Analysis of malware download sites by focusing on time series variation of malware

Abstract

As the use of Internet increases, malicious activity has become increasingly problematic. In particular, drive-by download attacks have become a serious problem. As part of an exploit-as-a-service ecosystem for drive-by download attacks, malware download sites play a particularly important role. In this study, we analyzed approximately 43,000 malware download URLs to investigate malware distribution and the behavior of malware download sites over an extended period, i.e., over 1.5 years. We found that some sites survive for a very long time and are revived frequently, a finding not revealed in previous research. By focusing on the malware variation, we have identified three categories of malware download sites, i.e., unchanged, every time changed, changed occasionally. We found that 10% of unchanged sites survived for more than 500 days, and 10% of changed occasionally sites were revived more than 15 times in the entire observation period. We also analyzed sites in terms of IP address changes, anti-virus application results, URL features, and VirusTotal results. We found that each category had different attacker operational and resource characteristics. Finally, based on our findings, we discuss effective countermeasures for each category.