SLIDE 1
The Problem
- Drive‐by download aEacks infect thousands of
computers daily
- Millions of URLs spread the aEacks
- Current technologies based on full system
Scalable Web Object Inspec0on and Malfease Collec0on Charalampos - - PowerPoint PPT Presentation
Scalable Web Object Inspec0on and Malfease Collec0on Charalampos - - PowerPoint PPT Presentation
Scalable Web Object Inspec0on and Malfease Collec0on Charalampos Andrianakis Paul Seymer Angelos Stavrou The Problem Driveby download aEacks infect thousands of computers daily Millions of URLs spread the aEacks Current
SLIDE 2
SLIDE 3
Our Solu0on
- A URL analysis framework using lightweight
virtualiza0on and a modified WINE engine
– Scans thousands of URLs in parallel – Minimizes resource consump0on (VM uses less than 300MB of disk, 3MB of memory) – Extracts the offending payload and use it for further analysis
SLIDE 4
Framework Architecture
SLIDE 5
Framework Architecture
- OpenVZ containers with Debian Linux and
WINE
- Execute Internet Explorer inside WINE and
visit malicious URL
- NOP Sled detector inside WINE detects the
aEack (heap spray) and extracts the payload
SLIDE 6
Framework Architecture
- The payload is executed inside WINE with the
payload loader
- Malware contacts a remote server and
downloads zero day malware binaries
SLIDE 7
Framework Architecture
SLIDE 8
Scalability
SLIDE 9
Scalability
SLIDE 10
Limita0ons
- Our solu0on is limited to detec0ng heap spray
aEacks only
- If the offending payload references func0ons
- r data in the address space of the browser it
can evade detec0on
SLIDE 11