70 results for evasive malware
Abstract:
Malware is a foundational component of cyber crime that enables an attacker to modify the normal operation of a computer or access sensitive digital information. Despite the extensive research performed to identify such programs, existing schemes fail to detect evasive malware, an increasingly popular class of malware that can alter its behavior at run-time, making it difficult to detect using today's state-of-the-art malware analysis systems. In this thesis, we present DVasion, a comprehensive strategy that exposes such evasive behavior through a multi-execution technique. DVasion successfully detects behavior that would have been missed by traditional, single-execution approaches, while addressing the limitations of previously proposed multi-execution systems. We demonstrate the accuracy of our system through strong parallels with existing work on evasive malware, as well as uncover the hidden behavior within 167 of 1,000 samples.
Abstract:
Magdeburg, University, Faculty of Computer Science, dissertation, 2014
Abstract:
This document describes the design and subsequent implementation of the new automation platform for the service offered by Internet Security Auditors, S.L., intended for the analysis of Internet domains in order to detect possible infections that affect web users. The current system has some deficiencies, so this text presents a new version that brings very significant improvements, such as more efficient management and a renewed, scalable design of the information and the various processes. The system is also given centralised error handling, with real-time alerting, and the results are grouped and centralised.
Abstract:
This document presents the results of a case-study-based investigation that assesses the robustness of two free-software communities. The assessment is carried out through an exploration whose aim is to find out whether these communities follow a series of procedures that help them protect themselves against attacks.
Abstract:
IRP poster for "The Evolution of Malware"
Abstract:
Conselho Nacional de Desenvolvimento Científico e Tecnológico (CNPq)
Abstract:
Malware has become a major threat in recent years due to the ease with which it spreads through the Internet. Malware detection has become difficult with the use of compression, polymorphic methods, and techniques to detect and disable security software. Those and other obfuscation techniques pose a problem for detection and classification schemes that analyze malware behavior. In this paper we propose a distributed architecture to improve malware collection, using different honeypot technologies to increase the variety of malware collected. We also present a daemon tool developed to grab malware distributed through spam, and a pre-classification technique that uses antivirus technology to separate malware into generic classes. © 2009 SPIE.
Abstract:
Malicious programs (malware) can cause severe damage to computer systems and data. The mechanism that the human immune system uses to detect and protect against organisms that threaten the human body is efficient and can be adapted to detect malware attacks. In this paper we propose a system to perform distributed malware collection, analysis and detection, the last of which is inspired by the human immune system. After malware samples are collected from the Internet, they are dynamically analyzed so as to provide execution traces at the operating system level and network flows, which are used to create a behavioral model and to generate a detection signature. Those signatures serve as input to a malware detector, acting as the antibodies in the antigen detection process. This allows us to understand the malware attack and aids in the infection removal procedures. © 2012 Springer-Verlag.
Abstract:
The increasing number of space debris in operating regions around the Earth constitutes a real threat to space missions. The goal of this research is to establish appropriate scientific and technological conditions to prevent the destruction and/or disablement of spacecraft facing imminent collision in these regions. A definitive solution to this problem has not yet been reached with the degree of precision that the dynamics of space objects (vehicle and debris) require, mainly because collisions occur in chains and these objects fragment in the space environment. This threatens space missions now, with no prospect of a solution in the near future. We present an optimization process for finding the initial conditions for collision (CIC), considering the symmetry of the distributions of maximum relative positions between space objects with respect to the spherical angles. For this, we used the Clohessy-Wiltshire equations of motion, which represent a validation limit that is highly computationally costly. We simulate different maximum relative position values for the corresponding initial conditions given in terms of spherical angles. Our results showed that there are symmetries that significantly reduce operating costs, such that the search for the CIC is advantageously carried out up to 4 times faster than the initial processing routine. Knowledge of the CIC allows the vehicle's propulsion system to execute evasive maneuvers before impending collisions with space debris.
Abstract:
Cryptolocker is a globally widespread piece of malware belonging to the ransomware category. My analysis retraces the origins of malicious software in search of representatives of the genre with characteristics similar to the virus that has persisted relentlessly since 2013: Cryptolocker. To learn more about the behaviour of this threat, static and dynamic malware analyses performed on Cryptolocker (2013), CryptoWall (2014) and TeslaCrypt (2015) are presented. The practical part, the design and configuration of a virtual laboratory for the subsequent collection of the traces left by the malware on the system and on the network, is described briefly. Following the practical analysis and a focus on the weak points of these threats, as well as on the technical aspects underlying how crypto-ransomware works, the social and psychological aspects that characterise the complex background from which the virus proliferates are considered. Authoritative sources and testimonies are compared to clear up the doubts that remained after the tests. It is these that confirm the validity of the data that emerged from my experiments, but they also form a more complete picture, highlighting how closely the morphology of the malware is tied to the type of user it targets. Having understood the general operation of crypto-ransomware, it is precisely its functionality and its peculiarities that allow me to compile, also with the help of sources external to my own work, an exhaustive list of defensive measures and behaviours to counter it and reduce the risk of infection. Possible recovery procedures for compromised data are also mentioned, for the "lucky" cases, since recovery is not always materially possible.
My report concludes with a consideration that was, for me, unexpected: the potential of crypto-ransomware, in all its forms, lies mostly in social engineering, without which (except for certain categories of ransomware) the infection would have decidedly higher failure rates.
The Effects of Threading, Infection Time, and Multiple-Attacker Collaboration on Malware Propagation
Abstract:
3. "Plan d'ensemble d'une enquête sur les attitudes generales de la population allemande a l'egard de la France et leurs consequences en ce qui concerne l'orientation des emissions en langue allemande de la radiodiffusion francaise", 18.05.1953. Typescript, 7 sheets; 4. "Note" on the method, research direction and scope of the results of the study; 18.05.1953; typescript, 7 sheets; 5. "Note" on the history and activities of the Institute for Social Research; 18.05.1953; typescript, 5 sheets; 6. Memorandum of the Institute on the procedure and results of the study; 1954 [?]; typescript, 2 sheets; 7.-17. Décamps, Jacques: memoranda; 7. Memorandum, 12.09.1953; typescript, 1 sheet; 8. "Memorandum re: meeting in Bad Godesberg concerning the French study, on 4 September 1953", 10.09.1953. Typescript, 1 sheet; 9. "Memorandum re: plan of the 'Centre d'Etudes Sociologiques, Paris' to found a German-French working group for carrying out community studies", 15.06.1953. Typescript, 1 sheet; 10. "Memorandum on the visit of M. Jean L. Pelosse, Centre d'Etudes sociologiques Paris", 12.06.1953. Typescript, 3 sheets; 11. "Report on the 'Journées d'Etudes européennes sur la Population' Paris, 21, 22 and 23 May 1953", 01.06.1953; 12. "Report on the state of negotiations with the French Foreign Ministry and French radio. Meetings in Paris on 27 and 28 May 1953", 01.06.1953. Typescript, 2 sheets; 13. Notes for Max Horkheimer on the handover of memoranda, project descriptions and draft letters, May 1953; typescript, 1 sheet; 14. "Report on the 'Institut National d'Etudes Démographiques'", 07.05.1953. Typescript, 4 sheets; 15. "Memorandum re: group discussion method", 04.05.1953. Typescript, 1 sheet; 16. "Meeting at the 'Institut francaise d'Opinion Publique, Paris' and at the High Authority, Luxembourg", 30.04.1953; 17. "Meeting at the Foreign Ministry and at French radio", 29.04.1953. Typescript, 6 sheets; 18. Horkheimer, Max: 1 letter to the French ambassador in the Federal Republic of Germany, no place, no date; typescript, 1 sheet; 19. Radiodiffusion-Télévision Francaise, le Directeur: 1 copy of a letter to Jacques Décamps, Paris, 09.03.1954; 1 sheet; 20. Plessner, Helmuth: 1 letter to the French Foreign Minister, no place, 18.05.1953; 1 sheet; 21. Plessner, Helmuth: 1 letter to Radiodiffusion Francaise, no place, 18.05.1953; 1 sheet; 22. Plessner, Helmuth: 1 letter to the Ministerialrat of the "Agences et Radio" section in the French Foreign Ministry, no place, 18.05.1953; 1 sheet; "The Effectiveness of Candid versus Evasive German-Language Broadcasts of the Voice of America. Final Report", 1953. Typescript, bound, 432 sheets;
Abstract:
Malware is a serious threat to the security of systems. With the widespread use of the World Wide Web, there has been a huge increase in virus attacks, making computer security essential for all computers and expanding the areas of research into the new incidents being generated, one of which is malware classification. "Malware developers" use new techniques to generate polymorphic malware by reusing existing malware, so it is necessary to group samples into families in order to study their characteristics and detect new variants. This work, in addition to presenting a detailed state of the art on the classification of PE executable-file malware, presents an approach that improves the classification rate of the MALICIA malware database using the static features Imphash and Pehash of executable files; with these features a clustering is performed using the aggressive clustering algorithm, which is combined with the current classification by means of the majority voting algorithm and the icon_label feature, obtaining a Precision of 99.15% and a Recall of 99.32% and improving the classification of MALICIA with an F-measure of 99.23%.
---ABSTRACT---
Malware is a serious threat to the security of systems. With the widespread use of the World Wide Web, there has been a huge increase in virus attacks, making computer security essential for all computers. New areas of research have appeared in this field, including the classification of malware into families. Malware developers use polymorphism to generate new variants of existing malware. Thus it is crucial to group variants of the same family, to study their characteristics and to detect new variants.
This work, in addition to presenting a detailed analysis of the problem of classifying malware PE executable files, presents an approach in which the classification in the MALICIA malware database is improved by using static characteristics of executable files, namely Imphash and Pehash. Both features are evaluated by clustering real malware with family labels using an aggressive clustering algorithm and combining this with the current classification by a majority voting algorithm, obtaining a Precision of 99.15% and a Recall of 99.32%, improving the classification of MALICIA with an F-measure of 99.23%.