tacks. Many drive-by downloads can be detected automatically via client honeypots. However, when adversaries use social engineering to trick users into installing malicious software, automated detection becomes significantly harder. Although user interactions can be simulated by the client honeypot, a fundamental problem is the gap between the user's expectation of what a downloaded application does and what it actually does. In the video case described earlier, the user expected to watch a video. After downloading and installing such a trojan, usually nothing happens. This could warn the user that something is amiss and might result in the user trying to fix their system. However, there is no reason why the installed software could not also play a video, leaving the user with no reason to suspect that she was infected.
Similarly, in addition to extorting the user for money, some of the fake anti-virus software does actually have some detection capability for old malware. The question then is how to determine if a piece of software functions as advertised. In general, this problem is undecidable. For example, the popular Google toolbar allows a user to opt into receiving the pagerank of a visited page. This works by sending the current URL to Google and then returning the associated pagerank and displaying it in the browser. This functionality was desired by the user and a legitimate feature. However, a similar piece of software might not disclose its functionality and send all visited URLs to some ominous third party. In that case, we would label the software spyware.
Automated analysis is more difficult [2, 9] when malicious activity is triggered only under certain conditions. For example, some banking trojans watch the URL in the browser window and overlay a fake input field only for specific banking Web sites. Automated tools may discover the overlay functionality, but if the trojan were to compare against one-way hashes of URLs, determining which banks were targeted could be rather difficult.
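The hashed-target problem above, as an added illustration (not code from the article or from any real sample): an analyzer that extracts the trojan's configuration sees only opaque digests, and the targets can be named only by hashing a candidate list of known banking hostnames and matching. SHA-256 and the hostnames are assumptions; the text says only "one-way hashes".

```python
import hashlib

# Assumed hash function; the text only says "one-way hashes".
def host_digest(host: str) -> str:
    """SHA-256 of a lowercased hostname, hex-encoded."""
    return hashlib.sha256(host.lower().encode("utf-8")).hexdigest()

# Constructed sample configuration: all an automated analyzer recovers from such
# a trojan is the overlay routine plus this opaque set of digests, with no readable
# target list. The hostnames are invented here for the example.
SAMPLE_CONFIG = {
    host_digest("bank-one.example"),
    host_digest("credit-two.example"),
    host_digest("secure.savings-three.example"),
}

def hostname(url: str) -> str:
    """Extract the host part a trojan would compare (scheme, userinfo, path dropped)."""
    return url.split("//", 1)[-1].split("/", 1)[0].split("@")[-1].lower()

def is_targeted(url: str, config) -> bool:
    """The comparison the text describes: hash the visited host and look it up.
    A dynamic analyzer learns the answer only for URLs it actually visits, so
    the trigger condition stays hidden unless the right site is exercised."""
    return host_digest(hostname(url)) in config

def resolve_targets(config, candidates):
    """Analyst side: hash a candidate list of known banking hostnames and match
    against the extracted digests. Returns (resolved dict, unresolved set);
    anything not covered by the candidate list remains an opaque digest."""
    table = {host_digest(c): c for c in candidates}
    resolved = {d: table[d] for d in config if d in table}
    unresolved = set(config) - set(resolved)
    return resolved, unresolved

if __name__ == "__main__":
    # Constructed candidate list: covers two of the three targets on purpose.
    candidates = ["bank-one.example", "credit-two.example", "unrelated.example"]
    resolved, unresolved = resolve_targets(SAMPLE_CONFIG, candidates)
    print("resolved targets:", sorted(resolved.values()))
    print("still unresolved digests:", len(unresolved))
```

The unresolved digest shows the limit of the approach: a target whose hostname is not in the analyst's candidate list stays unknown, which is exactly the difficulty the text points out.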
Without doubt, Web-based malware is a security concern for many users. Unfortunately, the root cause that allows the Web to be leveraged for malware delivery is an inherent lack of security in its design—neither Web applications nor the Internet infrastructure supporting these applications were designed with a well-thought-out security model. Browsers evolved in complexity to support a wide range of applications and inherited some of these weaknesses and added more of their own. While some of the solutions in this space are promising and may help reduce the magnitude of the problem, safe browsing will continue to be a far sought-after goal that deserves serious attention from academia and industry alike.
References
1. Barth, A., Jackson, C., and Reis, C. The Security Architecture of the Chromium Browser; http://crypto.stanford.edu/websec/chromium/chromium-security-architecture.pdf.
2. Brumley, D., Hartwig, C., Kang, M., Liang, Z., Newsome, J., Song, D., and Yin, H. BitScope: Automatically dissecting malicious binaries. Technical Report CMU-CS-07-133, School of Computer Science, Carnegie Mellon University, Mar. 2007.
3. Court halts bogus computer scans (Dec. 2008); www.ftc.gov/opa/2008/12/winsoftware.shtm.
4. Grier, C., Tang, S., and King, S. Secure Web browsing with the OP Web browser. In Proceedings of the IEEE Symposium on Security and Privacy, 2008, 402–416.
5. Krebs, B. Internet Explorer unsafe for 284 days in 2006. Washington Post Online blog, Jan. 2007.
6. Krebs, B. Blogfight: IE vs. Firefox security. Washington Post Online blog, Jan. 2009.
7. Microsoft. Microsoft Security Bulletin MS06-014: Vulnerability in the Microsoft Data Access Components (MDAC) function could allow code execution. May 2006.
8. Microsoft. Microsoft Security Advisory (935423): Vulnerability in Windows animated cursor handling. Mar. 2007.
9. Moser, A., Kruegel, C., and Kirda, E. Exploring multiple execution paths for malware analysis. In Proceedings of the IEEE Symposium on Security and Privacy, 2007, 231–245.
10. Polychronakis, M., Mavrommatis, P., and Provos, N. Ghost turns Zombie: Exploring the life cycle of Web-based malware. In Proceedings of the 1st USENIX Workshop on Large-Scale Exploits and Emergent Threats (Apr. 2008).
11. Provos, N. Using htaccess to Distribute Malware. Dec. 2008; www.provos.org/index.php?/archives/55-Using-htaccess-To-Distribute-Malware.html.
12. Provos, N., Mavrommatis, P., Rajab, M.A., and Monrose, F. All your iframes point to us. In Proceedings of the USENIX Security Symposium, 2008, 1–16.
13. Raz, R. Asprox silent defacement. Chapters in Web Security, Dec. 2008; http://chaptersinWebsecurity.blogspot.com/2008/07/asprox-silent-defacement.html.
14. Small, S., Mason, J., Monrose, F., Provos, N., and Stubblefield, A. To catch a predator: A natural language approach for eliciting malicious payloads. In Proceedings of the USENIX Security Symposium, 2008, 171–184.
15. Stewart, J. Danmec/Asprox SQL injection attack tool analysis. SecureWorks Online, May 2008; www.secureworks.com/research/threats/danmecasprox.
Niels Provos (niels@google.com) joined Google in 2003 and is currently a principal software engineer in the Infrastructure Security group. His areas of interest include computer and network security as well as large-scale distributed systems. He is serving on the USENIX Board of Directors.
Moheeb Abu Rajab (moheeb@google.com) joined Google in 2008 and is currently a software engineer in the Infrastructure Security group. His areas of interest include computer and network security.
Panayiotis Mavrommatis (panayiotis@google.com) joined Google in 2006 and is currently working as a senior software engineer in the Security group.
© 2009 ACM 0001-0782/09/0400 $5.00
April 2009 | Vol. 53 | No. 4 | Communications of the ACM