Large-scale analysis of malware downloaders

Christian Rossow*, Christian Dietrich, Herbert Bos

*Corresponding author for this work

Research output: Chapter in Book / Report / Conference proceeding, Conference contribution, Academic, peer-review


Downloaders are malicious programs with the goal to subversively download and install malware (eggs) on a victim's machine. In this paper, we analyze and characterize 23 Windows-based malware downloaders. We first show a high diversity in downloaders' communication architectures (e.g., P2P), carrier protocols and encryption schemes. Using dynamic malware analysis traces from over two years, we observe that 11 of these downloaders actively operated for at least one year, and identify 18 downloaders to be still active. We then describe how attackers choose resilient server infrastructures. For example, we reveal that 20% of the C&C servers remain operable in the long term. Moreover, we observe steady migrations between different domains and TLD registrars, and notice that attackers deploy critical infrastructures redundantly across providers. After revealing the complexity of possible counter-measures against downloaders, we present two generic techniques enabling defenders to actively acquire malware samples. To do so, we leverage the publicly accessible downloader infrastructures by replaying download dialogs or observing a downloader's process activities from within the Windows kernel. With these two techniques, we successfully milk and analyze a diverse set of eggs from downloaders with both plain and encrypted communication channels.

Original language: English
Title of host publication: Detection of Intrusions and Malware, and Vulnerability Assessment
Subtitle of host publication: 9th International Conference, DIMVA 2012, Revised Selected Papers
Editors: Ulrich Flegel, Evangelos Markatos, William Robertson
Publisher: Springer LNCS
Number of pages: 20
ISBN (Electronic): 9783642373008
ISBN (Print): 9783642372995
Publication status: Published - 2013
Event: 9th GI International Conference on Detection of Intrusions and Malware and Vulnerability Assessment, DIMVA 2012 - Heraklion, Crete, Greece
Duration: 26 Jul 2012 to 27 Jul 2012

Publication series

Name: Lecture Notes in Computer Science
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349


Conference: 9th GI International Conference on Detection of Intrusions and Malware and Vulnerability Assessment, DIMVA 2012
City: Heraklion, Crete


  • Downloader
  • Dropper
  • Dynamic Analysis
  • Malware

