2015 HTTP Web 2016 2 1 5114F036-1
1 4 1.1..................................... 4 1.2..................................... 5 1.3..................................... 5 2 HTTP 7 2.1 HTTP.................................... 7 2.2 HTTP..................................... 7 2.2.1 GET................................. 7 2.2.2 Referer ()............................. 8 2.2.3 User-Agent................................. 8 2.2.4 Accept.................................... 8 2.3 HTTP..................................... 9 2.3.1 HTTP................................ 9 2.3.2 HTTP.......................... 9 2.3.3 Content-Type................................ 10 3 Drive-by-Download 11 3.1 Drive-by-Download.............................. 11 3.2 Blackhole...................................... 12 3.3 Redkit........................................ 13 3.4 JavaScript.............................. 13 4 14 4.1..................... 14 4.2 Web.......... 14 4.3 Detecting Malicious HTTP Redirections by User Browsing Activity...... 16 1
5 17 5.1................................... 17 5.2....................................... 17 5.2.1..................................... 17 5.2.2................................ 17 5.2.3............................... 18 5.3............................. 18 5.4............................... 20 5.5.................................... 21 5.6.............................. 21 5.6.1............................... 21 5.6.2................................. 22 6 23 6.1................................ 23 6.2..................................... 24 6.3 1............................... 24 6.4 2................................ 25 6.5 3......................... 25 6.6......................................... 26 7 30 7.1........................................ 30 7.2..................................... 30 7.2.1................................ 30 7.2.2............................ 31 32 33 2
2.1 GET.................................. 8 2.2 HTTP............................... 9 3.1 Drive-by-Download.............................. 12 3.2................................ 13 4.1............................. 15 5.1.................................... 18 5.2.................................... 19 5.3 ( D)...................................... 19 5.4..................................... 20 5.5.................................... 21 5.6........................................ 22 5.7.................................. 22 6.1.......................... 23 6.2 ().................... 27 6.3 ( )..................... 28 6.4 ()................. 29 3
2.1 HTTP.............................. 10 4.1................................ 15 5.1 ( D)............................... 20 6.1..................... 24 6.2........................... 25 6.3.................................... 25 6.4.................................. 26 6.5......................... 26 4
1 1.1 Web Web [1] iframe JavaScript [2] Web Drive-by-Download ( 3 ) Drive-by-Download Web Web Web IP [3] 5
1 1.2 HTTP Web HTTP URL Web 1 Web HTTP 1.3 1 2 HTTP HTTP (Hypertext Transfer Protocol) 3 Drive-by-Download Web Drive-by-Download 4 5 6 1 6
2 HTTP 2.1 HTTP HTTP (Hypertext Transfer Protocol) HTML (HyperText Markup Language) HTTP HTTP HTTP URL HTTP ( 2.2 ) Web HTTP ( 2.2 ) HTTP ( 2.3.2 ) HTTP ( 2.3 ) 2.2 HTTP 2.2.1 GET URL GET 2.1 HTML GET 2.1 GET (Request Method: GET) www.xxx.zzz/index.html URL index.html (Referer, 2.2.2 ) (User-Agent 2.2.3 ) HTTP (Accept-Encoding) GET 8
2 HTTP
GET /index.html HTTP/1.1
Accept: */*
Referer: http://hoge.com/index.html
Accept-Language: ja
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (Compatible; MSIE 6.0; Windows NT 5.1;)
Host: www.xxx.zzz
Connection: Keep-Alive
2.1: GET
2.2.2 Referer () GET Referer () Referer URL Referer URL GET 2.1 Referer http://hoge.com/index.html http://hoge.com/index.html http://www.xxx.zzz/index.html 2.2.3 User-Agent User-Agent HTTP Web User-Agent Mozilla [4] Netscape Navigator Web User-Agent Mozilla PC Web User-Agent Mozilla Opera [4] 2.2.4 Accept Accept HTTP (MIME ) HTTP 9
2 HTTP HTTP Accept HTTP ( 2.3.2 ) 406 2.1 Accept */* HTTP HTTP 2.3 HTTP 2.3.1 HTTP HTTP HTTP 2.2 HTTP 2.2 2.1 HTTP HTTP 1 HTTP ( 2.3.2 ) (Date) (Content-Length) (Content-Type, 2.3.3 )
HTTP/1.1 200 OK
Server: Apache
Last-Modified: Mon, 14 Oct 2013 13:00:27 GMT
Accept-Ranges: bytes
Content-Length: 3296
Content-Type: application/zip
Cache-Control: max-age=205
Expires: Mon, 14 Oct 2013 13:08:35 GMT
Date: Mon, 14 Oct 2013 13:05:10 GMT
Connection: keep-alive
2.2: HTTP
2.3.2 HTTP HTTP HTTP 3 10
2 HTTP HTTP 2.1 2.2 HTTP 200 OK
2.1: HTTP
1xx (e.g. 100 Continue)
2xx (e.g. 200 OK)
3xx (e.g. 301 Moved Permanently, Location)
4xx (e.g. 401 Unauthorized)
5xx (e.g. 500 Internal Server Error)
2.3.3 Content-Type Content-Type / MIME JPEG Content-Type image/jpeg MIME 1 1 MIME 1 MIME JavaScript application/javascript text/javascript MIME 11
3 Drive-by-Download 3.1 Drive-by-Download Drive-by-Download Web Web iframe JavaScript Web Web [2] Drive-by-Download 3.1 HTTP Exploit kit Oracle Java Acrobat/Reader Adobe Flash Java Runtime Environment [1, 2, 5] Web SQL ID PASSWORD Twitter (SNS) URL [6] 12
3 Drive-by-Download 3.1: Drive-by-Download 3.2 Blackhole Blackhole Web [5] Web PC PC Web Drive-by-Download [7]Blackhole Blackhole 2 Blackhole OS Web 2013 10 Blackhole 8 Blackhole Blackhole [8, 9] 2 13
3 Drive-by-Download 3.3 Redkit Redkit 2013 Blackhole PC Web Java Adobe PDF Flash Blackhole Redkit Java [9] 3.4 JavaScript JavaScript HTTP JavaScript
alert("Hello, World!!");
[10] 3.2
eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('0("1, 2!!");',3,3,'alert|Hello|World'.split('|'),0,{}))
3.2: eval String replace, split escape ASCII fromCharCode 14
4 4.1 [11] URL 4.1 HTTP 4.1 6 4.1 URL URL 4.1 URL HTTP HTTP (6) URL HTTP (6) HTTP URL HTTP 4.2 Web [12] Drive-by-Download 15
4 4.1:
pdf: application/pdf
swf: application/x-shockwave-flash
BIN: application/octet-stream, application/x-msdownload, application/x-download, application/x-msdos-program
(1) URL URL HTTP (2) HTTP 3xx (3) HTTP URL (4) HTTP URL (5) (6) HTTP URL 4.1: Web URL HTML 0 1 (JavaScript CSS ) 2 URL 16
4 4.3 Detecting Malicious HTTP Redirections by User Browsing Activity Mekky [13] ISP IDS 17
5 5.1 HTTP Web Web 5.2 5.2.1 [11] HTTP Web HTTP HTTP [14] 5.2.2 HTTP 5.1 URL 18
5 5.1: 5.2.3 HTTP (4.1) HTTP URL URL HTTP URL URL HTTP Host header URL 5.3 ( 5.2 ) 5.3 ( D) ( D) Web ( D) Accuracy 5.1 5.1 TPR 19
5 5.2: 5.3: ( D) 20
5 5.1: ( D) [%] [%]
Accuracy 98.52 84.93
TPR 98.85 92.86
FPR 1.68 26.33
5.4 5.4 Web 2 (4 ) [12] Mekky [13] 5.4: 21
5 5.5 5.5 3 1 HTTP Web HTTP Drive-by-Download D3M2015 [15] HTTP 2 1 3 2 HTTP Web Web 5.5: 5.6 5.6.1 5.6 7 [11] ( 4.1 ) (6) URL 22
5 X-Powered-By header [16] WEB Referrer header [17] (1) (NotUrl) (2) (TransPerTime) (3) X-Powered-By header (PhpVer) (4) Referrer header (Ref) (5) HTTP (Data) (6) (Trans) (7) (MalGrade) 5.6: 5.6.2 5.6 MalGrade TransPerTime PhpVer Ref 3 5.7 3 5.7: 23
6 6.1 Web D3M2015 [15] NTT Web Marionette [18] Web Marionette OS Windows XP SP2 Web Internet Explorer 6.0 Adobe Reader Flash Player WinZip QuickTime JRE Marionette 6.1 HTTP Accept ( 2.2.4 ) User-Agent Mozilla, Opera ( 2.2.3 ) User-Agent api, application, bat, bot, crawl, exe, hunny, pot, program 6.1: HTTP 6.1 1000 HTTP 24
6 HTTP 6.1 5.3 ( D) 6.1: (D3M2015) 2014/ 4/11, 5/ 2, 2015/ 2/ 8 515 2015/10/23, 11/9 191 6.2 3 1 SVM (Support Vector Machine) Accuracy Accuracy 2 Accuracy TPR FPR 3 1 2 Web 6.3 1 SVM 5.1 ( D) ( ( D)) 6.2 Accuracy TPR (True Positive Rate) Web Web FPR (False Positive Rate) Web 25
6 6.2: [%] ( D) [%]
Accuracy 95.58 84.93
TPR 94.24 92.86
FPR 3.69 26.33
6.4 2 2 7 MalGrade ( ) 6 SVM Accuracy TPR FPR
6.3: Accuracy [%]
NotUrl 81.02
TransPerTime 81.02
PhpVer 96.18
Ref 71.25
Data 92.21
Trans 81.02
6.3 PhpVer (X-Powered-By header ) Accuracy PhpVer Accuracy TPR FPR 6.4 6.5 3 1 2 26
6 6.4: [%] [%]
Accuracy 96.18 95.58
TPR 92.15 94.24
FPR 2.34 3.69
6.2 6.3 6.4 6.5 () / ( )
6.5: 0.30 0.27 0.28
6.6 1 3 1 ( D) TPR TPR ( D) ( D) TPR 2 3 PhpVer Accuracy TPR 27
6 (figure 6.2 omitted; both axes in %) 6.2: () 3 () / ( ) 7 3 6.2 6.3 2 () 24% 50% 28
6 (figure 6.3 omitted; both axes in %) 6.3: ( ) 29
6 (figure 6.4 omitted; both axes in %) 6.4: () 30
7 7.1 HTTP URL Web Web URL URL 7.2 7.2.1 URL 5.2.3 31
7 7.2.2 5.6.2 MalGrade ( ) 32
[1] IBM Security Service, 2015 Tokyo SOC, IBM, https://www-304.ibm.com/connections/blogs/tokyo-soc/resource/pdf/tokyo soc report2015 h1.pdf?lang=ja, September 2015.
[2] JPCERT, Web, JPCERT, https://www.jpcert.or.jp/at/2013/at130027.html, June 2013.
[3] Independent Tests of Anti-Virus Software, http://www.av-comparatives.org/
[4] Kazuhiro Furuhata, useragent, OpenSpace, http://www.openspc2.org/useragent/, October 2012.
[5] McAfee, 6, McAfee, http://www.mcafee.com/japan/security/monthly/pc201305.asp, June 2013.
[6] 14.3 URL, CNET Japan, http://japan.cnet.com/news/business/20426859/, March 2011.
[7] Nick Johnston, Blackhole Exploit Kit Gets an Upgrade: Pseudo-random Domains, Symantec, http://www.symantec.com/connect/blogs/blackhole-exploit-kitgets-upgrade-pseudo-random-domains, June 2012.
[8] Charlie Osborne, Blackhole malware toolkit creator Paunch suspect arrested, CBS Interactive, http://www.zdnet.com/blackhole-malware-toolkit-creator-pauncharrested-7000021740/, October 2013.
[9] SophosLabs, 2014, Sophos, http://www.sophos.com/ja-jp/medialibrary/pdfs/other/sophos-security-threat-report-2014.pdf, January 2014.
[10] /packer/, http://dean.edwards.name/packer/
[11] 2010, 3F1, pp.765-770, October 2010.
[12] Web, 2011, pp.205-210, July 2011.
[13] Hesham Mekky, Ruben Torres, Zhi-Li Zhang, Sabyasachi Saha, Antonio Nucci, Detecting malicious HTTP redirections using trees of user browsing activity, INFOCOM 2014, pp.1159-1167, 2014.
[14] HTTP Web, p.180, March 2014.
[15] 2015 (MWS2015), http://www.iwsec.org/mws/2015/
[16] Drive By Download HTTP, pp.1-6, March 2013.
[17] Yuta Takata, Shigeki Goto and Tatsuya Mori, Analysis of Redirection Caused by Web-based Malware, Proceedings of the Asia-Pacific Advanced Network 2011, v.32, pp.53-62, August 2011.
[18] Mitsuaki Akiyama, et al., Design and Implementation of High Interaction Client Honeypot for Drive-by-download Attacks, IEICE Transactions on Communication, Vol.E93-B, No.5, pp.1131-1139, May 2010.
[19] HTTP Web, 2013(1), pp.549-551, March 2013.
[20] 2011 (MWS2011), http://www.iwsec.org/mws/2011/
[21] 2012 (MWS2012), http://www.iwsec.org/mws/2012/
[22] MWS2013, MWS2013 Datasets, http://www.iwsec.org/mws/2013/about.html
[23] Microsoft, Microsoft Security Intelligence Report Volume 18, Microsoft Corporation, https://www.microsoft.com/en-us/download/confirmation.aspx?id=46928, December 2014.
[24] Mynavi Corporation, IBM, Mynavi Corporation, http://news.mynavi.jp/articles/2015/09/08/ibm/, September 2015.
[25] McAfee Labs, McAfee Labs: 2015 2, McAfee, http://www.mcafee.com/jp/resources/reports/rp-quarterly-threat-q2-2015.pdf, August 2015.
[26] IBM, IBM X-Force, IBM, http://www-01.ibm.com/software/jp/cmp/security report/, September 2015.
[27] Mynavi Corporation, IE JRE, Mynavi Corporation, http://news.mynavi.jp/articles/2013/10/11/mcafee9/, October 2013.
[28] Symantec Corporation, 2013 1, Symantec, http://www.symantec.com/content/ja/jp/enterprise/white papers/sr wp spam report 1301.pdf, February 2013.
[29] Web 4 IBM, Impress Watch Corporation, an Impress Group company, http://cloud.watch.impress.co.jp/docs/news/20130826 612630.html, August 2013.
[30] TCPDUMP & LIBPCAP, http://www.tcpdump.org/
[31] Wireshark, tshark, http://www.wireshark.org/