Malicious Web Research Articles

Analysis and Identification of Malicious JavaScript Code

ABSTRACT Malicious JavaScript code has been actively and recently utilized as a vehicle for Web-based security attacks. By exploiting vulnerabilities such as cross-site scripting (XSS), attackers are able to spread worms, conduct Phishing attacks, and do Web page redirection to “typically” porn Web sites. These attacks can be preemptively prevented if the malicious code is detected before executing. Based on the fact that a malignant code will exhibit certain features, we propose a novel classification-based detection approach that will identify Web pages containing infected code. Using datasets of trusted and malicious Web sites, we analyze the behavior and properties of JavaScript code to point out its key features. These features form the basis of our identification system and are used to properly train the various classifiers on malicious and benign data. Performance evaluation results show that our approach achieves a 95% or higher detection accuracy, with very small (less than 3%) false positive and false negative ratios. Our solution surpasses the performance of the comparable literature.

Integrated Approach of Malicious Website Detection

With the advent and the rising popularity of Internet, security is becoming one of the focal point. At present, Web sites have become the attacker’s main target. The attackers uses the strategy of embedding the HTML tags, the script tag to include Web-based Trojan scripting or redirector scripting, the embedded object tag which activates the third-party applications to display the embedded object and the advanced strategy is the ARP spoofing method to build malicious website when the attackers cannot gain control of the target website. The attacker hijacks the traffic, then injects the malicious code into the HTML responses to achieve virtual malicious websites. The malicious code embedded in the web pages by the attackers; change the display mode of the corresponding HTML tags and the respective effects invisible to the browser users. The display feature setting of embedded malicious code is detected by the abnormal visibility recognition technique which increases efficiency and reduces maintenance cost. Inclusion of the honey client increases the malicious website detection rate and speed. Most of the malicious Web pages are hence detected efficiently and the malicious code in the source code is located accurately. It can also handle End-User requests to know whether their webpage is free of Malicious codes or not.

Using trusted computing for privacy preserving keystroke-based authentication in smartphones

Smartphones are increasingly being used to store personal information as well as to access sensitive data from the Internet and the cloud. Establishment of the identity of a user requesting information from smartphones is a prerequisite for secure systems in such scenarios. In the past, keystroke-based user identification has been successfully deployed on production-level mobile devices to mitigate the risks associated with naive username/password based authentication. However, these approaches have two major limitations: they are not applicable to services where authentication occurs outside the domain of the mobile device--such as web-based services; and they often overly tax the limited computational capabilities of mobile devices. In this paper, we propose a protocol for keystroke dynamics analysis which allows web-based applications to make use of remote attestation and delegated keystroke analysis. The end result is an efficient keystroke-based user identification mechanism that strengthens traditional password protected services while mitigating the risks of user profiling by collaborating malicious web services. We present a prototype implementation of our protocol using the popular Android operating system for smartphones.

Learning to detect malicious URLs

Malicious Web sites are a cornerstone of Internet criminal activities. The dangers of these sites have created a demand for safeguards that protect end-users from visiting them. This article explores how to detect malicious Web sites from the lexical and host-based features of their URLs. We show that this problem lends itself naturally to modern algorithms for online learning. Online algorithms not only process large numbers of URLs more efficiently than batch algorithms, they also adapt more quickly to new features in the continuously evolving distribution of malicious URLs. We develop a real-time system for gathering URL features and pair it with a real-time feed of labeled URLs from a large Web mail provider. From these features and labels, we are able to train an online classifier that detects malicious Web sites with 99% accuracy over a balanced dataset.

Using one-time passwords to prevent password phishing attacks

Phishing is now a serious threat to the security of Internet users' confidential information. Basically, an attacker (phisher) tricks people into divulging sensitive information by sending fake messages to a large number of users at random. Unsuspecting users who follow the instruction in the messages are directed to well-built spoofed web pages and asked to provide sensitive information, which the phisher then steals. Based on our observations, more than 70% of phishing activities are designed to steal users' account names and passwords. With such information, an attacker can retrieve more valuable information from the compromised accounts. Statistics published by the anti-phishing working group (APWG) show that, at the end of Q2 in 2008, the number of malicious web pages designed to steal users' passwords had increased by 258% over the same period in 2007. Therefore, protecting users from phishing attacks is extremely important. A naïve way to prevent the theft of passwords is to avoid using passwords. This raises the following question: Is it possible to authenticate a user without a preset password? In this paper, we propose a practical authentication service that eliminates the need for preset user passwords during the authentication process. By leveraging existing communication infrastructures on the Internet, i.e., the instant messaging service, it is only necessary to deploy the proposed scheme on the server side. We also show that the proposed solution can be seamlessly integrated with the OpenID service so that websites supporting OpenID benefit directly from the proposed solution. The proposed solution can be deployed incrementally, and it does not require client-side scripts, plug-ins, nor external devices. We believe that the number of phishing attacks could be reduced substantially if users were not required to provide their own passwords when accessing web pages.

Unsupervised Clustering of Web Sessions to Detect Malicious and Non-malicious Website Users

Denial of Service (DoS) attacks are recognized as one of the most damaging attacks on the Internet security today. Recently, malicious web crawlers have been used to execute automated DoS attacks on web sites across the WWW. In this study, we examine the use of two unsupervised neural network (NN) learning algorithms for the purpose web-log analysis: the Self- Organizing Map (SOM) and Modified Adaptive Resonance Theory 2 (Modified ART2). In particular, through the use of SOM and Modified ART2, our work aims to obtain a better insight into the types and distribution of visitors to a public web-site based on their link-traversal behaviour, as well as to investigate the relative differences and/or similarities between malicious web crawlers and other non-malicious visitor groups. The results of our study show that, even though there is a pretty clear separation between malicious web-crawlers and other visitor groups, around 8% of malicious crawlers exhibit very ‘human-like’ browsing behaviour and as such pose a particular challenge for future web-site security systems.

O-means: An Optimized Clustering Method for Analyzing Spam Based Attacks

In recent years, the number of spam emails has been dramatically increasing and spam is recognized as a serious internet threat. Most recent spam emails are being sent by bots which often operate with others in the form of a botnet, and skillful spammers try to conceal their activities from spam analyzers and spam detection technology. In addition, most spam messages contain URLs that lure spam receivers to malicious Web servers for the purpose of carrying out various cyber attacks such as malware infection, phishing attacks, etc. In order to cope with spam based attacks, there have been many efforts made towards the clustering of spam emails based on similarities between them. The spam clusters obtained from the clustering of spam emails can be used to identify the infrastructure of spam sending systems and malicious Web servers, and how they are grouped and correlate with each other, and to minimize the time needed for analyzing Web pages. Therefore, it is very important to improve the accuracy of the spam clustering as much as possible so as to analyze spam based attacks more accurately. In this paper, we present an optimized spam clustering method, called O-means, based on the K-means clustering method, which is one of the most widely used clustering methods. By examining three weeks of spam gathered in our SMTP server, we observed that the accuracy of the O-means clustering method is about 87% which is superior to the previous clustering methods. In addition, we define 12 statistical features to compare similarity between spam emails, and we determined a set of optimized features which makes the O-means clustering method more effective.

Messenger Attack(Problems and Solutions)

For years, people think that the major threat to various companies' computer networks doesn't come from outside hackers,but from internal(often disgruntled) employees. However, a new study disputes that, saying that outside hack attacks are the largest threat. In fact, the outside hackers usethe ability of messenger to not only transfer text messages,but also to files transferring. Consequently, messengers can transfer worms and other malicious software ( malware).This research includes many practical methods and tricks to attack yahoo messenger by sending executable files that are compressed and masqueraded, that files are responsible for converting Yahoo! Musicand other options to malicious web site, and also it is possible to insert messenger into infinite loop, delete messenger after forcing it to close, or convert its path into malicious program path, insuring that done even after restart computer. And also it containsmprotection methods for that attack which are responsible for disabling system program such as (task manager, system restore, system configuration utility etc) to ensure that the user couldn't remove the program that caused attack.Finally in this research, software is designed to break that attack by enabling system tools and that will lead to facilitate the task of ending attack. Actually, this software is considered as a solution towidespread problem caused by many malware.

How much anonymity does network latency leak?

Low-latency anonymity systems such as Tor, AN.ON, Crowds, and Anonymizer.com aim to provide anonymous connections that are both untraceable by “local” adversaries who control only a few machines and have low enough delay to support anonymous use of network services like Web browsing and remote login. One consequence of these goals is that these services leak some information about the network latency between the sender and one or more nodes in the system. We present two attacks on low-latency anonymity schemes using this information. The first attack allows a pair of colluding Web sites to predict, based on local timing information and with no additional resources, whether two connections from the same Tor exit node are using the same circuit with high confidence. The second attack requires more resources but allows a malicious Web site to gain several bits of information about a client each time he visits the site. We evaluate both attacks against two low-latency anonymity protocols—the Tor network and the MultiProxy proxy aggregator service—and conclude that both are highly vulnerable to these attacks.

Design and Implementation of High Interaction Client Honeypot for Drive-by-Download Attacks

Nowadays, the number of web-browser targeted attacks that lead users to adversaries' web sites and exploit web browser vulnerabilities is increasing, and a clarification of their methods and countermeasures is urgently needed. In this paper, we introduce the design and implementation of a new client honeypot for drive-by-download attacks that has the capacity to detect and investigate a variety of malicious web sites. On the basis of the problems of existing client honeypots, we enumerate the requirements of a client honeypot: 1) detection accuracy and variety, 2) collection variety, 3) performance efficiency, and 4) safety and stability. We improve our system with regard to these requirements. The key features of our developed system are stepwise detection focusing on exploit phases, multiple crawler processing, tracking of malware distribution networks, and malware infection prevention. Our evaluation of our developed system in a laboratory experiment and field experiment indicated that its detection variety and crawling performance are higher than those of existing client honeypots. In addition, our system is able to collect information for countermeasures and is secure and stable for continuous operation. We conclude that our system can investigate malicious web sites comprehensively and support countermeasures.

Removing web spam links from search engine results

Web spam denotes the manipulation of web pages with the sole intent to raise their position in search engine rankings. Since a better position in the rankings directly and positively affects the number of visits to a site, attackers use different techniques to boost their pages to higher ranks. In the best case, web spam pages are a nuisance that provide undeserved advertisement revenues to the page owners. In the worst case, these pages pose a threat to Internet users by hosting malicious content and launching drive-by attacks against unsuspecting victims. When successful, these drive-by attacks then install malware on the victims' machines. In this paper, we introduce an approach to detect web spam pages in the list of results that are returned by a search engine. In a first step, we determine the importance of different page features to the ranking in search engine results. Based on this information, we develop a classification technique that uses important features to successfully distinguish spam sites from legitimate entries. By removing spam sites from the results, more slots are available to links that point to pages with useful content. Additionally, and more importantly, the threat posed by malicious web sites can be mitigated, reducing the risk for users to get infected by malicious code that spreads via drive-by attacks.

Malicious web content detection by machine learning

The recent development of the dynamic HTML gives attackers a new and powerful technique to compromise computer systems. A malicious dynamic HTML code is usually embedded in a normal webpage. The malicious webpage infects the victim when a user browses it. Furthermore, such DHTML code can disguise itself easily through obfuscation or transformation, which makes the detection even harder. Anti-virus software packages commonly use signature-based approaches which might not be able to efficiently identify camouflaged malicious HTML codes. Therefore, our paper proposes a malicious web page detection using the technique of machine learning. Our study analyzes the characteristic of a malicious webpage systematically and presents important features for machine learning. Experimental results demonstrate that our method is resilient to code obfuscations and can correctly determine whether a webpage is malicious or not.

Fraudulent and malicious sites on the web

Fraudulent and malicious web sites pose a significant threat to desktop security, integrity, and privacy. This paper examines the threat from different perspectives. We harvested URLs linking to web sites from different sources and corpora, and conducted a study to examine these URLs in-depth. For each URL, we extract its domain name, determine its frequency, IP address and geographic location, and check if the web site is accessible. Using 3 search engines (Google, Yahoo!, and Windows Live), we check if the domain name appears in the search results; and using McAfee SiteAdvisor, we determine the domain name's safety rating. Our study shows that users can encounter URLs pointing to fraudulent and malicious web sites not only in spam and phishing messages but in legitimate email messages and the top search results returned by search engines. To provide better countermeasures against these threats, we present a proxy-based approach to dynamically block access to fraudulent and malicious web sites based on the safety ratings set by McAfee SiteAdvisor.

Web Camouflage: Protecting Your Clients from Browser-Sniffing Attacks

Browser cache and history are intended to be private, yet it's not difficult for malicious Web sites to sniff cache entries on visitors' computers and then use that information to more accurately deceive them. The authors' approach neutralizes the threat of URLs being discovered on client computers.

A framework of anti‐phishing measures aimed at protecting the online consumer's identity

PurposeThe purpose of this paper is to aim to educate the internet consumer, who may be a potential phishing victim, and to suggest a framework of anti‐phishing measures, following the staggering increase in the number of recent phishing attacks. Phishing describes a method of online identity theft, in which phishers typically pose as legitimate organisations when sending deceptive e‐mail messages to internet users. When they respond to such e‐mails, victims are lured to malicious web sites, where they are duped into disclosing their personal details. In this way, phishers are able to commit identity theft, with possibly devastating consequences for the victim.Design/methodology/approachAfter a literature review of the available sources, the phishing threat is investigated by analysing the modus operandi of phishers and the basic components of a typical phishing scheme. A possible solution for the phishing problem is examined.FindingsPhishers continually target the weakest link in the security chain, namely consumers, in their attacks. Educating the online consumer about phishing, as well as the implementation and proper application of anti‐phishing measures, are critical steps in protecting the identities of online consumers against e‐mail phishing attacks.Originality/valueThis article proposes measures that internet consumers can take to ward off phishing attacks, as well as remedial actions that they can take after falling victim to such an attack. By implementing these measures online, consumers can minimise the risk of becoming victims of successful phishing attacks, as well as remedy the negative effects of any past disclosure of information to phishers.

Web Metering Scheme Based on the Bilinear Pairings

Web metering is an effective means of measuring the number of visits from clients to Web servers during a specific time frame. Naor and Pinkas, in 1998, first introduced metering schemes to evaluate the popularity of Web servers. Ogata and Kurosawa proposed two schemes that improve on the Naor-Pinkas metering schemes. This study presents a Web metering scheme which is based on the bilinear pairings and built on the GDH group. The proposed scheme can resist fraud attempts by malicious Web servers and disruptive attacks by malicious clients.

Learning DFA representations of HTTP for protecting web applications

Intrusion detection is a key technology for self-healing systems designed to prevent or manage damage caused by security threats. Protecting web server-based applications using intrusion detection is challenging, especially when autonomy is required (i.e., without signature updates or extensive administrative overhead). Web applications are difficult to protect because they are large, complex, highly customized, and often created by programmers with little security background. Anomaly-based intrusion detection has been proposed as a strategy to meet these requirements. This paper describes how DFA (Deterministic Finite Automata) induction can be used to detect malicious web requests. The method is used in combination with rules for reducing variability among requests and heuristics for filtering and grouping anomalies. With this setup a wide variety of attacks is detectable with few false-positives, even when the system is trained on data containing benign attacks (e.g., attacks that fail against properly patched servers).

Rucas over privacy of domain name registration

Enormous web pages are visited each day over a network and malicious websites might infect user machines. To identify malicious web sites, the most reliable approach is honeypot, an execution-based method. The vast amount of http traffic makes sandboxing all the web pages impossible. It is not practical in the real environments as it consumes too much computational resource and time. Only 1.3% of websites are malicious. Crawler-based approach might be not easy to find malicious websites effectively, as it has no clue if they are visited by users. Therefore, the proposed system examines only user web requests, not from crawler, in order to catch the real drive-by download web attacks. The challenge is that the web traffic is huge in real networks and an efficient filtering is desired to process large scale user requests efficiently.Based on our observation, the domains of drive-by download attacks often are unreliable and exhibit distinct attributes from the normal. To classify massive volume of web traffic in a real network, this study proposes a two-stage drive-by download attack detection mechanism: first identifying suspicious websites based on domain reputation and then sandboxing only the suspicious ones to reduce the detection time. Such detection not only reduces the required computation resources and time, but also remains the efficiency benefited from sandbox-based detection. As WHOIS database is not reliable for not every domain query can be resolved. Therefore, this study relies on queries from DNS server and proposes novel reputation attributes to distinguish the benign and the suspicious. The experimental results show that the proposed filtering yields the accuracy of 94% in simulated real network environment and efficiently saves more than 12 times of the computing time with the comparison of an improved sandboxing approach. Such two-stage detection system implemented in a real network environment with 560 thousand URL requests per day demonstrates its practicality and efficiency under large scale web requests. During the deployment on the real network, unknown malicious websites are identified which are not listed in the public accessible blacklist websites.