
A Crawler-based Study of Spyware on the Web

A Crawler-based Study of Spyware on the Web. Authors: Alexander Moshchuk, Tanya Bragin, Steven D. Gribble, and Henry M. Levy, University of Washington. 13th Annual Network and Distributed System Security Symposium (NDSS 2006). Presented by Hao Cheng, 2006.03.

Presentation Transcript


  1. A Crawler-based Study of Spyware on the Web
     Authors: Alexander Moshchuk, Tanya Bragin, Steven D. Gribble, and Henry M. Levy
     University of Washington
     13th Annual Network and Distributed System Security Symposium (NDSS 2006)
     Presented by Hao Cheng, 2006.03

  2. What is Spyware?
     • Spyware (wiki): “a broad category of malicious software designed to intercept or take partial control of a computer’s operation without the informed consent of that machine’s owner or legitimate user”.
     • No self-replication.
     • Examples: keyloggers, dialers, Trojan downloaders, browser hijackers, adware.

  3. Two types of spyware:
     • Spyware-infected executables: spyware code piggy-backed on an executable the user downloads.
     • Drive-by download: exploits a vulnerability in the user’s browser.
     (from wiki)

  4. Contribution
     • A quantitative analysis of the extent of spyware content on the Web.
     • Internet point of view: study web sites rather than end hosts.
     • Answers the questions below:

  5.
     • Crawl web pages
     • May 2005: 18.2 million URLs
     • Oct 2005: 21.8 million URLs
     • Virtual machine (VM) used to sandbox and analyze malicious content
     • Spyware-infected executables: detected with commercial anti-spyware tools
     • Drive-by downloads: detected with heuristic triggers

  6. Spyware-Infected Executables
     • Automated solution
     • Determine whether a web object contains executable software
     • Download, install, and execute it in a VM
     • Analyze and identify what was installed

  7. Steps
     • Finding executables on the Web
     • HTTP header Content-Type = application/octet-stream
     • URL has an executable extension (.exe, .cab, .msi)
     • After downloading, the leading bytes of the file identify its type.
     • Automatic install
     • Use heuristics to simulate common user interaction during the installation process.

  8. Steps
     • The last step: analyze
     • Lavasoft AdAware anti-spyware tool (uses the signatures in its detection database).
     • A script launches the installed software and collects the logs generated by the anti-spyware tool.
     • Identify the functions of the detected spyware.
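As an added illustration of the executable-finding step on slide 7 (this is not code from the paper or the presenter), a small Python classifier that applies the three signals the study used: the Content-Type header, the URL extension, and the leading bytes of the downloaded object. It also flags the case a defender cares about, executable bytes served behind a harmless-looking header and extension, which a header/URL pre-filter alone would never pass to the sandbox. The example.test URLs and sample responses are constructed; the PE, CAB and OLE/MSI signatures are the standard ones.

```python
import os
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# File signatures for the three formats the crawler looked for (.exe, .cab, .msi).
MAGIC = {
    b"MZ": "exe",                                # DOS/PE executable header
    b"MSCF": "cab",                              # Microsoft cabinet archive
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "msi",  # OLE compound file, the MSI container
}
EXECUTABLE_EXTENSIONS = {".exe", ".cab", ".msi"}

@dataclass
class WebObject:
    url: str            # URL the crawler fetched
    content_type: str   # Content-Type header as received
    head: bytes         # leading bytes of the response body

def sniff_magic(head: bytes) -> Optional[str]:
    """Return the format implied by the leading bytes, or None if nothing matches."""
    for signature, kind in MAGIC.items():
        if head.startswith(signature):
            return kind
    return None

def classify(obj: WebObject) -> dict:
    """Apply the study's three checks and flag disagreement between them."""
    mime = obj.content_type.split(";")[0].strip().lower()
    ext = os.path.splitext(urlparse(obj.url).path)[1].lower()
    # Pre-filter: would the header/URL rules queue this object for download at all?
    candidate = mime == "application/octet-stream" or ext in EXECUTABLE_EXTENSIONS
    kind = sniff_magic(obj.head)  # format confirmed from the bytes themselves
    return {
        "candidate": candidate,
        "kind": kind,
        # Executable bytes behind a non-executable header and extension: the
        # header/URL pre-filter alone would never hand this object to the sandbox.
        "disguised": kind is not None and not candidate,
    }

# Constructed sample responses, not data from the study.
SAMPLES = [
    WebObject("http://example.test/get/setup.exe", "application/octet-stream", b"MZ\x90\x00\x03"),
    WebObject("http://example.test/pkg/installer.msi", "application/x-msi",
              bytes.fromhex("d0cf11e0a1b11ae1") + b"\x00" * 8),
    WebObject("http://example.test/img/photo.jpg", "image/jpeg", b"MZ\x90\x00\x03"),
    WebObject("http://example.test/index.html", "text/html; charset=utf-8", b"<!DOCTYPE html>"),
]
```

Anything with a non-None `kind` is what the VM install-and-scan stage should receive; the `disguised` entries show why the magic-byte check cannot be skipped.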

  9. Drive-by Download
     • Automated solution
     • Visit potentially malicious web pages in an unmodified browser inside a clean VM
     • Any attempt to break out of the browser’s security sandbox is treated as suspicious
     • Perform an AdAware scan to detect installed spyware.

  10. Complex web content
     • Complex web content (JavaScript)
     • Time-bomb code (fires at some future time): accelerate the OS wall clock 15 times
     • Page-close code: simulate a page close by fetching a clean web page, so that code hooked to the page-close event runs.
     • Pop-up code: wait for all pop-up windows to finish loading, then close them in order to trigger any code they carry.

  11. Browser Configuration
     • IE 6.0 on unpatched XP.
     • cfg_y: when IE asks for permission, everything is approved.
     • cfg_n: all permission requests are refused.
     • Most malicious case: simply visiting a web page causes infection.
     • Firefox was also studied; basically more secure.

  12. System
     • 10-node cluster
     • Dual-processor, 4GB RAM, 80GB disk
     • One VM per processor

  13. Performance
     • 92 seconds per sample, 1st type (spyware-infected executables):
       • 1-2 seconds creating a VM
       • 55 seconds installing and running the executable
       • 35 seconds AdAware sweep
       • Analyze 18,782 samples per day
     • 11.7 seconds per page, 2nd type (drive-by download):
       • 6.3 seconds to restart a browser and load a single web page
       • 108 seconds for AdAware on pages that fire a trigger (5%)
       • Analyze 14,768 pages per CPU per day

  14. Executables
     • Over 2,500 web sites
     • 8 different categories
     • For each web site, crawl to depth 3 from the top page.
     • Average 6,577 pages per site.
     • Also crawl “randomly selected” web sites.

  15. (no transcript text)

  16. Note: some spyware has multiple functions.
     • Summary
     • Around 90 distinct executable spyware programs.
     • Instances spread across 4% of domains.
     • 1 out of 20 executables on the Web is spyware.
     • 2 new executable spyware programs appear per month.

  17. Drive-by Download
     • Web pages selected from different categories,

  18. (no transcript text)

  19. Limitations
     • Heavily relies on commercial anti-spyware software.
     • Many computers are now patched, so fewer vulnerabilities remain exploitable.

  20. Questions?
