535 research outputs found
On the Reverse Engineering of the Citadel Botnet
Citadel is an advanced information-stealing malware which targets financial
information. This malware poses a real threat against the confidentiality and
integrity of personal and business data. A joint operation was recently
conducted by the FBI and the Microsoft Digital Crimes Unit in order to take
down Citadel command-and-control servers. The operation caused some disruption
in the botnet but has not stopped it completely. Due to the complex structure
and advanced anti-reverse engineering techniques, the Citadel malware analysis
process is both challenging and time-consuming. This allows cyber criminals to
carry on with their attacks while the analysis is still in progress. In this
paper, we present the results of the Citadel reverse engineering and provide
additional insight into the functionality, inner workings, and open source
components of the malware. In order to accelerate the reverse engineering
process, we propose a clone-based analysis methodology. Citadel is an offspring
of a previously analyzed malware called Zeus; thus, using the former as a
reference, we can measure and quantify the similarities and differences of the
new variant. Two types of code analysis techniques are provided in the
methodology, namely assembly to source code matching and binary clone
detection. The methodology can help reduce the number of functions requiring
manual analysis. The analysis results prove that the approach is promising in
Citadel malware analysis. Furthermore, the same approach is applicable to
similar malware analysis scenarios.Comment: 10 pages, 17 figures. This is an updated / edited version of a paper
appeared in FPS 201
A Threat to Cyber Resilience : A Malware Rebirthing Botnet
This paper presents a threat to cyber resilience in the form of a conceptual model of a malware rebirthing botnet which can be used in a variety of scenarios. It can be used to collect existing malware and rebirth it with new functionality and signatures that will avoid detection by AV software and hinder analysis. The botnet can then use the customized malware to target an organization with an orchestrated attack from the member machines in the botnet for a variety of malicious purposes, including information warfare applications. Alternatively, it can also be used to inject known malware signatures into otherwise non malicious code and traffic to overloading the sensors and processing systems employed by intrusion detection and prevention systems to create a denial of confidence of the sensors and detection systems. This could be used as a force multiplier in asymmetric warfare applications to create confusion and distraction whilst attacks are made on other defensive fronts
Pattern for malware remediation â A last line of defence tool against Malware in the global communication platform
Malware is becoming a major problem to every organization that operates on the global communication platform. The malicious software programs are advancing in sophistication in many ways in order to defeat harden deployed defenses. When an organizationâs defense fails to keep this malice invasion out, the organization would incur significant amount of risks and damages. Risks include data leakage, inability to operate and tarnished corporate image. Damages include compensation costs to customers and partners, service unavailability and loss of customersâ and partnersâ confidence in the organization. This in turn will affect the organizationâs business continuity. In order to manage the risks and damages induced by Malware incidents, incident responders are called upon to be the last line of defense against the digital onslaught assault. However incident responders are challenged too by the deep levels of knowledge, skills and experience required to contain the ever advancing and persistent Malware. This paper proposes the establishment of a Pattern template for Malware Remediation to aid incident responders to overcome their competency limitations in order to provide organizations the tool to repel Malware and to reduce the associated risks. Examples and details of the proposed patters are provided with discussions on future direction of the research work
Analysis and Diversion of Duqu's Driver
The propagation techniques and the payload of Duqu have been closely studied
over the past year and it has been said that Duqu shared functionalities with
Stuxnet. We focused on the driver used by Duqu during the infection, our
contribution consists in reverse-engineering the driver: we rebuilt its source
code and analyzed the mechanisms it uses to execute the payload while avoiding
detection. Then we diverted the driver into a defensive version capable of
detecting injections in Windows binaries, thus preventing further attacks. We
specifically show how Duqu's modified driver would have detected Duqu.Comment: Malware 2013 - 8th International Conference on Malicious and Unwanted
Software (2013
CryptoKnight:generating and modelling compiled cryptographic primitives
Cryptovirological augmentations present an immediate, incomparable threat. Over the last decade, the substantial proliferation of crypto-ransomware has had widespread consequences for consumers and organisations alike. Established preventive measures perform well, however, the problem has not ceased. Reverse engineering potentially malicious software is a cumbersome task due to platform eccentricities and obfuscated transmutation mechanisms, hence requiring smarter, more efficient detection strategies. The following manuscript presents a novel approach for the classification of cryptographic primitives in compiled binary executables using deep learning. The model blueprint, a Dynamic Convolutional Neural Network (DCNN), is fittingly configured to learn from variable-length control flow diagnostics output from a dynamic trace. To rival the size and variability of equivalent datasets, and to adequately train our model without risking adverse exposure, a methodology for the procedural generation of synthetic cryptographic binaries is defined, using core primitives from OpenSSL with multivariate obfuscation, to draw a vastly scalable distribution. The library, CryptoKnight, rendered an algorithmic pool of AES, RC4, Blowfish, MD5 and RSA to synthesise combinable variants which automatically fed into its core model. Converging at 96% accuracy, CryptoKnight was successfully able to classify the sample pool with minimal loss and correctly identified the algorithm in a real-world crypto-ransomware applicatio
Acceleration of Statistical Detection of Zero-day Malware in the Memory Dump Using CUDA-enabled GPU Hardware
This paper focuses on the anticipatory enhancement of methods of detecting stealth software. Cyber security detection tools are insufficiently powerful to reveal the most recent cyber-attacks which use malware. In this paper, we will present first an idea of the highest stealth malware, as this is the most complicated scenario for detection because it combines both existing anti-forensic techniques together with their potential improvements. Second, we will present new detection methods which are resilient to this hidden prototype. To help solve this detection challenge, we have analyzed Windowsâ memory content using a new method of Shannon Entropy calculation; methods of digital photogrammetry; the ZipfâMandelbrot law, as well as by disassembling the memory content and analyzing the output. Finally, we present an idea and architecture of the software tool, which uses CUDA-enabled GPU hardware, to speed-up memory forensics. All three ideas are currently a work in progress.
Keywords: rootkit detection, anti-forensics, memory analysis, scattered fragments, anticipatory enhancement, CUDA
Acceleration of Statistical Detection of Zero-day Malware in the Memory Dump Using CUDA-enabled GPU Hardware
This paper focuses on the anticipatory enhancement of methods of detecting
stealth software. Cyber security detection tools are insufficiently powerful to
reveal the most recent cyber-attacks which use malware. In this paper, we will
present first an idea of the highest stealth malware, as this is the most
complicated scenario for detection because it combines both existing
anti-forensic techniques together with their potential improvements. Second, we
present new detection methods, which are resilient to this hidden prototype. To
help solve this detection challenge, we have analyzed Windows memory content
using a new method of Shannon Entropy calculation; methods of digital
photogrammetry; the Zipf Mandelbrot law, as well as by disassembling the memory
content and analyzing the output. Finally, we present an idea and architecture
of the software tool, which uses CUDA enabled GPU hardware to speed-up memory
forensics. All three ideas are currently a work in progress
Investigation of Malicious Portable Executable File Detection on the Network using Supervised Learning Techniques
Malware continues to be a critical concern for everyone from home users to enterprises. Today, most devices are connected through networks to the Internet. Therefore, malicious code can easily and rapidly spread. The objective of this paper is to examine how malicious portable executable (PE) files can be detected on the network by utilizing machine learning algorithms. The efficiency and effectiveness of the network detection rely on the number of features and the learning algorithms. In this work, we examined 28 features extracted from metadata, packing, imported DLLs and functions of four different types of PE files for malware detection. The returned results showed that the proposed system can achieve 98.7% detection rates, 1.8% false positive rate, and with an average scanning speed of 0.5 seconds per file in our testing environment
- âŠ