Ph.D. Proposal Oral Exam - Jonathan Fuller
Title: Towards Large-Scale Monitoring of C&C Infrastructures via Over-Permissioned Malware Practices
Committee:
Dr. Saltaformaggio, Advisor
Dr. Frank Li, Chair
Dr. Ahamad
Abstract: The objective of the proposed research is to investigate the standard protocols and web services commonly used in malware, towards covert C&C infrastructure monitoring, a fundamental enabler of botnet disruptions and takedowns. Current techniques for monitoring botnets are likely either to gather inaccurate data about the botnet or to be detected by the C&C orchestrators. To provide a comprehensive analysis, this work will evaluate a large corpus of malware and conduct a temporal analysis spanning the last two decades. Preliminary results from 200k malware samples captured since 2006 revealed 62,202 bots (nearly 1 in 3) that contain over-permissioned protocols, a steady increase in over-permissioned protocol use over the last 15 years, and 443,905 C&C monitoring capabilities. Given their ubiquity, we conclude that even though over-permissioned protocols allow for C&C server infiltration and monitoring, the efficiency and ease of use they provide continue to make them prevalent in the malware operational landscape. Based on these findings, we move on to study the prevalence of malware that uses web services to hide C&C server rendezvous points. Specifically, we will study the types of web services abused by malware and the means and mode of their abuse, and develop techniques to trace bot orchestrators' migration of C&C servers through web service updates, towards covert C&C infrastructure monitoring.
Status
- Workflow Status: Published
- Created By: Daniela Staiculescu
- Created: 09/23/2021
- Modified By: Daniela Staiculescu
- Modified: 09/23/2021