This week we finalized our paper titled “Peering Through the iFrame” that will appear at InfoCom 2011 in Shanghai. In this paper, we present our infiltration of a drive-by-download campaign known as Mebroot that is used to spread several types of malware, including the Torpig banking trojan. Below is a brief summary of our paper.
We were able to gain even more insight into the effectiveness of the Mebroot drive-by campaign when we were given access to a mirror port of a switch connected to an exploit server for one week. Using this mirror port, we could monitor all requests sent and received by this server. In total, we collected over 300GB of data. Based on the exploit and download requests, we could determine the number of machines that were actually infected, the exploits that were successful in compromising a host, and the versions of the vulnerable browser components. In total, we estimate that more than 91,000 computers may have been infected during this one-week period.