This report from Imperva’s Hacker Intelligence Initiative (HII), describes a Search Engine Poisoning (SEP) campaign from start to finish. SEP abuses the ranking algorithms of search engines to promote an attacker-controlled Web site that contains malware. Imperva’s Application Defense Center (ADC) has witnessed these types of automated attack campaigns, which cause search engines to return high-ranking Web pages infected with malicious code that references an attacker-controlled Web site.
This report is based on data collected and analyzed by the Sucuri Remediation Group (RG), which includes the Incident Response Team (IRT) and the Malware Research Team (MRT).
Android mobile platform security and malware surveyeSAT Journals
Abstract As mobile devices become ubiquitous, more people and companies are readily adopting the technology to conduct day-to-day business, and are increasing the amount of personal data transmitted and stored on these devices. These devices are now part of a global infrastructure powering communication and how we do business around the world. In turn, the inherent vulnerabilities are becoming an ever more critical topic of interest and challenge as we continue to see a rapid rate of malware development. This paper is a comprehensive survey on a broad view of the growing Android community, its rapidly growing malware attacks, and security concerns. Serving to aid in the continuous challenge of identifying current and future vulnerabilities as well as incorporating security strategies against them, this survey will focus primarily on mobile devices (also known as smart phones) running the Android mobile operating system between the years of 2007 and 2013. Index Terms: mobile, Android, malware, security
We are the company providing Complete Solution for all Academic Final Year/Semester Student Projects. Our projects are
suitable for B.E (CSE,IT,ECE,EEE), B.Tech (CSE,IT,ECE,EEE),M.Tech (CSE,IT,ECE,EEE) B.sc (IT & CSE), M.sc (IT & CSE),
MCA, and many more..... We are specialized on Java,Dot Net ,PHP & Andirod technologies. Each Project listed comes with
the following deliverable: 1. Project Abstract 2. Complete functional code 3. Complete Project report with diagrams 4.
Database 5. Screen-shots 6. Video File
SERVICE AT CLOUDTECHNOLOGIES
IEEE, WEB, WINDOWS PROJECTS ON DOT NET, JAVA& ANDROID TECHNOLOGIES,EMBEDDED SYSTEMS,MAT LAB,VLSI DESIGN.
ME, M-TECH PAPER PUBLISHING
COLLEGE TRAINING
Thanks&Regards
cloudtechnologies
# 304, Siri Towers,Behind Prime Hospitals
Maitrivanam, Ameerpet.
Contact:-8121953811,8522991105.040-65511811
cloudtechnologiesprojects@gmail.com
http://cloudstechnologies.in/
This report from Imperva’s Hacker Intelligence Initiative (HII), describes a Search Engine Poisoning (SEP) campaign from start to finish. SEP abuses the ranking algorithms of search engines to promote an attacker-controlled Web site that contains malware. Imperva’s Application Defense Center (ADC) has witnessed these types of automated attack campaigns, which cause search engines to return high-ranking Web pages infected with malicious code that references an attacker-controlled Web site.
This report is based on data collected and analyzed by the Sucuri Remediation Group (RG), which includes the Incident Response Team (IRT) and the Malware Research Team (MRT).
Android mobile platform security and malware surveyeSAT Journals
Abstract As mobile devices become ubiquitous, more people and companies are readily adopting the technology to conduct day-to-day business, and are increasing the amount of personal data transmitted and stored on these devices. These devices are now part of a global infrastructure powering communication and how we do business around the world. In turn, the inherent vulnerabilities are becoming an ever more critical topic of interest and challenge as we continue to see a rapid rate of malware development. This paper is a comprehensive survey on a broad view of the growing Android community, its rapidly growing malware attacks, and security concerns. Serving to aid in the continuous challenge of identifying current and future vulnerabilities as well as incorporating security strategies against them, this survey will focus primarily on mobile devices (also known as smart phones) running the Android mobile operating system between the years of 2007 and 2013. Index Terms: mobile, Android, malware, security
We are the company providing Complete Solution for all Academic Final Year/Semester Student Projects. Our projects are
suitable for B.E (CSE,IT,ECE,EEE), B.Tech (CSE,IT,ECE,EEE),M.Tech (CSE,IT,ECE,EEE) B.sc (IT & CSE), M.sc (IT & CSE),
MCA, and many more..... We are specialized on Java,Dot Net ,PHP & Andirod technologies. Each Project listed comes with
the following deliverable: 1. Project Abstract 2. Complete functional code 3. Complete Project report with diagrams 4.
Database 5. Screen-shots 6. Video File
SERVICE AT CLOUDTECHNOLOGIES
IEEE, WEB, WINDOWS PROJECTS ON DOT NET, JAVA& ANDROID TECHNOLOGIES,EMBEDDED SYSTEMS,MAT LAB,VLSI DESIGN.
ME, M-TECH PAPER PUBLISHING
COLLEGE TRAINING
Thanks&Regards
cloudtechnologies
# 304, Siri Towers,Behind Prime Hospitals
Maitrivanam, Ameerpet.
Contact:-8121953811,8522991105.040-65511811
cloudtechnologiesprojects@gmail.com
http://cloudstechnologies.in/
DETECTING MALICIOUS FACEBOOK APPLICATIONS - IEEE PROJECTS IN PONDICHERRY,BUL...Nexgen Technology
Nexgen Technology Address:
Nexgen Technology
No :66,4th cross,Venkata nagar,
Near SBI ATM,
Puducherry.
Email Id: praveen@nexgenproject.com.
www.nexgenproject.com
Mobile: 9751442511,9791938249
Telephone: 0413-2211159.
NEXGEN TECHNOLOGY as an efficient Software Training Center located at Pondicherry with IT Training on IEEE Projects in Android,IEEE IT B.Tech Student Projects, Android Projects Training with Placements Pondicherry, IEEE projects in pondicherry, final IEEE Projects in Pondicherry , MCA, BTech, BCA Projects in Pondicherry, Bulk IEEE PROJECTS IN Pondicherry.So far we have reached almost all engineering colleges located in Pondicherry and around 90km
State of the Art Analysis Approach for Identification of the Malignant URLsIOSRjournaljce
Malicious URLs have been universally used to ascend various cyber attacks including spamming, phishing and malware. Malware, short term for malicious software, is software which is developed to penetrate computers in a network without the user’s permission or notification. Existing methods typically detect malicious URLs of a single attack type. Hence such detection systems are failed to protect the users from various attacks. Malware spreading widely throughout the area of network as consequence of this it becomes predicament in distributed computer and network systems. Malicious links are the place of origin of all attacks which circulated all over the web. Hence malicious URLs should be detected for the prevention of users from these malware attacks. In this paper we described a novel approach which analyze all types of attacks by identifying malicious URLs and secure the web users from them. This technique prevents the users from malignant URLs before visiting them. Therefore efficiency of web security gets maintained. For such anatomization we developed an analyzer which identifies URLs and examine as malicious or benign. We also developed five processes which crawl for suspicious URLs. This approach will prevent the users from all types of attacks and increase efficiency of web crawling phase.
What Should Go Into A Web Application Penetration Testing Checklist?Hacker Combat
Penetration testing is the process of testing a software by trained security experts in order to find out its security vulnerabilities. Want more information visit website: https://hackercombat.com/go-web-application-penetration-testing-checklist/
Widespread security flaws in web application development 2015mahchiev
Widespread security flaws in web application development
*SQL Injection - Hands-On Example
*Cross - Site Scripting (XSS)
*Cross Site Request Forgery
*HTTP Strict Transport Security
Overiew on SQL Injection. Different Types of SQL injection. How it can be detected and methods to prevent SQL Injection. How it can be implemented using Kalii Linux commands
Whether you’re loyal to Microsoft’s Internet Explorer, or whether you opt for one of the the dozens of other web browsers available to download and use for free out there (such as Google Chrome, Opera, Mozilla’s Firefox or Mac Safari), you are probably using your preferred browser to access both personal and professional websites. These wondrous tools that are part of our daily (digital) lives can now replace other existing software thanks to something called an extension.
Content Management System Security.
How to secure your CMS?
Common rules:
+ Choose your CMS with both functionality and security in mind
+ Update with urgency
+ Use a strong password (admin dashboard access, database users, etc.)
+ Have a firewall in place (detect or prevent suspicious requests)
+ Keep track of the changes to your site and their source code
+ Give the user permissions (and their levels of access) a lot of thought
+ Limit the type of files to non-executables and monitor them closely
+ Backup your CMS (daily backups of your files and databases)
+ Uninstall plugins you do not use or trust.
IEEE PROJECTS 2015
1 crore projects is a leading Guide for ieee Projects and real time projects Works Provider.
It has been provided Lot of Guidance for Thousands of Students & made them more beneficial in all Technology Training.
Dot Net
DOTNET Project Domain list 2015
1. IEEE based on datamining and knowledge engineering
2. IEEE based on mobile computing
3. IEEE based on networking
4. IEEE based on Image processing
5. IEEE based on Multimedia
6. IEEE based on Network security
7. IEEE based on parallel and distributed systems
Java Project Domain list 2015
1. IEEE based on datamining and knowledge engineering
2. IEEE based on mobile computing
3. IEEE based on networking
4. IEEE based on Image processing
5. IEEE based on Multimedia
6. IEEE based on Network security
7. IEEE based on parallel and distributed systems
ECE IEEE Projects 2015
1. Matlab project
2. Ns2 project
3. Embedded project
4. Robotics project
Eligibility
Final Year students of
1. BSc (C.S)
2. BCA/B.E(C.S)
3. B.Tech IT
4. BE (C.S)
5. MSc (C.S)
6. MSc (IT)
7. MCA
8. MS (IT)
9. ME(ALL)
10. BE(ECE)(EEE)(E&I)
TECHNOLOGY USED AND FOR TRAINING IN
1. DOT NET
2. C sharp
3. ASP
4. VB
5. SQL SERVER
6. JAVA
7. J2EE
8. STRINGS
9. ORACLE
10. VB dotNET
11. EMBEDDED
12. MAT LAB
13. LAB VIEW
14. Multi Sim
CONTACT US
1 CRORE PROJECTS
Door No: 214/215,2nd Floor,
No. 172, Raahat Plaza, (Shopping Mall) ,Arcot Road, Vadapalani, Chennai,
Tamin Nadu, INDIA - 600 026
Email id: 1croreprojects@gmail.com
website:1croreprojects.com
Phone : +91 97518 00789 / +91 72999 51536
This white paper discusses the key issues surrounding Web security and the need for organizations of all sizes to implement robust Web security processes and technologies – namely, a secure Web gateway.
OWASP Top 10 Vulnerabilities 2017- AppTranaIshan Mathur
Our latest OWASP Top Vulnerabilities Guide updated for new 2017 issues serves as a practical guide to understanding OWASP Top 10 vulnerabilities and preparing a response plan to counter these vulnerabilities.
DETECTING MALICIOUS FACEBOOK APPLICATIONS - IEEE PROJECTS IN PONDICHERRY,BUL...Nexgen Technology
Nexgen Technology Address:
Nexgen Technology
No :66,4th cross,Venkata nagar,
Near SBI ATM,
Puducherry.
Email Id: praveen@nexgenproject.com.
www.nexgenproject.com
Mobile: 9751442511,9791938249
Telephone: 0413-2211159.
NEXGEN TECHNOLOGY as an efficient Software Training Center located at Pondicherry with IT Training on IEEE Projects in Android,IEEE IT B.Tech Student Projects, Android Projects Training with Placements Pondicherry, IEEE projects in pondicherry, final IEEE Projects in Pondicherry , MCA, BTech, BCA Projects in Pondicherry, Bulk IEEE PROJECTS IN Pondicherry.So far we have reached almost all engineering colleges located in Pondicherry and around 90km
State of the Art Analysis Approach for Identification of the Malignant URLsIOSRjournaljce
Malicious URLs have been universally used to ascend various cyber attacks including spamming, phishing and malware. Malware, short term for malicious software, is software which is developed to penetrate computers in a network without the user’s permission or notification. Existing methods typically detect malicious URLs of a single attack type. Hence such detection systems are failed to protect the users from various attacks. Malware spreading widely throughout the area of network as consequence of this it becomes predicament in distributed computer and network systems. Malicious links are the place of origin of all attacks which circulated all over the web. Hence malicious URLs should be detected for the prevention of users from these malware attacks. In this paper we described a novel approach which analyze all types of attacks by identifying malicious URLs and secure the web users from them. This technique prevents the users from malignant URLs before visiting them. Therefore efficiency of web security gets maintained. For such anatomization we developed an analyzer which identifies URLs and examine as malicious or benign. We also developed five processes which crawl for suspicious URLs. This approach will prevent the users from all types of attacks and increase efficiency of web crawling phase.
What Should Go Into A Web Application Penetration Testing Checklist?Hacker Combat
Penetration testing is the process of testing a software by trained security experts in order to find out its security vulnerabilities. Want more information visit website: https://hackercombat.com/go-web-application-penetration-testing-checklist/
Widespread security flaws in web application development 2015mahchiev
Widespread security flaws in web application development
*SQL Injection - Hands-On Example
*Cross - Site Scripting (XSS)
*Cross Site Request Forgery
*HTTP Strict Transport Security
Overiew on SQL Injection. Different Types of SQL injection. How it can be detected and methods to prevent SQL Injection. How it can be implemented using Kalii Linux commands
Whether you’re loyal to Microsoft’s Internet Explorer, or whether you opt for one of the the dozens of other web browsers available to download and use for free out there (such as Google Chrome, Opera, Mozilla’s Firefox or Mac Safari), you are probably using your preferred browser to access both personal and professional websites. These wondrous tools that are part of our daily (digital) lives can now replace other existing software thanks to something called an extension.
Content Management System Security.
How to secure your CMS?
Common rules:
+ Choose your CMS with both functionality and security in mind
+ Update with urgency
+ Use a strong password (admin dashboard access, database users, etc.)
+ Have a firewall in place (detect or prevent suspicious requests)
+ Keep track of the changes to your site and their source code
+ Give the user permissions (and their levels of access) a lot of thought
+ Limit the type of files to non-executables and monitor them closely
+ Backup your CMS (daily backups of your files and databases)
+ Uninstall plugins you do not use or trust.
IEEE PROJECTS 2015
1 crore projects is a leading Guide for ieee Projects and real time projects Works Provider.
It has been provided Lot of Guidance for Thousands of Students & made them more beneficial in all Technology Training.
Dot Net
DOTNET Project Domain list 2015
1. IEEE based on datamining and knowledge engineering
2. IEEE based on mobile computing
3. IEEE based on networking
4. IEEE based on Image processing
5. IEEE based on Multimedia
6. IEEE based on Network security
7. IEEE based on parallel and distributed systems
Java Project Domain list 2015
1. IEEE based on datamining and knowledge engineering
2. IEEE based on mobile computing
3. IEEE based on networking
4. IEEE based on Image processing
5. IEEE based on Multimedia
6. IEEE based on Network security
7. IEEE based on parallel and distributed systems
ECE IEEE Projects 2015
1. Matlab project
2. Ns2 project
3. Embedded project
4. Robotics project
Eligibility
Final Year students of
1. BSc (C.S)
2. BCA/B.E(C.S)
3. B.Tech IT
4. BE (C.S)
5. MSc (C.S)
6. MSc (IT)
7. MCA
8. MS (IT)
9. ME(ALL)
10. BE(ECE)(EEE)(E&I)
TECHNOLOGY USED AND FOR TRAINING IN
1. DOT NET
2. C sharp
3. ASP
4. VB
5. SQL SERVER
6. JAVA
7. J2EE
8. STRINGS
9. ORACLE
10. VB dotNET
11. EMBEDDED
12. MAT LAB
13. LAB VIEW
14. Multi Sim
CONTACT US
1 CRORE PROJECTS
Door No: 214/215,2nd Floor,
No. 172, Raahat Plaza, (Shopping Mall) ,Arcot Road, Vadapalani, Chennai,
Tamin Nadu, INDIA - 600 026
Email id: 1croreprojects@gmail.com
website:1croreprojects.com
Phone : +91 97518 00789 / +91 72999 51536
This white paper discusses the key issues surrounding Web security and the need for organizations of all sizes to implement robust Web security processes and technologies – namely, a secure Web gateway.
OWASP Top 10 Vulnerabilities 2017- AppTranaIshan Mathur
Our latest OWASP Top Vulnerabilities Guide updated for new 2017 issues serves as a practical guide to understanding OWASP Top 10 vulnerabilities and preparing a response plan to counter these vulnerabilities.
PHP is one of the most commonly used languages to develop web sites because of i
ts simplicity, easy to
learn and it can be easily embedded with any of the databases. A web developer with his basic knowledge
developing an application without practising secure guidelines, improper validation of user inputs leads to
various source code
v
ulnerabilities. Logical flaws while designing, implementing and hosting the web
application causes work flow deviation attacks.
In this paper, we are analyzing the complete behaviour of a
web application through static and dynamic analysis methodologies
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
The Enemy Within: Organizational Insight Through the Eyes of a WebserverRamece Cave
This presentation covers some of the information provided by web servers and how it can reflect on a organizations current security posture regarding its web services. Delving into some of the reasoning behind running specific versions, and what it can mean to potential attackers. We will also be looking at supporting information from malicious campaigns and information collected on various malware domains, how they all intertwine and evolve into other nefarious practices.
Lab-3 Cyber Threat Analysis In Lab-3, you will do some c.docxLaticiaGrissomzz
Lab-3: Cyber Threat Analysis
In Lab-3, you will do some cyber threat analysis by browsing several websites and services maintained by either security companies, volunteers, or hackers. Nothing will harm your computer as long as you don't push the limits by clicking on the links and ignoring the browser's security warnings.
To ensure %100 security, you can consider using the Firefox browser inside your Kali VM instead of using the browser at your computer. If you proceed with your computer, then it is recommended to update your browser if it is out of date.Section-1: Analysis of zone-h.org
Zone-h.org is used and most probably operated by hackers to share the websites that they defaced. They don't provide any details on how they hacked the website; instead, they share the URL of the defaced website and a mirror for the defaced webpage.
If you are planning to use your computer instead of Kali VM, it is strongly suggested to open a new incognito/InPrivate/Private browser window for the following steps:
1) Enter the website:
www.zone-h.org
2) Click on the Archive menu on the top menu. You will see the result screen similar to below:
There is a lot of information on defaced websites on this page, including the original URL and the hacked version of the website (on the mirror link at the rightmost column). Hacked versions of the websites give some clues on the motivations of the hackers; you can see political reasons, have some fun, or a basis to make cyberspace secure.
The legends M and R provide more insight on the defacement. M means mass defacement. If you click one of the M letters, you can see the defacements initiated from a specific IP address. Mass defacements are usually succeeded by the help of scripts. Hackers prepare the scanning and exploitation scripts, scan thousands of websites for a particular vulnerability, and exploit the ones that have the specific vulnerability.
3) Click on one of the M letters you spotted, and see the websites defaced from the same IP address. You can see the IP address in the address bar.
Note: You can perform a whois query to see the detailed information about the IP address you found, including contact information and geographical location.
4) To see a redefacement, you can click one of the R letters you spotted.
Below is an example screenshot of a redefacement, myschool.ng website has been defaced twice in two years.
5) You can click the ENABLE FILTERS link at the top and search for the websites with gov extension. You can see the result of this query below.
Section-2: Pastebin.com
A pastebin site hosts the text-based data such as source codes, code snippets, and anything worth sharing. Pastebin.com is the oldest pastebin site. Pastebin.com had been hosting the pastes of the hacktivist group, Anonymous. After pastebin.com started monitoring the site for illegally pasted data, Anonymous began to a new service:
https://anonpaste.org. This pastebin site is used f.
CS266 Software Reverse Engineering (SRE)
Identifying, Monitoring, and Reporting Malware
Teodoro (Ted) Cipresso, teodoro.cipresso@sjsu.edu
Department of Computer Science
San José State University
Spring 2015
Anti-phishing Web browser allow to avoid the fake site and can do the Steganography and Cryptography on data or email contents from the browser itself.(Developed by Sumeet Jaisinghani, from ( Nashik, Maharashtra )India
Continuing in your role as a human service provider for your local.docxrichardnorman90310
Continuing in your role as a human service provider for your local community, your manager has asked you to write an opinion piece for the local newspaper discussing gaps in prison and jail services in their state.
Write an opinion article that is 900 words. Complete the following in your article:
· Describe the major beliefs of 4 criminological theories.
· For each criminological theory, explain what human services should be provided to inmates.
· Of the services identified for each criminological theory, list the services that are not currently provided by your local or state agencies.
· Discuss your personal beliefs related to which human services should be provided by your local or state agencies.
· Discuss a conclusion focused on changes in human services you would like to see made by your local or state agencies.
Lab-8: Web Hacking
Websites have always been among the first targets of hackers. There are many reasons for this. These are the most important ones:
1) Websites have to be reachable from the Internet. Their primary purpose is to publish something or provide some service for the public
2) There are more than 1 billion websites as almost every organization, and many individuals have websites
3) As opposed to the earlier years of the world wide web, websites are very dynamic today. They come with forms and dynamic applications implemented by many different frontend and backend technologies. A wide variety of dynamic applications not only bring more functionality to web applications but also introduces vulnerabilities.
As a result, we are talking about something valuable that is billions in amount, accessible by anybody, and a commonplace for wrong implementation and vulnerabilities.Section-1: Exploit Cross-Site Scripting (XSS) Vulnerability
An XSS attack enables malicious users to inject client-side scripts such as JavaScript codes into web pages viewed by other users. The term XSS is used to describe both the vulnerability and the attack type, such as XSS attack / XSS vulnerability on the web application.
1) Log into Windows 7 Attacker on the Netlab environment.
2) Open Firefox by clicking the icon on the desktop or start menu
3) Visit this page
http://192.168.2.15/dvwa/login.php
This is the "Damn Vulnerable Web Application" hosted on the OWASP BWA machine on Netlab.
4)
Log in to web application by typing
user as Username and
user as Password. After logging in, you will see the page below.
5) Click on the XSS reflected on the left menu and type your nickname into the textbook at the right pane of the webpage. (I typed "ethical" and clicked the submit button. The web application gets what you typed as the input, add Hello to the beginning, and prints to the screen.
6)
Try some basic HTML tags now. Type
<h1>your nickname</h1>
I typed "<h1>ethical</h1> and then clicked submit button. I confirm .
Similar to Automated web patrol with strider honey monkeys finding web sites that exploit browser vulnerabilities (20)
Automated web patrol with strider honey monkeys finding web sites that exploit browser vulnerabilities
1. - 0 -
Automated Web Patrol with Strider HoneyMonkeys:
Finding Web Sites That Exploit Browser Vulnerabilities
Yi-Min Wang
Doug Beck
Xuxian Jiang
Roussi Roussev
First Version: June 4, 2005
Last Updated: July 27, 2005
Technical Report
MSR-TR-2005-72
Microsoft Research
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052
2. - 1 -
Automated Web Patrol with Strider HoneyMonkeys:
Finding Web Sites That Exploit Browser Vulnerabilities
Yi-Min Wang, Doug Beck, Xuxian Jiang, and Roussi Roussev
Cybersecurity and Systems Management Research Group
Microsoft Research, Redmond, Washington
Abstract
Internet attacks that use Web servers to exploit browser vulnerabilities to install malware programs are on
the rise [D04,R04,B04,S05]. Several recent reports suggested that some companies may actually be building a
business model around such attacks [IF05,R05]. Expensive, manual analyses for individually discovered
malicious Web sites have recently emerged [F04,G05]. In this paper, we introduce the concept of Automated
Web Patrol, which aims at significantly reducing the cost for monitoring malicious Web sites to protect
Internet users. We describe the design and implementation of the Strider HoneyMonkey Exploit Detection
System [L05,N05], which consists of a network of monkey programs running on virtual machines with
different patch levels and constantly patrolling the Web to hunt for Web sites that exploit browser
vulnerabilities.
Within the first month of utilizing this new system, we identified 752 unique URLs that are operated by
287 Web sites and that can successfully exploit unpatched WinXP machines. The system automatically
constructs topology graphs that capture the connections between the exploit sites based on traffic redirection,
which leads to the identification of several major players who are responsible for a large number of exploit
pages.
1. Introduction
Internet attacks that use a malicious, hacked, or infected Web server to exploit unpatched client-side
vulnerabilities of visiting browsers are on the rise. Many attacks in the past 12 months fell into this category,
including Download.Ject [D04], Bofra [R04], and Xpire.info [B04]. Such attacks allow the attackers to install
malware programs without requiring any user interaction. Manual analyses of exploit sites have recently
emerged [F04,G05,IF05,R05,S05,T05]. Although they often provide very useful and detailed information
about which vulnerabilities are exploited and which malware programs are installed, such analysis efforts are
not scalable and do not provide a comprehensive picture of the problem.
In this paper, we introduce the concept of Automated Web Patrol that involves a network of automated
agents actively patrolling the Web to find malicious Web sites. We describe the design and implementation of
the Strider HoneyMonkey Exploit Detection System that uses active client honeypots [H,HC] to perform
3. - 2 -
automated Web patrol with the specific goal of finding Web sites that exploit browser vulnerabilities. The
system consists of a pipeline of monkey programs running on Virtual Machines (VMs) with different patch
levels in order to detect exploit sites with different capabilities.
Within the first month, we identified 752 unique URL links, operated by 287 Web sites, that can
successfully exploit unpatched WinXP machines. We present a preliminary analysis of the data and suggest
what can be done based on the data to improve Internet safety.
2. Automated Web Patrol with the Strider HoneyMonkey Exploit Detection System
Although the general idea of crawling the Web to look for pages of particular interest is fairly
straightforward, we have found that a combination of the following key ideas are most crucial for increasing
the “hit rate” and making the concept of Web patrol useful in practice:
1. Where Do We Start? There are 10 billion Web pages out there and most of them do not exploit
browser vulnerabilities. So, it is very important to start with a list of URLs that are most likely to
generate hits. The approach we took was to collect an initial list of 5000+ potentially malicious URLs
by doing a Web search for Windows “hosts” files [HF] that are used to block advertisements and bad
sites, and lists of known-bad Web sites that host some of the most malicious spyware programs
[CWS05].
2. How Do We Detect An Exploit? One method of detecting a browser exploit is to study all known
vulnerabilities and build signature-based detection code for each. Since this approach is fairly
expensive, we decided to lower the cost of Web patrol by utilizing a black-box approach: we run a
monkey program1
with the Strider Flight Data Recorder (FDR) [W03] to efficiently record every single
file and Registry read/write. The monkey launches a browser instance for each suspect URL and wait
for a few minutes. The monkey is not set up to click on any dialog box to permit installation of any
software; consequently, any executable files that get created outside the browser’s temporary folder are
detected by the FDR and signal an exploit. Such a black-box approach has an important advantage: it
allows the detection of known-vulnerability exploits and zero-day exploits in a uniform way, through
monkeys with different patch levels. Each monkey also runs with the Strider Gatekeeper [W04] to
detect any hooking of Auto-Start Extensibility Points (ASEPs) that may not involve creation of
executables, and with Strider GhostBuster [W05] to detect stealth malware that hide processes and
ASEP hooks.
1
An automation-enabled program such as the Internet Explorer browser allows programmatic access to most of the
operations that can be invoked by a user. A “monkey program” is a program that drives the browser in a way that mimics
human user’s operation.
4. - 3 -
To ease cleanup of infected state, we run the monkey inside a VM. Upon detecting an exploit, the
monkey persists its data and notifies the Monkey Controller, running on the host machine, to destroy
the infected VM and restart a clean VM. The restarted VM automatically launches the monkey, which
then continues to visit the remaining URL list. The Monkey Controller also passes the detected exploit
URL to the next monkey in the pipeline to continue investigating the strength of the exploit. When the
end-of-the-pipeline monkey, running on a fully patched VM, reports a URL as an exploit, the URL is
upgraded to a zero-day exploit and the malware programs that it installed are immediately investigated
and passed on to the Microsoft Security Response Center.
3. How Do We Expand And Guide The Search? The initial list may contain only a small number of
hits, so it is important to have an effective guided search in order to grow the patrolled area to increase
coverage. We have found that, usually, the links displayed on an exploit page have a higher probability
of being exploit pages as well because people in the exploit business like to refer to each other to
increase traffic. We take advantage of this by doing Web crawling through those links to generate
bigger “bad neighborhoods”. More importantly, we have observed that many of the exploit pages
automatically redirect visiting browsers to a number of other pages, each of which may try a different
exploit or install different malware programs. We take advantage of this by tracking such redirections
to enable automatic derivation of their business relationship: content providers are responsible for
attracting browser traffic and selling/redirecting the traffic to exploit providers, which specialize in and
are responsible for actually performing the exploits to install malware.
3. Exposing and Analyzing The Exploit Sites
3.1. The Importance of Software Patching
Figure 1 shows the breakdown of the 752 Internet Explorer browser-based exploit URLs among different
service-pack (SP1 or SP2) and patch levels, where “UP” stands for “UnPatched”, “PP” stands for “Partially
Patched”, and “FP” stands for “Fully Patched”. As expected, the SP1-UP number is much higher than the SP2-
UP number because the former has more vulnerabilities and they have existed for a longer time.
The SP2-PP numbers are the numbers of exploit pages and sites that successfully exploited a WinXP SP2
machine partially patched up to early 2005. The fact that the number is one order of magnitude lower than the
SP2-UP number demonstrates the importance of keeping software up to date. But since the number is still not
negligible, enterprise corporate proxies may want to black-list these sites while the latest updates are still being
tested for deployment and ISPs may want to block access to these sites to give their consumer customers more
time to catch up with the updates.
5. - 4 -
Number of Unique Exploit URLs Number of Exploit Sites
Total 752 287
WinXP SP1 Unpatched (SP1-UP) 688 270
WinXP SP2 Unpatched (SP2-UP) 204 115
WinXP SP2 Partially Patched (SP2-PP) 17 10
WinXP SP2 Fully Patched (SP2-FP) 0 0
Figure 1. Number of Exploit URLs and sites as a Function of Patch Levels (May/June 2005 data).
The SP2-FP numbers again demonstrate the importance of keeping software up to date: none of the 752
exploit URLs was able to exploit a fully updated WinXP SP2 machine according to our May/June 2005 data. If
any Web site that exploits a zero-day vulnerability ever appears and gets connected to any of these URLs, our
SP2-FP HoneyMonkey will be able to quickly detect and report it to the browser and security response teams.
This hopefully creates a dilemma that discourages the exploiters: most of the future exploit pages will likely
get detected before they have a chance to cause large-scale infections because HoneyMonkeys browse the Web
like humans and the first HoneyMonkey that gets infected can report the exploit.
3.2. Connection Topology based on Traffic Redirection
Next, we present the topology graph for each of the first three patch levels and discuss what we can learn
from each graph.
3.2.1. “WinXP SP1 Unpatched” Topology
Figure 2 shows the URL-level topology graph for WinXP SP1-UP. Each rectangular node represents an
individual exploit URL. Blue nodes represent Web pages that did not receive redirected traffic from any other
nodes; they are most likely content providers and not major exploit providers. In contrast, red nodes represent
Web pages that received redirected traffic from other exploit pages; they are most likely exploit providers if the
traffic came from multiple different sites. Each gray edge represents an automatic traffic redirection. Each
circle represents a site node that serves as an aggregation point for all exploit pages hosted on that site, with the
site node having one blue or red edge pointing to each of the child-page rectangles. Any circle without a border
is a “virtual site node” that does not correspond to an exploit URL, but is introduced purely for aggregation
purposes.
The size of a circle is proportional to the number of outgoing gray edges for blue nodes and the number of
incoming gray edges for red nodes. Such numbers provide a good indication of the relative popularity of the
exploit sites and will be referred to as the connection counts. The top exploit site in this graph has a
connection count of 63; the top exploit page has a count of 29; the largest blue circle at the top has a count of
6. - 5 -
19. If available, actual amount of visit traffic to each exploit site can provide a more accurate picture of the
relative popularity.
Figure 2. URL-level Topology Graph for WinXP SP1 Unpatched: 688 URLs from 270 sites
It is clear from Figure 2 that there are many major exploit providers as marked by the large red circles. We
performed WHOIS lookups on the top 30 exploit providers and found that several individuals actually own
more than one of these top sites and the registration addresses of these individuals span more than 10 countries.
The top exploiter in our current SP1-UP network owns the three big red circles in the upper-left corner of
Figure 2, which are ranked #1, #3, and #10, respectively, based on connection counts. We found that a total of
61 exploit sites have direct traffic redirection relationship with this exploiter’s three sites.
Although most of the exploit URLs in Figure 2 appear to be pornography sites that are well connected to
each other, there are several visibly isolated sub-graphs. We discuss three groups that are of particular interest.
The first group consists of a normal-looking shopping site that performs exploits by redirecting traffic to seven
exploit URLs hosted by five advertising companies. We have verified that one of the five companies is also
serving exploiting ads on a large number of popular Web pages.
7. - 6 -
The second group is a site related to screen savers. It is well known that many freeware programs bundle
spyware programs in their installations; now it appears that some freeware sites are actually installing spyware
through exploits. The third group consists of malicious search sites; there are more than 20 search sites in our
current list of exploit URLs.
Ironically, it is not uncommon to see rogue anti-spyware vendors involved in exploit activities. Figure 3
shows screenshots of several spyware warnings following exploit-based spyware installations. Several of them
try to sell to the users anti-spyware programs in order to remove spyware programs that, they themselves, have
installed.
8. - 7 -
Figure 3. Screenshots of Exploit-based Spyware Installations and Warnings
9. - 8 -
3.2.2. “WinXP SP2 Unpatched” Topology
Figure 4 illustrates the site-level topology for SP2-UP. Each node in a site-level topology graph represents
a folded sub-graph consisting of a site node and all its child pages with colored incoming edges from a URL-
level graph. A site-level topology graph is most useful for showing the potential business relationship among
the players. The clean separation between the blue and red nodes in Figure 4 raises the possibility of disrupting
the network by blocking or pursuing legal actions when appropriate against exploit providers, and monitoring
content providers to detect new exploit providers that join the network. In some cases, content providers may
have been hacked to do traffic redirection or exploit providers may be hosted on infected zombie machines;
identifying them through the HoneyMonkey will help innocent owners clean up and reclaim their machines.
Intersecting the top 30 SP2-UP exploit sites with their SP1-UP counterpart yields 11 sites; these appear to
belong to professional exploiters who are continuing to improve their capabilities in order to maintain and
increase coverage. Among the remaining 19 sites on the SP2-UP list, 16 of them are known SP1-UP exploit
sites but the #2, #10, and #18 sites appear to be targeting SP2 machines.
Figure 4. Site-level Topology Graph for WinXP SP2 Unpatched: 115 sites
3.2.3. “WinXP SP2 Partially Patched” Topology
Figure 5 illustrates the URL-level topology for SP2-PP, which consists of only 17 Web pages hosted by 10
sites. These are the most powerful exploit pages in terms of the number of machines they are capable of
infecting and should be considered the highest priorities for investigation. It is clear from the picture that
blocking the two exploit pages at the bottom of the middle sub-graph is the most effective starting point
because it would disrupt more than half of this graph.
Figure 5. URL-level Topology Graph for WinXP SP2 Partially Patched: 17 URLs from 10 sites
10. - 9 -
3.3. Search Engines as an Infection Vector
Search engines are popular starting points for Web surfers. This leads to the question: how many of the 752
exploit URLs exist in popular search engines? Figure 6 provides the answer for three of them. An URL is
counted when its name is supplied as the search string and the search results include a link to the URL. It is
clear that a non-trivial percentage of the exploit URLs is returned by popular search engines. The ones that
appeared in MSN Search results have since been removed, as shown in the bottom row of Figure 6.
Number of Exploit URLs
Total 752
In Google search results 102 (13.6%)
In Yahoo search results 100 (13.3%)
In MSN Search results (June 1, 2005) 49 (6.5%)
In MSN Search results (June 10, 2005) 0 (0%)
Figure 6. Number of Exploit URLs That Generated Hits At Three Popular Search Engines
4. Summary, Future Work, and Zero-Day Exploit Detection
We have presented summary statistics and topology graphs for exploit URLs that the HoneyMonkey
system discovered in the first round of Web patrol. We plan to continue monitoring all discovered exploit
pages to capture new exploiters. Statistics regarding exploit sites for the latest patched vulnerabilities will be
used to assess the urgency of patch deployment. Software samples gathered from the exploit URLs will be
analyzed and investigated to provide concrete evidence of spyware programs that are being installed without
user permission. These results will also be provided to our Enforcement Team, in order to further investigate
and possibly pursue legal actions, including referrals, against those exploiters acting in contravention of the
law.
We are also monitoring the top one million click-through links from a search engine to see if the exploit
industry has penetrated the “good neighborhoods” of popular sites. Preliminary results reveal that
contaminated Web pages that unknowingly serve ads that exploit browser vulnerabilities may be a serious
concern. We are beginning to monitor links contained in spam and phishing emails because that is another way
for the exploiters to lure Web users to the “bad neighborhoods” [S05]. We plan to investigate other infection
vectors as well [N05,G05,S04,HD05,IW05,XSS]. In the long run, we envision multiple networks of
HoneyMonkeys patrolling the Web from different corners of the world so that it is not possible for the
exploiters to black-list HoneyMonkey network IP addresses and deliberately skip exploit.
Update on Zero-Day Exploit Detection: In early July 2005, the HoneyMonkey system discovered its first
zero-day exploit. The javaprxy.dll vulnerability was known at that time without an available patch yet
11. - 10 -
[J105,J205], and whether it was actually being exploited was a very important piece of information. The
HoneyMonkey system was able to detect the first exploit page within 2.5 hours of scanning and that was
confirmed to be the first in-the-wild exploit URL reported to the Microsoft Security Response Center. Within
the subsequent two weeks, we detected that over 40 of those 752 exploit URLs started to “upgrade” to the
javaprxy.dll exploit. We were able to identify the three exploit sites behind them that were responsible for all
the exploits and report them to the response center. Three interesting observations further demonstrate the
effectiveness of the HoneyMonkey system: (1) the first detected zero-day exploit URL belongs to the top
exploiter discussed right after Figure 2; (2) all three top SP1-UP exploit sites owned by this exploiter were
upgraded within a short time; (3) almost half of the exploit URLs in Figure 5 were upgraded, as expected,
because they appear to have the tendency of keeping their exploit capability up-to-date.
References
[B04] Xpire.info, http://www.vitalsecurity.org/xpire-splitinfinity-serverhack_malwareinstall-condensed.pdf, Nov.
2004.
[CWS05] “Webroot: CoolWebSearch Top Spyware Threat,”
http://www.techweb.com/showArticle.jhtml?articleID=160400314, TechWeb, March 30, 2005.
[D04] Download.Ject, http://www.microsoft.com/security/incident/download_ject.mspx, June 2004.
[F04] “Follow the Money; or, why does my computer keep getting infested with spyware?”
http://www.livejournal.com/users/tacit/125748.html.
[G05] “Googkle.com installed malware by exploiting browser vulnerabilities,” http://www.f-secure.com/v-
descs/googkle.shtml.
[H] The Honeynet Project, http://www.honeynet.org/.
[HC] Honeyclient Development Project, http://www.honeyclient.org/.
[HD05] “Another round of DNS cache poisoning,” Handlers Diary, March 30, 2005, http://isc.sans.org/.
[HF] hpHOSTS community managed hosts file, http://www.hosts-file.net/downloads.html.
[IF05] “iframeDOLLARS dot biz partnership maliciousness,” http://isc.sans.org/diary.php?date=2005-05-23.
[IW05] “Scammers use Symantec, DNS holes to push adware,” InfoWorld.com, March 7, 2005,
http://www.infoworld.com/article/05/03/07/HNsymantecholesandadware_1.html?DESKTOP%20SECURITY.
[J105] Microsoft Security Advisory (903144) - A COM Object (Javaprxy.dll) Could Cause Internet Explorer to
Unexpectedly Exit, http://www.microsoft.com/technet/security/advisory/903144.mspx.
[J205] Microsoft Security Bulletin MS05-037 - Vulnerability in JView Profiler Could Allow Remote Code
Execution (903235), http://www.microsoft.com/technet/security/bulletin/ms05-037.mspx.
[L05] Robert Lemos, “Microsoft looks to "monkeys" to find Web threats,” SecurityFocus News, May 17,
2005, http://www.securityfocus.com/news/11178.
12. - 11 -
[N05] Ryan Naraine, “Strider HoneyMonkey: Trawling for Windows Exploits,” eWEEK.com, May 19, 2005,
http://www.eweek.com/article2/0,1759,1817822,00.asp.
[R05] “Russians use affiliate model to spread spyware,” http://www.itnews.com.au/newsstory.aspx?CIaNID=18926.
[R04] Team Register, “Bofra exploit hits our ad serving supplier,”
http://www.theregister.co.uk/2004/11/21/register_adserver_attack/, November 2004.
[S04] Symantec Gateway Security Products DNS Cache Poisoning Vulnerability,
http://securityresponse.symantec.com/avcenter/security/Content/2004.06.21.html.
[S05] “Michael Jackson suicide spam leads to Trojan horse,”
http://www.sophos.com/virusinfo/articles/jackotrojan.html, Sophos, June 9, 2005.
[T05] Michael Ligh, “Tri-Mode Browser Exploits - MHTML, ANI, and ByteVerify,”
http://www.mnin.org/write/2005_trimode.html, April 30, 2005.
[XSS] “Code insertion in Blogger comments”, March 28, 2005, http://www.securityfocus.com/archive/1/394532.
[W03] Yi-Min Wang, et al., "STRIDER: A Black-box, State-based Approach to Change and Configuration
Management and Support", in Proc. Usenix LISA, Oct. 2003.
[W04] Yi-Min Wang, et al., "Gatekeeper: Monitoring Auto-Start Extensibility Points (ASEPs) for Spyware
Management", in Proc. Usenix LISA, 2004
[W05] Yi-Min Wang, et al., "Detecting Stealth Software with Strider GhostBuster," to appear in Proc. DSN,
June 2005