Moheeb Abu Rajab

Moheeb Abu Rajab

Authored Publications
Sort By
  • Title
  • Title, descending
  • Year
  • Year, descending
    Investigating Commercial Pay-Per-Install and the Distribution of Unwanted Software
    Ryan Rasti
    Cait Phillips
    Marc-André (MAD) Decoste
    Chris Sharp
    Fabio Tirelo
    Ali Tofigh
    Marc-Antoine Courteau
    Lucas Ballard
    Robert Shield
    Nav Jagpal
    Niels Provos
    Damon McCoy
    Proceedings of the USENIX Security Symposium (2016)
    Preview abstract In this work, we explore the ecosystem of commercial pay-per-install (PPI) and the role it plays in the proliferation of unwanted software. Commercial PPI enables companies to bundle their applications with more popular software in return for a fee, effectively commoditizing access to user devices. We develop an analysis pipeline to track the business relationships underpinning four of the largest commercial PPI networks and classify the software families bundled. In turn, we measure their impact on end users and enumerate the distribution techniques involved. We find that unwanted ad injectors, browser settings hijackers, and cleanup utilities dominate the software families buying installs. Developers of these families pay $0.10--$1.50 per install---upfront costs that they recuperate by monetizing users without their consent or by charging exorbitant subscription fees. Based on Google Safe Browsing telemetry, we estimate that PPI networks drive over 60 million download attempts every week---nearly three times that of malware. While anti-virus and browsers have rolled out defenses to protect users from unwanted software, we find evidence that PPI networks actively interfere with or evade detection. Our results illustrate the deceptive practices of some commercial PPI operators that persist today. View details
    Trends and Lessons from Three Years Fighting Malicious Extensions
    Nav Jagpal
    Eric Dingle
    Jean-Philippe Gravel
    Niels Provos
    USENIX Security Symposium (2015)
    Preview abstract In this work we expose wide-spread efforts by criminals to abuse the Chrome Web Store as a platform for distributing malicious extensions. A central component of our study is the design and implementation of WebEval, the first system that broadly identifies malicious extensions with a concrete, measurable detection rate of 96.5%. Over the last three years we detected 9,523 malicious extensions: nearly 10% of every extension submitted to the store. Despite a short window of operation---we removed 50% of malware within 25 minutes of creation---a handful of under 100 extensions escaped immediate detection and infected over 50 million Chrome users. Our results highlight that the extension abuse ecosystem is drastically different from malicious binaries: miscreants profit from web traffic and user tracking rather than email spam or banking theft. View details
    Ad Injection at Scale: Assessing Deceptive Advertisement Modifications
    Chris Grier
    Grant Ho
    Nav Jagpal
    Alexandros Kapravelos
    Damon McCoy
    Antonio Nappa
    Vern Paxson
    Paul Pearce
    Niels Provos
    Proceedings of the IEEE Symposium on Security and Privacy (2015)
    Preview abstract Today, web injection manifests in many forms, but fundamentally occurs when malicious and unwanted actors tamper directly with browser sessions for their own profit. In this work we illuminate the scope and negative impact of one of these forms, ad injection, in which users have ads imposed on them in addition to, or different from, those that websites originally sent them. We develop a multi-staged pipeline that identifies ad injection in the wild and captures its distribution and revenue chains. We find that ad injection has entrenched itself as a cross-browser monetization platform impacting more than 5% of unique daily IP addresses accessing Google—tens of millions of users around the globe. Injected ads arrive on a client’s machine through multiple vectors: our measurements identify 50,870 Chrome extensions and 34,407 Windows binaries, 38% and 17% of which are explicitly malicious. A small number of software developers support the vast majority of these injectors who in turn syndicate from the larger ad ecosystem. We have contacted the Chrome Web Store and the advertisers targeted by ad injectors to alert each of the deceptive practices involved. View details
    CAMP: Content-Agnostic Malware Protection
    Lucas Ballard
    Noe Lutz
    Niels Provos
    Network and Distributed Systems Security Symposium (NDSS), Network and Distributed Systems Security Symposium (NDSS), USA (2013)
    Preview
    Browser Exploits as a Service: The Monetization of Driveby Downloads
    C. Grier
    L. Ballard
    J. Caballero
    N. Chachra
    C. Dietrich
    K. Levchenko
    P. Mavrommatis
    D. McCoy
    A. Nappa
    A. Pitsillidis
    N. Provos
    Z. Rafique
    C. Rossow
    K. Thomas
    V. Paxson
    S. Savage
    G. Voelker
    Proceedings of 19th ACM Conference on Computer and Communications Security (2012)
    Preview
    Manufacturing Compromise: The Emergence of Exploit-as-a-Service
    Chris Grier
    Lucas Ballard
    Juan Caballero
    Neha Chachra
    Christian J. Dietrich
    Kirill Levchenko
    Damon McCoy
    Antonio Nappa
    Andreas Pitsillidis
    Niels Provos
    M. Zubair Rafique
    Christian Rossow
    Vern Paxson
    Stefan Savage
    Geoffrey M. Voelker
    Proceedings of 19th ACM Conference on Computer and Communications Security (2012)
    Preview
    The Nocebo Effect on the Web: An Analysis of Fake Anti-Virus Distribution
    Lucas Ballard
    Niels Provos
    Xin Zhao
    Large-Scale Exploits and Emergent Threats, USENIX (2010)
    Preview abstract We present a study of Fake Anti-Virus attacks on the web. Fake AV software masquerades as a legitimate security product with the goal of deceiving victims into paying registration fees to seemingly remove malware from their computers. Our analysis of 240 million web pages collected by Google's malware detection infrastructure over a 13 month period discovered over 11,000 domains involved in Fake AV distribution. We show that the Fake AV threat is rising in prevalence, both absolutely, and relative to other forms of web-based malware. Fake AV currently accounts for 15% of all malware we detect on the web. Our investigation reveals several characteristics that distinguish Fake AVs from other forms of web-based malware and shows how these characteristics have changed over time. For instance, Fake AV attacks occur frequently via web sites likely to reach more users including spam web sites and on-line Ads. These attacks account for 60% of the malware discovered on domains that include trending keywords. As of this writing, Fake AV is responsible for 50% of all malware delivered via Ads, which represents a five-fold increase from just a year ago. View details
    All Your iFrames Point to Us
    Niels Provos
    Fabian Monrose
    17th USENIX Security Symposium (2008)
    Preview abstract As the web continues to play an ever increasing role in information exchange, so too is it becoming the prevailing platform for infecting vulnerable hosts. In this paper, we provide a detailed study of the pervasiveness of so-called drive-by downloads on the Internet. Driveby downloads are caused by URLs that attempt to exploit their visitors and cause malware to be installed and run automatically. Over a period of 10 months we processed billions of URLs, and our results shows that a non-trivial amount, of over 3 million malicious URLs, initiate driveby downloads. An even more troubling finding is that approximately 1.3% of the incoming search queries to Google’s search engine returned at least one URL labeled as malicious in the results page. We also explore several aspects of the drive-by downloads problem. Specifically, we study the relationship between the user browsing habits and exposure to malware, the techniques used to lure the user into the malware distribution networks, and the different properties of these networks. View details
    Peeking Through the Cloud
    Fabian Monrose
    Niels Provos
    6th Conference on Applied Cryptography and Network Security (2008)
    Preview