IMDEA Software

IMDEA initiative

Home > Events > Software Seminar Series > 2012 > Driving in the Cloud: An Analysis of Drive-by Download Operations and Abuse Reporting

Antonio Nappa

Tuesday, November 27, 2012

11:00am Meeting room 302 (Mountain View), level 3

Antonio Nappa, PhD Student, IMDEA Software Institute

Driving in the Cloud: An Analysis of Drive-by Download Operations and Abuse Reporting

Abstract:

Drive-by downloads are the preferred distribution vector for many malware families. In the drive-by ecosystem many exploit servers run the same exploit kit and it is a challenge understanding whether the exploit server is part of a larger operation. In this paper we propose a technique to identify exploit servers managed by the same organization. We build an infrastructure to collect over time how exploit servers are configured and what malware they distribute, grouping servers with similar configurations into operations. Our operational analysis reveals that although individual exploit servers have a median lifetime of 19 hours, long-lived operations exist that operate for several months. To sustain long-lived operations miscreants are turning to the cloud, with 60% of the exploit servers hosted by specialized cloud hosting services. We also observe operations that distribute multiple malware families and that pay-per-install affiliate programs are managing exploit servers for their affiliates to convert traffic into installations. To understand how difficult is to take down exploit servers, we analyze the abuse reporting process and issue abuse reports for 19 long-lived servers. We describe the interaction with ISPs and hosting providers and monitor the result of the report. We find that 61% of the reports are not even acknowledged. On average an exploit server still lives for 4.3 days after a report.