In this paper, Christian J Dietrich, Herbert Bos and me explored malware downloaders that we found in Sandnet. We motivated our research by the fact that such downloaders are responible for a huge number of malware installations. We were surprised to see such a diversity in the downloader landscape, not only in terms of different downloader families, but also in techniques used to distribute, secure and hide malicious downloads. We summarized our paper as follows:
Downloaders are malicious programs with the goal to subversively download and install malware (eggs) on a victim's machine. In this paper, we analyze and characterize 23 Windows-based malware downloaders. We first show a high diversity in downloaders' communication architectures (e.g., P2P), carrier protocols and encryption schemes. Using dynamic malware analysis traces from over two years, we observe that 11 of these downloaders actively operated for at least one year, and identify 18 downloaders to be still active.
We then describe how attackers choose resilient server infrastructures. For example, we reveal that 20% of the C&C servers remain operable on long term. Moreover, we observe steady migrations between different domains and TLD registrars, and notice attackers to deploy critical infrastructures redundantly across providers. After revealing the complexity of possible counter-measures against downloaders, we present two novel and generic techniques enabling defenders to actively acquire malware samples.
To do so, we leverage the publicly accessible downloader infrastructures by replaying download dialogs or observing a downloader's process activities from within the Windows kernel. With these two techniques, we successfully milk and analyze a diverse set of eggs from downloaders with both plain and encrypted communication channels.
I will present our work at DIMVA in Heraklion (Crete, Greece) on Thursday/Friday July 26-27th 2012. I look forward to meeting you there! Please send me an email if you are interested in an early copy of the paper.