A Look into 30 Years of Malware Development from a Software Metrics Perspective

  • Conference paper
Research in Attacks, Intrusions, and Defenses (RAID 2016)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 9854)

Abstract

During the last decades, the problem of malicious and unwanted software (malware) has surged in numbers and sophistication. Malware plays a key role in most of today’s cyber attacks and has consolidated as a commodity in the underground economy. In this work, we analyze the evolution of malware since the early 1980s to date from a software engineering perspective. We analyze the source code of 151 malware samples and obtain measures of their size, code quality, and estimates of the development costs (effort, time, and number of people). Our results suggest an exponential increment of nearly one order of magnitude per decade in aspects such as size and estimated effort, with code quality metrics similar to those of regular software. Overall, this supports otherwise confirmed claims about the increasing complexity of malware and its production progressively becoming an industry.

Notes

  1. Available at: http://www.seg.inf.uc3m.es/~accortin/RAID_2016.html.

Acknowledgments

We are very grateful to the anonymous reviewers for constructive feedback and insightful suggestions. This work was supported by the MINECO grant TIN2013-46469-R (SPINY: Security and Privacy in the Internet of You), the CAM grant S2013/ICE-3095 (CIBERDINE: Cybersecurity, Data, and Risks), the Regional Government of Madrid through the N-GREENS Software-CM project S2013/ICE-2731 and by the Spanish Government through the Dedetis Grant TIN2015-7013-R.

Author information

Correspondence to Alejandro Calleja.

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Calleja, A., Tapiador, J., Caballero, J. (2016). A Look into 30 Years of Malware Development from a Software Metrics Perspective. In: Monrose, F., Dacier, M., Blanc, G., Garcia-Alfaro, J. (eds) Research in Attacks, Intrusions, and Defenses. RAID 2016. Lecture Notes in Computer Science, vol 9854. Springer, Cham. https://doi.org/10.1007/978-3-319-45719-2_15

  • DOI: https://doi.org/10.1007/978-3-319-45719-2_15

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-45718-5

  • Online ISBN: 978-3-319-45719-2

  • eBook Packages: Computer Science, Computer Science (R0)
