Measuring and Disrupting Malware Distribution Networks: An Interdisciplinary Approach

Malware Delivery Networks (MDNs) are networks of webpages, servers, computers, and computer files that are used by cybercriminals to proliferate malicious software (or malware) onto victim machines. The business of malware delivery is a complex and multifaceted one that has become increasingly profitable over the last few years. Due to the ongoing arms race between cybercriminals and the security community, cybercriminals are constantly evolving and streamlining their techniques to beat security countermeasures and avoid disruption to their operations, such as by security researchers infiltrating their botnet operations, or law enforcement taking down their infrastructures and arresting those involved. So far, the research community has conducted insightful but isolated studies into the different facets of malicious file distribution. Hence, only a limited picture of the malicious file delivery ecosystem has been provided thus far, leaving many questions unanswered. Using a data-driven and interdisciplinary approach, the purpose of this research is twofold. One, to study and measure the malicious file delivery ecosystem, bringing prior research into context, and to understand precisely how these malware operations respond to security and law enforcement intervention. And two, taking into account the overlapping research efforts of the information security and crime science communities towards preventing cybercrime, this research aims to identify mitigation strategies and intervention points to disrupt this criminal economy more effectively

Automated Analysis of Freeware Installers Promoted by Download Portals

Abstract We present an analysis system for studying Windows application installers. The analysis system is fully automated from installer download to execution and data collection. The system emulates the behavior of a lazy user who wants to finish the installation dialogs with the default options and with as few clicks as possible. The UI automation makes use of image recognition techniques and heuristics. During the installation, the system collects data about the system modification and network access. The analysis system is scalable and can run on bare-metal hosts as well as in a data center. We use the system to analyze 792 freeware application installers obtained from popular download portals. In particular, we measure how many of them drop potentially unwanted programs (PUP) such as browser plugins or make other unwanted system modifications. We discover that most installers that download executable files over the network are vulnerable to man-in-the-middle attacks. We also find, that while popular download portals are not used for blatant malware distribution, nearly 10% of the analyzed installers come with a third-party browser or a browser extension.Peer reviewe

UNDERSTAND, DETECT, AND BLOCK MALWARE DISTRIBUTION FROM A GLOBAL VIEWPOINT

Malware still is a vital security threat. Adversaries continue to distribute various types of malicious programs to victims around the world. In this study, we try to understand the strategies the miscreants take to distribute malware, develop systems to detect malware delivery and explore the benefit of a transparent platform for blocking malware distribution in advance. At the first part of the study, to understand the malware distribution, we conduct several measurements. We initiate the study by investigating the dynamics of malware delivery. We share several findings including the downloaders responsible for the malware delivery and the high ratio of signed malicious downloaders. We further look into the problem of signed malware. To successfully distribute malware, the attacker exploits weaknesses in the code-signing PKI, which falls into three categories: inadequate client-side protections, publisher-side key mismanagement, and CA-side verification failures. We propose an algorithm to identify malware that exploits those weaknesses and to classify to the corresponding weakness. Using the algorithm, We conduct a systematic study of the weaknesses of code-signing PKI on a large scale. Then, we move to the problem of revocation. Certificate revocation is the primary defense against the abuse in code-signing PKI. We identify the effective revocation process, which includes the discovery of compromised certificates, the revocation date setting, and the dissemination of revocation information; moreover, we systematically measure the problems in the revocation process and new threats introduced by these problems. For the next part, we explore two different approaches to detect the malware distribution. We study the executable files known as downloader Trojans or droppers, which are the core of the malware delivery techniques. The malware delivery networks instruct these downloaders across the Internet to access a set of DNS domain address to retrieve payloads. We first focus on the downloaded by relationship between a downloader and a payload recorded by different sensors and introduce the downloader graph abstraction. The downloader graph captures the download activities across end hosts and exposes large parts of the malware download activity, which may otherwise remain undetected, by connecting the dots. By combining telemetry from anti-virus and intrusion-prevention systems, we perform a large-scale analysis on 19 million downloader graphs from 5 million real hosts. The analysis revealed several strong indicators of malicious activity, such as the slow growth rate and the high diameter. Moreover, we observed that, besides the local indicators, taking into account the global properties boost the performance in distinguishing between malicious and benign download activity. For example, the file prevalence (i.e., the number of hosts a file appears on) and download patterns (e.g., number of files downloaded per domain) are different from malicious to benign download activities. Next, we target the silent delivery campaigns, which is the critical method for quickly delivering malware or potentially unwanted programs (PUPs) to a large number of hosts at scale. Such large-scale attacks require coordination activities among multiple hosts involved in malicious activity. We developed Beewolf, a system for detecting silent delivery campaigns from Internet-wide records of download events. We exploit the behavior of downloaders involved in campaigns for this system: they operate in lockstep to retrieve payloads. We utilize Beewolf to identify these locksteps in an unsupervised and deterministic fashion at scale. Moreover, the lockstep detection exposes the indirect relationships among the downloaders. We investigate the indirect relationships and present novel findings such as the overlap between the malware and PUP ecosystem. The two different studies revealed the problems caused by the opaque software distribution ecosystem and the importance of the global properties in detecting malware distribution. To address both of these findings, we propose a transparent platform for software distribution called Download Transparency. Transparency guarantees openness and accountability of the data, however, itself does not provide any security guarantees. Although there exists an anecdotal example showing the benefit of transparency, it is still not clear how beneficial it is to security. In the last part of this work, we explore the benefit of transparency in the domain of downloads. To measure the performance, we designed the participants and the policies they might take when utilizing the platform. We then simulate different policies with five years of download events and measure the block performance. The results suggest that the Download Transparency can help to block a significant part of the malware distribution before the community can flag it as malicious

Marmite: Spreading Malicious File Reputation Through Download Graphs

Effective malware detection approaches need not only high accuracy, but also need to be robust to changes in the modus operandi of criminals. In this paper, we propose Marmite, a feature-agnostic system that aims at propagating known malicious reputation of certain files to unknown ones with the goal of detecting malware. Marmite does this by looking at a graph that encapsulates a comprehensive view of how files are downloaded (by which hosts and from which servers) on a global scale. The reputation of files is then propagated across the graph using semi-supervised label propagation with Bayesian confidence. We show that Marmite is able to reach high accuracy (0.94 G-mean on average) over a 10-day dataset of 200 million download events. We also demonstrate that Marmite's detection capabilities do not significantly degrade over time, by testing our system on a 30-day dataset of 660 million download events collected six months after the system was tuned and validated. Marmite still maintains a similar accuracy after this period of time

A large-scale temporal measurement of Android malicious apps: persistence, migration, and lessons learned

CNS-2127232 - National Science FoundationAccepted manuscrip

Marked for disruption: tracing the evolution of malware delivery operations targeted for takedown

The malware and botnet phenomenon is among the most significant threats to cybersecurity today. Consequently, law enforcement agencies, security companies, and researchers are constantly seeking to disrupt these malicious operations through so-called takedown counter-operations. Unfortunately, the success of these takedowns is mixed. Furthermore, very little is understood as to how botnets and malware delivery operations respond to takedown attempts. We present a comprehensive study of three malware delivery operations that were targeted for takedown in 2015–16 using global download metadata provided by Symantec. In summary, we found that: (1) Distributed delivery architectures were commonly used, indicating the need for better security hygiene and coordination by the (ab)used service providers. (2) A minority of malware binaries were responsible for the majority of download activity, suggesting that detecting these “super binaries” would yield the most benefit to the security community. (3) The malware operations exhibited displacing and defiant behaviours following their respective takedown attempts. We argue that these “predictable” behaviours could be factored into future takedown strategies. (4) The malware operations also exhibited previously undocumented behaviours, such as Dridex dropping competing brands of malware, or Dorkbot and Upatre heavily relying on upstream dropper malware. These “unpredictable” behaviours indicate the need for researchers to use better threat-monitoring techniques.Accepted manuscrip

Hunting for new threats in a feed of malicious samples

Hoy en día, las compañias de seguridad recolectan cantidades masivas de malware y otros posibles ficheros benignos. Encontrar amenazas interesantes entre millones de ficheros recolectados es un gran desafío. Una de las plataformas de seguridad más populares, VirusTotal (VT), permite consultar informes de archivos que los usuarios envían. En este proyecto profundizaremos en el feed de ficheros de VT, analizamos 328.3M de reports de archivos escaneados por VT durante un año, que pertenecen a 235.7M de muestras y observamos que 209.6M de muestras son nuevas (89%). Utilizamos los reports de un año para caracterizar el VT Feed, y lo comparamos con la telemetría de uno de los motores de antivirus más grandes del planeta. Utilizamos ambos datasets para responder a reponder a estas preguntas: ¿Cómo de diverso es el feed? ¿Cuál es la distribución de los tipos de ficheros a lo largo del año? ¿Cuál de ambas plataformas detecta antes los archivos maliciosos? ¿Podemos detectar archivos maliciosos detectados por VirusTotal pero no por el motor de antivirus de la telemetría? ¿Cuál es la distribución del malware a lo largo de un año? A continuación, analizamos 3 estrategias de clustering sobre Windows y APKs ground truths datasets, Hierarchical DBSCAN (HDBSCAN), HAC-T, un HAC mejorado que agrupa sobre TLSH, que reduce la complejidad de O(n2) a O(n log n), y Feature Value Grouping (FVG). Consideramos que solo HAC-T y FVG producen clustering de alta precisión. Nuestros resultados muestran que FVG es la única estrategia escalable sobre el VT File Feed dataset de un año. Ademas, hemos desarrollado un técnica novedosa de threat hunting para identificar muestras maliciosas que supuestamente son benignas, por ejemplo, sin detecciones por motores de AV. Cuando lo aplicamos sobre los 235M del VT feed, nuestra encontramos 190K muestras benignas (no detectadas por ninguna empresa de antivirus) que pertenecen a 29K clústers maliciosos, es decir, la mayoría de las muestras de los clústers son maliciosos.Nowadays, security companies collect massive amounts of malware and other possibly benign files. Finding interesting threats among many millions of files collected is a very challenging task. One of the most popular security platforms, VirusTotal (VT), allows querying for reports of files that the users has submitted. VT offers the VT File Feed (i.e., a stream of reports), in this project we deep dive into the VT File Feed, we analyze 328.3M reports scanned by VirusTotal during one year, that belongs to 235.7M samples, we observe that 209.6M samples were new (89%). We use the one-year reports to characterize the VirusTotal Feed, and we compare it with the telemetry of a large antivirus vendor. With both datasets we want to answer the following questions: How diverse is the feed? What is the filetype distribution over a year? Which of both platforms detects earlier malicious files? Could we detect malicious files detected by VirusTotal but not by the large security vendor telemetry? What is the malware distribution over one year? Then, we evaluate three clustering approaches over windows and apk ground truth datasets, Hierarchical DBSCAN (HDBSCAN), HAC-T, an improved Hierarchical Agglomerative Clustering (HAC) over TLSH that reduces complexity from O(n2) to O(n log n), and Feature Value Grouping (FVG). We conclude that only HAC-T and FVG produces highly precission clusterings. Our results show that FVG is the only approach that scales the full one-year VT File Feed dataset. Then, we develop a novel threat hunting approach to identify malicious samples that were supposedly benign, i.e., have zero detections by AV engines. When applied on 235M samples in the VT feed, our approach identifies 190K possibly not-so-benign samples that belong to 29K malicious clusters, i.e., most cluster samples are malicious.Máster Universitario en Ciberseguridad (M179

Understanding of Adversary Behavior and Security Threats in Public Key Infrastructures

Public Key Infrastructure (PKI) is designed to guarantee the authenticity and integrity of digital assets such as messages, executable binaries, etc. In PKIs, there are two representative applications: 1) the Web PKI and 2) the Code-Signing PKI. 1) The Web PKI enables entities (e.g., clients and web service providers) to securely communicate over untrusted networks such as the Internet, and 2) the Code-Signing PKI helps protect clients from executing files of unknown origin. However, anecdotal evidence has indicated that adversaries compromised and abused the PKIs, which poses security threats to entities. For example, CAs have mis-issued digital certificates to adversaries due to their failed vetting processes. Moreover, private keys that are supposed to be securely kept were stolen by adversaries. Such mis-issued certificates or stolen private keys were used to launch impersonation attacks. In this regard, we need to have a sound understanding of such security threats and adversaries' behaviors in the PKIs to mitigate them and further to enhance the security of the PKIs. In this dissertation, we conduct a large-scale measurement study in the two representative applications---the Web PKI and the Code-Signing PKI---to better understand adversaries' behaviors and the potential security threats. First, in 1) the Web PKI, we mainly focus on phishing websites served with TLS certificates. From the measurement study, we observe that certificate authorities (CAs) often fail in their vetting process and mis-issue TLS certificates to adversaries (i.e., phishing attackers). Also, CAs rarely revoke their issued TLS certificates that have been compromised. Second, in 2) the Code-Signing PKI, we characterize the weaknesses of the three actors (i.e., CAs, software publishers, and clients) that adversaries can exploit to compromise the Code-Signing PKI. Moreover, we measure the effectiveness of the primary defense, revocation, against the Code-Signing PKI abuses. We find that erroneous revocations (e.g., wrong effective revocation date setting) can pose additional security threats to clients who execute binaries because the revocations become ineffective. Such security threats stem from an inherent challenge of setting an effective revocation date in the Code-Signing PKI and CAs' misunderstanding of the PKI. These findings help Anti-Virus companies and a CA fix their flaws