MineSpider: Extracting URLs from Environment-Dependent Drive-by Download Attacks

Yuta Takata; Mitsuaki Akiyama; Takeshi Yagi; Takeo Hariu; Shigeki Goto

doi:10.1109/COMPSAC.2015.76

MineSpider: Extracting URLs from Environment-Dependent Drive-by Download Attacks

Yuta Takata, Mitsuaki Akiyama, Takeshi Yagi, Takeo Hariu, Shigeki Goto

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

10 Citations (Scopus)

Abstract

Drive-by download attacks force users to automatically download and install malware by redirecting them to malicious URLs that exploit vulnerabilities of the user's web browser. Attackers profile the information on the user's environment such as the name and version of the browser and browser plugins and launch a drive-by download attack on only certain targets by changing the destination URL. When malicious content detection and collection techniques such as honey clients are used that do not match the specific environment of the attack target, they cannot detect the attack because they are not redirected. We propose here a method to exhaustively analyze Java Script code relevant to redirections and to extract the destination URLs in the code. Our method facilitates the detection of attacks by extracting a large number of URLs while controlling the analysis overhead by excluding code not relevant to redirections. We implemented our method in a browser emulator called Mine Spider that automatically extracts potential URLs from websites. We validated it by using communication data with malicious websites captured during a three-year period. The experimental results demonstrated that Mine Spider extracted 30,000 new URLs from websites in a few seconds that existing techniques missed.

Original language	English
Title of host publication	Proceedings - International Computer Software and Applications Conference
Publisher	IEEE Computer Society
Pages	444-449
Number of pages	6
Volume	2
ISBN (Print)	9781467365635
DOIs	https://doi.org/10.1109/COMPSAC.2015.76
Publication status	Published - 2015 Sept 21
Event	39th IEEE Annual Computer Software and Applications Conference, COMPSAC 2015 - Taichung, Taiwan, Province of China Duration: 2015 Jul 1 → 2015 Jul 5

Other

Other	39th IEEE Annual Computer Software and Applications Conference, COMPSAC 2015
Country/Territory	Taiwan, Province of China
City	Taichung
Period	15/7/1 → 15/7/5

Keywords

Code analysis
Drive-by download
Honeyclient
Program slicing

ASJC Scopus subject areas

Computer Science Applications
Software

Access to Document

10.1109/COMPSAC.2015.76

Cite this

Takata, Y, Akiyama, M, Yagi, T, Hariu, T & Goto, S 2015, MineSpider: Extracting URLs from Environment-Dependent Drive-by Download Attacks. in Proceedings - International Computer Software and Applications Conference. vol. 2, 7273652, IEEE Computer Society, pp. 444-449, 39th IEEE Annual Computer Software and Applications Conference, COMPSAC 2015, Taichung, Taiwan, Province of China, 15/7/1. https://doi.org/10.1109/COMPSAC.2015.76

@inproceedings{bdfd58fa36314505a976b729c64b2064,

title = "MineSpider: Extracting URLs from Environment-Dependent Drive-by Download Attacks",

abstract = "Drive-by download attacks force users to automatically download and install malware by redirecting them to malicious URLs that exploit vulnerabilities of the user's web browser. Attackers profile the information on the user's environment such as the name and version of the browser and browser plugins and launch a drive-by download attack on only certain targets by changing the destination URL. When malicious content detection and collection techniques such as honey clients are used that do not match the specific environment of the attack target, they cannot detect the attack because they are not redirected. We propose here a method to exhaustively analyze Java Script code relevant to redirections and to extract the destination URLs in the code. Our method facilitates the detection of attacks by extracting a large number of URLs while controlling the analysis overhead by excluding code not relevant to redirections. We implemented our method in a browser emulator called Mine Spider that automatically extracts potential URLs from websites. We validated it by using communication data with malicious websites captured during a three-year period. The experimental results demonstrated that Mine Spider extracted 30,000 new URLs from websites in a few seconds that existing techniques missed.",

keywords = "Code analysis, Drive-by download, Honeyclient, Program slicing",

author = "Yuta Takata and Mitsuaki Akiyama and Takeshi Yagi and Takeo Hariu and Shigeki Goto",

year = "2015",

month = sep,

day = "21",

doi = "10.1109/COMPSAC.2015.76",

language = "English",

isbn = "9781467365635",

volume = "2",

pages = "444--449",

booktitle = "Proceedings - International Computer Software and Applications Conference",

publisher = "IEEE Computer Society",

note = "39th IEEE Annual Computer Software and Applications Conference, COMPSAC 2015 ; Conference date: 01-07-2015 Through 05-07-2015",

}

TY - GEN

T1 - MineSpider

T2 - 39th IEEE Annual Computer Software and Applications Conference, COMPSAC 2015

AU - Takata, Yuta

AU - Akiyama, Mitsuaki

AU - Yagi, Takeshi

AU - Hariu, Takeo

AU - Goto, Shigeki

PY - 2015/9/21

Y1 - 2015/9/21

N2 - Drive-by download attacks force users to automatically download and install malware by redirecting them to malicious URLs that exploit vulnerabilities of the user's web browser. Attackers profile the information on the user's environment such as the name and version of the browser and browser plugins and launch a drive-by download attack on only certain targets by changing the destination URL. When malicious content detection and collection techniques such as honey clients are used that do not match the specific environment of the attack target, they cannot detect the attack because they are not redirected. We propose here a method to exhaustively analyze Java Script code relevant to redirections and to extract the destination URLs in the code. Our method facilitates the detection of attacks by extracting a large number of URLs while controlling the analysis overhead by excluding code not relevant to redirections. We implemented our method in a browser emulator called Mine Spider that automatically extracts potential URLs from websites. We validated it by using communication data with malicious websites captured during a three-year period. The experimental results demonstrated that Mine Spider extracted 30,000 new URLs from websites in a few seconds that existing techniques missed.

AB - Drive-by download attacks force users to automatically download and install malware by redirecting them to malicious URLs that exploit vulnerabilities of the user's web browser. Attackers profile the information on the user's environment such as the name and version of the browser and browser plugins and launch a drive-by download attack on only certain targets by changing the destination URL. When malicious content detection and collection techniques such as honey clients are used that do not match the specific environment of the attack target, they cannot detect the attack because they are not redirected. We propose here a method to exhaustively analyze Java Script code relevant to redirections and to extract the destination URLs in the code. Our method facilitates the detection of attacks by extracting a large number of URLs while controlling the analysis overhead by excluding code not relevant to redirections. We implemented our method in a browser emulator called Mine Spider that automatically extracts potential URLs from websites. We validated it by using communication data with malicious websites captured during a three-year period. The experimental results demonstrated that Mine Spider extracted 30,000 new URLs from websites in a few seconds that existing techniques missed.

KW - Code analysis

KW - Drive-by download

KW - Honeyclient

KW - Program slicing

UR - http://www.scopus.com/inward/record.url?scp=84962137584&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84962137584&partnerID=8YFLogxK

U2 - 10.1109/COMPSAC.2015.76

DO - 10.1109/COMPSAC.2015.76

M3 - Conference contribution

AN - SCOPUS:84962137584

SN - 9781467365635

VL - 2

SP - 444

EP - 449

BT - Proceedings - International Computer Software and Applications Conference

PB - IEEE Computer Society

Y2 - 1 July 2015 through 5 July 2015

ER -

MineSpider: Extracting URLs from Environment-Dependent Drive-by Download Attacks

Abstract

Other

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this