| Presentation | 2010-06-18 An Empirical Investigation of Gumblar Evolution Mitsuaki AKIYAMA, Kazumichi SATO, Makoto IWAMURA, Mitsutaka ITOH, |
|---|---|
| PDF Download Page |  PDF download Page Link |
| Abstract(in Japanese) | (See Japanese page) |
| Abstract(in English) | Due to incidents of web-based malware infection lead by a tampered web content, called Gumblar, clarification of the actual situation of Gumblar and effective countermeasures against it are urgently needed. In this research, we conducted periodical investigation for tampered web sites over the course of six months by using a web-client honeypot we developed. We discovered 300 tampered sites, 821 exploit site's fully qualified domain name (FQDN), and 93 malware executables. Based on the investigation result, we discovered the features of tampered web sites and exploit web sites in the view point of temporal sequence. Moreover, we conducted an experiment on the matching between DNS cache information and exploit's FQDNs/IP addresses to estimate the rate of victim users as well as discovering unknown exploit site's FQDN. The matching result showed 1) infection rates of Gumblar.x and Gumblar.8080 are from 0.070 to 0.102 % and from 0.004 to 0.055 % respectively, and 2) the number of unknown exploit site's FQDNs related with Gumblar.8080 are 1811. |
| Keyword(in Japanese) | (See Japanese page) |
| Keyword(in English) | Web client honeypot / malware / DNS cache |
| Paper # | IA2010-13,ICSS2010-13 |
| Date of Issue |
| Conference Information | |
| Committee | IA |
|---|---|
| Conference Date | 2010/6/10(1days) |
| Place (in Japanese) | (See Japanese page) |
| Place (in English) | |
| Topics (in Japanese) | (See Japanese page) |
| Topics (in English) | |
| Chair | |
| Vice Chair | |
| Secretary | |
| Assistant | |
| Paper Information | |
| Registration To | Internet Architecture(IA) |
|---|---|
| Language | JPN |
| Title (in Japanese) | (See Japanese page) |
| Sub Title (in Japanese) | (See Japanese page) |
| Title (in English) | An Empirical Investigation of Gumblar Evolution |
| Sub Title (in English) | |
| Keyword(1) | Web client honeypot |
| Keyword(2) | malware |
| Keyword(3) | DNS cache |
| 1st Author's Name | Mitsuaki AKIYAMA |
| 1st Author's Affiliation | NTT corporation() |
| 2nd Author's Name | Kazumichi SATO |
| 2nd Author's Affiliation | NTT corporation |
| 3rd Author's Name | Makoto IWAMURA |
| 3rd Author's Affiliation | NTT corporation |
| 4th Author's Name | Mitsutaka ITOH |
| 4th Author's Affiliation | NTT corporation |
| Date | 2010-06-18 |
| Paper # | IA2010-13,ICSS2010-13 |
| Volume (vol) | vol.110 |
| Number (no) | 78 |
| Page | pp.pp.- |
| #Pages | 6 |
| Date of Issue | |