Example of a malware strategy pattern

A lot of malware works through web browsers. As users browse various sites, some compromised sites can infect the user's computer with malicious content. Packet capture tools (like tcpdump or the related Wireshark) can capture packet data. But typically packet captures are very large; it is hard to make out what is bad in such captures.

For example, consider the picture here. See the red and blue circles? Those are examples of malware. The traffic associated with these, i.e. the size of the flows, is nothing remarkable. The difference is in the behavior of this malware. Our focus is on finding these behaviors.

The following considers traffic patterns associated with a particular malware. This is discussed in a SANS Institute report; the packet capture data associated with it is available at http://www.malware-traffic-analysis.net/2015/07/05/index2.html

In this example, the malware is loaded into Flash in a web page that has been modified by the crooks. Flash (and various other plugins) can be made to execute something locally. Once you give that capability, it can very well allow a malicious script to download and execute an "exploit", in this case something that locks your computer and demands a ransom. Unfortunately such attacks are common. The ransom demanded is usually not a very large amount, so that organizations would pay rather than suffer through a long data outage.

The following pictures show patterns of how this malware works in various situations. The different little squares represent various web pages (or parts of pages). The user is browsing the one at the top left. Typically a web page contains various other pieces that are also fetched. These may be ads or scripts to make the page attractive. In this case, some malicious scripts are also executed. These drag in the "exploit kit" that subsequently locks the user's files.

[Figures: Sample 0 through Sample 9, one traffic-pattern diagram per captured instance]

Even though each of these pictures is a little different, there is the same type of activity in all. We can show this with a simple picture.

Main malware pattern
The picture above illustrates the strategy behind the malware. The crooks first modify a page that an innocent user may browse. In some of the examples here, the pages modified were at a site helping people who are depressed. The site is modified so that when the user browses, another page is dragged in. This page in turn executes a script at a third site which downloads and executes the malware.

The strategy here can be determined from the steps involved. The strategy always has to drag in another page, which happens to be hidden in obfuscated JavaScript. Then it downloads the actual exploit from a site registered in China. In between, various other sites may be accessed, so we cannot expect a strict match between all the instances of this exploit. But the strategy has to achieve certain key steps. As such steps are accomplished, we can get a close match of the strategy in all the different instances.
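As an added example (not part of the original article or the referenced report), the following Python matches the key steps just described as an ordered subsequence of HTTP flows, tolerating unrelated requests in between. The flow records and hostnames are constructed placeholders, and the stage predicates (response content type plus the referer chain) are assumptions about how the key steps show up in a capture.

```python
from dataclasses import dataclass

@dataclass
class Flow:
    host: str      # server the request went to
    ctype: str     # Content-Type of the response
    referer: str   # host named in the Referer header ("" if none); constructed simplification

# Key steps of the strategy: each predicate sees this flow and the flow matched at the previous step.
def landing(f, prev):      # page the user actually browsed to (no referer)
    return f.ctype == "text/html" and f.referer == ""

def redirect(f, prev):     # hidden page dragged in from another host by the landing page
    return f.ctype == "text/html" and f.host != prev.host and f.referer == prev.host

def exploit_kit(f, prev):  # script or Flash object fetched from a third site by the hidden page
    return (f.ctype in ("application/javascript", "application/x-shockwave-flash")
            and f.host != prev.host and f.referer == prev.host)

def payload(f, prev):      # executable delivered after the exploit kit runs
    return f.ctype in ("application/octet-stream", "application/x-msdownload") and f.referer == prev.host

STAGES = [("landing", landing), ("redirect", redirect), ("exploit kit", exploit_kit), ("payload", payload)]

def match_strategy(flows, stage=0, start=0, prev=None):
    """Find STAGES as an in-order subsequence of flows; any number of unrelated
    flows may sit between steps. Returns [(stage name, host), ...] or None.
    Backtracks, so an unrelated early candidate for a step cannot hide a real chain."""
    if stage == len(STAGES):
        return []
    name, pred = STAGES[stage]
    for i in range(start, len(flows)):
        if pred(flows[i], prev):
            rest = match_strategy(flows, stage + 1, i + 1, flows[i])
            if rest is not None:
                return [(name, flows[i].host)] + rest
    return None

# Constructed sample flows with placeholder hostnames (not taken from the real capture).
INFECTION = [
    Flow("search.example", "text/html", ""),                     # earlier, unrelated browsing
    Flow("support-forum.example", "text/html", ""),              # compromised page the user visits
    Flow("cdn.example", "text/css", "support-forum.example"),    # ordinary page asset
    Flow("ads.example", "application/javascript", "support-forum.example"),
    Flow("redirector.example", "text/html", "support-forum.example"),  # hidden page dragged in
    Flow("analytics.example", "image/gif", "support-forum.example"),
    Flow("ek-host.example", "application/x-shockwave-flash", "redirector.example"),
    Flow("payload-host.example", "application/octet-stream", "ek-host.example"),
]
BENIGN = [  # embedded widget also pulls html and a script from other hosts, but no payload follows
    Flow("news.example", "text/html", ""),
    Flow("widgets.example", "text/html", "news.example"),
    Flow("static.example", "application/javascript", "widgets.example"),
    Flow("static.example", "image/png", "news.example"),
]
```

Running `match_strategy` on the two samples returns the four matched stages for `INFECTION` and `None` for `BENIGN`, even though the benign page also loads content from several other hosts.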