The MALICIA dataset: identification and analysis of drive-by download operations

Drive-by downloads are the preferred distribution vector for many malware families. In the drive-by ecosystem, many exploit servers run the same exploit kit and it is a challenge understanding whether the exploit server is part of a larger operation. In this paper, we propose a technique to identify...

Full description

Saved in:
Bibliographic Details
Published in:International journal of information security 2015-02, Vol.14 (1), p.15-33
Main Authors: Nappa, Antonio, Rafique, M. Zubair, Caballero, Juan
Format: Article
Language:English
Subjects:
Automation
Cloning
Cloud computing
Clouds
Coding and Information Theory
Communications Engineering
Computer Communication Networks
Computer information security
Computer Science
Computer viruses
Cryptology
Datasets
Downloading
Ecosystems
Exploitation
Hackers
Infrastructure
Internet service providers
Law enforcement
Malware
Management of Computing and Information Systems
Mathematical analysis
Monitors
Networks
Operating Systems
Polymorphism
Regular Contribution
Servers
Statistical analysis
Vectors (mathematics)
Citations: Items that this one cites
Items that cite this one
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Drive-by downloads are the preferred distribution vector for many malware families. In the drive-by ecosystem, many exploit servers run the same exploit kit and it is a challenge understanding whether the exploit server is part of a larger operation. In this paper, we propose a technique to identify exploit servers managed by the same organization. We collect over time how exploit servers are configured, which exploits they use, and what malware they distribute, grouping servers with similar configurations into operations. Our operational analysis reveals that although individual exploit servers have a median lifetime of 16 h, long-lived operations exist that operate for several months. To sustain long-lived operations, miscreants are turning to the cloud, with 60 % of the exploit servers hosted by specialized cloud hosting services. We also observe operations that distribute multiple malware families and that pay-per-install affiliate programs are managing exploit servers for their affiliates to convert traffic into installations. Furthermore, we analyze the exploit polymorphism problem, measuring the repacking rate for different exploit types. To understand how difficult is to takedown exploit servers, we analyze the abuse reporting process and issue abuse reports for 19 long-lived servers. We describe the interaction with ISPs and hosting providers and monitor the result of the report. We find that 61 % of the reports are not even acknowledged. On average, an exploit server still lives for 4.3 days after a report. Finally, we detail the Malicia  dataset we have collected and are making available to other researchers.
ISSN:1615-5262
1615-5270
DOI:10.1007/s10207-014-0248-7