Wepawet

Detection and Analysis of Malicious Web Content

Malicious web content has become the primary instrument used by miscreants to perform their attacks on the Internet. In particular, attacks that target web clients, as opposed to infrastructure components, have become pervasive. Drive-by downloads are a particularly common and insidious form of such attacks. We have developed a novel approach to the automatic detection and analysis of malicious web pages. For this, we visit web pages with an instrumented browser and record the events that occur during the interpretation of HTML elements and the execution of JavaScript code. For each event (e.g., the instantiation of an ActiveX control via JavaScript code or the retrieval of an external resource via an iframe tag), we extract one or more features whose values are evaluated using anomaly detection techniques. Anomalous features allow us to identify malicious content even in the case of previously unseen attacks. Our features are comprehensive and model many properties that capture intrinsic characteristics of attacks. Moreover, our system provides additional details about the attack. For example, it identifies the exploits that are used and the unobfuscated version of the code, which help to explain how the attack was executed and support additional analysis. We implemented our approach in a tool called Wepawet. Wepawet is available online at http://wepawet.cs.ucsb.edu, where users can submit URLs and files that are automatically analyzed, delivering detailed reports about the type of observed attacks and the targeted vulnerabilities. This service has been in operation since November 2008 and analyzes thousands of URLs per day submitted by users across the world.
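To make the pipeline in the abstract concrete (record browser events, extract features per event, profile the features on benign pages, flag values that fall outside the profile), here is a small added example. It is not Wepawet's code, feature set or model: the event traces, the six features and the per-feature Gaussian threshold are all constructed assumptions chosen to illustrate the idea, and the verdict threshold of two anomalous features is likewise invented.

```python
"""Toy version of the detect-by-anomalous-features approach described above.
Constructed example; not Wepawet's code, features or model."""
from collections import Counter
from statistics import mean, pstdev

# Constructed event traces, shaped like what an instrumented browser might log.
# Each event is (kind, detail). All values are invented for illustration.
BENIGN_TRACES = [
    [("load", "index.html"), ("script", "jquery.js"), ("eval", "var a=1;"),
     ("iframe", "https://ads.example/frame")],
    [("load", "news.html"), ("script", "site.js"),
     ("iframe", "https://video.example/player"), ("eval", "x(1)")],
    [("load", "shop.html"), ("script", "cart.js"), ("eval", "p='1';")],
]

SUSPICIOUS_TRACE = [
    ("load", "landing.html"),
    # a chain of redirects before any content is shown
    ("redirect", "http://a.example/"), ("redirect", "http://b.example/"),
    ("redirect", "http://c.example/"), ("redirect", "http://d.example/"),
    # a very long string handed to eval (typical of unpacked, decoded code)
    ("eval", "A" * 3000),
    # several different ActiveX controls instantiated in a row
    ("activex", "clsid-1"), ("activex", "clsid-2"),
    ("activex", "clsid-3"), ("activex", "clsid-4"),
    ("iframe", "http://e.example/x"),
]


def extract_features(trace):
    """Map an event trace to a feature vector (assumed, illustrative feature set)."""
    kinds = Counter(kind for kind, _ in trace)
    eval_args = [detail for kind, detail in trace if kind == "eval"]
    return {
        "redirects": kinds["redirect"],
        "eval_calls": kinds["eval"],
        "max_eval_len": max((len(a) for a in eval_args), default=0),
        "activex_instantiations": kinds["activex"],
        "distinct_activex": len({d for k, d in trace if k == "activex"}),
        "iframes": kinds["iframe"],
    }


class AnomalyModel:
    """Per-feature mean/std profile learned from benign traces only."""

    def __init__(self, k=3.0):
        self.k = k          # how many standard deviations count as anomalous
        self.profile = {}

    def train(self, traces):
        vectors = [extract_features(t) for t in traces]
        for name in vectors[0]:
            values = [v[name] for v in vectors]
            self.profile[name] = (mean(values), pstdev(values))

    def score(self, trace):
        """Return (number of anomalous features, their names).

        A feature is anomalous when it exceeds mean + k*std of the benign
        profile. The std is floored at 1.0 so a feature that was constant in
        training does not fire on every non-identical value."""
        anomalous = []
        for name, value in extract_features(trace).items():
            mu, sigma = self.profile[name]
            if value > mu + self.k * max(sigma, 1.0):
                anomalous.append(name)
        return len(anomalous), anomalous


def analyze(trace, model, min_anomalies=2):
    """Produce a report: verdict, the features that fired, and the strings
    the browser actually passed to eval (the code after the page's own
    obfuscation layers have run, which is what an analyst wants to read)."""
    score, anomalous = model.score(trace)
    return {
        "verdict": "malicious" if score >= min_anomalies else "benign",
        "anomalous_features": anomalous,
        "decoded_code": [d for k, d in trace if k == "eval"],
    }


if __name__ == "__main__":
    model = AnomalyModel()
    model.train(BENIGN_TRACES)
    for trace in (BENIGN_TRACES[0], SUSPICIOUS_TRACE):
        print(analyze(trace, model))
```

Training on benign traces only is what lets the model flag a page that uses an exploit it has never seen: the verdict depends on how the page behaves in the instrumented browser, not on a signature for a specific exploit.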

Publications

2011 (1 publication)

Escape from Monkey Island: Evading High-Interaction Honeyclients. A. Kapravelos, M. Cova, C. Kruegel, G. Vigna. Proceedings of the Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA 2011).

2010 (1 publication)

Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code. M. Cova, C. Kruegel, G. Vigna. Proceedings of the International World Wide Web Conference (WWW 2010).

Last update
Nov. 14, 2011, 7:42 p.m.