Hunting the red fox online: Understanding and detection of mass redirect-script injections

Proceedings - IEEE Symposium on Security and Privacy

Volumn , Issue , 2014, Pages 3-18

  Li, Zhou ^a,b   Alrwais, Sumayah ^a   Wang, Xiao Feng ^a   Alowaisheq, Eihal ^a  

^a INDIANA UNIVERSITY   (United States)

^b RSA Laboratories   (United States)

Author keywords

Compromised Web Sites; Differential Analysis; Web Redirection

Indexed keywords

HTML; PEER TO PEER NETWORKS; SEARCH ENGINES; WEBSITES;

AUTOMATIC DETECTION; COMMERCIAL DETECTIONS; DIFFERENTIAL ANALYSIS; DRIVE-BY DOWNLOADS; MEASUREMENT STUDY; RAPID DEPLOYMENTS; WEB INFRASTRUCTURE; WEB REDIRECTION;

COMPUTER VIRUSES;

EID: 84910665242     PISSN: 10816011     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1109/SP.2014.8     Document Type: Conference Paper

References (50)

1. Farsight security information exchange. https://api.dnsdb.info/.
2. Joomla! the cms trusted by millions for their websites. http://www.joomla.org/.
3. Malware domains list. http://www.malwaredomainlist.com/.
4. Wordpress, blog tool, publishing platform, and cms. http://wordpress.org/.
5. Semantic Merge - The diff and merge tool that understands C# and Java. http://www.semanticmerge.com/, 2013.
6. K. Borgolte, C. Kruegel, and G. Vigna. Delta: Automatic Identification of Unknown Web-based Infection Campaigns. In Proceedings of the ACM Conference on Computer and Communications Security, CCS '13. ACM, 2013.
7. D. Canali and D. Balzarotti. Behind the scenes of online attacks: an analysis of exploitation behaviors on the web. In In Proceeding of the Network and Distributed System Security Symposium (NDSS'13), 2013.
8. D. Canali, D. Balzarotti, and A. Francillon. The role of web hosting providers in detecting compromised websites. In Proceedings of the 22nd international conference on World Wide Web, WWW '13, pages 177-188, Republic and Canton of Geneva, Switzerland, 2013. International World Wide Web Conferences Steering Committee.
9. D. Canali, M. Cova, G. Vigna, and C. Kruegel. Prophiler: a fast filter for the large-scale detection of malicious web pages. In Proceedings of the 20th international conference on World wide web, WWW '11, pages 197-206, New York, NY, USA, 2011. ACM.
10. M. Cova, C. Kruegel, and G. Vigna. Detection and analysis of driveby-download attacks and malicious javascript code. In Proceedings of the 19th international conference on World wide web, WWW '10, pages 281-290, New York, NY, USA, 2010. ACM.
11. C. Curtsinger, B. Livshits, B. G. Zorn, and C. Seifert. Zozzle: Fast and precise in-browser javascript malware detection. In USENIX Security Symposium. USENIX Association, 2011.
12. D. Danchev. Diy commercially-available 'automatic web site hacking as a service' spotted in the wild webroot threat blog. http://www.webroot.com/blog/2013/07/31/diy-commercially-availableautomatic-web-site-hacking-as-a-service-spotted-in-the-wild/, July 2013.
13. D. Edwards. /packer/. http://dean.edwards.name/packer/, 2013.
14. N. Fraser. google-diff-match-patch - diff, match and patch libraries for plain text - google project hosting. https://code.google.com/p/googlediff-match-patch/, 2013.
15. Google. Can google site search index javascript content on my pages? https://support.google.com/customsearch/answer/72366?hl=en.
16. Google. Safe browsing api google developers. https://developers.google.com/safe-browsing/.
17. Google. Google hosted libraries - developer's guide - make the web faster - google developers. https://developers.google.com/speed/libraries/devguide, 2013.
18. F. Howard. Malware with your Mocha? Obfuscation and antiemulation tricks in malicious Java Script. Technical report, Sept. 2010.
19. F. Howard. Lifting the lid on the redkit exploit kit. http://nakedsecurity.sophos.com/2013/05/03/lifting-the-lid-on-theredkit-exploit-kit-part-1/, May 2013.
20. L. Invernizzi, S. Benvenuti, M. Cova, P. M. Comparetti, C. Kruegel, and G. Vigna. Evilseed: A guided approach to finding malicious web pages. In Proceedings of the 2012 IEEE Symposium on Security and Privacy, SP '12, pages 428-442, Washington, DC, USA, 2012. IEEE Computer Society.
21. A. K. Jain, M. N. Murty, and P. J. Flynn. Data clustering: a review. ACM Comput. Surv., 31(3):264-323, Sept. 1999.
22. J. P. John, F. Yu, Y. Xie, A. Krishnamurthy, and M. Abadi. deseo: combating search-result poisoning. In Proceedings of the 20th USENIX conference on Security, SEC'11, pages 20-20, Berkeley, CA, USA, 2011. USENIX Association.
23. A. Kapravelos, Y. Shoshitaishvili, M. Cova, C. Kruegel, and G. Vigna. Revolver: an automated approach to the detection of evasiveweb-based malware. In Proceedings of the 22nd USENIX conference on Security, SEC'13, pages 637-652, Berkeley, CA, USA, 2013. USENIX Association.
24. C. Kolbitsch, B. Livshits, B. Zorn, and C. Seifert. Rozzle: De-cloaking internet malware. In Proceedings of the 2012 IEEE Symposium on Security and Privacy, SP '12, pages 443-457, Washington, DC, USA, 2012. IEEE Computer Society.
25. S. Lee and J. Kim. Warning Bird: Detecting suspicious URLs in Twitter stream. In Proceedings of the 19th Annual Network & Distributed System Security Symposium, Feb. 2012.
26. N. Leontiadis, T. Moore, and N. Christin. Measuring and analyzing search-redirection attacks in the illicit online prescription drug trade. In Proceedings of the 20th USENIX Conference on Security, SEC'11, pages 19-19, Berkeley, CA, USA, 2011. USENIX Association.
27. Z. Li, S. Alrwais, Y. Xie, F. Yu, and X. Wang. Finding the linchpins of the dark web: a study on topologically dedicated hosts on malicious web infrastructures. In Proceedings of the 2013 IEEE Symposium on Security and Privacy, SP '13, pages 112-126, Washington, DC, USA, 2013. IEEE Computer Society.
28. Z. Li, K. Zhang, Y. Xie, F. Yu, and X. Wang. Knowing your enemy: understanding and detecting malicious web advertising. In Proceedings of the 2012 ACM conference on Computer and communications security, CCS '12, pages 674-686, New York, NY, USA, 2012. ACM.
29. J. Long, E. Skoudis, and A. v. Eijkelenborg. Google Hacking for Penetration Testers. Syngress Publishing, 2004.
30. L. Lu, R. Perdisci, and W. Lee. Surf: detecting and measuring search poisoning. In Proceedings of the 18th ACM conference on Computer and communications security, CCS '11, pages 467-476, New York, NY, USA, 2011. ACM.
31. Microsoft. Microsoft security essentials. http://http://windows.microsoft.com/en-us/windows/security-essentials-download/, 2013.
32. T. Moore and R. Clayton. Financial cryptography and data security. chapter Evil Searching: Compromise and Recompromise of Internet Hosts for Phishing, pages 256-272. Springer-Verlag, Berlin, Heidelberg, 2009.
33. Mozilla. Spidermonkey. https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey/, 2013.
34. E. W. Myers. An o(nd) difference algorithm and its variations. Algorithmica, 1:251-266, 1986.
35. Parallels. Parallels plesk panel - full-featured control panel experience for hosting management. http://www.parallels.com/products/plesk/, 2013.
36. N. Provos, P. Mavrommatis, M. A. Rajab, and F. Monrose. All your iframes point to us. In Proceedings of the 17th conference on Security symposium, pages 1-15, Berkeley, CA, USA, 2008. USENIX Association.
37. C. Reis, S. D. Gribble, T. Kohno, and N. C. Weaver. Detecting inflight page changes with web tripwires. In Proceedings of the 5th USENIX Symposium on Networked Systems Design and Implementation, NSDI'08, pages 31-44, Berkeley, CA, USA, 2008. USENIX Association.
38. J. Resig. jquery. http://jquery.com, 2013.
39. K. Security. Incognito exploit kit redux. http://www.kahusecurity.com/2011/incognito-exploit-kit-redux/, 2011.
40. J. W. Stokes, R. Andersen, C. Seifert, and K. Chellapilla. Webcop: locating neighborhoods of malware on the web. In Proceedings of the 3rd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more, LEET'10, pages 5-5, Berkeley, CA, USA, 2010. USENIX Association.
41. G. Stringhini, C. Kruegel, and G. Vigna. Shady paths: Leveraging surfing crowds to detect malicious web pages. In Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, CCS '13, pages 133-144, New York, NY, USA, 2013. ACM.
42. Sucuri. Sucuri 2012 web malware trends report. http://blog.sucuri.net/2013/03/2012-web-malware-trend-report-summary.html, 2012.
43. Sucuri. Apache php injection to javascript files. http://blog.sucuri.net/2013/06/apache-php-injection-to-javascript-files.html, 2013.
44. Symantec. 2013 Norton Report. http://www.symantec.com/about/news/resources/press kits/detail.jsp?pkid=norton-report-2013, 2013.
45. Virus Total. Virustotal - free online virus, malware and url scanner. https://www.virustotal.com/, 2013.
46. W3techs. Usage statistics and market share of javascript libraries for websites, november 2013. http://w3techs.com/technologies/overview/javascript library/all, November 2013.
47. D. Y. Wang, S. Savage, and G. M. Voelker. Cloak and dagger: dynamics of web search cloaking. In Y. Chen, G. Danezis, and V. Shmatikov, editors, ACM Conference on Computer and Communications Security, pages 477-490. ACM, 2011.
48. Y. Wang, D. Beck, X. Jiang, and R. Roussev. Automated web patrol with strider honeymonkeys: Finding web sites that exploit browser vulnerabilities. In In Proceeding of the Network and Distributed System Security Symposium (NDSS'06), 2006.
49. Web Sense. Websense 2013 threat report. http://www.websense.com/assets/reports/websense-2013-threat-report.pdf, 2013.
50. E. Woodruff. A javascript compression tool for web applications. http://www.codeproject.com/Articles/4617/A-JavaScript-Compression-Tool-for-Web-Applications, 2006.