The malware and botnet phenomenon is among the most significant threats to cybersecurity today. Consequently, law enforcement agencies, security companies, and researchers are constantly seeking to disrupt these malicious operations through so-called takedown counter-operations. Unfortunately, the success of these takedowns is mixed. Furthermore, very little is understood as to how botnets and malware delivery operations respond to takedown attempts. We present a comprehensive study of three malware delivery operations that were targeted for takedown in 2015-16 using global download metadata provided by a major security company. In summary, we found that: (1) Distributed delivery architectures were commonly used, indicating the need for better security hygiene and coordination by the (ab)used service providers. (2) A minority of malware binaries were responsible for the majority of download activity, suggesting that detecting these "super binaries" would yield the most benefit to the security community. (3) The malware operations exhibited displacing and defiant behaviours following their respective takedown attempts. We argue that these "predictable" behaviours could be factored into future takedown strategies. (4) The malware operations also exhibited previously undocumented behaviours, such as Dridex dropping competing brands of malware, or Dorkbot and Upatre heavily relying on upstream dropper malware. These "unpredictable" behaviours indicate the need for researchers to use better threat-monitoring techniques.
翻译:恶意软件和恶意软件是当今对网络安全的最大威胁之一。 因此,执法机构、安保公司和研究人员不断试图通过所谓的 " 拆卸反行动 " 来破坏这些恶意操作。 不幸的是,这些拆卸的成功是喜忧参半的。 此外,很少有人了解这些“超级软件”和恶意软件交付行动如何应对拆卸尝试。 我们对三个恶意软件交付行动进行了全面研究,这三个行动的目标是利用一家主要安保公司提供的全球下载元数据在2015-16年拆卸。 简而言之,我们发现:(1) 分配的交付结构经常被使用,表明(被利用的)服务提供商需要更好的安全卫生和协调。 (2) 少数恶意软件的二进制对大多数下载活动负责,表明检测这些“超级二进制”将给安全界带来最大的好处。 (3) 恶意软件业务在进行各自拆卸尝试后表现出令人不解和不解的行为。 我们认为,这些“预期的”行为可以纳入未来的拆卸战略。 (4) 恶意软件操作还展示了以往的无证行为,如Dregard max 大幅监控, 需要这些“高额的上头的磁。
相关内容
微信扫码咨询专知VIP会员