Modeling the Propagation of Trojan Malware in Online Social Networks
Mohammad Reza Faghani, Member, IEEE, and Uyen Trang Nguyen, Member, IEEE


IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 15, JUNE 2017
arXiv:1708.00969v1 [cs.CR] 3 Aug 2017

Abstract—The popularity and widespread usage of online social networks (OSNs) have attracted cyber criminals who have used OSNs as a platform to spread malware. Among the different types of malware in OSNs, the Trojan is the most popular type, with hundreds of attacks on OSN users in the past few years. Trojans infecting a user's computer have the ability to steal confidential information, install ransomware and infect other computers in the network. Therefore, it is important to understand the propagation dynamics of Trojans in OSNs in order to detect, contain and remove them as early as possible. In this article, we present an analytical model to study the propagation characteristics of Trojans and the factors that impact their propagation in an online social network. The proposed model assumes all the topological characteristics of real online social networks. Moreover, the model takes into account the attacking trends of modern Trojans, the role of anti-virus (AV) products, and the security practices of OSN users and AV software providers. By taking these factors into account, the proposed model can accurately and realistically estimate the infection rate caused by a Trojan malware in an OSN as well as the recovery rate of the user population.

Index Terms—online social networks, malware, worms, Trojan, propagation, modeling, simulation, undirected graphs, anti-virus, disinfection

I. INTRODUCTION

Online social networking is amongst the most popular services offered through the World Wide Web. Online social networks (OSNs) such as Facebook, Twitter and MySpace have provided hundreds of millions of people with a means to connect and communicate with their friends, families and colleagues around the world. For instance, Facebook is the second most visited website in the world according to a recent ranking by Alexa [1], only after Google.

The popularity and widespread usage of OSNs have attracted hackers and cyber criminals to use OSNs as an attack platform to spread malware [2], [3]. A successful attack using malware in an OSN can lead to tens of millions of OSN accounts being compromised and users' computers being infected. Cyber criminals can mount massive denial of service attacks against Internet infrastructures or systems using compromised accounts and computers. They can steal users' sensitive information for fraudulent activities. Compromised OSN accounts can also be used to spread misinformation to bias public opinion [4], or even to influence automatic trading algorithms that rely on public opinion [5]. (Automatic trading algorithms place buy/sell stock orders on behalf of human investors.)

The authors are with the Department of Electrical Engineering and Computer Science, York University, Toronto, Ontario, M3J 1P3, Canada. Email: {faghani,[email protected]}

A. Overview of OSN Malware

There are two major types of malware that target online social network users: cross-site scripting worms and Trojans.

• Cross-site scripting (XSS) worms: These are passive malware that exploit vulnerabilities in web applications to propagate themselves without any user intervention.

• Trojans: A Trojan is a type of malware that is often disguised as legitimate software. Users are typically tricked by some form of social engineering into opening them (and thus loading and executing Trojans on their systems). Trojans are the most common method used to launch attacks against OSN users, who are tricked into visiting malicious websites and subsequently downloading malware disguised as legitimate software (e.g., Adobe Flash player). There are many variants of Trojans operating in OSNs, including clickjacking worms [6] and extension-based malware [7].

Compared with XSS worms, Trojans are the more popular type of malware targeting OSN users. Over the past few years, Facebook users have experienced hundreds of separate Trojan malware attacks [8]–[10]. For instance, the first variant of an OSN Trojan browser extension called Kilim appeared in November 2014 [8]. From November 2014 to November 2016, almost 600 variants of Kilim were discovered [11]. In most cases, a Trojan disguises itself as legitimate software. For instance, in two major Trojan attacks on Facebook, the Trojan posed as an Adobe Flash player update [9], [10]. In a more recent attack discovered in 2015 [9], a message enticed the victims to click on a link that redirected them to a third-party website unaffiliated with Facebook, where they were prompted to download what was claimed to be an update of the Adobe Flash player. If they downloaded and executed the file, they would infect their computers with a Trojan malware.

Trojans installed on a user's computer have the ability to access contents on the compromised system, including social network contents, credit card information, and login credentials. A Trojan can even spread itself further by infecting other systems on the same network. Such Trojans have the ability to form a botnet to open up channels for attackers to send further payloads such as ransomware. One such Trojan is a variant of Locky ransomware discovered in November 2016 [12], which was delivered via JPEG and SVG files through Facebook Messenger.

B. Motivations

Given the popularity of Trojans and the potential damage they inflict, it is important to understand their propagation dynamics in OSNs in order to detect, contain and remove them as early as possible. Therefore, our objective is to model and study the propagation of Trojans in social networks such as Facebook, LinkedIn and Orkut. (These networks can be represented by undirected graphs, in which each vertex represents a user, and each edge represents the mutual relationship between the two users denoted by its two end vertices.)

The topic of Trojan propagation in OSNs has only been studied recently. Most of these studies are based on simulations [3], [13]–[15]. Thomas et al. [10] traced the activities of Koobface, a Trojan that targeted OSN users, for one month to study its propagation characteristics.

There exist few works on the topic of modeling the propagation of malware in OSNs. Faghani and his collaborators [16], [17] modeled the propagation of XSS worms in OSNs. Sanzgiri et al. [18] modeled the propagation of Trojans in the social network Twitter, where most relationships are one-directional (follower-followee), unlike the mutual relationships in Facebook or LinkedIn networks.

There exist works that model the propagation of worms and malware (not necessarily Trojans) in other types of networks such as people, email and cellular phones. Many of these models [19]–[22] assumed that each user is directly connected to every other user in the same network (also known as "homogeneous mixing"). This assumption does not hold true for a real-world OSN such as Facebook, where each user is directly connected to only his/her friends. As a result, the "homogeneous mixing" assumption may lead to an over-estimation of the infection rate in a real OSN [23], [24]. Cheng et al. [25] proposed a propagation model for malware that targets multimedia messaging service (MMS) and Bluetooth devices. Chen and Ji [26] and Chen et al. [27] modeled the spreading of scanning worms¹ in computer networks. Zou et al. [24] and Komnios et al. [28] studied the propagation of email worms. Wen et al. [23] also modeled the propagation of malware in email networks and in semi-directed networks represented by mixed graphs (i.e., a subset of edges are directed while the others are undirected).

Besides the network topology, there are several other factors that affect the propagation of Trojans in social networks. For example, anti-virus (AV) products play an important role in protecting users against malware and thus slowing down their propagation. [...] the propagation of recent Trojans is their ability to prevent users from accessing websites of AV vendors so that the users cannot download updates/patches. There have been several instances of such malware [7], [9], [10], [30]–[32], including those targeting Facebook users such as Magnet [9], Koobface [10], and extension-based malware [7]. In response to this new ability of Trojans, infected users have reached out to their OSN friends, asking for clean-up solutions to remove the malware from their systems, as in the case of a large-scale attack on Facebook caused by a malware named Magnet [9]. All the above factors have an impact on the propagation dynamics of Trojans in OSNs; however, none of the previous works on modeling worms/malware in OSNs considered these factors.

C. Contributions

Having identified gaps in existing research, we propose an analytical model that

• considers characteristics of modern Trojans (e.g., malware blocking users' access to AV provider websites), security practices (e.g., users installing AV products on their computers, AV manufacturers gradually releasing updates/patches against a newly propagating malware), and user behaviour (e.g., seeking assistance from OSN friends to clean up infected computers). None of the previous works on modeling worms/malware in OSNs considered the above factors.

• assumes the topological characteristics of real-world social networks, namely, low average shortest distance, power-law distribution of node degrees and high clustering coefficient [33]–[35]. In this article, we consider OSNs that are represented by undirected graphs such as Facebook, LinkedIn and Orkut. To the best of our knowledge, our work is the first that models Trojan propagation in such networks. (In the future we will extend the model to OSNs represented by directed graphs such as Twitter.)

• is validated using a real-world social network graph, a Facebook sub-graph constructed by McAuley and Leskovec [36] that possesses all the characteristics of online social networks mentioned above. In all experiments we studied, numerical results obtained from the model