Life-cycle monitoring scheme of malware download sites for websites

Bibliographic details
Main authors: Yagi, T, Tanimoto, N, Hariu, T, Itoh, M
Format: Conference proceeding
Language: eng; jpn
Description
Summary: To protect many websites on cloud computing environments, we propose a scheme for monitoring the life cycles of malware download sites for websites and report the actual life cycles as monitored by web honeypots carrying vulnerable web applications. Recently, attackers have been using a large number of websites as hopping sites to attack other websites and user terminals. To create hopping sites, many attackers use vulnerabilities in web applications to force victims to download malware. To protect websites from these attacks, technologies for filtering access from websites to malware download sites, which are set by attackers, are effective. However, to update the filtering configuration, it is necessary to periodically identify malware since malware may be changed or removed from malware download sites. We propose a scheme for automatically updating the filtering configuration. It is based on dynamic malware analysis using attack re-creation by coupling the attack collection function (i.e., a web honeypot), attack analysis function (i.e., web attack analyzer), and filter management function (i.e., site monitoring system). Our investigations revealed that some malware files on malware download sites are replaced with other types of malware. In addition, they revealed that the life cycles of malware download sites are similar to those of normal web pages.
ISSN: 2163-2871, 2689-7121
DOI: 10.1109/SOCA.2010.5707153