Listening to botnet communication channels to protect information systems

Botnets are a weapon of choice for people who wish to exploit information systems for economic advantage. A large percentage of high value commercial targets such as banking transaction systems and human customers are web connected so that access is gained through Internet services. A Botnet is designed to maximise the possibility of an economic success through the low cost of attacks and the high number that may be attempted in any small time unit. In this paper we report exploratory research into the communications of Botnets. The research question was: How do Botnets talk with the command and control channels? The research method is to catch binaries in a low interaction honey pot and then to provide a secure test bed in which the binaries can demonstrate the actions of malicious activity. One of the actions performed by a binary is communication with the Bot master and this action is the focus of our study. We also provide a feedback loop in which suggestions are made to protect an Information System and the users

Instructions-Based Detection of Sophisticated Obfuscation and Packing

Every day thousands of malware are released online. The vast majority of these malware employ some kind of obfuscation ranging from simple XOR encryption, to more sophisticated anti-analysis, packing and encryption techniques. Dynamic analysis methods can unpack the file and reveal its hidden code. However, these methods are very time consuming when compared to static analysis. Moreover, considering the large amount of new malware being produced daily, it is not practical to solely depend on dynamic analysis methods. Therefore, finding an effective way to filter the samples and delegate only obfuscated and suspicious ones to more rigorous tests would significantly improve the overall scanning process. Current techniques of identifying obfuscation rely mainly on signatures of known packers, file entropy score, or anomalies in file header. However, these features are not only easily bypass-able, but also do not cover all types of obfuscation. In this paper, we introduce a novel approach to identify obfuscated files based on anomalies in their instructions-based characteristics. We detect the presence of interleaving instructions which are the result of the opaque predicate anti-disassembly trick, and present distinguishing statistical properties based on the opcodes and control flow graphs of obfuscated files. Our detection system combines these features with other file structural features and leads to a very good result of detecting obfuscated malware

Machine Learning Aided Static Malware Analysis: A Survey and Tutorial

Malware analysis and detection techniques have been evolving during the last decade as a reflection to development of different malware techniques to evade network-based and host-based security protections. The fast growth in variety and number of malware species made it very difficult for forensics investigators to provide an on time response. Therefore, Machine Learning (ML) aided malware analysis became a necessity to automate different aspects of static and dynamic malware investigation. We believe that machine learning aided static analysis can be used as a methodological approach in technical Cyber Threats Intelligence (CTI) rather than resource-consuming dynamic malware analysis that has been thoroughly studied before. In this paper, we address this research gap by conducting an in-depth survey of different machine learning methods for classification of static characteristics of 32-bit malicious Portable Executable (PE32) Windows files and develop taxonomy for better understanding of these techniques. Afterwards, we offer a tutorial on how different machine learning techniques can be utilized in extraction and analysis of a variety of static characteristic of PE binaries and evaluate accuracy and practical generalization of these techniques. Finally, the results of experimental study of all the method using common data was given to demonstrate the accuracy and complexity. This paper may serve as a stepping stone for future researchers in cross-disciplinary field of machine learning aided malware forensics.Comment: 37 Page

Reverse Engineering Analysis Statis Forensic Malware Webc2-Div

At this paper focus on Malicious Software also known as Malware APT1 (Advance Persistent Threat) codename WEBC2-DIV the most variants malware has criteria consists of Virus, Worm, Trojan, Adware, Spyware, Backdoor either Rootkit. Although, malware could avoidance scanning antivirus but reverse engineering could be know how dangerous malware infect computer client. Lately, malware attack as a form espionage (cyberwar) one of the most topic on security internet, because of has massive impact. Forensic malware becomes indicator successful user to realized about malware infect. This research about reverse engineering. A few steps there are scanning, suspected  packet in network and analysis of malware behavior and disassembler body malware

Botnet Forensic Investigation Techniques and Cost Evaluation

Botnets are responsible for a large percentage of damages and criminal activity on the Internet. They have shifted attacks from push activities to pull techniques for the distribution of malwares and continue to provide economic advantages to the exploiters at the expense of other legitimate Internet service users. In our research we asked; what is the cost of the procedural steps for forensically investigating a Botnet attack? The research method applies investigation guidelines provided by other researchers and evaluates these guidelines in terms of the cost to a digital forensic investigator. We conclude that investigation of Botnet attacks is both possible and procedurally feasible for a forensic investigator; but that scope management is critical for controlling the cost of investigation. We recommend quantifying Botnet investigations into five levels of cost based on time, complexity and technical requirements. Keywords: Botnets, Cybercrime, Investigating, Techniques, Costs, Researc

A survey on botnets, issues, threats, methods, detection and prevention

Botnets have become increasingly common and progressively dangerous to both business and domestic networks alike. Due to the Covid-19 pandemic, a large quantity of the population has been performing corporate activities from their homes. This leads to speculation that most computer users and employees working remotely do not have proper defences against botnets, resulting in botnet infection propagating to other devices connected to the target network. Consequently, not only did botnet infection occur within the target user’s machine but also neighbouring devices. The focus of this paper is to review and investigate current state of the art and research works for both methods of infection, such as how a botnet could penetrate a system or network directly or indirectly, and standard detection strategies that had been used in the past. Furthermore, we investigate the capabilities of Artificial Intelligence (AI) to create innovative approaches for botnet detection to enable making predictions as to whether there are botnets present within a network. The paper also discusses methods that threat-actors may be used to infect target devices with botnet code. Machine learning algorithms are examined to determine how they may be used to assist AI-based detection and what advantages and disadvantages they would have to compare the most suitable algorithm businesses could use. Finally, current botnet prevention and countermeasures are discussed to determine how botnets can be prevented from corporate and domestic networks and ensure that future attacks can be prevented

Denial-of-Service Attacks on Host-Based Generic Unpackers

China National Science FoundationThis research was mostly done when the first three authors, Limin Liu, Jiang Ming, and Zhi Wang, were researchers working in Singapore Management University. It was partially supported by National Science Foundation (NSF) China under the agreements 90718005, 70890084/G021102, and 60573015.</p