
    Techniques for the reverse engineering of banking malware

    Malware attacks are a significant and frequently reported problem, adversely affecting the productivity of organisations and governments worldwide. The well-documented consequences of malware attacks include financial loss, data loss, reputation damage, infrastructure damage, theft of intellectual property, compromise of commercial negotiations, and national security risks. Mitigation activities involve a significant amount of manual analysis. Therefore, there is a need for automated techniques for malware analysis to identify malicious behaviours. Research into automated techniques for malware analysis covers a wide range of activities. This thesis consists of a series of studies: an analysis of banking malware families and their common behaviours, an emulated command and control environment for dynamic malware analysis, a technique to identify similar malware functions, and a technique for the detection of ransomware. An analysis of the nature of banking malware, its major malware families, behaviours, variants, and inter-relationships is provided in this thesis. In doing this, this research takes a broad view of malware analysis, starting with the implementation of the malicious behaviours through to detailed analysis using machine learning. The broad approach taken in this thesis differs from some other studies that approach malware research in a more abstract sense. A disadvantage of approaching malware research without domain knowledge is that important methodology questions may not be considered. Large datasets of historical malware samples are available for countermeasures research. However, due to the age of these samples, the original malware infrastructure is no longer available, often restricting malware operations to initialisation functions only. To address this absence, an emulated command and control environment is provided.
    This emulated environment provides full control of the malware, enabling the capabilities of the original in-the-wild operation while allowing feature extraction for research purposes. A major focus of this thesis has been the development of a machine learning function similarity method with a novel feature encoding that increases feature strength. This research develops techniques to demonstrate that a machine learning model trained on similarity features from one program can find similar functions in another, unrelated program. This finding can lead to the development of generic similar-function classifiers that can be packaged and distributed in reverse engineering tools such as IDA Pro and Ghidra. Further, this research examines the use of API call features for the identification of ransomware and shows that a failure to consider malware analysis domain knowledge can lead to weaknesses in experimental design. In this case, we show that existing research has difficulty in discriminating between ransomware and benign cryptographic software. This thesis by publication has developed techniques to advance the discipline of malware reverse engineering, in order to minimize harm due to cyber-attacks on critical infrastructure, government institutions, and industry.
    Doctor of Philosoph

    Dataset Construction and Analysis of Screenshot Malware

    Among the various types of spyware, screenloggers are distinguished by their ability to capture screenshots. This gives them considerable nuisance capacity, giving rise to theft of sensitive data or, failing that, to serious invasions of users' privacy. Several examples of attacks relying on this screen capture feature have been documented in recent years. However, there is not sufficient empirical and experimental evidence on this topic. Indeed, to the best of our knowledge, no dataset dedicated to screenshot-taking malware exists to date. The lack of datasets or common testbed platforms makes it difficult to analyse and study their behaviour in order to develop effective countermeasures. The screenshot feature is often a smart feature that does not activate automatically once the malware has infected the machine; the activation mechanisms of this function are often more complex. Consequently, a dataset completely dedicated to them would make it possible to better understand the subtleties of triggering screenshots and even to learn to distinguish them from the legitimate applications widely present on devices. The main purpose of this paper is to build such a dataset and analyse the behaviour of screenloggers.

    Comparing Three Countries’ Higher Education Students’ Cyber Related Perceptions and Behaviours during COVID-19

    In 2020, a global pandemic led to lockdowns and subsequent social and business restrictions. These required overnight implementation of emergency measures to permit the continued functioning of vital industries. Digital technologies and platforms made this switch feasible, but they also introduced several cyber-related vulnerabilities, which students might not have known how to mitigate. For this study, the Global Cyber Security Index and the Cyber Risk Literacy and Education Index were used to provide a cyber security context for each country. This research project, an international, cross-university, comparative, quantitative project, aimed to explore the risk attitudes and concerns, as well as the protective behaviours adopted by, students at a South African, a Welsh and a Hungarian university during the pandemic. This study's findings align with the relative rankings of the Oliver Wyman Risk Literacy and Education Index for the countries in which the universities reside. This study revealed significant differences in student behaviours between these universities. The most important differences were identified in students' risk attitudes and concerns. It was also discovered that South African students reported having changed their protective online behaviours to the greatest extent since the pandemic commenced. Recommendations are made suggesting that cyber security training and education, as well as improving digital trust and confidence in digital platforms, are critical.

    Have Usability and Security Trade-offs in Mobile Financial Services (MFS) become Untrustworthy?

    The trade-off between Usability and Security has been well researched, with various models proposed on how best to improve Usability without jeopardizing Security and vice versa. Usable Security has become a key factor in Mobile Financial Services (MFS), the new frontier for mobile phone utilisation. However, have the compromises gone too far? The trustworthiness of MFS systems has already slowed down new adoption and impacted ongoing security trust issues and user confidence, in spite of the potential benefits of MFS for its users. To understand this growing lack of trust in MFS, we need to comprehend the nature of Usable Security in assuring the behaviours of MFS users and determine the right trade-off to improve trust whilst facilitating future uptake. We conducted an empirical survey of 698 users' experiences of MFS and here present the findings of this investigation for further synthesis towards proposing practical control elements to assure Usable Security in MFS.

    A Conceptual Framework for Smartphone Security Among Arab Millennials

    The rapid growth of smartphone adoption and use in the Middle East has led to some critical post-adoption issues, including ensuring that smartphones are used securely. Moreover, there is a gap in the existing literature on the perceptions and behaviour of individual consumers, especially millennials, in relation to mobile security and dealing with smartphone security threats. Little research on this subject has been carried out in developing countries, particularly in the Middle East, in a cross-national context. Therefore, this research aims to analyse the factors that can affect smartphone security behaviour among millennials in a cross-national context in the Middle East. The model developed in this research is based on a combination of protection motivation theory (PMT) and the extended unified theory of acceptance and use of technology (UTAUT2), with additional factors specifically related to millennials' smartphone security behaviour in the Middle East. The initial findings indicate that (1) there is a gap in research on the security behaviour of Arab millennials, despite the existence of serious security threats associated with their use of these technologies; and (2) there is a gap in research on similarities and differences in smartphone security behaviour among consumers in a cross-national context. A questionnaire will be distributed online to consumers who are 18–29 years old in Iraq, Jordan and the UAE. This is the first research to study millennial Arabs' security behaviour around smartphones and mobile applications in a cross-national context. In addition, the conceptual framework proposed in this research combines PMT and UTAUT2, with a further extension via the inclusion of three additional factors: privacy concerns; security threats related to smartphone-specific characteristics; and cybersecurity acculturation. Furthermore, this research bridges the gap in knowledge by addressing the lack of research on millennial smartphone users in the Middle East region, as they form the largest segment of the population.

    A cyber-kill-chain based taxonomy of crypto-ransomware features

    In spite of being just a few years old, ransomware is quickly becoming a serious threat to our digital infrastructures, data and services. The majority of ransomware families request a ransom payment to restore the custodian's access or to decrypt data which the ransomware encrypted earlier. Although the ransomware attack strategy seems simple, security specialists rank ransomware as a sophisticated attack vector with many variations and families. The wide range of features available in different families and versions of ransomware further complicates their detection and analysis. Though the existing body of research provides significant discussion of ransomware details and capabilities, that body of research as a whole is fragmented. Therefore, a ransomware feature taxonomy would advance cyber defenders' understanding of the risks associated with ransomware. In this paper we provide, to the best of our knowledge, the first scientific taxonomy of ransomware features, aligned with the Lockheed Martin Cyber Kill Chain (CKC) model. CKC is a well-established model in industry that describes the stages of cyber intrusion attempts. To ease the challenge of applying our taxonomy in the real world, we also provide the corresponding ransomware defence taxonomy aligned with the Courses of Action matrix (an intelligence-driven defence model). We believe that this research study is of high value for the cyber security research community, as it provides researchers with a means of assessing the vulnerabilities and attack vectors towards the intended victims.

    Bridging Information Security and Environmental Criminology Research to Better Mitigate Cybercrime

    Cybercrime is a complex phenomenon that spans both technical and human aspects. As such, two disjoint areas have been studying the problem from separate angles: the information security community and the environmental criminology one. Despite the large body of work produced by these communities in past years, the two research efforts have largely remained disjoint, with researchers on one side not benefiting from the advancements proposed by the other. In this paper, we argue that it would be beneficial for the information security community to look at the theories and systematic frameworks developed in environmental criminology to develop better mitigations against cybercrime. To this end, we provide an overview of the research from environmental criminology and how it has been applied to cybercrime. We then survey some of the research proposed in the information security domain, drawing explicit parallels between the proposed mitigations and environmental criminology theories, and presenting some examples of new mitigations against cybercrime. Finally, we discuss the concept of cyberplaces and propose a framework in order to define them. We discuss this as a potential research direction, taking into account both fields of research, in the hope of broadening interdisciplinary efforts in cybercrime researc
