Preventing drive-by download via inter-module communication monitoring

Proceedings of the 5th International Symposium on Information, Computer and Communications Security, ASIACCS 2010

Volumn , Issue , 2010, Pages 124-134

  Song, Chengyu ^a   Zhuge, Jianwei ^a   Han, Xinhui ^a   Ye, Zhiyuan ^a  

^a NONE

Author keywords

ActiveX; drive by download; inter module communication; intrusion detection; malicious script

Indexed keywords

ACTIVEX; DISTRIBUTED DENIAL OF SERVICE ATTACK; FALSE POSITIVE; INTER-MODULE COMMUNICATION; INTERNET EXPLORERS; INTERNET USERS; MALWARES; MICROSOFT; PERFORMANCE PENALTIES; PERSONAL IDENTIFICATION; PHISHING; PLUG-INS; PROTOTYPE SYSTEM; TEST SETS;

COMPUTER CRIME; DISTRIBUTED PARAMETER CONTROL SYSTEMS; INFORMATION DISSEMINATION; INTERNET; INTRUSION DETECTION; NETWORK SECURITY; WORLD WIDE WEB;

WEB BROWSERS;

EID: 77954497121     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1755688.1755705     Document Type: Conference Paper

References (49)

1. S. Bandhakavi, P. Bisht, P. Madhusudan, and V. N. Venkatakrishnan. Candid: preventing sql injection attacks using dynamic candidate evaluations. In CCS '07: Proceedings of the 14th ACM conference on Computer and communications security, pages 12-24, New York, NY, USA, 2007. ACM.
2. L. Beijing Rising International Software Co. Internet security report for china mainland, 2009 h1. http://it.rising.com.cn/new2008/News/NewsInfo/2009-07- 21/1248160663d53890.shtml, November 2008.
3. P. Bisht and V. N. Venkatakrishnan. XSS-GUARD: Precise dynamic prevention of cross-site scripting attacks. In Detection of Intrusions and Malware, and Vulnerability Assessment, volume 5137 of Lecture Notes in Computer Science, pages 23-43. Springer Berlin / Heidelberg, 2008.
4. D. Brumley, J. Newsome, D. Song, H. Wang, and S. Jha. Towards automatic generation of Vulnerability-Based signatures. In Proceedings of the 2006 IEEE Symposium on Security and Privacy, pages 2-16. IEEE Computer Society, 2006.
5. M. Cruz. Most abused infection vector. http://blog.trendmicro.com/most- abused-infection-vector/, December 2008.
6. W. Cui, M. Peinado, H. J. Wang, and M. E. Locasto. Shieldgen: Automatic data patch generation for unknown vulnerabilities with informed probing. In SP '07: Proceedings of the 2007 IEEE Symposium on Security and Privacy, pages 252-266, Washington, DC, USA, 2007. IEEE Computer Society.
7. D. Dagon, G. Gu, C. P. Lee, and W. Lee. A taxonomy of botnet structures. Computer Security Applications Conference, Annual, 0:325-339, 2007.
8. M. Daniel, J. Honoroff, and C. Miller. Engineering heap overflow exploits with javascript. In WOOT '08: Proceedings of the 2nd USENIX Workshop on Offensive Technologies, July 2008.
9. O. Day, B. Palmen, and R. Greenstadt. Reinterpreting the DisclosureDebate for web infections. In Managing Information Risk and the Economics of Security, pages 1-19. Springer US, 2009.
10. W. Dormann and D. Plakosh. Vulnerability detection in activex controls through automated fuzz test. http://www.cert.org/archive/pdf/dranzer.pdf, 2008.
11. J. R. Douceur, J. Elson, J. Howell, and J. R. Lorch. Leveraging legacy code to deploy desktop applications on the web. In OSDI '08: Proceedings of the 8th USENIX Symposium on Operating Systems Design and Implementation, December 2008.
12. B. Dutertre and L. D. Moura. The yices smt solver. Technical report, SRI International, 2006.
13. M. Egele, P. Wurzinger, C. Kruegel, and E. Kirda. Defending browsers against drive-by downloads: Mitigating heap-spraying code injection attacks. In DIMVA '09: Proceedings of the 6th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment, July 2009.
14. B. Feinstein and D. Peck. Caffeine monkey: Automated collection, detection and analysis of malicious javascript. http://mirror.fpux.com/ HackerCons/BlackHat 2007/BlackHat/Presentations/Feinstien and Peck/Whitepaper/bh-usa-07-feinstien and peck-WP.pdf, 2007.
15. C. Grier, S. Tang, and S. T. King. Secure web browsing with the op web browser. Security and Privacy, IEEE Symposium on, 0:402-416, 2008.
16. W. G. J. Halfond and A. Orso. Amnesia: analysis and monitoring for neutralizing sql-injection attacks. In ASE '05: Proceedings of the 20th IEEE/ACM international Conference on Automated software engineering, pages 174-183, New York, NY, USA, 2005. ACM.
17. W. G. J. Halfond, A. Orso, and P. Manolios. Using positive tainting and syntax-aware evaluation to counter sql injection attacks. In SIGSOFT '06/FSE-14: Proceedings of the 14th ACM SIGSOFT international symposium on Foundations of software engineering, pages 175-185, New York, NY, USA, 2006. ACM.
18. G. Inc. Google safe browsing api. http://code.google.com/apis/ safebrowsing/.
19. C. Kanich, C. Kreibich, K. Levchenko, B. Enright, G. M. Voelker, V. Paxson, and S. Savage. Spamalytics: an empirical analysis of spam marketing conversion. In CCS '08: Proceedings of the 15th ACM conference on Computer and communications security, pages 3-14, New York, NY, USA, 2008. ACM.
20. U. C. S. Lab. Wepawet. http://wepawet.iseclab.org/.
21. D. Moore, C. Shannon, D. J. Brown, G. M. Voelker, and S. Savage. Inferring internet denial-of-service activity. ACM Trans. Comput. Syst., 24(2):115-139, 2006.
22. T. Moore and R. Clayton. An empirical analysis of the current state of phishing attack and defence. In WEIS '07: Proceedings of the Sixth Workshop on the Economics of Information Security, 2007.
23. Mozilla. Spidermonkey (javascript-c) engine. http://www.mozilla.org/js/ spidermonkey/, 2009.
24. J. Nazario. Phoneyc: A virtual client honeypot. In LEET '09: Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats. USENIX Association, 2009.
25. A. Nguyen-Tuong, S. Guarnieri, D. Greene, J. Shirley, and D. Evans. Automatically hardening web applications using precise tainting. In Security and Privacy in the Age of Ubiquitous Computing, volume 181 of IFIP International Federation for Information Processing, pages 295-307. Springer Boston, 2005.
26. T. Pietraszek and C. V. Berghe. Defending against injection attacks through context-sensitive string evaluation. In Recent Advances in Intrusion Detection, volume 3858 of Lecture Notes in Computer Science, pages 124-145. Springer Berlin / Heidelberg, 2006.
27. J. Pincus and B. Baker. Beyond stack smashing: Recent advances in exploiting buffer overruns. IEEE Security and Privacy, 2(4):20-27, 2004.
28. M. Polychronakis, K. G. Anagnostakis, and E. P. Markatos. Emulation-based detection of non-self-contained polymorphic shellcode. In Recent Advances in Intrusion Detection, volume 4637 of Lecture Notes in Computer Science, pages 87-106. Springer Berlin / Heidelberg, 2007.
29. M. Polychronakis, K. G. Anagnostakis, and E. P. Markatos. Network-level polymorphic shellcode detection using emulation. Journal in Computer Virology, 2(4):257-274, February 2007.
30. T. H. Project. Know your enemy: Malicious web servers, August 2007.
31. N. Provos, P. Mavrommatis, M. A. Rajab, and F. Monrose. All your iframes point to us. In Security '08: Proceedings of the 17th Usenix Security Symposium, pages 1-15, Berkeley, CA, USA, 2008. USENIX Association.
32. N. Provos, D. McNamee, P. Mavrommatis, K. Wang, and N. Modadugu. The ghost in the browser analysis of web-based malware. In HotBots'07: Proceedings of the rst conference on First Workshop on Hot Topics in Understanding Botnets, pages 4-4, Berkeley, CA, USA, 2007. USENIX Association.
33. P. Ratanaworabhan, B. Livshits, and B. Zorn. Nozzle: A defense against heap-spraying code injection attacks. In Security '09: Proceedings of the 18th USENIX Security Symposium, 2009.
34. C. Reis, J. Dunagan, H. J. Wang, O. Dubrovsky, and S. Esmeir. Browsershield: Vulnerability-driven filtering of dynamic html. ACM Trans. Web, 1(3):11, 2007.
35. Secunia. 2008 report. http://secunia.com/gfx/Secunia2008Report.pdf, 2008.
36. R. Sekar. An efficient black-box technique for defeating web application attacks. In NDSS '09: Proceedings of the 16th Annual Network & Distributed System Security Symposium, San Diego, CA, Februry 2009.
37. M. Sharif, A. Lanzi, J. Giffin, and W. Lee. Automatic reverse engineering of malware emulators. Security and Privacy, IEEE Symposium on, 0:94-109, 2009.
38. A. Sotirov. Heap feng shui in javascript. http://www.phreedom.org/ research/heap-feng- shui/heap-feng-shui.html, 2008.
39. R. Steenson and C. Seifert. Capture-hpc client honeypot / honeyclient. https://projects.honeynet.org/capture-hpc/.
40. Z. Su and G. Wassermann. The essence of command injection attacks in web applications. In POPL '06: Conference record of the 33rd ACM SIGPLAN-SIGACT symposium on Principles of programming languages, pages 372-382, New York, NY, USA, 2006. ACM.
41. T. Toth and C. Kruegel. Accurate buffer overow detection via abstract pay load execution. In Recent Advances in Intrusion Detection, volume 2516 of Lecture Notes in Computer Science, pages 274-291. Springer Berlin / Heidelberg, 2002.
42. W3Counter. Global web stats. 2009.
43. H. J. Wang, C. Grier, A. Moshchuk, S. T. King, P. Choudhury, and H. Venter. The multi-principal os construction of the gazelle web browser. In Security '09: 19th USENIX Security Symposium, August 2009.
44. H. J. Wang, C. Guo, D. R. Simon, and A. Zugenmaier. Shield: vulnerability-driven network filters for preventing known vulnerability exploits. SIGCOMM Comput. Commun. Rev., 34(4):193-204, 2004.
45. Y.-M. Wang, D. Beck, X. Jiang, R. Roussev, C. Verbowski, S. Chen, and S. T. King. Automated web patrol with strider honeymonkeys: Finding web sites that exploit browser vulnerabilities. In Proceedings of the Network and Distributed System Security Symposium, NDSS 2006, San Diego, California, USA, 2006.
46. Y.-M. Wang, R. Roussev, C. Verbowski, A. Johnson, M.-W. Wu, Y. Huang, and S.-Y. Kuo. Gatekeeper: Monitoring auto-start extensibility points (aseps) for spyware management. In LISA '04: Proceedings of the 18th USENIX conference on System administration, pages 33-46, Berkeley, CA, USA, 2004. USENIX Association.
47. J. Wolf. Heap spraying with actionscript. http://blog.fireeye.com/ research/2009/07/ actionscript heap spray.html, 2009.
48. B. Yee, D. Sehr, G. Dardyk, J. B. Chen, R. Muth, T. Ormandy, S. Okasaka, N. Narula, and N. Fullagar. Native client: A sandbox for portable, untrusted x86 native code. In Proceedings of the 30th IEEE Symposium on Security and Privacy, 2009.
49. J. Zhuge, T. Holz, C. Song, J. Guo, X. Han, and W. Zou. Studying malicious websites and the underground economyon the chinese web. In Managing Information Risk and the Economics of Security, pages 1-20. Springer US, 2009.