6th European Conference - Academic Conferences
Madhu Shankarapani and Srinivas Mukkamala

network. Using JavaScript, it generates pseudo-random domain names on the fly and redirects victims to a malicious web page.
Vundo, also known as VirtuMundo, VirtuMonde, and MS Juan, spreads via email, peer-to-peer file sharing, and other malware (Bell and Chien, 2010). It exploits browser vulnerabilities and displays pop-up advertisements, and it is able to inject advertisements into search results. Fraudulent or misleading applications, intrusive pop-ups, and fake scan results are characteristic of this Trojan. Vundo lowers security settings, prevents access to certain websites, and disables antivirus programs, which makes it harder to remove. Its newer variants are far more sophisticated in their payloads and functionality: they can exploit vulnerabilities to download misleading software, and they carry extensions that encrypt files in order to extort money from the user.
Zeus is a Trojan horse that steals banking information from infected machines; it spreads through drive-by downloads and phishing emails. Since it was first identified, Zeus has remained very active in the wild, and the threat it poses has increased constantly. Most threatening is a large group working on Zeus that has produced a builder capable of generating enormous numbers of Zeus/Zbot variants, which evade present anti-virus software.
The problem is so critical that a significant research effort has been invested in gaining a better understanding of the characteristics of this malware. One approach to studying these characteristics is passive analysis of the secondary effects caused by the activities of compromised hosts. Many researchers have performed such passive analysis, for example by collecting spam emails that are likely to have been sent by bots (Zhuang et al, 2008), by observing DNS queries (Rajab et al, 2007), (Rajab et al, 2006) or DNS blacklist queries (Ramachandran, Feamster and Dagon, 2006) performed by bot-infected machines, and by analyzing network traffic for cues that are characteristic of certain botnets (Karasaridis, Rexroad and Hoeflin, 2007).
While these analyses provide interesting insights into particular characteristics of Trojans and bots, the approach is limited to those botnets that actually exhibit the activity targeted by the analysis. Active approaches analyze botnets through permeation: the researchers join the botnet in order to perform the analysis. Usually honeypots or spam traps are used to collect a copy of a malware sample. The obtained samples are then executed in a controlled environment and their behavior is observed. Observations include the traffic exchanged between bots and their command and control server(s), and the IP addresses of other clients that are concurrently logged into the IRC channel (Rajab et al, 2006), (Cooke, Jahanian and McPherson, 2006), (Freiling, Holz and Wicherski, 2005). Unfortunately these techniques do not work against botnets that use stripped-down IRC or HTTP servers as their C&C channels.
Present anti-virus techniques are based either on signature-based detection, which is not effective against polymorphic and unknown malware, or on heuristic-based algorithms, which are inefficient and inaccurate. Detection based on string signatures uses a database of regular expressions and a string matching engine to scan files and detect infected ones; each regular expression in the database is designed to identify a known malicious program. Although traditional signature-based malware detection methods have existed for a long time, there is much room to improve signature-based detection, and a few data mining and machine learning techniques have been proposed to detect new malware. (Westfeld, 2001: 289-302), (Sallee, 2005: 167-189) and (Solanki, Sarkar and Manjunath, 2007: 16-31) examined the performance of various classifiers such as Naïve Bayes and support vector machines (SVM), plotting ROC curves using decision tree methods. (Lyu and Farid, 2002: 340-354) applied Objective-Oriented Association (OOA) mining based classification (Fridrich, 2004: 67-81), (Shi, Chen and Chen, 2006) to the sequences of Windows API calls executed by PE files. A few of these methods rely entirely on the order in which the API calls are executed. There are also methods in which websites are crawled to inspect whether they host malicious executables of any kind (Pevny, Fridrich, 2007). That study is aimed mainly at web server security, advertising and third-party widgets; its basic approach shows how malware executables are often distributed across a large number of URLs and domains. Analyzing and detecting these obfuscated malicious executables is by itself a vast field.
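The contrast drawn above, between string-signature matching and classification on Windows API execution sequences, as an added example that is not part of the paper and not taken from any anti-virus product: a toy regex signature database with a string-matching scanner, run over constructed file samples, next to an association-rule check over a constructed API-call trace of the kind a sandbox records. Every family name, signature, rule, sample and trace here is hypothetical, and the single-byte XOR stands in for the string obfuscation that a polymorphic variant applies to the same payload.

```python
import re
from typing import Dict, List, Set, Tuple

# --- Part 1: string-signature scanning over raw file bytes ---
# Constructed toy signature database: family name -> regular expression.
# Names and patterns are hypothetical and describe no real AV product or malware.
SIGNATURES: Dict[str, re.Pattern] = {
    "Demo.Banker.A": re.compile(rb"BANK_GRAB_v1\x00.{0,32}?POST /gate\.php", re.DOTALL),
    "Demo.Downloader.B": re.compile(rb"URLDownloadToFileA.{0,64}?WinExec", re.DOTALL),
}

def scan_with_signatures(data: bytes) -> List[str]:
    """Return the names of all signatures whose regex matches somewhere in the file."""
    return [name for name, pattern in SIGNATURES.items() if pattern.search(data)]

def xor_encode(data: bytes, key: int) -> bytes:
    """Single-byte XOR: the simplest string obfuscation a polymorphic packer applies.
    The original byte string no longer appears anywhere in the file on disk."""
    return bytes(b ^ key for b in data)

# Constructed samples (not real malware): a dummy PE-style header plus a payload.
HEADER = b"MZ\x90\x00" + b"\x00" * 12
PAYLOAD = b"BANK_GRAB_v1\x00cfg=1;POST /gate.php HTTP/1.1"
SAMPLE_ORIGINAL = HEADER + PAYLOAD
SAMPLE_POLYMORPHIC = HEADER + xor_encode(PAYLOAD, 0x5A)   # same behavior, different bytes
SAMPLE_BENIGN = HEADER + b"Hello, world! This file does nothing of interest."

# --- Part 2: behavior features from an API-call execution sequence ---
# Constructed association rules of the kind mined from Windows API traces: every API
# in the tuple must appear in the trace, in this order (gaps allowed), for the rule to fire.
API_RULES: Dict[str, Tuple[str, ...]] = {
    "process-injection": ("OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"),
    "browser-hook-and-exfil": ("SetWindowsHookExA", "InternetOpenA", "HttpSendRequestA"),
}

def is_subsequence(pattern: Tuple[str, ...], calls: List[str]) -> bool:
    """True if every API name in `pattern` occurs in `calls` in the given order."""
    remaining = iter(calls)
    # each any() consumes the iterator up to the next required API, so order is enforced
    return all(any(api == call for call in remaining) for api in pattern)

def classify_by_api_rules(calls: List[str]) -> Set[str]:
    """Return the names of every rule the execution trace satisfies."""
    return {name for name, pattern in API_RULES.items() if is_subsequence(pattern, calls)}

# Constructed traces. Obfuscating the file on disk does not change what the program does
# at run time, so the original and the polymorphic banker sample share one trace.
TRACE_BANKER = ["CreateFileA", "OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                "CreateRemoteThread", "SetWindowsHookExA", "InternetOpenA", "HttpSendRequestA"]
TRACE_BENIGN = ["CreateFileA", "ReadFile", "WriteFile", "CloseHandle"]

def compare() -> Dict[str, Tuple[List[str], Set[str]]]:
    """Run both detectors over each sample: {label: (signature hits, rule hits)}."""
    return {
        "original":    (scan_with_signatures(SAMPLE_ORIGINAL),    classify_by_api_rules(TRACE_BANKER)),
        "polymorphic": (scan_with_signatures(SAMPLE_POLYMORPHIC), classify_by_api_rules(TRACE_BANKER)),
        "benign":      (scan_with_signatures(SAMPLE_BENIGN),      classify_by_api_rules(TRACE_BENIGN)),
    }

if __name__ == "__main__":
    for label, (sig_hits, rule_hits) in compare().items():
        print(f"{label:12s} signatures={sig_hits or '-'}  behavior={sorted(rule_hits) or '-'}")
```

Running the block prints one line per sample: the original payload is caught by both detectors, the XOR-obfuscated copy of the same payload is missed by the signature scanner but still satisfies both API rules because its run-time behavior is unchanged, and the benign file triggers neither. That is the gap the paper attributes to signature-based detection against polymorphic malware, and the reason the surveyed work turns to features derived from API execution sequences.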
Our work is based on a collection of Zeus/Zbot variants gathered from Offensive Computing (Offensive Computing, 2010). As of today, Offensive Computing has one of the largest malware databases, which includes various kinds of executables such as spyware, adware, viruses, worms, Trojans, etc. Among the thousands of malware samples in the computing world, the number of unique executables is likely to be much lower, as many
253