Developing a Comprehensive Understanding of Malware Delivery Mechanisms
Long Lu in collaboration with SRI and UIC
The cybercriminal community is inarguably more organized, better resourced and more motivated than ever to perpetrate massive-scale computer infections across the Internet. The malware distribution
systems that they control and operate are characterized by their use of highly specialized suppliers and commoditized malware services. As a consequence of this development, it is now possible for criminals, with little technical expertise, to operate sophisticated exploit kits and instantiate malicious-content advertising (malvertising) campaigns that surreptitiously infect, hundreds of thousands of, innocent victims. The MALDIVES project seeks to study and develop a new generation of technologies and analytics that offer deeper insights into how these malware infection infrastructures are deployed, operated, and interlinked with open web sources.
The MALDIVES project is primarily organized as a series of four attack observation lablets (ATOLLs). The Platform Acquisition Observatory (PLATO) is focused on studying the deployment phase of the server-side infection infrastructures. Specifically, this observatory extends web-application-vulnerability mimicry systems with a dynamic exploit-kit interrogation system, and adds automated intelligence tools to understand subsequent victim enticement strategies. The Victim Enticement Scheme Evaluation Lablet (VESSEL) is focused on studying the targeting phase of the malware infection lifecycle. It develops tools and conducts measurements on various enticement schemes, such as SEO poisoning and malvertising. The Traffic Redirection Observation Lablet (TROLL) is focused on the delivery phase and builds active and passive techniques to measure malware-related traffic redirection chains. The Exploit Kit Interrogation Environment (EXPLORE) builds automated probes to facilitate the detection and measurement of professionally designed automated infection services. A fifth lablet, that we call Defensive Strategies Investigation Lablet (DISTILL), investigates novel malware-defense capabilities based on lessons learned from prior lablets.
The outputs of this project aims at improving our understanding of malware delivery mechanisms employed by cybercriminals. The tools, techniques and intelligence acquired during the project will be valuable to not only cybersecurity research but also internet service providers and security product vendors. The project will open-source its software and provide education opportunities to women and minority students in the development and transition of technology.