Ife, CC;
Shen, Y;
Murdoch, SJ;
Stringhini, G;
(2021)
Marked for Disruption: Tracing the Evolution of Malware Delivery Operations Targeted for Takedown.
In:
RAID '21: 24th International Symposium on Research in Attacks, Intrusions and Defenses.
(pp. pp. 340-353).
ACM: San Sebastian, Spain.
Preview |
Text
raid21-11.pdf - Accepted Version Download (5MB) | Preview |
Abstract
The malware and botnet phenomenon is among the most significant threats to cybersecurity today. Consequently, law enforcement agencies, security companies, and researchers are constantly seeking to disrupt these malicious operations through so-called takedown counter-operations. Unfortunately, the success of these takedowns is mixed. Furthermore, very little is understood as to how botnets and malware delivery operations respond to takedown attempts. We present a comprehensive study of three malware delivery operations that were targeted for takedown in 2015–16 using global download metadata provided by Symantec. In summary, we found that: (1) Distributed delivery architectures were commonly used, indicating the need for better security hygiene and coordination by the (ab)used service providers. (2) A minority of malware binaries were responsible for the majority of download activity, suggesting that detecting these “super binaries” would yield the most benefit to the security community. (3) The malware operations exhibited displacing and defiant behaviours following their respective takedown attempts. We argue that these “predictable” behaviours could be factored into future takedown strategies. (4) The malware operations also exhibited previously undocumented behaviours, such as Dridex dropping competing brands of malware, or Dorkbot and Upatre heavily relying on upstream dropper malware. These “unpredictable” behaviours indicate the need for researchers to use better threat-monitoring techniques.
| Type: | Proceedings paper |
|---|---|
| Title: | Marked for Disruption: Tracing the Evolution of Malware Delivery Operations Targeted for Takedown |
| Event: | The 24th International Symposium on Research in Attacks, Intrusions and Defenses |
| Location: | San Sebastian, Spain |
| Dates: | 06 October 2021 - 08 October 2021 |
| Open access status: | An open access version is available from UCL Discovery |
| DOI: | 10.1145/3471621.3471844 |
| Publisher version: | https://doi.org/10.1145/3471621.3471844 |
| Language: | English |
| Additional information: | This version is the author accepted manuscript. For information on re-use, please refer to the publisher’s terms and conditions. |
| UCL classification: | UCL UCL > Provost and Vice Provost Offices > UCL BEAMS UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Computer Science UCL > Provost and Vice Provost Offices > UCL BEAMS > Faculty of Engineering Science > Dept of Security and Crime Science |
| URI: | https://discovery.ucl.ac.uk/id/eprint/10130780 |
Archive Staff Only
 |
View Item |
