The malware and botnet phenomenon is among the most significant threats to
cybersecurity today. Consequently, law enforcement agencies, security
companies, and researchers are constantly seeking to disrupt these malicious
operations through so-called takedown counter-operations. Unfortunately, the
success of these takedowns is mixed. Furthermore, very little is understood as
to how botnets and malware delivery operations respond to takedown attempts. We
present a comprehensive study of three malware delivery operations that were
targeted for takedown in 2015-16 using global download metadata provided by a
major security company. In summary, we found that: (1) Distributed delivery
architectures were commonly used, indicating the need for better security
hygiene and coordination by the (ab)used service providers. (2) A minority of
malware binaries were responsible for the majority of download activity,
suggesting that detecting these “super binaries” would yield the most benefit
to the security community. (3) The malware operations exhibited displacing and
defiant behaviours following their respective takedown attempts. We argue that
these “predictable” behaviours could be factored into future takedown
strategies. (4) The malware operations also exhibited previously undocumented
behaviours, such as Dridex dropping competing brands of malware, or Dorkbot and
Upatre heavily relying on upstream dropper malware. These “unpredictable”
behaviours indicate the need for researchers to use better threat-monitoring

By admin