
Abstract

Downloaders are malicious programs whose goal is to covertly download and install further malware (so-called eggs) on a victim's machine. In this paper, we analyze and characterize 23 Windows-based malware downloaders. We first show a high diversity in the downloaders' communication architectures (e.g., P2P), carrier protocols and encryption schemes. Using dynamic malware analysis traces collected over more than two years, we observe that 11 of these downloaders were actively operated for at least one year, and we identify 18 downloaders that are still active. We then describe how attackers choose resilient server infrastructures. For example, we reveal that 20% of the C&C servers remain operational in the long term. Moreover, we observe steady migrations between different domains and TLD registrars, and find that attackers deploy critical infrastructure redundantly across providers. After discussing the complexity of possible countermeasures against downloaders, we present two generic techniques that enable defenders to actively acquire malware samples. To do so, we leverage the publicly accessible downloader infrastructures by replaying download dialogs or by observing a downloader's process activities from within the Windows kernel. With these two techniques, we successfully milk and analyze a diverse set of eggs from downloaders that use both plain and encrypted communication channels.




Copyright information

© 2013 Springer-Verlag Berlin Heidelberg


Cite this paper

Rossow, C., Dietrich, C., Bos, H. (2013). Large-Scale Analysis of Malware Downloaders. In: Flegel, U., Markatos, E., Robertson, W. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2012. Lecture Notes in Computer Science, vol 7591. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-37300-8_3


  • DOI: https://doi.org/10.1007/978-3-642-37300-8_3

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-37299-5

  • Online ISBN: 978-3-642-37300-8

  • eBook Packages: Computer Science (R0)
