论文信息 - Analysis of malware download sites by focusing on time series variation of malware

Analysis of malware download sites by focusing on time series variation of malware

As Internet use increases, it is plagued by malicious activity. In particular, drive-by download attacks have become a serious problem. As part of an exploit-as-a-service ecosystem for drive-by download attacks, malware download sites play a particularly important role for attackers. In this paper, we analyzed approximately 43,000 malware download URLs. Our measurement period is over 1.5 years and studied their long-term behavior. We discovered that some malware download sites survive for a very long time and revives many times, a fact that had not been revealed by previous research. We established three categories by focusing attention on malware variation. Our results showed that 10% of the unchanged category survives for more than 500 days and 10% of the changed occasionally category revives more than 15 times. We also analyzed sites in terms of change in IP address, number of anti-virus signatures, and URL features. We found that each category has different attacker operational and resource characteristics. Using these findings, we discuss how to mitigate the effects of each category.

Yasuyuki Tanaka | Atsuhiro Goto

[1] V. N. Venkatakrishnan,et al. WebWinnow: leveraging exploit kit workflows to detect malicious urls , 2014, CODASPY '14.

[2] Juan Caballero,et al. The MALICIA dataset: identification and analysis of drive-by download operations , 2014, International Journal of Information Security.

[3] Mitsuaki Akiyama,et al. Active Credential Leakage for Observing Web-Based Attack Cycle , 2013, RAID.

[4] Kevin C. Almeroth,et al. FIRE: FInding Rogue nEtworks , 2009, 2009 Annual Computer Security Applications Conference.

[5] Craig A. Shue,et al. Abnormally Malicious Autonomous Systems and Their Internet Connectivity , 2012, IEEE/ACM Transactions on Networking.

[6] Stefan Savage,et al. Manufacturing compromise: the emergence of exploit-as-a-service , 2012, CCS.

[7] Roberto Perdisci,et al. WebWitness: Investigating, Categorizing, and Mitigating Malware Download Paths , 2015, USENIX Security Symposium.

[8] Mitsuaki Akiyama,et al. Design and Implementation of High Interaction Client Honeypot for Drive-by-Download Attacks , 2010, IEICE Trans. Commun..

[9] Niels Provos,et al. All Your iFRAMEs Point to Us , 2008, USENIX Security Symposium.

[10] Konstantin Beznosov,et al. Improving malicious URL re-evaluation scheduling through an empirical study of malware download centers , 2011, WebQuality '11.