
Overlapping landing sites.

We further evaluate the overlap between the landing sites that point to the different malware distribution sites. To do so, we calculate the pairwise intersection between the sets of the landing sites pointing to each of the distribution sites in our data set. For a distribution network $i$ with a set of landing sites $X_i$ and network $j$ with the set of landing sites $X_j$, the normalized pairwise intersection of the two networks, $C_{i,j}$, is calculated as

$\displaystyle C_{i,j} = \frac{\lvert X_{i} \cap X_j \rvert}{ \lvert X_i\rvert}$ (1)

where $\lvert X \rvert$ is the number of elements in the set $X$. Interestingly, our results showed that $80\%$ of the distribution networks share at least one landing page. Figure 12 shows the normalized pairwise landing sets intersection across these distribution networks. The graph reveals a strong overlap among the landing sites for the related network pairs. These results suggest that many landing sites are shared among multiple distribution networks. For example, in several cases we observed landing pages with multiple IFRAMEs linking to different malware distribution sites. Finally, we note that the sudden jump to a pairwise score of one is mostly due to network pairs in which the landing sites for one network are a subset of those for the other network.
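The calculation in Equation (1), as an added example that is not from the original paper: it computes $C_{i,j}$ for every ordered pair of networks, the fraction of networks sharing at least one landing page, and the subset pairs that score one. The site names, the observation pairs and the function names are constructed for illustration. Because the score is normalized by $\lvert X_i \rvert$, $C_{i,j}$ and $C_{j,i}$ generally differ.

```python
from collections import defaultdict
from itertools import permutations

# Constructed sample: (landing page, distribution site) pairs, as would be
# extracted from IFRAME references on crawled pages. All names are placeholders.
OBSERVATIONS = [
    ("landing-a.example", "dist-1.example"),
    ("landing-b.example", "dist-1.example"),
    ("landing-c.example", "dist-1.example"),
    ("landing-a.example", "dist-2.example"),  # landing page with two IFRAMEs
    ("landing-b.example", "dist-2.example"),
    ("landing-d.example", "dist-3.example"),
    ("landing-c.example", "dist-4.example"),
    ("landing-e.example", "dist-4.example"),
]

def landing_sets(observations):
    """Build X_i: the set of landing pages pointing to each distribution network."""
    sets = defaultdict(set)
    for landing, dist in observations:
        sets[dist].add(landing)
    return dict(sets)

def pairwise_intersection(sets):
    """C[i, j] = |X_i & X_j| / |X_i| for every ordered pair with i != j."""
    return {(i, j): len(sets[i] & sets[j]) / len(sets[i])
            for i, j in permutations(sets, 2)}

def sharing_fraction(scores, sets):
    """Fraction of networks that share at least one landing page with another."""
    sharing = {i for (i, _), c in scores.items() if c > 0}
    return len(sharing) / len(sets)

def subset_pairs(scores):
    """Ordered pairs (i, j) where X_i is a subset of X_j, so C[i, j] is one."""
    return sorted(pair for pair, c in scores.items() if c == 1.0)

if __name__ == "__main__":
    sets = landing_sets(OBSERVATIONS)
    scores = pairwise_intersection(sets)
    for (i, j), c in sorted(scores.items()):
        if c > 0:
            print(f"C[{i}, {j}] = {c:.2f}")
    print("networks sharing a landing page:", sharing_fraction(scores, sets))
    print("subset pairs:", subset_pairs(scores))
```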

Figure 13: CDF of the normalized pairwise intersection between malware hashes across distribution networks.

Niels Provos 2008-05-13