"Infect-me-not": A user-centric and site-centric study of web-based malware

Bibliographic Details
Published in: 2016 IFIP Networking Conference (IFIP Networking) and Workshops, pp. 234-242
Main Authors: Huy Hang; Bashir, Adnan; Faloutsos, Michalis; Faloutsos, Christos; Dumitras, Tudor
Format: Conference Proceeding
Language: English
Published: IFIP 01.05.2016
Summary: Malware authors have been using websites to distribute their products as a way to evade spam filters and classic anti-virus engines. Yet there has been relatively little work in modeling the behaviors and temporal properties of websites, as most research focuses on detecting whether a website distributes malware. In this paper we ask: How does web-based malware spread? We conduct an extensive study and follow a website-centric and user-centric point of view. We collect data from four online databases, including Symantec's WINE Project, for a total of more than 600K malicious URLs and over 500K users. First, we find that legitimate but compromised websites constitute 33.1% of the malicious websites in our dataset. In order to conduct this study, we develop a classifier to distinguish between compromised vs. malicious websites with an accuracy of 95.3%, which could be of interest to studies on website profiling. Second, we find that malicious URLs can be surprisingly long-lived, with 10% of malicious sites staying active for three months or more. Third, we observe that a significant number of URLs exhibit the same temporal pattern that suggests a flash-crowd behavior, inflicting most of their damage during the first few days of appearance. Finally, the distribution of the visits to malicious sites per user is skewed, with 1.4% of users visiting more than 10 malicious sites in 8 months. Our study is a first step towards modeling web-based malware propagation as a network-wide phenomenon and enabling researchers to develop realistic assumptions and models.
DOI: 10.1109/IFIPNetworking.2016.7497222