Wednesday 24 September 16:30 - 17:00, Red room.
Paul Royal, Barracuda Labs
Most people assume that it is safe to visit popular, well-established websites. While examples of popular website compromises contradict this expectation, there exist few comprehensive studies that attempt to systematically quantify maliciousness in top-ranked sites.
To address this gap in understanding, my presentation details the design and results of long-running experiments that identify maliciousness among popular websites in a vulnerability- and exploit-independent manner. To perform experimentation, I created a scalable URL analysis system that forces a browser within a sterile virtual machine to visit a given site, then examines the network-level actions of the VM to determine whether a drive-by download occurred. As input to this system, I provided the Alexa top 25,000 most popular domains each day in what became a series of month-long studies.
An analysis of the results reveals that, each month, millions of users are served malicious content from just tens of popular websites, and at least one million users are successfully compromised. In addition to an assessment of the threat (e.g. use of Java or ad networks in drive-by downloads), my presentation will coincide with the release of the raw data collected to promote a better understanding of this issue.
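The following is an added example, not the speaker's system, showing one way a network-level, exploit-independent check of this kind could work. It assumes a Windows analysis VM, a hypothetical record format (`url`, `referer`, `content_type`, `body_prefix`), a magic-byte heuristic, and constructed `.example` hosts.

```python
from urllib.parse import urlsplit

PE_MAGIC = b"MZ"  # leading bytes of a Windows executable (assumes a Windows VM)

def host(url):
    return urlsplit(url).hostname or ""

def parent(idx, responses):
    """Index of the response that led to responses[idx], or None for the first."""
    r = responses[idx]
    for j in range(idx - 1, -1, -1):
        p = responses[j]
        if p["url"] == r["referer"]:
            return j
        # Assumption: a fetch made by exploited plug-in code may carry no
        # Referer, so fall back to the latest earlier response from that host.
        if r["referer"] is None and host(p["url"]) == host(r["url"]):
            return j
    return None

def find_drive_by(responses):
    """Flag executables delivered during an unattended visit, with the host chain.
    Nobody clicks anything in the VM, so the exploit used does not matter."""
    findings = []
    for i, r in enumerate(responses):
        if not r["body_prefix"].startswith(PE_MAGIC):
            continue  # judge the body, not the declared Content-Type
        chain, j = [], i
        while j is not None:
            h = host(responses[j]["url"])
            if not chain or chain[-1] != h:
                chain.append(h)
            j = parent(j, responses)
        findings.append({"payload_host": host(r["url"]),
                         "declared_type": r["content_type"],
                         "chain": chain[::-1]})
    return findings

# Constructed sample: responses recorded, in order, during one visit.
SAMPLE = [
    {"url": "http://popular.example/", "referer": None,
     "content_type": "text/html", "body_prefix": b"<!DOCTYPE html>"},
    {"url": "http://ads.example/frame.html", "referer": "http://popular.example/",
     "content_type": "text/html", "body_prefix": b"<html><iframe"},
    {"url": "http://landing.example/index.php", "referer": "http://ads.example/frame.html",
     "content_type": "text/html", "body_prefix": b"<html><body>"},
    {"url": "http://popular.example/logo.jpg", "referer": "http://popular.example/",
     "content_type": "image/jpeg", "body_prefix": b"\xff\xd8\xff\xe0"},
    {"url": "http://landing.example/load.php?f=1", "referer": None,
     "content_type": "image/jpeg", "body_prefix": b"MZ\x90\x00\x03"},
]
```

The reconstructed chain separates the site the user chose to visit from the intermediary and payload hosts, which is what attributing an infection to an ad network requires.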
Paul Royal is a consultant for Barracuda Labs, the research and threat analysis division of Barracuda Networks. In this role, he collaborates with a team of researchers on the design and implementation of technologies that enhance the company's ability to protect users and online communications. When not consulting for Barracuda Labs, Paul is a research scientist at the College of Computing at Georgia Tech and Associate Director of the Georgia Tech Information Security Center (GTISC).