Finding the Linchpins of the Dark Web: A Study on Topologically Dedicated Hosts on Malicious Web Infrastructures

Transcription

1 Finding the Linchpins of the Dark Web: A Study on Topologically Dedicated Hosts on Malicious Web Infrastructures Zhou Li, Indiana University Bloomington Sumayah Alrwais, Indiana University Bloomington Yinglian Xie, MSR Silicon Valley Fang Yu, MSR Silicon Valley XiaoFeng Wang, Indiana University Bloomington 1

2 The Big Web 2

3 The Dangerous Web 3

4 What bothers you? Phishing Theft Scam Drive-by Download Bot 4

5 Who is behind? Individual Hacker Criminal Organization 5

6 Malicious Web Infrastructure Compromised Site Phishing Server SEO Site Scam Server SPAM Link Redirector Exploit Server 6

7 Our Work - I What is the topological view of malicious Web infrastructure? Build redirection graph 7

8 What are the linchpins? Our Work - II Topologically Dedicated Malicious Hosts: All redirection paths are malicious Stay in dark side, far from bright side 8

9 Our Work - III How can we find the linchpins? Topologically detector Not relying on semantics of attacks Study of Traffic Direction System (TDS) Landscape, Lifetime, Parking 9

10 Outline Build graph Find the linchpins Study Traffic Direction System (TDS) 10

11 Dynamic Crawler Firefox extension Data Collection Redirection: JavaScript, iframe, Http(302), Meta-refresh, Data Source Client-side redirection <script> var a = <iframe src = > ; document.write(a); </script> 5.5M URLs, 7 Months Feed Type Start End # Doorway URLs Microsoft Malicious 3/2012 8/2012 1,558,690 WarningBird[1] Malicious 3/2012 5/ ,232 Twitter Search Mostly good 3/2012 8/2012 1,613,924 Alexa Mostly good 2/2012 8/2012 2,040,720 [1] WarningBird: Detecting Suspicious URLs in Twitter Stream, Lee et.al, NDSS 12 11

12 Data Labeling Building Redirection Graph Malicious (Forefront) Legitimate (Whitelist) Unknown Node Constructing Node: Hostname-IP Cluster (HIC) Edge Constructing Link 2 nodes if there is an URL redirection 2M Nodes, 9M Edges HIC Hostname URL URL URL Hostname URL URL URL 12

13 Building Redirection Graph (Cond.) >70% malicious paths through 15k dedicated hosts Legitimate (Totally good) Dedicated Malicious (Totally bad) Non-dedicated Malicious (Mixed) 13

14 Outline Build graph Find the linchpins Study Traffic Direction System (TDS) 14

15 Finding the Linchpins is Challenging Serve for different attacks and different sources Hide by cloaking Mixed with legitimate nodes 15

16 Properties of Dedicated Hosts Bright World Legitimate (Totally good) 2.25% Dedicated Malicious (Totally bad) 80.40% Non-dedicated Malicious (Mixed) Dark World 16

17 Topological Detector Can we leverage this topological feature? Use known bad and good as seed Detect dedicated hosts Expand the result using topology Work on different attacks and different sources YES! 17

18 Hunting Dedicated Hosts Score Propagation using PageRank Good Bad Assign score to good seed Assign score to bad seed Score Propagation Choose nodes with high bad score and low GS=10 BS=10 GS=8.65 BS=0 GS=0 BS=4.4 GS=7.5 BS=3.89 good score GS=0 BS=4.4 18

19 Evaluation Using x% of known malicious hosts as bad seed How many more malicious paths can be identified? # Detected Paths / # All Malicious Paths 100% 80% 60% 40% 20% 0% selected seed only total 0% 20% 40% 60% 80% 100% #Selected Paths / #Seed Paths FDR 3.0% 2.5% 2.0% 1.5% 1.0% 0.5% 0.0% FDR FPR 0.030% 0.025% 0.020% 0.015% 0.010% 0.005% 0.000% 0% 20% 40% 60% 80% 100% # selected paths / # seed paths FPR 5% bad hosts, 7x expansion rate 0.025% FPR, 0.34% FDR 19

20 Evaluation (Cond.) Detect new hosts 6k new malicious hostnames identified Detection result can serve as new seed 12x expansion rate if rolling back the detected result Path sharing across different sources 56% malicious paths from WarningBird feed overlapped with Microsoft feed 20

21 Outline Build graph Find the linchpins Study Traffic Direction System (TDS) 21

22 Traffic Direction System (TDS) Underground traffic brokers who buy traffic from generators (e.g., malicious doorways) and sell to consumers (e.g., exploit servers) >50% of the malicious paths go through TDS. TDS Spam Exploit Server Blackhat SEO Phishing 22

23 TDS Landscape 71% TDS use Sutra TDS kit. 26% Dynamic DNS, 14% Free Domain Providers. Inbound traffic: 97% from doorway, 6% from non-doorway redirectors. Outbound traffic of Active TDS: 49% to exploit servers, 3% to scam sites. 23

24 TDS Lifetime Query Passive DNS Database from SIE Lifetime: interval of host when A record bounding to bad IP Result 65 days (exclude DDNS/ Free Domain Providers) Much longer than exploit servers, 2.5 hours[1]. [1] Manufacturing Compromise: The Emergence of Exploit-as-a-Service, Chris et. al., CCS 12 24

25 TDS Parking Even suspended TDSes monetized by attackers 20% TDS hosts parked. Continue to receive high volume of traffic after parking. 62% traffic to ad-networks. 1 10x more traffic than legitimate ones Regular parking TDS parking Traffic Per day (log scale) 25

26 Conclusion Dedicated Hosts are critical in Malicious Web Infrastructure Serve >70% malicious paths. Detect Dedicated Hosts only using Topological information. No need to know semantics of specific attacks. 7x expansion rate, <1% FPR & FDR TDS Hosts deserve in-depth study Key role in malicious Web infrastructure Long lifetime (65 days) Traffic monetized even after suspended 26

27 27

28 Validation Forefront reporting Content and URL clustering Safebrowsing reporting 28

29 Dedicated Malicious Hosts Compromised Site Phishing Site SEO Site Scam Site Social Network Link Redirector Exploit Site Link 29

30 Limits of Prior Works Code Analysis [Cova 10, Curtsinger 10] Obfuscate Code Code Execution [Provos 08, Wang 06] Detect Emulator URL Pattern [Zhang 11, John 11] Regenerate URL Pattern Redirection Chain [Li 12, Lee 12, Lu 11] Depend on Semantics of Attacks 30