Recall that upon visiting a malicious URL, the browser downloads the initial exploit. The exploit (in most cases, javascript) targets a vulnerability in the browser or one of its plugins and takes control of the infected system, after which it retrieves and runs the malware executable(s) downloaded from the malware distribution site. Rather than inspecting the behavior of each phase in isolation, our goal is to give an overview of the collective changes that happen to the system state after visiting a malicious URL . Figure 14 shows the distribution of the number of Windows executables downloaded after visiting a malicious URL as observed from monitoring the interaction between the browser and the malware distribution site. As the graph shows, visiting malicious URLs can lead to a large number of downloads (8 on average, but as large as 60 in the extreme case).
Another noticeable outcome is the increase in the number of running processes on the virtual machine. This increase is associated with the automatic execution of binaries. For each landing URL , we collected the number of processes that were started on the guest operating system after being infected with malware. Figure 15 shows the CDF of the number of processes launched after the system is infected. As the graph shows visiting malicious URLs produces a noticeable increase in the number of processes, in some cases, inducing so much overhead that they ``crashed'' the virtual machine.
Additionally, we examine the type of registry changes that occur when
the malware executes. Overall, we detected registry changes after
visiting 
of the landing pages. We divide these changes into
the following categories: BHO indicates that the malware
installed a Browser Helper Object that can access privileged state in
the browser; Preferences means that the browser home page,
default search engine or name server where changed by the malware;
Security indicates that malware changed firewall
settings or even disabled automatic software updates; Startup
indicates that the malware is trying to persist across
reboots. Notice that these categories are not mutually exclusive ( i.e., a single malicious URL may cause changes in multiple
categories). Table 4 summarizes the percentage of
registry changes per category. Notice that ``Startup'' changes are
more prevalent indicating that malware tries to persist even after the
machine is rebooted.
|
In addition to the registry changes, we analyzed the network activity
of the virtual machine post infection. In our system, the virtual
machines are allowed to perform only DNS and HTTP
connections. Table 5 shows the percentage of connection
attempts per destination port. Even though we omit the HTTP
connections originating from the browser, HTTP is still the most
prevalent port for malicious activity post-infection. This is due to
``downloader'' binaries that fetch, in some cases, up to 
binaries
over HTTP. We also observe a significant percentage of connection
attempts to typical IRC ports, accounting for more than 
of all
non-HTTP connections. As a number of earlier studies have already
shown (e.g., [6,19,8,21,22,12]),
the IRC connection attempts are most likely for unwillingly (to the
owner) adding the compromised machine to an IRC botnet, confirming the
earlier conjecture by Provos et al. [20] regarding the
connection between web malware and botnets. More detailed examples of
malware's behavior can be found in Polychronakis et
al. [18].
![\includegraphics[width=3in]{graphs/cdf-binaries-per-url.eps}](img58.png)
![\includegraphics[width=3in]{graphs/cdf-processes}](img59.png)