Abstract
Compromised websites that redirect users to malicious websites are often used by attackers to distribute malware. Attackers compromise popular websites and integrate them into a drive-by download attack scheme to lure unsuspecting users to malicious websites. An incident response organization such as a CSIRT helps prevent the spread of malware infection by analyzing compromised websites reported by users and sending abuse reports with the detected URLs to webmasters. However, abuse reports that contain only URLs are not sufficient to clean up a website, so webmasters cannot respond appropriately to them. In addition, it is difficult to analyze a malicious website across different client environments, i.e., that of a CSIRT and that of a webmaster, because such websites change their behavior depending on the client environment. To expedite compromised website clean-up, it is important to provide fine-grained information such as the precise position of the compromised web content, the relations among malicious URLs, and the target range of client environments. In this paper, we propose a method of constructing a redirection graph with context, such as which piece of web content redirects to which malicious website. Our system, which implements the proposed method, analyzes a website in a multi-client environment to identify which client environments are exposed to threats. We evaluated our system on crawling datasets of approximately 2,000 compromised websites. Our system successfully identified compromised web content and malicious URL relations, and the amount of web content and the number of URLs that must be analyzed were reduced to 0.8% and 15.0%, respectively, which is sufficient for incident responders. Furthermore, it identified the target range of client environments for 30.4% of the websites and, by leveraging this target information, the vulnerability exploited by a malicious website. This fine-grained information identified with our system would make the daily work of incident responders dramatically more efficient.
References
[1] Symantec Corporation: Internet Security Threat Report 2014: Volume 19 (2014). http://www.symantec.com/content/en/us/enterprise/other_resources/b-istr_main_report_v19_21291018.en-us.pdf
[2] Sophos Ltd.: Security Threat Report 2014 (2014). https://www.sophos.com/en-us/medialibrary/PDFs/other/sophos-security-threat-report-2014.pdf
[3] Kobayashi, H., Uchiyama, T.: Keeping eyes on malicious websites - 'ChkDeface' against fraudulent sites. In: The 27th Annual FIRST Conference (2015)
[4] Japan's Ministry of Internal Affairs and Communications: ACTIVE: Advanced Cyber Threats response InitiatiVE. http://www.active.go.jp/en/
[5] Li, F., Ho, G., Kuan, E., Niu, Y., Ballard, L., Thomas, K., Bursztein, E., Paxson, V.: Remedying web hijacking: notification effectiveness and webmaster comprehension. In: Proceedings of the International World Wide Web Conference (WWW) (2016)
[6] Mavrommatis, N., Monrose, M.: All your iFRAMEs point to us. In: Proceedings of the USENIX Security Symposium (2008)
[7] Eshete, B., Venkatakrishnan, V.N.: WebWinnow: leveraging exploit kit workflows to detect malicious URLs. In: Proceedings of the ACM Conference on Data and Application Security and Privacy (CODASPY) (2014)
[8] Kolbitsch, C., Livshits, B.: Rozzle: de-cloaking internet malware. In: Proceedings of the IEEE Symposium on Security and Privacy (SP) (2012)
[9] Min, B., Varadharajan, V.: A simple and novel technique for counteracting exploit kits. In: Tian, J., Jing, J., Srivatsa, M. (eds.) SecureComm 2014. LNICSSITE, vol. 152, pp. 259-277. Springer, Cham (2015). doi:10.1007/978-3-319-23829-6_19
[10] Lu, L., Perdisci, R., Lee, W.: SURF: detecting and measuring search poisoning. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS) (2011)
[11] Borgolte, K., Kruegel, C., Vigna, G.: Delta: automatic identification of unknown web-based infection campaigns. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS) (2013)
[12] Li, Z., Alrwais, S., Wang, X., Alowaisheq, E.: Hunting the red fox online: understanding and detection of mass redirect-script injections. In: Proceedings of the IEEE Symposium on Security and Privacy (SP) (2014)
[13] TripWire. http://www.tripwire.com/
[14] Xie, G., Iliofotou, M., Karagiannis, T., Faloutsos, M., Jin, Y.: ReSurf: reconstructing web-surfing activity from network traffic. In: IFIP Networking Conference (2013)
[15] Nelms, T., Perdisci, R., Antonakakis, M., Ahamad, M.: WebWitness: investigating, categorizing, and mitigating malware download paths. In: Proceedings of the USENIX Security Symposium (2015)
[16] Akiyama, M., Yagi, T., Kadobayashi, Y., Hariu, T., Yamaguchi, S.: Client honeypot multiplication with high performance and precise detection. IEICE Trans. Inf. Syst. E98-D(4), 775-787 (2015)
[17] Neasbitt, C., Perdisci, R., Li, K., Nelms, T.: ClickMiner: towards forensic reconstruction of user-browser interactions from network traces. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS) (2014)
[18] Nikiforakis, N., Kapravelos, A., Joosen, W., Kruegel, C., Piessens, F., Vigna, G.: Cookieless monster: exploring the ecosystem of web-based device fingerprinting. In: Proceedings of the IEEE Symposium on Security and Privacy (SP) (2013)
[19] Intel Security Inc.: Red kit an emerging exploit pack, January 2013. https://blogs.mcafee.com/mcafee-labs/red-kit-an-emrging-exploit-pack/
[20] Lu, L., Yegneswaran, V., Porras, P., Lee, W.: BLADE: an attack-agnostic approach for preventing drive-by malware infections. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS) (2010)
[21] Cova, M., Kruegel, C., Vigna, G.: Detection and analysis of drive-by-download attacks and JavaScript code. In: Proceedings of the International World Wide Web Conference (WWW) (2010)
[22] Dell'Aera, A.: Thug. http://buffer.github.io/thug/
[23] Curtsinger, C., Livshits, B., Zorn, B., Seifert, C.: ZOZZLE: fast and precise in-browser JavaScript malware detection. In: Proceedings of the USENIX Security Symposium (2011)
[24] Canali, D., Cova, M., Vigna, G.: Prophiler: a fast filter for the large-scale detection of malicious web pages. In: Proceedings of the International World Wide Web Conference (WWW) (2011)
[25] Eshete, B., Villafiorita, A., Weldemariam, K.: BINSPECT: holistic analysis and detection. In: Proceedings of the International Conference on Security and Privacy in Communication Networks (SecureComm) (2013)
[26] Zhang, J., Seifert, C., Stokes, J.W., Lee, W.: Arrow: generating signatures to detect drive-by downloads. In: Proceedings of the International World Wide Web Conference (WWW) (2011)
[27] Stringhini, G., Kruegel, C., Vigna, G.: Shady paths: leveraging surfing crowds to detect malicious web pages. In: Proceedings of the ACM Conference on Computer and Communications Security (CCS) (2013)
[28] Mekky, H., Torres, R., Zhang, Z.L., Saha, S., Nucci, A.: Detecting malicious HTTP redirections using trees of user browsing activity. In: Proceedings of the IEEE International Conference on Computer Communications (INFOCOM) (2014)
A Appendix: Difference Between Proposed Graph and Conventional Graph
We show redirection graph examples constructed with the referer-based method [14], the heuristic-based method [15], and the proposed method in Figs. 10, 11, and 12, respectively. Figure 10 depicts a smaller graph than the other two because one redirection was performed by a function of the location object and therefore carried no Referer header. In this case, the referer-based method cannot connect that redirection or any of the redirections that follow it. The heuristic-based method can connect all redirections; however, semantic gaps arise between Referer headers and JavaScript redirections. Because of these gaps, it cannot identify the precise redirection origin, e.g., the web content of URL "http://DOMAIN10/gzcr?t=[a-zA-Z0-9]{118}". Our method connects all redirections and precisely identifies every redirection origin.
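The difference the appendix describes, as an added example in Python (not the paper's system or the cited tools' code): it replays a constructed four-hop crawl log in which the second hop is a location-object redirect without a Referer header, and compares a referer-only linker with a linker that uses the redirection origin recorded by an instrumented browser (assumed available, as the proposed method's context annotation provides). The heuristic-based method is not modelled here.

```python
"""Redirection-graph construction from a constructed crawl log.

Added example, not the paper's code. `referer` is the HTTP Referer
header of each request (None when absent); `origin` is the content that
triggered the redirection, as an instrumented browser would record it
(assumed available): (source_url, mechanism).
"""
from collections import namedtuple

Record = namedtuple("Record", "url referer origin")

# Constructed crawl log for one visit to a compromised landing page.
CRAWL = [
    Record("http://compromised.example/index.html", None, None),
    # injected iframe: the Referer header carries the landing page
    Record("http://hop1.example/gate.php",
           "http://compromised.example/index.html",
           ("http://compromised.example/index.html", "iframe")),
    # location-object redirect: no Referer header, as the appendix observes
    Record("http://hop2.example/redirect.html", None,
           ("http://hop1.example/gate.php", "js-location")),
    # iframe written by hop2: Referer header present again
    Record("http://exploit.example/land", "http://hop2.example/redirect.html",
           ("http://hop2.example/redirect.html", "iframe")),
]

def referer_graph(records):
    """Edges inferred from Referer headers only (cf. the referer-based method)."""
    return {(r.referer, r.url) for r in records if r.referer}

def origin_graph(records):
    """Edges from recorded redirection origins, labelled with the mechanism."""
    return {(r.origin[0], r.url, r.origin[1]) for r in records if r.origin}

def reachable(edges, start):
    """URLs reachable from `start` along (src, dst, ...) edges."""
    seen, stack = set(), [start]
    while stack:
        node = stack.pop()
        for edge in edges:
            if edge[0] == node and edge[1] not in seen:
                seen.add(edge[1])
                stack.append(edge[1])
    return seen

def chain_breaks(records):
    """Hops the referer-based graph fails to connect to the landing page."""
    landing = records[0].url
    reached = reachable(referer_graph(records), landing)
    return [r.url for r in records[1:] if r.url not in reached]
```

Running `chain_breaks(CRAWL)` lists the location-redirect hop and everything after it as disconnected, while `reachable(origin_graph(CRAWL), CRAWL[0].url)` returns the full chain with each hop's redirection mechanism available on the edge.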
Copyright information
© 2017 ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering
Cite this paper
Takata, Y., Akiyama, M., Yagi, T., Yada, T., Goto, S. (2017). Website Forensic Investigation to Identify Evidence and Impact of Compromise. In: Deng, R., Weng, J., Ren, K., Yegneswaran, V. (eds) Security and Privacy in Communication Networks. SecureComm 2016. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 198. Springer, Cham. https://doi.org/10.1007/978-3-319-59608-2_25
DOI: https://doi.org/10.1007/978-3-319-59608-2_25
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-59607-5
Online ISBN: 978-3-319-59608-2