SLIDE 1

Putting out a HIT

Crowdsourcing Malware Installs

Chris Kanich, Stephen Checkoway, Keaton Mowery, UC San Diego

SLIDE 2

Mechanical Turk

  • Crowdsourcing platform
  • Requesters post tasks paying 1¢ – $10
  • Workers perform HITs – Human Intelligence Tasks
  • Amazon takes a 10% cut of each reward

SLIDE 3

Pay-Per-Install

  • Abstracts compromise from monetization
  • Broker buys and sells “installs” in bulk
  • Sellers compromise hosts and install “droppers”
  • Sellers need exploits and traffic
  • Buyers monetize hosts (or install other droppers)
  • We act as hypothetical install sellers
  • Can we turn a profit selling installs from mturk?

SLIDE 4

Summary

  • Drive-bys on Turkers are economically feasible
  • Volume leaves something to be desired…
  • Very high “exploitability” figures are common
  • AV up-to-date-ness in a similar state
  • Low-wage Turkers majority Indian

SLIDE 5

Methodology

  • Goal: accurately simulate machine takeover and determine its economic profitability

  • Find a vulnerable population (Mturk workers)
  • Determine their vulnerability
  • Is host value > Mturk cost?

Cost = 110% x (mturk wage) x (vulnerable ratio)

SLIDE 6

Mechanical Turk HITs

  • Ran this at both 1¢ and 5¢

SLIDE 7

Mechanical Turk HITs

  • 38% conversion rate

SLIDE 8

Mechanical Turk HITs

  • Ran this at 1¢ only

SLIDE 9

Worker Uptake

>400 hosts by t = 48 hours

SLIDE 10

Worker Demographics

  • 61.3% in India
  • 23.2% in the U.S.
  • Remaining 15.5% in 75 other countries
  • English language HIT

SLIDE 11

Worker Uptake

400-500 hosts per region by t = 5 days

SLIDE 12

Vulnerability Oracle

  • Surveyed CVEs for popular browser plugins
  • Determined vulnerable version range
  • Limited to remotely exploitable CVEs
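
The version-range check behind such an oracle, applied as a patch audit over an inventory of plugin versions. This is an added example, not code from the slides or their authors; the plugin names, advisory ids, version ranges and inventory are constructed placeholders.

```python
from typing import NamedTuple

class Advisory(NamedTuple):
    advisory_id: str   # placeholder id, not a real CVE number
    plugin: str
    first_bad: str     # lowest affected version (inclusive)
    first_fixed: str   # first patched version (exclusive)

ADVISORIES = [  # constructed ranges for hypothetical plugins
    Advisory("CVE-PLACEHOLDER-1", "example-pdf-plugin", "9.0", "9.3.3"),
    Advisory("CVE-PLACEHOLDER-2", "example-media-plugin", "10.0.12", "10.1.53.64"),
]

def parse_version(text):
    """Turn '10.0.45.2' or '9,3,0' into a comparable tuple of ints."""
    parts = text.strip().replace(",", ".").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in parts]
    while len(nums) > 1 and nums[-1] == 0:   # treat 9.3.0 as equal to 9.3
        nums.pop()
    return tuple(nums)

def matching_advisories(plugin, version):
    v = parse_version(version)
    return [a.advisory_id for a in ADVISORIES
            if a.plugin == plugin
            and parse_version(a.first_bad) <= v < parse_version(a.first_fixed)]

def audit(hosts):
    """hosts: {host: {plugin: version}} -> (findings, flagged ratio).
    Unparseable versions are flagged for review, never silently passed."""
    findings = {}
    for host, plugins in hosts.items():
        hits = []
        for plugin, version in plugins.items():
            try:
                hits += matching_advisories(plugin, version)
            except ValueError:
                hits.append(f"UNKNOWN-VERSION:{plugin}")
        if hits: findings[host] = sorted(hits)
    return findings, (len(findings) / len(hosts) if hosts else 0.0)

SAMPLE_INVENTORY = {  # constructed inventory
    "host-a": {"example-pdf-plugin": "9.3.0", "example-media-plugin": "10.1.53.64"},
    "host-b": {"example-pdf-plugin": "9.3.3"},
    "host-c": {"example-media-plugin": "10,0,45,2"},
    "host-d": {"example-pdf-plugin": "unknown"},
}
```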

SLIDE 13

Vulnerability of Workers

SLIDE 14

Economic feasibility

  • For 5¢ hosts:

PPI purchase price:

  • $100 – $180 for U.S. hosts
  • $7 – $8 for Asian hosts

SLIDE 15

Drawbacks

  • Synthetic exploitation oracle
  • Exploit “startup cost” not factored in
  • Detection might hamper success
  • Uptake rate
  • PPI affiliates expect 1000s of hosts/week
  • Only feasible as a supplement to other infections
  • Only useful if crowdsourcing takes off

SLIDE 16

Additional observations

  • Mturk allows targeting by country
  • Mturk’s iframe interface is powerful
  • AV penetration high; up-to-date not so much
  • Criminals might not pay their victims

SLIDE 17

Conclusions

  • Antivirus use very high; correct use very low
  • Turker browsers very vulnerable
  • Mturk is very expensive as traffic acquisition
  • Mturk-based drive-bys economically profitable, but perhaps not economically practical.

SLIDE 18

Thank You!

Yahoo!