
    Hunting for new threats in a feed of malicious samples

    Nowadays, security companies collect massive amounts of malware and other possibly benign files. Finding interesting threats among the many millions of files collected is a very challenging task. One of the most popular security platforms, VirusTotal (VT), allows querying for reports of files that users have submitted. VT also offers the VT File Feed (i.e., a stream of reports). In this project we deep-dive into the VT File Feed: we analyze 328.3M reports scanned by VirusTotal during one year, belonging to 235.7M samples, and observe that 209.6M samples (89%) were new. We use the one-year reports to characterize the VirusTotal Feed and compare it with the telemetry of a large antivirus vendor. With both datasets we answer the following questions: How diverse is the feed? What is the filetype distribution over a year? Which of the two platforms detects malicious files earlier? Can we detect malicious files that VirusTotal detects but the large security vendor's telemetry does not? What is the malware distribution over one year? Then, we evaluate three clustering approaches over Windows and APK ground-truth datasets: Hierarchical DBSCAN (HDBSCAN); HAC-T, an improved Hierarchical Agglomerative Clustering (HAC) over TLSH that reduces complexity from O(n²) to O(n log n); and Feature Value Grouping (FVG). We conclude that only HAC-T and FVG produce high-precision clusterings. Our results show that FVG is the only approach that scales to the full one-year VT File Feed dataset. Finally, we develop a novel threat hunting approach to identify malicious samples that were supposedly benign, i.e., have zero detections by AV engines. When applied to the 235M samples in the VT feed, our approach identifies 190K possibly not-so-benign samples that belong to 29K malicious clusters, i.e., clusters in which most samples are malicious.
    Máster Universitario en Ciberseguridad (M179

    Cybercrime Bitcoin Revenue Estimations: Quantifying the Impact of Methodology and Coverage

    Multiple works have leveraged the public Bitcoin ledger to estimate the revenue cybercriminals obtain from their victims. Estimations focusing on the same target often do not agree, due to the use of different methodologies, seed addresses, and time periods. These factors make it challenging to understand the impact of their methodological differences. Furthermore, they underestimate the revenue due to the (lack of) coverage of the target's payment addresses, but how large this impact is remains unknown. In this work, we perform the first systematic analysis of the estimation of cybercrime bitcoin revenue. We implement a tool that can replicate the different estimation methodologies. Using our tool we can quantify, in a controlled setting, the impact of the different methodology steps. In contrast to what is widely believed, we show that the revenue is not always underestimated: there exist methodologies that can introduce huge overestimation. We collect 30,424 payment addresses and use them to compare the financial impact of 6 cybercrimes (ransomware, clippers, sextortion, Ponzi schemes, giveaway scams, exchange scams) and of 141 cybercriminal groups. We observe that the popular multi-input clustering fails to discover addresses for 40% of groups. We quantify, for the first time, the impact of the (lack of) coverage on the estimation. For this, we propose two techniques to achieve high coverage, possibly nearly complete, on the DeadBolt server ransomware. Our expanded coverage enables estimating DeadBolt's revenue at $2.47M, 39 times higher than the estimation using two popular Internet scan engines.

    The Luxor Theatre project: a case study


    Analysis of privilege escalation procedures based on the MITRE ATT&CK framework

    This document aims to show and analyze the various existing techniques that have been used in real attacks to escalate privileges on a machine. Based on the MITRE ATT&CK framework, a study has been carried out to audit the Windows and Linux operating systems from a Blue Team perspective. We propose to develop a tool that discovers and reports the weak points of a system that allow privilege escalation. We study how the Windows and Linux systems work and, with that, cover the main weaknesses these systems have, so that they can later be reported when they are not properly configured.
    Grado en Ingeniería de Computadore

    Designers considered in practice: design methods


    The effect of electrical neurostimulation on collateral perfusion during acute coronary occlusion

    Abstract

    Background

    Electrical neurostimulation can be used to treat patients with refractory angina; it reduces angina and ischemia. Previous data have suggested that electrical neurostimulation may alleviate myocardial ischaemia through increased collateral perfusion. We investigated the effect of electrical neurostimulation on functional collateral perfusion, assessed by distal coronary pressure measurement during acute coronary occlusion. We sought to study the effect of electrical neurostimulation on collateral perfusion.

    Methods

    Sixty patients with stable angina and significant coronary artery disease planned for elective percutaneous coronary intervention were split into two groups. In all patients two balloon inflations of 60 seconds were performed, the first for balloon dilatation of the lesion (first episode), the second for stent delivery (second episode). The Pw/Pa ratio (wedge pressure/aortic pressure) was measured during both ischaemic episodes. Group 1 received 5 minutes of active neurostimulation before plus 1 minute during the first episode; group 2 received 5 minutes of active neurostimulation before plus 1 minute during the second episode.

    Results

    In group 1 the Pw/Pa ratio decreased by 10 ± 22% from 0.20 ± 0.09 to 0.19 ± 0.09 (p = 0.004) when electrical neurostimulation was deactivated. In group 2 the Pw/Pa ratio increased by 9 ± 15% from 0.22 ± 0.09 to 0.24 ± 0.10 (p = 0.001) when electrical neurostimulation was activated.

    Conclusion

    Electrical neurostimulation induces a significant improvement in the Pw/Pa ratio during acute coronary occlusion.

    Transthoracic coronary flow reserve and dobutamine derived myocardial function: a 6-month evaluation after successful coronary angioplasty

    After percutaneous transluminal coronary angioplasty (PTCA), stress-echocardiography and gated single photon emission computerized tomography (g-SPECT) are usually performed, but both tools have technical limitations. The present study evaluated the results of PTCA of the left anterior descending artery (LAD) six months after PTCA, by combining transthoracic Doppler coronary flow reserve (CFR) and color Tissue Doppler (C-TD) dobutamine stress. Six months after PTCA of the LAD, 24 men, free of angiographic evidence of restenosis, underwent standard Doppler-echocardiography, transthoracic CFR of the distal LAD (hyperemic to basal diastolic coronary flow ratio) and C-TD at rest and during dobutamine stress to quantify myocardial systolic (Sm) and diastolic (Em and Am, Em/Am ratio) peak velocities in the middle posterior septum. Patients with myocardial infarction, coronary stenosis of non-LAD territory and heart failure were excluded. According to dipyridamole g-SPECT, 13 patients had normal perfusion and 11 had perfusion defects. The 2 groups were comparable for age, wall motion score index (WMSI) and C-TD at rest. However, patients with perfusion defects had lower CFR (2.11 ± 0.4 versus 2.87 ± 0.6, p < 0.002) and lower septal Sm at high-dose dobutamine (p < 0.01), with higher WMSI (p < 0.05) and stress-echo positivity of the LAD territory in 5/11 patients. In the overall population, CFR was related negatively to high-dobutamine WMSI (r = -0.50, p < 0.01) and positively to high-dobutamine Sm of the middle septum (r = 0.55, p < 0.005). In conclusion, even in the absence of epicardial coronary restenosis, stress perfusion imaging reflects a physiologic impairment in coronary microcirculation function whose magnitude is associated with the degree of regional functional impairment detectable by C-TD.

    Plasma Chemokine Levels Are Associated with the Presence and Extent of Angiographic Coronary Collaterals in Chronic Ischemic Heart Disease

    In patients with chronic ischemic heart disease (IHD), the presence and extent of spontaneously visible coronary collaterals are powerful determinants of clinical outcome. There is marked heterogeneity in the recruitment of coronary collaterals amongst patients with similar degrees of coronary artery stenoses, but the biological basis of this heterogeneity is not known. Chemokines are potent mediators of vascular remodeling in diverse biological settings. Their role in coronary collateralization has not been investigated. We sought to determine whether plasma levels of angiogenic and angiostatic chemokines are associated with the presence and extent of coronary collaterals in patients with chronic IHD. We measured plasma concentrations of angiogenic and angiostatic chemokine ligands in 156 consecutive subjects undergoing coronary angiography with at least one ≥90% coronary stenosis and determined the presence and extent of spontaneously visible coronary collaterals using the Rentrop scoring system. Eighty-eight subjects (56%) had evidence of coronary collaterals. In a multivariable regression model, the concentration of the angiogenic ligands CXCL5, CXCL8 and CXCL12, hyperlipidemia, and an occluded artery were associated with the presence of collaterals; conversely, the concentration of the angiostatic ligand CXCL11, interferon-γ, hypertension and diabetes were associated with the absence of collaterals (ROC area 0.91). When analyzed according to extent of collateralization, higher Rentrop scores were significantly associated with increased concentration of the angiogenic ligand CXCL1 (p < 0.0001), and decreased concentrations of the angiostatic ligands CXCL9 (p < 0.0001), CXCL10 (p = 0.002), and CXCL11 (p = 0.0002), and interferon-γ (p = 0.0004). Plasma chemokine concentrations are associated with the presence and extent of spontaneously visible coronary artery collaterals and may be mechanistically involved in their recruitment.