General Information
| Student: | Alexander Crowell (acrowell@dimax.rutgers.edu) |
| Office: | CoRE 446 |
| School: | Rutgers University |
| Faculty Advisor: | Danfeng Yao, Computer Science Department |
| Project: | Detecting drive-by-downloads using human behavior patterns |
Project Description
Last year's REU project investigated the similarities and differences in HTTP periodicity between botnet command-and-control traffic and legitimate web server traffic in order to detect running botnets. This project applies a similar approach to drive-by-downloads, in which a malicious web page installs software on the user's computer without their permission: we investigate the similarities and differences between user-permitted downloads and drive-by-downloads. By studying human behavior patterns to distinguish legitimate downloads from malicious ones, and by investigating how hard it is for a malicious site to fool our detection mechanism, we seek to build a reliable system for detecting and preventing drive-by-downloads.
Opening Presentation as PDF PPT
Closing Presentation as PDF PPT
Background on drive-by-downloads:
- All Your iFRAMEs Point to Us (2008). Niels Provos and Panayiotis Mavrommatis, Google Inc.; Moheeb Abu Rajab and Fabian Monrose, Johns Hopkins University
- The Ghost in the Browser: Analysis of Web-based Malware (2007). Niels Provos, Dean McNamee, Panayiotis Mavrommatis, Ke Wang, and Nagendra Modadugu, Google, Inc.
- A Crawler-based Study of Spyware on the Web (2005). Alex Moshchuk, Tanya Bragin, Steven D. Gribble, and Henry M. Levy, University of Washington
Updates
Week 8 so far:
- Continued integrating the JSON parser into the minispy code
Week 7:
- Found prewritten code for parsing the JSON data given by tlogger and modified it so that it could be integrated with my modified minispy code, creating a real-time drive-by-download detection system instead of the current one, which detects them retroactively
- Began integrating the JSON parser into the minispy code
- Created and gave final presentation (PPT)
Week 6:
- Found out about Tripwire, which could potentially be used along with our drive-by-download detector to prevent overwrites of Firefox's main files in the case where an attacker modifies them with downloaded code rather than creating a new file
- Looked into how difficult it would be to get tlogger to additionally log the user's clicks in the Save File dialog box, as this better reflects the user initializing a download than a URL click. It seems to be an internal part of Firefox, and so may not be modifiable by an extension.
Week 5:
- Began studying more in-depth how Firefox, and also Internet Explorer, proceed when the user downloads a file
- Looked into getting the minispy code to recognize processes with browser names (like 'firefox.exe') and report only their file system activities
- Discovered a problem with redirects for downloads: for instance, clicking a link leads to a page, which leads to another page, which leads to the download, without a mouse click directly initiating it. For example, this is how it is done at download.com
Week 4:
- Knowing how to interpret the data in both tlogger and ProcMon, I quickly wrote a simple script that tries to match downloads to user input
- Continued to modify the minispy code to eventually work as part of the detection system
Week 3:
- Set up what I thought was a good filter for tracking file creation in ProcMon; the problem was that it didn't show the name of the file being created
- Looked into the Windows Driver Kit documentation to find out if I could write my own file system tracker that could get the file name too
- Found the sample program minispy, and began looking at the source code to see how it works
- After looking at the output of minispy, I noticed that some entries did give the file name, and after going back into ProcMon, I noticed that there were entries that recorded the file creation AND gave the file's name
Week 2:
- Finished reading background material
- Set up a virtualized copy of Windows for development and testing
- Looked at tlogger and ProcMon to see how they could be used to track user input and file system changes
- Created and gave presentation (PPT)
Week 1: Read background on drive-by-downloads, including:
- All Your iFRAMEs Point to Us
- The Ghost in the Browser: Analysis of Web-based Malware
- Video of a Drive-by-download
- Description of a particular exploit in Internet Explorer from December 2008
- A Crawler-based Study of Spyware on the Web
- Paper for the REU Project from last year on botnets
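The matching that the Week 4 and Week 5 updates describe, pairing a browser's file-creation events with the user clicks logged in the browser, restricted to browser processes and tolerant of a redirect chain between click and download, in worked form. This is an added example written for this page, not the student's script and not tlogger or minispy code. Both logs, their formats (JSON lines for clicks, CSV for file events), the paths under a hypothetical user "alice", and the 10-second window are constructed assumptions.

```python
"""Toy download/click correlator (added example, not the project's own script).

Inputs are two constructed logs whose formats are assumptions:
  - click log: one JSON object per line, as a tlogger-like extension might emit
  - file log:  "time_ms,process,operation,path", as a ProcMon/minispy-like
               file-system monitor might emit for file creations
A file created by a browser process outside its cache/profile directories is
"user-initiated" if a click was logged shortly before it, else "drive-by".
"""
import json

BROWSER_PROCESSES = {"firefox.exe", "iexplore.exe"}  # only browser activity is inspected

# Browsers create cache and profile files constantly; those are not downloads.
# Assumed locations for a hypothetical user "alice".
IGNORED_PREFIXES = (
    r"C:\Users\alice\AppData\Local\Mozilla\Firefox\Profiles",
    r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles",
)

# A click this long before a file creation is taken to explain it. The window is
# generous on purpose: a click can lead through several redirects before the
# download actually starts.
CLICK_WINDOW_MS = 10_000

# Constructed sample data (not real tlogger output).
CLICK_LOG = """
{"t": 1000, "event": "click", "url": "http://download.example.com/get?id=42"}
{"t": 60000, "event": "click", "url": "http://news.example.com/story"}
"""

# Constructed sample data (not real minispy/ProcMon output).
FILE_LOG = r"""
1200,firefox.exe,CREATE,C:\Users\alice\AppData\Local\Mozilla\Firefox\Profiles\x.default\cache2\entries\ab12
4800,firefox.exe,CREATE,C:\Users\alice\Downloads\setup.exe
62000,firefox.exe,CREATE,C:\Users\alice\AppData\Local\Temp\update.exe
75000,firefox.exe,CREATE,C:\Users\alice\AppData\Local\Temp\dropper.exe
80000,notepad.exe,CREATE,C:\Users\alice\Documents\notes.txt
"""


def parse_clicks(text):
    """Return [(time_ms, url)] for click events, sorted by time."""
    clicks = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event") == "click":
            clicks.append((int(rec["t"]), rec["url"]))
    return sorted(clicks)


def parse_file_events(text):
    """Return [(time_ms, process, operation, path)], sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, proc, op, path = line.split(",", 3)  # the path may itself contain commas
        events.append((int(t), proc.lower(), op, path))
    return sorted(events)


def is_candidate_download(proc, op, path):
    """File creations by a browser outside its own cache/profile directories."""
    if proc not in BROWSER_PROCESSES or op != "CREATE":
        return False
    lowered = path.lower()  # Windows paths are case-insensitive
    return not any(lowered.startswith(p.lower()) for p in IGNORED_PREFIXES)


def latest_click_before(clicks, t, window):
    """Most recent click in [t - window, t], or None. `clicks` must be sorted."""
    best = None
    for ct, url in clicks:
        if ct > t:
            break
        if t - ct <= window:
            best = (ct, url)
    return best


def classify(click_text, file_text, window=CLICK_WINDOW_MS):
    """Label each candidate download as user-initiated or drive-by."""
    clicks = parse_clicks(click_text)
    results = []
    for t, proc, op, path in parse_file_events(file_text):
        if not is_candidate_download(proc, op, path):
            continue
        match = latest_click_before(clicks, t, window)
        results.append({
            "t": t,
            "path": path,
            "verdict": "user-initiated" if match else "drive-by",
            "click": match[1] if match else None,
        })
    return results


if __name__ == "__main__":
    for r in classify(CLICK_LOG, FILE_LOG):
        print(f"{r['t']:>6} ms  {r['verdict']:<14} {r['path']}  (click: {r['click']})")
```

On the sample data, setup.exe (created at 4800 ms) is matched to the click at 1000 ms even though 3.8 s of redirects separate them, the cache entry and the notepad.exe file are ignored, and dropper.exe at 75000 ms, with no click in the preceding 10 s, is flagged. update.exe at 62000 ms shows the weakness of a URL click as the signal: an unrelated click on a news link 2 s earlier "explains" it, which is why the Week 6 note looks for the Save File dialog click instead. Shrinking the window to 1 s re-creates the Week 5 redirect problem, since setup.exe is then flagged as well.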