin, Steve Gribble, Hank Levy. Why measure spyware?. Understand the problem before defending against it Many unanswered questions What’s the spyware density on the web? Where do people get spyware?

mada
Download Presentation

A Crawler-based Study of Spyware in the Web

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A Crawler-based Study of Spyware in the Web Alex Moshchuk, Tanya Bragin, Steve Gribble, Hank Levy

  2. Why measure spyware? • Understand the problem before defending against it • Many unanswered questions • What’s the spyware density on the web? • Where do people get spyware? • How many spyware variants are out there? • What kinds of threats does spyware pose? • New ideas and tools • Detection • Prevention

  3. Approach • Large-scale study of spyware on the Web • Crawl “interesting” portions of the web • Download content • Determine if it is malicious • Use virtual machines • Two strategies: • Executable study • Find executables with known spyware • Drive-by download study • Find web pages with drive-by downloads

  4. Analyzing Executables • Web crawler collects a pool of executabes • For each: • Clone a clean virtual machine • 10-node VM cluster, 4 VMs per node • Automatically install executable • Run analysis to see what changed • Currently, an anti-spyware tool (Ad-Aware) • Average analysis time – 90 sec. per executable

  5. Analyzing Drive-by Downloads • Evaluate the safety of browsing the web • Automatic virtual browsing • Render pages in a real browser inside clean VM • Internet Explorer • Define triggers for suspicious browsing activity • Process creation • Files written outside browser temp. folders • Suspicious registry modifications • Run anti-spyware check only when trigger fires

  6. Executable Study Results • Crawled 32 million pages in 10000 domains • Downloaded 26,000 executables • Found spyware in 13.5% of them • 6% installed three or more spyware variants • 142 unique spyware threats • Only 29 found more than 20 times

  7. Infection of Executables • Visit a site and download a program • What’s the chance that you got spyware?

  8. Drive-by Download Results • 5.5% of pages we examined carried drive-by downloads • 1.4% exploit browser vulnerabilities

  9. Types of spyware • Quantify the kinds of threats posed by spyware • Consider five spyware functions • What’s the chance a spyware program contains each function?

  10. Summary • Lots of bad stuff on the web • 1 in 8 programs is infected with spyware • 1 in 18 web pages has a spyware drive-by download • Most of it is just annoying (Adware) • But a significant fraction poses big risks • Spyware companies target specific popular content • Few spyware variants are encountered in practice • More details: • A Crawler-based Study of Spyware in the Web – NDSS06

More Related