Catching Worms, Trojan Horses and PUPs: Unsupervised Detection of Silent Delivery Campaigns

TL;DR

This paper introduces Beewolf, an unsupervised system that detects silent malware delivery campaigns by identifying lockstep download behaviors, revealing new insights into malware ecosystems and outperforming existing detection methods.

Contribution

The paper presents Beewolf, a novel unsupervised system for detecting silent delivery campaigns at scale, with high accuracy and early detection capabilities.

Findings

Beewolf detects over 92% of true positives with less than 5% false positives.

It can identify suspicious downloaders a median of 165 days before antivirus detection.

It uncovers malware distribution through software update channels and ecosystem overlaps.

Abstract

The growing commoditization of the underground economy has given rise to malware delivery networks, which charge fees for quickly delivering malware or unwanted software to a large number of hosts. To provide this service, a key method is the orchestration of silent delivery campaigns, which involve a group of downloaders that receive remote commands and that deliver their payloads without any user interaction. These campaigns have not been characterized systematically, unlike other aspects of malware delivery networks. Moreover, silent delivery campaigns can evade detection by relying on inconspicuous downloaders on the client side and on disposable domain names on the server side. We describe Beewolf, a system for detecting silent delivery campaigns from Internet-wide records of download events. The key observation behind our system is that the downloaders involved in these campaigns frequently retrieve payloads in lockstep. Beewolf identifies such locksteps in an unsupervised and deterministic manner. By exploiting novel techniques and empirical observations, Beewolf can operate on streaming data. We utilize Beewolf to study silent delivery campaigns at scale, on a data set of 33.3 million download events. This investigation yields novel findings, e.g. malware distributed through compromised software update channels, a substantial overlap between the delivery ecosystems for malware and unwanted software, and several types of business relationships within these ecosystems. Beewolf achieves over 92% true positives and fewer than 5% false positives. Moreover, Beewolf can detect suspicious downloaders a median of 165 days ahead of existing anti-virus products and payload-hosting domains a median of 196 days ahead of existing blacklists.