Towards Adversarial Malware Detection: Lessons Learned from PDF-based Attacks

Malware still constitutes a major threat in the cybersecurity landscape, also due to the widespread use of infection vectors such as documents. These infection vectors hide embedded malicious code to the victim users, facilitating the use of social engineering techniques to infect their machines. Research showed that machine-learning algorithms provide effective detection mechanisms against such threats, but the existence of an arms race in adversarial settings has recently challenged such systems. In this work, we focus on malware embedded in PDF files as a representative case of such an arms race. We start by providing a comprehensive taxonomy of the different approaches used to generate PDF malware, and of the corresponding learning-based detection systems. We then categorize threats specifically targeted against learning-based PDF malware detectors, using a well-established framework in the field of adversarial machine learning. This framework allows us to categorize known vulnerabilities of learning-based PDF malware detectors and to identify novel attacks that may threaten such systems, along with the potential defense mechanisms that can mitigate the impact of such threats. We conclude the paper by discussing how such findings highlight promising research directions towards tackling the more general challenge of designing robust malware detectors in adversarial settings

Cyber Threat Intelligence : Challenges and Opportunities

The ever increasing number of cyber attacks requires the cyber security and forensic specialists to detect, analyze and defend against the cyber threats in almost realtime. In practice, timely dealing with such a large number of attacks is not possible without deeply perusing the attack features and taking corresponding intelligent defensive actions, this in essence defines cyber threat intelligence notion. However, such an intelligence would not be possible without the aid of artificial intelligence, machine learning and advanced data mining techniques to collect, analyse, and interpret cyber attack evidences. In this introductory chapter we first discuss the notion of cyber threat intelligence and its main challenges and opportunities, and then briefly introduce the chapters of the book which either address the identified challenges or present opportunistic solutions to provide threat intelligence.Comment: 5 Page

PowerDrive: Accurate De-Obfuscation and Analysis of PowerShell Malware

PowerShell is nowadays a widely-used technology to administrate and manage Windows-based operating systems. However, it is also extensively used by malware vectors to execute payloads or drop additional malicious contents. Similarly to other scripting languages used by malware, PowerShell attacks are challenging to analyze due to the extensive use of multiple obfuscation layers, which make the real malicious code hard to be unveiled. To the best of our knowledge, a comprehensive solution for properly de-obfuscating such attacks is currently missing. In this paper, we present PowerDrive, an open-source, static and dynamic multi-stage de-obfuscator for PowerShell attacks. PowerDrive instruments the PowerShell code to progressively de-obfuscate it by showing the analyst the employed obfuscation steps. We used PowerDrive to successfully analyze thousands of PowerShell attacks extracted from various malware vectors and executables. The attained results show interesting patterns used by attackers to devise their malicious scripts. Moreover, we provide a taxonomy of behavioral models adopted by the analyzed codes and a comprehensive list of the malicious domains contacted during the analysis

Ransomware in High-Risk Environments

In today’s modern world, cybercrime is skyrocketing globally, which impacts a variety of organizations and endpoint users. Hackers are using a multitude of approaches and tools, including ransomware threats, to take over targeted systems. These acts of cybercrime lead to huge damages in areas of business, healthcare systems, industry sectors, and other fields. Ransomware is considered as a high risk threat, which is designed to hijack the data. This paper is demonstrating the ransomware types, and how they are evolved from the malware and trojan codes, which is used to attack previous incidents, and explains the most common encryption algorithms such as AES, and RSA, ransomware uses them during infection process in order to produce complex threats. The practical approach for data encryption uses python programming language to show the efficiency of those algorithms in real attacks by executing this section on Ubuntu virtual machine. Furthermore, this paper analyzes programming languages, which is used to build ransomware. An example of ransomware code is being demonstrated in this paper, which is written specifically in C sharp language, and it has been tested out on windows operating system using MS visual studio. So, it is very important to recognize the system vulnerability, which can be very useful to prevent the ransomware. In contrast, this threat might sneak into the system easily, allowing for a ransom to be demanded. Therefore, understanding ransomware anatomy can help us to find a better solution in different situations. Consequently, this paper shows a number of outstanding removal techniques to get rid from ransomware attacks in the system

Ransomware in High-Risk Environments

In today’s modern world, cybercrime is skyrocketing globally, which impacts a variety of organizations and endpoint users. Hackers are using a multitude of approaches and tools, including ransomware threats, to take over targeted systems. These acts of cybercrime lead to huge damages in areas of business, healthcare systems, industry sectors, and other fields. Ransomware is considered as a high risk threat, which is designed to hijack the data. This paper is demonstrating the ransomware types, and how they are evolved from the malware and trojan codes, which is used to attack previous incidents, and explains the most common encryption algorithms such as AES, and RSA, ransomware uses them during infection process in order to produce complex threats. The practical approach for data encryption uses python programming language to show the efficiency of those algorithms in real attacks by executing this section on Ubuntu virtual machine. Furthermore, this paper analyzes programming languages, which is used to build ransomware. An example of ransomware code is being demonstrated in this paper, which is written specifically in C sharp language, and it has been tested out on windows operating system using MS visual studio. So, it is very important to recognize the system vulnerability, which can be very useful to prevent the ransomware. In contrast, this threat might sneak into the system easily, allowing for a ransom to be demanded. Therefore, understanding ransomware anatomy can help us to find a better solution in different situations. Consequently, this paper shows a number of outstanding removal techniques to get rid from ransomware attacks in the system

Honey Sheets: What Happens to Leaked Google Spreadsheets?

Cloud-based documents are inherently valuable, due to the volume and nature of sensitive personal and business content stored in them. Despite the importance of such documents to Internet users, there are still large gaps in the understanding of what cybercriminals do when they illicitly get access to them by for example compromising the account credentials they are associated with. In this paper, we present a system able to monitor user activity on Google spreadsheets. We populated 5 Google spreadsheets with fake bank account details and fake funds transfer links. Each spreadsheet was configured to report details of accesses and clicks on links back to us. To study how people interact with these spreadsheets in case they are leaked, we posted unique links pointing to the spreadsheets on a popular paste site. We then monitored activity in the accounts for 72 days, and observed 165 accesses in total. We were able to observe interesting modifications to these spreadsheets performed by illicit accesses. For instance, we observed deletion of some fake bank account information, in addition to insults and warnings that some visitors entered in some of the spreadsheets. Our preliminary results show that our system can be used to shed light on cybercriminal behavior with regards to leaked online documents

Vulnerable GPU Memory Management: Towards Recovering Raw Data from GPU

In this paper, we present that security threats coming with existing GPU memory management strategy are overlooked, which opens a back door for adversaries to freely break the memory isolation: they enable adversaries without any privilege in a computer to recover the raw memory data left by previous processes directly. More importantly, such attacks can work on not only normal multi-user operating systems, but also cloud computing platforms. To demonstrate the seriousness of such attacks, we recovered original data directly from GPU memory residues left by exited commodity applications, including Google Chrome, Adobe Reader, GIMP, Matlab. The results show that, because of the vulnerable memory management strategy, commodity applications in our experiments are all affected

The economic impact of cybercrime and cyber espionage

Introduction Is cybercrime, cyber espionage, and other malicious cyber activities what some call “the greatest transfer of wealth in human history,” or is it what others say is a “rounding error in a fourteen trillion dollar economy?” The wide range of existing estimates of the annual loss—from a few billion dollars to hundreds of billions—reflects several difficulties. Companies conceal their losses and some are not aware of what has been taken. Intellectual property is hard to value. Some estimates relied on surveys, which provide very imprecise results unless carefully constructed. One common problem with cybersecurity surveys is that those who answer the questions “self-select,” introducing a possible source of distortion into the results. Given the data collection problems, loss estimates are based on assumptions about scale and effect— change the assumption and you get very different results. These problems leave many estimates open to question. The Components of Malicious Cyber Activity In this initial report we start by asking what we should count in estimating losses from cybercrime and cyber espionage. We can break malicious cyber activity into six parts: The loss of intellectual property and business confidential information Cybercrime, which costs the world hundreds of millions of dollars every year The loss of sensitive business information, including possible stock market manipulation Opportunity costs, including service and employment disruptions, and reduced trust for online activities The additional cost of securing networks, insurance, and recovery from cyber attacks Reputational damage to the hacked company Put these together and the cost of cybercrime and cyber espionage to the global economy is probably measured in the hundreds of billions of dollars. To put this in perspective, the World Bank says that global GDP was about $70 trillion in 2011. A$400 billion loss—the high end of the range of probable costs—would be a fraction of a percent of global income. But this begs several important questions about the full benefit to the acquirers and the damage to the victims from the cumulative effect of cybercrime and cyber espionage