Publication Details
Title: Manufacturing Compromise: The Emergence of Exploit-as-a-Service
Author: C. Grier, L. Ballard, J. Caballero, N. Chachra, C. J. Dietrich, K. Levchenko, P. Mavrommatis, D. McCoy, A. Nappa, A. Pitsillidis, N. Provos, M. Zubair Rafique, M. Abu Rajab, C. Rossow, K. Thomas, V. Paxson, S. Savage, and G. M. Voelker
Bibliographic Information: Proceedings of the 19th ACM Conference on Computer and Communications Security (CCS 2012), pp. 821-832, Raleigh, North Carolina
Date: October 2012
Research Area: Networking and Security
Type: Article in conference proceedings
PDF: http://www.icsi.berkeley.edu/pubs/networking/manufacturingcompromise12.pdf
Overview:
We investigate the emergence of the exploit-as-a-service model for driveby browser compromise. In this regime, attackers pay for an exploit kit or service to do the “dirty work” of exploiting a victim’s browser, decoupling the complexities of browser and plugin vulnerabilities from the challenges of generating traffic to a website under the attacker’s control. Upon a successful exploit, these kits load and execute a binary provided by the attacker, effectively transferring control of a victim’s machine to the attacker. In order to understand the impact of the exploit-as-a-service paradigm on the malware ecosystem, we perform a detailed analysis of the prevalence of exploit kits, the families of malware installed upon a successful exploit, and the volume of traffic that malicious web sites receive. To carry out this study, we analyze 77,000 malicious URLs received from Google Safe Browsing, along with a crowd-sourced feed of blacklisted URLs known to direct to exploit kits. These URLs led to over 10,000 distinct binaries, which we ran in a contained environment. Our results show that many of the most prominent families of malware now propagate through driveby downloads—32 families in all. Their activities are supported by a handful of exploit kits, with Blackhole accounting for 29% of all malicious URLs in our data, followed in popularity by Incognito.We use DNS traffic from real networks to provide a unique perspective on the popularity of malware families based on the frequency that their binaries are installed by drivebys, as well as the lifetime and popularity of domains funneling users to exploits.
Acknowledgements:
This work was partially supported by funding provided to ICSI through National Science Foundation grant CNS:0831535 (“Collaborative Research: Comprehensive Application Analysis and Control”). Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors or originators and do not necessarily reflect the views of the National Science Foundation.
Bibliographic Reference:
C. Grier, L. Ballard, J. Caballero, N. Chachra, C. J. Dietrich, K. Levchenko, P. Mavrommatis, D. McCoy, A. Nappa, A. Pitsillidis, N. Provos, M. Zubair Rafique, M. Abu Rajab, C. Rossow, K. Thomas, V. Paxson, S. Savage, and G. M. Voelker. Manufacturing Compromise: The Emergence of Exploit-as-a-Service. Proceedings of the 19th ACM Conference on Computer and Communications Security (CCS 2012), pp. 821-832, Raleigh, North Carolina, October 2012
Author: C. Grier, L. Ballard, J. Caballero, N. Chachra, C. J. Dietrich, K. Levchenko, P. Mavrommatis, D. McCoy, A. Nappa, A. Pitsillidis, N. Provos, M. Zubair Rafique, M. Abu Rajab, C. Rossow, K. Thomas, V. Paxson, S. Savage, and G. M. Voelker
Bibliographic Information: Proceedings of the 19th ACM Conference on Computer and Communications Security (CCS 2012), pp. 821-832, Raleigh, North Carolina
Date: October 2012
Research Area: Networking and Security
Type: Article in conference proceedings
PDF: http://www.icsi.berkeley.edu/pubs/networking/manufacturingcompromise12.pdf
Overview:
We investigate the emergence of the exploit-as-a-service model for driveby browser compromise. In this regime, attackers pay for an exploit kit or service to do the “dirty work” of exploiting a victim’s browser, decoupling the complexities of browser and plugin vulnerabilities from the challenges of generating traffic to a website under the attacker’s control. Upon a successful exploit, these kits load and execute a binary provided by the attacker, effectively transferring control of a victim’s machine to the attacker. In order to understand the impact of the exploit-as-a-service paradigm on the malware ecosystem, we perform a detailed analysis of the prevalence of exploit kits, the families of malware installed upon a successful exploit, and the volume of traffic that malicious web sites receive. To carry out this study, we analyze 77,000 malicious URLs received from Google Safe Browsing, along with a crowd-sourced feed of blacklisted URLs known to direct to exploit kits. These URLs led to over 10,000 distinct binaries, which we ran in a contained environment. Our results show that many of the most prominent families of malware now propagate through driveby downloads—32 families in all. Their activities are supported by a handful of exploit kits, with Blackhole accounting for 29% of all malicious URLs in our data, followed in popularity by Incognito.We use DNS traffic from real networks to provide a unique perspective on the popularity of malware families based on the frequency that their binaries are installed by drivebys, as well as the lifetime and popularity of domains funneling users to exploits.
Acknowledgements:
This work was partially supported by funding provided to ICSI through National Science Foundation grant CNS:0831535 (“Collaborative Research: Comprehensive Application Analysis and Control”). Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors or originators and do not necessarily reflect the views of the National Science Foundation.
Bibliographic Reference:
C. Grier, L. Ballard, J. Caballero, N. Chachra, C. J. Dietrich, K. Levchenko, P. Mavrommatis, D. McCoy, A. Nappa, A. Pitsillidis, N. Provos, M. Zubair Rafique, M. Abu Rajab, C. Rossow, K. Thomas, V. Paxson, S. Savage, and G. M. Voelker. Manufacturing Compromise: The Emergence of Exploit-as-a-Service. Proceedings of the 19th ACM Conference on Computer and Communications Security (CCS 2012), pp. 821-832, Raleigh, North Carolina, October 2012