Large-scale analysis of malware downloaders

Jump to navigation Jump to search

(Publication) Google search: [1]

Large-scale analysis of malware downloaders
Botnet Renos, Sality, Gbot, Karagany, Gamarue, Dofoil, Emit, GoldInstall, Rodecap, TDSS, Cycbot, Artro, Virut, Winwebsec, Dabvegi, Buzus, Vobfus, Changeup, Zwangi, Harnig, LoaderAdv, ZeuS - P2P+DGA, dldr-#1, dldr-#2, dldr-#3
Botnet/malware group
Exploit kits
Distribution vector
Operation/Working group
Date 2012 /
Editor/Conference DIMVA
Link (Archive copy)
Author Christian Rossow, Christian Dietrich, Herbert Bosz


Downloaders are malicious programs with the goal to subversively download and install malware (eggs) on a victim’s machine. In this paper, we analyze and characterize 23 Windows-based malware downloaders. We first show a high diversity in downloaders’ communication architectures (e.g., P2P), carrier protocols and encryption schemes. Using dynamic malware analysis traces

from over two years, we observe that 11 of these downloaders actively operated for at least one year, and identify 18 downloaders to be still active. We then describe how attackers choose resilient server infrastructures. For example, we reveal that 20% of the C&C servers remain operable on long term. Moreover, we observe steady migrations between different domains and TLD registrars, and notice attackers to deploy critical infrastructures redundantly across providers. After revealing the complexity of possible counter-measures against downloaders, we present two generic techniques enabling defenders to actively acquire malware samples. To do so, we leverage the publicly accessible downloader infrastructures by replaying download dialogs or observing a downloader’s process activities from within the Windows kernel. With these two techniques, we successfully milk and analyze a diverse set of eggs from downloaders with both plain and encrypted communication channels.


 @misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2012BFR1040,
   editor = {DIMVA},
   author = {Christian Rossow, Christian Dietrich, Herbert Bosz},
   title = {Large-scale analysis of malware downloaders},
   date = {26},
   month = May,
   year = {2012},
   howpublished = {\url{}},