Collection and analysis of web-based exploits and malware

Date
2008
Abstract
Malicious software in the form of worms, Trojan horses, spyware, and bots has become an effective tool for financial gain. To effectively infect the computers of unsuspecting users with malware, attackers use malicious Web pages. When a user views a malicious Web page using a Web browser, the malicious Web page delivers a Web-based exploit that targets browser vulnerabilities. Successful exploitation of a browser vulnerability can lead to an automatic download and execution of malware on the victim's computer. This thesis presents a honeypot that uses Internet Explorer as bait to identify malicious Web pages, which successfully download and execute malware via Web-based exploits. When the honeypot instructs Internet Explorer to visit a Web page, the honeypot monitors and records process and file creation activities of Internet Explorer and processes spawned by Internet Explorer. The recorded activities are analyzed to find deviations from normal behavior, which indicate successful exploitation. The Web-based exploits delivered by malicious Web pages and the malware downloaded by the exploits are automatically collected by the honeypot after successful exploitations. Additionally, the honeypot constructs an analysis graph to find relationships between different malicious Web pages and identify the Web pages that download the same malware. This thesis also presents an analysis of data collected by the honeypot after processing 33,811 URLs collected from three data sets. Observations and case studies are presented to provide insights about Web-based exploits and malware, malicious Web pages, and the techniques used by attackers to deliver and obfuscate the exploits.
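The abstract describes two analysis steps: comparing the process and file creation activity recorded during a visit against a baseline of normal Internet Explorer behaviour, and building an analysis graph that links malicious pages through the malware they download. The following Python is an added illustration of those two steps written for this page; it is not code from the thesis. The event format, the baseline allow-list (IE writes only to its cache directory and spawns no child processes), the honeypot paths and the URLs and hash values are all constructed assumptions.

```python
"""Toy version of a client honeypot's behaviour analysis (added example).

Assumed inputs: per-URL lists of process-creation and file-creation events
captured while Internet Explorer rendered the page. Downloaded files are
identified by a hash string the honeypot is assumed to have computed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed baseline of normal IE behaviour: no child processes, and file
# writes confined to the browser cache directory (constructed path).
NORMAL_CHILD_PROCESSES: set[str] = set()
NORMAL_WRITE_PREFIXES = (
    "C:\\Users\\honeypot\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\",
)


@dataclass
class Event:
    kind: str          # "process" (actor spawned target) or "file" (actor created target)
    actor: str         # image name of the process performing the action
    target: str        # child image name or created file path
    sha1: str = ""     # hash of the created file, if known


def find_deviations(events: list[Event]) -> list[Event]:
    """Return events that deviate from the baseline.

    Only activity of iexplore.exe and of processes it (transitively) spawned
    is considered, mirroring the abstract's "processes spawned by IE".
    """
    monitored = {"iexplore.exe"}
    deviations = []
    for ev in events:
        if ev.actor.lower() not in monitored:
            continue
        if ev.kind == "process":
            child = ev.target.lower()
            monitored.add(child)                      # follow the new process too
            if child not in NORMAL_CHILD_PROCESSES:
                deviations.append(ev)
        elif ev.kind == "file":
            outside_cache = not ev.target.startswith(NORMAL_WRITE_PREFIXES)
            if outside_cache or ev.target.lower().endswith(".exe"):
                deviations.append(ev)
    return deviations


def visit_exploited(events: list[Event]) -> bool:
    """A visit counts as a successful exploitation if any deviation occurred."""
    return bool(find_deviations(events))


def build_analysis_graph(visits: dict[str, list[Event]]) -> dict[str, set[str]]:
    """Bipartite graph as an adjacency map: URL -> hashes of malware it dropped.

    Only exploited visits contribute edges; benign URLs map to an empty set.
    """
    graph: dict[str, set[str]] = {}
    for url, events in visits.items():
        graph[url] = {ev.sha1 for ev in find_deviations(events) if ev.kind == "file" and ev.sha1}
    return graph


def shared_malware(graph: dict[str, set[str]]) -> dict[str, set[str]]:
    """Invert the graph: hash -> URLs, keeping only malware seen from 2+ pages."""
    by_hash: dict[str, set[str]] = defaultdict(set)
    for url, hashes in graph.items():
        for h in hashes:
            by_hash[h].add(url)
    return {h: urls for h, urls in by_hash.items() if len(urls) > 1}


CACHE = NORMAL_WRITE_PREFIXES[0]
TEMP = "C:\\Users\\honeypot\\AppData\\Local\\Temp\\"

# Constructed sample visits (not real URLs, hashes or samples).
VISITS: dict[str, list[Event]] = {
    "http://benign.example/": [
        Event("file", "iexplore.exe", CACHE + "index[1].htm"),
        Event("file", "iexplore.exe", CACHE + "logo[1].png"),
    ],
    "http://site-a.example/": [
        Event("file", "iexplore.exe", CACHE + "index[1].htm"),
        Event("file", "iexplore.exe", TEMP + "svch0st.exe", sha1="HASH-A"),
        Event("process", "iexplore.exe", "svch0st.exe"),
        Event("file", "svch0st.exe", TEMP + "second.dll", sha1="HASH-B"),
    ],
    "http://site-b.example/": [
        Event("file", "iexplore.exe", TEMP + "update.exe", sha1="HASH-A"),
        Event("process", "iexplore.exe", "update.exe"),
    ],
}

if __name__ == "__main__":
    graph = build_analysis_graph(VISITS)
    for url, hashes in graph.items():
        print(f"{url}: exploited={bool(hashes)} malware={sorted(hashes)}")
    print("pages sharing malware:", shared_malware(graph))
```

Running the block prints the benign visit as not exploited and reports that `HASH-A` was dropped by both constructed malicious pages, which is the kind of relationship the abstract's analysis graph is meant to expose. The transitive monitoring matters: the second file drop on site-a is attributed to the page only because the spawned process was added to the monitored set.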
Description
Bibliography: p. 123-132
Some pages are in colour.
Citation
Obied, A. M. (2008). Collection and analysis of web-based exploits and malware (Master's thesis, University of Calgary, Calgary, Canada). Retrieved from https://prism.ucalgary.ca. doi:10.11575/PRISM/2097