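; ---------------------------------------------------------------------
; To submit, log into grace.umd.edu and use the following command:
; /submit 2017 fall ENEE 657 0101 13 exploit_impact.bib
; ---------------------------------------------------------------------
; NOTE: BibTeX has no line-comment character. These ';' lines are only
; ignored because they sit outside any @entry{...}; never put a stray
; '@' in one of them, or it will be parsed as the start of a new entry.

; Required Readings

; Conference paper (11th USENIX Security Symposium), so @inproceedings
; with a booktitle rather than @article with the venue in `journal`.
@inproceedings{Staniford2002,
  title     = {How to Own the {Internet} in Your Spare Time},
  author    = {Staniford, Stuart and Paxson, Vern and Weaver, Nicholas},
  booktitle = {Proceedings of the 11th {USENIX} Security Symposium ({USENIX} Security '02)},
  publisher = {USENIX Association},
  year      = {2002},
  pages     = {149--167},
  isbn      = {1-931971-00-5},
  issn      = {0146-4833},
  doi       = {10.1145/1198255.1198265},
  url       = {http://dl.acm.org/citation.cfm?id=647253.720288},
  abstract  = {The ability of attackers to rapidly gain control of vast numbers of
               Internet hosts poses an immense risk to the overall security of the
               Internet. Once subverted, these hosts can not only be used to launch
               massive denial of service floods, but also to steal or corrupt great
               quantities of sensitive information, and confuse and disrupt use of
               the network in more subtle ways. We present an analysis of the
               magnitude of the threat. We begin with a mathematical model derived
               from empirical data of the spread of Code Red I in July, 2001. We
               discuss techniques subsequently employed for achieving greater
               virulence by Code Red II and Nimda. In this context, we develop and
               evaluate several new, highly virulent possible techniques: hit-list
               scanning (which creates a Warhol worm), permutation scanning (which
               enables self-coordinating scanning), and use of Internet-sized
               hit-lists (which creates a flash worm). We then turn to the threat of
               surreptitious worms that spread more slowly but in a much harder to
               detect ``contagion'' fashion. We demonstrate that such a worm today
               could arguably subvert upwards of 10,000,000 Internet hosts. We also
               consider robust mechanisms by which attackers can control and update
               deployed worms. In conclusion, we argue for the pressing need to
               develop a ``Center for Disease Control'' analog for virus- and
               worm-based threats to national cybersecurity, and sketch some of the
               components that would go into such a Center.},
  % Course-template fields below: filled in by the student and read by the
  % grading script; field names and the placeholder values are left as-is.
  studentfirstname = {},
  studentlastname  = {},
  summary          = {},
  contribution1    = {},
  contribution2    = {},
  contribution3    = {},
  contribution4    = {},
  contribution5    = {},
  weakness1        = {},
  weakness2        = {},
  weakness3        = {},
  weakness4        = {},
  weakness5        = {},
  interesting      = {high/med/low},
  opinions         = {},
}

; Conference paper (ACM CCS 2012). The exported author list was truncated
; to three names; `and others` marks it as incomplete so the style renders
; "et al." instead of silently presenting three people as the full author
; list. `address` is the publisher's city (ACM Press), not the venue.
@inproceedings{Grier2012,
  title     = {Manufacturing Compromise: The Emergence of Exploit-as-a-Service},
  author    = {Grier, Chris and Ballard, Lucas and Caballero, Juan and others},
  booktitle = {Proceedings of the 2012 {ACM} Conference on Computer and Communications Security ({CCS} '12)},
  publisher = {ACM Press},
  address   = {New York, NY, USA},
  year      = {2012},
  pages     = {821--832},
  isbn      = {978-1-4503-1651-4},
  issn      = {1543-7221},
  doi       = {10.1145/2382196.2382283},
  url       = {http://dl.acm.org/citation.cfm?id=2382283},
  keywords  = {Malware, drive-by downloads, exploit kits, measurement},
  abstract  = {We investigate the emergence of the exploit-as-a-service model for
               drive-by browser compromise. In this regime, attackers pay for an
               exploit kit or service to do the ``dirty work'' of exploiting a
               victim's browser, decoupling the complexities of browser and plugin
               vulnerabilities from the challenges of generating traffic to a
               website under the attacker's control. Upon a successful exploit,
               these kits load and execute a binary provided by the attacker,
               effectively transferring control of a victim's machine to the
               attacker. In order to understand the impact of the
               exploit-as-a-service paradigm on the malware ecosystem, we perform a
               detailed analysis of the prevalence of exploit kits, the families of
               malware installed upon a successful exploit, and the volume of
               traffic that malicious web sites receive. To carry out this study,
               we analyze 77,000 malicious URLs received from Google Safe Browsing,
               along with a crowd-sourced feed of blacklisted URLs known to direct
               to exploit kits. These URLs led to over 10,000 distinct binaries,
               which we ran in a contained environment. Our results show that many
               of the most prominent families of malware now propagate through
               drive-by downloads---32 families in all. Their activities are
               supported by a handful of exploit kits, with Blackhole accounting
               for 29\% of all malicious URLs in our data, followed in popularity
               by Incognito. We use DNS traffic from real networks to provide a
               unique perspective on the popularity of malware families based on
               the frequency that their binaries are installed by drive-bys, as
               well as the lifetime and popularity of domains funneling users to
               exploits.},
  annote    = {ref J. Caballero, C. Grier, C. Kreibich, and V. Paxson. Measuring
               Pay-per-Install: The Commoditization of Malware Distribution. In
               Proceedings of USENIX Security, 2011.
               ref N. Provos, P. Mavrommatis, M. A. Rajab, and F. Monrose. All Your
               iFRAMEs Point to Us. In Proceedings of the 17th Usenix Security
               Symposium, pages 1--15, July 2008.},
  mendeley-tags = {driveby downloads,exploit kits,measurement},
  % Course-template fields below: filled in by the student and read by the
  % grading script; field names and the placeholder values are left as-is.
  studentfirstname = {},
  studentlastname  = {},
  summary          = {},
  contribution1    = {},
  contribution2    = {},
  contribution3    = {},
  contribution4    = {},
  contribution5    = {},
  weakness1        = {},
  weakness2        = {},
  weakness3        = {},
  weakness4        = {},
  weakness5        = {},
  interesting      = {high/med/low},
  opinions         = {},
}

; BibTex cross-references (don't add anything here)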