Check out the new USENIX Web site.

All Your iFRAMEs Point to Us

Niels Provos     Panayiotis Mavrommatis
Google Inc.
{niels, panayiotis}

Moheeb Abu Rajab     Fabian Monrose
Johns Hopkins University
{moheeb, fabian}


As the web continues to play an ever increasing role in information exchange, so too is it becoming the prevailing platform for infecting vulnerable hosts. In this paper, we provide a detailed study of the pervasiveness of so-called drive-by downloads on the Internet. Drive-by downloads are caused by URLs that attempt to exploit their visitors and cause malware to be installed and run automatically. Over a period of $ 10$ months we processed billions of URLs, and our results shows that a non-trivial amount, of over $ 3$ million malicious URLs, initiate drive-by downloads. An even more troubling finding is that approximately $ 1.3\%$ of the incoming search queries to Google's search engine returned at least one URL labeled as malicious in the results page. We also explore several aspects of the drive-by downloads problem. Specifically, we study the relationship between the user browsing habits and exposure to malware, the techniques used to lure the user into the malware distribution networks, and the different properties of these networks.

Niels Provos 2008-05-13