Marked for Disruption: Tracing the Evolution of Malware Delivery Operations Targeted for Takedown
Colin C. Ife, Yun Shen, Steven J. Murdoch, and Gianluca Stringhini

TL;DR
This study analyzes how malware delivery operations respond to takedown efforts, revealing patterns of resilience, dominant binaries, and new behaviors that inform future cybersecurity strategies.
Contribution
It provides a detailed empirical analysis of malware operations' responses to takedown attempts, highlighting behaviors and structures previously undocumented.
Findings
Malware operations often use distributed architectures.
A small number of binaries account for most downloads.
Operations show displacing and defiant behaviors post-takedown.
Abstract
The malware and botnet phenomenon is among the most significant threats to cybersecurity today. Consequently, law enforcement agencies, security companies, and researchers are constantly seeking to disrupt these malicious operations through so-called takedown counter-operations. Unfortunately, the success of these takedowns is mixed. Furthermore, very little is understood as to how botnets and malware delivery operations respond to takedown attempts. We present a comprehensive study of three malware delivery operations that were targeted for takedown in 2015-16 using global download metadata provided by a major security company. In summary, we found that: (1) Distributed delivery architectures were commonly used, indicating the need for better security hygiene and coordination by the (ab)used service providers. (2) A minority of malware binaries were responsible for the majority of…
