DOI: 10.1145/1755688.1755705

Preventing drive-by download via inter-module communication monitoring

Published: 13 April 2010

Abstract

Drive-by download attacks are among the most severe threats to Internet users. Typically, merely visiting a malicious page is enough to compromise the client and infect it with malware. By the end of 2008, drive-by download had already become the number one infection vector for malware [5]. The downloaded malware may steal users' identities and passwords; it may also join a botnet to send spam, host phishing sites or launch distributed denial-of-service attacks.
Generally, these attacks rely on successfully exploiting vulnerabilities in web browsers or their plug-ins. We therefore propose a technique based on monitoring inter-module communication: it detects malicious use of a vulnerable component at the point where one module calls into another, and so prevents the vulnerability from being exploited. We implemented a prototype system integrated into Microsoft Internet Explorer, the most popular web browser at the time of writing. Experimental results show that, on our test set, our system, using vulnerability-based signatures, accurately detected every attack targeting a vulnerability in our definitions and produced no false positives. The evaluation also shows that the performance penalty is low.
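The following is an added example and not code from the paper or its prototype. It models the idea in the abstract: calls from page script into a plug-in pass through a monitor that checks each call against vulnerability-based signatures, i.e. signatures that describe the precondition under which the component's vulnerability is triggered (an argument longer than the buffer that receives it, a size the component never validates) rather than any particular exploit payload. The plug-in ProgID `Hypothetical.MediaCtl`, its methods `OpenFile` and `SetBufferSize`, the buffer sizes and the signature IDs `HYP-0001`/`HYP-0002` are all constructed for illustration and do not describe any real ActiveX control. The paper's prototype interposes on Internet Explorer's script-to-ActiveX call path in native code; here a JavaScript `Proxy` stands in for that interposition point so the logic can run anywhere.

```javascript
'use strict';
// Added example (not the paper's code): a model of inter-module communication
// monitoring with vulnerability-based signatures. The plug-in, its methods and
// the vulnerability conditions below are hypothetical, constructed for the
// example; they do not describe any real ActiveX control.

// A vulnerability-based signature names the module and method it applies to
// and a predicate over the call's arguments that is true exactly when the
// call would trigger the (hypothetical) vulnerability.
const SIGNATURES = [
  {
    id: 'HYP-0001',
    module: 'Hypothetical.MediaCtl',   // hypothetical ProgID
    method: 'OpenFile',
    // assumed: the path is copied into a fixed 256-byte stack buffer
    check: (args) => typeof args[0] === 'string' && args[0].length > 256,
    reason: 'path argument exceeds 256-byte stack buffer',
  },
  {
    id: 'HYP-0002',
    module: 'Hypothetical.MediaCtl',
    method: 'SetBufferSize',
    // assumed: the size is used unchecked, so negative/huge/non-integer values
    // reach an allocation the control never validates
    check: (args) =>
      !Number.isInteger(args[0]) || args[0] < 0 || args[0] > 0x100000,
    reason: 'size argument outside the range the control validates',
  },
];

// The monitor wraps a plug-in object so that every method call from script is
// checked before it reaches the component. A blocked call never executes.
function createMonitor(signatures) {
  const log = [];
  function wrap(progId, target) {
    return new Proxy(target, {
      get(obj, prop, receiver) {
        const value = Reflect.get(obj, prop, receiver);
        if (typeof value !== 'function') return value;
        return function (...args) {
          const hits = signatures.filter(
            (s) => s.module === progId && s.method === prop && s.check(args)
          );
          if (hits.length > 0) {
            log.push({ module: progId, method: String(prop), signature: hits[0].id, blocked: true });
            throw new Error(`blocked ${progId}.${String(prop)}: ${hits[0].reason} (${hits[0].id})`);
          }
          log.push({ module: progId, method: String(prop), signature: null, blocked: false });
          return value.apply(obj, args);
        };
      },
    });
  }
  return { wrap, log };
}

// Hypothetical control standing in for the native component script talks to.
function makeMediaCtl() {
  let bufferSize = 4096;
  return {
    OpenFile(path) { return `opened:${path}`; },
    SetBufferSize(n) { bufferSize = n; return bufferSize; },
  };
}

// Run a list of script-side calls through the monitor and report the outcome
// of each call together with the monitor's log.
function runCalls(calls) {
  const monitor = createMonitor(SIGNATURES);
  const ctl = monitor.wrap('Hypothetical.MediaCtl', makeMediaCtl());
  const results = [];
  for (const { method, args } of calls) {
    try {
      results.push({ method, ok: true, value: ctl[method](...args) });
    } catch (e) {
      results.push({ method, ok: false, error: e.message });
    }
  }
  return { results, log: monitor.log };
}

// Constructed sample: two benign calls and two that satisfy the vulnerability
// preconditions. The oversized path carries no shellcode at all; the signature
// fires on the unsafe argument, whatever payload an exploit would later use.
const SAMPLE_CALLS = [
  { method: 'OpenFile', args: ['C:\\media\\clip.avi'] },
  { method: 'SetBufferSize', args: [8192] },
  { method: 'OpenFile', args: ['A'.repeat(1000)] },
  { method: 'SetBufferSize', args: [-1] },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runCalls(SAMPLE_CALLS), null, 2));
}
```

The point of checking the vulnerability condition rather than the exploit is visible in the third call: it contains no shellcode and no heap-spray pattern, yet it is blocked, because any argument that overruns the assumed buffer is unsafe for the component regardless of intent. Conversely, a signature written this way cannot produce a false positive in the paper's sense, since every call it blocks would have triggered the defect. The price is that such a signature requires knowing the vulnerable component and its precondition, which is why the abstract's detection claim is scoped to "vulnerabilities in our definitions".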

References

[1] S. Bandhakavi, P. Bisht, P. Madhusudan, and V. N. Venkatakrishnan. CANDID: Preventing SQL injection attacks using dynamic candidate evaluations. In CCS '07: Proceedings of the 14th ACM Conference on Computer and Communications Security, pages 12--24, New York, NY, USA, 2007. ACM.
[2] Beijing Rising International Software Co., Ltd. Internet security report for China mainland, 2009 H1. http://it.rising.com.cn/new2008/News/NewsInfo/2009-07-21/1248160663d53890.shtml, November 2008.
[3] P. Bisht and V. N. Venkatakrishnan. XSS-GUARD: Precise dynamic prevention of cross-site scripting attacks. In DIMVA '08: Detection of Intrusions and Malware, and Vulnerability Assessment, volume 5137 of Lecture Notes in Computer Science, pages 23--43. Springer, Berlin/Heidelberg, 2008.
[4] D. Brumley, J. Newsome, D. Song, H. Wang, and S. Jha. Towards automatic generation of vulnerability-based signatures. In Proceedings of the 2006 IEEE Symposium on Security and Privacy, pages 2--16. IEEE Computer Society, 2006.
[5] M. Cruz. Most abused infection vector. http://blog.trendmicro.com/most-abused-infection-vector/, December 2008.
[6] W. Cui, M. Peinado, H. J. Wang, and M. E. Locasto. ShieldGen: Automatic data patch generation for unknown vulnerabilities with informed probing. In SP '07: Proceedings of the 2007 IEEE Symposium on Security and Privacy, pages 252--266, Washington, DC, USA, 2007. IEEE Computer Society.
[7] D. Dagon, G. Gu, C. P. Lee, and W. Lee. A taxonomy of botnet structures. In ACSAC '07: Proceedings of the 23rd Annual Computer Security Applications Conference, pages 325--339, 2007.
[8] M. Daniel, J. Honoroff, and C. Miller. Engineering heap overflow exploits with JavaScript. In WOOT '08: Proceedings of the 2nd USENIX Workshop on Offensive Technologies, July 2008.
[9] O. Day, B. Palmen, and R. Greenstadt. Reinterpreting the disclosure debate for web infections. In Managing Information Risk and the Economics of Security, pages 1--19. Springer US, 2009.
[10] W. Dormann and D. Plakosh. Vulnerability detection in ActiveX controls through automated fuzz testing. http://www.cert.org/archive/pdf/dranzer.pdf, 2008.
[11] J. R. Douceur, J. Elson, J. Howell, and J. R. Lorch. Leveraging legacy code to deploy desktop applications on the web. In OSDI '08: Proceedings of the 8th USENIX Symposium on Operating Systems Design and Implementation, December 2008.
[12] B. Dutertre and L. de Moura. The Yices SMT solver. Technical report, SRI International, 2006.
[13] M. Egele, P. Wurzinger, C. Kruegel, and E. Kirda. Defending browsers against drive-by downloads: Mitigating heap-spraying code injection attacks. In DIMVA '09: Proceedings of the 6th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, July 2009.
[14] B. Feinstein and D. Peck. Caffeine Monkey: Automated collection, detection and analysis of malicious JavaScript. Black Hat USA 2007 white paper. http://mirror.fpux.com/HackerCons/BlackHat_2007/BlackHat/Presentations/Feinstien_and_Peck/Whitepaper/bh-usa-07-feinstien_and_peck-WP.pdf, 2007.
[15] C. Grier, S. Tang, and S. T. King. Secure web browsing with the OP web browser. In Proceedings of the 2008 IEEE Symposium on Security and Privacy, pages 402--416, 2008.
[16] W. G. J. Halfond and A. Orso. AMNESIA: Analysis and monitoring for neutralizing SQL-injection attacks. In ASE '05: Proceedings of the 20th IEEE/ACM International Conference on Automated Software Engineering, pages 174--183, New York, NY, USA, 2005. ACM.
[17] W. G. J. Halfond, A. Orso, and P. Manolios. Using positive tainting and syntax-aware evaluation to counter SQL injection attacks. In SIGSOFT '06/FSE-14: Proceedings of the 14th ACM SIGSOFT International Symposium on Foundations of Software Engineering, pages 175--185, New York, NY, USA, 2006. ACM.
[18] Google Inc. Google Safe Browsing API. http://code.google.com/apis/safebrowsing/.
[19] C. Kanich, C. Kreibich, K. Levchenko, B. Enright, G. M. Voelker, V. Paxson, and S. Savage. Spamalytics: An empirical analysis of spam marketing conversion. In CCS '08: Proceedings of the 15th ACM Conference on Computer and Communications Security, pages 3--14, New York, NY, USA, 2008. ACM.
[20] Computer Security Lab, UC Santa Barbara. Wepawet. http://wepawet.iseclab.org/.
[21] D. Moore, C. Shannon, D. J. Brown, G. M. Voelker, and S. Savage. Inferring Internet denial-of-service activity. ACM Transactions on Computer Systems, 24(2):115--139, 2006.
[22] T. Moore and R. Clayton. An empirical analysis of the current state of phishing attack and defence. In WEIS '07: Proceedings of the Sixth Workshop on the Economics of Information Security, 2007.
[23] Mozilla. SpiderMonkey (JavaScript-C) engine. http://www.mozilla.org/js/spidermonkey/, 2009.
[24] J. Nazario. PhoneyC: A virtual client honeypot. In LEET '09: Proceedings of the 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats. USENIX Association, 2009.
[25] A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans. Automatically hardening web applications using precise tainting. In Security and Privacy in the Age of Ubiquitous Computing, volume 181 of IFIP International Federation for Information Processing, pages 295--307. Springer, Boston, 2005.
[26] T. Pietraszek and C. V. Berghe. Defending against injection attacks through context-sensitive string evaluation. In Recent Advances in Intrusion Detection, volume 3858 of Lecture Notes in Computer Science, pages 124--145. Springer, Berlin/Heidelberg, 2006.
[27] J. Pincus and B. Baker. Beyond stack smashing: Recent advances in exploiting buffer overruns. IEEE Security and Privacy, 2(4):20--27, 2004.
[28] M. Polychronakis, K. G. Anagnostakis, and E. P. Markatos. Emulation-based detection of non-self-contained polymorphic shellcode. In Recent Advances in Intrusion Detection, volume 4637 of Lecture Notes in Computer Science, pages 87--106. Springer, Berlin/Heidelberg, 2007.
[29] M. Polychronakis, K. G. Anagnostakis, and E. P. Markatos. Network-level polymorphic shellcode detection using emulation. Journal in Computer Virology, 2(4):257--274, February 2007.
[30] The Honeynet Project. Know your enemy: Malicious web servers, August 2007.
[31] N. Provos, P. Mavrommatis, M. A. Rajab, and F. Monrose. All your iFRAMEs point to us. In Security '08: Proceedings of the 17th USENIX Security Symposium, pages 1--15, Berkeley, CA, USA, 2008. USENIX Association.
[32] N. Provos, D. McNamee, P. Mavrommatis, K. Wang, and N. Modadugu. The ghost in the browser: Analysis of web-based malware. In HotBots '07: Proceedings of the First Workshop on Hot Topics in Understanding Botnets, Berkeley, CA, USA, 2007. USENIX Association.
[33] P. Ratanaworabhan, B. Livshits, and B. Zorn. Nozzle: A defense against heap-spraying code injection attacks. In Security '09: Proceedings of the 18th USENIX Security Symposium, 2009.
[34] C. Reis, J. Dunagan, H. J. Wang, O. Dubrovsky, and S. Esmeir. BrowserShield: Vulnerability-driven filtering of dynamic HTML. ACM Transactions on the Web, 1(3):11, 2007.
[35] Secunia. 2008 report. http://secunia.com/gfx/Secunia2008Report.pdf, 2008.
[36] R. Sekar. An efficient black-box technique for defeating web application attacks. In NDSS '09: Proceedings of the 16th Annual Network and Distributed System Security Symposium, San Diego, CA, February 2009.
[37] M. Sharif, A. Lanzi, J. Giffin, and W. Lee. Automatic reverse engineering of malware emulators. In Proceedings of the 2009 IEEE Symposium on Security and Privacy, pages 94--109, 2009.
[38] A. Sotirov. Heap Feng Shui in JavaScript. http://www.phreedom.org/research/heap-feng-shui/heap-feng-shui.html, 2008.
[39] R. Steenson and C. Seifert. Capture-HPC client honeypot / honeyclient. https://projects.honeynet.org/capture-hpc/.
[40] Z. Su and G. Wassermann. The essence of command injection attacks in web applications. In POPL '06: Conference Record of the 33rd ACM SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages 372--382, New York, NY, USA, 2006. ACM.
[41] T. Toth and C. Kruegel. Accurate buffer overflow detection via abstract payload execution. In Recent Advances in Intrusion Detection, volume 2516 of Lecture Notes in Computer Science, pages 274--291. Springer, Berlin/Heidelberg, 2002.
[42] W3Counter. Global web stats, 2009.
[43] H. J. Wang, C. Grier, A. Moshchuk, S. T. King, P. Choudhury, and H. Venter. The multi-principal OS construction of the Gazelle web browser. In Security '09: Proceedings of the 18th USENIX Security Symposium, August 2009.
[44] H. J. Wang, C. Guo, D. R. Simon, and A. Zugenmaier. Shield: Vulnerability-driven network filters for preventing known vulnerability exploits. SIGCOMM Computer Communication Review, 34(4):193--204, 2004.
[45] Y.-M. Wang, D. Beck, X. Jiang, R. Roussev, C. Verbowski, S. Chen, and S. T. King. Automated web patrol with Strider HoneyMonkeys: Finding web sites that exploit browser vulnerabilities. In Proceedings of the Network and Distributed System Security Symposium, NDSS 2006, San Diego, California, USA, 2006.
[46] Y.-M. Wang, R. Roussev, C. Verbowski, A. Johnson, M.-W. Wu, Y. Huang, and S.-Y. Kuo. Gatekeeper: Monitoring auto-start extensibility points (ASEPs) for spyware management. In LISA '04: Proceedings of the 18th USENIX Conference on System Administration, pages 33--46, Berkeley, CA, USA, 2004. USENIX Association.
[47] J. Wolf. Heap spraying with ActionScript. http://blog.fireeye.com/research/2009/07/actionscript_heap_spray.html, 2009.
[48] B. Yee, D. Sehr, G. Dardyk, J. B. Chen, R. Muth, T. Ormandy, S. Okasaka, N. Narula, and N. Fullagar. Native Client: A sandbox for portable, untrusted x86 native code. In Proceedings of the 30th IEEE Symposium on Security and Privacy, 2009.
[49] J. Zhuge, T. Holz, C. Song, J. Guo, X. Han, and W. Zou. Studying malicious websites and the underground economy on the Chinese web. In Managing Information Risk and the Economics of Security, pages 1--20. Springer US, 2009.

Cited By

  • (2018) RAPID. Proceedings of the 34th Annual Computer Security Applications Conference, pages 313-326. doi:10.1145/3274694.3274735. Online publication date: 3 Dec 2018.
  • (2018) BrowserGuard2: A Solution for Drive-by-Download Attacks. Proceedings of the Second International Conference on Microelectronics, Computing & Communication Systems (MCCS 2017), pages 739-750. doi:10.1007/978-981-10-8234-4_59. Online publication date: 31 Jul 2018.
  • (2016) Cyber attacks, countermeasures, and protection schemes — A state of the art survey. 2016 10th International Conference on Software, Knowledge, Information Management & Applications (SKIMA), pages 37-44. doi:10.1109/SKIMA.2016.7916194.
  • (2015) Survey on cyberspace security. Science China Information Sciences 58(11):1-43. doi:10.1007/s11432-015-5433-4. Online publication date: 13 Nov 2015.
  • (2015) Malicious File Hash Detection and Drive-by Download Attacks. Proceedings of the Second International Conference on Computer and Communication Technologies, pages 661-669. doi:10.1007/978-81-322-2517-1_63. Online publication date: 5 Sep 2015.
  • (2014) JShield. Proceedings of the 30th Annual Computer Security Applications Conference, pages 466-475. doi:10.1145/2664243.2664256. Online publication date: 8 Dec 2014.
  • (2014) UAC: A Lightweight and Scalable Approach to Detect Malicious Web Pages. Modern Trends and Techniques in Computer Science, pages 241-261. doi:10.1007/978-3-319-06740-7_21. Online publication date: 6 May 2014.
  • (2013) Analyzing and defending against web-based malware. ACM Computing Surveys 45(4):1-35. doi:10.1145/2501654.2501663. Online publication date: 30 Aug 2013.
  • (2013) PhishLive. Proceedings of the 14th International Conference on Passive and Active Measurement, pages 239-249. doi:10.1007/978-3-642-36516-4_24. Online publication date: 18 Mar 2013.
  • (2013) Moving Target Defense for Cloud Infrastructures: Lessons from Botnets. High Performance Cloud Auditing and Applications, pages 35-64. doi:10.1007/978-1-4614-3296-8_2. Online publication date: 1 Aug 2013.


      Published In

      ASIACCS '10: Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security
      April 2010
      363 pages
      ISBN:9781605589367
      DOI:10.1145/1755688
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

      Publisher

      Association for Computing Machinery

      New York, NY, United States


      Author Tags

      1. ActiveX
      2. drive-by download
      3. inter-module communication
      4. intrusion detection
      5. malicious script

      Qualifiers

      • Research-article

      Conference

      ASIA CCS '10

      Acceptance Rates

      ASIACCS '10 Paper Acceptance Rate 25 of 166 submissions, 15%;
      Overall Acceptance Rate 418 of 2,322 submissions, 18%
