http://dx.doi.org/10.13089/JKIISC.2013.23.6.1121

Multi-Level Emulation for Malware Distribution Networks Analysis  

Choi, Sang-Yong (Korea Advanced Institute of Science and Technology)
Kang, Ik-Seon (Korea Advanced Institute of Science and Technology)
Kim, Dae-Hyeok (Korea Advanced Institute of Science and Technology)
Noh, Bong-Nam (Chonnam National University)
Kim, Yong-Min (Chonnam National University)
Abstract
Recent malware distribution has caused severe, nation-wide problems such as the 3.20 cyber attack in Korea. In particular, the drive-by download attack, one of the attack types used to distribute malware through the web, has become the most prevalent and serious threat. To prevent drive-by download attacks, it is necessary to analyze the MDNs (Malware Distribution Networks) behind them. Effective analysis of an MDN requires detecting obfuscated and/or encapsulated JavaScript in a web page. In this paper, we propose a scheme called Multi-level emulation to analyze the process of malware distribution. The proposed scheme analyzes the web links used for malware distribution to support efficient analysis of MDNs.
Keywords
Drive-by download; Web-based malware; Multi-level emulation; Malware Distribution Network;