Malpedia: A Collaborative Effort to Inventorize the Malware Landscape

  • Daniel Plohmann, Fraunhofer FKIE
  • Martin Clauß, Fraunhofer FKIE
  • Elmar Padilla, Fraunhofer FKIE

Abstract

For more than a decade now, a perpetual influx of new malware samples can be observed. To analyze this flood effectively, static analysis is still one of the most important methods. Thus, it would be highly desirable to have an open, freely accessible, curated, and cleanly labeled corpus of unpacked malware samples for research on static analysis methods.

In this paper, we introduce MALPEDIA, a collaboration platform for curating a malware corpus. Additionally, we provide a baseline for a cleanly labeled malware corpus consisting of 607 families divided into 1792 samples. This corpus offers a plethora of possibilities for researchers, including using it as a testbed for evaluating detection and analysis methods, quality assurance for classification, and contextualization of new malware. To ensure the quality of our corpus, we adapt the requirements of Rossow et al., derive specific requirements for the context of static malware analysis, and evaluate our corpus against them.

Based on our corpus, we show that looking beyond packers dramatically reduces the size needed for a corpus to be representative, as the number of distinct malware families and versions after unpacking is orders of magnitude smaller than the number of unique packed samples. Additionally, we perform a comprehensive study of the Windows malware in the corpus, scrutinizing its structural features. This analysis clearly illustrates that MALPEDIA offers a wealth of information, readily available for in-depth investigations.

References

[1] C. Rossow, C. J. Dietrich, C. Kreibich, C. Grier, V. Paxson, N. Pohlmann, H. Bos, and M. van Steen, “Prudent Practices for Designing Malware Experiments: Status Quo and Outlook,” in Proceedings of the 33rd IEEE Symposium on Security and Privacy (S&P), San Francisco, CA, 2012.
[2] AV-Test GmbH, “Malware Statistics,” October 2017. Tracking website by AV-Test: https://www.av-test.org/en/statistics/malware/.
[3] T. Barabosch, N. Bergmann, A. Dombeck, and E. Padilla, “Quincy: Detecting host-based code injection attacks in memory dumps,” in Proceedings of the 14th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA), Bonn, Germany, 2017.
[4] T. Barabosch, S. Eschweiler, and E. Gerhards-Padilla, “Bee Master: Detecting host-based code injection attacks,” in Proceedings of the 11th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA), London, UK, 2014.
[5] FIRST Traffic Light Protocol Special Interest Group, “TRAFFIC LIGHT PROTOCOL (TLP).” FIRST Standards Definitions and Usage Guidance: https://first.org/tlp/.
[6] C. Wagner, A. Dulaunoy, G. Wagener, and A. Iklody, “MISP: The design and implementation of a collaborative threat intelligence sharing platform,” in Proceedings of the 2016 ACM on Workshop on Information Sharing and Collaborative Security, pp. 49–56, ACM, 2016.
[7] G. Webster, B. Kolosnjaji, C. von Pentz, J. Kirsch, Z. Hanif, A. Zarras, and C. Eckert, “Finding the Needle: A Study of the PE32 Rich Header and Respective Malware Triage,” in Proceedings of the 14th Conference on Detection of Intrusions and Malware and Vulnerability Assessment (DIMVA), Bonn, Germany, 2017.
[8] D. Plohmann, “ApiScout: Painless Windows API information recovery,” April 2017. Blog post for ByteAtlas: http://byte-atlas.blogspot.de/2017/04/apiscout.html.
[9] V. Zwanger and F. C. Freiling, “Kernel mode API spectroscopy for incident response and digital forensics,” in Proceedings of the 2nd ACM SIGPLAN Program Protection and Reverse Engineering Workshop (PPREW), Rome, Italy, 2013.
[10] Horsicq, “Detect-It-Easy,” 2014. GitHub repository: https://github.com/horsicq/Detect-It-Easy/.
[11] Microsoft, “/SAFESEH (Image has Safe Exception Handlers),” tech. rep., Microsoft, 2017. MSDN article: https://msdn.microsoft.com/en-us/library/9a89h429(v=vs.110).aspx.
[12] Microsoft, “PE Format (Windows),” tech. rep., Microsoft, 2017. MSDN article: https://msdn.microsoft.com/en-us/library/windows/desktop/ms680547(v=vs.85).aspx.
[13] N. A. Quynh, “Capstone disassembly engine.” http://www.capstone-engine.org/.
[14] D. Andriesse, J. Slowinska, and H. Bos, “Compiler-agnostic function detection in binaries,” in Proceedings of the 2nd IEEE European Symposium on Security and Privacy (EuroS&P), Paris, France, 2017.
[15] Microsoft, “Debug Interface Access SDK,” 2015. MSDN article: https://msdn.microsoft.com/en-us/library/x93ctkx8.aspx.
[16] M. Russinovich and D. A. Solomon, Windows Internals: Including Windows Server 2008 and Windows Vista, Fifth Edition. Microsoft Press, 5th ed., 2009.
[17] M. Galkovsky, “DLLs the Dynamic Way,” November 1999. Article for MSDN: https://msdn.microsoft.com/en-us/library/ms810279.aspx.
[18] M. Suenaga, “A Museum of API Obfuscation on Win32,” tech. rep., Symantec, 2009.
[19] B. Farinholt, M. Rezaeirad, P. Pearce, H. Dharmdasani, H. Yin, S. Le Blond, D. McCoy, and K. Levchenko, “To catch a ratter: Monitoring the behavior of amateur DarkComet RAT operators in the wild,” in Proceedings of the 38th IEEE Symposium on Security and Privacy (S&P), San Jose, CA, 2017.
[20] T. Gardon, “New self-protecting USB trojan able to avoid detection,” March 2016. Blog post for ESET: https://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-ableto-avoid-detection/.
[21] FireEye, “Tracking Malware with Import Hashing,” January 2014. Blog post for FireEye: https://www.fireeye.com/blog/threatresearch/2014/01/tracking-malwareimport-hashing.html.
[22] S. Tomonaga, “Malware Clustering using impfuzzy and Network Analysis,” March 2017. Blog post for JPCERT/CC: http://blog.jpcert.or.jp/2017/03/malwareclustering-using-impfuzzy-and-networkanalysis---impfuzzy-for-neo4j-.html.
[23] Y. Nativ, L. Ludar, and S. Shalev, “theZoo,” 2014. GitHub repository: https://github.com/ytisf/theZoo.
[24] E. Freyssinet, Lutte contre les botnets : analyse et stratégie. PhD thesis, Université Pierre et Marie Curie - Paris VI, 2015.
[25] E. Freyssinet, “Botnets.fr,” 2011. Wiki: https://www.botnets.fr/wiki/Main_Page.
[26] Various, “Malware Wiki,” 2009. Wiki: http://malware.wikia.com/wiki/Main_Page.
[27] MITRE, “Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK),” 2015. Wiki: https://attack.mitre.org/wiki/Main_Page.
[28] MalwareHunterTeam, “ID Ransomware,” April 2016. Web service: https://id-ransomware.malwarehunterteam.com/index.php.
[29] M. Hypponen, “Malware Museum,” February 2016. Archive: https://archive.org/details/malwaremuseum.
[30] F. Skulason, A. Solomon, and V. Bontchev, “A new virus naming convention,” 1991. Article by CARO: http://www.caro.org/articles/naming.html.
[31] CME Editorial Board, “The Common Malware Enumeration (CME),” November 2006. Article by CARO: https://cme.mitre.org/about/faqs.html.
[32] M. Sebastián, R. Rivera, P. Kotzias, and J. Caballero, “AVclass: A tool for massive malware labeling,” in Proceedings of the 19th International Symposium on Research in Attacks, Intrusions, and Defenses (RAID), Evry, France, 2016.
[33] C. Lever, P. Kotzias, D. Balzarotti, J. Caballero, and M. Antonakakis, “A lustrum of malware network communication: Evolution and insights,” in Proceedings of the 38th IEEE Symposium on Security and Privacy (S&P), San Jose, CA, 2017.
[34] Y. Ye, T. Li, D. Adjeroh, and S. S. Iyengar, “A survey on malware detection using data mining techniques,” ACM Computing Surveys (CSUR), 2017.
[35] M. Belaoued and S. Mazouzi, “An MCA Based Method for API Association Extraction for PE Malware Categorization,” International Journal of Information and Electronics Engineering, 2015.
Published
2017-12-31
How to Cite
PLOHMANN, Daniel; CLAUß, Martin; PADILLA, Elmar. Malpedia: A Collaborative Effort to Inventorize the Malware Landscape. The Journal on Cybercrime & Digital Investigations, [S.l.], v. 3, n. 1, p. 1-19, Dec. 2017. ISSN 2494-2715. Available at: <https://journal.cecyf.fr/ojs/index.php/cybin/article/view/17>. Date accessed: 20 July 2018. doi: https://doi.org/10.18464/cybin.v3i1.17.
Section
Conference proceedings