8 research outputs found

    Segurança da Informação e de Sistemas Computacionais: Um Estudo Prático sobre Ataques Utilizando Malwares (Information and Computer Systems Security: A Practical Study on Malware Attacks)

    Abstract. Malware attacks are one of the most dangerous current threats to computer systems security. For this reason, it is crucial that students and professionals of computer science, especially those focused on information security and computer systems security, are prepared to react to those attacks. In this context, based on a reference scenario, a practical study on malware attacks is discussed in this work. For this, issues related to trojans, backdoors and keyloggers, among other malware, are addressed throughout the text. This discussion is important, for example, for the development of specific security mechanisms and for teaching and/or research activities related to the topic.
    Keywords: Computer Systems Security, Information Security, Malware.

    Function similarity using family context

    Finding changed and similar functions between a pair of binaries is an important problem in malware attribution and for the identification of new malware capabilities. This paper presents a new technique called Function Similarity using Family Context (FSFC) for this problem. FSFC trains a Support Vector Machine (SVM) model using pairs of similar functions from two program variants. This method improves upon previous research called Cross Version Contextual Function Similarity (CVCFS) by representing a function using features extracted not just from the function itself, but also from other functions with which it has a caller and callee relationship. We present the results of an initial experiment that shows that the use of additional features from the context of a function significantly decreases the false positive rate, obviating the need for a separate pass for cleaning false positives. The more surprising and unexpected finding is that the SVM model produced by FSFC can abstract function similarity features from one pair of program variants to find similar functions in an unrelated pair of program variants. If validated by a larger study, this new property leads to the possibility of creating generic similar function classifiers that can be packaged and distributed in reverse engineering tools such as IDA Pro and Ghidra.
    This research was performed in the Internet Commerce Security Lab (ICSL), which is a joint venture with research partners Westpac, IBM, and Federation University Australia.

    A taxonomy for threat actors' persistence techniques

    [EN] The main contribution of this paper is to provide an accurate taxonomy for persistence techniques, which allows the detection of novel techniques and the identification of appropriate countermeasures. Persistence is a key tactic for advanced offensive cyber operations. The techniques that achieve persistence have been largely analyzed in particular environments, but there is no suitable platform-agnostic model to structure persistence techniques. This lack causes a serious problem in the modeling of activities of advanced threat actors, hindering both their detection and the implementation of countermeasures against their activities. In this paper we analyze previous work in this field and propose a novel taxonomy for persistence techniques based on persistence points, a key concept we introduce in our work as the basis for the proposed taxonomy. Our work will help analysts to identify, classify and detect compromises, significantly reducing the amount of effort needed for these tasks. It follows a logical structure that is easy to expand and adapt, and it can be directly used in commonly accepted industry standards such as MITRE ATT&CK.
    Villalón-Huerta, A.; Marco-Gisbert, H.; Ripoll-Ripoll, I. (2022). A taxonomy for threat actors' persistence techniques. Computers & Security. 121:1-14. https://doi.org/10.1016/j.cose.2022.10285511412

    Techniques for the reverse engineering of banking malware

    Malware attacks are a significant and frequently reported problem, adversely affecting the productivity of organisations and governments worldwide. The well-documented consequences of malware attacks include financial loss, data loss, reputation damage, infrastructure damage, theft of intellectual property, compromise of commercial negotiations, and national security risks. Mitigation activities involve a significant amount of manual analysis. Therefore, there is a need for automated techniques for malware analysis to identify malicious behaviours. Research into automated techniques for malware analysis covers a wide range of activities. This thesis consists of a series of studies: an analysis of banking malware families and their common behaviours, an emulated command and control environment for dynamic malware analysis, a technique to identify similar malware functions, and a technique for the detection of ransomware. An analysis of the nature of banking malware, its major malware families, behaviours, variants, and inter-relationships is provided in this thesis. In doing this, this research takes a broad view of malware analysis, starting with the implementation of the malicious behaviours through to detailed analysis using machine learning. The broad approach taken in this thesis differs from some other studies that approach malware research in a more abstract sense. A disadvantage of approaching malware research without domain knowledge is that important methodology questions may not be considered. Large datasets of historical malware samples are available for countermeasures research. However, due to the age of these samples, the original malware infrastructure is no longer available, often restricting malware operations to initialisation functions only. To address this absence, an emulated command and control environment is provided. This emulated environment provides full control of the malware, enabling the capabilities of the original in-the-wild operation, while enabling feature extraction for research purposes. A major focus of this thesis has been the development of a machine learning function similarity method with a novel feature encoding that increases feature strength. This research develops techniques to demonstrate that a machine learning model trained on similarity features from one program can find similar functions in another, unrelated program. This finding can lead to the development of generic similar function classifiers that can be packaged and distributed in reverse engineering tools such as IDA Pro and Ghidra. Further, this research examines the use of API call features for the identification of ransomware and shows that a failure to consider malware analysis domain knowledge can lead to weaknesses in experimental design. In this case, we show that existing research has difficulty in discriminating between ransomware and benign cryptographic software. This thesis by publication has developed techniques to advance the discipline of malware reverse engineering, in order to minimize harm due to cyber-attacks on critical infrastructure, government institutions, and industry.
    Doctor of Philosophy

    Strategies Universities’ and Colleges’ IT Leaders Use to Prevent Malware Attacks

    Information systems at universities and colleges are not exempt from the threat of malware. Preventing and mitigating malware attacks is important to universities' and colleges' IT leaders to protect sensitive data confidentiality. Grounded in general system theory, the purpose of this exploratory multiple case study was to explore strategies universities' and colleges' information technology (IT) leaders use to prevent and mitigate malware attacks. Participants consisted of 6 IT leaders from 3 universities and colleges in Southern California responsible for preventing and mitigating malware attacks. Data were collected through semistructured video teleconferences and 7 organizational documents. Three significant themes emerged through thematic analysis: personnel issues, security planning, and security management practices. A key recommendation is for IT leaders to implement a training and awareness program to address personnel issues. The implications for positive social change include IT leaders' potential to secure students', parents', and faculty's confidential information, thereby reducing IT protection costs and preventing identity theft.

    Cyber Security of Critical Infrastructures

    Critical infrastructures are vital assets for public safety, economic welfare, and the national security of countries. The vulnerabilities of critical infrastructures have increased with the widespread use of information technologies. As Critical National Infrastructures are becoming more vulnerable to cyber-attacks, their protection becomes a significant issue for organizations as well as nations. The risks to continued operations, from failing to upgrade aging infrastructure or not meeting mandated regulatory regimes, are considered highly significant, given the demonstrable impact of such circumstances. Due to the rapid increase of sophisticated cyber threats targeting critical infrastructures with significant destructive effects, the cybersecurity of critical infrastructures has become an agenda item for academics, practitioners, and policy makers. A holistic view which covers technical, policy, human, and behavioural aspects is essential to handle cyber security of critical infrastructures effectively. Moreover, the ability to attribute crimes to criminals is a vital element of avoiding impunity in cyberspace. In this book, both research and practical aspects of cyber security considerations in critical infrastructures are presented. Aligned with the interdisciplinary nature of cyber security, authors from academia, government, and industry have contributed 13 chapters. The issues that are discussed and analysed include cybersecurity training, maturity assessment frameworks, malware analysis techniques, ransomware attacks, security solutions for industrial control systems, and privacy preservation methods.