
2013 8th International Conference on Malicious and Unwanted Software: "The Americas" (MALWARE)

Date: 22-24 Oct. 2013


Displaying Results 1 - 18 of 18
  • [Front matter]

    Publication Year: 2013 , Page(s): i - ix
    Freely Available from IEEE
  • Noninvasive detection of anti-forensic malware

    Publication Year: 2013 , Page(s): 1 - 10
    Cited by:  Papers (1)

    Modern malicious programs often escape dynamic analysis by detecting forensic instrumentation within their own runtime environment. This has become a major challenge for malware researchers and analysts. Current defensive analysis of anti-forensic malware often requires painstaking step-by-step manual inspection. Code obfuscation may further complicate proper analysis. Furthermore, current defensive countermeasures are usually effective only against anti-forensic techniques which have already been identified. In this paper we propose a new method to detect and classify anti-forensic behavior, by comparing the trace-logs of the suspect program between different environments. Unlike previous works, the presented method is essentially noninvasive (does not interfere with original program flow). We separately trace the flow of instructions (Opcode) and the flow of Input-Output operations (IO). The two dimensions (Opcode and IO) complement each other to provide reliable classification. Our method can identify split behavior of suspected programs without prior knowledge of any specific anti-forensic technique; furthermore, it relieves the malware analyst from tedious step-by-step inspection. Those features are critical in the modern Cyber arena, where rootkits and Advanced Persistent Threats (APTs) are constantly adopting new sophisticated anti-forensic techniques to deceive analysis.

  • Heuristic malware detection via basic block comparison

    Publication Year: 2013 , Page(s): 11 - 18

    Each day, malware analysts are tasked with more samples than they have the ability to analyze by hand. To produce this trend, malware authors often reuse a significant portion of their code. In this paper, we introduce a technique to statically decompose malicious software to identify shared code. This technique variably applies a sliding-window methodology to either full files or individual basic blocks to produce representative similarity ratios either between two binaries or between two functionalities within binaries, respectively. This grants the ability to apply heuristic detection via threshold similarity matching as well as full-inclusivity matching for malicious functionality. Additionally, we apply generalization techniques to minimize local assembly variants while still maintaining consistent structural matching. We also identify improvements that this technique provides over previous technologies and demonstrate its success in practical sample detection. Finally, we suggest further applications of this technique and highlight possible contributions to modern malware detection.

  • Dynamic classification of packing algorithms for inspecting executables using entropy analysis

    Publication Year: 2013 , Page(s): 19 - 26
    Cited by:  Papers (1)

    Packing is widely used for bypassing anti-malware systems, and the proportion of packed malware has been growing rapidly, making up over 80% of malware. Few studies on detecting packing algorithms have been conducted during the last two decades. In this paper, we propose a method to classify packing algorithms of given packed executables. First, we convert entropy values of the packed executables loaded in memory into symbolic representations. Our proposed method uses SAX (Symbolic Aggregate Approximation) which is known to be good at large data conversion. Due to its advantage of simplifying complicated patterns, symbolic representation is commonly used in bio-informatics and data mining fields. Second, we classify the distribution of symbols using supervised learning classifications, i.e., Naive Bayes and Support Vector Machines. Results of our experiments with a collection of 466 programs and 15 packing algorithms demonstrated that our method can identify packing algorithms of given executables with a high accuracy of 94.2%, recall of 94.7% and precision of 92.7%. It has been confirmed that packing algorithms can be identified using entropy analysis, which is a measure of uncertainty of running executables, without prior knowledge of the executable.

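The entropy-to-SAX pipeline the abstract above describes, as an added example (not the paper's code). It computes a windowed byte-entropy profile of an image, z-normalises it, reduces it with PAA and maps each segment to a SAX letter. Assumptions not taken from the paper: 1 KiB windows, a four-letter alphabet with the standard Gaussian breakpoints, a Hamming-distance nearest neighbour standing in for Naive Bayes / SVM, and constructed byte images (with made-up packer names) in place of real memory dumps.

```python
"""Entropy profile of an in-memory image, symbolised with SAX (added example).

Assumed: 1 KiB windows, four-letter SAX alphabet, Hamming-distance nearest
neighbour in place of the paper's classifiers, constructed images.
"""
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant run, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def entropy_profile(image: bytes, window: int = 1024) -> list[float]:
    """Entropy of each consecutive, non-overlapping window of the image."""
    return [shannon_entropy(image[i:i + window]) for i in range(0, len(image), window)]


# Breakpoints dividing a standard normal into four equiprobable bins (SAX, alphabet size 4).
SAX_BREAKPOINTS = (-0.67, 0.0, 0.67)
SAX_ALPHABET = "abcd"


def sax(series: list[float], word_len: int) -> str:
    """z-normalise, reduce to word_len segment means (PAA), map each mean to a letter."""
    n = len(series)
    mean = sum(series) / n
    std = math.sqrt(sum((x - mean) ** 2 for x in series) / n) or 1.0  # constant series -> all 'b'
    z = [(x - mean) / std for x in series]
    word = []
    for k in range(word_len):
        seg = z[k * n // word_len:(k + 1) * n // word_len] or [z[-1]]
        paa = sum(seg) / len(seg)
        word.append(SAX_ALPHABET[sum(paa > bp for bp in SAX_BREAKPOINTS)])
    return "".join(word)


def constructed_image(layout: str, seed: int) -> bytes:
    """Constructed stand-in for a dumped image: 'Z' zero-filled, 'C' code-like
    (a handful of common x86 opcode bytes), 'H' compressed/encrypted-looking bytes."""
    rng = random.Random(seed)
    out = bytearray()
    for region in layout:
        if region == "Z":
            out += bytes(1024)
        elif region == "C":
            out += bytes(rng.choice(b"\x55\x89\x8b\x83\xe8\xc3\x48\x00\x01\xff") for _ in range(1024))
        else:
            out += bytes(rng.randrange(256) for _ in range(1024))
    return bytes(out)


def sax_word(image: bytes, word_len: int = 8) -> str:
    return sax(entropy_profile(image), word_len)


def nearest_packer(word: str, known: dict[str, str]) -> str:
    """Label of the training word with the smallest Hamming distance to `word`."""
    return min(known, key=lambda name: sum(a != b for a, b in zip(word, known[name])))


# Constructed "training set": two hypothetical packers with distinct in-memory layouts.
LAYOUTS = {"packer_A": "HHHHCCZZ", "packer_B": "CCHHHHZZ"}
TRAINING = {name: sax_word(constructed_image(layout, seed=1)) for name, layout in LAYOUTS.items()}

if __name__ == "__main__":
    for name, layout in LAYOUTS.items():
        query = constructed_image(layout, seed=2)  # a fresh sample with the same layout
        print(name, sax_word(query), "->", nearest_packer(sax_word(query), TRAINING))
```

The symbol word is what a real classifier would consume as features; with only two constructed layouts a nearest neighbour is enough to show that the SAX word, not the raw entropy values, carries the layout signature.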
  • Measuring the effectiveness of modern security products to detect and contain emerging threats — A consensus-based approach

    Publication Year: 2013 , Page(s): 27 - 34
    Cited by:  Papers (1)

    Increasingly the idea that cyber-attacks can be stopped at the periphery of the network has become a fool's errand. In today's computing environment and cyber-threat landscape, individuals as well as corporations have recognized the fact that (i) with the emergence of cloud based computing there are no longer network boundaries under your control that can be protected, (ii) threats are often distributed in nature both in time and space - making detection extremely difficult, and (iii) the working assumption is not that you can prevent infections (the goal of 100% prevention is no longer practical) but rather, given that your "system" will be compromised, how quickly can you detect the breach and how do you minimize the impact of such an event. In this new environment, the idea that measuring the number of infected files detected within end-point devices is a good measure of the effectiveness of Anti-Malware and Security related products seems foolish. Instead, the industry has recognized that time to detect, time to countermeasure issuance, and ability to identify short-lived C&C sites are more relevant to determining the "goodness" of security products. Within this context, the authors have undertaken to develop benchmark metrics to test the ability of commercial automated gateway and endpoint security services to classify and categorize different types of web traffic (malicious content, malicious activity, non-malicious category). A test methodology has been developed for this purpose, based on the Wireless Systems Security Research Laboratory (WSSRL) test methodology, and extensions to CheckVir Battery Test. Using this methodology, eight gateway protection services were tested and classified for their ability to identify the incoming traffic as malicious, C&C communications, and non-malicious content. A key component of the methodology is the concept of eventual consensus, a methodology whereby new threats are classified as malicious or not when (n/2 - 1) security products agree on the nature of the threat over time. The methodology was developed as a simplified extension of the well-known Byzantine Agreement protocol first discussed by Leslie Lamport.

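An added example of the eventual-consensus bookkeeping and the time-to-detect metric the abstract above argues for (not the authors' test harness). Verdicts from several products are replayed in time order; a URL is settled once (n/2 - 1) products agree on a label, and each product is then scored by how far ahead of or behind that consensus its own verdict came. Assumptions: the threshold is taken literally with a floor of 1, the eight gateway names gw1..gw8 are placeholders, and the verdict log is constructed.

```python
"""Eventual consensus over gateway verdicts and per-product time-to-detect (added example).

Assumed: (n/2 - 1) agreement rule floored at 1, hypothetical products gw1..gw8,
constructed verdict log; timestamps are hours since the URL was first submitted.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Verdict:
    t_hours: float
    product: str
    url: str
    label: str  # "malicious", "cnc" (C&C traffic) or "benign"


PRODUCTS = [f"gw{i}" for i in range(1, 9)]


def consensus_threshold(n_products: int) -> int:
    """Agreeing products needed to settle a URL's class: (n/2 - 1), floored at 1."""
    return max(1, n_products // 2 - 1)


def eventual_consensus(log: list[Verdict], products: list[str]) -> dict[str, tuple[str, float]]:
    """Replay verdicts in time order; a URL is settled by the first label k products agree on."""
    k = consensus_threshold(len(products))
    settled: dict[str, tuple[str, float]] = {}
    agreeing: dict[tuple[str, str], set[str]] = {}
    for v in sorted(log, key=lambda v: v.t_hours):
        if v.url in settled or v.product not in products:
            continue
        voters = agreeing.setdefault((v.url, v.label), set())
        voters.add(v.product)
        if len(voters) >= k:
            settled[v.url] = (v.label, v.t_hours)
    return settled


def time_to_detect(log: list[Verdict], products: list[str],
                   settled: dict[str, tuple[str, float]]) -> dict[str, dict[str, Optional[float]]]:
    """Hours from consensus to each product's first verdict matching the consensus label
    (negative = ahead of consensus; None = the product never agreed)."""
    out: dict[str, dict[str, Optional[float]]] = {p: {} for p in products}
    for url, (label, t_c) in settled.items():
        for p in products:
            hits = [v.t_hours for v in log if v.product == p and v.url == url and v.label == label]
            out[p][url] = min(hits) - t_c if hits else None
    return out


def detection_rate(ttd_for_product: dict[str, Optional[float]]) -> float:
    """Share of settled URLs on which the product eventually matched consensus."""
    return sum(t is not None for t in ttd_for_product.values()) / len(ttd_for_product)


# Constructed log: three URLs, eight products, verdicts arriving over time.
LOG = [
    Verdict(0.0, "gw1", "http://a.example/drop", "malicious"),
    Verdict(2.0, "gw2", "http://a.example/drop", "malicious"),
    Verdict(6.0, "gw3", "http://a.example/drop", "malicious"),  # third vote: consensus at 6 h
    Verdict(30.0, "gw4", "http://a.example/drop", "malicious"),  # a day late
    Verdict(0.0, "gw5", "http://b.example/cnc", "benign"),  # lone dissenter
    Verdict(1.0, "gw1", "http://b.example/cnc", "cnc"),
    Verdict(4.0, "gw6", "http://b.example/cnc", "cnc"),
    Verdict(5.0, "gw2", "http://b.example/cnc", "cnc"),  # consensus "cnc" at 5 h
    Verdict(0.5, "gw7", "http://c.example/news", "benign"),
    Verdict(0.5, "gw8", "http://c.example/news", "benign"),
    Verdict(1.5, "gw1", "http://c.example/news", "benign"),  # consensus "benign" at 1.5 h
]

if __name__ == "__main__":
    settled = eventual_consensus(LOG, PRODUCTS)
    ttd = time_to_detect(LOG, PRODUCTS, settled)
    for p in PRODUCTS:
        print(p, f"rate={detection_rate(ttd[p]):.2f}", ttd[p])
```

Note that consensus on "benign" is tracked the same way as on "malicious" or "cnc", so a product that calls a C&C URL benign is scored as a miss rather than ignored; that is what makes the non-malicious category part of the benchmark.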
  • Use-case-specific metrics for comparative testing of endpoint security products

    Publication Year: 2013 , Page(s): 35 - 40

    A battery of protection and resource performance tests were conducted using commercial internet security suites designed for general purpose usage with a Windows 8 personal computer (PC). Six classes of PC users were identified: Internet addict; network businessman; socializer; basic user; gamer; self-presenter; infrequent user. Recognizing that practical Internet security is different for each of these user groups, the importance of each component protection and resource performance test was assessed independently for each PC user group. By weighting component results to match relative importance for each user group, separate overall comparative assessments of the tested internet security suite products were obtained separately for each user group. From this, a more effective assessment of the value of commercial anti-malware protection is obtained specific to a customer's PC usage. When third party commercial anti-malware products were compared to the protection application provided by Microsoft, the average improvement ranged from 5% to 10% when measured separately for each PC user group.

  • Synthesizing near-optimal malware specifications from suspicious behaviors

    Publication Year: 2013 , Page(s): 41 - 50

    Behavior-based detection techniques are a promising solution to the problem of malware proliferation. However, they require precise specifications of malicious behavior that do not result in an excessive number of false alarms, while still remaining general enough to detect new variants before traditional signatures can be created and distributed. In this paper, we present an automatic technique for extracting optimally discriminative specifications, which uniquely identify a class of programs. Such a discriminative specification can be used by a behavior-based malware detector. Our technique, based on graph mining and stochastic optimization, scales to large classes of programs. When this work was originally published, the technique yielded favorable results on malware targeted towards workstations (~86% detection rates on new malware). We believe that it can be brought to bear on emerging malware-based threats for new platforms, and discuss several promising avenues for future work in this direction.

  • It's you on photo?: Automatic detection of Twitter accounts infected with the Blackhole Exploit Kit

    Publication Year: 2013 , Page(s): 51 - 58

    The Blackhole Exploit Kit (BEK) has been called the "Toyota Camry" of exploit kits - cheap, readily available and reliable. According to some estimates, it was used to enable the majority of malware infections in 2012. One major infection vector for BEK is through Twitter. In this paper, we analyze over two months of Twitter data from May through July of 2012 and identify user accounts affected by BEK. Based on reports that BEK-infected tweets containing the string "It's you on photo?" were being used to lure victims to BEK-infected sites, we identified matching messages and analyzed the associated accounts. We then identified a wider range of message types associated with BEK infection and developed an automated mechanism for identifying infectious accounts - both accounts that were created specifically for malware distribution and legitimate accounts that began distributing malware after the owner's system was infected. Specifically, we find that BEK infectious accounts are characterized by tweets with an entropy lower than 4.5, tweets that are sent using the Mobile Web API and tweets containing an embedded URL. We present an automated method for isolating the point at which an account becomes infectious based on changes in the entropy of tweets from the account.

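The three indicators from the abstract above (character entropy below 4.5 bits, the Mobile Web source, an embedded URL) and the entropy-based onset search, as an added example rather than the authors' code. Assumptions: all three indicators must hold for a tweet to be flagged, onset is the first run of three consecutive flagged tweets, and the change point is the split of the entropy series with the least within-segment squared error, accepted only when entropy drops. The account timeline is constructed and the t.co paths are made up.

```python
"""Flagging lure tweets and locating the onset of infection (added example).

Indicators are from the abstract; the all-three rule, the run-of-three onset
rule and the least-squares change point are assumptions. Timeline is constructed.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

ENTROPY_THRESHOLD = 4.5  # bits, from the paper
URL_RE = re.compile(r"https?://\S+")


@dataclass(frozen=True)
class Tweet:
    ts: int        # position in the account's timeline (constructed)
    text: str
    source: str    # Twitter's "source" field


def char_entropy(text: str) -> float:
    """Shannon entropy in bits over the characters of one tweet."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def looks_infectious(t: Tweet) -> bool:
    """Low-entropy text, sent via Mobile Web, carrying a URL (all three assumed required)."""
    return (char_entropy(t.text) < ENTROPY_THRESHOLD
            and t.source == "Mobile Web"
            and URL_RE.search(t.text) is not None)


def infection_onset(tweets: list[Tweet], window: int = 3) -> Optional[int]:
    """First index from which `window` consecutive tweets all look infectious."""
    flags = [looks_infectious(t) for t in sorted(tweets, key=lambda t: t.ts)]
    for i in range(len(flags) - window + 1):
        if all(flags[i:i + window]):
            return i
    return None


def best_split(series: list[float]) -> Optional[int]:
    """Split index minimising within-segment squared error, accepted only if the
    later segment's mean is lower (an entropy drop, not a rise)."""
    if len(series) < 2:
        return None

    def sse(xs: list[float]) -> float:
        m = sum(xs) / len(xs)
        return sum((x - m) ** 2 for x in xs)

    i = min(range(1, len(series)), key=lambda i: sse(series[:i]) + sse(series[i:]))
    before, after = series[:i], series[i:]
    return i if sum(after) / len(after) < sum(before) / len(before) else None


def entropy_change_point(tweets: list[Tweet]) -> Optional[int]:
    """Onset estimate from the entropy series alone, without the other two indicators."""
    return best_split([char_entropy(t.text) for t in sorted(tweets, key=lambda t: t.ts)])


# Constructed timeline: three ordinary tweets, then the lure repeated with varying short links.
ACCOUNT = [
    Tweet(0, "Finally shipped the v2.1 release notes; grabbing lunch w/ @dana & @kim #fridayfeeling",
          "Twitter for iPhone"),
    Tweet(1, "Anyone know a good bike shop near 5th & Main? Flat tyre, again :(", "web"),
    Tweet(2, "Loved last night's game, 3-2 in overtime! Wow, what a finish.", "Twitter for iPhone"),
    Tweet(3, "It's you on photo? http://t.co/aaaa", "Mobile Web"),
    Tweet(4, "It's you on photo? http://t.co/bbbb", "Mobile Web"),
    Tweet(5, "It's you on photo? http://t.co/cccc", "Mobile Web"),
]

if __name__ == "__main__":
    for t in ACCOUNT:
        print(t.ts, f"{char_entropy(t.text):.2f}", looks_infectious(t), t.text[:40])
    print("onset (indicators):", infection_onset(ACCOUNT))
    print("onset (entropy change):", entropy_change_point(ACCOUNT))
```

The lure string scores about 3.76 bits, comfortably under the 4.5 threshold; the repetitive template is what drives the entropy down, which is why the same statistic also works as a change-point signal over an account's history.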
  • PANDORA applies non-deterministic obfuscation randomly to Android

    Publication Year: 2013 , Page(s): 59 - 67
    Cited by:  Papers (1)

    Android, a Linux-based operating system, is currently the most popular platform for mobile devices like smart-phones and tablets. Recently, two closely related security threats have become a major concern of the research community: software piracy and malware. This paper studies the capabilities of code obfuscation for the purposes of plagiarized software and malware diversification. Within the scope of this work, the PANDORA (PANDORA Applies Non-Deterministic Obfuscation Randomly to Android) transformation system for Android bytecode was designed and implemented, combining techniques for data and object-oriented design obfuscation. Our evaluation results indicate deficiencies of the malware detection engines currently used in 46 popular antivirus products, which in most cases were not able to detect samples obfuscated with PANDORA. Furthermore, this paper reveals shortcomings of the Androsim tool and potentially other static software similarity algorithms, recently proposed to address the piracy problem in Android.

  • First byte: Force-based clustering of filtered block N-grams to detect code reuse in malicious software

    Publication Year: 2013 , Page(s): 68 - 76

    Detecting code reuse in malicious software is complicated by the lack of source code. The same circumstance that makes code reuse detection in malicious software desirable, that is, the limited availability of original source code, also contributes to the difficulty of detecting code reuse. In this paper, we propose a method for detecting code reuse in software, specifically malicious software, that moves beyond the limitations of targeting variant detection (categorization of families). This method expands n-gram analysis to target basic blocks extracted from compiled code vice entire text sections. It also targets individual relationships between basic blocks found in localized code reuse, while preserving the ability to detect variants and families of variants found with generalized code reuse. We demonstrate the limitations of similarity calculated without first disassembling the instructions and show that our First Byte normalization gives dramatic improvements in detection of code reuse. To visualize results, our method proposes force-based clustering as a solution to rapidly detect relationships between compiled binaries and detect relationships without complex analysis. Our methods retain the previously demonstrated ability of n-gram analysis to detect variants, while adding the ability to detect code reuse in non-variant malware. We show that our proposed filtering method reduces the number of similarity calculations and highlights only meaningful relationships in our malware set.

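An added example serving both the basic-block comparison paper earlier in this list ("Heuristic malware detection via basic block comparison") and the First Byte paper above; it is not the code of either. Two constructed x86 basic blocks that differ only in stack size, an immediate and a call target score low on raw-byte n-grams but identical once each instruction is reduced to its first byte, which is the effect the First Byte abstract reports. Assumptions: Jaccard over n-gram sets stands in for the papers' similarity ratio, instruction boundaries are given (a disassembler would supply them), and the blocks and threshold are constructed.

```python
"""Basic-block similarity from instruction n-grams, with First Byte normalisation (added example).

Blocks are constructed lists of x86 instruction encodings; Jaccard over n-gram sets
is assumed as the similarity ratio. Not the code of either paper.
"""

Block = list[bytes]  # one basic block: its instructions, each as raw bytes


def first_byte(block: Block) -> bytes:
    """Keep the first byte of every instruction. Opcodes survive; immediates,
    displacements and relative call targets, which change between builds, do not."""
    return bytes(ins[0] for ins in block)


def ngrams(seq: bytes, n: int) -> set[bytes]:
    return {seq[i:i + n] for i in range(len(seq) - n + 1)}


def similarity(a: bytes, b: bytes, n: int = 3) -> float:
    """Jaccard similarity of the two n-gram sets (1.0 when both are empty)."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    return 1.0 if not ga and not gb else len(ga & gb) / len(ga | gb)


def compare_blocks(x: Block, y: Block, n: int = 3) -> tuple[float, float]:
    """(raw-byte similarity, First-Byte-normalised similarity)."""
    return similarity(b"".join(x), b"".join(y), n), similarity(first_byte(x), first_byte(y), n)


def fully_included(known: Block, candidate: Block, n: int = 3) -> bool:
    """Full-inclusivity match: every normalised n-gram of the known block occurs in the candidate."""
    return ngrams(first_byte(known), n) <= ngrams(first_byte(candidate), n)


def threshold_matches(known: dict[str, Block], candidates: dict[str, Block],
                      threshold: float = 0.8, n: int = 3) -> list[tuple[str, str, float]]:
    """Heuristic detection: (known, candidate, score) for pairs at or above the threshold."""
    hits = []
    for kname, kblock in known.items():
        for cname, cblock in candidates.items():
            score = similarity(first_byte(kblock), first_byte(cblock), n)
            if score >= threshold:
                hits.append((kname, cname, score))
    return hits


# Constructed blocks: PROLOGUE_V1 and PROLOGUE_V2 are one function prologue rebuilt with a
# different stack size, constant and call target; SYSCALL is unrelated code.
PROLOGUE_V1: Block = [
    b"\x55",                   # push ebp
    b"\x89\xe5",               # mov ebp, esp
    b"\x83\xec\x10",           # sub esp, 0x10
    b"\xb8\x78\x56\x34\x12",   # mov eax, 0x12345678
    b"\xe8\x10\x00\x00\x00",   # call rel32
    b"\x8b\x45\xfc",           # mov eax, [ebp-4]
    b"\xc9",                   # leave
    b"\xc3",                   # ret
]
PROLOGUE_V2: Block = [
    b"\x55",
    b"\x89\xe5",
    b"\x83\xec\x20",           # sub esp, 0x20
    b"\xb8\xef\xbe\xad\xde",   # mov eax, 0xdeadbeef
    b"\xe8\x40\x01\x00\x00",   # different call target
    b"\x8b\x45\xf8",           # mov eax, [ebp-8]
    b"\xc9",
    b"\xc3",
]
SYSCALL: Block = [
    b"\x31\xc0",               # xor eax, eax
    b"\x40",                   # inc eax
    b"\xcd\x80",               # int 0x80
]

if __name__ == "__main__":
    print("v1 vs v2 (raw, first-byte):", compare_blocks(PROLOGUE_V1, PROLOGUE_V2))
    print("v1 vs syscall (raw, first-byte):", compare_blocks(PROLOGUE_V1, SYSCALL))
    print("threshold hits:", threshold_matches({"known": PROLOGUE_V1},
                                              {"v2": PROLOGUE_V2, "sys": SYSCALL}))
```

Without disassembly the raw 3-gram score between the two prologue variants is about 0.15, because every gram that straddles an immediate or displacement differs; with First Byte normalisation it is 1.0. Operand generalisation of the kind the basic-block paper describes would go in `first_byte`'s place, keeping the rest of the pipeline unchanged.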
  • An antivirus API for Android malware recognition

    Publication Year: 2013 , Page(s): 77 - 84
    Cited by:  Papers (1)

    On the Android platform, antivirus software suffers from significant deficiencies. Due to platform limitations, it cannot access or monitor an Android device's file system, or dynamic behavior of installed apps. This includes the downloading of malicious files after installation, and other file system alterations. That has grave consequences for device security, as any app - even without openly malicious code in its package file - can still download and execute malicious files without any danger of being detected by antivirus software. In this paper, we present a proposal for an antivirus interface to be added to the Android API. It allows for three primary operations: (1) on-demand file system scanning and traversal, (2) on-change file system monitoring, (3) a set of basic operations that allow for scanning of arbitrary file system objects without disclosing their contents. This interface can enable Android antivirus software to deploy techniques for malware recognition similar to those of desktop antivirus systems. The proposed measures comply with Android's security architecture and user data privacy is maintained. Through our approach, antivirus software on the Android platform would reach a level of effectiveness significantly higher than currently, and comparable to that of desktop antivirus software.

  • Countering malware evolution using cloud-based learning

    Publication Year: 2013 , Page(s): 85 - 94

    Recent years have seen an explosion in the number and sophistication of malware attacks. The sheer volume of novel malware has made purely manual signature development impractical and has led to research on applying machine learning and data mining to automatically infer malware signatures in the wild. Unfortunately, researchers have recently found ways to game the machine learning algorithms and learn to predict which samples the learning algorithms will classify as benign or malicious, thus opening the door for innovative deception on the part of malware developers. To counter this threat, we are developing our Semi-Supervised Algorithms against Malware Evolution (SESAME) program, which uses online learning to evolve as new malware is encountered, recognizing novel families and adapting its model of families as they themselves evolve. It uses semi-supervised learning to enable it to learn from both labeled and unlabeled malware. SESAME combines a rich feature set with deep learning algorithms to learn the essential characteristics of malware that enable us to relate novel malware to existing malware. SESAME is being designed to be an enterprise-based system with learning in the cloud and rapid endpoint classification.

  • REcompile: A decompilation framework for static analysis of binaries

    Publication Year: 2013 , Page(s): 95 - 102
    Cited by:  Papers (1)

    Reverse engineering of binary code is an essential step for malware analysis. However, it is a tedious and time-consuming task. Decompilation facilitates this process by transforming machine code into a high-level representation that is more concise and easier to understand. This paper describes REcompile, an efficient and extensible decompilation framework. REcompile uses the static single assignment form (SSA) as its intermediate representation and performs three main classes of analysis. Data flow analysis removes machine-specific details from code and transforms it into a concise high-level form. Type analysis finds variable types based on how those variables are used in code. Control flow analysis identifies high-level control structures such as conditionals, loops, and switch statements. These steps enable REcompile to produce well-readable decompiled code. The overall evaluation, using real programs and malware samples, shows that REcompile achieves a comparable and in many cases better performance than state-of-the-art decompilers.

  • Circumventing keyloggers and screendumps

    Publication Year: 2013 , Page(s): 103 - 108

    We consider keyloggers (hardware or software) and screendumps of virtual keyboards by the local machine. To counter these attacks, we use DirectX 9 libraries [3] on Windows or Linux [5] operating systems. Our approach uses a remote server that communicates securely with the local process. The DirectX mode that we use executes in the GPU while being directly displayed on the screen. There is no direct communication between the operating system and the GPU storage, which allows us to communicate with the user securely even if the local machine is compromised. We present a simple prototype application of this approach, which supports web browsing.

  • Analysis and diversion of Duqu's driver

    Publication Year: 2013 , Page(s): 109 - 115

    The propagation techniques and the payload of Duqu have been closely studied over the past year and it has been said that Duqu shared functionalities with Stuxnet. We focused on the driver used by Duqu during the infection; our contribution consists in reverse-engineering the driver: we rebuilt its source code and analyzed the mechanisms it uses to execute the payload while avoiding detection. Then we diverted the driver into a defensive version capable of detecting injections in Windows binaries, thus preventing further attacks. We specifically show how Duqu's modified driver would have detected Duqu.

  • Highly resilient peer-to-peer botnets are here: An analysis of Gameover Zeus

    Publication Year: 2013 , Page(s): 116 - 123
    Cited by:  Papers (2)

    Zeus is a family of credential-stealing trojans which originally appeared in 2007. The first two variants of Zeus are based on centralized command servers. These command servers are now routinely tracked and blocked by the security community. In an apparent effort to withstand these routine countermeasures, the second version of Zeus was forked into a peer-to-peer variant in September 2011. Compared to earlier versions of Zeus, this peer-to-peer variant is fundamentally more difficult to disable. Through a detailed analysis of this new Zeus variant, we demonstrate the high resilience of state of the art peer-to-peer botnets in general, and of peer-to-peer Zeus in particular.

  • A simple client-side defense against environment-dependent web-based malware

    Publication Year: 2013 , Page(s): 124 - 131

    Web-based malware tends to be environment-dependent, which poses a significant challenge to defending against web-based attacks, because the malicious code - which may be exposed and activated only under specific environmental conditions such as the version of the browser - may not be triggered during analysis. This paper proposes a simple approach for defending against environment-dependent malware. Instead of increasing analysis coverage in the detector, the goal of this technique is to ensure that the client will take the same execution path as the one examined by the detector. This technique is designed to work alongside a detector; it can handle cases that existing multi-path exploration techniques are incapable of, and provides an efficient way to identify discrepancies in a JavaScript program's execution behavior in a user's environment compared to its behavior in a sandboxed detector, thereby detecting false negatives that may have been caused by environment dependencies. Experiments show that this technique can effectively detect environment-dependent behavior discrepancies of various forms, including those seen in real malware.

  • Static malware detection with Segmented Sandboxing

    Publication Year: 2013 , Page(s): 132 - 141
    Cited by:  Papers (1)

    Traditionally, dynamic detection approaches to malware identification are commended for their simplicity and small-sized signature database. In practice they suffer from two major defects. First, malware might need to be emulated for a long time before traces of harmful behavior are first exhibited. Second, a few anti-VM techniques are widely known and can be easily employed by any program to thwart the attempt of having it executed in a sandbox and observing its original behavior, rendering the approach less than effective. On the other hand, static detection approaches have their own limitations, ranging from parsing obfuscated executables to scalability issues due to the ever-increasing size of the signature database. Fundamentally, in the last 10-15 years polymorphic and metamorphic obfuscation techniques have become prevalent, making static approaches less than effective due to the sheer magnitude of the sample set. While the benefits of either dynamic or static approaches look quite tempting from each of their counterparts' perspectives, their weaknesses are daunting in their own sight as well. In this manuscript we attempted to combine the best part of both worlds, without bringing in the disadvantages of either of them. We call this mixed approach "Segmented Sandboxing".
