DOI: 10.1145/2076732.2076734 (ACM Other Conferences, ACSAC Conference Proceedings)
Research article

Understanding the prevalence and use of alternative plans in malware with network games

Published: 05 December 2011

Abstract

In this paper we describe and evaluate a technique to improve the amount of information gained from dynamic malware analysis systems. By playing network games during analysis, we explore the behavior of malware when it believes its network resources are malfunctioning. This forces the malware to reveal its alternative plan to the analysis system, resulting in a more complete understanding of malware behavior. Network games are similar to multipath exploration techniques but are resistant to conditional code obfuscation. Our experimental results show that network games discover highly useful network information from malware. Of the 161,000 domain names and over three million IP addresses coerced from malware during three weeks, over 95% never appeared on public blacklists. We show that this information is both likely to be malicious and can be used to improve existing domain name and IP address reputation systems, blacklists, and network-based malware clustering systems.
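The following is an added illustration of the idea in the abstract, not code from the paper or its authors: a sandbox-side mediator that answers a sample's DNS and TCP requests with failures chosen by a "game" policy, so the sample falls through to its alternative plans, and records every name and address it asks for along the way. The sample itself (ToyBot), its domain names, its hard-coded addresses, the sinkhole address and the blacklist are all constructed for this example.

```python
"""Toy 'network game' explorer for a malware sandbox.

Added example, not code from the paper: the sample (ToyBot), the domain
names, the addresses and the blacklist are all constructed for illustration.
The mediator answers the sample's DNS and TCP requests according to a game
policy instead of the real network, and records every resource the sample
asks for as it falls through to its alternative plans.
"""
import hashlib
from dataclasses import dataclass, field
from enum import Enum


class Outcome(Enum):
    OK = "ok"
    NXDOMAIN = "nxdomain"   # DNS: name does not exist
    SERVFAIL = "servfail"   # DNS: resolver itself is failing
    RST = "rst"             # TCP: connection refused
    TIMEOUT = "timeout"     # TCP: SYN never answered


SINKHOLE_IP = "10.0.0.1"    # constructed: address handed out for "successful" lookups


@dataclass
class NetworkGame:
    """Sandbox-side mediator: records what the sample asks for and answers
    according to the game policy, never according to the real network."""
    dns_policy: Outcome
    tcp_policy: Outcome
    domains: list = field(default_factory=list)
    endpoints: list = field(default_factory=list)

    def resolve(self, name):
        self.domains.append(name)
        if self.dns_policy is Outcome.OK:
            return Outcome.OK, SINKHOLE_IP
        return self.dns_policy, None

    def connect(self, ip, port):
        if ip != SINKHOLE_IP:           # a hard-coded address: exactly what we want coerced out
            self.endpoints.append(f"{ip}:{port}")
        return self.tcp_policy


class ToyBot:
    """Constructed stand-in for a sample with a layered fallback plan:
    primary domain -> DGA domains on NXDOMAIN -> hard-coded IPs on TCP failure.
    On SERVFAIL it assumes the local resolver is broken and sleeps."""
    PRIMARY = "cdn-update.example"
    FALLBACK_IPS = ["198.51.100.7", "203.0.113.9"]   # constructed (RFC 5737 ranges)

    def __init__(self, seed="2011-12-05", dga_count=3):
        self.seed, self.dga_count = seed, dga_count

    def dga(self, i):
        digest = hashlib.sha256(f"{self.seed}:{i}".encode()).hexdigest()
        return f"{digest[:12]}.example"

    def run(self, net):
        for name in [self.PRIMARY] + [self.dga(i) for i in range(self.dga_count)]:
            status, ip = net.resolve(name)
            if status is Outcome.SERVFAIL:
                return "sleep"          # resolver down: wait it out, reveal nothing more
            if status is Outcome.NXDOMAIN:
                continue                # next DGA candidate
            if net.connect(ip, 443) is Outcome.OK:
                return "c2"
            break                       # name resolved but C2 unreachable: abandon DNS plan
        for ip in self.FALLBACK_IPS:
            if net.connect(ip, 8080) is Outcome.OK:
                return "c2"
        return "exit"


# One game per failure mode; each re-executes the sample from scratch,
# as a sandbox would, so the sample cannot carry state between games.
GAMES = {
    "dns_nxdomain": (Outcome.NXDOMAIN, Outcome.RST),
    "dns_servfail": (Outcome.SERVFAIL, Outcome.RST),
    "tcp_reset":    (Outcome.OK, Outcome.RST),
    "tcp_timeout":  (Outcome.OK, Outcome.TIMEOUT),
}


def play_games(make_bot, games=GAMES):
    """Return per-game (verdict, #domains, #endpoints) plus the merged indicator sets."""
    per_game, domains, endpoints = {}, set(), set()
    for game, (dns, tcp) in games.items():
        net = NetworkGame(dns, tcp)
        verdict = make_bot().run(net)
        per_game[game] = (verdict, len(set(net.domains)), len(set(net.endpoints)))
        domains |= set(net.domains)
        endpoints |= set(net.endpoints)
    return per_game, domains, endpoints


def unlisted_fraction(domains, endpoints, blacklist):
    """Share of coerced indicators that a blacklist does not already cover."""
    indicators = set(domains) | {ep.split(":")[0] for ep in endpoints}
    return len(indicators - set(blacklist)) / len(indicators) if indicators else 0.0


if __name__ == "__main__":
    per_game, domains, endpoints = play_games(ToyBot)
    for game, result in per_game.items():
        print(f"{game:13s} verdict={result[0]:5s} domains={result[1]} endpoints={result[2]}")
    blacklist = {"cdn-update.example", "198.51.100.7"}   # constructed
    print(f"coerced {len(domains)} domains, {len(endpoints)} endpoints; "
          f"{unlisted_fraction(domains, endpoints, blacklist):.0%} not on the blacklist")
```

Two things the toy makes visible that the abstract only implies. First, the choice of failure matters: against this sample the NXDOMAIN game coerces the whole DGA list plus the hard-coded addresses, the TCP-reset game coerces only the addresses, and the SERVFAIL game coerces nothing beyond the first name because the sample decides the resolver is broken and sleeps; a sandbox therefore needs to play several games, each on a fresh execution, and merge the results. Second, the mediator never forwards anything: in a real deployment the same roles are played by a fake DNS server and an egress gateway that rejects or drops connections, and the sinkhole should not hand every name the same address, since samples can use that to detect analysis.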




Published In

ACSAC '11: Proceedings of the 27th Annual Computer Security Applications Conference
December 2011
432 pages
ISBN:9781450306720
DOI:10.1145/2076732
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

Sponsors

  • ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery

New York, NY, United States


Qualifiers

  • Research-article

Conference

ACSAC '11: Annual Computer Security Applications Conference
Sponsor: ACSA
December 5 - 9, 2011
Orlando, Florida, USA

Acceptance Rates

Overall Acceptance Rate 104 of 497 submissions, 21%

Article Metrics

  • Downloads (Last 12 months)9
  • Downloads (Last 6 weeks)0
Reflects downloads up to 03 Oct 2024

Cited By

  • (2024) C2Miner: Tricking IoT Malware into Revealing Live Command & Control Servers. Proceedings of the 19th ACM Asia Conference on Computer and Communications Security, pp. 112-127. DOI: 10.1145/3634737.3644992. Published 1 Jul 2024.
  • (2022) MalNet. Proceedings of the 22nd ACM Internet Measurement Conference, pp. 472-487. DOI: 10.1145/3517745.3561463. Published 25 Oct 2022.
  • (2021) An Inside Look into the Practice of Malware Analysis. Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security, pp. 3053-3069. DOI: 10.1145/3460120.3484759. Published 12 Nov 2021.
  • (2021) Challenges and pitfalls in malware research. Computers and Security, vol. 106. DOI: 10.1016/j.cose.2021.102287. Published 1 Jul 2021.
  • (2018) Error-Sensor: Mining Information from HTTP Error Traffic for Malware Intelligence. Research in Attacks, Intrusions, and Defenses, pp. 467-489. DOI: 10.1007/978-3-030-00470-5_22. Published 7 Sep 2018.
  • (2017) Still Beheading Hydras: Botnet Takedowns Then and Now. IEEE Transactions on Dependable and Secure Computing 14(5), pp. 535-549. DOI: 10.1109/TDSC.2015.2496176. Published 1 Sep 2017.
  • (2017) A Lustrum of Malware Network Communication: Evolution and Insights. 2017 IEEE Symposium on Security and Privacy (SP), pp. 788-804. DOI: 10.1109/SP.2017.59. Published May 2017.
  • (2015) Analysis of content copyright infringement in mobile application markets. 2015 APWG Symposium on Electronic Crime Research (eCrime), pp. 1-10. DOI: 10.1109/ECRIME.2015.7120798. Published May 2015.
  • (2014) GoldenEye: Efficiently and Effectively Unveiling Malware's Targeted Environment. Research in Attacks, Intrusions and Defenses, pp. 22-45. DOI: 10.1007/978-3-319-11379-1_2. Published 2014.
  • (2013) Beheading hydras. Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, pp. 121-132. DOI: 10.1145/2508859.2516749. Published 4 Nov 2013.
