EvilSeed: A guided approach to finding malicious web pages

Proceedings - IEEE Symposium on Security and Privacy

Volumn , Issue , 2012, Pages 428-442

  Invernizzi, Luca ^a   Comparetti, Paolo Milani ^b,c   Benvenuti, Stefano ^d   Kruegel, Christopher ^a   Cova, Marco ^b,e   Vigna, Giovanni ^a  

^a UNIVERSITY OF CALIFORNIA   (United States)

^b Lastline Inc ^*  (Austria)

^c VIENNA UNIVERSITY OF TECHNOLOGY   (Austria)

^d University Genova   (Switzerland)

^e UNIVERSITY OF BIRMINGHAM   (United Kingdom)

Author keywords

Drive By Downloads; Guided Crawl Web Security; Guided Crawling; Web Security

Indexed keywords

TOXICITY; WEB CRAWLER; WEBSITES;

DRIVE-BY DOWNLOADS; ENGINEERING TECHNIQUES; GUIDED CRAWL-WEB SECURITY; GUIDED CRAWLING; MALICIOUS CODES; MALICIOUS WEB PAGES; PRE-FILTERING; SOCIAL ENGINEERING; WEB SECURITY;

SEARCH ENGINES;

EID: 84870640932     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2012.33     Document Type: Conference Paper

References (47)

1. N. Provos, D. McNamee, P. Mavrommatis, K. Wang, and N. Modadugu, "The Ghost in the Browser: Analysis of Web-based Malware," in USENIX Workshop on Hot Topics in Understanding Botnet, 2007.
2. N. Provos, P. Mavrommatis, M. A. Rajab, and F. Monrose, "All Your iFrames Point to Us," in USENIX Security Symposium, 2008.
3. M. Polychronakis, P. Mavrommatis, and N. Provos, "Ghost Turns Zombie: Exploring the Life Cycle of Web-based Malware," in USENIX Workshop on Large-Scale Exploits and Emergent Threats, 2008.
4. M. A. Rajab, L. Ballard, P. Mavrommatis, N. Provos, and X. Zhao, "The Nocebo Effect on the Web: An Analysis of Fake Anti-Virus Distribution," in USENIX Workshop on Large-Scale Exploits and Emergent Threats, 2010.
5. M. Cova, C. Leita, O. Thonnard, A. Keromytis, and M. Dacier, "An Analysis of Rogue AV Campaigns," in Symposium on Recent Advances in Intrusion Detection (RAID), 2010.
6. M. Cova, C. Kruegel, and G. Vigna, "Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code," in International World Wide Web Conference (WWW), 2010.
7. J. Nazario, "PhoneyC: A Virtual Client Honeypot," in USENIX Workshop on Large-Scale Exploits and Emergent Threats, 2009.
8. K. Rieck, T. Krueger, and A. Dewald, "Cujo: Efficient Detection and Prevention of Drive-by-Download Attacks," in Annual Computer Security Applications Conference (ACSAC), 2010.
9. Y.-M. Wang, D. Beck, X. Jiang, R. Roussev, C. Verbowski, S. Chen, and S. King, "Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites that Exploit Browser Vulnerabilities," in Symposium on Network and Distributed System Security (NDSS), 2006.
10. C. Seifert and R. Steenson, "Capture-HPC," http://goo.gl/vSdds.
11. N. Provos, J. McClain, and K. Wang, "Search Worms," in ACM Workshop on Recurring Malcode (WORM), 2006.
12. J. John, F. Yu, Y. Xie, M. Abadi, and A. Krishnamurthy, "Searching the Searchers with SearchAudit," in USENIX Security Symposium, 2010.
13. IBM, "Mid-Year Trend and Risk Report," Tech. Rep., 2010.
14. T. Moore and R. Clayton, "Evil Searching: Compromise and Recompromise of Internet Hosts for Phishing," in International Conference on Financial Cryptography and Data Security, 2008.
15. S. Small, J. Mason, F. Monrose, N. Provos, and A. Stubblefield, "To Catch A Predator: A Natural Language Approach for Eliciting Malicious Payloads," in USENIX Security Symposium, 2008.
16. Google, "Safe Browsing API," http://goo.gl/vIYfk, 2011.
17. J. Stokes, R. Andersen, C. Seifert, and K. Chellapilla, "WebCop: Locating Neighborhoods of Malware on the Web," in USENIX Workshop on Large-Scale Exploits and Emergent Threats, 2010.
18. J. Long, E. Skoudis, and A. v. Eijkelenborg, Google Hacking for Penetration Testers, 2004.
19. J. Long, "Google Hacking Database," http://goo.gl/qmPA8.
20. Cult of the Dead Cow, "Goolag Scanner," http://goo.gl/lBK1o.
21. D. Canali, M. Cova, C. Kruegel, and G. Vigna, "A fast filter for the large-scale detection of malicious web pages," in International World Wide Web Conference (WWW), 2011.
22. C. Curtsinger, B. Livshits, B. Zorn, and C. Seifert, "Zozzle: Low-overhead Mostly Static JavaScript Malware Detection," Microsoft Research, Tech. Rep., 2010.
23. Yahoo, "Yahoo Term Extraction API," http://goo.gl/wGacG.
24. R. Flores, "How Blackhat SEO Became Big," Trend Micro, Tech. Rep., 2010.
25. F. Howard and O. Komili, "Poisoned search results: How hackers have automated search engine poisoning attacks to distribute malware." SophosLabs, Tech. Rep., 2010.
26. B. Googins, "Black Hat SEO Demystified: Abusing Google Trends to Serve Malware," 2010.
27. B. Zdrnja, "Down the RogueAV and Blackhat SEO rabbit hole," http://goo.gl/5nDuK, 2010.
28. D. Wang, S. Savage, and G. Voelker, "Cloak and dagger: dynamics of web search cloaking," in 18th ACM conference on Computer and communications security. ACM, 2011.
29. B. Wu and B. D. Davison, "Detecting semantic cloaking on the web," 2006.
30. K. Chellapilla and D. M. Chickering, "Improving cloaking detection using search query popularity and monetizability," in 2nd International Workshop on Adversarial Information Retrieval on the Web (AIRWeb), 2006.
31. B. Wu and B. D. Davison, "Cloaking and redirection: A preliminary study," in Workshop on Adversarial Information Retrieval on the Web (AIRWeb), 2005.
32. M. Cutts and J. Shellen, "Preventing comment spam," http://goo.gl/rA9mZ, 2005.
33. S. Ford, M. Cova, C. Kruegel, and G. Vigna, "Analyzing and Detecting Malicious Flash Advertisements," in Annual Computer Security Applications Conference (ACSAC), 2009.
34. A. Moshchuk, T. Bragin, D. Deville, S. Gribble, and H. Levy, "SpyProxy: Execution-based Detection of Malicious Web Content," in USENIX Security Symposium, 2007.
35. A. Moshchuk, T. Bragin, S. Gribble, and H. Levy, "A Crawler-based Study of Spyware in the Web," in Symposium on Network and Distributed System Security (NDSS), 2006.
36. B. Feinstein and D. Peck, "Caffeine Monkey: Automated Collection, Detection and Analysis of Malicious JavaScript," in Black Hat Security Conference, 2007.
37. P. Likarish, E. Jung, and I. Jo, "Obfuscated Malicious Javascript Detection using Classification Techniques," in Conference on Malicious and Unwanted Software (Malware), 2009.
38. P. Ratanaworabhan, B. Livshits, and B. Zorn, "NOZZLE: A Defense Against Heap-spraying Code Injection Attacks," in USENIX Security Symposium, 2009.
39. M. Egele, P. Wurzinger, C. Kruegel, and E. Kirda, "Defending Browsers against Drive-by Downloads: Mitigating Heapspraying Code Injection Attacks," in Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), 2009.
40. B. Hartstein, "Jsunpack: A Solution to Decode JavaScript Exploits as they Rapidly Evolve," in ShmooCon Conference, 2009.
41. S. Chenette, "The Ultimate Deobfuscator," in ToorCon, 2008.
42. L. Lu, V. Yegneswaran, P. Porras, and W. Lee, "BLADE: An Attack-Agnostic Approach for Preventing Drive-By Malware Infections," in ACM Conference on Computer and Communications Security (CCS), 2010.
43. J. Zhang, C. Seifert, J. Stokes, and W. Lee, "ARROW: Generating Signatures to Detect Drive-By Downloads," in International World Wide Web Conference (WWW), 2011.
44. C. Seifert, P. Komisarczuk, and I. Welch, "Identification of Malicious Web Pages with Static Heuristics," in Austalasian Telecommunication Networks and Applications Conference, 2008.
45. S. Yadav, A. K. Reddy, A. Reddy, and S. Ranjan, "Detecting algorithmically generated malicious domain names," in Conference on Internet Measurement (IMC), 2010.
46. L. Bilge, E. Kirda, C. Kruegel, and M. Balduzzi, "EXPOSURE: Finding Malicious Domains Using Passive DNS Analysis," in Symposium on Network and Distributed System Security (NDSS), 2011.
47. M. Felegyhazi, C. Kreibich, and V. Paxson, "On the Potential of Proactive Domain Blacklisting," in USENIX Workshop on Large-Scale Exploits and Emergent Threats, 2010.