Papers Proceedings »
Lines of Malicious Code: Insights Into the Malicious Software Industry
Presentation 900KB | Paper 316KB |
Martina Lindorfer
Vienna University of Technology
Austria
Alessandro Di Federico
Politecnico di Milano
Italy
Federico Maggi
Politecnico di Milano
Italy
Paolo Milani Comparetti
Vienna Univeristy of Technology/Lastline Inc.
Austria
Stefano Zanero
Politecnico di Milano
Italy
Abstract:
Malicious software installed on infected computers is a fundamental component of online crime. Malware development thus plays an essential role in the underground economy of cyber-crime. Malware authors regularly update their software to defeat defenses or to support new or improved criminal business models. A large body of research has focused focused on detecting malware, defending against it and identifying its functionality. In addition to these goals, however, the analysis of malware can provide a glimpse into how the software development industry develops malicious code.
In this work, we present techniques to observe the evolution of a malware family over time. First, we develop techniques to compare versions of malicious code and quantify their differences. Furthermore, we use behavior observed from dynamic analysis to assign semantics to binary code and to identify functional components within a malware binary. By combining these techniques, we are able to monitor the evolution of a malware’s functional components. We implemnet these techniques in a system we call BEAGLE, and apply it to the observation of 16 malware strains over several months. The results of these experiments provide insight into the effort involved in updating malware code, and show that BEAGLE can identify changes to individual malware components.