Lines of Malicious Code: Insights Into the Malicious Software Industry

Malicious software installed on infected computers is a fundamental component of online crime. Malware development thus plays an essential role in the underground economy of cyber-crime. Malware authors regularly update their software to defeat defenses or to support new or improved criminal business models. A large body of research has focused focused on detecting malware, defending against it and identifying its functionality. In addition to these goals, however, the analysis of malware can provide a glimpse into how the software development industry develops malicious code.

In this work, we present techniques to observe the evolution of a malware family over time. First, we develop techniques to compare versions of malicious code and quantify their differences. Furthermore, we use behavior observed from dynamic analysis to assign semantics to binary code and to identify functional components within a malware binary. By combining these techniques, we are able to monitor the evolution of a malware’s functional components. We implemnet these techniques in a system we call BEAGLE, and apply it to the observation of 16 malware strains over several months. The results of these experiments provide insight into the effort involved in updating malware code, and show that BEAGLE can identify changes to individual malware components.

Author(s):

Martina Lindorfer    
Vienna University of Technology
Austria

Alessandro Di Federico    
Politecnico di Milano
Italy

Federico Maggi    
Politecnico di Milano
Italy

Paolo Milani Comparetti    
Vienna Univeristy of Technology/Lastline Inc.
Austria

Stefano Zanero    
Politecnico di Milano
Italy