Malicious File Hash Detection and Drive-by Download Attacks

  • Ibrahim Ghafir
  • Vaclav Prenosil
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 379)


Malicious web content has become the essential tool used by cybercriminals to accomplish their attacks on the Internet. In addition, attacks that target web clients, in comparison to infrastructure components, have become prevalent. Malware drive-by downloads are a recent challenge, as their spread appears to be increasing substantially in malware distribution attacks. In this paper we present our methodology for detecting any malicious file downloaded by one of the network hosts. Our detection method is based on a blacklist of malicious file hashes. We process the network traffic, analyze all connections, and calculate MD5, SHA1, and SHA256 hash for each new file seen being transferred over a connection. Then we match the calculated hashes with the blacklist. The blacklist of malicious file hashes is automatically updated each day and the detection is in the real time.


Cyber attacks Botnet Malware Malicious file hash Intrusion detection system 



This work has been supported by the project CYBER-2 funded by the Ministry of Defence of the Czech Republic under contract No. 1201 4 7110.


  1. 1.
    Mavrommatis, N.P.P., Monrose, M.A.R.F.: All your iframes point to us. In: USENIX Security Symposium, pp. 1–16 (2008)Google Scholar
  2. 2.
    Silva, S.S., Silva, R.M., Pinto, R.C., Salles, R.M.: Botnets: a survey. Comput. Netw. 57(2), 378–403 (2013)CrossRefGoogle Scholar
  3. 3.
    Moore, D., Shannon, C., Brown, D.J., Voelker, G.M., Savage, S.: Inferring internet denial-of-service activity. ACM Trans. Comput. Syst. (TOCS) 24(2), 115–139 (2006)CrossRefGoogle Scholar
  4. 4.
    Kanich, C., Kreibich, C., Levchenko, K., Enright, B., Voelker, G.M.., Paxson, V., Savage, S.: Spamalytics: an empirical analysis of spam marketing conversion. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, pp. 3–14 . ACM (2008)Google Scholar
  5. 5.
    Seifert, C.: Cost-effective detection of drive-by-download attacks with hybrid client honeypots. (2010)Google Scholar
  6. 6.
    Hsu, F.-H., Tso, C.-K., Yeh, Y.-C., Wang, W.-J., Chen, L.-H.: Browserguard: a behavior-based solution to drive-by-download attacks. IEEE J. Sel. Areas Commun. 29(7), 1461–1468 (2011)CrossRefGoogle Scholar
  7. 7.
    Zhang, J., Seifert, C., Stokes, J.W., Lee, W.: Arrow: generating signatures to detect drive-by downloads. In: Proceedings of the 20th International Conference on World Wide Web, pp. 187–196. ACM (2011)Google Scholar
  8. 8.
    Provos, N., McNamee, D., Mavrommatis, P., Wang, K., Modadugu, N., et al.: The ghost in the browser analysis of web-based malware. In: Proceedings of the First Conference on First Workshop on Hot Topics in Understanding Botnets, pp. 4–4 (2007)Google Scholar
  9. 9.
    Rieck, K., Krueger, T., Dewald, A.: Cujo: efficient detection and prevention of drive-by-download attacks. In: Proceedings of the 26th Annual Computer Security Applications Conference, pp. 31–39. ACM (2010)Google Scholar
  10. 10.
    Sotirov, A.: Heap feng shui in javascript. Black Hat Europe (2007)Google Scholar
  11. 11.
    Ratanaworabhan, P., Livshits, V.B., Zorn, B.G.: Nozzle: a defense against heap-spraying code injection attacks. In: USENIX Security Symposium, pp. 169–186 (2009)Google Scholar
  12. 12.
    Gadaleta, F., Younan, Y., Joosen, W.: Bubble: a javascript engine level countermeasure against heap-spraying attacks. In: Engineering Secure Software and Systems, pp. 1–17. Springer (2010)Google Scholar
  13. 13.
    Song, C., Zhuge, J., Han, X., Ye, Z.: Preventing drive-by download via inter-module communication monitoring. In: Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, pp. 124–134. ACM (2010)Google Scholar
  14. 14.
    The-Bro-Project: The bro network security monitor. (2015). Accessed 15 Feb 2015
  15. 15.
    Bro-Project: Intelligence framework. (2015). Accessed 15 Feb 2015
  16. 16.
    Leau, Y.B., Tan, S.F., Manickam, S., et al.: A comparative study of alert correlations for intrusion detection. In: Proceedings-2013 International Conference on Advanced Computer Science Applications and Technologies, ACSAT 2013, pp. 85–88. IEEE (2014)Google Scholar
  17. 17.
    Computer-Incident-Response-Center-Luxembourg: Md5, sha1 and sha256 blocklist. (2015). Accessed 15 Feb 2015
  18. 18.
    Network-Traffic-Analysis: Nuclear EK delivers digitally-signed cryptowall malware. (2015). Accessed 15 Feb 2015

Copyright information

© Springer India 2016

Authors and Affiliations

  1. 1.Faculty of InformaticsMasaryk UniversityBrnoCzech Republic

Personalised recommendations