$1.6m awarded by NSF to Prof. Long Lu in collaboration with SRI and UIC



MALDIVES: Developing a Comprehensive Understanding of Malware Delivery Mechanisms


The cybercriminal community is inarguably more organized, better resourced and more motivated than ever to perpetrate massive-scale computer infections across the Internet. The malware distribution systems that they control and operate are characterized by their use of highly specialized suppliers and commoditized malware services. As a consequence of this development, criminals with little technical expertise can deploy and administer sophisticated exploit kits, and instantiate malicious-content advertising (malvertising) campaigns that surreptitiously infect hundreds of thousands of innocent victims. The MALDIVES project is developing a new generation of technologies to provide deeper insights into how these malware distribution systems are deployed, operated, and interlinked with open web sources.

The MALDIVES project is organized as a sequence of five attack observation lablets (ATOLLs) which are collectively designed to acquire an in-depth understanding of the key stages in contemporary malware dissemination infrastructures. The Platform Acquisition Observatory (PLATO) is focused on studying the deployment phase of the server-side infection infrastructures. This observatory extends web-application-vulnerability mimicry systems with a dynamic exploit-kit interrogation system, and adds automated intelligence tools to understand subsequent victim infection strategies. The Victim Enticement Scheme Evaluation Lablet (VESSEL) is focused on studying the targeting phase of the malware infection lifecycle. It develops tools and conducts measurements on various enticement schemes, such as Search Engine Optimization (SEO) poisoning and malvertising. The Traffic Redirection Observation Lablet (TROLL) is focused on the delivery phase and builds active and passive techniques to measure malware-related traffic redirection chains. The Exploit Kit Interrogation Environment (EXPLORE) builds automated probes to facilitate the detection and measurement of professionally designed automated infection services. The Defensive Strategies Investigation Lablet (DISTILL) investigates novel malware-defense capabilities based on the insights acquired from prior lablets.