Developing a Comprehensive Understanding of Malware Delivery Mechanisms
The cybercriminal community is inarguably more organized, better resourced and more motivated than ever to perpetrate massive-scale computer infections across the Internet. The malware distribution systems that they control and operate are characterized by their use of highly specialized suppliers and commoditized malware services. As a consequence of this development, it is now possible for criminals, with little technical expertise, to operate sophisticated exploit kits and instantiate malicious-content advertising (malvertising) campaigns that surreptitiously infect, hundreds of thousands of, innocent victims. The MALDIVES project seeks to study and develop a new generation of technologies and analytics that offer deeper insights into how these malware infection infrastructures are deployed, operated, and interlinked with open web sources.
The MALDIVES project is organized as a sequence of five attack observation lablets (ATOLLs) which are collectively designed to acquire an in-depth understanding of the key stages in contemporary malware dissemination infrastructures. The Platform Acquisition Observatory (PLATO) is focused on studying the deployment phase of the server-side infection infrastructures. This observatory extends web-application-vulnerability mimicry systems with a dynamic exploit-kit interrogation system, and adds automated intelligence tools to understand subsequent victim infection strategies. The Victim Enticement Scheme Evaluation Lablet (VESSEL) is focused on studying the targeting phase of the malware infection lifecycle. It develops tools and conducts measurements on various enticement schemes, such as Search Engine Optimization (SEO) poisoning and malvertising. The Traffic Redirection Observation Lablet (TROLL) is focused on the delivery phase and builds active and passive techniques to measure malware-related traffic redirection chains. The Exploit Kit Interrogation Environment (EXPLORE) builds automated probes to facilitate the detection and measurement of professionally designed automated infection services. The Defensive Strategies Investigation Lablet (DISTILL) investigates novel malware-defense capabilities based on the insights acquired from prior lablets.
Participating Institutions Heading link
Sponsor: Heading link
Publications Heading link
- Birhanu Eshete and V.N. Venkatakrishnan. DynaMiner: Leveraging Offline Infection Analytics for On-the-Wire Malware Detection. In IEEE/IFIP DSN2017
- Shalini Ghosh, Phillip Porras, Vinod Yegneswaran, Ken Nitz, Ariyam Das. ATOL: A Framework for Automated Analysis and Categorization of the Darkweb Ecosystem. In AAAI AICS’17
Presentations Heading link
- Thesis Defense Presentation on “Multi-Family Analysis and Detection of Exploit Kits” by Stefano Arseni
- DynaMiner Slides: IEEE/IFIP DSN’17 Conference Presentation
- Vinod Yegneswaran (SRI), Phil Porras (SRI), Long Lu (Stony Brook), Venkat Venkatakrishnan (University of Illinois @ Chicago). MALDIVES Poster at The 3rd NSF Secure and Trustworthy Cyberspace Principal Investigator Meeting (Jan 9-11, 2017), Arlington, VA