162 research outputs found
Adversarial behaviours knowledge area
The technological advancements witnessed by our society in recent decades have brought
improvements in our quality of life, but they have also created a number of opportunities for
attackers to cause harm. Before the Internet revolution, most crime and malicious activity
generally required a victim and a perpetrator to come into physical contact, and this limited
the reach that malicious parties had. Technology has removed the need for physical contact
to perform many types of crime, and now attackers can reach victims anywhere in the world, as long as they are connected to the Internet. This has revolutionised the characteristics of crime and warfare, allowing operations that would not have been possible before. In this document, we provide an overview of the malicious operations that are happening on the Internet today. We first provide a taxonomy of malicious activities based on the attacker’s motivations and capabilities, and then move on to the technological and human elements that adversaries require to run a successful operation. We then discuss a number of frameworks that have been proposed to model malicious operations. Since adversarial behaviours are not a purely technical topic, we draw from research in a number of fields (computer science, criminology, war studies). While doing this, we discuss how these frameworks can be used by researchers and practitioners to develop effective mitigations against malicious online operations.Published versio
Master of Puppets: Analyzing And Attacking A Botnet For Fun And Profit
A botnet is a network of compromised machines (bots), under the control of an
attacker. Many of these machines are infected without their owners' knowledge,
and botnets are the driving force behind several misuses and criminal
activities on the Internet (for example spam emails). Depending on its
topology, a botnet can have zero or more command and control (C&C) servers,
which are centralized machines controlled by the cybercriminal that issue
commands and receive reports back from the co-opted bots.
In this paper, we present a comprehensive analysis of the command and control
infrastructure of one of the world's largest proprietary spamming botnets
between 2007 and 2012: Cutwail/Pushdo. We identify the key functionalities
needed by a spamming botnet to operate effectively. We then develop a number of
attacks against the command and control logic of Cutwail that target those
functionalities, and make the spamming operations of the botnet less effective.
This analysis was made possible by having access to the source code of the C&C
software, as well as setting up our own Cutwail C&C server, and by implementing
a clone of the Cutwail bot. With the help of this tool, we were able to
enumerate the number of bots currently registered with the C&C server,
impersonate an existing bot to report false information to the C&C server, and
manipulate spamming statistics of an arbitrary bot stored in the C&C database.
Furthermore, we were able to make the control server inaccessible by conducting
a distributed denial of service (DDoS) attack. Our results may be used by law
enforcement and practitioners to develop better techniques to mitigate and
cripple other botnets, since many of findings are generic and are due to the
workflow of C&C communication in general
From ZeuS to Zitmo : trends in banking malware
In the crimeware world, financial botnets are a global threat to banking organizations. Such malware purposely performs financial fraud and steals critical information from clients' computers. A common example of banking malware is the ZeuS botnet. Recently, variants of this malware have targeted mobile platforms, as The-ZeuS-in-the-Mobile or Zitmo. With the rise in mobile systems, platform security is becoming a major concern across the mobile world, with rising incidence of compromising Android devices. In similar vein, there have been mobile botnet attacks on iPhones, Blackberry and Symbian devices. In this setting, we report on trends and developments of ZeuS and its variants
Master of puppets: analyzing and attacking a botnet for fun and profit
A botnet is a network of compromised machines (bots),
under the control of an attacker. Many of these machines
are infected without their owners’ knowledge, and botnets
are the driving force behind several misuses and criminal
activities on the Internet (for example spam emails). Depending
on its topology, a botnet can have zero or more
command and control (C&C) servers, which are centralized
machines controlled by the cybercriminal that issue
commands and receive reports back from the co-opted
bots.
In this paper, we present a comprehensive analysis of
the command and control infrastructure of one of the
world’s largest proprietary spamming botnets between
2007 and 2012: Cutwail/Pushdo. We identify the key
functionalities needed by a spamming botnet to operate
effectively. We then develop a number of attacks against
the command and control logic of Cutwail that target
those functionalities, and make the spamming operations
of the botnet less effective. This analysis was made possible
by having access to the source code of the C&C software,
as well as setting up our own Cutwail C&C server,
and by implementing a clone of the Cutwail bot. With the
help of this tool, we were able to enumerate the number
of bots currently registered with the C&C server, impersonate
an existing bot to report false information to the
C&C server, and manipulate spamming statistics of an arbitrary
bot stored in the C&C database. Furthermore, we
were able to make the control server inaccessible by conducting
a distributed denial of service (DDoS) attack. Our
results may be used by law enforcement and practitioners
to develop better techniques to mitigate and cripple other
botnets, since many of findings are generic and are due to
the workflow of C&C communication in general.First author draf
All Your IP Are Belong to Us: An Analysis of Intellectual Property Rights as Applied to Malware
The cybersecurity and cybercrime industries are tied together in an arms race where both seek out new security vulnerabilities to exploit on offense or to remediate on defense. Malware (malicious software) offers one of the primary weapons pioneering new computer technologies on both sides. However, the average Internet user sees malware at best as an annoyance that is merely the price of surfing the web.
It is clear that cybersecurity is a business and a successful one. The cybersecurity industry maintains copyrights and patents on our cyber defense technologies— antivirus software, firewalls, intrusion prevention systems, and more. There are no federal copyrights and patents on malware, even regarding the cybersecurity industry’s creations. From an intellectual property perspective, there is no difference between ordinary software and malicious software. Malware, as offensive software, can and should be protected, just as we protect our defensive software
Bridging Information Security and Environmental Criminology Research to Better Mitigate Cybercrime
Cybercrime is a complex phenomenon that spans both technical and human
aspects. As such, two disjoint areas have been studying the problem from
separate angles: the information security community and the environmental
criminology one. Despite the large body of work produced by these communities
in the past years, the two research efforts have largely remained disjoint,
with researchers on one side not benefitting from the advancements proposed by
the other. In this paper, we argue that it would be beneficial for the
information security community to look at the theories and systematic
frameworks developed in environmental criminology to develop better mitigations
against cybercrime. To this end, we provide an overview of the research from
environmental criminology and how it has been applied to cybercrime. We then
survey some of the research proposed in the information security domain,
drawing explicit parallels between the proposed mitigations and environmental
criminology theories, and presenting some examples of new mitigations against
cybercrime. Finally, we discuss the concept of cyberplaces and propose a
framework in order to define them. We discuss this as a potential research
direction, taking into account both fields of research, in the hope of
broadening interdisciplinary efforts in cybercrime researc
Quit playing games with my heart: Understanding online dating scams
© Springer International Publishing Switzerland 2015. Online dating sites are experiencing a rise in popularity, with one in five relationships in the United States starting on one of these sites. Online dating sites provide a valuable platform not only for single people trying to meet a life partner, but also for cybercriminals, who see in people looking for love easy victims for scams. Such scams span from schemes similar to traditional advertisement of illicit services or goods (i.e., spam) to advanced schemes, in which the victim starts a long-distance relationship with the scammer and is eventually extorted money. In this paper we perform the first large-scale study of online dating scams. We analyze the scam accounts detected on a popular online dating site over a period of eleven months, and provide a taxonomy of the different types of scammers that are active in the online dating landscape. We show that different types of scammers target a different demographics on the site, and therefore set up accounts with different characteristics. Our results shed light on the threats associated to online dating scams, and can help researchers and practitioners in developing effective countermeasures to fight them
You Can Tell a Cybercriminal by the Company they Keep: A Framework to Infer the Relevance of Underground Communities to the Threat Landscape
The criminal underground is populated with forum marketplaces where,
allegedly, cybercriminals share and trade knowledge, skills, and cybercrime
products. However, it is still unclear whether all marketplaces matter the same
in the overall threat landscape. To effectively support trade and avoid
degenerating into scams-for-scammers places, underground markets must address
fundamental economic problems (such as moral hazard, adverse selection) that
enable the exchange of actual technology and cybercrime products (as opposed to
repackaged malware or years-old password databases). From the relevant
literature and manual investigation, we identify several mechanisms that
marketplaces implement to mitigate these problems, and we condense them into a
market evaluation framework based on the Business Model Canvas. We use this
framework to evaluate which mechanisms `successful' marketplaces have in place,
and whether these differ from those employed by `unsuccessful' marketplaces. We
test the framework on 23 underground forum markets by searching 836 aliases of
indicted cybercriminals to identify `successful' marketplaces. We find evidence
that marketplaces whose administrators are impartial in trade, verify their
sellers, and have the right economic incentives to keep the market functional
are more likely to be credible sources of threat.Comment: The 22nd Workshop on the Economics of Information Security (WEIS'23),
July 05--08, 2023, Geneva, Switzerlan
Measuring and Disrupting Malware Distribution Networks: An Interdisciplinary Approach
Malware Delivery Networks (MDNs) are networks of webpages, servers, computers, and computer files that are used by cybercriminals to proliferate malicious software (or malware) onto victim machines. The business of malware delivery is a complex and multifaceted one that has become increasingly profitable over the last few years. Due to the ongoing arms race between cybercriminals and the security community, cybercriminals are constantly evolving and streamlining their techniques to beat security countermeasures and avoid disruption to their operations, such as by security researchers infiltrating their botnet operations, or law enforcement taking down their infrastructures and arresting those involved. So far, the research community has conducted insightful but isolated studies into the different facets of malicious file distribution. Hence, only a limited picture of the malicious file delivery ecosystem has been provided thus far, leaving many questions unanswered. Using a data-driven and interdisciplinary approach, the purpose of this research is twofold. One, to study and measure the malicious file delivery ecosystem, bringing prior research into context, and to understand precisely how these malware operations respond to security and law enforcement intervention. And two, taking into account the overlapping research efforts of the information security and crime science communities towards preventing cybercrime, this research aims to identify mitigation strategies and intervention points to disrupt this criminal economy more effectively
- …