MineSpider: Extracting hidden URLs behind evasive drive-by download attacks

Yuta Takata, Mitsuaki Akiyama, Takeshi Yagi, Takeo Hariu, Shigeki Goto

    Research output: Contribution to journalArticle

    4 Citations (Scopus)

    Abstract

    Drive-by download attacks force users to automatically download and install malware by redirecting them to malicious URLs that exploit vulnerabilities of the user's web browser. In addition, several evasion techniques, such as code obfuscation and environment-dependent redirection, are used in combination with drive-by download attacks to prevent detection. In environment-dependent redirection, attackers profile the information on the user's environment, such as the name and version of the browser and browser plugins, and launch a drive-by download attack on only certain targets by changing the destination URL. When malicious content detection and collection techniques, such as honeyclients, are used that do not match the specific environment of the attack target, they cannot detect the attack because they are not redirected. Therefore, it is necessary to improve analysis coverage while countering these adversarial evasion techniques. We propose a method for exhaustively analyzing JavaScript code relevant to redirections and extracting the destination URLs in the code. Our method facilitates the detection of attacks by extracting a large number of URLs while controlling the analysis overhead by excluding code not relevant to redirections. We implemented our method in a browser emulator called MineSpider that automatically extracts potential URLs from websites. We validated it by using communication data with malicious websites captured during a three-year period. The experimental results demonstrated that MineSpider extracted 30,000 new URLs from malicious websites in a few seconds that conventional methods missed.

    Original languageEnglish
    Pages (from-to)860-872
    Number of pages13
    JournalIEICE Transactions on Information and Systems
    VolumeE99D
    Issue number4
    DOIs
    Publication statusPublished - 2016 Apr 1

    Keywords

    • Code analysis
    • Drive-by download
    • Redirection analysis
    • Web-based malware

    ASJC Scopus subject areas

    • Electrical and Electronic Engineering
    • Software
    • Artificial Intelligence
    • Hardware and Architecture
    • Computer Vision and Pattern Recognition

    Fingerprint Dive into the research topics of 'MineSpider: Extracting hidden URLs behind evasive drive-by download attacks'. Together they form a unique fingerprint.

    Cite this