Concepedia

Publication | Closed Access

Nazca: Detecting Malware Distribution in Large-Scale Networks

Citations: 125

References: 18

Year: 2014

Abstract

Malware remains one of the most significant security threats on the Internet. Antivirus solutions and blacklists, the main weapons of defense against these attacks, have only been (partially) successful. One reason is that cyber-criminals take active steps to bypass defenses, for example, by distributing constantly changing (obfuscated) variants of their malware programs, and by quickly churning through domains and IP addresses that are used for distributing exploit code and botnet commands. We analyze one of the core tasks that malware authors have to achieve to be successful: they must distribute and install malware programs onto as many victim machines as possible. A main vector to accomplish this is through drive-by download attacks, where victims are lured onto web pages that launch exploits against the users' web browsers and their components. Once an exploit is successful, the injected shellcode automatically downloads and launches the malware program. While a significant amount of previous work has focused on detecting the drive-by exploit step and the subsequent network traffic produced by malware programs, little attention has been paid to the intermediate step where the malware binary is downloaded. In this paper, we study how clients in real-world networks download and install malware, and present Nazca, a system that detects infections in large-scale networks. Nazca does not operate on individual connections, nor does it look at properties of the downloaded programs or the reputation of the servers hosting them. Instead, it looks at the telltale signs of the malicious network infrastructures that orchestrate these malware installations, signs that become apparent only when looking at the collective traffic produced by many users in a large network. Being content agnostic, Nazca does not suffer from coverage gaps in reputation databases (blacklists), and is not susceptible to code obfuscation. We have run Nazca on seven days of traffic from a large Internet Service Provider, where it has detected previously-unseen malware with very low false positive rates.
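The abstract's central claim is that a single download looks unremarkable on its own, while the distribution infrastructure behind it becomes visible only in aggregate traffic from many clients. The following script is an added illustration of that idea and is not code from the Nazca paper or its authors: it runs two simple collective checks over a small constructed download log (the same file identity appearing on several unrelated hosts, and one URL handing out many different files to different clients) and reports the hosts and clients involved. The log format, the use of a file hash as the file identity, and the thresholds are assumptions made for this example.

```python
from collections import defaultdict

# Constructed download events, one per line: "ts client server_host path sha256".
# Made-up sample data for this example, not traffic from the paper.
# cdn.example.net is a benign case: one host, one file, many clients.
CONSTRUCTED_LOG = """\
1 10.0.0.11 cdn.example.net /update.bin aaaa1111
2 10.0.0.12 cdn.example.net /update.bin aaaa1111
3 10.0.0.13 cdn.example.net /update.bin aaaa1111
4 10.0.0.14 dl1.example.org /setup.exe beef0001
5 10.0.0.15 dl2.example.org /setup.exe beef0001
6 10.0.0.16 203.0.113.5 /s.exe beef0001
7 10.0.0.17 pay.example.org /get.php cafe0001
8 10.0.0.18 pay.example.org /get.php cafe0002
9 10.0.0.19 pay.example.org /get.php cafe0003
10 10.0.0.20 pay.example.org /get.php cafe0004
11 10.0.0.21 dl1.example.org /other.exe beef0002
"""


def parse_log(text):
    """Parse the constructed log format into a list of download records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, path, digest = line.split()
        records.append({"ts": int(ts), "client": client, "host": host,
                        "path": path, "sha256": digest})
    return records


def find_distributed_files(records, min_hosts=3):
    """Files (by hash) served from at least min_hosts distinct hosts.

    One client fetching setup.exe from one host is unremarkable; the same
    bytes appearing on several unrelated hosts is only visible in aggregate.
    """
    hosts_by_file = defaultdict(set)
    for r in records:
        hosts_by_file[r["sha256"]].add(r["host"])
    return {f: sorted(h) for f, h in hosts_by_file.items() if len(h) >= min_hosts}


def find_mutating_urls(records, min_variants=3):
    """URLs (host, path) that handed out at least min_variants different files.

    A per-connection view sees one download per client; the churn of distinct
    binaries behind one URL is only visible across many clients.
    """
    files_by_url = defaultdict(set)
    for r in records:
        files_by_url[(r["host"], r["path"])].add(r["sha256"])
    return {u: sorted(f) for u, f in files_by_url.items() if len(f) >= min_variants}


def suspicious_hosts(records, min_hosts=3, min_variants=3):
    """Union of hosts implicated by either collective check."""
    hosts = set()
    for host_list in find_distributed_files(records, min_hosts).values():
        hosts.update(host_list)
    for host, _path in find_mutating_urls(records, min_variants):
        hosts.add(host)
    return sorted(hosts)


def affected_clients(records, hosts):
    """Clients that downloaded anything from the implicated hosts."""
    return sorted({r["client"] for r in records if r["host"] in hosts})


if __name__ == "__main__":
    recs = parse_log(CONSTRUCTED_LOG)
    hosts = suspicious_hosts(recs)
    print("distributed files:", find_distributed_files(recs))
    print("mutating URLs:", find_mutating_urls(recs))
    print("suspicious hosts:", hosts)
    print("clients to triage:", affected_clients(recs, set(hosts)))
```

Neither check inspects file contents or consults a blacklist, which mirrors the content-agnostic stance described in the abstract; the benign CDN host is left alone because it fails both thresholds. In a real deployment the thresholds would need to account for legitimate CDNs and software updaters, which is exactly the kind of false-positive control the paper evaluates on ISP traffic.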
