Ruian Duan

Ruian Duan, Omar Alrawi, Ranjita Pai Kasturi et al.

Package managers have become a vital part of the modern software development process. They allow developers to reuse third-party code, share their own code, minimize their codebase, and simplify the build process. However, recent reports showed that package managers have been abused by attackers to distribute malware, posing significant security risks to developers and end-users. For example, eslint-scope, a package with millions of weekly downloads in Npm, was compromised to steal credentials from developers. To understand the security gaps and the misplaced trust that make recent supply chain attacks possible, we propose a comparative framework to qualitatively assess the functional and security features of package managers for interpreted languages. Based on qualitative assessment, we apply well-known program analysis techniques such as metadata, static, and dynamic analysis to study registry abuse. Our initial efforts found 339 new malicious packages that we reported to the registries for removal. The package manager maintainers confirmed 278 (82%) from the 339 reported packages where three of them had more than 100,000 downloads. For these packages we were issued official CVE numbers to help expedite the removal of these packages from infected victims. We outline the challenges of tailoring program analysis tools to interpreted languages and release our pipeline as a reference point for the community to build on and help in securing the software supply chain.

Ruian Duan, Weiren Wang, Wenke Lee

Cloaking has long been exploited by spammers for the purpose of increasing the exposure of their websites. In other words, cloaking has long served as a major malicious technique in search engine optimization (SEO). Cloaking hides the true nature of a website by delivering blatantly different content to users versus web crawlers. Recently, we have also witnessed a rising trend of employing cloaking in search engine marketing (SEM). However, detecting cloaking is challenging. Existing approaches cannot detect IP cloaking and are not suitable for detecting cloaking in SEM because their search-and-visit method leads to click fraud. In addition, they focus on detecting and measuring cloaking on the server side, but the results are not visible to users to help them avoid frauds. Our work focuses on mitigating IP cloaking and SEM cloaking, and providing client-based real-time cloaking detection services. To achieve these goals, we first propose the Simhash-based Website Model (SWM), a condensed representation of websites, which can model natural page dynamics. Based on SWM, we design and implement Cloaker Catcher, an accurate, efficient and privacy-preserving system, that consists of a server that crawls websites visited by users on demand and a client-side extension that fetches spider views of websites from the server and compares them with user views to detect cloaking. Since Cloaker Catcher checks on the client side for each real user, IP cloaking can be detected whenever it occurs and click fraud in SEM can also be prevented. Using our system, we conducted the first analysis of SEM cloaking and found that the main purpose of SEM cloakers is to provide illicit services.