M. Zubair Rafique scite author profile

Drive-by downloads are the preferred distribution vector for many malware families. In the drive-by ecosystem many exploit servers run the same exploit kit and it is a challenge understanding whether the exploit server is part of a larger operation. In this paper we propose a technique to identify exploit servers managed by the same organization. We collect over time how exploit servers are configured and what malware they distribute, grouping servers with similar configurations into operations. Our operational analysis reveals that although individual exploit servers have a median lifetime of 16 hours, long-lived operations exist that operate for several months. To sustain long-lived operations miscreants are turning to the cloud, with 60% of the exploit servers hosted by specialized cloud hosting services. We also observe operations that distribute multiple malware families and that pay-per-install affiliate programs are managing exploit servers for their affiliates to convert traffic into installations. To understand how difficult is to take down exploit servers, we analyze the abuse reporting process and issue abuse reports for 19 long-lived servers. We describe the interaction with ISPs and hosting providers and monitor the result of the report. We find that 61% of the reports are not even acknowledged. On average an exploit server still lives for 4.3 days after a report.

show abstract

FIRMA: Malware Clustering and Network Signature Generation with Mixed Network Behaviors

Rafique

Caballero

2013

View full text Add to dashboard Cite

The ever-increasing number of malware families and polymorphic variants creates a pressing need for automatic tools to cluster the collected malware into families and generate behavioral signatures for their detection. Among these, network traffic is a powerful behavioral signature and network signatures are widely used by network administrators. In this paper we present FIRMA, a tool that given a large pool of network traffic obtained by executing unlabeled malware binaries, generates a clustering of the malware binaries into families and a set of network signatures for each family. Compared with prior tools, FIRMA produces network signatures for each of the network behaviors of a family, regardless of the type of traffic the malware uses (e.g., HTTP, IRC, SMTP, TCP, UDP). We have implemented FIRMA and evaluated it on two recent datasets comprising nearly 16,000 unique malware binaries. Our results show that FIRMA's clustering has very high precision (100% on a labeled dataset) and recall (97.7%). We compare FIRMA's signatures with manually generated ones, showing that they are as good (often better), while generated in a fraction of the time.

show abstract

The MALICIA dataset: identification and analysis of drive-by download operations

Nappa

Rafique

Caballero

2014

Int. J. Inf. Secur.

View full text Add to dashboard Cite

Drive-by downloads are the preferred distribution vector for many malware families. In the drive-by ecosystem, many exploit servers run the same exploit kit and it is a challenge understanding whether the exploit server is part of a larger operation. In this paper, we propose a technique to identify exploit servers managed by the same organization. We collect over time how exploit servers are configured, which exploits they use, and what malware they distribute, grouping servers with similar configurations into operations. Our operational analysis reveals that although individual exploit servers have a median lifetime of 16 h, long-lived operations exist that operate for several months. To sustain long-lived operations, miscreants are turning to the cloud, with 60 % of the exploit servers hosted by specialized cloud hosting services. We also observe operations that distribute multiple malware families and that pay-per-install affiliate programs are managing exploit servers for their affiliates to convert traffic into installations. Furthermore, we analyze the exploit polymorphism problem, measuring the repacking rate for different exploit types. To understand how difficult is to takedown exploit servers, we analyze the abuse reporting process and issue abuse reports for 19 long-lived servers. We describe the interaction with ISPs and hosting providers and monitor the result of the report. We find that

show abstract

Nonsense Mutation Inside Anthocyanidin Synthase Gene Controls Pigmentation in Yellow Raspberry (Rubus idaeus L.)

et al. 2016

View full text Add to dashboard Cite

Yellow raspberry fruits have reduced anthocyanin contents and offer unique possibility to study the genetics of pigment biosynthesis in this important soft fruit. Anthocyanidin synthase (Ans) catalyzes the conversion of leucoanthocyanidin to anthocyanidin, a key committed step in biosynthesis of anthocyanins. Molecular analysis of the Ans gene enabled to identify an inactive ans allele in a yellow fruit raspberry (“Anne”). A 5 bp insertion in the coding region was identified and designated as ans+5. The insertion creates a premature stop codon resulting in a truncated protein of 264 amino acids, compared to 414 amino acids wild-type ANS protein. This mutation leads to loss of function of the encoded protein that might also result in transcriptional downregulation of Ans gene as a secondary effect, i.e., nonsense-mediated mRNA decay. Further, this mutation results in loss of visible and detectable anthocyanin pigments. Functional characterization of raspberry Ans/ans alleles via complementation experiments in the Arabidopsis thaliana ldox mutant supports the inactivity of encoded protein through ans+5 and explains the proposed block in the anthocyanin biosynthetic pathway in raspberry. Taken together, our data shows that the mutation inside Ans gene in raspberry is responsible for yellow fruit phenotypes.

show abstract

scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.

Contact Info

hi@scite.ai

10624 S. Eastern Ave., Ste. A-614

Henderson, NV 89052, USA

Blog Terms and Conditions API Terms Privacy Policy Contact Cookie Preferences Do Not Sell or Share My Personal Information

Made with 💙 for researchers

Part of the Research Solutions Family.

M. Zubair Rafique

Driving in the Cloud: An Analysis of Drive-by Download Operations and Abuse Reporting

FIRMA: Malware Clustering and Network Signature Generation with Mixed Network Behaviors

The MALICIA dataset: identification and analysis of drive-by download operations

Nonsense Mutation Inside Anthocyanidin Synthase Gene Controls Pigmentation in Yellow Raspberry (Rubus idaeus L.)

Contact Info

Product

Resources

About