Understanding and detecting newly emerging attack vectors in cybercrimes

Date
2018
Publisher
University of Delaware
Abstract
Numerous efforts have been devoted to securing computer systems in the past decade, which has rendered many previously popular attacks ineffective. In response to this arms race, cybercriminals are constantly seeking new attack vectors. In this dissertation, we investigate several newly emerging attack vectors in cybercrime.

Our research first focuses on embedded malware inside Adobe PDF (Portable Document Format) documents. Due to its widespread use and JavaScript support, PDF has been the primary vehicle for delivering embedded exploits since 2008. Unfortunately, existing defenses are limited in effectiveness, prone to evasion, or too computationally expensive to be employed as on-line protection systems. To this end, we propose a context-aware approach for the detection and confinement of malicious JavaScript in PDF documents. Based on more than twenty thousand benign and malicious samples, our experimental evaluation shows that our defense system achieves very high detection accuracy with minor overhead.

We further conduct the first comprehensive study of domain shadowing, a new strategy adopted by miscreants to build their attack infrastructures. We design a novel domain shadowing detector called Woodpecker, which characterizes shadowed domains based on a set of 17 novel features. By applying Woodpecker to the daily feeds of VirusTotal collected over two months, we detect thousands of new domain shadowing campaigns. Our study highlights domain shadowing as an increasingly rampant threat since 2014.

Moreover, we discover a new security threat caused by dangling records in DNS. In a dangling DNS record (Dare), the resource pointed to by the DNS record is invalid, but the record itself has not yet been purged from DNS. Our work reveals that Dares can be easily manipulated by adversaries for domain hijacking. In particular, we identify three attack vectors that an adversary can harness to exploit Dares. In a large-scale measurement study, we uncover 467 exploitable Dares in 277 Alexa top 10,000 domains and 52 edu zones, showing that Dare is a real, prevalent threat.

Finally, we present a novel defense called pSweeper to robustly protect against use-after-free (UaF) exploits with low overhead and to pinpoint the root causes of UaF vulnerabilities with one safe crash. The success of pSweeper lies in its two unique and innovative techniques: concurrent pointer sweeping (CPS) and object origin tracking (OOT). Unlike previous works that rely on pointer propagation tracking to find dangling pointers, CPS iteratively sweeps all live pointers in a concurrent thread to find dangling ones. OOT helps to pinpoint the root causes by informing developers of how a dangling pointer came to be. We implement a prototype of pSweeper and validate its efficacy in real scenarios.
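The following is an added illustration of the two ideas behind pSweeper described above (pointer sweeping and object origin tracking); it is not pSweeper's code and the abstract gives no implementation details. It assumes a tiny registry in which the program records where its pointer variables live and where each heap object was allocated and freed. For clarity the sweep runs synchronously inside the free call rather than in a concurrent thread, and freed memory is quarantined rather than returned to the allocator so that the sweep can still classify pointers into it. All function and site names are hypothetical.

```c
/* Added example: a single-threaded sketch of dangling-pointer sweeping plus a
 * minimal object-origin record. Not pSweeper's code; names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OBJS  64
#define MAX_SLOTS 128

/* One tracked heap object: its address range and where it was allocated/freed. */
typedef struct {
    char *base;
    size_t size;
    const char *alloc_site;
    const char *free_site;   /* NULL while the object is live */
    int freed;
} obj_rec;

static obj_rec objs[MAX_OBJS];
static int nobjs = 0;

/* Registry of memory locations that hold pointers: the "live pointers" a sweep inspects. */
static void **slots[MAX_SLOTS];
static int nslots = 0;

/* Allocate and record the origin (alloc_site is a source location supplied by the caller). */
void *tracked_malloc(size_t size, const char *alloc_site) {
    if (nobjs >= MAX_OBJS) return NULL;
    void *p = malloc(size);
    if (!p) return NULL;
    objs[nobjs++] = (obj_rec){ .base = p, .size = size, .alloc_site = alloc_site,
                               .free_site = NULL, .freed = 0 };
    return p;
}

/* Tell the sweeper where a pointer variable lives so it can be inspected later. */
int register_slot(void **slot) {
    if (nslots >= MAX_SLOTS) return -1;
    slots[nslots++] = slot;
    return 0;
}

/* Map an address to the tracked object containing it, if any. */
static obj_rec *find_obj(const void *p) {
    const char *c = p;
    for (int i = 0; i < nobjs; i++)
        if (c >= objs[i].base && c < objs[i].base + objs[i].size) return &objs[i];
    return NULL;
}

/* Sweep every registered slot: a pointer into a freed object is dangling. It is
 * reported together with the object's origin and then neutralised (set to NULL),
 * so a later use faults deterministically instead of silently touching reused memory.
 * Returns the number of dangling pointers found. */
int sweep_dangling(void) {
    int found = 0;
    for (int i = 0; i < nslots; i++) {
        void *val = *slots[i];
        if (!val) continue;
        obj_rec *o = find_obj(val);
        if (o && o->freed) {
            fprintf(stderr, "dangling pointer in slot %p -> object allocated at %s, freed at %s\n",
                    (void *)slots[i], o->alloc_site, o->free_site);
            *slots[i] = NULL;
            found++;
        }
    }
    return found;
}

/* Mark the object freed, record the free site, and sweep immediately.
 * Returns the sweep count, or -1 for an unknown pointer or a double free.
 * The memory is deliberately quarantined (never passed to free()) in this sketch. */
int tracked_free(void *p, const char *free_site) {
    obj_rec *o = find_obj(p);
    if (!o || o->freed) return -1;
    o->freed = 1;
    o->free_site = free_site;
    return sweep_dangling();
}

/* Constructed scenario: two references to one object survive its free. Both are
 * detected and cleared by the sweep; returns the count (2), or -1 if one survived. */
int demo_use_after_free(void) {
    char *a = tracked_malloc(32, "demo.c:alloc_a");
    char *alias = a;                       /* a second reference the owner forgets about */
    register_slot((void **)&a);
    register_slot((void **)&alias);
    strcpy(a, "hello");
    int dangling = tracked_free(a, "demo.c:free_a");
    nslots = 0;                            /* the slots are stack variables; drop them before returning */
    if (a != NULL || alias != NULL) return -1;
    return dangling;
}

int main(void) {
    int n = demo_use_after_free();
    printf("dangling pointers found and neutralised: %d\n", n);
    return n == 2 ? 0 : 1;
}
```

The report printed on each hit is the "origin" half of the idea: instead of a crash far from the bug, the developer sees which allocation and which free produced the stale pointer. A real system would need the sweep to cover all pointer-holding memory (stacks, globals, heap), which is why pSweeper runs it concurrently rather than at every free.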
Keywords
Applied sciences, Cybercrime, Domain name system, Malware detection, Software security