172 research outputs found
Framework for botnet emulation and analysis
Criminals use the anonymity and pervasiveness of the Internet to commit fraud, extortion, and theft. Botnets are used as the primary tool for this criminal activity. Botnets allow criminals to accumulate and covertly control multiple Internet-connected computers. They use this network of controlled computers to flood networks with traffic from multiple sources, send spam, spread infection, spy on users, commit click fraud, run adware, and host phishing sites. This presents serious privacy risks and financial burdens to businesses and individuals. Furthermore, all indicators show that the problem is worsening because the research and development cycle of the criminal industry is faster than that of security research.
To enable researchers to measure botnet connection models and counter-measures, a flexible, rapidly augmentable framework for creating test botnets is provided. This botnet framework, written in the Ruby language, enables researchers to run a botnet on a closed network and to rapidly implement new communication, spreading, control, and attack mechanisms for study. This is a significant improvement over augmenting C++ code-bases for the most popular botnets, Agobot and SDBot. Rubot allows researchers to implement new threats and their corresponding defenses before the criminal industry can. The Rubot experiment framework includes models for some of the latest trends in botnet operation such as peer-to-peer based control, fast-flux DNS, and periodic updates.
Our approach implements the key network features from existing botnets and provides the required infrastructure to run the botnet in a closed environment.Ph.D.Committee Chair: Copeland, John; Committee Member: Durgin, Gregory; Committee Member: Goodman, Seymour; Committee Member: Owen, Henry; Committee Member: Riley, Georg
Dissection of Modern Malicious Software
The exponential growth of the number of malicious software samples, known by malware in
the specialized literature, constitutes nowadays one of the major concerns of cyber-security
professionals. The objectives of the creators of this type of malware are varied, and the means
used to achieve them are getting increasingly sophisticated. The increase of the computation
and storage resources, as well as the globalization have been contributing to this growth, and
fueling an entire industry dedicated to developing, selling and improving systems or solutions for
securing, recovering, mitigating and preventing malware related incidents. The success of these
systems typically depends of detailed analysis, often performed by humans, of malware samples
captured in the wild. This analysis includes the search for patterns or anomalous behaviors that
may be used as signatures to identify or counter-attack these threats.
This Master of Science (Ms.C.) dissertation addresses problems related with dissecting and analyzing
malware. The main objectives of the underlying work were to study and understand the
techniques used by this type of software nowadays, as well as the methods that are used by
specialists on that analysis, so as to conduct a detailed investigation and produce structured
documentation for at least one modern malware sample. The work was mostly focused in malware
developed for the Operating Systems (OSs) of the Microsoft Windows family for desktops.
After a brief study of the state of the art, the dissertation presents the classifications applied to
malware, which can be found in the technical literature on the area, elaborated mainly by an
industry community or seller of a security product. The structuring of the categories is nonetheless
the result of an effort to unify or complete different classifications. The families of some of
the most popular or detected malware samples are also presented herein, initially in a tabular
form and, subsequently, via a genealogical tree, with some of the variants of each previously
described family. This tree provides an interesting perspective over malware and is one of the
contributions of this programme.
Within the context of the description of functionalities and behavior of malware, some advanced
techniques, with which modern specimens of this type of software are equipped to ease their
propagation and execution, while hindering their detection, are then discussed with more detail.
The discussion evolves to the presentation of the concepts related to the detection and defense
against modern malware, along with a small introduction to the main subject of this work. The
analysis and dissection of two samples of malware is then the subject of the final chapters of the
dissertation. A basic static analysis is performed to the malware known as Stuxnet, while the
Trojan Banker known as Tinba/zuzy is subdued to both basic and advanced dynamic analysis.
The results of this part of the work emphasize difficulties associated with these tasks and the
sophistication and dangerous level of samples under investigation.O crescimento exponencial do número de amostras de software malicioso, conhecido na gíria
informática como malware, constitui atualmente uma das maiores preocupações dos profissionais
de cibersegurança. São vários os objetivos dos criadores deste tipo de software e a forma
cada vez mais sofisticada como os mesmos são alcançados. O aumento da computação e capacidade
de armazenamento, bem como a globalização, têm contribuído para este crescimento, e
têm alimentado toda uma indústria dedicada ao desenvolvimento, venda e melhoramento de
sistemas ou soluções de segurança, recuperação, mitigação e prevenção de incidentes relacionados
com malware. O sucesso destes sistemas depende normalmente da análise detalhada, feita
muitas vezes por humanos, de peças de malware capturadas no seu ambiente de atuação. Esta
análise compreende a procura de padrões ou de comportamentos anómalos que possam servir
de assinatura para identificar ou contra-atacar essas ameaças.
Esta dissertação aborda a problemática da análise e dissecação de malware. O trabalho que
lhe está subjacente tinha como objetivos estudar e compreender as técnicas utilizadas por este
tipo de software hoje em dia, bem como as que são utilizadas por especialistas nessa análise,
de forma a conduzir uma investigação detalhada e a produzir documentação estruturada sobre
pelo menos uma amostra de malware moderna. O trabalho focou-se, sobretudo, em malware
desenvolvido para os sistemas operativos da família Microsoft Windows para computadores de
secretária. Após um breve estudo ao estado da arte, a dissertação apresenta as classificações
de malware encontradas na literatura técnica da especialidade, principalmente usada pela indústria,
resultante de um esforço de unificação das mesmas. São também apresentadas algumas
das famílias de malware mais detetadas da atualidade, inicialmente através de uma tabela e,
posteriormente, através de uma árvore geneológica, com algumas das variantes de cada uma das
famílias descritas previamente. Esta árvore fornece uma perspetiva interessante sobre malware
e constitui uma das contribuições deste programa de mestrado.
Ainda no âmbito da descrição de funcionalidades e comportamentos do malware, são expostas,
com algum detalhe, algumas técnicas avançadas com as quais os programas maliciosos mais
modernos são por vezes munidos com o intuito a facilitar a sua propagação e execução, dificultando
a sua deteção. A descrição evolui para a apresentação dos conceitos adjacentes à deteção
e combate ao malware moderno, assim como para uma pequena introdução ao tema principal
deste trabalho. A análise e dissecação de duas amostras de malware moderno surgem nos capítulos
finais da dissertação. Ao malware conhecido por Stuxnet é feita a análise básica estática,
enquanto que ao Trojan Banker Tinba/zusy é feita e demonstrada a análise dinâmica básica e
avançada. Os resultados desta parte são demonstrativos do grau de sofisticação e perigosidade
destas amostras e das dificuldades associadas a estas tarefas
Modeling the propagation and defense study of internet malicious information
Dr. Wen\u27s research includes modelling the propagation dynamics of malicious information, exposing the most influential people and source identification of epidemics in social networks. His research is beneficial to both academia and industry in the field of Internet social networks
Dynamic Behavioral Analysis of Malicious Software with Norman Sandbox
Current signature-based Anti-Virus (AV) detection approaches take, on average, two weeks from discovery to definition update release to AV users. In addition, these signatures get stale quickly: AV products miss between 25%-80% of new malicious software within a week of not updating. This thesis researches and develops a detection/classification mechanism for malicious software through statistical analysis of dynamic malware behavior. Several characteristics for each behavior type were stored and analyzed such as function DLL names, function parameters, exception thread ids, exception opcodes, pages accessed during faults, port numbers, connection types, and IP addresses. Behavioral data was collected via Norman Sandbox for storage and analysis. We proposed to find which statistical measures and metrics can be collected for use in the detection and classification of malware. We conclude that our logging and cataloging procedure is a potentially viable method in creating behavior-based malicious software detection and classification mechanisms
- …