ABSTRACT
Exploit kits are software toolkits used for widespread malware distribution via automated infection of victims' computers through Internet web pages. They are extremely hard to detect because they constantly evolve, frequently changing their hosted domains and URL patterns, which renders any signature-based detection ineffective.
In this paper we analyse common exploit kit characteristics and propose a detection method that relies solely on the information extracted from HTTP proxy logs, which are commonly available in most enterprise networks. Our method leverages exploit kit characteristics that are shared across different exploit kit families and are unlikely to change, since they are crucial for the exploitation process.
We perform two sets of experiments to evaluate the efficacy of the proposed method. The first set uses network traces of a number of publicly available malicious samples to estimate the recall of the proposed method. The second set uses real network traffic collected in a large number of corporate networks to estimate its precision. Both sets of experiments show satisfactory performance of the algorithm.