Landing Landing Intermediate Exploit Exploit Distribution Provos [1] Drive-by Download (Exploit Distribution ) Drive-by Download (FCDBD: Framework for

Size: px

Start display at page:

Download "Landing Landing Intermediate Exploit Exploit Distribution Provos [1] Drive-by Download (Exploit Distribution ) Drive-by Download (FCDBD: Framework for"

さやこのえ
5 years ago
Views:

1 Drive-by Download Web 1,a) 1,b) 1,c) Web Web Web Drive-by Download FCDBD(Framework for Countering Drive-By Download) FCDBD Drive-by Download Landing Web <iframe> Landing Web JavaScript Web Drive-by Download Web A Feasibility Study for Enhancing the Framework for Countering Drive-by Download Attacks with Analysis of Web Link Structures of Websites Abstract: The authors proposed the Framework for Countering Drive-By Download (FCDBD) which monitors the Web by utilizing web access logs from users and detects malicious websites related to the drive-by download attacks. Monitoring link-related behaviors is one of the approaches to detect the malicious websites in the framework. The authors proposed a detection method for the Landing site of Drive-by Download attacks. The method focused on the change of referred websites from a webpage. However, a legitimate webpage has many changes of referred websites caused by advertisement websites or traffic analysis websites. Therefore, it is hard to extract the change caused by the defacement and detect the Landing site correctly. In this paper, the authors propose the improved method for detecting the Landing site of drive-by download attacks. Keywords: Drive-by download attack, Web link analysis 1. Drive-by Download Web Web Web 1 ( )KDDI KDDI R&D Laboratories Inc., Ohara, Fujimino, Saitama , Japan a) ta-matsunaka@kddilabs.jp b) ai-yamada@kddilabs.jp c) kubota@kddilabs.jp 1 Drive-by Download (OS ) (Exploit ) (Distribution ) Exploit (Intermediate ) Intermediate (Landing ) Landing Intermediate Exploit (JavaScript PHP ) 1

Landing Landing Intermediate Exploit Exploit Distribution Provos [1] Drive-by Download (Exploit Distribution ) Drive-by Download (FCDBD: Framework for Countering Drive-By Download) [2] [6] Web Web

2 Landing Landing Intermediate Exploit Exploit Distribution Provos [1] Drive-by Download (Exploit Distribution ) Drive-by Download (FCDBD: Framework for Countering Drive-By Download) [2] [6] Web Web Web Drive-by Download Web Web Web Drive-by Download Drive-by Download [3] Web / Exploit [5] Web Landing [6] Landing JavaScript [4] Landing Web / Web Landing Landing FCDBD Web Web HTTP Request HTTP Response User Force to download malwares 1 Exploit the vulnerabilities Landing sites (defaced) Intermediate sites Drive-by Download Exploit site Distribution site (False Positives) Web % / [5] (Exploit ) 1.5% Web 2. Drive-by Download Drive-by Download Web (honeyclient) Web () [7] [8] honeyclient seed Web (cloaking) Drive-by Download Web ( ) Zhang [10] Drive-by Download HTTP URL 2

Web Access Log, Contents 2 Analysis Center Web Access Log Analysis (Web Link Analysis) Content Analysis (Dynamic/Static) The Internet Access/Download Monitoring Sensors Browser Sensor

HTML URL MDN URL MDN Landing MDN 3. FCDBD: Framework for Countering Drive-By Download 3.

3 Web Access Log, Contents 2 Analysis Center Web Access Log Analysis (Web Link Analysis) Content Analysis (Dynamic/Static) The Internet Access/Download Monitoring Sensors Browser Sensor Web Proxy Sensor Users FCDBD Warnings (central server) MDN(Malware Distribution Network) central server URL MDN Stringhini [11] (OS ) Web Drive-by Download Wand [12] [10] MDN Landing HTML URL MDN URL MDN Landing MDN 3. FCDBD: Framework for Countering Drive-By Download 3.1 FCDBD FCDBD(Framework for Countering Drive-By Download) Drive-by Download [2] [6] 2 FCDBD FCDBD Web ( ) Web (Web ) Web 1 ID Web URL Web HTTP Request/Response Web 1 Web ID ID Web Web Web Web Web Web Web Landing [6] Web / Exploit [5] Web Web Drive-by Download Web [3] 2 / [13] (URL) 3

4 3 Exploit / Distribution Landing <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML>... </DIV><!--c ><script type="text/javascript" src="hxxp://lodgesure.co.za/.../nfyvrkb8.php?id= "></script><!--/c >... </HTML> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <HTML>... </DIV>... </HTML> 4 Landing 3.2 Web Drive-by Download FCDBD Web Drive-by Download Web [6] [5] [3] 1: Landing 3 Web Web Landing Web google twitter Alexa[14] ( ) Firefox Adblock Plus[15] [6] 4 URL URL Landing 4 () <script> Web ( ) Web <script> Web Landing 2: / Exploit 5 Drive-by Download [16] D3M(Drive-by Download Dataset by Marionette) [17] 1 Web Exploit 5 Exploit Exploit Exploit (Exploit /Distribution ) Web Web Exploit Web #fanin#fan-out #fan-in > 1 #fan-out = 1 Web Exploit 4

5 Web /3/3 2014/3/4 Web u 1 u 1 1. Web r 1 r 2 r 1 r 2 r 1,a 2. Web ( 1) {(Web, { })} = {(u 1, {r 1,a, r 1,b,...}),..., (u n, {r n,a,...})} 3. / ( 2) 2 (#fan-in > 1?) u 1 u 3 r 1,a Landing? Exploit? Landing : u 1,..., u m Exploit : r 1,a,..., r m,a,..., r m,l (#fan-out = 1?) r 5 7 Landing Landing site u/.../check.php buzziskin.net/.../ returning_depending.php /.../check.php 2 Web Web : 1,684 : 2014/3/3 2014/3/14( ) URL : 7, Exploit site /Distribution site buzziskin.net/.../ returning_depending.php? xxx (PDF) buzziskin.net/.../ returning_depending.php? yyy (EXE) Drive-by Download Landing #fan-in 2 Exploit #fan-out = 1 Exploit /Distribution / Exploit Landing 7 Landing Web Web Web 1 Web ( ) Web / #fan-in#fan-out #fan-in > 1 #fan-out = 1 Exploit Web Landing 5. Landing 3.2 Landing FCDBD Web Web Web Web 2 Web Web 1,684URL Web URL FCDBD Web Internet Explorer 8 Web (false positives) 8 5

6 Web (2014/3/3 2014/3/14) Web : 1,680URL : 7, Web 2. Web ( 1) Web : 100URL(6.0%)/1 : 116 /1 3. / ( 2) 4 (87 ) Web Advertisement 29 Computers/Internet 21 Internet/Infrastructure /Search Engines/Portals 11 Business/Economy/Finantial 10 Blogs/Web Communications 3 Pornography/Adult/Mature 3 Arts/Entertainment/Games 3 Auctions/Shopping 2 Brokerages/Trading 2 Health/Society/Life Style 2 News/Media 1 Web : 24URL(1.5%)/1 : 18 / Web Web 1,680URL Web ( ) ( 1) Web Web / (Exploit ) Web ( 2) (false positives) Web Web 3 1 Web 3 Web (4.6% 7.5%) Web (1.6% 3.2%) ( 24.2%) 492 ( 2.3%) 10 1 Web 70 (4.1%) 20 (1.2%) Web (0.7% 3.3%) % 5.8% (0.2% 0.7%) (8.9%) 87 (0.5%) Trend Micro Site Safety Center [18] Web Web (Web Advertisement) (Computer/Internet/Infrastructure) webbug Web Web / 2 /

7 3 1 (YYMMDD) Web 1,684 1,684 1,684 1,684 1,684 1,684 1,684 1,684 1,684 1,684 1,684 5,397 5,315 5,240 5,375 5,192 5,318 5,158 5,516 5,285 5,232 7, (YYMMDD) 3326 Web( 1) ( 1) Web( 2) ( 2) (1 : ( 1)Web :100.2(6.0%) :116.1(2.2%) ( 2)Web :24.8(1.5%) :18.2(0.3%)) (YYMMDD) Web( )( 1) ( )( 1) Web( )( 2) ( )( 2) 10 ( ) / (#fan-in > 1 #fan-out = 1 ) 5 5 Drive-by Download [1] / / 1 FCDBD Landing FCDBD Landing Drive-by Download Web Web Web / Web Landing FCDBD 1.5% 100 Web 1 2 FCDBD Web * URL Web 1.5% 23,000 Web Landing Exploit Web *1 7

8 5 2 (YYMMDD) ,397 5,836 6,152 6,507 6,718 6,947 7,152 7,495 7,720 7, ,007 1,094 1, % 8.7% 9.5% 10.7% 11.2% 11.8% 12.3% 13.4% 14.2% 14.7% Web Drive-by Download Landing Web Landing Web / Web Landing 1 6.0% 1.5% FCDBD FCDBD *2 (( NICT) : : ) [1] N. Provos, P. Mavrommatis, M. A. Rajab and F. Monrose, All Your iframes Point to Us, Proc. the 17th USENIX Security Symposium, [2],,,,,, 2011(CSS2011), [3] T. Matsunaka, A. Kubota and T. Kasama, An Approach to Detect Drive-by Download by Observing the Web Page Transition Behaviors, Proc. of 9th Asia Joint Con- *2 ference on Information Security (AsiaJCIS2014), [4].,,,, 31 (SCIS2014), [5],,, Drive-by Download Web Web, 2014(CSS2014), [6] T. Matsunaka, J. Urakawa and A. Kubota, Detecting and Preventing Drive-by Download Attack via Participative Monitoring of the Web, Proc. of 8th Asia Joint Conference on Information Security (AsiaJCIS2013), [7] M. Akiyama, M. Iwamura, Y. Kawakoya, K. Aoki and M. Itoh, Design and Implementation of High Interaction Client Honeypot for Drive-by-Download Attack, IEEE Trans. of Communication, Vol. E93 B, No. 5, pp , May [8] Y M. Wang, D. Beck, X. Jiang, C. Verbowski, S. Chen and S. King, Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities, Proc. 13th Annual Network & Distributed System Security Symposium (NDSS2006), [9] J. W. Stokes, R. Andersen, C. Seifert and K. Chellapilla, WebCop: Locating Neighborhoods of Malware on the Web, Proc. 3rd USENIX Workshop on Large-scale Exploits and Emergent Threats (LEET2010), [10] J. Zhang, C. Seifert, J. W. Stokes and W. Lee, ARROW: GenerAting SignatuRes to Detect DRive-By DOWnloads, Proc. 20th International World Wide Web Conference (WWW2011), [11] G. Stringhini, C. Kruegel and G. Vigna, Shady Paths: Leveraging Surfing Crowds to Detect Malicious Web Pages, Proc. 20th ACM Conference on Computer and Communications Security (CCS2013), [12] G. Wand, J. W. Stokes, C. Herley and D. Felstead, Detecting Malicious Landing Pages in Malware Distribution Networks, Proc. 43rd Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN2013), [13],,,,,, JavaScript, (CSEC), Vol CSEC-64, No. 21, [14] Alexa Actionable Analytics of the Web, alexa.com. [15] Adblock Plus, [16] 2014(MWS2014) [17],,,, MWS Datasets 2014, (CSEC) Vol CSEC-66, No. 19, [18] Trend Micro, Site Safety Center, sitesafety.trendmicro.com/index.php. 8

29 jjencode JavaScript

29 jjencode JavaScript Kochi University of Technology Aca Title jjencode で難読化された JavaScript の検知 Author(s) 中村, 弘亮 Citation Date of 2018-03 issue URL http://hdl.handle.net/10173/1975 Rights Text version author Kochi, JAPAN http://kutarr.lib.kochi-tech.ac.jp/dspa