Abstract
We present an empirical and large-scale analysis of malware samples captured from two different enterprises from 2017 to early 2018. Particularly, we perform threat vector, social-engineering, vulnerability and time-series analysis on our dataset. Unlike existing malware studies, our analysis is specifically focused on the recent enterprise malware samples. First of all, based on our analysis on the combined datasets of two enterprises, our results confirm the general consensus that AV-only solutions are not enough for real-time defenses in enterprise settings because on average 40% of the malware samples, when first appeared, are not detected by most AVs on VirusTotal or not uploaded to VT at all (i.e., never seen in the wild yet). Moreover, our analysis also shows that enterprise users transfer documents more than executables and other types of files. Therefore, attackers embed malicious codes into documents to download and install the actual malicious payload instead of sending malicious payload directly or using vulnerability exploits. Moreover, we also found that financial matters (e.g., purchase orders and invoices) are still the most common subject seen in Business Email Compromise (BEC) scams that aim to trick employees. Finally, based on our analysis on the timestamps of captured malware samples, we found that 93% of the malware samples were delivered on weekdays. Our further analysis also showed that while the malware samples that require user interaction such as macro-based malware samples have been captured during the working hours of the employees, the massive malware attacks are triggered during the off-times of the employees to be able to silently spread over the networks.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
July 2018.
- 2.
We explain the details of the analysis module in Sect. 3.
- 3.
July 2018.
- 4.
For privacy reasons, we do not disclose the company names.
- 5.
July 2018.
References
2017 Q2 quarterly threat report. https://www.esentire.com/resources/knowledge/2017-q2-quarterly-threat-report/. Accessed 28 Sept 2018
2017 state of malware. https://www.malwarebytes.com/pdf/white-papers/CTNT-Q4-17.pdf?aliId=91372483. Accessed 25 Sept 2018
Combating a spate of java malware with machine learning in real-time. https://cloudblogs.microsoft.com/microsoftsecure/2017/04/20/combating-a-wave-of-java-malware-with-machine-learning-in-real-time/. Accessed 17 Sept 2018
CVE details. The ultimate security vulnerbility datasource. https://www.cvedetails.com/. Accessed 20 Sept 2018
Data Breach Investigations Report (DBIR). https://www.verizonenterprise.com/resources/reports/rp_DBIR_2018_Report_en_xg.pdf. Accessed 20 Sept 2018
ENISA threat landscape report 2017. https://www.enisa.europa.eu/publications/enisa-threat-landscape-report-2017/at_download/fullReport. Accessed 23 Sept 2018
Fireeye warns ‘massive’ locky ransomware campaign hits America. https://blog.knowbe4.com/fireeye-warns-massive-locky-ransomware-campaign-hits-america. Accessed 25 Sept 2018
Microsoft security intelligence report volume 20—July through December 2015. http://download.microsoft.com/download/E/8/B/E8B5CEE5-9FF6-4419-B7BF-698D2604E2B2/Microsoft_Security_Intelligence_Report_Volume_20_English.pdf. Accessed 23 Sept 2018
More cyber-attacks occur on weekends than a weekday, study reveals. http://www.eweek.com/security/more-cyber-attacks-occur-on-weekends-than-a-weekday-study-reveals. Accessed 28 Sept 2018
New feature in office 2016 can block macros and help prevent infection. https://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/. Accessed 17 Sept 2018
Symantec 2017 internet security threat report. https://www.symantec.com/content/dam/symantec/docs/reports/istr-22-2017-en.pdf. Accessed 25 Sept 2018
Symantec 2017 internet security threat report. https://www.symantec.com/content/dam/symantec/docs/reports/istr-23-2018-en.pdf. Accessed 16 Oct 2018
What is wannacry ransomware and why is it attacking global computers?. https://www.theguardian.com/technology/2017/may/12/nhs-ransomware-cyber-attack-what-is-wanacrypt0r-20. Accessed 25 Sept 2018
Bayer, U., Comparetti, P.M., Hlauschek, C., Kruegel, C., Kirda, E.: Scalable, behavior-based malware clustering. In: NDSS, vol. 9, pp. 8–11. Citeseer (2009)
Hu, X., Chiueh, T.C., Shin, K.G.: Large-scale malware indexing using function-call graphs. In: Proceedings of the 16th ACM Conference on Computer and Communications Security, pp. 611–620. ACM (2009)
Invernizzi, L., et al.: Nazca: detecting malware distribution in large-scale networks. In: NDSS, vol. 14, pp. 23–26 (2014)
Kotzias, P., Bilge, L., Vervier, P.A., Caballero, J.: Mind your own business: a longitudinal study of threats and vulnerabilities in enterprises. In: NDSS (2019)
Le Blond, S., Uritesc, A., Gilbert, C., Chua, Z.L., Saxena, P., Kirda, E.: A look at targeted attacks through the lense of an NGO. In: USENIX Security Symposium, pp. 543–558 (2014)
Li, Z., Oprea, A.: Operational security log analytics for enterprise breach detection. In: 2016 IEEE Cybersecurity Development (SecDev), pp. 15–22, November 2016. https://doi.org/10.1109/SecDev.2016.015
Oprea, A., Li, Z., Yen, T., Chin, S.H., Alrwais, S.: Detection of early-stage enterprise infection by mining large-scale log data. In: 2015 45th Annual IEEE/IFIP International Conference on Dependable Systems and Networks, pp. 45–56, June 2015. https://doi.org/10.1109/DSN.2015.14
Perdisci, R., Lanzi, A., Lee, W.: McBoost: boosting scalability in malware collection and analysis using statistical classification of executables. In: 2008 Annual Computer Security Applications Conference (ACSAC), pp. 301–310. IEEE (2008)
Tamersoy, A., Roundy, K., Chau, D.H.: Guilt by association: large scale malware detection by mining file-relation graphs. In: Proceedings of the 20th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 1524–1533. ACM (2014)
Yen, T.F., Heorhiadi, V., Oprea, A., Reiter, M.K., Juels, A.: An epidemiological study of malware encounters in a large enterprise. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, CCS 2014, pp. 1117–1130. ACM, New York (2014). https://doi.org/10.1145/2660267.2660330
Yen, T.F., et al.: Beehive: large-scale log analysis for detecting suspicious activity in enterprise networks. In: Proceedings of the 29th Annual Computer Security Applications Conference, ACSAC 2013, pp. 199–208, ACM, New York (2013). https://doi.org/10.1145/2523649.2523670
Acknowledgments
The authors would like to thank the anonymous reviewers and our shepherd Dr. Yajin Zhou for their comments and suggestions, which significantly improve the quality and presentation of this paper. This work was partially supported by US National Science Foundation under the grant numbers NSF CNS-1514142, NSF CNS-1703454, NSF-CNS-1718116, NSF-CAREER-CNS-1453647, and ONR (CyberPhys).
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Appendices
A A Sample Malicious Behaviours Report Generated by the DA Module
The list of malicious behaviours extracted via the DA module from a given sample:
B Massive Malware Attacks in Our Dataset
The following is the list of most frequently captured malware samples in our dataset (Table 5).
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Acar, A., Lu, L., Uluagac, A.S., Kirda, E. (2019). An Analysis of Malware Trends in Enterprise Networks. In: Lin, Z., Papamanthou, C., Polychronakis, M. (eds) Information Security. ISC 2019. Lecture Notes in Computer Science(), vol 11723. Springer, Cham. https://doi.org/10.1007/978-3-030-30215-3_18
Download citation
DOI: https://doi.org/10.1007/978-3-030-30215-3_18
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-30214-6
Online ISBN: 978-3-030-30215-3
eBook Packages: Computer ScienceComputer Science (R0)