October 15, 2015
Antonio Nappa
Cybercriminals use different types of geographically distributed servers to run their operations, such as C&C servers for managing their malware, exploit servers to distribute the malware, payment servers for monetization, and redirectors for anonymity. Identifying the server infrastructure used by a cybercrime operation is fundamental for defenders: it enables take-downs that can disrupt the operation and is a critical step towards identifying the criminals behind it.
In this presentation we will show advances in malicious server infrastructure analysis and detection, solving two fundamental problems: (1) attribution, that is, identifying which servers belong to which operation, and (2) enumeration, that is, detecting all the servers of a given operation. We have analyzed more than 500 exploit servers in the wild over a period of 11 months, collecting over time how exploit servers are configured, which exploits they use, and what malware they distribute, and grouping servers with similar configurations into operations. Our operational analysis reveals that although individual exploit servers have a median lifetime of 16 hours, long-lived operations exist that run for several months. To sustain long-lived operations, miscreants are turning to the cloud, with 60% of the exploit servers hosted by specialized cloud hosting services. We also observe operations that distribute multiple malware families, and pay-per-install affiliate programs that manage exploit servers for their affiliates to convert traffic into installations. Furthermore, we expand our analysis beyond exploit servers: to this end we have developed tools codenamed CyberProbe and AutoProbe that scan the Internet looking for any kind of malicious server. We have used CyberProbe and AutoProbe to identify different malicious operations in the wild. Our tools achieve 4 times better coverage than existing online services that report malicious servers.
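One way to carry out the attribution step described above (grouping servers with similar configurations into operations), as an added example that is not the authors' code nor the method behind CyberProbe or AutoProbe: a similarity score over constructed exploit-server records, with a union-find that merges servers sharing enough features into one candidate operation. The feature weights, the threshold and all record values are assumptions.

```python
from itertools import combinations

# Constructed sample records (not real infrastructure): one entry per exploit
# server, with the configuration features the abstract says are collected.
SERVERS = [
    {"id": "srv-1", "kit": "kit-X", "exploits": {"exp-1", "exp-2"},
     "malware": {"family-A"}, "landing": "/index.php?id="},
    {"id": "srv-2", "kit": "kit-X", "exploits": {"exp-2", "exp-3"},
     "malware": {"family-A"}, "landing": "/index.php?id="},
    {"id": "srv-3", "kit": "kit-Y", "exploits": {"exp-4"},
     "malware": {"family-B"}, "landing": "/go.php"},
    {"id": "srv-4", "kit": "kit-Y", "exploits": {"exp-4", "exp-5"},
     "malware": {"family-C"}, "landing": "/go.php"},
    {"id": "srv-5", "kit": "kit-X", "exploits": {"exp-1"},
     "malware": {"family-D"}, "landing": "/main.php"},
]


def similarity(a, b):
    """Count shared configuration features; the weights are an assumption."""
    score = 0
    score += a["kit"] == b["kit"]                    # same exploit kit
    score += bool(a["exploits"] & b["exploits"])     # overlapping exploit set
    score += 2 * bool(a["malware"] & b["malware"])   # same malware: strong link
    score += a["landing"] == b["landing"]            # same landing-page layout
    return score


def cluster_operations(servers, threshold=3):
    """Union servers whose similarity reaches the threshold; every connected
    component of the resulting graph is one candidate operation."""
    parent = {s["id"]: s["id"] for s in servers}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving keeps lookups short
            x = parent[x]
        return x

    for a, b in combinations(servers, 2):
        if similarity(a, b) >= threshold:
            parent[find(a["id"])] = find(b["id"])

    groups = {}
    for s in servers:
        groups.setdefault(find(s["id"]), []).append(s["id"])
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for op in cluster_operations(SERVERS):
        print("operation:", ", ".join(op))
```

Transitive links matter: a server need only resemble one member of a group to join it, which is how the same operation is recovered even when its servers rotate exploits or malware over time.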