Manufacturing compromise

The emergence of exploit-as-a-service

Chris Grier, Lucas Ballard, Juan Caballero, Neha Chachra, Christian J. Dietrich, Kirill Levchenko, Panayiotis Mavrommatis, Damon McCoy, Antonio Nappa, Andreas Pitsillidis, Niels Provos, M. Zubair Rafique, Moheeb Abu Rajab, Christian Rossow, Kurt Thomas, Vern Paxson, Stefan Savage, Geoffrey M. Voelker

    Research output: Chapter in Book/Report/Conference proceeding: Conference contribution

    Abstract

    We investigate the emergence of the exploit-as-a-service model for driveby browser compromise. In this regime, attackers pay for an exploit kit or service to do the "dirty work" of exploiting a victim's browser, decoupling the complexities of browser and plugin vulnerabilities from the challenges of generating traffic to a website under the attacker's control. Upon a successful exploit, these kits load and execute a binary provided by the attacker, effectively transferring control of a victim's machine to the attacker. In order to understand the impact of the exploit-as-a-service paradigm on the malware ecosystem, we perform a detailed analysis of the prevalence of exploit kits, the families of malware installed upon a successful exploit, and the volume of traffic that malicious web sites receive. To carry out this study, we analyze 77,000 malicious URLs received from Google Safe Browsing, along with a crowd-sourced feed of blacklisted URLs known to direct to exploit kits. These URLs led to over 10,000 distinct binaries, which we ran in a contained environment. Our results show that many of the most prominent families of malware now propagate through driveby downloads, 32 families in all. Their activities are supported by a handful of exploit kits, with Blackhole accounting for 29% of all malicious URLs in our data, followed in popularity by Incognito. We use DNS traffic from real networks to provide a unique perspective on the popularity of malware families based on the frequency that their binaries are installed by drivebys, as well as the lifetime and popularity of domains funneling users to exploits.

    Original language: English (US)
    Title of host publication: CCS'12 - Proceedings of the 2012 ACM Conference on Computer and Communications Security
    Pages: 821-832
    Number of pages: 12
    DOIs: https://doi.org/10.1145/2382196.2382283
    State: Published - 2012
    Event: 2012 ACM Conference on Computer and Communications Security, CCS 2012 - Raleigh, NC, United States
    Duration: Oct 16 2012 to Oct 18 2012

    Other

    Other: 2012 ACM Conference on Computer and Communications Security, CCS 2012
    Country: United States
    City: Raleigh, NC
    Period: 10/16/12 to 10/18/12

    Fingerprint

    Websites
    Ecosystems
    Malware

    Keywords

    • Malware
    • Security

    ASJC Scopus subject areas

    • Software
    • Computer Networks and Communications

    Cite this

    Grier, C., Ballard, L., Caballero, J., Chachra, N., Dietrich, C. J., Levchenko, K., ... Voelker, G. M. (2012). Manufacturing compromise: The emergence of exploit-as-a-service. In CCS'12 - Proceedings of the 2012 ACM Conference on Computer and Communications Security (pp. 821-832) https://doi.org/10.1145/2382196.2382283

    @inproceedings{d3625d8b04b5454396dbcf6b3220ba2e,
    title = "Manufacturing compromise: The emergence of exploit-as-a-service",
    abstract = "We investigate the emergence of the exploit-as-a-service model for driveby browser compromise. In this regime, attackers pay for an exploit kit or service to do the {"}dirty work{"} of exploiting a victim's browser, decoupling the complexities of browser and plugin vulnerabilities from the challenges of generating traffic to a website under the attacker's control. Upon a successful exploit, these kits load and execute a binary provided by the attacker, effectively transferring control of a victim's machine to the attacker. In order to understand the impact of the exploit-as-a-service paradigm on the malware ecosystem, we perform a detailed analysis of the prevalence of exploit kits, the families of malware installed upon a successful exploit, and the volume of traffic that malicious web sites receive. To carry out this study, we analyze 77,000 malicious URLs received from Google Safe Browsing, along with a crowd-sourced feed of blacklisted URLs known to direct to exploit kits. These URLs led to over 10,000 distinct binaries, which we ran in a contained environment. Our results show that many of the most prominent families of malware now propagate through driveby downloads, 32 families in all. Their activities are supported by a handful of exploit kits, with Blackhole accounting for 29{\%} of all malicious URLs in our data, followed in popularity by Incognito. We use DNS traffic from real networks to provide a unique perspective on the popularity of malware families based on the frequency that their binaries are installed by drivebys, as well as the lifetime and popularity of domains funneling users to exploits.",
    keywords = "Malware, Security",
    author = "Chris Grier and Lucas Ballard and Juan Caballero and Neha Chachra and Dietrich, {Christian J.} and Kirill Levchenko and Panayiotis Mavrommatis and Damon McCoy and Antonio Nappa and Andreas Pitsillidis and Niels Provos and Rafique, {M. Zubair} and Rajab, {Moheeb Abu} and Christian Rossow and Kurt Thomas and Vern Paxson and Stefan Savage and Voelker, {Geoffrey M.}",
    year = "2012",
    doi = "10.1145/2382196.2382283",
    language = "English (US)",
    isbn = "9781450316507",
    pages = "821--832",
    booktitle = "CCS'12 - Proceedings of the 2012 ACM Conference on Computer and Communications Security",

    }
