
    Analysis and Concealment of Malware in an Adversarial Environment

    Nowadays, users and devices are rapidly growing in number, and there is a massive migration of data and infrastructure from physical systems to virtual ones. Moreover, people are always connected and deeply dependent on information and communications. Thanks to the massive growth of Internet of Things applications, this phenomenon also affects everyday objects such as home appliances and vehicles. This extensive interconnection implies a significant rate of potential security threats for systems, devices, and virtual identities. For this reason, malware detection and analysis is one of the most critical security topics. The detection strategies in use are well suited to analyze and respond to potential threats, but they are vulnerable and can be bypassed under specific conditions. In light of this scenario, this thesis highlights the existing detection strategies and how it is possible to deceive them using strategies for concealing malicious content, such as code obfuscation and adversarial attacks. Moreover, the ultimate goal is to explore new viable ways to detect and analyze embedded malware and to study the feasibility of generating adversarial attacks. In line with these two goals, in this thesis I present two research contributions. The first one proposes a new viable way to detect and analyze the malicious contents inside Microsoft Office documents (even when concealed). The second one proposes a study on the feasibility of generating Android malicious applications capable of bypassing a real-world detection system. Firstly, I present Oblivion, a static and dynamic system for large-scale analysis of Office documents with embedded (and most of the time concealed) malicious contents. Oblivion instruments the code and executes the Office documents in a virtualized environment to de-obfuscate and reconstruct their behavior. In particular, Oblivion can systematically extract embedded PowerShell and non-PowerShell attacks and reconstruct the employed obfuscation strategies. This research work aims to provide a scalable system that allows analysts to go beyond simple malware detection by performing a real, in-depth inspection of macros. To evaluate the system, a large-scale analysis of more than 40,000 Office documents has been performed. The attained results show that Oblivion can efficiently de-obfuscate malicious macro files by revealing a large corpus of PowerShell and non-PowerShell attacks in a short amount of time. Then, the focus shifts to presenting an Android adversarial attack framework. This research work aims to understand the feasibility of generating adversarial samples specifically through the injection of Android system API calls only. In particular, the constraints necessary to generate actual adversarial samples are discussed. To evaluate the system, I employ an interpretability technique to assess the impact of specific API calls on evasion. The vulnerability of the detection system under study against mimicry and random noise attacks is also assessed. Finally, a basic implementation is proposed to generate concrete and working adversarial samples. The attained results suggest that injecting system API calls could be a viable strategy for attackers to generate concrete adversarial samples. This thesis aims to improve the security landscape in both the research and industrial world by exploring a hot security topic and proposing two novel research works about embedded malware. The main conclusion of this research experience is that systems and devices can be secured with the most robust security processes. At the same time, it is fundamental to improve user awareness and education in detecting and preventing possible attempts of malicious infection.

    PowerDrive: Accurate De-Obfuscation and Analysis of PowerShell Malware

    PowerShell is nowadays a widely used technology to administer and manage Windows-based operating systems. However, it is also extensively used by malware vectors to execute payloads or drop additional malicious content. Like other scripting languages used by malware, PowerShell attacks are challenging to analyze due to the extensive use of multiple obfuscation layers, which make the real malicious code hard to unveil. To the best of our knowledge, a comprehensive solution for properly de-obfuscating such attacks is currently missing. In this paper, we present PowerDrive, an open-source, static and dynamic multi-stage de-obfuscator for PowerShell attacks. PowerDrive instruments the PowerShell code to progressively de-obfuscate it, showing the analyst the employed obfuscation steps. We used PowerDrive to successfully analyze thousands of PowerShell attacks extracted from various malware vectors and executables. The attained results show interesting patterns used by attackers to devise their malicious scripts. Moreover, we provide a taxonomy of behavioral models adopted by the analyzed codes and a comprehensive list of the malicious domains contacted during the analysis.

    On the Feasibility of Adversarial Sample Creation Using the Android System API

    Due to its popularity, the Android operating system is a critical target for malware attacks. Multiple security efforts have been made in the design of malware detection systems to identify potentially harmful applications. In this sense, machine learning-based systems, leveraging both static and dynamic analysis, have been increasingly adopted to discriminate between legitimate and malicious samples due to their capability of identifying novel variants of malware samples. At the same time, attackers have been developing several techniques to evade such systems, such as the generation of evasive apps, i.e., carefully perturbed samples that can be classified as legitimate by the classifiers. Previous work has shown the vulnerability of detection systems to evasion attacks, including those designed for Android malware detection. However, most works neglected to bring the evasive attacks onto the so-called problem space, i.e., by generating concrete Android adversarial samples, which requires preserving the app's semantics and being realistic for human expert analysis. In this work, we aim to understand the feasibility of generating adversarial samples specifically through the injection of system API calls, which are typical discriminating characteristics for malware detectors. We perform our analysis on a state-of-the-art ransomware detector that employs the occurrence of system API calls as features of its machine learning algorithm. In particular, we discuss the constraints that are necessary to generate real samples, and we use techniques inherited from interpretability to assess the impact of specific API calls on evasion. We assess the vulnerability of such a detector against mimicry and random noise attacks. Finally, we propose a basic implementation to generate concrete and working adversarial samples. The attained results suggest that injecting system API calls could be a viable strategy for attackers to generate concrete adversarial samples. However, we point out the low suitability of mimicry attacks and the necessity to build more sophisticated evasion attacks.

    UR-INGV ACTIVITY REPORT

    This activity report describes the second phase of the research carried out by UR-INGV in the two municipalities selected for the project, Nocera Umbra and Cerreto di Spoleto. For Nocera Umbra, we analysed the seismometric data recorded during an experiment with a small-aperture seismic array, installed specifically on the Nocera Umbra hill to study the topographic effect and to quantify the role of local topographic variations on the seismic input. It should be recalled that the bell tower, heavily damaged during the strongest shocks of September and October 1997, as well as the entire historic centre of Nocera Umbra, is located on the top of a hill. It therefore appeared important to evaluate the ground-motion amplification effects with high spatial detail in the area where the monumental buildings and the historic part of the town are located. Two geoelectric profiles were also acquired across the fault, probably inactive, that crosses Nocera Umbra, and through tomographic inversion of the resistivity data we sought confirmation of the lateral extent of the fault zone, whose presence has been identified as the main cause of the 0.6 g acceleration recorded at the station of the national accelerometric network located in the ENEL cabin at Nocera Umbra, about 20 m from the fault wall itself. Finally, the role played by the fault zone in the propagation of seismic waves was analysed in detail, both in terms of peak acceleration and velocity and of spectral amplification, in the linear and non-linear regime. The work at Cerreto di Spoleto involved the installation of seismic stations in the urban area jointly with UR-ENEA, and geoelectric measurements to define the buried geometries in the Borgo Cerreto plain. In addition, we studied in detail the amplification effect near a fault crossing the historic centre of Cerreto di Spoleto, where the seismic recordings showed, as in the Nocera Umbra case, a strong channelling of the incident energy in the form of "trapped waves", and where the highest concentration of damage had previously been observed during the strongest shocks of October 1997, located in the Sellano-Preci area. The following sections present the results of these investigations.

    Shallow subsurface geology and seismic microzonation in a deep continental basin. The Avezzano Town, Fucino basin (central Italy)

    We present detailed geological investigations aimed at reconstructing the shallow subsurface geology, and the associated local seismic hazard, of the town of Avezzano in the Quaternary Fucino basin (central Apennines). This work presents a basic (Level 1) seismic microzonation (SM) of the Avezzano town, focusing on geologic constraints. We also discuss some methodological procedures of SM. Level 1 SM involves a reconstruction of the subsurface geological model achieved by a multidisciplinary approach synthesized in two main thematic maps and geologic sections. The first map, containing essential geologic information, is formed by overlapping layers (geological units, litho-technical units, and geomorphological/structural features). The second map is a summary map, easily accessible to non-geologist earthquake scientists and technicians, which synthesizes surface geology, subsurface data and resonance frequencies into homogeneous microzones. The two maps are tools for land and urban planning. The Avezzano area provides a case study of shallow subsurface geology and site effects in a deep continental basin environment, and is of potential interest for similar geologic contexts worldwide. Within the investigated area, almost all the possible earthquake-induced effects can occur, such as (a) stratigraphic amplifications in a wide range of resonance frequencies (from 0.4 to > 10 Hz); (b) liquefaction; (c) coseismic surface faulting; (d) basin-edge effects; and (e) slope instability.

    Liquid Phase Infiltration of Block Copolymers

    Novel materials with defined composition and structure at the nanoscale are increasingly desired in several research fields spanning a wide range of applications. The development of new synthesis approaches that provide such control is therefore required in order to relate the material properties to its functionalities. Self-assembling materials such as block copolymers (BCPs), in combination with liquid phase infiltration (LPI) processes, represent an ideal strategy for the synthesis of inorganic materials into even more complex and functional features. This review provides an overview of the mechanism involved in LPI, outlining the role of the different polymer infiltration parameters on the resulting material properties. We report newly developed methodologies that extend LPI to the realisation of multicomponent and 3D inorganic nanostructures. Finally, the recently reported implementations of LPI in different applications such as photonics, plasmonics and electronics are highlighted.

    Chronostratigraphic study of the Grottaperfetta alluvial valley in the city of Rome (Italy): investigating possible interaction between sedimentary and tectonic processes

    We carried out geomorphologic and geological investigations in a south-eastern tributary valley of the Tiber River in Rome, the Grottaperfetta valley, aimed at reconstructing its buried geometry. Since the results of the geomorphologic study evidenced anomalies of the stream beds, we performed geoelectric and borehole prospecting to check whether recent faulting, rather than an inherited structural control, possibly contributed to the evolution of the alluvial valley. Vertical offsets of the stratigraphic horizons across adjacent boreholes were evidenced within the Late Pleistocene-Holocene alluvium and its substratum. In order to rule out the effects of the irregular geometry of the alluvial deposits, we focussed on sectors where vertical offsets affected all the stratigraphic horizons (alluvium and pre-Holocene substratum), showing an increasing displacement with depth. We identified a site where repeated displacements occur coupled with a lateral variation of soil resistivity, and we drilled an oblique borehole aimed at crossing and sampling the possible fault zone affecting the terrain. A 7 cm thick granular layer, inclined 50° to 70° from the horizontal, was recovered 5 m b.g., and it was interpreted as the filling material of a fracture. The convergence of the reported features with independent evidence from geoelectric and geomorphologic investigations leads us to hypothesize the presence of a faulting zone within the Holocene alluvial terrains and to propose the excavation of a trench to verify this hypothesis.

    Site characterization of station IV.LAV9 (LANUVIO) of Italian National Seismic Network

    Final report illustrating the array measurements performed at station IV.LAV9 of the Italian national seismic network. This report is part of the DPC-INGV 2016 agreement, All. B2, Task B: Seismic characterization of accelerometric sites.

    MICROTREMOR MEASUREMENTS IN PALERMO, ITALY: A COMPARISON WITH MACROSEISMIC INTENSITY AND EARTHQUAKE GROUND MOTION

    The city of Palermo is an appropriate test site where the efficiency of microtremors in predicting ground motion properties during earthquakes can be checked. Palermo is a densely populated city with important historical heritage and was the object of previous studies. Areas of local amplification of damage were identified in downtown Palermo using historical macroseismic data. Moreover, aftershocks of the September 6, 2002, earthquake (Mw 5.9, 40 km offshore) provided a dataset of seismograms that quantify spatial variations of ground motion. The availability of more than 2000 boreholes in the city allowed a reconstruction of the 3D structure of the surface geology, indicating that all the higher damage zones correspond to sediment-filled valleys. The high variability of the surface geology is mostly due to the presence of two filled river beds about 150 m wide. In the framework of the SESAME project (Seismic EffectS assessment using Ambient Excitations, funded by the European Union), 90 microtremor measurements were performed along several profiles crossing the soft sediment bodies. The measurement points were spaced more densely close to the valley edges (every 20 m), according to our geological reconstruction. H/V spectral ratios on ambient noise (HVSR) show significant variations along each profile: as soon as the transition from stiff to soft is crossed, a typical spectral peak exceeding a factor of 3 in amplitude appears in the HVSR. The peak falls between 1 and 2 Hz and, along each profile, the peak disappears as soon as the other edge of the valley is crossed. These results indicate that microtremors are sensitive to the presence of large impedance contrasts of deep soft soil, at least in the Palermo area, with an important implication: the HVSR method seems to be able to recognize conditions potentially favourable to the occurrence of higher damage even when local geological characters are masked by urban growth. However, we were not able to establish a quantitative correlation between microtremor properties and ground motion (or damage) amplification.