Driving in the Cloud: An Analysis of Drive-by Download Operations and Abuse Reporting

  • Antonio Nappa
  • M. Zubair Rafique
  • Juan Caballero
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7967)


Drive-by downloads are the preferred distribution vector for many malware families. In the drive-by ecosystem many exploit servers run the same exploit kit, and it is a challenge to understand whether an exploit server is part of a larger operation. In this paper we propose a technique to identify exploit servers managed by the same organization. We collect over time how exploit servers are configured and what malware they distribute, grouping servers with similar configurations into operations. Our operational analysis reveals that although individual exploit servers have a median lifetime of 16 hours, long-lived operations exist that operate for several months. To sustain long-lived operations miscreants are turning to the cloud, with 60% of the exploit servers hosted by specialized cloud hosting services. We also observe operations that distribute multiple malware families, and that pay-per-install affiliate programs are managing exploit servers for their affiliates to convert traffic into installations. To understand how difficult it is to take down exploit servers, we analyze the abuse reporting process and issue abuse reports for 19 long-lived servers. We describe the interaction with ISPs and hosting providers and monitor the result of each report. We find that 61% of the reports are not even acknowledged. On average an exploit server still lives for 4.3 days after a report.


Abuse Report, Median Lifetime, Generate Ground Truth, Aggressive Cluster, Perceptual Hash
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Antonio Nappa (1, 2)
  • M. Zubair Rafique (1)
  • Juan Caballero (1)
  1. IMDEA Software Institute, Spain
  2. Universidad Politécnica de Madrid, Spain
