Creating a Malware Analysis Lab and Basic Malware Analysis
Tying together material learned in the Information Assurance program at Iowa State, this paper gives an introduction to malware, basic malware analysis, and setting up a manual malware analysis lab. Malware is malicious software that causes harm. The average malware will have 125 lines of code. Generally, malware consists of 3 components: a concealer, a replicator, and a bomb. Malware is classified based on its nature and functionality. The 3 most common types we see are viruses, worms, and Trojans. Malware generally falls into two categories based on its target: mass malware and targeted malware. Four general stages of malware analysis are manual code reversing, interactive behavior analysis, static properties analysis, and automated analysis. The paper goes over basic static and basic dynamic analysis. It briefly touches on advanced static and advanced dynamic analysis to cover 3 of the stages above. Sandboxes are covered, and Cuckoo is discussed to cover automated analysis. Setting up a malware analysis lab is discussed, as either a physical lab or a virtual lab can be set up. Steps are given for using VMware Workstation Pro to set up a manual malware analysis lab, obtaining a Microsoft Windows virtual machine, and installing FireEye's flare-vm on it. In closing, some work that can be expanded on and done in the future is discussed.
A Quantum Algorithm To Locate Unknown Hashes For Known N-Grams Within A Large Malware Corpus
Quantum computing has evolved quickly in recent years and is showing significant benefits in a variety of fields. Malware analysis is one of those fields that could also take advantage of quantum computing. The combination of software used to locate the most frequent hashes and n-grams between benign and malicious software (KiloGram) and a quantum search algorithm could be beneficial, by loading the table of hashes and n-grams into a quantum computer, and thereby speeding up the process of mapping n-grams to their hashes. The first phase will be to use KiloGram to find the top- hashes and n-grams for a large malware corpus. From here, the resulting hash table is then loaded into a quantum machine. A quantum search algorithm is then used to search among every permutation of the entangled key and value pairs to find the desired hash value. This prevents one from having to re-compute hashes for a set of n-grams, which can take on average time, whereas the quantum algorithm could take in the number of table lookups to find the desired hash values.

Comment: IEEE Quantum Week 2020 Conference
Security source code analysis of applications in Android OS
It is a known fact that Android mobile phones' security has room for improvement. Many malicious app developers have targeted Android mobile phones, mainly because Android, as an open operating system, provides great flexibility to developers, and there are many Android phones which do not have the latest security updates. With the Marshmallow update in Android, applications request permissions only at runtime, but not all users have this update. This is important because user permission is required to perform certain actions. The permissions may be irrelevant to the features provided by an application. The purpose of this research is to investigate the use and security risk of seemingly irrelevant permissions in applications available from the Google store. Two different applications which seem to ask for irrelevant permissions during installation were selected from the Google store. To test these applications, static analysis, dynamic analysis and reverse engineering tools were used. Findings show potentially malicious behavior, demonstrating that downloading apps from the Google Play store does not guarantee security.
On the Reverse Engineering of the Citadel Botnet
Citadel is an advanced information-stealing malware which targets financial information. This malware poses a real threat against the confidentiality and integrity of personal and business data. A joint operation was recently conducted by the FBI and the Microsoft Digital Crimes Unit in order to take down Citadel command-and-control servers. The operation caused some disruption in the botnet but has not stopped it completely. Due to the complex structure and advanced anti-reverse engineering techniques, the Citadel malware analysis process is both challenging and time-consuming. This allows cyber criminals to carry on with their attacks while the analysis is still in progress. In this paper, we present the results of the Citadel reverse engineering and provide additional insight into the functionality, inner workings, and open source components of the malware. In order to accelerate the reverse engineering process, we propose a clone-based analysis methodology. Citadel is an offspring of a previously analyzed malware called Zeus; thus, using the former as a reference, we can measure and quantify the similarities and differences of the new variant. Two types of code analysis techniques are provided in the methodology, namely assembly to source code matching and binary clone detection. The methodology can help reduce the number of functions requiring manual analysis. The analysis results prove that the approach is promising in Citadel malware analysis. Furthermore, the same approach is applicable to similar malware analysis scenarios.

Comment: 10 pages, 17 figures. This is an updated / edited version of a paper that appeared in FPS 201