
A Crawler-based Study of Spyware on the Web. A. Moshchuk, T. Bragin, D. Gribble, M. Levy, NDSS 2006. Presented by Justin Miller on 3/6/07


Page 1: A Crawler-based Study of Spyware on the Web

A. Moshchuk, T. Bragin, D. Gribble, M. Levy, NDSS 2006

* Presented by Justin Miller on 3/6/07

Page 2: A Quick Joke…

“I caught a little of that computer virus that’s been going around… I haven’t been myself since”

www.CartoonStock.com

Page 3: Overview

Figure: user visits website → web spyware infects computer → computer is unhappy

Page 4: Background

Prior spyware survey: 80% of AOL users' computers infected, with an average of 93 known spyware components per infected machine

Goals of the paper:
Locate spyware on the Internet
Gather Internet spyware statistics
Quantitative analysis of spyware-laden content on the web

Page 5: Outline

What is spyware?
Crawling the web
Web executables
Drive-by downloads
Results
Improvements

Page 6: Definition

Spyware: software that collects personal information about users without the user's knowledge

Spyware techniques:
Log keystrokes
Collect web history
Scan documents on the hard disk

Page 7: Types of Spyware

Spyware-infected executables: found by the HTTP Content-Type header or the URL extension

Drive-by downloads: malicious web content that installs spyware on page load; detected by the event triggers it produces

Page 8: Part I: Executable files

Finding executables:
HTTP Content-Type header indicates an executable
URL contains .exe, .cab, or .msi

Hidden executables:
Embedded in an archive (.zip)
URL appears only inside JavaScript

Missed executables:
URL hidden on a dynamic page (no extension or header to check until it is fetched)
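To make the two checks on this slide concrete, the following is an added Python example of my own, not code from the paper or the presenter. It classifies crawled URLs by Content-Type header and URL extension, pulls URL string literals out of inline JavaScript for the "hidden" case, and shows why a dynamic download link with no extension is missed until the crawler fetches it. The MIME-type list, the regular expression and the sample page are assumptions; the slide only names the header check and the three extensions.

```python
import posixpath
import re
from urllib.parse import urlparse

# Extensions the crawler treated as installers (from the slide).
EXE_EXTENSIONS = {".exe", ".cab", ".msi"}
# Archives that may wrap an installer; the slide lists .zip as a hidden case.
ARCHIVE_EXTENSIONS = {".zip"}
# MIME types that unambiguously label a Windows executable. The slide only says
# the Content-Type header was checked; this particular list is an assumption.
# application/octet-stream is deliberately absent: it is too generic on its own.
EXE_MIME_TYPES = {
    "application/x-msdownload",
    "application/x-msdos-program",
    "application/vnd.microsoft.portable-executable",
}

# Absolute http(s) URLs that appear as string literals inside JavaScript.
URL_IN_JS = re.compile(r"[\"'](https?://[^\"'\s]+)[\"']")


def url_extension(url):
    """Lower-cased extension of the URL path, ignoring the query string."""
    return posixpath.splitext(urlparse(url).path)[1].lower()


def classify(url, content_type=None):
    """Return 'executable', 'archive' or None for one crawled URL.

    Mirrors the slide's two checks: the HTTP Content-Type header (only known
    once the crawler has fetched the URL) and the extension in the URL itself.
    """
    ext = url_extension(url)
    mime = (content_type or "").split(";")[0].strip().lower()
    if mime in EXE_MIME_TYPES or ext in EXE_EXTENSIONS:
        return "executable"
    if ext in ARCHIVE_EXTENSIONS:
        return "archive"
    return None


def urls_in_script(js_source):
    """URLs that exist only as string literals inside a <script> body."""
    return URL_IN_JS.findall(js_source)


def scan_page(links, scripts, content_types):
    """Classify everything reachable from one page.

    links:         URLs found in the page's anchors
    scripts:       inline <script> bodies from the page
    content_types: URL -> Content-Type header seen when the crawler fetched it
                   (absent for URLs that were never fetched)
    Returns {url: kind} for every candidate executable or archive.
    """
    candidates = list(links)
    for js in scripts:
        candidates.extend(urls_in_script(js))
    found = {}
    for url in candidates:
        kind = classify(url, content_types.get(url))
        if kind:
            found[url] = kind
    return found


def demo():
    """Constructed page (not data from the paper's crawl)."""
    links = [
        "http://dl.example.test/setup.exe",
        "http://dl.example.test/bundle.zip",
        "http://dl.example.test/download.php?id=42",  # dynamic: no extension
        "http://www.example.test/about.html",
    ]
    scripts = ['var u = "http://cdn.example.test/inst.cab"; location.href = u;']
    content_types = {
        # The dynamic link only reveals itself once it has been fetched;
        # classify() on the URL alone returns None for it.
        "http://dl.example.test/download.php?id=42": "application/x-msdownload",
        "http://www.example.test/about.html": "text/html; charset=utf-8",
    }
    return scan_page(links, scripts, content_types)


if __name__ == "__main__":
    for url, kind in demo().items():
        print(f"{kind:10s} {url}")
```

The dynamic-page case is the one the slide calls "missed": `classify()` has nothing to go on until the response header arrives, so a crawler that decides from the URL alone (as it must when it does not fetch every link) never sees that installer.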

Page 9: Part I: Executable files

Download, install, and run each executable in a clean VM
Tool automates the installer framework: accepts EULA agreements, clicks through radio buttons and check boxes

Analyze the result with Ad-Aware; its log identifies the spyware program

Page 10: Web Crawling

Heritrix open-source web crawler
Crawled 2,500+ web sites, seeded from:
c|net's download.com for downloadable executables
Randomly selected web sites
Google keyword searches
Crawl depth of 3 links
Also finds .exe files hosted on separate web servers from the seed site

Page 11: Changing Spyware Environment

Two separate program crawls: May and October 2005, each from a generated list of crawling seeds

The most recent anti-spyware signatures were used at the time of each crawl, so the October crawl could detect more spyware than the May crawl

Page 12: Executable Results

Two separate program crawls:
May 2005: 18 million URLs
Oct 2005: 22 million URLs

No appreciable change in spyware overall; one site dropped its number of infected executables

Page 13: Executable Results

Overall spyware: 3.8% in May 2005, 4.4% in Oct 2005

Individual spyware programs: 82 in May 2005, 89 in Oct 2005

Page 14: Infected Executables

Figure: infected executables, May 2005 vs. October 2005

Page 15: Web Categories

Figure: web categories infected with spyware

Page 16: Spyware Functions

Spyware-infected executables contain various spyware functions, and one executable may have several of them

Page 17: Spyware Upgrades

Spyware-infected executables may carry multiple spyware functions
1,294 infected .exe files found in Oct 2005: 880 detected, 414 variants

Page 18: Blacklisting Spyware

Block clients from accessing listed sites, done by a firewall or proxy
Blacklisting is ineffective

Page 19: Part II: Drive-by Downloads

Spyware installed just by visiting a web page
JavaScript embedded in the HTML
Modifies files: system files and the registry
Method: render web pages with an unmodified browser inside a VM and watch what happens

Page 20: Event Triggers for DB-DLs

A page is flagged when an event occurs that matches a trigger. Trigger conditions:
Process creation
File activity (creation)
Suspicious process (file modification)
Registry modified
Browser/OS crash
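The trigger matching on this slide, as an added Python example of my own (not code from the paper or the presenter): a page-visit event log from a hypothetical VM monitor is matched against the five trigger conditions, with an allow-list so that the browser's own cache, cookie and history writes do not fire a trigger on a clean page. The event format, the allow-list paths and both sample logs are constructed assumptions; the slide only names the trigger categories.

```python
import fnmatch

BROWSER_IMAGE = "iexplore.exe"

# Locations the browser writes to while rendering a page. Writes here are
# normal and must not fire a trigger. The exact allow-list is an assumption;
# the slide only lists the trigger categories.
ALLOWED_FILE_GLOBS = [
    "c:/documents and settings/*/local settings/temporary internet files/*",
    "c:/documents and settings/*/cookies/*",
    "c:/documents and settings/*/local settings/history/*",
]
ALLOWED_REGISTRY_GLOBS = [
    "hkcu/software/microsoft/internet explorer/*",
    "hkcu/software/microsoft/windows/currentversion/internet settings/*",
]


def _norm(path):
    """Case-fold and use forward slashes so globs match either separator."""
    return path.replace("\\", "/").lower()


def _allowed(path, globs):
    p = _norm(path)
    return any(fnmatch.fnmatchcase(p, g) for g in globs)


def evaluate(events):
    """Match a page-visit event log against the slide's trigger conditions.

    events: list of dicts from a hypothetical VM monitor, each with a 'kind'
    of 'process_create', 'file_write', 'registry_write' or 'crash'.
    Returns the set of trigger names that fired; an empty set means the page
    behaved like ordinary web content.
    """
    fired = set()
    dropped = set()  # files written outside the allow-list during this visit
    for ev in events:
        kind = ev["kind"]
        if kind == "file_write":
            if not _allowed(ev["path"], ALLOWED_FILE_GLOBS):
                fired.add("file activity")
                dropped.add(_norm(ev["path"]))
        elif kind == "process_create":
            image = _norm(ev["image"])
            if image.rsplit("/", 1)[-1] != BROWSER_IMAGE:
                fired.add("process creation")
            # A process started from a file this same visit dropped is the
            # strongest signal: the page fetched an installer and ran it.
            if image in dropped:
                fired.add("suspicious process")
        elif kind == "registry_write":
            if not _allowed(ev["key"], ALLOWED_REGISTRY_GLOBS):
                fired.add("registry modified")
        elif kind == "crash":
            fired.add("browser/OS crash")
    return fired


def is_drive_by(events):
    """Any fired trigger marks the URL as a drive-by attempt, to be confirmed
    by scanning the VM afterwards."""
    return bool(evaluate(events))


# Constructed event logs (not captured from the paper's crawl).
CLEAN_PAGE = [
    {"kind": "file_write", "path": r"C:\Documents and Settings\crawler\Local Settings\Temporary Internet Files\Content.IE5\logo[1].gif"},
    {"kind": "file_write", "path": r"C:\Documents and Settings\crawler\Cookies\crawler@example[1].txt"},
    {"kind": "registry_write", "key": r"HKCU\Software\Microsoft\Internet Explorer\Main\Window_Placement"},
]

DRIVE_BY_PAGE = [
    {"kind": "file_write", "path": r"C:\Documents and Settings\crawler\Local Settings\Temporary Internet Files\Content.IE5\index[1].htm"},
    {"kind": "file_write", "path": r"C:\WINDOWS\system32\svchelper.exe"},
    {"kind": "process_create", "image": r"C:\WINDOWS\system32\svchelper.exe"},
    {"kind": "registry_write", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svchelper"},
]

if __name__ == "__main__":
    print("clean page:   ", sorted(evaluate(CLEAN_PAGE)))
    print("drive-by page:", sorted(evaluate(DRIVE_BY_PAGE)))
```

The allow-list is what keeps the false-positive rate down: without it every page visit writes cache files and IE registry keys and would trip "file activity" and "registry modified". The trade-off is that spyware which hides its payload inside the cache directory would slip past this particular rule, which is why the process-creation trigger is kept unconditional for anything other than the browser itself.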

Page 21: Complex Web Content

“Time bomb” attack: speed up the virtual time of the guest OS
JavaScript that runs when the page closes: fetch a clean URL before closing
Pop-up windows: allow all of them to open before closing

Page 22: IE Browser Configuration

Security-related IE dialog boxes

Page 23: Drive-by Results

Three web crawls:
May 2005: 45K URLs
Oct 2005: the same URLs
Oct 2005: new URLs

Decrease in infectious URLs; increase in unique spyware programs

Page 24: Drive-by Results (figure)

Page 25: Origin of Drive-by DLs

Top 6 web categories (IE): pirate sites, celebrity, music, adult, games, wallpaper

Page 26: Spyware Top 10

Figure: top 10 spyware programs, May 2005 vs. October 2005

Page 27: Spyware Top 10

Figure: top 10 spyware programs, May 2005 vs. October 2005

Page 28: Spyware Trends

Decline in the total number of spyware programs, attributed to:
Increase of anti-spyware tools
Automated patch installations
Lawsuits against spyware distributors

Page 29: IE vs Firefox Security

Browser              | cfg_y | cfg_n
Internet Explorer v6 | 186   | 92
Firefox v1.0.6       | 36    | 0

cfg_y: browser configured to answer yes to security prompts; cfg_n: configured to answer no

Page 30: Drive-by Summary

Performed 3 URL crawls
Reduction in the % of domains hosting DB-DLs
A small number of domains host the majority of infectious links
Drive-by DLs attempted in 0.4% of URLs
Drive-by attacks in 0.2% of URLs

Page 31: Strengths

Analysis method: studies the density of spyware on the Web and produces spyware trends over time
Calculated the frequency of spyware on the web
Distinguished security prompts (y/n)
Found 14% of spyware is malicious
Density of spyware is substantial

Page 32: Weaknesses

Missed executables: URL hidden in JavaScript or on a dynamic page
Limited by what Ad-Aware is able to detect

Method weaknesses:
Different anti-spyware versions used in May and October, so the two crawls are not directly comparable
Did not crawl the entire web
Cannot relate the density of spyware on the Web to the presence of threats on desktops

Page 33: Improvements

Test multiple browsers
Additional anti-spyware programs
Crawl more URLs
Find geographic patterns of hosts

Page 34: Questions?

Ask me!

Reasons to ask questions:
Class discussion is 20% of your grade
You can’t leave until 5:45 anyway
Of the two of us, I’m probably the only one that read the entire paper (except Dr. Zou)