As the web continues to play an increasing role in information exchange, it is also becoming the prevailing platform for infecting vulnerable hosts. One commonly deployed strategy for delivering web malware involves the underhanded tactic of targeting browser vulnerabilities to automatically download and run malicious software upon visiting a website. When popular websites are exploited, the victim base from these so-called drive-by downloads can be far greater than that of other forms of exploitation, because traditional defenses (e.g., firewalls) pose no barrier to infection. Unfortunately, with the plethora of (insecure) web applications being deployed today, it is likely that web servers will continue to be popular targets for exploitation for the foreseeable future.

One of our primary goals is to take an in-depth look at the malware serving network on the Web by building a scalable malware execution and analysis infrastructure. Specifically, we plan to build a resource-efficient host architecture that permits lightweight process monitoring by tracking interactions with the OS. An important facet of our research direction is to explore a transactional framework that unifies virtualization and logging to allow efficient analysis. In this framework, the granularity of recorded transactions is dynamically adjusted based on execution contexts, aggregating multiple transactions into a single summarized transaction whenever possible. Broader impacts of this project will result from the comprehensive analysis of the different aspects of the problem posed by web-based malware, and from the tools, methods, and analytical techniques that will ultimately allow for large-scale malware analysis by the security community at large.

Project Report

Today’s security landscape paints a disturbing scene in which underground economies seem to thrive on an unlimited supply of compromised end-user systems. Many of these end-user systems are compromised via so-called runtime attacks that exploit vulnerabilities in popular applications (e.g., browsers or document readers). Despite differences in the style and implementation of these exploits, they all share a common goal: the ability to redirect program logic within the vulnerable application. The overarching goal of this project is to advance research on malicious software detection and analysis. To that end, we explored ways to detect new forms of computer security attacks that are delivered using the web or are embedded in popular document formats. More specifically, we developed a novel framework that employs a myriad of analysis techniques to efficiently inspect suspicious documents to find what lurks within. Our objectives were to explore automated techniques that (i) achieve high accuracy in correctly assigning benign or malicious labels to each object analyzed, and (ii) provide a scalable mechanism for analyzing files in an isolated environment (e.g., one that is cloud-capable). Our empirical analyses of tens of thousands of malicious documents show that our techniques perform exceedingly well in operational settings. Our results have been broadly disseminated in academic venues, and our tools and analytical techniques continue to contribute to the growing body of public domain software that will ultimately allow for large-scale malware analysis by other researchers and practitioners.

Agency: National Science Foundation (NSF)
Institute: Division of Computer and Network Systems (CNS)
Application #: 0915364
Program Officer: Jeremy Epstein
Project Start:
Project End:
Budget Start: 2009-09-01
Budget End: 2013-08-31
Support Year:
Fiscal Year: 2009
Total Cost: $259,264
Indirect Cost:
Name: University of North Carolina Chapel Hill
Department:
Type:
DUNS #:
City: Chapel Hill
State: NC
Country: United States
Zip Code: 27599