browser window and overlay a fake input field only for specific banking Web sites. Automated tools may discover the overlay functionality, but if the trojan were to compare against one-way hashes of URLs, determining which banks were targeted could be rather difficult.
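The hashed-target-list trick described above is exactly what makes naming the targeted banks hard for an analyst: with only one-way hashes in hand, the best a defender can do is a dictionary check against candidate hostnames. Added example in Python (not code from the article): it guesses the hash algorithm from digest length, tries each candidate in several URL forms, and reports which digests stay opaque. The hostnames and digests are constructed for the demo.

```python
import hashlib

# Digest length in hex characters -> hashlib name. Assumption for this demo:
# the sample used one of these unsalted hashes over the URL or hostname.
_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def _variants(host):
    """URL forms a candidate hostname might have been hashed as."""
    host = host.lower().strip().rstrip("/")
    bare = host[4:] if host.startswith("www.") else host
    out = []
    for h in (bare, "www." + bare):
        out += [h, "http://" + h, "https://" + h, "http://" + h + "/", "https://" + h + "/"]
    return out


def recover_targets(hashes, candidates):
    """Dictionary check of extracted digests against candidate hostnames.

    Returns (matched, unmatched): matched maps digest -> the URL form that
    produced it; unmatched lists digests no candidate form explained.
    """
    by_algo = {}
    for digest in hashes:
        d = digest.lower()
        algo = _ALGO_BY_LEN.get(len(d))
        if algo is None:
            continue  # unknown digest size: nothing we can test, stays unmatched
        by_algo.setdefault(algo, set()).add(d)
    matched = {}
    for cand in candidates:
        for form in _variants(cand):
            for algo, digests in by_algo.items():
                d = hashlib.new(algo, form.encode()).hexdigest()
                if d in digests:
                    matched[d] = form
    unmatched = sorted(h.lower() for h in hashes if h.lower() not in matched)
    return matched, unmatched


# Constructed sample: digests an analyst might carve out of a sample's
# configuration. They are computed here from made-up hostnames purely so the
# demo is self-contained; no real site is referenced.
_CONSTRUCTED = ["https://www.examplebank.test/", "secure.otherbank.test"]
EXTRACTED_HASHES = [hashlib.sha256(u.encode()).hexdigest() for u in _CONSTRUCTED]

if __name__ == "__main__":
    found, opaque = recover_targets(EXTRACTED_HASHES, ["examplebank.test", "otherbank.test", "unrelated.test"])
    print("recovered:", found)
    print("still opaque:", opaque)
```

The second digest stays opaque because the candidate list never produces the exact `secure.` form the sample hashed, which is the point the paragraph makes: without the right guess, a one-way hash reveals nothing.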
Without doubt, Web-based malware is a security concern for many users. Unfortunately, the root cause that allows the Web to be leveraged for malware delivery is an inherent lack of security in its design—neither Web applications nor the Internet infrastructure supporting these applications were designed with a well-thought-out security model. Browsers evolved in complexity to support a wide range of applications; they inherited some of these weaknesses and added more of their own. Although some of the solutions are promising and may help reduce the magnitude of the problem, safe browsing will continue to be a sought-after goal that deserves serious attention from academia and industry alike.
NIELS PROVOS (niels@google.com) joined Google in 2003 and is currently a principal software engineer in the Infrastructure Security Group. His areas of interest include computer and network security, as well as large-scale distributed systems. He serves on the Usenix board of directors.

MOHEEB ABU RAJAB (moheeb@google.com) joined Google in 2008 and is currently a software engineer in the Infrastructure Security Group. His areas of interest include computer and network security.

PANAYIOTIS MAVROMMATIS (Panayiotis@google.com) joined Google in 2006 and is currently working as a senior software engineer in the Security Group.
© 2009 ACM 1542-7730 /09/0200 $5.00
This article appears in print in the April 2009 issue of Communications of the ACM.