LoGos: Internet-Explorer-Based Malicious Webpage Detection

  • Kim, Sungjin (Graduate School of Information Security, School of Computing, Korea Advanced Institute of Science and Technology) ;
  • Kim, Sungkyu (Information Sharing and Analysis Center, NcubeLab) ;
  • Kim, Dohoon (ITMD, Agency for Defense Development)
  • Received : 2016.11.14
  • Accepted : 2017.04.09
  • Published : 2017.06.01

Abstract

Malware propagated via the World Wide Web is one of the most dangerous tools in cyber-attacks. Its methods are effective, relatively easy to use, and evolve constantly in unexpected ways. As a result, quickly identifying malware-propagating websites among a myriad of webpages is a difficult task. In this paper, we present LoGos, an automated high-interaction dynamic analyzer optimized for a browser-based Windows virtual machine environment. LoGos injects into Internet Explorer and hooks its APIs, and scrutinizes malicious behaviors such as new network connections, unused open ports, registry modifications, and file creation. From these observations, LoGos determines a maliciousness level. This design yields a very lightweight system: it is approximately 10 to 18 times faster than systems proposed in previous work, while providing detection rates equal to those of state-of-the-art tools. LoGos is a closed tool that can detect an extensive array of malicious webpages. We demonstrate its efficiency and effectiveness by analyzing almost 0.36 M domains and 3.2 M webpages on a daily basis.
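The abstract describes the detection stage only in outline: API hooks inside the browser process report file, registry, process and socket activity, and the collected behaviors are turned into a maliciousness level. The following Python is an added illustration of that scoring stage, not LoGos code and not the authors' rules. It assumes a hypothetical hook-log format ("<seq> <hooked API> <argument>", one event per line), a constructed sample trace, and illustrative weights and thresholds; the DLL injection and hooking inside iexplore.exe that would produce such a log are not shown. The point it makes is the baseline: a browser legitimately writes to its cache and connects on web ports, so those events score zero, while dropped executables, autorun keys, child processes, non-web connections and listening sockets accumulate a score.

```python
"""Behavior scoring over browser API-hook events (added example, not LoGos code)."""

# Constructed sample traces. The line format "<seq> <hooked API> <argument>"
# is an assumption for this example, not the LoGos log format.
MALICIOUS_LOG = """\
1 CreateFileW C:\\Users\\victim\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\index[1].htm
2 connect 93.184.216.34:443
3 CreateFileW C:\\Users\\victim\\AppData\\Local\\Temp\\svch0st.exe
4 RegSetValueExW HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater
5 CreateProcessW C:\\Users\\victim\\AppData\\Local\\Temp\\svch0st.exe
6 connect 198.51.100.7:4444
7 listen 0.0.0.0:31337
"""

BENIGN_LOG = """\
1 CreateFileW C:\\Users\\victim\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\index[1].htm
2 connect 93.184.216.34:443
3 CreateFileW C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\victim@example[1].txt
"""

# Locations where an Internet Explorer process is expected to write (baseline).
BROWSER_WRITE_DIRS = (
    r"\AppData\Local\Microsoft\Windows\Temporary Internet Files",
    r"\AppData\Local\Microsoft\Windows\INetCache",
    r"\AppData\Roaming\Microsoft\Windows\Cookies",
)
EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".vbs", ".js")
WEB_PORTS = {80, 443, 8080}

# Illustrative weights (an assumption; LoGos' actual weighting is not published here).
WEIGHTS = {
    "exec_drop": 3,          # executable written outside the browser cache
    "unexpected_write": 1,   # any other write outside the browser cache
    "autorun_key": 3,        # persistence via a Run key
    "child_process": 4,      # browser spawning a process
    "odd_port_connect": 2,   # outbound connection to a non-web port
    "listen_port": 3,        # browser opening a listening socket
}


def parse_event(line):
    """Split one log line into (sequence number, hooked API, argument)."""
    seq, api, arg = line.split(" ", 2)
    return int(seq), api, arg


def classify(api, arg):
    """Map one hooked call to a finding tag, or None when it matches browser baseline."""
    low = arg.lower()
    if api == "CreateFileW":
        if any(d.lower() in low for d in BROWSER_WRITE_DIRS):
            return None
        return "exec_drop" if low.endswith(EXEC_EXT) else "unexpected_write"
    if api == "RegSetValueExW":
        return "autorun_key" if "\\currentversion\\run" in low else None
    if api == "CreateProcessW":
        return "child_process"
    if api == "listen":
        return "listen_port"
    if api == "connect":
        port = int(arg.rsplit(":", 1)[1])
        return None if port in WEB_PORTS else "odd_port_connect"
    return None


def score_log(text):
    """Return (total score, [(seq, tag), ...]) for a hook log."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        seq, api, arg = parse_event(line)
        tag = classify(api, arg)
        if tag is not None:
            findings.append((seq, tag))
    return sum(WEIGHTS[t] for _, t in findings), findings


def maliciousness_level(score):
    """Illustrative thresholds: 0 benign, 1-3 suspicious, 4+ malicious."""
    if score == 0:
        return "benign"
    return "suspicious" if score < 4 else "malicious"


if __name__ == "__main__":
    for name, log in (("malicious", MALICIOUS_LOG), ("benign", BENIGN_LOG)):
        score, findings = score_log(log)
        print(name, score, maliciousness_level(score), findings)
```

The baseline allowlist is what keeps the false-positive rate down: without it, every cache write and HTTPS fetch would score, and a page that merely loads would look suspicious. Conversely, a real deployment would have to update the allowlist per browser version, since cache paths moved between Internet Explorer releases.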

Keywords
