CISPA

MALPITY: Automatic Identification and Exploitation of Tarpit Vulnerabilities in Malware

conference contribution
posted on 2023-11-29, 18:10 authored by Sebastian Walla, Christian Rossow
Law enforcement agencies regularly take down botnets as the ultimate defense against global malware operations. By arresting malware authors, and simultaneously infiltrating or shutting down a botnet’s network infrastructures (such as C2 servers), defenders stop global threats and mitigate pending infections. In this paper, we propose malware tarpits, an orthogonal defense that does not require seizing botnet infrastructures, and at the same time can also be used to slow down malware spreading and infiltrate its monetization techniques. A tarpit is a network service that causes a client to stay busy with a network operation. Our work aims to automatically identify network operations used by malware that will block the malware either forever or for a significant amount of time. We describe how to non-intrusively exploit such tarpit vulnerabilities in malware to slow down or, ideally, even stop malware. Using dynamic malware analysis, we monitor how malware interacts with the POSIX and Winsock socket APIs. From this, we infer network operations that would have blocked when provided certain network inputs. We augment this vulnerability search with an automated generation of tarpits that exploit the identified vulnerabilities. We apply our prototype MALPITY on six popular malware families and discover 12 previously-unknown tarpit vulnerabilities, revealing that all families are susceptible to our defense. We demonstrate how to, e.g., halt Pushdo’s DGA-based C2 communication, hinder SalityP2P peers from receiving commands or updates, and stop Bashlite’s spreading engine.
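The abstract describes a tarpit as a network service that keeps a client busy with a network operation, and the vulnerability it targets as a blocking socket operation that never completes when fed the right input. The following is an added example written for this page, not code from the MALPITY paper or its authors. It builds a small localhost tarpit that trickles one byte at a time and never closes, then contrasts a client read loop with no overall deadline (the pattern a tarpit can hold indefinitely) with a hardened loop that enforces a total time budget. The class and function names (`Tarpit`, `read_exact_naive`, `read_exact_bounded`, `probe`) and the trickle interval are constructed for illustration.

```python
import socket
import threading
import time


class Tarpit:
    """Minimal TCP tarpit for localhost experiments (constructed example).

    Accepts every connection, then sends one byte every `interval` seconds and
    never finishes a message or closes, so a peer waiting for a complete
    message of N bytes stays blocked for N * interval seconds.
    """

    def __init__(self, interval=0.2, byte=b"\x00"):
        self.interval = interval
        self.byte = byte
        self.stop = threading.Event()
        self.srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.srv.bind(("127.0.0.1", 0))  # ephemeral port, loopback only
        self.srv.listen(16)
        self.port = self.srv.getsockname()[1]
        self.srv.settimeout(0.1)  # lets the accept loop notice stop()
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while not self.stop.is_set():
            try:
                conn, _ = self.srv.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self._trickle, args=(conn,), daemon=True).start()
        self.srv.close()

    def _trickle(self, conn):
        # One byte per interval keeps the TCP session alive without ever
        # delivering a complete message.
        try:
            while not self.stop.is_set():
                conn.sendall(self.byte)
                time.sleep(self.interval)
        except OSError:
            pass
        finally:
            conn.close()

    def close(self):
        self.stop.set()


def read_exact_naive(sock, n):
    """Tarpit-prone pattern: loop on recv() until n bytes arrive, with no
    overall deadline. Progress of one byte per interval is enough to keep
    this loop (and the thread running it) busy for as long as the server likes."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before message completed")
        buf += chunk
    return buf


def read_exact_bounded(sock, n, deadline):
    """Hardened pattern: the whole message must arrive within `deadline`
    seconds. The per-call timeout is re-armed from the remaining budget, so
    slow trickling cannot stretch the wait beyond the deadline."""
    buf = b""
    end = time.monotonic() + deadline
    while len(buf) < n:
        remaining = end - time.monotonic()
        if remaining <= 0:
            raise TimeoutError(f"only {len(buf)}/{n} bytes after {deadline}s")
        sock.settimeout(remaining)
        try:
            chunk = sock.recv(n - len(buf))
        except socket.timeout:
            raise TimeoutError(f"only {len(buf)}/{n} bytes after {deadline}s")
        if not chunk:
            raise ConnectionError("peer closed before message completed")
        buf += chunk
    return buf


def probe(port, n, deadline=None):
    """Connect to the tarpit and try to read n bytes.
    Returns ("complete" | "timeout", elapsed_seconds)."""
    sock = socket.create_connection(("127.0.0.1", port))
    t0 = time.monotonic()
    try:
        if deadline is None:
            read_exact_naive(sock, n)
        else:
            read_exact_bounded(sock, n, deadline)
        outcome = "complete"
    except TimeoutError:
        outcome = "timeout"
    finally:
        sock.close()
    return outcome, time.monotonic() - t0


if __name__ == "__main__":
    tp = Tarpit(interval=0.1)
    print("naive, 3 bytes:", probe(tp.port, 3))
    print("bounded, 200 bytes, 0.5s budget:", probe(tp.port, 200, deadline=0.5))
    tp.close()
```

The naive reader completes a 3-byte message only because the tarpit eventually delivers 3 bytes; asked for 200 bytes it would sit for 20 seconds, and for an unbounded message it would never return. The bounded reader gives up once the total budget is spent, which is the property a client needs to be immune to this class of tarpit; measuring how much of a message arrived before the deadline is also a cheap way to spot a trickling peer in telemetry.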

History

Preferred Citation

Sebastian Walla and Christian Rossow. MALPITY: Automatic Identification and Exploitation of Tarpit Vulnerabilities in Malware. In: IEEE European Symposium on Security and Privacy (EuroS&P). 2019.

Primary Research Area

  • Threat Detection and Defenses

Name of Conference

IEEE European Symposium on Security and Privacy (EuroS&P)

Legacy Posted Date

2019-06-23

Open Access Type

  • Unknown

BibTeX

@inproceedings{cispa_all_2922,
  title     = "MALPITY: Automatic Identification and Exploitation of Tarpit Vulnerabilities in Malware",
  author    = "Walla, Sebastian and Rossow, Christian",
  booktitle = "{IEEE European Symposium on Security and Privacy (EuroS&P)}",
  year      = "2019",
}
