WebWitness: Investigating, Categorizing, and Mitigating Malware Download Paths

Terry Nelms, Roberto Perdisci, Manos Antonakakis, Mustaque Ahamad
USENIX Security Symposium, 2015.

Most modern malware download attacks occur via the browser, typically due to social engineering and drive- by downloads. In this paper, we study the “origin” of malware download attacks experienced by real network users, with the objective of improving malware down- load defenses. Specifically, we study the web paths fol- lowed by users who eventually fall victim to different types of malware downloads. To this end, we propose a novel incident investigation system, named WebWitness. Our system targets two main goals: 1) automatically trace back and label the sequence of events (e.g., visited web pages) preceding malware downloads, to highlight how users reach attack pages on the web; and 2) leverage these automatically labeled in-the-wild malware down- load paths to better understand current attack trends, and to develop more effective defenses.

We deployed WebWitness on a large academic net- work for a period of ten months, where we collected and categorized thousands of live malicious download paths. An analysis of this labeled data allowed us to design a new defense against drive-by downloads that rely on in- jecting malicious content into (hacked) legitimate web pages. For example, we show that by leveraging the inci- dent investigation information output by WebWitness we can decrease the infection rate for this type of drive-by downloads by almost six times, on average, compared to existing URL blacklisting approaches.