Manufacturing compromise: the emergence of exploit-as-a-service

Authors:
Chris Grier;Lucas Ballard;Juan Caballero;Neha Chachra;Christian J. Dietrich;Kirill Levchenko;Panayiotis Mavrommatis;Damon McCoy;Antonio Nappa;Andreas Pitsillidis;Niels Provos;M. Zubair Rafique;Moheeb Abu Rajab;Christian Rossow;Kurt Thomas;Vern Paxson;Stefan Savage;Geoffrey M. Voelker
Affiliations:
UC Berkeley, Berkeley, CA, USA;Google, Inc., Mountain View, CA, USA;IMDEA Software Institute, Madrid, Spain;UC San Diego, San Diego, CA, USA;University of Applied Sciences Gelsenkirchen, Gelsenkirchen, Germany;UC San Diego, San Diego, CA, USA;Google, Inc., Mountain View, CA, USA;George Mason University, Fairfax, VA, USA;IMDEA Software Institute, Madrid, Spain;UC San Diego, San Diego, CA, USA;Google, Inc., Mountain View, CA, USA;IMDEA Software Institute, Madrid, Spain;Google, Inc., Mountain View, CA, USA;University of Applied Sciences Gelsenkirchen, Gelsenkirchen, Germany;UC Berkeley, Berkeley, CA, USA;UC Berkeley, Berkeley, CA, USA;UC San Diego, San Diego, CA, USA;UC San Diego, San Diego, CA, USA
Venue:
Proceedings of the 2012 ACM conference on Computer and communications security
Year:
2012

Citing 27
Cited 7

An inquiry into the nature and causes of the wealth of internet miscreants

Proceedings of the 14th ACM conference on Computer and communications security
Spamscatter: characterizing internet scam hosting infrastructure

SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Ghost turns zombie: exploring the life cycle of web-based malware

LEET'08 Proceedings of the 1st Usenix Workshop on Large-Scale Exploits and Emergent Threats
Learning and Classification of Malware Behavior

DIMVA '08 Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
All your iFRAMEs point to Us

SS'08 Proceedings of the 17th conference on Security symposium
Studying spamming botnets using Botlab

NSDI'09 Proceedings of the 6th USENIX symposium on Networked systems design and implementation
Your botnet is my botnet: analysis of a botnet takeover

Proceedings of the 16th ACM conference on Computer and communications security
Detection and analysis of drive-by-download attacks and malicious JavaScript code

Proceedings of the 19th international conference on World wide web
Automated classification and analysis of internet malware

RAID'07 Proceedings of the 10th international conference on Recent advances in intrusion detection
Peeking through the cloud: DNS-based estimation and its applications

ACNS'08 Proceedings of the 6th international conference on Applied cryptography and network security
Spamcraft: an inside look at spam campaign orchestration

LEET'09 Proceedings of the 2nd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more
Insights from the inside: a view of botnet management from infiltration

LEET'10 Proceedings of the 3rd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more
The nocebo effect on the web: an analysis of fake anti-virus distribution

LEET'10 Proceedings of the 3rd USENIX conference on Large-scale exploits and emergent threats: botnets, spyware, worms, and more
BLADE: an attack-agnostic approach for preventing drive-by malware infections

Proceedings of the 17th ACM conference on Computer and communications security
Detecting and characterizing social spam campaigns

IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement
Detecting algorithmically generated malicious domain names

IMC '10 Proceedings of the 10th ACM SIGCOMM conference on Internet measurement
The underground economy of spam: a botmaster's perspective of coordinating large-scale spam campaigns

LEET'11 Proceedings of the 4th USENIX conference on Large-scale exploits and emergent threats
Sandnet: network traffic analysis of malicious software

Proceedings of the First Workshop on Building Analysis Datasets and Gathering Experience Returns for Security
Click Trajectories: End-to-End Analysis of the Spam Value Chain

SP '11 Proceedings of the 2011 IEEE Symposium on Security and Privacy
What's clicking what? techniques and innovations of today's clickbots

DIMVA'11 Proceedings of the 8th international conference on Detection of intrusions and malware, and vulnerability assessment
ZOZZLE: fast and precise in-browser JavaScript malware detection

SEC'11 Proceedings of the 20th USENIX conference on Security
Measuring pay-per-install: the commoditization of malware distribution

SEC'11 Proceedings of the 20th USENIX conference on Security
Suspended accounts in retrospect: an analysis of twitter spam

Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference
Understanding fraudulent activities in online ad exchanges

Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference
GQ: practical containment for measuring modern malware systems

Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference
EvilSeed: A Guided Approach to Finding Malicious Web Pages

SP '12 Proceedings of the 2012 IEEE Symposium on Security and Privacy
Large-Scale analysis of malware downloaders

DIMVA'12 Proceedings of the 9th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment

Anatomy of exploit kits: preliminary analysis of exploit kits as software artefacts

ESSoS'13 Proceedings of the 5th international conference on Engineering Secure Software and Systems
Resolvers Revealed: Characterizing DNS Resolvers and their Clients

ACM Transactions on Internet Technology (TOIT)
POSTER: Cross-platform malware: write once, infect everywhere

Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Shady paths: leveraging surfing crowds to detect malicious web pages

Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security
Driving in the cloud: an analysis of drive-by download operations and abuse reporting

DIMVA'13 Proceedings of the 10th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Revolver: an automated approach to the detection of evasiveweb-based malware

SEC'13 Proceedings of the 22nd USENIX conference on Security
WebWinnow: leveraging exploit kit workflows to detect malicious urls

Proceedings of the 4th ACM conference on Data and application security and privacy

Quantified Score

Hi-index	0.00

Visualization

Abstract

We investigate the emergence of the exploit-as-a-service model for driveby browser compromise. In this regime, attackers pay for an exploit kit or service to do the "dirty work" of exploiting a victim's browser, decoupling the complexities of browser and plugin vulnerabilities from the challenges of generating traffic to a website under the attacker's control. Upon a successful exploit, these kits load and execute a binary provided by the attacker, effectively transferring control of a victim's machine to the attacker. In order to understand the impact of the exploit-as-a-service paradigm on the malware ecosystem, we perform a detailed analysis of the prevalence of exploit kits, the families of malware installed upon a successful exploit, and the volume of traffic that malicious web sites receive. To carry out this study, we analyze 77,000 malicious URLs received from Google Safe Browsing, along with a crowd-sourced feed of blacklisted URLs known to direct to exploit kits. These URLs led to over 10,000 distinct binaries, which we ran in a contained environment. Our results show that many of the most prominent families of malware now propagate through driveby downloads--32 families in all. Their activities are supported by a handful of exploit kits, with Blackhole accounting for 29% of all malicious URLs in our data, followed in popularity by Incognito. We use DNS traffic from real networks to provide a unique perspective on the popularity of malware families based on the frequency that their binaries are installed by drivebys, as well as the lifetime and popularity of domains funneling users to exploits.