Research article. DOI: 10.1145/1966913.1966938

WebPatrol: automated collection and replay of web-based malware scenarios

Published: 22 March 2011

Abstract

Traditional malware that exploits remote servers is quickly evolving and adapting to the web-centric computing paradigm. By leveraging the large population of insecure web sites and exploiting vulnerabilities in modern, complex client-side browsers and their extensions, web-based malware has become one of the most severe and common infection vectors. While traditional malware collection and analysis focus mainly on binaries, new techniques and tools are needed for collecting and analyzing web-based malware; these should capture the complete web-based malicious logic, reflecting the dynamic, distributed, multi-step, and multi-path web infection trails, rather than just the binaries executed at end hosts. This paper is a first attempt in this direction: it automatically collects web-based malware scenarios, including complete web infection trails, to enable fine-grained analysis. Based on these collections, we provide offline "live" replay, i.e., an end user (e.g., an analyst) can faithfully experience the original infection trail in her current client environment, even when the original malicious web pages are no longer available or have already been cleaned. Our evaluation shows that WebPatrol collects and covers much more complete infection trails than state-of-the-art honeypot systems such as PhoneyC [11] and Capture-HPC [1]. We also provide several case studies on the analysis of web-based malware scenarios collected from a large national education and research network containing around 35,000 web sites.

References

[1] Capture-HPC. https://projects.honeynet.org/capture-hpc.
[2] libemu: x86 shellcode detection and emulation. http://libemu.carnivore.it/.
[3] Malzilla: Malware hunting tool. http://malzilla.sourceforge.net/.
[4] Polipo: a caching web proxy. http://www.pps.jussieu.fr/~jch/software/polipo/.
[5] P. Baecher, M. Koetter, T. Holz, M. Dornseif, and F. Freiling. The nepenthes platform: An efficient approach to collect malware. Lecture Notes in Computer Science, vol. 4219:165, 2006.
[6] M. Cova, C. Kruegel, and G. Vigna. Detection and analysis of drive-by-download attacks and malicious JavaScript code. In Proceedings of the 19th International World Wide Web Conference, 2010.
[7] CVE-2007-4105. Baidu Soba remote code execution vulnerability. http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-4105.
[8] B. Feinstein, D. Peck, and I. SecureWorks. Caffeine Monkey: Automated collection, detection and analysis of malicious JavaScript. Black Hat USA, 2007.
[9] S. Ford, M. Cova, C. Kruegel, and G. Vigna. Analyzing and detecting malicious Flash advertisements. In 2009 Annual Computer Security Applications Conference, pages 363--372, 2009.
[10] J. Mieres. Fragus: new botnet framework in-the-wild, 2009. http://evilfingers.blogspot.com/2009/08/fragus-new-botnet-framework-in-wild.html.
[11] J. Nazario. PhoneyC: a virtual client honeypot. In Proceedings of the 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats, 2009.
[12] M. Polychronakis, P. Mavrommatis, and N. Provos. Ghost turns zombie: exploring the life cycle of web-based malware. In Proceedings of the 1st USENIX Workshop on Large-Scale Exploits and Emergent Threats, 2008.
[13] N. Provos, P. Mavrommatis, M. A. Rajab, and F. Monrose. All your iFRAMEs point to us. In Proceedings of the 17th USENIX Security Symposium, pages 1--15, 2008.
[14] N. Provos, D. McNamee, P. Mavrommatis, K. Wang, and N. Modadugu. The ghost in the browser. In First Workshop on Hot Topics in Understanding Botnets, 2007.
[15] C. Seifert, V. Delwadia, P. Komisarczuk, D. Stirling, and I. Welch. Measurement study on malicious web servers in the .nz domain. In Proceedings of the 14th Australasian Conference on Information Security and Privacy, page 25, 2009.
[16] C. Song, J. Zhuge, X. Han, and Z. Ye. Preventing drive-by download via inter-module communication monitoring. In Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, pages 124--134, 2010.
[17] W3C. XMLHttpRequest. http://www.w3.org/TR/XMLHttpRequest/.
[18] Y. M. Wang. Strider HoneyMonkeys: active client-side honeypots for finding web sites that exploit browser vulnerabilities. In Part of Works in Progress at the 14th USENIX Security Symposium, 2007.
[19] J. Zhuge, T. Holz, X. Han, C. Song, and W. Zou. Collecting autonomous spreading malware using high-interaction honeypots. Lecture Notes in Computer Science, vol. 4861:438, 2007.
[20] J. Zhuge, T. Holz, C. Song, J. Guo, X. Han, and W. Zou. Studying malicious websites and the underground economy on the Chinese web. In Proceedings of the 7th Workshop on the Economics of Information Security, 2007.


Published In

ASIACCS '11: Proceedings of the 6th ACM Symposium on Information, Computer and Communications Security, March 2011, 527 pages. ISBN: 9781450305648. DOI: 10.1145/1966913.
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

drive-by download; malicious script; web-based malware analysis and collection


Funding Sources

Doctoral Program of Higher Education of China

Conference

ASIA CCS '11

Acceptance Rates

ASIACCS '11 paper acceptance rate: 35 of 217 submissions (16%). Overall acceptance rate: 418 of 2,322 submissions (18%).

Cited By
• (2019) TestREx. International Journal on Software Tools for Technology Transfer (STTT), 21(1):105--119. DOI: 10.1007/s10009-017-0474-1. Online publication date: 1 Feb 2019.
• (2018) RAPID. Proceedings of the 34th Annual Computer Security Applications Conference, pages 313--326. DOI: 10.1145/3274694.3274735. Online publication date: 3 Dec 2018.
• (2016) D-ForenRIA. Proceedings of the 26th Annual International Conference on Computer Science and Software Engineering, pages 64--74. DOI: 10.5555/3049877.3049884. Online publication date: 31 Oct 2016.
• (2016) Accurate and efficient exploit capture and classification. Science China Information Sciences, 60(5). DOI: 10.1007/s11432-016-5521-0. Online publication date: 13 Sep 2016.
• (2016) Reconstructing Interactions with Rich Internet Applications from HTTP Traces. Advances in Digital Forensics XII, pages 147--164. DOI: 10.1007/978-3-319-46279-0_8. Online publication date: 20 Sep 2016.
• (2015) WebWitness. Proceedings of the 24th USENIX Conference on Security Symposium, pages 1025--1040. DOI: 10.5555/2831143.2831208. Online publication date: 12 Aug 2015.
• (2015) Automated Collection and Analysis of Malware Disseminated via Online Advertising. Proceedings of the 2015 IEEE Trustcom/BigDataSE/ISPA, Volume 01, pages 1411--1416. DOI: 10.1109/Trustcom.2015.539. Online publication date: 20 Aug 2015.
• (2014) ClickMiner. Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, pages 1244--1255. DOI: 10.1145/2660267.2660268. Online publication date: 3 Nov 2014.
• (2014) An evasion and counter-evasion study in malicious websites detection. 2014 IEEE Conference on Communications and Network Security, pages 265--273. DOI: 10.1109/CNS.2014.6997494. Online publication date: Oct 2014.
• (2014) Malicious Web Page Detection: A Machine Learning Approach. Advances in Computer Science and its Applications, pages 217--224. DOI: 10.1007/978-3-642-41674-3_32. Online publication date: 2014.
