Large-Scale analysis of malware downloaders

Authors:
Christian Rossow;Christian Dietrich;Herbert Bos
Affiliations:
Institute for Internet Security, University of Applied Sciences Gelsenkirchen, Germany,The Network Institute, VU University Amsterdam, The Netherlands;Institute for Internet Security, University of Applied Sciences Gelsenkirchen, Germany,Department of Computer Science, Friedrich-Alexander University, Erlangen, Germany;The Network Institute, VU University Amsterdam, The Netherlands
Venue:
DIMVA'12 Proceedings of the 9th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment
Year:
2012

Citing 8
Cited 3

Replayer: automatic protocol replay by binary analysis

Proceedings of the 13th ACM conference on Computer and communications security
Ether: malware analysis via hardware virtualization extensions

Proceedings of the 15th ACM conference on Computer and communications security
Studying spamming botnets using Botlab

NSDI'09 Proceedings of the 6th USENIX symposium on Networked systems design and implementation
Your botnet is my botnet: analysis of a botnet takeover

Proceedings of the 16th ACM conference on Computer and communications security
Sandnet: network traffic analysis of malicious software

Proceedings of the First Workshop on Building Analysis Datasets and Gathering Experience Returns for Security
Measuring pay-per-install: the commoditization of malware distribution

SEC'11 Proceedings of the 20th USENIX conference on Security
Detecting malware's failover C&C strategies with squeeze

Proceedings of the 27th Annual Computer Security Applications Conference
BareBox: efficient malware analysis on bare-metal

Proceedings of the 27th Annual Computer Security Applications Conference

Manufacturing compromise: the emergence of exploit-as-a-service

Proceedings of the 2012 ACM conference on Computer and communications security
Lines of malicious code: insights into the malicious software industry

Proceedings of the 28th Annual Computer Security Applications Conference
CoCoSpot: Clustering and recognizing botnet command and control channels using traffic analysis

Computer Networks: The International Journal of Computer and Telecommunications Networking

Quantified Score

Hi-index	0.00

Visualization

Abstract

Downloaders are malicious programs with the goal to subversively download and install malware (eggs) on a victim's machine. In this paper, we analyze and characterize 23 Windows-based malware downloaders. We first show a high diversity in downloaders' communication architectures (e.g., P2P), carrier protocols and encryption schemes. Using dynamic malware analysis traces from over two years, we observe that 11 of these downloaders actively operated for at least one year, and identify 18 downloaders to be still active. We then describe how attackers choose resilient server infrastructures. For example, we reveal that 20% of the C&C servers remain operable on long term. Moreover, we observe steady migrations between different domains and TLD registrars, and notice attackers to deploy critical infrastructures redundantly across providers. After revealing the complexity of possible counter-measures against downloaders, we present two generic techniques enabling defenders to actively acquire malware samples. To do so, we leverage the publicly accessible downloader infrastructures by replaying download dialogs or observing a downloader's process activities from within the Windows kernel. With these two techniques, we successfully milk and analyze a diverse set of eggs from downloaders with both plain and encrypted communication channels.