Recall that upon visiting a malicious URL, the browser downloads the initial exploit. The exploit (in most cases, javascript) targets a vulnerability in the browser or one of its plugins and takes control of the infected system, after which it retrieves and runs the malware executable(s) downloaded from the malware distribution site. Rather than inspecting the behavior of each phase in isolation, our goal is to give an overview of the collective changes that happen to the system state after visiting a malicious URL . Figure 14 shows the distribution of the number of Windows executables downloaded after visiting a malicious URL as observed from monitoring the interaction between the browser and the malware distribution site. As the graph shows, visiting malicious URLs can lead to a large number of downloads (8 on average, but as large as 60 in the extreme case).
Another noticeable outcome is the increase in the number of running processes on the virtual machine. This increase is associated with the automatic execution of binaries. For each landing URL , we collected the number of processes that were started on the guest operating system after being infected with malware. Figure 15 shows the CDF of the number of processes launched after the system is infected. As the graph shows visiting malicious URLs produces a noticeable increase in the number of processes, in some cases, inducing so much overhead that they ``crashed'' the virtual machine.
Additionally, we examine the type of registry changes that occur when the malware executes. Overall, we detected registry changes after visiting of the landing pages. We divide these changes into the following categories: BHO indicates that the malware installed a Browser Helper Object that can access privileged state in the browser; Preferences means that the browser home page, default search engine or name server where changed by the malware; Security indicates that malware changed firewall settings or even disabled automatic software updates; Startup indicates that the malware is trying to persist across reboots. Notice that these categories are not mutually exclusive ( i.e., a single malicious URL may cause changes in multiple categories). Table 4 summarizes the percentage of registry changes per category. Notice that ``Startup'' changes are more prevalent indicating that malware tries to persist even after the machine is rebooted.
|
In addition to the registry changes, we analyzed the network activity of the virtual machine post infection. In our system, the virtual machines are allowed to perform only DNS and HTTP connections. Table 5 shows the percentage of connection attempts per destination port. Even though we omit the HTTP connections originating from the browser, HTTP is still the most prevalent port for malicious activity post-infection. This is due to ``downloader'' binaries that fetch, in some cases, up to binaries over HTTP. We also observe a significant percentage of connection attempts to typical IRC ports, accounting for more than of all non-HTTP connections. As a number of earlier studies have already shown (e.g., [6,19,8,21,22,12]), the IRC connection attempts are most likely for unwillingly (to the owner) adding the compromised machine to an IRC botnet, confirming the earlier conjecture by Provos et al. [20] regarding the connection between web malware and botnets. More detailed examples of malware's behavior can be found in Polychronakis et al. [18].