MineSpider: Extracting URLs from Environment-Dependent Drive-by Download Attacks

Yuta Takata, Mitsuaki Akiyama, Takeshi Yagi, Takeo Hariu, Shigeki Goto

    Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

    5 Citations (Scopus)

    Abstract

    Drive-by download attacks force users to automatically download and install malware by redirecting them to malicious URLs that exploit vulnerabilities of the user's web browser. Attackers profile the information on the user's environment such as the name and version of the browser and browser plugins and launch a drive-by download attack on only certain targets by changing the destination URL. When malicious content detection and collection techniques such as honey clients are used that do not match the specific environment of the attack target, they cannot detect the attack because they are not redirected. We propose here a method to exhaustively analyze JavaScript code relevant to redirections and to extract the destination URLs in the code. Our method facilitates the detection of attacks by extracting a large number of URLs while controlling the analysis overhead by excluding code not relevant to redirections. We implemented our method in a browser emulator called MineSpider that automatically extracts potential URLs from websites. We validated it by using communication data with malicious websites captured during a three-year period. The experimental results demonstrated that MineSpider extracted 30,000 new URLs from websites in a few seconds that existing techniques missed.

    Original language: English
    Title of host publication: Proceedings - International Computer Software and Applications Conference
    Publisher: IEEE Computer Society
    Pages: 444-449
    Number of pages: 6
    Volume: 2
    ISBN (Print): 9781467365635
    DOI: https://doi.org/10.1109/COMPSAC.2015.76
    Publication status: Published - 2015 Sep 21
    Event: 39th IEEE Annual Computer Software and Applications Conference, COMPSAC 2015 - Taichung, Taiwan, Province of China
    Duration: 2015 Jul 1 to 2015 Jul 5

    Other

    Other: 39th IEEE Annual Computer Software and Applications Conference, COMPSAC 2015
    Country: Taiwan, Province of China
    City: Taichung
    Period: 15/7/1 to 15/7/5

    Fingerprint

    Websites
    Web browsers
    Communication

    Keywords

    • Code analysis
    • Drive-by download
    • Honeyclient
    • Program slicing

    ASJC Scopus subject areas

    • Computer Science Applications
    • Software

    Cite this

    Takata, Y., Akiyama, M., Yagi, T., Hariu, T., & Goto, S. (2015). MineSpider: Extracting URLs from Environment-Dependent Drive-by Download Attacks. In Proceedings - International Computer Software and Applications Conference (Vol. 2, pp. 444-449). [7273652] IEEE Computer Society. https://doi.org/10.1109/COMPSAC.2015.76
