Jacobson, Michael John
Williamson, Carey
Obied, Ahmed Mohamed Abdulla
2017-12-18
2017-12-18
2008
http://hdl.handle.net/1880/103098
Bibliography: p. 123-132
Some pages are in colour.

Malicious software in the form of worms, Trojan horses, spyware, and bots has become an effective tool for financial gain. To effectively infect the computers of unsuspecting users with malware, attackers use malicious Web pages. When a user views a malicious Web page using a Web browser, the malicious Web page delivers a Web-based exploit that targets browser vulnerabilities. Successful exploitation of a browser vulnerability can lead to an automatic download and execution of malware on the victim's computer.

This thesis presents a honeypot that uses Internet Explorer as bait to identify malicious Web pages, which successfully download and execute malware via Web-based exploits. When the honeypot instructs Internet Explorer to visit a Web page, the honeypot monitors and records process and file creation activities of Internet Explorer and processes spawned by Internet Explorer. The recorded activities are analyzed to find deviations from normal behavior, which indicate successful exploitation. The Web-based exploits delivered by malicious Web pages and the malware downloaded by the exploits are automatically collected by the honeypot after successful exploitations. Additionally, the honeypot constructs an analysis graph to find relationships between different malicious Web pages and identify the Web pages that download the same malware.

This thesis also presents an analysis of data collected by the honeypot after processing 33,811 URLs collected from three data sets. Observations and case studies are presented to provide insights about Web-based exploits and malware, malicious Web pages, and the techniques used by attackers to deliver and obfuscate the exploits.

xiv, 137 leaves : ill. ; 30 cm.
eng
University of Calgary graduate students retain copyright ownership and moral rights for their thesis. You may use this material in any way that is permitted by the Copyright Act or through licensing that has been assigned to the document. For uses that are not allowable under copyright legislation or licensing, you are required to seek permission.
Collection and analysis of web-based exploits and malware
master thesis
10.11575/PRISM/2097