IMDEA Software Institute researcher Juan Caballero, graduated Ph.D. student Antonio Nappa, and former intern M. Zubair Rafique have received the Most Influential DIMVA paper 2009-2013 Award for their paper “Driving in the Cloud: An Analysis of Drive-by Download Operations and Abuse Reporting”. The award recognizes the most influential paper published in a period of 5 years at DIMVA, the International Conference on Detection of Intrusions and Malware & Vulnerability Assessment. The authors received their award at the gala dinner of DIMVA 2017, which was held on July 6-7 2017 in Bonn, Germany.
The winning paper was published in DIMVA 2013. It proposed a technique to identify exploit servers managed by the same organization. Exploit servers are Web servers that try to exploit vulnerabilities in the browser and browser plugins (e.g., PDF or Flash players) of visitors. If exploitation is successful, malware is installed on the visitor’s computer. This process is known as a drive-by download. In the drive-by ecosystem many exploit servers run the same exploit kit software and it is a challenge understanding whether the exploit server is part of a larger operation. The paper results revealed that although individual exploit servers have a short median lifetime of a few hours, attackers were able to sustain long-lived malware distribution by turning to the cloud, hosting their exploit servers in specialized cloud hosting services.
As a result of the paper the authors released the Malicia dataset, which comprised 11688 malware binaries collected from 500 drive-by download servers over a period of 11 months, a database that details when and from where the malware was collected, and the malware classification into families. The dataset enables, among other applications, evaluating malware clustering and labeling approaches. Since its release, the Malicia dataset has been requested by 73 research institutions worlwide.