Thursday, September 28, 2006
4:15 pm
B17 Upson Hall

Computer Science
Fall 2006

Steven Gribble
Department of Computer Science & Engineering
University of Washington

Web-borne Malware: Measurement and Mitigation

We continue to grow increasingly dependent on the Web as a source of data, software, and computational and communications services. Unsurprisingly, as a result of this, attackers are focusing on Web-borne threats as a way of reaching their potential victims. For example, modern Web users are exposed to drive-by download attacks, malware piggy-backed on executables, and phishing attacks.

In this talk, I will first present the results of a measurement study whose goal is to quantify the nature and extent of spyware delivered through the Web, either through drive-by downloads or piggy-backed delivery on executables. Our data suggests that spyware is widespread but relatively benign; for example, 1 in 8 executables that we examined contained piggy-backed spyware, but most spyware contains only "annoyances" such as advertising functions.

Following this, I will discuss two different systems that can help protect users against Web-borne threats. The first, called spyproxy, performs on-the-fly analysis of Web content within a virtualized environment, and can detect threats before they have the chance to reach victims. The second, called Tahoma, re-examines the architecture of Web browsers, and introduces the notion of a "Web browser operating system" to isolate Web applications from each other and from the users' desktop.