Difference between revisions of "Large-scale analysis of malware downloaders"
| (2 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
{{Publication | {{Publication | ||
|Botnet=Renos, Sality, Gbot, Karagany, Gamarue, Dofoil, Emit, GoldInstall, Rodecap, TDSS | |Botnet=Renos, Sality, Gbot, Karagany, Gamarue, Dofoil, Emit, GoldInstall, Rodecap, TDSS, Cycbot, Artro, Virut, Winwebsec, Dabvegi, Buzus, Vobfus, Changeup, Zwangi, Harnig, LoaderAdv, ZeuS - P2P+DGA, dldr-#1, dldr-#2, dldr-#3, | ||
|Year=2012 | |Year=2012 | ||
|Editor=DIMVA | |Editor=DIMVA | ||
|Link=http://www.christian-rossow.de/publications/downloaders-dimva12.pdf | |Link=http://www.christian-rossow.de/publications/downloaders-dimva12.pdf | ||
|Author=Christian Rossow, Christian Dietrich, Herbert Bosz | |Author=Christian Rossow, Christian Dietrich, Herbert Bosz | ||
|Abstract=Downloaders are malicious programs with the goal to subversively | |Abstract=Downloaders are malicious programs with the goal to subversively download and install malware (eggs) on a victim’s machine. In this paper, we analyze and characterize 23 Windows-based malware downloaders. We first show a high diversity in downloaders’ communication architectures (e.g., P2P), carrier protocols and encryption schemes. Using dynamic malware analysis traces | ||
download and install malware (eggs) on a victim’s machine. In this paper, we analyze and characterize 23 Windows-based malware downloaders. We first show | from over two years, we observe that 11 of these downloaders actively operated for at least one year, and identify 18 downloaders to be still active. We then describe how attackers choose resilient server infrastructures. For example, we | ||
a high diversity in downloaders’ communication architectures (e.g., P2P), carrier protocols and encryption schemes. Using dynamic malware analysis traces | reveal that 20% of the C&C servers remain operable on long term. Moreover, we observe steady migrations between different domains and TLD registrars, and notice attackers to deploy critical infrastructures redundantly across providers. | ||
from over two years, we observe that 11 of these downloaders actively operated for at least one year, and identify 18 downloaders to be still active. We then | After revealing the complexity of possible counter-measures against downloaders, we present two generic techniques enabling defenders to actively acquire malware samples. To do so, we leverage the publicly accessible downloader infrastructures by replaying download dialogs or observing a downloader’s process activities from within the Windows kernel. With these two techniques, we successfully milk and analyze a diverse set of eggs from downloaders with both plain | ||
describe how attackers choose resilient server infrastructures. For example, we | |||
reveal that 20% of the C&C servers remain operable on long term. Moreover, | |||
we observe steady migrations between different domains and TLD registrars, and | |||
notice attackers to deploy critical infrastructures redundantly across providers. | |||
After revealing the complexity of possible counter-measures against downloaders, we present two generic techniques enabling defenders to actively acquire | |||
malware samples. To do so, we leverage the publicly accessible downloader infrastructures by replaying download dialogs or observing a downloader’s process | |||
activities from within the Windows kernel. With these two techniques, we successfully milk and analyze a diverse set of eggs from downloaders with both plain | |||
and encrypted communication channels. | and encrypted communication channels. | ||
|NomRevue=Conference on Detection of Intrusions and Malware & Vulnerability Assessment | |NomRevue=Conference on Detection of Intrusions and Malware & Vulnerability Assessment | ||
Latest revision as of 23:31, 30 July 2015
(Publication) Google search: [1]
| Large-scale analysis of malware downloaders | |
|---|---|
| Botnet | Renos, Sality, Gbot, Karagany, Gamarue, Dofoil, Emit, GoldInstall, Rodecap, TDSS, Cycbot, Artro, Virut, Winwebsec, Dabvegi, Buzus, Vobfus, Changeup, Zwangi, Harnig, LoaderAdv, ZeuS - P2P+DGA, dldr-#1, dldr-#2, dldr-#3 |
| Malware | |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2012 / |
| Editor/Conference | DIMVA |
| Link | http://www.christian-rossow.de/publications/downloaders-dimva12.pdf (Archive copy) |
| Author | Christian Rossow, Christian Dietrich, Herbert Bosz |
| Type | |
Abstract
“ Downloaders are malicious programs with the goal to subversively download and install malware (eggs) on a victim’s machine. In this paper, we analyze and characterize 23 Windows-based malware downloaders. We first show a high diversity in downloaders’ communication architectures (e.g., P2P), carrier protocols and encryption schemes. Using dynamic malware analysis traces
from over two years, we observe that 11 of these downloaders actively operated for at least one year, and identify 18 downloaders to be still active. We then describe how attackers choose resilient server infrastructures. For example, we reveal that 20% of the C&C servers remain operable on long term. Moreover, we observe steady migrations between different domains and TLD registrars, and notice attackers to deploy critical infrastructures redundantly across providers. After revealing the complexity of possible counter-measures against downloaders, we present two generic techniques enabling defenders to actively acquire malware samples. To do so, we leverage the publicly accessible downloader infrastructures by replaying download dialogs or observing a downloader’s process activities from within the Windows kernel. With these two techniques, we successfully milk and analyze a diverse set of eggs from downloaders with both plain and encrypted communication channels.
Bibtex
@misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2012BFR1040,
editor = {DIMVA},
author = {Christian Rossow, Christian Dietrich, Herbert Bosz},
title = {Large-scale analysis of malware downloaders},
date = {07},
month = May,
year = {2012},
howpublished = {\url{http://www.christian-rossow.de/publications/downloaders-dimva12.pdf}},
}