Peering Through the iFrame

This week we finalized our paper titled “Peering Through the iFrame” that will appear at InfoCom 2011 in Shanghai. In this paper, we present our infiltration of a drive-by-download campaign known as Mebroot that is used to spread several types of malware, including the Torpig banking trojan. Below is a brief summary of our paper.

Mebroot spreads through drive-by-download attacks, which start when a victim visits a legitimate web site that has been compromised by the Mebroot gang. Pages on the infected site have been modified to contain JavaScript code that redirects the client to a site that launches exploits against vulnerabilities in the browser or its plugins. Interestingly, this JavaScript code implements a domain generation algorithm (DGA) that dynamically computes a domain name using custom hash functions. We observed several DGAs that were seeded with different parameters such as the current date and time. In addition, the malware authors introduced a variant that seeded the algorithm with Twitter search trends, making the DGA non-deterministic.
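To make the date-seeded DGA concrete, here is an added illustration (not the paper's code and not Mebroot's actual algorithm): a toy generator whose hash, label length and TLD list are all hypothetical stand-ins for the custom constants the post does not reproduce. It also shows the defender-side use described in the post, precomputing the candidate domains for a window of days so they can be registered, sinkholed or matched against DNS logs, and why the Twitter-trend variant defeats that precomputation until the trend is observed.

```python
import hashlib
from datetime import date, timedelta
from typing import Dict, Optional

# Hypothetical DGA parameters; Mebroot's real hash and constants are not
# reproduced here.
TLDS = ["com", "net", "biz"]
LABEL_LEN = 10
START = date(2011, 4, 10)  # constructed start of a prediction window


def custom_hash(seed: bytes, length: int = LABEL_LEN) -> str:
    """Stand-in for the malware's custom hash: SHA-256 mapped onto a-z."""
    digest = hashlib.sha256(seed).digest()
    return "".join(chr(ord("a") + b % 26) for b in digest[:length])


def generate_domain(day: date, nonce: int = 0, trend: Optional[str] = None) -> str:
    """Domain for a given day and candidate index.

    `trend` models the Twitter-seeded variant: when present it enters the
    seed, so the output cannot be computed before the trend is known.
    """
    seed = f"{day.isoformat()}|{nonce}"
    if trend is not None:
        seed += f"|{trend.lower()}"
    return f"{custom_hash(seed.encode())}.{TLDS[nonce % len(TLDS)]}"


def predict_domains(start: date, days: int, per_day: int = 3) -> Dict[str, date]:
    """Defender-side precomputation: every candidate domain of the
    deterministic variant for the next `days` days, mapped to its day."""
    table: Dict[str, date] = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        for nonce in range(per_day):
            table[generate_domain(day, nonce)] = day
    return table


def lookup(domain: str, table: Dict[str, date]) -> Optional[date]:
    """Return the day a queried domain would be active, or None if it is
    not a DGA candidate (usable as a DNS-log filter or sinkhole criterion)."""
    return table.get(domain.lower().rstrip("."))


if __name__ == "__main__":
    table = predict_domains(START, 7)
    for dom, day in sorted(table.items(), key=lambda kv: kv[1]):
        print(day, dom)
```

Only the deterministic variant can be tabulated ahead of time; for the trend-seeded variant the defender has to observe the trend first, which is exactly the advantage the malware authors were after.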

By reverse-engineering Mebroot’s DGAs, we were able to register a number of domain names before the Mebroot controllers used them to serve exploits. These domains were active on 56 distinct days over a 4-month interval. As a consequence of our sinkholing, when users visited an infected web site containing the Mebroot JavaScript code, instead of being redirected to an exploit server, they were redirected to a domain (and host) that was under our control. As part of our experiments, we recorded all the requests directed at our sites. Furthermore, we served JavaScript code to visitors of our domains that fingerprinted the clients’ machines to identify vulnerable software components. Finally, from the Referer header contained in client requests, we were able to identify infected web sites, and, leveraging this knowledge, we were able to monitor and track site infections.

We were able to gain even more insight into the effectiveness of the Mebroot drive-by campaign when we were given access to a mirror port of a switch connected to an exploit server for one week. Using this mirror port, we could monitor all requests sent and received by this server. In total, we collected over 300GB of data. Based on the exploit and download requests, we could determine the number of machines that were actually infected, the exploits that were successful in compromising a host, and the versions of the vulnerable browser components. In total, we estimate that more than 91,000 computers may have been infected during this one-week period.
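The two measurements above, identifying infected sites from the Referer header of sinkhole hits and counting compromised machines from the exploit and download requests seen at the server, are the same kind of log analysis. The following is an added example (not the paper's tooling) that runs it over a constructed Combined-Log-Format sample; the landing, exploit and payload paths are hypothetical placeholders, and the rule that a payload download marks a successful exploitation is the assumption the analysis rests on.

```python
import re
from collections import Counter
from typing import Dict, List, Set
from urllib.parse import urlsplit

# Hypothetical URL layout of the monitored server; the real paths used by
# the campaign are not given in the post.
LANDING_PATH = "/in.cgi"           # first hit after the injected redirect
EXPLOIT_PATHS = {"/pdf", "/java"}  # exploit modules served to the client
PAYLOAD_PATH = "/load.exe"         # only requested once an exploit succeeded

# Constructed sample log in Combined Log Format (not real traffic).
SAMPLE_LOG = """\
10.0.0.1 - - [01/Jan/2011:10:00:00 +0000] "GET /in.cgi HTTP/1.1" 200 512 "http://example-news.test/article.html" "Mozilla/5.0"
10.0.0.1 - - [01/Jan/2011:10:00:02 +0000] "GET /pdf HTTP/1.1" 200 2048 "http://example-news.test/article.html" "Mozilla/5.0"
10.0.0.1 - - [01/Jan/2011:10:00:04 +0000] "GET /load.exe HTTP/1.1" 200 65536 "-" "Mozilla/5.0"
10.0.0.2 - - [01/Jan/2011:10:00:05 +0000] "GET /in.cgi HTTP/1.1" 200 512 "http://example-news.test/index.html" "Mozilla/5.0"
10.0.0.3 - - [01/Jan/2011:10:01:00 +0000] "GET /in.cgi HTTP/1.1" 200 512 "http://blog-example.test/post/42" "Mozilla/5.0"
10.0.0.3 - - [01/Jan/2011:10:01:02 +0000] "GET /java HTTP/1.1" 200 2048 "http://blog-example.test/post/42" "Mozilla/5.0"
10.0.0.3 - - [01/Jan/2011:10:01:03 +0000] "GET /load.exe HTTP/1.1" 200 65536 "-" "Mozilla/5.0"
10.0.0.3 - - [01/Jan/2011:10:01:09 +0000] "GET /load.exe HTTP/1.1" 200 65536 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse each well-formed line into a dict; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def infected_sites(records) -> Counter:
    """Referer hosts of landing-page hits: the compromised sites carrying
    the injected redirect, with the number of visitors each one sent."""
    sites: Counter = Counter()
    for r in records:
        if r["path"] == LANDING_PATH and r["referer"] != "-":
            host = urlsplit(r["referer"]).hostname
            if host:
                sites[host] += 1
    return sites


def infected_clients(records) -> Set[str]:
    """Distinct client addresses that fetched the payload, i.e. machines on
    which at least one exploit succeeded (repeat downloads count once)."""
    return {r["ip"] for r in records if r["path"] == PAYLOAD_PATH}


def successful_exploits(records) -> Counter:
    """Credit each exploit module requested by a client that went on to
    download the payload; clients that never downloaded it are ignored."""
    compromised = infected_clients(records)
    per_client: Dict[str, Set[str]] = {}
    for r in records:
        if r["path"] in EXPLOIT_PATHS and r["ip"] in compromised:
            per_client.setdefault(r["ip"], set()).add(r["path"])
    hits: Counter = Counter()
    for paths in per_client.values():
        hits.update(paths)
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("infected sites:", dict(infected_sites(recs)))
    print("compromised clients:", len(infected_clients(recs)))
    print("successful exploits:", dict(successful_exploits(recs)))
```

Counting distinct client addresses is a lower bound on machines behind NAT and an upper bound where addresses churn, which is why the post phrases its 91,000 figure as an estimate.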

This entry was posted in Botnets, Malware Analysis and Detection, Web Security.
