A Crawler-based Study of Spyware on the Web
A. Moshchuk, T. Bragin, D. Gribble, M. Levy. NDSS, 2006
Presented by Justin Miller on 3/6/07
A Quick Joke…
“I caught a little of that computer virus that’s been going around… I haven’t been myself since”
www.CartoonStock.com
Overview
- User visits website
- Web spyware infects computer
- Computer is unhappy
Background
- Spyware study
  - Infected 80% of AOL users
  - 93 spyware components (known)
- Goals
  - Locate spyware on the internet
  - Gather Internet spyware statistics
  - Quantitative analysis of spyware-laden content on the web
Outline
- What is spyware?
- Crawling the web
- Web executables
- Drive-by downloads
- Results
- Improvements
Definition
- Spyware: software that collects personal information about users
  - Without the user's knowledge
- Spyware techniques:
  - Log keystrokes
  - Collect web history
  - Scan documents on hard disk
Types of Spyware
- Spyware-infected executables
  - Content-type header
  - URL extension
- Drive-by downloads
  - Malicious web content
  - Produce event triggers
Part I: Executable files
- Finding executables
  - Content-type (HTTP header) contains .exe
  - URL contains .exe, .cab, or .msi
- Hidden executables
  - Embedded file (.zip)
  - URL hidden in JavaScript
- Missed executables
  - Hidden URL on dynamic page
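The finding and hidden-executable rules above, as an added example (not the paper's or the presenter's code): a crawler-side classifier that applies the Content-Type and URL-extension heuristics, then looks inside .zip containers and inline JavaScript for the executables those heuristics would otherwise miss. Helper names, the sample archive and the script string are constructed for illustration.

```python
import io
import re
import zipfile
from urllib.parse import urlparse

EXEC_EXTENSIONS = (".exe", ".cab", ".msi")   # extensions named on the slide
CONTAINER_EXTENSIONS = (".zip",)             # "embedded file" case

def url_extension(url: str) -> str:
    """Lower-cased extension of the URL path, ignoring any query string."""
    path = urlparse(url).path.lower()
    return path[path.rfind("."):] if "." in path.rsplit("/", 1)[-1] else ""

def classify(url: str, content_type: str = "") -> str:
    """'executable', 'container' or 'other': header rule first, then URL rule."""
    # Slide rule: Content-Type contains "exe". Servers often send
    # application/octet-stream instead, which this misses, hence the URL check.
    if "exe" in content_type.lower():
        return "executable"
    ext = url_extension(url)
    if ext in EXEC_EXTENSIONS:
        return "executable"
    if ext in CONTAINER_EXTENSIONS:
        return "container"
    return "other"

def executables_in_zip(data: bytes) -> list:
    """Archive members that would themselves classify as executables."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if classify(n) == "executable"]

def urls_in_javascript(script: str) -> list:
    """Quoted http(s) URLs inside inline JavaScript, so they can be classified too."""
    return re.findall(r"""["'](https?://[^"']+)["']""", script)

def demo() -> dict:
    # Constructed inputs: a zip wrapping an installer and a script that builds a link.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("setup/installer.exe", b"MZ...")   # placeholder bytes, not a binary
        zf.writestr("readme.txt", b"hi")
    js = 'var u = "http://dl.example.test/get.php?id=7"; window.location = u;'
    return {
        "header": classify("http://example.test/download", "application/x-exe"),
        "by_ext": classify("http://example.test/files/tool.CAB?x=1"),
        "zip": executables_in_zip(buf.getvalue()),
        "js_urls": urls_in_javascript(js),
    }
```

The JavaScript case is deliberately weak: a URL assembled at runtime (the slide's "dynamic page") never appears as one quoted literal and is still missed.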
Part I: Executable files (continued)
- Download, install, run in a clean VM
  - Tool to automate installer framework
  - EULA agreements
  - Radio buttons and check boxes
- Analyze file
  - Ad-Aware software
  - Log identifies spyware program
Web Crawling
- Heritrix public domain Web crawler
- Search 2,500+ web sites
  - c|net's download.com for downloadable executables
  - Randomly selected web sites
  - Google keyword search
- Depth of 3 links
- Find .exe hosted on separate Web servers
Changing Spyware Environment
- 2 separate program crawls
  - May, October 2005
  - Generated list of crawling seeds
- Most recent anti-spyware program used
  - October crawl detects more vulnerabilities
Executable Results
- 2 separate program crawls
  - May 2005: 18 million URLs
  - Oct 2005: 22 million URLs
- No appreciable change in spyware
  - One site dropped its number of infected executables
Executable Results (continued)

| | May 2005 | Oct 2005 |
|---|---|---|
| Overall spyware | 3.8% | 4.4% |
| Individual programs | 82 | 89 |
Infected Executables
(Chart: infected executables, May 2005 vs. October 2005)
Web Categories
(Chart: web categories infected with spyware)
Spyware Functions
- Spyware-infected executables
  - Contain various spyware functions
  - Executables may have multiple functions
Spyware Upgrades
- Spyware-infected executables may have multiple spyware functions
- 1,294 infected .exe found in Oct 2005
  - 880 detected
  - 414 variants
Blacklisting Spyware
- Block clients from accessing listed sites
  - Done by firewall or proxy
- Blacklisting is ineffective
Part II: Drive-by Downloads
- Spyware from visiting a web page
  - JavaScript embedded in HTML
- Modifies files
  - System/registry
- Render web pages with unmodified browser
Event Triggers for DB-DLs
- Event occurs that matches a trigger
- Trigger conditions:
  - Process creation
  - File activity (creation)
  - Suspicious process (file modification)
  - Registry file modified
  - Browser/OS crash
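The trigger conditions above, as an added example (not the paper's or the presenter's code): matching them against a constructed log of guest-VM events recorded while the crawler's browser rendered one page. The event names, the browser-cache allowlist and the sample lines are assumptions made for illustration; without such an allowlist, ordinary rendering (cache writes, browser registry keys) would fire a trigger on every page.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

BROWSER = "iexplore.exe"
# Activity the browser performs on any page; assumed paths, lower-cased for matching.
BENIGN_FILE_PREFIXES = (r"c:\documents and settings\user\local settings\temporary internet files",)
BENIGN_REG_PREFIXES = (r"hkcu\software\microsoft\internet explorer",)

@dataclass
class Event:
    when: str
    kind: str      # PROCESS_CREATE, FILE_CREATE, FILE_MODIFY, REGISTRY_MODIFY, CRASH
    actor: str     # process that caused the event
    target: str    # new process, file path, or registry key

def parse(line: str) -> Event:
    """Assumed log format: '<time> <kind> <actor> <target>' (target may contain spaces)."""
    when, kind, actor, target = line.split(" ", 3)
    return Event(when, kind, actor.lower(), target.lower())

def match_trigger(ev: Event) -> Optional[str]:
    """Name of the slide's trigger condition the event satisfies, else None."""
    if ev.kind == "PROCESS_CREATE":
        return "process creation"
    if ev.kind == "FILE_CREATE" and not ev.target.startswith(BENIGN_FILE_PREFIXES):
        return "file activity (creation)"
    if ev.kind == "FILE_MODIFY" and ev.actor != BROWSER:
        return "suspicious process (file modification)"
    if ev.kind == "REGISTRY_MODIFY" and not ev.target.startswith(BENIGN_REG_PREFIXES):
        return "registry modified"
    if ev.kind == "CRASH":
        return "browser/OS crash"
    return None

def triggers_for_visit(lines: List[str]) -> List[Tuple[str, str]]:
    """(trigger, log line) pairs for one page visit; a non-empty list marks the URL infectious."""
    hits = []
    for line in lines:
        name = match_trigger(parse(line))
        if name:
            hits.append((name, line))
    return hits

# Constructed sample visit: two benign browser events, then a process that installs itself.
SAMPLE_VISIT = [
    r"12:00:01 FILE_CREATE iexplore.exe C:\Documents and Settings\user\Local Settings\Temporary Internet Files\ad.htm",
    r"12:00:02 REGISTRY_MODIFY iexplore.exe HKCU\Software\Microsoft\Internet Explorer\Main",
    r"12:00:03 PROCESS_CREATE iexplore.exe C:\WINDOWS\Temp\inst.exe",
    r"12:00:04 FILE_MODIFY inst.exe C:\WINDOWS\system32\drivers\etc\hosts",
    r"12:00:05 REGISTRY_MODIFY inst.exe HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
]
```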
Complex Web Content
- “Time Bomb” attack
  - Speed up virtual time of guest OS
- JavaScript when page closes
  - Fetch a clean URL before closing
- Pop-up windows
  - Allow all to open before closing
IE Browser Configuration
(Figure: security-related IE dialog boxes)
Drive-by Results
- 3 web crawls
  - May 2005: 45K URLs
  - Oct 2005: same URLs
  - Oct 2005: new URLs
- Decrease in infectious URLs
- Increase in unique spyware programs
Drive-by Results (continued)
(Chart only)
Origin of Drive-by DLs
- Top 6 web categories (IE):
  - Pirate sites
  - Celebrity
  - Music
  - Adult
  - Games
  - Wallpaper
Spyware Top 10
(Table: top 10 spyware programs, May 2005 vs. October 2005)
Spyware Trends
- Decline in total number of spyware programs
  - Increase of anti-spyware tools
  - Automated patch installations
  - Lawsuits against spyware distributors
IE vs Firefox Security
Drive-by attacks by browser and configuration (cfg_y: browser configured to answer yes to security prompts; cfg_n: configured to answer no):

| Browser | cfg_y | cfg_n |
|---|---|---|
| Internet Explorer v6 | 186 | 92 |
| Firefox v1.0.6 | 36 | 0 |
Drive-by Summary
- Performed 3 URL crawls
- Reduction in % of domains hosting DB-DLs
- Small number of domains host the majority of infectious links
- Drive-by DLs attempted in 0.4% of URLs
- Drive-by attacks in 0.2% of URLs
Strengths
- Analysis method
  - Studies density of spyware on the Web
  - Produces spyware trends over time
- Calculated frequency of spyware on the web
- Distinguished security prompts (y/n)
- Found 14% of spyware is malicious
- Density of spyware is substantial
Weaknesses
- Missed executables
  - URL hidden in JavaScript, dynamic page
  - Limited by what Ad-Aware is able to detect
- Method weakness
  - Different anti-spyware programs (May/Oct)
  - Did not crawl entire web
  - Cannot relate density of spyware on the Web to the presence of threats on desktops
Improvements
- Test multiple browsers
- Additional anti-spyware programs
- Crawl more URLs
- Find geographic patterns of hosts
Questions?
Ask me!
Reasons to ask questions:
- Class discussion is 20% of your grade
- You can’t leave until 5:45 anyway
- Of the two of us, I’m probably the only one that read the entire paper (except Dr. Zou)