Malicious and Unwanted Software (MALWARE), 2012 7th International Conference on

Date 16-18 Oct. 2012

  • [Front matter]

    Publication Year: 2012 , Page(s): i - xii
  • Rogue software: Protection against potentially unwanted applications

    Publication Year: 2012 , Page(s): 1 - 8
    Cited by:  Patents (1)

    Rogue software consists of applications which purport to perform some function but, although appearing to, do not perform the stated function, often prompting the user to purchase the product. Tests by independent testing labs to measure the protection that commercial security products provide against rogue software usually assume a general consensus that an application is either rogue or not. In practice, rogue applications may be unwanted by some users but tolerated by others. This has given rise to the term “potentially unwanted application” (PUA). Security product vendors have responded to this by selectively allowing some types of rogue software. This paper examines the patterns of rogue software allowance and detection by security applications. Three main groups of rogue software are identified: Affiliate PUAs, Pay-per-install PUAs, and Financial PUAs. Each group is analyzed in an attempt to understand their differing business dynamics and the basis for security vendors deciding to detect or allow the rogue applications.
  • The power of obfuscation techniques in malicious JavaScript code: A measurement study

    Publication Year: 2012 , Page(s): 9 - 16

    JavaScript-based attacks have been reported as the top Internet security threats in recent years. Since most Internet users rely on anti-virus software to protect themselves from malicious JavaScript code, attackers exploit JavaScript obfuscation techniques to evade the detection of anti-virus software. To better understand the obfuscation techniques adopted by malicious JavaScript code, we conduct a measurement study. We first categorize observed JavaScript obfuscation techniques. Then we conduct a statistical analysis of the usage of different categories of obfuscation techniques in real-world malicious JavaScript samples. We also study the detection effectiveness of the 20 most popular anti-virus software products against obfuscation techniques. Based on the results, we analyze the cause of the popularity of obfuscation in malicious JavaScript code, the reason behind the choice of obfuscation techniques, and the difference between benign obfuscation and malicious obfuscation. Moreover, we also provide suggestions for designing effective obfuscation detection approaches in the future.
  • A transformation-based model of malware derivation

    Publication Year: 2012 , Page(s): 17 - 25

    Since most malware is derived from prior code, understanding malware derivation and evolution is essential for many types of malware analysis. However, prior models of malware relationships are insufficiently precise or fail to capture important relationships. A framework is proposed that treats both production and evolution uniformly as compositions of code transformations, and distinguishes disjoint but interleaved evolution of production code and malware code. Evolution relations are defined in terms of path patterns on derivation graphs; this generalizes and formalizes the relationship between phylogenies and provenance graphs. The comprehensiveness of the modeling framework is demonstrated using examples from the literature; implications for future work in relationship reconstruction are drawn.
  • Analysis and detection of malicious data exfiltration in web traffic

    Publication Year: 2012 , Page(s): 26 - 31
    Cited by:  Papers (1)

    Data-stealing botnets pose a great risk to the security of networks and the privacy of their users. Most of these botnets use the web as a medium for communication, making them difficult to detect given that web traffic constitutes about 70% of Internet traffic. In addition, they use obfuscation techniques, primarily encryption, to hide their communications and data exfiltration attempts, making current botnet detection techniques that depend on content inspection ineffective. In this paper, we present an analysis of the data-stealing behaviors of one of the most notorious data-stealing botnets, Zeus. In addition, we propose a classification algorithm to identify malicious data-stealing attempts within web traffic. Our classifier uses the entropy and byte frequency distribution of HTTP POST request contents as features. Our evaluation of the classifier shows high accuracy and high efficiency, making it applicable at network perimeter monitoring devices and web proxies.
  • Circumventing cryptography in virtualized environments

    Publication Year: 2012 , Page(s): 32 - 38

    The use of cryptography is becoming increasingly prevalent, and we see it in more and more contexts, on both sides of the fence. It is used to protect data from unauthorized access, but is also being used by adversaries, often for botnet C&C, manual control of compromised hosts, and data exfiltration. Virtual Machine Introspection (VMI) provides a mechanism by which the state of a virtual machine can be examined in real time (or near real time) from a vantage point external to the VM being monitored (e.g., the hypervisor or some other VM it delegates VMI capability to). This paper describes the results of a DARPA Cyber Fast Track project to develop a method that provides a hypervisor owner (e.g., a government or corporate enterprise, a cloud provider, or a honeynet operator) with the ability to recover and inspect the plaintext of encrypted data and communication channels within virtual machines.
  • Malware Analysis and attribution using Genetic Information

    Publication Year: 2012 , Page(s): 39 - 45
    Cited by:  Papers (2)

    As organizations become ever more dependent on networked operations, they are increasingly vulnerable to attack by a variety of attackers, including criminals, terrorists and nation states using cyber attacks. New malware attacks, including viruses, Trojans, and worms, are constantly and rapidly emerging threats. However, attackers often reuse code and techniques from previous attacks. Both by recognizing the reused elements from previous attacks and by detecting patterns in the types of modification and reuse observed, we can more rapidly develop defenses, make hypotheses about the source of the malware, and predict and prepare to defend against future attacks. We achieve these objectives in Malware Analysis and Attribution using Genetic Information (MAAGI) by adapting and extending concepts from biology and linguistics. First, analyzing the “genetics” of malware (i.e., reverse engineered representations of the original program) provides critical information about the program that is not available by looking only at the executable program. Second, the evolutionary process of malware (i.e., the transformation from one species of malware to another) can provide insights into the ancestry of malware, characteristics of the attacker, and where future attacks might come from and what they might look like. Third, functional linguistics is the study of the intent behind communicative acts; its application to malware characterization can support the study of the intent behind malware behaviors. To this point in the program, we developed a system that uses a range of reverse engineering techniques, including static, dynamic, behavioral, and functional analysis, that clusters malware into families. We are also able to determine the malware lineage in some situations. Using behavioral and functional analysis, we are also able to identify a number of functions and purposes of malware.
  • CIS: The Crypto Intelligence System for automatic detection and localization of cryptographic functions in current malware

    Publication Year: 2012 , Page(s): 46 - 53

    Finding and extracting crypto algorithms in binary code is often a tedious reverse engineering task. A significant amount of manual work is required when unknown implementations are used. This is especially true for malware that contains variants of existing or even completely new algorithms. So far, no flexible and generic crypto detection framework exists that can support analysts in this task. The framework must be able to handle various heuristics that are each ideal to detect specific types of cryptographic algorithms. In addition, a suitable set of heuristics must be selected that can identify a wide range of crypto algorithms from various classes, since the type of crypto implemented in a binary is not always known. In this paper, we present the architecture of CIS, the Crypto Intelligence System, that fulfills the requirements for such a framework. Furthermore, we evaluate different heuristics for real-world usage in the framework. The overall evaluation, using real programs, shows that CIS simplifies the job of an analyst significantly, with a high detection and low false positive ratio.
  • Component protection metrics for security product development: I. AV-TEST Full Product Tests

    Publication Year: 2012 , Page(s): 54 - 61

    The AV-TEST Full Product Tests were used to perform iterative private tests on pre-release builds of version 6 of the Trend Micro Titanium Maximum Security Windows endpoint product. The Full Product Tests include separate measurements of the protection provided by the consumer endpoint security product, including measurements of blocking “real world” attacks; detecting and removing rootkits; cleaning malware infections; blocking malware execution; and detecting and removing stored malware files. All tests were conducted as a private “piggyback” on regularly scheduled public tests of the new version's predecessor and currently released versions of competitor peer products.
  • Measuring security risk in the cloud-enabled enterprise

    Publication Year: 2012 , Page(s): 62 - 66

    Nowadays, the security problem of computer networks is getting bigger and bigger. There are threats using manual and purpose-designed tools as well. Attacks on computer networks usually use the communication among computers and computer users as well. Examples are worms spreading by using email messages, malware using botnet networks, and attacks based on personal communication (social engineering).
  • Click-fraud monetizing malware: A survey and case study

    Publication Year: 2012 , Page(s): 67 - 72

    Malware monetization via fraudulent ad traffic is lucrative and relatively easy. Not surprisingly, there is a higher incidence of malware that monetizes in this way today than in the past. Although this type of attack is not new, current methodologies to make malware-generated ad traffic appear organic, at such large scales, while remaining virtually undetected are novel. The on-line world of advertising is complex and not generally well understood. It is well funded and not well supervised. There is little transparency and there are conflicts of interest, thus creating a fertile ground for criminal activity. This paper provides a brief survey of this space, outlines an example analysis of current click-fraud malware, and presents new approaches to combat this type of malware monetization.
  • A trusted ecosystem for Android applications based on context-aware access control

    Publication Year: 2012 , Page(s): 73 - 78

    Private data stored on smartphones is a precious target for malware attacks. A constantly changing environment, e.g. switching network connections, can cause unpredictable threats, and requires an adaptive approach to access control. Context-based access control uses dynamic environmental information, including it in access decisions. We propose an “ecosystem-in-an-ecosystem” which acts as a secure container for trusted software, aimed at enterprise scenarios where users are allowed to use private devices. We have implemented a proof-of-concept prototype of an access control framework that processes changes to low-level sensors and semantically enriches them, adapting access control policies to the current context. This allows the user or the administrator to maintain fine-grained control over resource usage by compliant applications. Hence, resources local to the trusted container remain under control of the enterprise policy. Our results show that context-based access control can be done on smartphones without major performance impact.
  • Smartphone malware detection: From a survey towards taxonomy

    Publication Year: 2012 , Page(s): 79 - 86
    Cited by:  Papers (1)

    Smartphone malware is a serious threat. A malware detector is the primary tool to protect smartphones against malware. The malware detector's efficiency is based on the technique it uses. In this paper, we survey the current state of the art of smartphone malware detection techniques. Those techniques have been classified into a structured taxonomy based on 3 rules. Those rules are inferred and compiled from a literature review. The rules are: reference behaviour, analysis approach and malware behaviour representation. According to the reference behaviour rule, smartphone malware detection techniques are divided into two main classes: signature-based and anomaly-based. Inside these classes, ramifications are then derived according to the analysis approach rule and the malware behaviour representation rule.
  • Exploring an open WiFi detection vulnerability as a malware attack vector on iOS devices

    Publication Year: 2012 , Page(s): 87 - 93

    This paper presents a vulnerability on devices running Apple iOS, which can be traced back to iOS 3. First discovered in 2009 on iOS, and again in 2011 on Mac OS X, the vulnerability exists in a feature which seeks to help the device user maintain internet connectivity when attached to open WiFi networks protected by a captive portal. Since many modern applications rely on an internet connection, to alert a user when the connection requires user input to proceed, vulnerable OSs periodically check for a connection to the Apple URL http://www.apple.com/library/test/success.html. When the response returned from the connection check is abnormal, a UIWebView instance is opened, allowing the user to accept a terms of service, or otherwise satisfy the Captive Portal or Paywall terms. This behavior allows an adversary a small window of opportunity to launch an attack, which can manifest as an ARP Poisoning Attack, DNS Poisoning Attack, or a Man-in-the-Middle Attack redirecting the requesting iOS device to a malicious location. We have confirmed this vulnerability continues to exist in both iOS 4 and iOS 5. Further, we have compared both native as well as jailbroken devices, and successfully launched a BeEF hook to both with equal results. The danger of this vulnerability lies in the fact that no user intervention is required for exploitation beyond initially joining the network, which is a common and generally accepted user activity.
  • A scalable search index for binary files

    Publication Year: 2012 , Page(s): 94 - 103

    The ability to locate specific byte-sequences in large collections of binary files is important in many applications, especially malware analysis. However, it can be a time consuming process. Researchers and analysts, such as those at CERT, often have to search terabytes of data for characteristic patterns and signatures, which can take upwards of days to complete. Although many search systems, designed specifically to expedite text and metadata queries, exist, these tools are unsuitable for searching files containing arbitrary bytes. By using probabilistic techniques to pre-filter likely search candidates, we present a scalable architecture for searching and indexing terabyte-size collections of binary files. Our implementation performs searches in minutes that would require days to complete using iterative techniques. It also reduces storage costs by balancing the amount of data indexed with the total time required to conduct and verify a query.
  • BinGraph: Discovering mutant malware using hierarchical semantic signatures

    Publication Year: 2012 , Page(s): 104 - 111
    Cited by:  Papers (1)

    The malware landscape has been dramatically elevated over the last decade. The main reason for the increase is that new malware variants can be produced easily using simple code obfuscation techniques. Once the obfuscation is applied, the malware can change its syntax while preserving semantics, and bypass anti-virus (AV) scanners. Malware authors, thus, commonly use code obfuscation techniques to generate metamorphic malware. Nevertheless, signature-based AV techniques are limited in detecting metamorphic malware since they are commonly based on syntactic signature matching. In this paper, we propose BinGraph, a new mechanism that accurately discovers metamorphic malware. BinGraph leverages the semantics of malware, since the mutant malware is able to manipulate its syntax only. To this end, we first extract API calls from malware and convert them to a hierarchical behavior graph that is represented with 128 identical nodes based on the semantics. Later, we extract unique subgraphs from the hierarchical behavior graphs as semantic signatures representing common behaviors of a specific malware family. To evaluate BinGraph, we analyzed a total of 827 malware samples that consist of 10 malware families, with 1,202 benign binaries. Among the malware, 20% of samples randomly chosen from each malware family were used for extracting semantic signatures, and the rest of them were used for assessing detection accuracy. Finally, only 32 subgraphs were selected as the semantic signatures. BinGraph discovered malware variants with 98% detection accuracy.
  • Code synchronization by morphological analysis

    Publication Year: 2012 , Page(s): 112 - 119

    Reverse-engineering malware code is a difficult task, usually full of the traps set by the malware writers. Since the quality of defense software depends largely on the analysis of the malware, it becomes crucial to help the software investigators with automatic tools. We describe and present a tool which synchronizes two related binary programs. Our tool finds some common machine instructions between two programs and may display the correspondence instruction by instruction in IDA. Experiments were performed on many malware samples such as Stuxnet, Duqu, Sality or Waledac. We have rediscovered some of the links between Duqu and Stuxnet, and we point out OpenSSL's use within Waledac.
  • “TrustDroid™”: Preventing the use of SmartPhones for information leaking in corporate networks through the use of static analysis taint tracking

    Publication Year: 2012 , Page(s): 135 - 143
    Cited by:  Papers (1)

    Over the last 12 years three important dates have marked the beginning of a major paradigm shift in computing and the security models applied to protect an emerging computing environment: March 1999, January 9th, 2007, and July 2007. These dates roughly correspond to the birth of SalesForce.com, the most successful Software as a Service (SaaS) provider to date, Steve Jobs' introduction of the iPhone, and the discovery of the Zeus Botnet. These innovations have been instrumental in enabling a paradigm shift in computing, away from a corporate network centric model with Windows end-point devices to what we call in this manuscript the Circa 2020 Computing Model. In the Circa 2020 Computing Model, applications and data reside in the Cloud, the concept of an extended Trust Domain (network) disappears (there is no corporate network), and finally the end-point device is a SmartPhone owned and operated by employees: Bring Your Own Device (BYOD). In such an environment, the end-point device is not “Trusted”, and there is a high likelihood that the BYOD can be used as a channel to leak sensitive data. In this manuscript, we present a new mechanism to prevent such a situation. We call this mechanism “TrustDroid™”. TrustDroid™ is a static analyzer based on taint tracking that can be used to prevent leakage of sensitive information by an un-trusted Android SmartPhone.