(2019) MALPITY: Automatic Identification and Exploitation of Tarpit Vulnerabilities in Malware.
Text: malpity-eurosp2019.pdf - Accepted Version (359kB)
Abstract
Law enforcement agencies regularly take down botnets as the ultimate defense against global malware operations. By arresting malware authors, and simultaneously infiltrating or shutting down a botnet’s network infrastructures (such as C2 servers), defenders stop global threats and mitigate pending infections. In this paper, we propose malware tarpits, an orthogonal defense that does not require seizing botnet infrastructures, and at the same time can also be used to slow down malware spreading and infiltrate its monetization techniques. A tarpit is a network service that causes a client to stay busy with a network operation. Our work aims to automatically identify network operations used by malware that will block the malware either forever or for a significant amount of time. We describe how to non-intrusively exploit such tarpit vulnerabilities in malware to slow down or, ideally, even stop malware. Using dynamic malware analysis, we monitor how malware interacts with the POSIX and Winsock socket APIs. From this, we infer network operations that would have blocked when provided certain network inputs. We augment this vulnerability search with an automated generation of tarpits that exploit the identified vulnerabilities. We apply our prototype MALPITY on six popular malware families and discover 12 previously-unknown tarpit vulnerabilities, revealing that all families are susceptible to our defense. We demonstrate how to, e.g., halt Pushdo’s DGA-based C2 communication, hinder Sality P2P peers from receiving commands or updates, and stop Bashlite’s spreading engine.
| Item Type: | Conference or Workshop Item (A Paper) (Paper) |
|---|---|
| Divisions: | Christian Rossow (System Security Group, SysSec) |
| Conference: | EuroS&P IEEE European Symposium on Security and Privacy |
| Depositing User: | Sebastian Walla |
| Date Deposited: | 23 Jun 2019 18:38 |
| Last Modified: | 18 Jul 2019 12:10 |
| Primary Research Area: | NRA3: Threat Detection and Defenses |
| URI: | https://publications.cispa.saarland/id/eprint/2922 |