Marked for Disruption: Tracing the Evolution of Malware Delivery Operations Targeted for Takedown
Total Page:16
File Type:pdf, Size:1020Kb
Marked for Disruption: Tracing the Evolution of Malware Delivery Operations Targeted for Takedown Colin C. Ife?, Yun Sheny, Steven J. Murdoch?, and Gianluca Stringhiniz ?University College London, yNorton Research Group, zBoston University ?yUnited Kingdom, zUnited States {colin.ife,s.murdoch}@ucl.ac.uk,[email protected],[email protected] ABSTRACT 1 INTRODUCTION The malware and botnet phenomenon is among the most signif- Malware delivery has evolved into a major business for the cyber- icant threats to cybersecurity today. Consequently, law enforce- criminal economy and a complex problem for the security commu- ment agencies, security companies, and researchers are constantly nity. The botnet – a network of malware-infected devices that is seeking to disrupt these malicious operations through so-called controlled by a single actor through one or more command and takedown counter-operations. Unfortunately, the success of these control (C&C) servers – is one phenomenon that has benefited takedowns is mixed. Furthermore, very little is understood as to from the malware delivery revolution. Diverse distribution vectors how botnets and malware delivery operations respond to takedown have enabled such malicious networks to expand more quickly and attempts. We present a comprehensive study of three malware de- efficiently than ever before. Once established, these botnets canbe livery operations that were targeted for takedown in 2015–16 using leveraged to commit a wide array of secondary computer crimes, global download metadata provided by Symantec. In summary, we such as data theft, financial fraud, coercion (ransomware), send- found that: (1) Distributed delivery architectures were commonly ing spam messages, distributed denial of service (DDoS) attacks, used, indicating the need for better security hygiene and coordina- and unauthorised cryptocurrency mining [1, 14, 17, 47, 48]. Even tion by the (ab)used service providers. (2) A minority of malware worse, these botnets could be further monetised as pay-per-install binaries were responsible for the majority of download activity, services [19], allowing the operator to rent out access of their net- suggesting that detecting these “super binaries” would yield the work to other criminals. Finally, botnet operators employ a myriad most benefit to the security community. (3) The malware opera- of techniques to avoid detection and improve the resiliency of their tions exhibited displacing and defiant behaviours following their operations, such as using software polymorphism [16] to beat an- respective takedown attempts. We argue that these “predictable” tivirus engines, Fast Flux Service Networks (FFSNs) [29] to rapidly behaviours could be factored into future takedown strategies. (4) change the IP addresses of their servers, Domain Generation Algo- The malware operations also exhibited previously undocumented rithms (DGAs) [15] to constantly change the domain names of their behaviours, such as Dridex dropping competing brands of mal- C&C servers, and distributed servers spanning multiple regions for ware, or Dorkbot and Upatre heavily relying on upstream dropper redundancy and elusive software delivery [35, 41]. malware. These “unpredictable” behaviours indicate the need for Because of the serious and growing threat that botnet and mal- researchers to use better threat-monitoring techniques. ware delivery operations pose to society, law enforcement agencies (LEAs), security companies, and researchers constantly seek meth- CCS CONCEPTS ods, opportunities, and intervention points to disrupt such mali- • Security and privacy ! Malware and its mitigation; Social cious operations [25, 36]. Takedown operations are just a subset of aspects of security and privacy; • Information systems ! some of the disruptive techniques employed: infiltrating botnets World Wide Web; for intelligence-gathering and sabotage; re-routing network traf- fic meant for known C&C servers to disrupt their communication ACM Reference Format: channels (i.e., a DNS sinkhole); forcing Internet service providers Colin C. Ife?, Yun Sheny, Steven J. Murdoch?, and Gianluca Stringhiniz. (ISPs) to shutdown malicious servers that they host; or physically 2021. Marked for Disruption: Tracing the Evolution of Malware Delivery seizing malicious server infrastructure and assets, and arresting the Operations Targeted for Takedown. In 24th International Symposium on miscreants involved. The success of these operations is mixed [25]. Research in Attacks, Intrusions and Defenses (RAID ’21), October 6–8, 2021, Although the details of a number of takedown operations have San Sebastian, Spain. ACM, New York, NY, USA, 14 pages. https://doi.org/ been recorded in the literature, few studies examine how the tar- 10.1145/3471621.3471844 geted malware delivery operations actually respond to such in- terventions. This leaves many important questions unanswered: Permission to make digital or hard copies of all or part of this work for personal or After a takedown operation, what happens next? Do the malware classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation operations break down? If not, how quickly do they resurface? on the first page. Copyrights for components of this work owned by others than the Do the operators move their infrastructure elsewhere, or perhaps author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or change their modus operandi? Assessing the efficacy of takedown republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]. operations, are there more effective intervention points in these RAID ’21, October 6–8, 2021, San Sebastian, Spain malicious infrastructures? Finally, considering the behaviours of © 2021 Copyright held by the owner/author(s). Publication rights licensed to ACM. these miscreants, could some of their reactions be predicted and ACM ISBN 978-1-4503-9058-3/21/10...$15.00 https://doi.org/10.1145/3471621.3471844 taken into account by LEAs and security practitioners? In this study, using global download metadata collected in 2015– to make botnet takedowns more expensive and difficult as cyber- 2016, we devise a novel tracking and analysis methodology to quan- criminals will continue to make their infrastructures more resilient. titatively assess the global activity of malware delivery operations The author called for more coordination and shared knowledge targeted for takedown, and how this activity evolves over the course between the security community to make botnet takedowns more of a year in light of these actions. In particular, we focus on three efficient and sustainable. malware delivery operations (botnets) that were targeted in the fall In an attempt to bring measurement and order to botnet take- of 2015: the Dridex, Dorkbot, and Dyre-Upatre operations. These down analysis, a takedown analysis and recommendation system, botnets were selected as they were among the few known to have rza, is proposed by Nadji et al.[36]. This system allows researchers been targeted for takedown between October 2015–September 2016, to conduct a post-mortem analysis of past botnet takedowns, and corresponding to the collection period of the dataset used herein. provide recommendations on how to execute future ones success- We analyse the activities of two operational components over the fully. This work is motivated with some real case studies. In a second course of a year: the upstream server infrastructure (server-side), work, Nadji et al.[37] propose improvements to the rza system by and the downloaded binaries and their dropper networks (client- enhancing its risk formula to include botnet population counts. side). In summary, this study makes the following contributions: Two additional botnet takedowns are also examined, and the policy (1) We devise a novel methodology to track and analyse malware ramifications of takedowns are discussed in detail by the authors. delivery operations over time using download metadata. This Lerner [34] also discusses regulatory and policy solutions to botnet methodology could be used to analyse any class of software takedowns, particularly arguing the need for more public-private delivery operation at scale, such as malware, potentially partnerships to achieve this endeavour. Shirazi [44] surveys and unwanted programs (PUPs), or benignware. taxonomises 19 botnet takedown initiatives between 2008–2014 and (2) We observe a myriad of behavioural responses to takedown proposed a theoretical model to assess the likelihood of success for attempts by each malware delivery operation. Specifically, future botnet takedown initiatives. To the best of our knowledge, we find that: (1) The use of distributed delivery architectures the author is still in the process of building this database before was common among the studied malware. (2) A minority of releasing it to the security community. malware binaries were responsible for the majority of down- Investigating the effects of takedowns further, a recent historical load activity. (3) The malware operations exhibited some study by Edwards et al.[25] was conducted on the causal effects of “predictable” behaviours following their respective takedown botnet takedowns on ISPs that hosted spamming activity. In this attempts such as displacement [28] and defiance [43] be- work, the authors build an autoregressive