DOI: 10.1145/3321705.3329807
Research article (Asia CCS conference proceedings)

Waves of Malice: A Longitudinal Measurement of the Malicious File Delivery Ecosystem on the Web

Published: 02 July 2019

Abstract

We present a longitudinal measurement of malicious file distribution on the Web. Following a data-driven approach, we identify network infrastructures and the files that they download. We then study their characteristics over a short period (one day), over a medium period (daily, over one month), and in the long term (weekly, over one year). This analysis offers an unprecedented view of the malicious file delivery ecosystem and its dynamics. We find that the malicious file delivery landscape can be divided into two distinct ecosystems: a much larger, tightly connected set of networks that is mostly responsible for the delivery of potentially unwanted programs (PUP), and a number of disjoint network infrastructures that are responsible for delivering malware to victim computers. These two ecosystems are mostly disjoint, but it is not uncommon to see malware downloaded from the PUP ecosystem, and vice versa. We estimate the proportion of PUP to malware in the wild to be heavily skewed towards PUP (17:2) and compare their distribution patterns. We observe periodicity in the activity of malicious network infrastructures, and we find that although malicious file operations present a high degree of volatility, 75% of the observed malicious networks remain active for more than six weeks, with 26% surviving for an entire year. We then discuss how our findings can help the research and law enforcement communities develop better takedown techniques.



Published In

Asia CCS '19: Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security
July 2019
708 pages
ISBN:9781450367523
DOI:10.1145/3321705
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. big data
  2. delivery
  3. downloader graph
  4. malware
  5. pup
  6. web security

Qualifiers

  • Research-article

Conference

Asia CCS '19
Acceptance Rates

Overall Acceptance Rate 418 of 2,322 submissions, 18%
