On Cloaking Behaviors of Malicious Websites
Computers & Security ( IF 5.6 ) Pub Date : 2021-02-01 , DOI: 10.1016/j.cose.2020.102114
Nayanamana Samarasinghe , Mohammad Mannan

Abstract Malicious websites often mimic top brands to host malware and launch social engineering attacks, e.g., to collect user credentials. Some such sites often attempt to hide malicious content from search engine crawlers (e.g., Googlebot), but show harmful content to users/client browsers—a technique known as cloaking. Past studies uncovered various aspects of cloaking, using selected categories of websites (e.g., mimicking specific types of malicious sites). We focus on understanding cloaking behaviors using a broader set of websites. As a way forward, we built a crawler to automatically browse and analyze content from 100000 squatting (mostly) malicious domains—domains that are generated through typo-squatting and combo-squatting of 2883 popular websites. We use a headless Chrome browser and a search-engine crawler with user-agent modifications to identify cloaking behaviors—a challenging task due to dynamic content served at random; e.g., consecutive requests serve very different malicious or benign content. Most malicious sites (e.g., phishing and malware) go undetected by current blacklists; only a fraction of cloaked sites (127, 3.3%) are flagged as malicious by VirusTotal. In contrast, we identify 80% of cloaked sites as malicious, via a semi-automated process implemented by extending the content categorization functionality of Symantec's SiteReview tool. Even after 3 months of observation, nearly half (1024, 45.4%) of the cloaked sites remained active, and only a few (31, 3%) of them are flagged by VirusTotal. This clearly indicates that existing blacklists are ineffective against cloaked malicious sites. Our techniques can serve as a starting point for more effective and scalable early detection of cloaked malicious sites.
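The abstract describes the core detection idea: request the same site as a browser-like client and as a crawler-like client, and treat a consistent difference in what is served as cloaking, while not being fooled by sites that serve different content at random on consecutive requests. The following Python is an added illustration of that comparison, not code from the paper or its authors; the User-Agent strings, the similarity threshold and all HTML samples are constructed assumptions. It compares visible page text across several samples per client type and only flags cloaking when pages agree within each client type but disagree across them.

```python
"""Added example (not from the paper): compare the page a site serves to a
browser-like client against the page it serves to a crawler-like client,
using several samples per client, so that content served at random is not
mistaken for cloaking. All HTML below is constructed sample data."""
import urllib.request
from difflib import SequenceMatcher
from html.parser import HTMLParser
from itertools import combinations, product
from statistics import mean

# Illustrative User-Agent strings (assumed values, not the paper's).
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/88.0.4324.150 Safari/537.36"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


class _TextExtractor(HTMLParser):
    """Collects visible text, skipping <script> and <style> bodies."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self._skip = False

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip = True

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = False

    def handle_data(self, data):
        if not self._skip and data.strip():
            self.parts.append(data.strip())


def visible_text(html):
    parser = _TextExtractor()
    parser.feed(html)
    return " ".join(parser.parts)


def similarity(html_a, html_b):
    """Ratio in [0, 1] of how alike the visible text of two pages is."""
    return SequenceMatcher(None, visible_text(html_a), visible_text(html_b)).ratio()


def fetch_samples(url, user_agent, count=3, timeout=10):
    """Fetch `count` consecutive copies of `url` under one User-Agent.
    Not exercised by the sample run below (no network needed)."""
    pages = []
    for _ in range(count):
        req = urllib.request.Request(url, headers={"User-Agent": user_agent})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            pages.append(resp.read().decode("utf-8", errors="replace"))
    return pages


def detect_cloaking(browser_pages, crawler_pages, margin=0.3):
    """Flag cloaking only when pages are consistent within each client type
    but differ across client types by at least `margin` (assumed threshold).

    Returns the mean within-client similarity, the mean across-client
    similarity, and the verdict."""
    if not browser_pages or not crawler_pages:
        raise ValueError("need at least one sample per client type")
    within = [similarity(a, b)
              for group in (browser_pages, crawler_pages)
              for a, b in combinations(group, 2)]
    across = [similarity(a, b) for a, b in product(browser_pages, crawler_pages)]
    within_mean = mean(within) if within else 1.0  # single sample: nothing to compare
    across_mean = mean(across)
    return {
        "within": within_mean,
        "across": across_mean,
        "cloaked": within_mean - across_mean >= margin,
    }


# Constructed samples. A credential-harvesting page is shown to the browser
# client (with a per-request nonce in a script tag, which text extraction
# ignores); a harmless blog page is shown to the crawler client.
_LOGIN = ("<html><head><script>var nonce={n};</script></head><body>"
          "<h1>Sign in to continue</h1><form><label>Username</label>"
          "<label>Password</label><button>Sign in</button></form></body></html>")
_BLOG = ("<html><body><h1>Green Thumb Gardening</h1><p>Weekly tips for growing "
         "tomatoes and herbs at home. Updated {n}</p></body></html>")

BROWSER_SAMPLES = [_LOGIN.format(n=1), _LOGIN.format(n=2)]
CRAWLER_SAMPLES = [_BLOG.format(n="Monday"), _BLOG.format(n="Monday")]
# A site that serves either page at random to every client: not cloaking.
RANDOM_SAMPLES = [_LOGIN.format(n=3), _BLOG.format(n="Monday")]


if __name__ == "__main__":
    print("cloaked site:", detect_cloaking(BROWSER_SAMPLES, CRAWLER_SAMPLES))
    print("random content:", detect_cloaking(RANDOM_SAMPLES, RANDOM_SAMPLES))
```

Taking several samples per client type is what keeps the randomly served content described in the abstract from producing a false positive: when the same site hands out different pages regardless of who asks, the within-client similarity is as low as the across-client similarity and no cloaking is reported. In practice the browser-side samples would come from a headless browser after script execution rather than from a plain HTTP fetch, since cloaked content is often assembled client-side.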

Updated: 2021-02-01