Abstract
Malicious web sites perform drive-by download attacks to infect their visitors with malware. Current protection approaches rely on black- or white-listing techniques that are difficult to keep up to date. Since today's drive-by attacks already employ encryption to evade network-level detection, we propose a series of techniques that can be implemented in web browsers to protect the user from such threats. In addition, we discuss the challenges and open problems these mechanisms face in order to be effective and efficient.
Copyright information
© 2009 IFIP International Federation for Information Processing
Cite this paper
Egele, M., Kirda, E., Kruegel, C. (2009). Mitigating Drive-By Download Attacks: Challenges and Open Problems. In: Camenisch, J., Kesdogan, D. (eds.) iNetSec 2009 – Open Research Problems in Network Security. IFIP Advances in Information and Communication Technology, vol. 309. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-05437-2_5
DOI: https://doi.org/10.1007/978-3-642-05437-2_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-05436-5
Online ISBN: 978-3-642-05437-2
eBook Packages: Computer Science (R0)