One common class of attacks includes images that resemble popular video players, along with a false warning that the computer is missing essential codecs for displaying the video or that a newer version of the video player plug-in is required to view it. Instead, the provided link downloads a trojan that, once installed, gives the attacker full control over the user’s machine.
A more recent trick involves fake security scans. A specially crafted Web site displays virus-scanning dialogs, along with animated progress bars and a list of infections presumably found on the computer, but all the warnings are false and are meant to scare the user into believing the machine is infected. The Web site then offers a download as a solution, which could be another trojan, or asks the user for a registration fee to perform an unnecessary cleanup of the machine.
We have observed a steady increase in fake anti-virus attacks. From July to October 2008, we measured an average of 60 different domains serving fake security products, infecting an average of 1,500 Web sites. In November and December 2008, the number of domains increased to 475, infecting more than 85,000 URLs. At that time the Federal Trade Commission reported more than 1 million consumers were tricked into buying these products, and a U.S. district court issued a halt and an asset freeze on some of the companies behind these fake products [3]. This does not appear to have been sufficient to stop the scheme. In January 2009, we observed more than 450 different domains serving fake security products, and the number of infected URLs had increased to 148,000.
Malware activities on the user’s machine. Once attackers have control over a user’s machine, they usually attempt to turn their work into profit. We have previously analyzed the behavior of Web malware installed by drive-by downloads [10]. In many cases, malware was equipped with key-loggers to spy on the user’s activity. Often, a backdoor was installed, allowing the attacker to access the machine directly at a later time. More sophisticated malware turned the machine into a bot that listened to remote commands and executed various tasks on demand. Common uses of botnets include sending spam or harvesting passwords or credit card numbers. Botnets afford the attackers a degree of anonymity since the spam appears to be sent from a set of continuously changing IP addresses, making it harder to blacklist them.
To help improve the safety of the Internet, Google has developed an extensive infrastructure for identifying URLs that trigger drive-by downloads. Our analysis starts by inspecting pages in Google’s large Web repository. Since exhaustive inspection of each page is prohibitively expensive as the repository contains billions of pages, we have developed a lightweight system to identify candidate pages likely to be malicious. These pages are then subjected to more detailed analysis in a virtual machine, allowing us to determine if visiting a page results in malicious changes to the machine itself.
The lightweight analysis uses a machine-learning framework that can detect 90 percent of all malicious pages with a false positive rate of only 10^-3 (one in a thousand). At this false positive rate, the filter reduces the workload of the virtual machines from billions of pages to only millions. The URLs that are determined to be malicious are further processed into host-suffix path-prefix patterns. This system has been used to protect Google’s search engine since 2006. Our data is also published via Google’s Safe Browsing API for browsers such as Firefox, Chrome, and Safari, which use the data to prevent users from visiting harmful pages.
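As an added illustration (not Google's code and not the Safe Browsing wire format), the following Python sketch shows how a browser-side check can expand a canonicalized URL into its host-suffix / path-prefix candidates and look each one up in a blocklist of such patterns. The pattern string form, the "at least two host labels" cutoff, and the sample entries are constructed assumptions.

```python
from urllib.parse import urlsplit

# Constructed sample blocklist of host-suffix / path-prefix patterns, each
# written as "<host-suffix><path-prefix>" (assumed representation, not the
# real Safe Browsing format). A path prefix of "/" covers the whole host.
BLOCKLIST = {
    "evil.example/",              # every page on evil.example and its subdomains
    "cdn.example/ads/fake-av/",   # only one directory on an otherwise clean host
    "tracker.example/v.php",      # one script path, regardless of query string
}

def canonicalize(url):
    """Lowercase the host, drop scheme/credentials/port/fragment; keep the query."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower().rstrip(".")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return host, path

def candidate_patterns(url):
    """Yield every host-suffix / path-prefix pair that could cover the URL.

    Host suffixes: the full host, then each parent down to two labels (an
    assumption that ignores public-suffix rules). Path prefixes: the path with
    its query, the path alone, then each parent directory down to "/".
    """
    host, path = canonicalize(url)
    labels = host.split(".")
    suffixes = [".".join(labels[i:]) for i in range(len(labels) - 1)]
    plain = path.split("?")[0]
    prefixes = [path] if path != plain else []
    prefixes.append(plain)
    while plain != "/":
        cut = plain.rstrip("/").rfind("/")
        plain = plain[: cut + 1] if cut > 0 else "/"   # always terminates at "/"
        prefixes.append(plain)
    for h in suffixes:
        for p in prefixes:
            yield f"{h}{p}"

def lookup(url, blocklist=BLOCKLIST):
    """Return the blocklist pattern covering the URL, or None if it is not listed."""
    for pattern in candidate_patterns(url):
        if pattern in blocklist:
            return pattern
    return None
```

The more specific a pattern is (a single path versus a whole host), the less collateral blocking it causes, which is why the path-prefix dimension matters on shared hosts.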
CHALLENGES

Despite these efforts to make the Web safer for users, a number of fundamental challenges remain, requiring future work.