The MALICIA dataset: identification and analysis of drive-by download operations
详细信息 查看全文
- 作者:Antonio Nappa ; M. Zubair Rafique…
- 关键词:Drive ; by download operations ; Malicia dataset ; Malware distribution ; Cybercrime
- 刊名:International Journal of Information Security
- 出版年:2015
- 出版时间:February 2015
- 年:2015
- 卷:14
- 期:1
- 页码:15-33
- 全文大小:726 KB
- 参考文献:1. Allatori java obfuscator. m/" class="a-plus-plus">http://www.allatori.com/
2. Anderson, D.S., Fleizach, C., Savage, S., Voelker, G.M.: Spamscatter: characterizing internet scam hosting infrastructure. In: USENIX Security Symposium, Boston, MA (August 2007)
3. An overview of exploit packs (update 20) Jan (2014) mp.blogspot.com.es/2010/06/overview-of-exploit-packs-update.html" class="a-plus-plus">http://contagiodump.blogspot.com.es/2010/06/overview-of-exploit-packs-update.html
4. Bailey, M., Oberheide, J., Andersen, J., Mao, Z., Jahanian, F., Nazario, J.: Automated classification and analysis of internet malware. In: International Symposium on Recent Advances in Intrusion Detection, Queensland, Australia (September 2007)
5. Bayer, U., Comparetti, P.M., Hlauschek, C., Kruegel, C., Kirda, E.: Scalable, behavior-based malware clustering. In: Network and Distributed System Security Symposium, San Diego, CA (February 2009)
6. Bfk: Passive dns replication. ml" class="a-plus-plus">http://www.bfk.de/bfk_dnslogger.html
7. Caballero, J., Grier, C., Kreibich, C., Paxson, V.: Measuring pay-per-install: the commoditization of malware distribution. In: USENIX Security Symposium, San Francisco, CA (August 2011)
8. Caida: As Ranking (October 2012). http://as-rank.caida.org
9. Canali, D., Balzarotti, D., Francillon, A.: The role of web hosting providers in detecting compromised websites. In: International World Wide Web Conference, Rio de Janeiro, Brazil (May 2013)
10. Cho, C.Y., Caballero, J., Grier, C., Paxson, V., Song, D.: Insights from the inside: A view of botnet management from infiltration. In: USENIX Workshop on Large-Scale Exploits and Emergent Threats. San Jose, CA, April (2010)
11. Cova, M., Kruegel, C., Vigna, G.: Detection and analysis of drive-by-download attacks and malicious javascript code. In: International World Wide Web Conference, Raleigh, NC (April 2010)
12. Crocker, D.: Mailbox Names for Common Services, Roles and Functions. RFC 2142 (May 1997)
13. Curtsinger, C., Livshits, B., Zorn, B., Seifert, C.: Zozzle: low-overhead mostly static javascript malware detection. In: USENIX Security Symposium, San Francisco, CA (August 2011)
14. Cool exploit kit—a new browser exploit pack. malware.dontneedcoffee.com/2012/10/newcoolek.html/" class="a-plus-plus">http://malware.dontneedcoffee.com/2012/10/newcoolek.html/
15. Daigle, L.: Whois Protocol Specification. RFC 3912 (September 2004)
16. Dunn, J.C.: Well-separated clusters and optimal fuzzy partitions. J. Cybern. 4(1), 95-04 (1974)
17. Falk, J.: Complaint Feedback Loop Operational Recommendations. RFC 6449 (November 2011)
18. Falk, J., Kucherawy, M.: Creation and Use of Email Feedback Reports: An Applicability Statement for the Abuse Reporting Format (arf). RFC 6650 (June 2012)
19. Grier, C., Ballard, L., Caballero, J., Chachra, N., Dietrich, C.J., Levchenko, K., Mavrommatis, P., McCoy, D., Nappa, A., Pitsillidis, A., Provos, N., Rafique, M.Z. Rajab, M.A., Rossow, C., Thomas, K., Paxson, V., Savage, S., Voelker, G.M.: Manufacturing compromise: the emergence of exploit-as-a-service. In: ACM Conference on Computer and Communications Security, Raleigh, NC (October 2012)
20. Jang, J., Brumley, D., Venkataraman, S.: Bitshred: feature hashing malware for scalable triage and semantic analysis. In: ACM Conference on Computer and Communications Security. Chicago, IL (October 2011)
21. John, J.P., Moshchuk, A., Gribble, S.D., Krishnamurthy, A.: Studying spamming botnets using Botlab. In: Symposium on Networked System Design and Implementation, Boston, MA (April 2009)
22. Kaufman, L., Rousseeuw, P.J.: Finding Groups in Data: An Introduction to Cluster Analysis, vol. 4. Wiley, New York (1990) CrossRef
23. Krawetz, N.: Average Perceptual Hash (May 2011). m/blog/index.php?/archives/432-Looks-Like-It.html" class="a-plus-plus">http://www.hackerfactor.com/blog/index.php?/archives/432-Looks-Like-It.html
24. Kreibich, C., Weaver, N., Kanich, C., Cui, W., Paxson, V.: GQ: Practical containment for measuring modern malware systems. In: Internet Measurement Conference, Berlin, Germany (November 2011)
25. Li, Z., Alrwais, S., Xie, Y., Yu, F., Wang, X.: Finding the linchpins of the dark web: a study on topologically dedicated hosts on malicious web infrastructures. In: IEEE Symposium on Security and Privacy, San Francisco, CA (May 2013)
26. Love vps m/" class="a-plus-plus">http://www.lovevps.com/
27. Malicia project malicia-projec - 刊物类别:Computer Science
- 刊物主题:Data Encryption
Computer Communication Networks
Operating Systems
Coding and Information Theory
Management of Computing and Information Systems
Communications Engineering and Networks - 出版者:Springer Berlin / Heidelberg
- ISSN:1615-5270
文摘
Drive-by downloads are the preferred distribution vector for many malware families. In the drive-by ecosystem, many exploit servers run the same exploit kit and it is a challenge understanding whether the exploit server is part of a larger operation. In this paper, we propose a technique to identify exploit servers managed by the same organization. We collect over time how exploit servers are configured, which exploits they use, and what malware they distribute, grouping servers with similar configurations into operations. Our operational analysis reveals that although individual exploit servers have a median lifetime of 16?h, long-lived operations exist that operate for several months. To sustain long-lived operations, miscreants are turning to the cloud, with 60?% of the exploit servers hosted by specialized cloud hosting services. We also observe operations that distribute multiple malware families and that pay-per-install affiliate programs are managing exploit servers for their affiliates to convert traffic into installations. Furthermore, we analyze the exploit polymorphism problem, measuring the repacking rate for different exploit types. To understand how difficult is to takedown exploit servers, we analyze the abuse reporting process and issue abuse reports for 19 long-lived servers. We describe the interaction with ISPs and hosting providers and monitor the result of the report. We find that 61?% of the reports are not even acknowledged. On average, an exploit server still lives for 4.3 days after a report. Finally, we detail the Malicia?dataset we have collected and are making available to other researchers.