10 research outputs found

    A Forensic Study of the Effectiveness of Selected Anti-Virus Products Against SSDT Hooking Rootkits

    For Microsoft Windows Operating Systems, both anti-virus products and kernel rootkits often hook the System Service Dispatch Table (SSDT). This research paper investigates the interaction between these two in terms of the SSDT. To investigate these matters, we extracted digital evidence from volatile memory, and studied that evidence using the Volatility framework. Due to the diversity in detection techniques used by the anti-virus products, and the diversity of infection techniques used by rootkits, our investigation produced diverse results, results that helped us to understand several SSDT hooking strategies, and the interaction between the selected anti-virus products and the rootkit samples. Keywords: System Service Dispatch Table (SSDT), Anti-virus, Rootkits, Memory Analysis, Volatility

    An analysis of malware evasion techniques against modern AV engines

    This research empirically tested the response of antivirus applications to binaries that use virus-like evasion techniques. In order to achieve this, a number of binaries are processed using a number of evasion methods and are then deployed against several antivirus engines. The research also documents the process of setting up an environment for testing antivirus engines, including building the evasion techniques used in the tests. The results of the empirical tests illustrate that an attacker can evade multiple antivirus engines without much effort using well-known evasion techniques. Furthermore, some antivirus engines may respond to the occurrence of an evasion technique instead of the presence of any malicious code. In practical terms, this shows that while antivirus applications are useful for protecting against known threats, their effectiveness against unknown or modified threats is limited.

    Bridging the detection gap: a study on a behavior-based approach using malware techniques

    In recent years the intensity and complexity of cyber attacks have increased at a rapid rate. The cost of these attacks on U.S. based companies is in the billions of dollars, including the loss of intellectual property and reputation. Novel and diverse approaches are needed to mitigate the cost of a security breach, and bridge the gap between malware detection and a security breach. This thesis focuses on the short term need to mitigate the impact of undetected shellcodes that cause security breaches. The thesis's approach focuses on the agents driving the attacks, capturing their actions, in order to piece together the attacks for forensics purposes, as well as to better understand the opponent. The work presented in this thesis employs models of normal operating system behavior to detect access to the operating system's shell interface. It also utilizes malware techniques to avoid detection and subsequent termination of the monitoring system, as well as dynamic shellcode execution methodologies in the testing of the thesis' modules to implement a monitoring system --Document

    On the malware detection problem : challenges and novel approaches

    Advisor: André Ricardo Abed Grégio. Co-advisor: Paulo Lício de Geus. Doctoral thesis, Universidade Federal do Paraná, Setor de Ciências Exatas, Programa de Pós-Graduação em Informática. Defended in Curitiba. Includes references. Area of concentration: Computer Science.
    Abstract (Portuguese): Malicious software (malware) is one of the greatest threats to current computing systems, causing damage to the reputation of individuals and corporations, and therefore requiring the development of detection solutions to prevent malware samples from causing harm and to allow systems to be used safely. Several initiatives and solutions have been proposed over time to detect malware samples, from Anti-Virus (AV) products to sandboxes, but effective and efficient malware detection remains an open problem. Therefore, in this work, I set out to investigate some of the challenges, fallacies and consequences of malware detection research in order to contribute to increasing the detection capability of security solutions. More specifically, I propose a new approach to developing malware experiments in a practical yet still scientific manner, and I use this approach to investigate four questions related to malware detection research: (i) the need to understand the context of infections in order to allow the detection of threats in different scenarios; (ii) the need to develop better metrics for evaluating antivirus solutions; (iii) the feasibility of solutions with hardware-software collaboration for more efficient malware detection; (iv) the need to predict the occurrence of new threats so as to allow faster responses to security incidents.
    Abstract: Malware is a major threat to most current computer systems, causing reputational damage and financial losses to individuals and corporations, thus requiring the development of detection solutions to prevent malware from causing harm and to allow safe computer usage. Many initiatives and solutions to detect malware have been proposed over time, from AntiViruses (AVs) to sandboxes, but effective and efficient malware detection remains an open problem. Therefore, in this work, I propose taking a look at some malware detection challenges, pitfalls and consequences to contribute towards increasing malware detection systems' capabilities. More specifically, I propose a new approach to tackle malware research experiments in a practical but still scientific manner and leverage this approach to investigate four issues: (i) the need for understanding context to allow proper detection of localized threats; (ii) the need for developing better metrics for AV solutions evaluation; (iii) the feasibility of leveraging hardware-software collaboration for efficient AV implementation; and (iv) the need for predicting future threats to allow faster incident responses.

    Analysis and improvements of behaviour-based malware detection mechanisms

    The massive growth of computer usage has led to an increase in the related security concerns. Malware, such as Viruses, Worms, and Trojans, have become a major issue due to the serious damages they cause. Since the first malware emerged, there has been a continuous battle between security researchers and malware writers, where the latter are constantly trying to evade detection by adopting new functionalities and malicious techniques. This thesis focuses on addressing some of the concerns and challenges encountered when detecting malware, based on their behavioural features observed; for each identified challenge, an approach that addresses the problem is proposed and evaluated. Firstly, the thesis provides an in-depth analysis of the underlying causes of malware misclassification when using machine learning-based malware detectors. Such causes need to be determined, so that the right mitigation can be adopted. The analysis shows that the misclassification is mostly due to changes in several malware variants without the family membership or the year of discovery being a factor. In addition, the thesis proposes a probabilistic approach for optimising the scanning performance of Forensic Virtual Machines (FVMs); which are cloud-based lightweight scanners that perform distributed monitoring of the cloud’s Virtual Machines (VMs). Finally, a market-inspired prioritisation approach is proposed to balance the trade-off between the consumption of VMs’ resources and accuracy when detecting malware on the cloud’s VMs using Virtual Machine Introspection-based lightweight monitoring approaches (e.g. FVMs). The thesis concludes by highlighting future work and new directions that have emerged from the work presented

    Accessory Nucleases Provide Robust Antiparasite Immunity for Type III CRISPR-Cas Systems

    To protect against parasites like bacteriophages and plasmids, bacteria employ diverse and sophisticated defence systems. Clustered, regularly interspaced short palindromic repeats (CRISPR)-Cas systems are adaptive immune systems that can integrate short “spacers” from a parasite into its CRISPR locus as a form of immunological memory. Upon reinfection, short RNAs transcribed from the CRISPR locus can guide Cas proteins to the viral genome through complementary base pairing. Cas nucleases then destroy the invader’s genome. To date, six major types and multiple subtypes of CRISPR systems exist, each with their own signature genes and mechanisms of action. Type III CRISPR systems are uniquely able to destroy both the parasite’s DNA and RNA. Type III loci contain Cas10 and Csm2-5, which make up the main Cas10-Csm targeting complex. In addition, loci typically contain an ancillary RNase, csm6 or csx1. Upon target transcription, the Cas10-Csm complex recognises a viral transcript containing a target, which activates DNase activity of Cas10, leading to the destruction of the invader. In addition, it was recently discovered that the Palm domain of Cas10 can synthesise cyclic oligoadenylate second messengers (cA). cA can activate Csm6 by binding to the latter’s CARF domain. In this work, I first elucidate and illuminate the role and mechanism of action of Csm6 during anti-plasmid immunity in staphylococci. I show that Csm6 is required for efficient immunity against a weakly transcribed target but is dispensable against a well-transcribed target. Moreover, in vivo, Csm6 is a non-specific RNase, targeting both host and invader transcripts. This induces a transient growth arrest in the host cell, which is relieved upon target clearance. This growth arrest “buys time” for the Cas10-Csm complex to eliminate the plasmid, which is required for clearance against weakly transcribed targets.
    Further, I expand and characterise the broader arsenal of cA-activated CARF genes that type III systems use during immunity. I identify Card1, a nuclease that can degrade both ssDNA and ssRNA in vitro. These activities required divalent cations, and were activated by cA4. In Staphylococcus aureus, Card1 induces a growth arrest upon activation, and enhances anti-phage immunity. The protection is most likely primarily through the ssDNase activity, since no RNA degradation was detected in vivo. Together with collaborators, we were also able to solve the crystal structures of apo-, cA4-, and cA6-bound Card1, revealing the conformational changes allowing catalysis upon ligand binding. I also identify TM-1, a transmembrane helix-CARF gene that also causes a growth arrest in S. aureus when stimulated by cA production. The mechanism of TM-1 remains to be elucidated, but likely represents the first CRISPR protection mechanism not mediated by degrading nucleic acid. Altogether, my work both deepens and broadens our understanding of the ligand-mediated immune response of type III CRISPR systems. Robust immunity is obtained by coupling specific invader destruction (Cas10 DNase activity) with non-specific host and parasite growth arrest (Csm6/Card1/TM-1). This serves as a broader paradigm of how bacteria can use different catalytic activities and different systems to resist their parasites.

    Track The Planet: A Web-Scale Analysis Of How Online Behavioral Advertising Violates Social Norms

    Various forms of media have long been supported by advertising as part of a broader social agreement in which the public gains access to monetarily free or subsidized content in exchange for paying attention to advertising. In print- and broadcast-oriented media distribution systems, advertisers relied on broad audience demographics of various publications and programs in order to target their offers to the appropriate groups of people. The shift to distributing media on the World Wide Web has vastly altered the underlying dynamic by which advertisements are targeted. Rather than rely on imprecise demographics, the online behavioral advertising (OBA) industry has developed a system by which individuals’ web browsing histories are covertly surveilled in order that their product preferences may be deduced from their online behavior. Due to a failure of regulation, Internet users have virtually no means to control such surveillance, and it contravenes a host of well-established social norms. This dissertation explores the ways in which the recent emergence of OBA has come into conflict with these societal norms. Rather than a mere process for targeting messages, OBA represents a profound shift in the underlying balance of power within society. This power balance is embedded in an information asymmetry which gives corporations and governments significantly more knowledge of, and power over, citizens than vice-versa. Companies do not provide the public with an accounting of their techniques or the scale at which they operate. In order to shed light on corporate behavior in the OBA sector, two new tools were developed for this dissertation: webXray and policyXray. webXray is the most powerful tool available for attributing the flow of user data on websites to the companies which receive and process it. policyXray is the first, and currently only, tool capable of auditing website privacy policies in order to evaluate disclosure of data transfers to specific parties. 
Both tools are highly resource efficient, allowing them to analyze millions of data flows and operate at a scale which is normally reserved for the companies collecting data. In short, these tools rectify the existing information asymmetry between the OBA industry and the public by leveraging the tools of mass surveillance for socially-beneficial ends. The research presented herein allows many specific existing social-normative concerns to be explored using empirical data in a way which was not previously possible. The impact of OBA on three main areas is investigated: regulatory norms, medical privacy norms, and norms related to the utility of the press. Through an examination of data flows on one million websites, and policies on 200,000 more, it is found in the area of regulatory norms that well-established Fair Information Practice Principles are severely undermined by the self-regulatory “notice and choice” paradigm. In the area of informational norms related to personal health, an analysis of data flows on 80,000 pages related to 2,000 medical conditions reveals that user health concerns are shared with a number of commercial parties, virtually no policies exist to restrict or regulate the practice, and users are at risk of embarrassment and discrimination. Finally, an analysis of 250,000 pages drawn from 5,000 U.S.-based media outlets demonstrates that core values of an independent and trustworthy press are undermined by commercial surveillance and centralized revenue systems. This surveillance may also transfer data to government entities, potentially resulting in chilling effects which compromise the ability of the press to serve as a check on power. The findings of this dissertation make it clear that current approaches to regulating OBA based on “notice and choice” have failed. The underlying “choice” of OBA is to sacrifice core social values in favor of increased profitability for primarily U.S.-based advertising firms. 
Therefore, new regulatory approaches based on mass surveillance of corporate, rather than user, behaviors must be pursued. Only by resolving the information asymmetry between the public, private corporations, and the state may social norms be respected in the online environment

    Disruptive Technologies with Applications in Airline & Marine and Defense Industries

    Disruptive Technologies With Applications in Airline, Marine, Defense Industries is our fifth textbook in a series covering the world of Unmanned Vehicle Systems Applications & Operations On Air, Sea, and Land. The authors have expanded their purview beyond UAS / CUAS / UUV systems that we have written extensively about in our previous four textbooks. Our new title shows our concern for the emergence of Disruptive Technologies and how they apply to the Airline, Marine and Defense industries. Emerging technologies are technologies whose development, practical applications, or both are still largely unrealized, such that they are figuratively emerging into prominence from a background of nonexistence or obscurity. A Disruptive technology is one that displaces an established technology and shakes up the industry, or a ground-breaking product that creates a completely new industry. That is what our book is about. The authors think we have found technology trends that will replace the status quo or disrupt the conventional technology paradigms. The authors have collaborated to write some explosive chapters in Book 5: Advances in Automation & Human Machine Interface; Social Media as a Battleground in Information Warfare (IW); Robust cyber-security alternative / replacement for the popular Blockchain Algorithm and a clean solution for Ransomware; Advanced sensor technologies that are used by UUVs for munitions characterization, assessment, and classification and counter hostile use of UUVs against U.S. capital assets in the South China Seas.
    Challenged the status quo and debunked the climate change fraud with verifiable facts; Explodes our minds with nightmare technologies that if they come to fruition may do more harm than good; Propulsion and Fuels: Disruptive Technologies for Submersible Craft Including UUVs; Challenge the ammunition industry by grassroots use of recycled metals; Changing landscape of UAS regulations and drone privacy; and finally, Detailing Bioterrorism Risks, Biodefense, Biological Threat Agents, and the need for advanced sensors to detect these attacks.

    Biotechnology to Combat COVID-19

    This book provides an inclusive and comprehensive discussion of the transmission, science, biology, genome sequencing, diagnostics, and therapeutics of COVID-19. It also discusses public and government health measures and the roles of media as well as the impact of society on the ongoing efforts to combat the global pandemic. It addresses almost every topic that has been studied so far in the research on SARS-CoV-2 to gain insights into the fundamentals of the disease and mitigation strategies. This volume is a useful resource for virologists, epidemiologists, biologists, medical professionals, public health and government professionals, and all global citizens who have endured and battled against the pandemic

    Training Manual in the framework of the project: DBT sponsored Three Months National Training in Molecular Biology and Biotechnology for Fisheries Professionals 2015-18

    This is a limited edition of the CMFRI Training Manual provided to participants of the “DBT sponsored Three Months National Training in Molecular Biology and Biotechnology for Fisheries Professionals” organized by the Marine Biotechnology Division of Central Marine Fisheries Research Institute (CMFRI), from 2nd February 2015 - 31st March 2018