Ce projet de recherche doctorale est publié a été réalisé par davide BALZAROTTI
Description d'un projet de recherche doctoral
Automated Monitoring and Analysis of Malicious Code on the Internet
Résumé du projet de recherche (Langue 1)
introduction : The world wide web has become an integral part in the lives of hundreds of millions of people, who routinely use online services to store and manage sensitive information. Unfortunately, the popularity of the web has also attracted miscreants who attempt to abuse the Internet and its users to make illegal profits. A common scheme to make money involves the installation of malicious software on a large number of hosts. The installed malware programs typically connect to a command and control (C&C) infrastructure. In this fashion, the infected hosts form a botnet, which is a network of machines under the direct control of cyber criminals. As a recent study has shown , a botnet can contain hundreds of thousands of compromised hosts, and it can generate significant income for the botmaster who controls it. Malicious web content has become one of the most effective mechanisms for cyber criminals to distribute malicious code. In particular, attackers frequently use drive-by-download exploits to compromise a large number of users. Other common infection mechanisms include the distribution of malware programs over Peer-to-Peer networks or malicious and misleading websites. Other than malware, several other threats are posed by the Internet today, such as the distribution of rogue antivirus programs and of phishing pages that lure web users into providing sensitive information to malicious organizations. Besides this, also several kinds of fraud are performed daily and on large scales, such as click-fraud and scams. Given the rising threat posed by malicious web pages, it is not surprising that researchers have started to investigate techniques to protect web users. As such, several approaches have been proposed to identify, analyze and block malware spreading on the Internet. The aim of this thesis is to study the approaches that have been recently proposed to target these problems, and to finally be able to develop a new system, based on a combination of static and dynamic analysis techniques, for the automatic detection of malware on the Internet. Our new approach will use several characterizing sets of information do detect whether a machine, or a web site, in general, is infected with malware. To do so, we expect to derive information from the content of web pages, the format of URLs, the patterns appearing in DNS requests, as well as from the use of pre-existing tools made available to us. Our final aim is to be able to effectively detect and fight the security threats that have been emerging on the Internet in the last years, such as drive-by-download malware, phishing and rogue antivirus software. Drive-by-download malware A drive-by-download attack installs malware on a victim machine exploiting vulnerabilities in a web browser or in one of the browser’s plugins. In order for it to work, the attacker usually injects malicious scripting code into compromised web sites or hosts it in a server under his own control. When a victim visits a malicious web page, the malicious code is executed, and, if the victim’s browser is vulnerable, the browser is compromised, infecting the victim’s computer with malware. This kind of attacks have become pervasive over the last few years [5, 6]. Phishing Phishing web sites are used to steal users’ sensitive information, such as login credentials and credit card numbers, in order for the criminals to be able to sell the stolen data in the underground market. The way a phishing web site works is simple: the visitor is presented a web page that resembles in every detail a login page of a legitimate bank, or online service. The user does not usually realize he is visiting a fake web page; he’s invited to enter his login credentials, which, once submitted, are sent to the criminals. Rogue antivirus software Rogue antivirus programs lure the visitor of a web page into believing that his machine is infected by some kind of virus, presenting themselves as the only way to remove the malware. Once the user accepts to install the rogue antivirus (with the purpose of getting rid of the virus), this piece of software asks for a payment in order to be activated and remove the “virus” that it claims to have detected. The main reason why Rogue AVs are so successful nowadays is their persistence and ability to scare visitors, making them believe they are infected by a virus. A study of this phenomenon has been presented in .
Résumé du projet de recherche (Langue 2)