Large-scale analysis of malware downloaders
(Publication) Google search: [1]
Large-scale analysis of malware downloaders | |
---|---|
Botnet | Renos, Sality, Gbot, Karagany, Gamarue, Dofoil, Emit, GoldInstall, Rodecap, TDSS, Cycbot, Artro, Virut, Winwebsec, Dabvegi, Buzus, Vobfus, Changeup, Zwangi, Harnig, LoaderAdv, ZeuS - P2P+DGA, dldr-#1, dldr-#2, dldr-#3 |
Malware | |
Botnet/malware group | |
Exploit kits | |
Services | |
Feature | |
Distribution vector | |
Target | |
Origin | |
Campaign | |
Operation/Working group | |
Vulnerability | |
CCProtocol | |
Date | 2012 / |
Editor/Conference | DIMVA |
Link | http://www.christian-rossow.de/publications/downloaders-dimva12.pdf (Archive copy) |
Author | Christian Rossow, Christian Dietrich, Herbert Bosz |
Type |
Abstract
“ Downloaders are malicious programs with the goal to subversively download and install malware (eggs) on a victim’s machine. In this paper, we analyze and characterize 23 Windows-based malware downloaders. We first show a high diversity in downloaders’ communication architectures (e.g., P2P), carrier protocols and encryption schemes. Using dynamic malware analysis traces
from over two years, we observe that 11 of these downloaders actively operated for at least one year, and identify 18 downloaders to be still active. We then describe how attackers choose resilient server infrastructures. For example, we reveal that 20% of the C&C servers remain operable on long term. Moreover, we observe steady migrations between different domains and TLD registrars, and notice attackers to deploy critical infrastructures redundantly across providers. After revealing the complexity of possible counter-measures against downloaders, we present two generic techniques enabling defenders to actively acquire malware samples. To do so, we leverage the publicly accessible downloader infrastructures by replaying download dialogs or observing a downloader’s process activities from within the Windows kernel. With these two techniques, we successfully milk and analyze a diverse set of eggs from downloaders with both plain and encrypted communication channels.
Bibtex
@misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2012BFR1040, editor = {DIMVA}, author = {Christian Rossow, Christian Dietrich, Herbert Bosz}, title = {Large-scale analysis of malware downloaders}, date = {13}, month = Dec, year = {2012}, howpublished = {\url{http://www.christian-rossow.de/publications/downloaders-dimva12.pdf}}, }