000000268 001__ 268
000000268 005__ 20130522141943.0
000000268 037__ $$aLERSSE-THESIS-2011-002
000000268 100__ $$aKyle Zeeuwen
000000268 245__ $$aOptimizing Re-Evaluation of Malware Distribution Networks
000000268 260__ $$c2011-10-12
000000268 300__ $$a120
000000268 520__ $$aThe retrieval and analysis of malicious content is an essential task for security researchers. Security labs use automated HTTP clients known as client honeypots to visit hundreds of thousands of suspicious URLs daily. The dynamic nature of malware distribution networks necessitate periodic re-evaluation of a subset of the confirmed malicious sites, which introduces two problems: 1) the number of URLs requiring re-evaluation exhaust available resources, and 2) repeated evaluation exposes the system to adversarial blacklisting, which affects the accuracy of the content collected. To address these problems, I propose optimizations to the re-evaluation logic that reduce the number of re-evaluations while maintaining a constant sample discovery rate during URLs re-evaluation. I study these problems in two adversarial scenarios: 1) monitoring malware repositories where no provenance is available, and 2) monitoring Fake Anti-Virus (AV) distribution networks. I perform a study of the adversary by repeatedly downloading content from the distribution networks. This re- veals trends in the update patterns and lifetimes of the distribution sites and malicious executa- bles. Using these observations I propose optimizations to reduce the amount of re-evaluations necessary to maintain a high malicious sample discovery rate. In the first scenario the proposed techniques, when evaluated versus a fixed interval scheduler, are shown to reduce the number of re-evaluations by 80-93% (assuming a re-evaluation interval of 1 hour to 1 day) with a corresponding impact on sample discovery rate of only 2-7% percent. In the second scenario, optimizations proposed are shown to reduce fetch volume by orders of magnitude and, more importantly, reduce the likelihood of blacklisting. During direct evaluation of malware repositories I observe multiple instances of blacklisting, but on the whole, less than 1% of the repositories studied show evidence of blacklisting. Fake AV dis- tribution networks actively blacklist IPs; I encountered repeated occurrences of IP blacklisting while monitoring Fake AV distribution networks.
000000268 6531_ $$amalware distribution networks
000000268 6531_ $$aadversarial blacklisting
000000268 6531_ $$ahoneyclient
000000268 6531_ $$ascareware
000000268 6531_ $$afake antivirus
000000268 6531_ $$aneveragain
000000268 8560_ $$fkylez@ece.ubc.ca
000000268 8564_ $$uhttp://lersse-dl.ece.ubc.ca/record/268/files/268.pdf$$yTransfer from CDS 0.99.7
000000268 909C4 $$pKyle Zeeuwen, "Optimizing Re-Evaluation of Malware Distribution Networks", MASc thesis, Department of Electrical and Computer Engineering, University of British Columbia, Vancouver, Canada, October 2011.
000000268 980__ $$aTHESIS