(A) comprehensive study on the active malware distribution: common patterns and countermeasures / A comprehensive analysis of active malware distribution

| DC Field | Value | Language |
| --- | --- | --- |
| dc.contributor.advisor | Shin, Seungwon | - |
| dc.contributor.advisor | 신승원 | - |
| dc.contributor.author | Cho, Seonghwan | - |
| dc.date.accessioned | 2022-04-27T19:32:25Z | - |
| dc.date.available | 2022-04-27T19:32:25Z | - |
| dc.date.issued | 2021 | - |
| dc.identifier.uri | http://library.kaist.ac.kr/search/detail/view.do?bibCtrlNo=948631&flag=dissertation | en_US |
| dc.identifier.uri | http://hdl.handle.net/10203/296197 | - |
| dc.description | Thesis (Master's) - Korea Advanced Institute of Science and Technology (KAIST): Graduate School of Information Security, 2021.2, [iii, 30 p. :] | - |
| dc.description.abstract | Since its inception in the 1980s, malware has continuously evolved in order to infect a greater number of victims and earn more revenue. Recent malware often contains diverse strategies and sophisticated functionalities, targeting almost all business areas. To catch up with these up-to-date malware threats, we need a comprehensive study on the currently active malware dataset, excluding the deprecated malware samples from previous attacks. To this end, we utilize Cyber Threat Intelligence sharing platforms to collect malicious/suspicious malware distribution URLs. Based on the real-time malware intelligence, we collected a large-scale live malware dataset downloaded directly from the web for more than 270 days. In this work, we systematically analyze malware distribution networks' behaviors and characteristics and finally comprehend how we can effectively prevent/hinder malware distributions. The result of our large-scale study shows a clear trend in the current malware landscape. (i) We found that most malware is not newly invented but produced by modifying some existing malware. (ii) We identified four popular malware families, which constitute 43% of malicious samples. (iii) We identified the server-side malware variant generation patterns through the byte-level similarity result. We also suggest a novel clustering approach to group similar malware variants, reducing future malware analysis burden. | - |
| dc.language | eng | - |
| dc.publisher | Korea Advanced Institute of Science and Technology (KAIST) | - |
| dc.subject | Cyber threat intelligence; malware analysis; locality sensitive hash; malware clustering; malware trend study | - |
| dc.subject | Cyber threat intelligence; malware analysis; similarity hash; malware clustering; malware trend analysis | - |
| dc.title | (A) comprehensive study on the active malware distribution: common patterns and countermeasures | - |
| dc.title.alternative | A comprehensive analysis of active malware distribution | - |
| dc.type | Thesis(Master) | - |
| dc.identifier.CNRN | 325007 | - |
| dc.description.department | Korea Advanced Institute of Science and Technology (KAIST): Graduate School of Information Security | - |
| dc.contributor.alternativeauthor | 조성환 | - |
Appears in Collection
IS-Theses_Master (Master's theses)
Files in This Item
There are no files associated with this item.