
Driving in the Cloud: An Analysis of Drive-by Download Operations and Abuse Reporting

Conference paper: Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2013)

Abstract

Drive-by downloads are the preferred distribution vector for many malware families. In the drive-by ecosystem many exploit servers run the same exploit kit, and it is challenging to determine whether a given exploit server is part of a larger operation. In this paper we propose a technique to identify exploit servers managed by the same organization. We collect over time how exploit servers are configured and what malware they distribute, grouping servers with similar configurations into operations. Our operational analysis reveals that although individual exploit servers have a median lifetime of 16 hours, long-lived operations exist that run for several months. To sustain long-lived operations miscreants are turning to the cloud, with 60% of the exploit servers hosted by specialized cloud hosting services. We also observe operations that distribute multiple malware families, and pay-per-install affiliate programs that manage exploit servers for their affiliates to convert traffic into installations. To understand how difficult it is to take down exploit servers, we analyze the abuse reporting process and issue abuse reports for 19 long-lived servers. We describe the interaction with ISPs and hosting providers and monitor the result of each report. We find that 61% of the reports are not even acknowledged. On average an exploit server still lives for 4.3 days after a report.
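The operational analysis the abstract sketches (group exploit servers whose configuration and served malware overlap into operations, then measure server lifetime, operation lifetime, cloud-hosting share and abuse-report outcomes) can be reproduced in miniature on a handful of observations. The Python below is an example added here, not the authors' code or dataset: the Jaccard feature similarity, the 0.5 threshold, the single-linkage clustering, the hosting labels, the IP addresses (RFC 5737 documentation ranges), the hash placeholders and the dates are all constructed assumptions.

```python
# Added example (not the paper's code): cluster exploit-server observations
# into operations and compute the lifetime, hosting and abuse-report
# statistics the abstract describes. Features, threshold, IPs (RFC 5737
# documentation ranges), hashes and dates are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Server:
    ip: str
    first_seen: datetime
    last_seen: datetime
    hosting: str                 # "cloud" or "other" (constructed label)
    config: FrozenSet[str]       # e.g. exploit kit name, landing-page path pattern
    malware: FrozenSet[str]      # hashes of samples served (placeholders)


@dataclass(frozen=True)
class AbuseReport:
    ip: str
    sent: datetime
    acknowledged: bool


def similarity(a: Server, b: Server) -> float:
    """Jaccard similarity over the union of configuration features and malware hashes."""
    fa, fb = a.config | a.malware, b.config | b.malware
    return len(fa & fb) / len(fa | fb) if fa | fb else 0.0


def cluster_operations(servers: List[Server], threshold: float = 0.5) -> List[List[Server]]:
    """Single-linkage clustering with union-find: two servers belong to the same
    operation when a chain of pairwise similarities >= threshold connects them."""
    parent = list(range(len(servers)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]   # path halving
            i = parent[i]
        return i

    for i in range(len(servers)):
        for j in range(i + 1, len(servers)):
            if similarity(servers[i], servers[j]) >= threshold:
                parent[find(i)] = find(j)
    groups: Dict[int, List[Server]] = {}
    for i, s in enumerate(servers):
        groups.setdefault(find(i), []).append(s)
    return list(groups.values())


def lifetime_hours(s: Server) -> float:
    return (s.last_seen - s.first_seen).total_seconds() / 3600


def median_lifetime_hours(servers: List[Server]) -> float:
    return median(lifetime_hours(s) for s in servers)


def operation_lifetime_days(operation: List[Server]) -> float:
    """An operation lives from its earliest server's first sighting to its latest server's last sighting."""
    start = min(s.first_seen for s in operation)
    end = max(s.last_seen for s in operation)
    return (end - start).total_seconds() / 86400


def cloud_fraction(servers: List[Server]) -> float:
    return sum(s.hosting == "cloud" for s in servers) / len(servers)


def report_stats(servers: List[Server], reports: List[AbuseReport]) -> Tuple[float, float]:
    """Return (fraction of reports never acknowledged, mean days a server stayed
    alive after its report); a server counts as alive until its last sighting."""
    by_ip = {s.ip: s for s in servers}
    unacked = sum(not r.acknowledged for r in reports) / len(reports)
    alive = [(by_ip[r.ip].last_seen - r.sent).total_seconds() / 86400 for r in reports]
    return unacked, sum(alive) / len(alive)


# Constructed sample: five servers, two of which received an abuse report.
T0 = datetime(2013, 1, 1)
H, D = timedelta(hours=1), timedelta(days=1)
SERVERS = [
    Server("198.51.100.10", T0, T0 + 16 * H, "cloud",
           frozenset({"kit:BlackHole", "path:/main.php"}), frozenset({"sha:aaa"})),
    Server("198.51.100.11", T0 + D, T0 + D + 12 * H, "cloud",
           frozenset({"kit:BlackHole", "path:/main.php"}), frozenset({"sha:aaa", "sha:bbb"})),
    Server("203.0.113.5", T0 + 30 * D, T0 + 30 * D + 20 * H, "cloud",
           frozenset({"kit:BlackHole", "path:/main.php"}), frozenset({"sha:bbb"})),
    Server("203.0.113.77", T0 + 2 * D, T0 + 2 * D + 8 * H, "other",
           frozenset({"kit:Cool", "path:/r.php"}), frozenset({"sha:ccc"})),
    Server("192.0.2.9", T0 + 5 * D, T0 + 5 * D + 30 * H, "other",
           frozenset({"kit:Cool", "path:/x.php"}), frozenset({"sha:ddd"})),
]
REPORTS = [
    AbuseReport("203.0.113.5", T0 + 30 * D + 2 * H, acknowledged=False),
    AbuseReport("192.0.2.9", T0 + 5 * D + 6 * H, acknowledged=True),
]

if __name__ == "__main__":
    ops = cluster_operations(SERVERS)
    print(f"{len(ops)} operations; sizes {[len(o) for o in ops]}")
    print(f"median server lifetime: {median_lifetime_hours(SERVERS):.1f} h")
    print(f"longest operation: {max(operation_lifetime_days(o) for o in ops):.1f} days")
    print(f"cloud-hosted share: {cloud_fraction(SERVERS):.0%}")
    print("unacknowledged share, mean days alive after report:", report_stats(SERVERS, REPORTS))
```

Three servers that share an exploit kit, landing path and overlapping sample hashes collapse into one operation spanning about 31 days even though each server lived less than a day, which is the distinction between server lifetime and operation lifetime the abstract draws; the two remaining servers share only a kit name and stay separate. Real feature sets would be richer (the paper's own are not reproduced here), and the threshold should be tuned against known-linked servers rather than fixed at 0.5.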




Copyright information

© 2013 Springer-Verlag Berlin Heidelberg

Cite this paper

Nappa, A., Rafique, M.Z., Caballero, J. (2013). Driving in the Cloud: An Analysis of Drive-by Download Operations and Abuse Reporting. In: Rieck, K., Stewin, P., Seifert, JP. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2013. Lecture Notes in Computer Science, vol 7967. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-39235-1_1

  • DOI: https://doi.org/10.1007/978-3-642-39235-1_1

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-642-39234-4

  • Online ISBN: 978-3-642-39235-1

  • eBook Packages: Computer Science (R0)
