Analysis and Categorization of Drive-by Download Malware

Mohit Singhal, David Levine
DOI: 10.1109/CCCS.2019.8888147 (https://doi.org/10.1109/CCCS.2019.8888147)
Published in: 2019 4th International Conference on Computing, Communications and Security (ICCCS)
Publication date: 2019-05-08
Citations: 5

Abstract

With the increase in the usage of websites as the main source of information gathering, malicious activity, especially drive-by downloads, has increased exponentially. A drive-by download refers to the unintentional download of malicious code to a user's computer that leaves the user open to a cyberattack. It has become the preferred distribution vector for many malware families. The purpose of this research is to analyze the malware obtained from visiting approximately 100,000 malicious URLs, running the collected binaries in sandboxes, and then analyzing their runtime behavior with a software tool (YARA) to categorize them and classify the malware family to which they belong. Out of the 1414 executables (binaries), 1000 were executed and 99 were identified as false positives. Of the remaining 901 binaries, 867 were identified as Trojan horses, and we identified 53 malware families, with one particular family, Kryptik, being the largest. About 12% of the binaries contained Office macros that established communication with C2 servers once they were executed in Microsoft Word/Excel. We also identified 105 binaries that had the same file name and were retrieved from the same website but had different hashes; the mean interval between the first and last stored copy was 17 days, and about 5% of these binaries produced different analysis results between their first and last stored copies.