To keep pace with the rampant malware threat, security analysts operate tools that collect and observe malicious content on the internet. Since malware is robust against static analysis, dynamic environments are used for this purpose: automated platforms that execute malware and acquire knowledge about its runtime behavior. Today, malware analysis platforms are powerful at characterizing the system behavior of malware. However, little research has been done on automatically characterizing malicious code according to its network communication protocols. Yet this is becoming a real challenge as modern botnets increasingly adopt hybrid topologies that use custom P2P protocols for command and control. This paper presents PeerViewer, a system that automatically classifies malware according to its P2P network behavior. Today's P2P malware either uses variants of known P2P protocols or builds its own custom P2P protocol, as Sality and ZeroAccess do. PeerViewer builds classifiers for known P2P malware families. It then builds a network footprint for malicious code running in a sandbox and compares this footprint with those of the known P2P malware families. It associates the malicious code with a known botnet family where possible, or it notifies the security analysts of a new or unknown P2P malware family so that it can be considered for deeper analysis. Our experimental results show that PeerViewer accurately classifies P2P malware with a very low false positive rate. © Springer International Publishing Switzerland 2013.
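The abstract describes a three-stage pipeline: learn a per-family model from labelled sandbox runs, summarise a new sample's sandbox traffic into a network footprint, and either assign the closest family or flag the sample as unknown. The following is an added example of that pipeline, written for this page; it is not PeerViewer's code, and the five footprint features, the z-score distance, the standard-deviation floor, the acceptance threshold and the two synthetic "families" are all assumptions chosen for illustration (the traces are constructed, not captures of Sality or ZeroAccess):

```python
import math
from collections import Counter

# One sandbox flow record: (protocol, dst_ip, dst_port, payload_bytes, got_reply).
# This field set is an assumption for the example, not PeerViewer's record format.


def footprint(flows):
    """Summarise one sample's sandbox trace into a fixed feature vector.

    The five features are illustrative choices: peer fan-out, UDP share,
    entropy of destination ports (custom P2P protocols tend to spread over
    many high ports), MTU-normalised mean payload, and the share of contacted
    peers that never answered (stale entries in a hard-coded peer list).
    """
    n = len(flows)
    peers = {dst_ip for _, dst_ip, _, _, _ in flows}
    ports = Counter(dst_port for _, _, dst_port, _, _ in flows)
    entropy = -sum((c / n) * math.log2(c / n) for c in ports.values())
    return {
        "peer_ratio": len(peers) / n,
        "udp_ratio": sum(1 for f in flows if f[0] == "udp") / n,
        "port_entropy": entropy,
        "mean_payload": sum(f[3] for f in flows) / n / 1500,
        "dead_ratio": sum(1 for f in flows if not f[4]) / n,
    }


class FamilyModel:
    """Per-family footprint model: feature means and standard deviations
    learned from labelled sandbox runs of one known family."""

    STD_FLOOR = 0.05  # assumed floor; stops a constant feature from dominating

    def __init__(self, name, footprints):
        self.name = name
        self.mean, self.std = {}, {}
        for k in footprints[0]:
            vals = [fp[k] for fp in footprints]
            m = sum(vals) / len(vals)
            var = sum((v - m) ** 2 for v in vals) / len(vals)
            self.mean[k] = m
            self.std[k] = max(math.sqrt(var), self.STD_FLOOR)

    def distance(self, fp):
        """Standardised Euclidean (z-score) distance of a footprint to this family."""
        return math.sqrt(sum(((fp[k] - self.mean[k]) / self.std[k]) ** 2 for k in self.mean))


def classify(fp, models, threshold=4.0):
    """Return (family, distance) for the closest model, or ("unknown", distance)
    when even the closest family lies beyond the assumed threshold."""
    best = min(models, key=lambda m: m.distance(fp))
    d = best.distance(fp)
    return (best.name if d <= threshold else "unknown", d)


# --- Constructed synthetic traces (not real Sality or ZeroAccess captures) ---
def synth_udp_trace(seed, n=20):
    """Custom-UDP P2P style: a fresh peer per flow, spread-out high ports,
    small messages, roughly a third of the peer list unreachable."""
    return [("udp", f"10.{seed}.{j}.1", 20000 + 37 * j, 40 + j, (j + seed) % 3 != 0)
            for j in range(n)]


def synth_tcp_trace(seed, n=20):
    """Fixed-port TCP P2P style: four peers reused, one port, larger
    messages, one in five connections failing."""
    return [("tcp", f"192.168.{seed}.{j % 4}", 16464, 300 + 10 * j, (j + seed) % 5 != 0)
            for j in range(n)]


def build_models():
    """Stage 1: one model per known family from four labelled runs each."""
    return [
        FamilyModel("udp_custom", [footprint(synth_udp_trace(s)) for s in range(4)]),
        FamilyModel("tcp_fixedport", [footprint(synth_tcp_trace(s)) for s in range(4)]),
    ]


def demo():
    """Stages 2 and 3: footprint held-out samples and classify them. The
    HTTP-style trace (single server, port 80, large replies) matches neither
    family and must be reported as unknown for an analyst to look at."""
    models = build_models()
    http_cc = [("tcp", "203.0.113.5", 80, 1200, True)] * 10  # constructed
    return {
        "udp_heldout": classify(footprint(synth_udp_trace(4)), models),
        "tcp_heldout": classify(footprint(synth_tcp_trace(7)), models),
        "http_cc": classify(footprint(http_cc), models),
    }


if __name__ == "__main__":
    for name, (family, dist) in demo().items():
        print(f"{name:12s} -> {family:14s} (distance {dist:.2f})")
```

The threshold is the knob that trades missed detections against false family assignments; in practice it would be calibrated on held-out labelled runs rather than fixed at 4.0 as here, since a sample that is not close to any known family is exactly the case the abstract says should be escalated rather than forced into a label.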
CITATION STYLE
Kheir, N., & Han, X. (2013). PeerViewer: Behavioral tracking and classification of P2P malware. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 8300 LNCS, pp. 282–298). https://doi.org/10.1007/978-3-319-03584-0_21