PExy: The Other Side of Exploit Kits

Maio, Giancarlo De; Kapravelos, Alexandros; Shoshitaishvili, Yan; Kruegel, Christopher; Vigna, Giovanni

doi:10.1007/978-3-319-08509-8_8

Cited by 16 publications

(17 citation statements)

References 7 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Most previous academic work [8][9][10][11] focused on the server-side source code of the EK families and conducted static source code analysis mostly on PHP code. While the EK families they analyzed leaked behind the scenes, the current EK families that we analyzed are not leaked online yet.…”

Section: Introductionmentioning

confidence: 99%

I see EK: A lightweight technique to reveal exploit kit family by overall URL patterns of infection chains

Suren¹,

Angin²,

Baykal³

2019

Turk J Elec Eng & Comp Sci

View full text Add to dashboard Cite

The prevalence and nonstop evolving technical sophistication of exploit kits (EKs) is one of the most challenging shifts in the modern cybercrime landscape. Over the last few years, malware infections via drive-by download attacks have been orchestrated with EK infrastructures. Malicious advertisements and compromised websites redirect victim browsers to web-based EK families that are assembled to exploit client-side vulnerabilities and finally deliver evil payloads. A key observation is that while the webpage contents have drastic differences between distinct intrusions executed through the same EK, the patterns in URL addresses stay similar. This is due to the fact that autogenerated URLs by EK platforms follow specific templates. This practice in use enables the development of an efficient system that is capable of classifying the responsible EK instances. This paper proposes novel URL features and a new technique to quickly categorize EK families with high accuracy using machine learning algorithms. Rather than analyzing each URL individually, the proposed overall URL patterns approach examines all URLs associated with an EK infection automatically. The method has been evaluated with a popular and publicly available dataset that contains 240 different real-world infection cases involving over 2250 URLs, the incidents being linked with the 4 major EK flavors that occurred throughout the year 2016. The system achieves up to 100% classification accuracy with the tested estimators.

show abstract

Section: Introductionmentioning

confidence: 99%

I see EK: A lightweight technique to reveal exploit kit family by overall URL patterns of infection chains

Suren¹,

Angin²,

Baykal³

2019

Turk J Elec Eng & Comp Sci

View full text Add to dashboard Cite

show abstract

“…On the other hand, some EK families prefer to serve more stable exploits, where attackers get a lower but steadier infection pace over time. De Maio et al executed an analysis, PExy, on the source code of over 50 EKs in 37 families [6]. They also worked with EKs in off-line mode in their laboratories and via automated static source code analysis, where they produced all combinations of HTTP request parameters (in particular URL and user-agents) that cause an EK to trigger an infection.…”

Section: Related Workmentioning

confidence: 99%

ZEKI: unsupervised zero-day exploit kit intelligence

Suren¹

2020

Turk J Elec Eng & Comp Sci

View full text Add to dashboard Cite

Over the last few years, exploit kits (EKs) have become the de facto medium for large-scale spread of malware.Drive-by download is the leading method that is widely used by EK flavors to exploit web-based client-side vulnerabilities.Their principal goal is to infect the victim's system with a malware. In addition, EK families evolve quickly, where they port zero-day exploits for brand new vulnerabilities that were never seen before and for which no patch exists. In this paper, we propose a novel approach for categorizing malware infection incidents conducted through EKs by leveraging the inherent "overall URL patterns" in the HTTP traffic chain. The proposed approach is based on the key finding that EKs infect victim systems using a specially designed chain, where EKs lead the web browser to download a malicious payload by issuing several HTTP requests to more than one malicious domain addresses. This practice in use enables the development of a system that is capable of clustering the responsible EK instances. The method has been evaluated with a popular and publicly available dataset that contains 240 different real-world infection cases involving over 2250 URLs, the incidents being linked with the 4 major EK flavors that occurred throughout the year 2016. The system achieves up to 93.7% clustering accuracy with the estimators experimented.

show abstract

“…Kotov et al [11] showed typical components of exploit kits based on the source codes analysis of 30 exploit kits. Maio et al [12] also analyzed the source codes of exploit kits and reported behavior of exploit kit at the server side. According to [11] and [12], exploit kits have the following four components:…”

Section: Exploit Kit's Componentsmentioning

confidence: 99%

A Malicious Web Site Identification Technique Using Web Structure Clustering

Nagai

Kamizono²,

Shiraishi

et al. 2019

IEICE Trans. Inf. & Syst.

View full text Add to dashboard Cite

Epidemic cyber incidents are caused by malicious websites using exploit kits. The exploit kit facilitate attackers to perform the drive-by download (DBD) attack. However, it is reported that malicious websites using an exploit kit have similarity in their website structure (WS)trees. Hence, malicious website identification techniques leveraging WStrees have been studied, where the WS-trees can be estimated from HTTP traffic data. Nevertheless, the defensive component of the exploit kit prevents us from capturing the WS-tree perfectly. This paper shows, hence, a new WS-tree construction procedure by using the fact that a DBD attack happens in a certain duration. This paper proposes, moreover, a new malicious website identification technique by clustering the WS-tree of the exploit kits. Experiment results assuming the D3M dataset verify that the proposed technique identifies exploit kits with a reasonable accuracy even when HTTP traffic from the malicious sites are partially lost.

show abstract

PExy: The Other Side of Exploit Kits

Cited by 16 publications

References 7 publications

I see EK: A lightweight technique to reveal exploit kit family by overall URL patterns of infection chains

I see EK: A lightweight technique to reveal exploit kit family by overall URL patterns of infection chains

ZEKI: unsupervised zero-day exploit kit intelligence

A Malicious Web Site Identification Technique Using Web Structure Clustering

Contact Info

Product

Resources

About