MASCOT: Analyzing Malware Evolution Through A Well-Curated Source Code Dataset

TL;DR

This paper presents MASCOT, a comprehensive malware source code dataset and a multi-view genealogy analysis method to understand malware evolution, revealing increasing complexity, standardization, and lineage expansion driven by code reuse.

Contribution

It introduces a curated malware source code dataset and a novel multi-view genealogy analysis approach to study malware evolution and connections.

Findings

Malware exhibits increasing complexity and standardization over time.

Code reuse significantly influences malware lineage expansion.

Despite quality issues, malware development follows mainstream software engineering trends.

Abstract

In recent years, the explosion of malware and extensive code reuse have formed complex evolutionary connections among malware specimens. The rapid pace of development makes it challenging for existing studies to characterize recent evolutionary trends. In addition, intuitive tools to untangle these intricate connections between malware specimens or categories are urgently needed. This paper introduces a manually-reviewed malware source code dataset containing 6032 specimens. Building on and extending current research from a software engineering perspective, we systematically evaluate the scale, development costs, code quality, as well as security and dependencies of modern malware. We further introduce a multi-view genealogy analysis to clarify malware connections: at an overall view, this analysis quantifies the strength and direction of connections among specimens and categories; at a detailed view, it traces the evolutionary histories of individual specimens. Experimental results indicate that, despite persistent shortcomings in code quality, malware specimens exhibit an increasing complexity and standardization, in step with the development of mainstream software engineering practices. Meanwhile, our genealogy analysis intuitively reveals lineage expansion and evolution driven by code reuse, providing new evidence and tools for understanding the formation and evolution of the malware ecosystem.