Annual Computer Security Applications Conference 2011 Technical Track Papers


Understanding the Prevalence and Use of Alternative Plans in Malware with Network Games

In this paper we propose a novel technique to improve the information gained from
dynamic malware analysis systems. By playing network games during
analysis, we explore the behavior of malware when it believes its network
resources are malfunctioning. This forces the malware to reveal its
alternative plan to the analysis system, resulting in a more complete
understanding of malware behavior. Network games are similar to multipath
exploration techniques but are resistant to conditional code obfuscation.
Our experimental results show that network games discover highly useful
network information from malware. Of the 161,000 domain names and over three
million IP addresses coerced from malware over three weeks, more than
95% never appeared on public blacklists. We show that this information is
both likely to be malicious and can be used to improve existing domain name
and IP address reputation systems, blacklists, and network-based malware clustering systems.
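The abstract describes the mechanism only at a high level: the sandbox owns the network, answers lookups and connections with failures, and records the fallback resources the sample then tries. The following toy model is an added illustration written for this page; it is not the paper's system or code. The sample (`ToySample`), its domains and IP addresses, the sinkhole address, and the blacklist are all constructed here so the example runs offline.

```python
"""Toy model of 'network games' in a dynamic malware analysis sandbox.

Added illustration, not the paper's implementation. Everything below
(sample, endpoints, sinkhole, blacklist) is constructed for the example.
"""
from typing import Dict, List, Optional, Set, Tuple

SINKHOLE_IP = "10.0.0.1"   # assumed address the sandbox hands out on success


class Policy:
    """A game policy decides how the sandbox answers each network request."""
    def on_dns(self, name: str) -> Optional[str]:
        raise NotImplementedError
    def on_connect(self, ip: str, port: int) -> bool:
        raise NotImplementedError


class CooperativePolicy(Policy):
    """Conventional sandbox: every lookup resolves (to a sinkhole) and every
    connect succeeds. The sample is satisfied on its first attempt and never
    discloses its alternatives."""
    def on_dns(self, name: str) -> Optional[str]:
        return SINKHOLE_IP
    def on_connect(self, ip: str, port: int) -> bool:
        return True


class NetworkGamePolicy(Policy):
    """Network game: pretend the sample's resources are broken. NXDOMAIN for
    every lookup, connection refused for every direct IP, so the sample is
    forced to walk its entire alternative plan."""
    def on_dns(self, name: str) -> Optional[str]:
        return None          # NXDOMAIN
    def on_connect(self, ip: str, port: int) -> bool:
        return False         # ECONNREFUSED


class FakeNetwork:
    """Sandbox-controlled network: logs every request, answers per policy."""
    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.dns_queries: List[str] = []
        self.connects: List[Tuple[str, int]] = []

    def resolve(self, name: str) -> Optional[str]:
        self.dns_queries.append(name)
        return self.policy.on_dns(name)

    def connect(self, ip: str, port: int) -> bool:
        self.connects.append((ip, port))
        return self.policy.on_connect(ip, port)


class ToySample:
    """Constructed stand-in for a bot with an alternative plan: a primary C2
    domain, backup domains, then hardcoded IP addresses."""
    PRIMARY = "c2-primary.example"
    BACKUP_DOMAINS = ["c2-backup1.example", "c2-backup2.example"]
    HARDCODED_IPS = ["192.0.2.10", "198.51.100.7"]
    PORT = 443

    def run(self, net: FakeNetwork) -> Optional[Tuple[str, int]]:
        # Control flow here branches only on what the network returns, which
        # is why the technique survives conditional code obfuscation: the
        # sandbox does not need to flip or understand branch predicates, it
        # simply makes every "resource failed" condition true.
        for name in [self.PRIMARY] + self.BACKUP_DOMAINS:
            ip = net.resolve(name)
            if ip is None:
                continue
            if net.connect(ip, self.PORT):
                return (ip, self.PORT)
        for ip in self.HARDCODED_IPS:
            if net.connect(ip, self.PORT):
                return (ip, self.PORT)
        return None   # exhausted the plan (a real bot might sleep and retry)


def analyze(policy: Policy) -> Dict[str, Set[str]]:
    """Run the sample under a policy; return the endpoints it disclosed."""
    net = FakeNetwork(policy)
    ToySample().run(net)
    return {
        "domains": set(net.dns_queries),
        # Count only IPs the sample supplied itself, not the sandbox sinkhole.
        "ips": {ip for ip, _ in net.connects if ip != SINKHOLE_IP},
    }


def novel_fraction(observed: Set[str], blacklist: Set[str]) -> float:
    """Share of coerced indicators that a blacklist did not already know."""
    if not observed:
        return 0.0
    return len(observed - blacklist) / len(observed)


if __name__ == "__main__":
    BLACKLIST = {"c2-primary.example"}   # constructed: only the primary is listed
    print("cooperative sandbox:", analyze(CooperativePolicy()))
    game = analyze(NetworkGamePolicy())
    print("network game       :", game)
    print("domains unknown to blacklist: %.0f%%"
          % (100 * novel_fraction(game["domains"], BLACKLIST)))
```

Under the cooperative policy the sandbox sees one domain and no sample-supplied IP; under the game policy it sees every backup domain and every hardcoded address, and the comparison against the constructed blacklist shows why most coerced indicators are new: a blacklist built from ordinary sandbox runs only ever observed the first resource in the plan. A real harness would implement the policies at the DNS resolver and TCP layer of the analysis network rather than as Python objects.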

Author(s):

Yacin Nadji
Georgia Institute of Technology
United States

Manos Antonakakis
Damballa, Inc.
United States

Roberto Perdisci
University of Georgia
United States

Wenke Lee
Georgia Institute of Technology
United States
