Abstract
Downloaders are malicious programs whose goal is to covertly download and install further malware (eggs) on a victim's machine. In this paper, we analyze and characterize 23 Windows-based malware downloaders. We first show a high diversity in the downloaders' communication architectures (e.g., P2P), carrier protocols and encryption schemes. Using dynamic malware analysis traces collected over more than two years, we observe that 11 of these downloaders actively operated for at least one year, and we identify 18 downloaders that are still active. We then describe how attackers choose resilient server infrastructures. For example, we reveal that 20% of the C&C servers remain operable in the long term. Moreover, we observe steady migrations between different domains and TLD registrars, and we find that attackers deploy critical infrastructures redundantly across providers. After revealing the complexity of possible counter-measures against downloaders, we present two generic techniques that enable defenders to actively acquire malware samples. To do so, we leverage the publicly accessible downloader infrastructures by replaying download dialogs or by observing a downloader's process activities from within the Windows kernel. With these two techniques, we successfully milk and analyze a diverse set of eggs from downloaders with both plain and encrypted communication channels.
© 2013 Springer-Verlag Berlin Heidelberg
Cite this paper
Rossow, C., Dietrich, C., Bos, H. (2013). Large-Scale Analysis of Malware Downloaders. In: Flegel, U., Markatos, E., Robertson, W. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2012. Lecture Notes in Computer Science, vol 7591. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-37300-8_3
DOI: https://doi.org/10.1007/978-3-642-37300-8_3
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-37299-5
Online ISBN: 978-3-642-37300-8