University of Antwerp
Downloaders are malicious programs whose goal is to covertly download and install further malware (so-called eggs) on a victim's machine. In this paper, the authors analyze and characterize 23 Windows-based malware downloaders. They first show a high diversity in the downloaders' communication architectures (e.g., P2P), carrier protocols, and encryption schemes. Using dynamic malware analysis traces collected over more than two years, they observe that 11 of these downloaders actively operated for at least one year, and they identify 18 downloaders as still active. They then describe how attackers choose resilient server infrastructures; for example, they reveal that 20% of the C&C servers remain operable in the long term.