University of Wisconsin-Madison

Research: Malware Evolution

Joint work with fellow graduate student Pavan Kuppili and Prof. Aditya Akella and Prof. Paul Barford.

The diversity, sophistication and availability of malicious software (malcode/malware) pose enormous challenges for securing networks and end hosts from attacks. We analyze a large corpus of malcode meta data compiled over a period of 19 years. Our aim is to understand how malcode has evolved over the years, and in particular, how different instances of malcode relate to one another. We develop a novel graph pruning technique to establish the inheritance relationships between different instances of malcode based on temporal information and key common phrases identified in the malcode descriptions. Our algorithm enables a range of possible inheritance structures. We study the resulting "likely" malcode families, which we identify through extensive manual investigation. We present an evaluation of gross characteristics of malcode evolution and also drill down on the details of the most interesting and potentially dangerous malcode families.

Malware families

Some of the most interesting malware families which our algorithms unearthed are presented below. The names of the malware families here are the McAfee names of the most common malware in the family.

• Mytob family
• Bagle family
• Loveletter family
• A 'downloader' family
• A "joke" family

Some other uncategorized large families are presented here.

• 88 node family (Comprising of Keyloggers)
• 120 node family
• 68 node family (Comprising of Adware - spyware in software with Ads)
• 55 node family (Comprising of Word Macro viruses)
• 50 node family (Another Word Macro virus family)
• 63 node family (Yet another Word Macro virus family)

Menu

• Home
• Research
  • Redundancy
  • Malware
  • Buffer Cache
• Courses
• Resume
• Code
• Contact