DOCSLIB.ORG

Android Malware Detection Using Data Mining Techniques on Process Control Block Information

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Android Malware Detection Using Data Mining Techniques on Process Control Block Information Android Malware Detection Using Data Mining Techniques on Process Control Block Information by Heba Ziad Alawneh A dissertation submitted to the Graduate Faculty of Auburn University in partial fulfillment of the requirements for the Degree of Doctor of Philosophy Auburn, Alabama August 8, 2020 Keywords: Dynamic Malware Detection, Android smartphones, Recurrent Neural Networks, Convolutional Neural Networks, Long short-term memory, Deep Learning Copyright 2020 by Heba Ziad Alawneh Committee Members David Umphress, Chair, Professor of Computer Science and Software Engineering Anh Nguyen, Assistant Professor of Computer Science and Software Engineering Daniel Tauritz, Associate Professor of Computer Science and Software Engineering Anthony Skjellum, Professor of Computer Science and Engineering, University of Tennessee at Chattanooga Abstract Because smartphones are increasingly becoming the mobile computing device of choice, we are experiencing an increase in the number and sophistication of mobile-computing-based malware attacks. A lot of these attacks target users’ sensitive information, such as banking usernames, and passwords. A widespread type of malicious app encrypts user data locking their devices with passwords and asking money to decrypt it. Moreover, they can illegitimately collect browsing-related information or install other apps. Available malware detection techniques can be categorized as dynamic or static based on the type of features used in the analysis. Using process behavior (as in dynamic analysis) to detect malware is generally more reliable than examining application files only (as in static analysis). Nonetheless, dynamic analysis is more time and computationally intensive. Hence, real-time malware detection is considered a challenging task. The limitations of mobile devices, such as storage, computing capacity, and battery life, make the task even more challenging. In this research, we propose a dynamic malware detection approach that identifies mali- cious behavior using deep learning techniques on Process Control Block (PCB) information mined over the process execution time. Our mining approach is performed at the kernel level and synchronized with the process CPU utilization. It precisely tracks changes in PCB parame- ters over the execution time. It does not only represent the process behavior efficiently but also all threads created by that process. We then use the PCB sequence information to train a deep learning model to identify ma- licious behavior. We validated our approach using 2600 benign and 2500 malware-infested recent Android applications. Our mining approach successfully captured more than 99% of context switches for the vast majority of tested applications. Furthermore, our detection model was able to identify malicious behavior at various points of the process execution time using 12 PCBs only with an F1-score of 95.8%. To the best of our knowledge, no available dynamic malware detection technique has achieved such minimal detection time. We also introduce a ii closed dynamic malware analysis framework for application testing running on multiple An- droid phones concurrently. iii Acknowledgments First and foremost, I would like to thank God Almighty for giving me the strength, ded- ication, and ability to finish this work. I am also deeply thankful for those who supported me professionally and personally throughout my journey here at Auburn University. I am grateful, especially to my mentor, and advisor, Dr. David Umphress. Thank you for your effort and support. Mostly, thank you for encouraging me to freely pursue my research interests while guiding me to stay on course. I wish to express my sincere thanks to my dissertation committee members. Dr. Anthony Skjellum, for his support to start my Ph.D. studies, Dr. Anh Nguyen, and Dr. Daniel Tauritz. Thank you all for your guidance and valuable input. Finally, I would like to thank my companion Hamza Alkofahi, for the endless support and always pushing me to achieve my best, my kids Qais and Omar for keeping me happy, my parents Helwa and Ziad Alawneh for believing in me, my brothers and sisters, and to all my friends and family. Thank you for your prayers, love, and support. Without you, my journey would not have been possible. iv Table of Contents Abstract . ii Acknowledgments . iv 1 Introduction . 1 2 Literature Review . 4 2.1 Malware Targeting Android Smartphones . 4 2.2 Malware Detection Techniques . 6 2.3 Android PCB Features . 9 3 Mining PCB information & Building the Application Dataset for Android Malware Detection . 12 3.1 Introduction . 12 3.2 Application Data Collection . 13 3.2.1 Benign Application Collection . 13 3.2.2 Malware-infested Application Collection . 13 3.2.3 The Android Application Dataset . 14 3.3 Data Collection Architecture . 16 3.3.1 Android Test Devices: Phone, Android, and Kernel Versions . 16 3.3.2 Automated Input Generation for Android Application Testing . 17 3.3.3 Network Configuration for Application Testing . 19 3.4 Mining PCB Information . 19 3.4.1 Tasks Management & Preparation . 20 v 3.4.2 Application Testing & PCB Data Collection . 21 3.4.3 Storing & Analyzing Results . 25 3.5 The PCB Dataset . 26 3.6 Discussion . 28 3.7 Conclusion . 31 4 Android Malware Detection using Deep Learning on PCB Information . 33 4.1 Introduction . 33 4.2 Using Deep Learning & PCB information to Identify Android Malware Attacks 34 4.2.1 Data Preprocessing . 34 4.2.2 Model Architecture . 34 4.3 Experiments & Results . 36 4.3.1 Dataset Design Impact on Classifier Performance . 36 4.3.2 Measuring Features Importance . 39 4.4 Conclusion . 43 5 Conclusion & Future Work . 45 5.1 Conclusion . 45 5.2 Future Work . 48 Appendices . 51 A The Kernel-Space System Components Pseudocode . 51 A.1 The Data Collector Pseudocode . 51 A.2 The modified CPU Scheduler Pseudocode . 54 B Struct task struct . 57 vi List of Figures 2.1 (a) Android Malware distribution in 2018 (b) Top 10 Android malware in 2018. 6 3.1 Summary statistics of the benign dataset: applications are distributed by (a) category, (b) application rating, and (c) minimum number of installs. 15 3.2 The distribution of the malware samples based on the year the malware sample was first seen . 16 3.3 Distribution of malware families within the malware dataset . 17 3.4 The network setup for malware dynamic analysis . 20 3.5 Main manager running tasks concurrently on all connected devices . 21 3.6 Sequence diagram of task management and preparation . 22 3.7 The sequence diagram of the application testing and PCB data collection work- flow ........................................ 24 3.8 Sequence diagram of post application testing and data collection process . 26 3.9 The distribution of app tests based on the number of threads running each app . 27 3.10 Distribution of app tests for malware-infested and benign based on (a) the PCB miss ratio for all threads during the application test (b) the PCB miss ratio of the main thread during the application test . 28 3.11 Distribution of app tests for malware-infested and benign based on (a) the num- ber of context switches for all threads combined (b) the number of context switches of the main thread that occurred during the application test . 29 4.1 The network architecture for detecting Android malware . 35 4.2 The F1-scores and their variations of the classifier models trained with the fol- lowing PCB sequence setting: zero or random starting point and a sequence size of n PCBs. 37 4.3 PCBs Features categories based on the Feature Importance Score (FI) . 40 4.4 Heatmap of malware and benign processes for the top 10% features ranked by FI score. 42 vii List of Tables 2.1 CPU scheduling sched info Features within task struct. 10 2.2 Memory management mm struct Features within task struct. 10 2.3 Signal information signal struct Features within task struct. 10 2.4 Process information within task struct. ..................... 11 3.1 Comparing statistics of our proposed approach with a previous method. 30 3.2 Comparing the proposed mining approach with the available methods [70, 88, 96] ........................................ 30 3.3 Comparing statistics of the datasets collected using our proposed mining ap- proach and another available method. 31 4.1 Evaluating the random models on the random-starting point versus on the ex- panded test set. 38 4.2 Evaluating the classifier models trained and tested using the expanded dataset. 39 viii Chapter 1 Introduction Today, smartphone users number more than 5.1 billion [28], with smartphone penetration rates increasing as well. Many smartphone users are unaware of the fact that most of the malicious smartphone software targets users’ private information without their permission. The majority of commercial anti-virus tools follow a signature-based malware detection approach (i.e., they look for specific fingerprints of already discovered malware), and are thus unable to detect new malware (also known as zero-day malware attacks)[104]. According to StatCounter [57], Android is the most popular operating system worldwide. It’s also the second most targeted platform after Microsoft Windows. However, only a few An- droid mobile devices provide effective virus protection, while the majority remaining are poorly protected. Moreover, the number and sophistication of new malware attacks grew significantly during the past two years [1], making it harder with time to detect such attacks. Over 90% of malware targeting Android platforms in 2018 were Trojan attacks [18]. A Trojan attack is a harmful app that appears as legitimate; however, it performs malicious ac- tivity unbeknownst to the user [43]. Trojans can be used for stealing confidential information, creating backdoors, and activating viruses or other malware. Banking and password Trojan attacks tripled within the first quarter of 2018 alone [18]. The latest state-of-the-art banking Trojan named Gustuff can steal the login information of over 100 banking apps and 30 cryp- tocurrency apps.
Load more

Recommended publications
  • AV-TEST Security Report for 2016/2017
    FACTS AND FIGURES SECURITY REPORT The AV-TEST Security Report 2 WINDOWS Security Status 5 macOS Security Status 10 ANDROID Security Status 13 INTERNET THREATS Security Status 16 IoT Security Status 19 2016/17 Test Statistics 22 FACTS AND FIGURES Declining malware statistics It remains positive to note that the declining malware trend in 2016 The AV-TEST provided some relief, at least quantitatively. Thus, compared to 2015, detection systems were required to seek out and defend against 14% fewer Security Report malware samples. In total, this amounted to precisely 11,725,292 fewer newly developed malware programs than in the previous year. It should not be The best news right off the bat: forgotten, however, that the volume of newly developed malware in 2016 still represented the second-highest since the beginning of measurements by Compared to the previous year, the AV-TEST systems. In addition, 2015 saw skyrocketing growth in malware the detection systems of AV-TEST showed programs and in comparison to 2014, practically a doubling of the sample statistics. The overall number of malware programs for all operating systems a slight decline in the development currently exceeds 640 million. of malware programs for the year 2016. Without wanting to belittle the positive trend for 2016, the fact remains that Overall, that is a pleasing trend, however there have been several short-term downward trends since the beginning of by no means any reason to celebrate, measurements in 1984, a total of six times, without seriously influencing the clear, long-term trend – towards more malware. Despite declining numbers, as evidenced by the AV-TEST Institute‘s in 2016, the AV-TEST analysis systems still recorded an average of 350,000 statistics of this year‘s Security Report.
    [Show full text]
  • Global 2000 Bank Secures 9,000 Android Smartphones to Fulfill Internal Compliance Requirements
    CASE STUDY Global 2000 bank secures 9,000 Android smartphones to fulfill internal compliance requirements Customer Profile This financial services firm is based in the middle east, has an international network of 1400 branches globally, and is a member of the Forbes Global 2000 list. Industry: Financial services Mobility Policy: COPE EMM Solution: VMware AirWatch The Solution The Challenge • Lookout Mobile Endpoint Security To enable their Corporate Owned, Personally Enabled (COPE) mobility policy, The Results this leading bank needed a mobile security solution that would comply with their • Achieved compliance with internal internal policy for data protection, integrate with VMware AirWatch, and provide policies for endpoint protection visibility into mobile threats encountered by their international workforce. • Gained visibility into high-risk The IT team decided to implement a COPE mobility policy in order to reduce threats support time by having a limited number of device models and Android versions • Improved employee productivity to maintain. In addition, the bank has developed their own enterprise application with no increase in support tickets that enables their employees to deliver banking services to customers via mobile devices. With no visibility into threats or data leakage on mobile devices, the IT mobility team knew that their unprotected mobile endpoints were an attack surface that presented a major security risk. 1 CASE STUDY The Results Lookout delivers a solution that collects The bank is very happy with how quickly they were able to “ deploy Lookout, including pushing the Lookout For Work app threat data from around the world, and out to 2,000 devices a day towards the end of the process.
    [Show full text]
  • VOL.80 August, 2016 ASEC REPORT VOL.80 August, 2016
    Security Trend ASEC REPORT VOL.80 August, 2016 ASEC REPORT VOL.80 August, 2016 ASEC (AhnLab Security Emergency Response Center) is a global security response group consisting of virus analysts and security experts. This monthly report is published by ASEC and focuses on the most significant security threats and latest security technologies to guard against such threats. For further details, please visit AhnLab, Inc.’s homepage (www. ahnlab.com). SECURITY TREND OF August 2016 Table of Contents 1 01 Malware Statistics 4 02 Web Security Statistics 6 SECURITY STATISTICS 03 Mobile Malware Statistics 7 Ransomware Disguised as PokemonGo to Catch 10 2 Users SECURITY ISSUE Locky Ransomware Disguised as .DLL File 13 3 Appears IN-DEPTH ANALYSIS ASEC REPORT 80 | Security Trend 2 1 SECURITY STATISTICS 01 Malware Statistics 02 Web Security Statistics 03 Mobile Malware Statistics ASEC REPORT 80 | Security Trend SECURITY STATISTICS 01 Malware Statistics According to the ASEC (AhnLab Security Emergency Response Center), 8,793,413 malware were detected in August 2016. The number of detected malware decreased by 955,541 from 9,748,954 detected in the previous month as shown in Figure 1-1. A total of 4,986,496 malware samples were collected in August. 11,000,000 10,000,000 10,467,643 9,748,954 9,000,000 8,793,413 8,000,000 7,000,000 6,000,000 5,000,000 4,000,000 3,000,000 2,000,000 1,000,000 Detected Samples 3,022,206 6,121,096 4,986,496 Collected Samples June July August [Figure 1-1] Malware Trend * “Detected Samples” refers to the number of malware detected by AhnLab products deployed by our customers.
    [Show full text]
  • Linux Kernel and Driver Development Training Slides
    Linux Kernel and Driver Development Training Linux Kernel and Driver Development Training © Copyright 2004-2021, Bootlin. Creative Commons BY-SA 3.0 license. Latest update: October 9, 2021. Document updates and sources: https://bootlin.com/doc/training/linux-kernel Corrections, suggestions, contributions and translations are welcome! embedded Linux and kernel engineering Send them to [email protected] - Kernel, drivers and embedded Linux - Development, consulting, training and support - https://bootlin.com 1/470 Rights to copy © Copyright 2004-2021, Bootlin License: Creative Commons Attribution - Share Alike 3.0 https://creativecommons.org/licenses/by-sa/3.0/legalcode You are free: I to copy, distribute, display, and perform the work I to make derivative works I to make commercial use of the work Under the following conditions: I Attribution. You must give the original author credit. I Share Alike. If you alter, transform, or build upon this work, you may distribute the resulting work only under a license identical to this one. I For any reuse or distribution, you must make clear to others the license terms of this work. I Any of these conditions can be waived if you get permission from the copyright holder. Your fair use and other rights are in no way affected by the above. Document sources: https://github.com/bootlin/training-materials/ - Kernel, drivers and embedded Linux - Development, consulting, training and support - https://bootlin.com 2/470 Hyperlinks in the document There are many hyperlinks in the document I Regular hyperlinks: https://kernel.org/ I Kernel documentation links: dev-tools/kasan I Links to kernel source files and directories: drivers/input/ include/linux/fb.h I Links to the declarations, definitions and instances of kernel symbols (functions, types, data, structures): platform_get_irq() GFP_KERNEL struct file_operations - Kernel, drivers and embedded Linux - Development, consulting, training and support - https://bootlin.com 3/470 Company at a glance I Engineering company created in 2004, named ”Free Electrons” until Feb.
    [Show full text]
  • Android Malware Category and Family Detection and Identification Using Machine Learning
    Android Malware Category and Family Detection and Identification using Machine Learning Ahmed Hashem El Fiky1*, Ayman El Shenawy1, 2, Mohamed Ashraf Madkour1 1 Systems and Computer Engineering Dept., Faculty of Engineering, Al-Azhar University, Cairo, Egypt. 1 Systems and Computer Engineering Dept., Faculty of Engineering, Al-Azhar University, Cairo, Egypt. 2 Software Engineering and Information Technology, Faculty of Engineering and Technology, Egyptian Chinese University, Cairo, Egypt. [email protected] [email protected] [email protected] Abstract: Android malware is one of the most dangerous threats on the internet, and it's been on the rise for several years. Despite significant efforts in detecting and classifying android malware from innocuous android applications, there is still a long way to go. As a result, there is a need to provide a basic understanding of the behavior displayed by the most common Android malware categories and families. Each Android malware family and category has a distinct objective. As a result, it has impacted every corporate area, including healthcare, banking, transportation, government, and e-commerce. In this paper, we presented two machine- learning approaches for Dynamic Analysis of Android Malware: one for detecting and identifying Android Malware Categories and the other for detecting and identifying Android Malware Families, which was accomplished by analyzing a massive malware dataset with 14 prominent malware categories and 180 prominent malware families of CCCS-CIC- AndMal2020 dataset on Dynamic Layers. Our approach achieves in Android Malware Category detection more than 96 % accurate and achieves in Android Malware Family detection more than 99% accurate. Our approach provides a method for high-accuracy Dynamic Analysis of Android Malware while also shortening the time required to analyze smartphone malware.
    [Show full text]
  • Mobile Threat
    Mobile threat February 2018 David Bird FBCS considers threats via mobile devices and explains why he thinks the future may not be so bright. The unprecedented WannaCry ransomware and subsequent Petya destruct-ware outbreaks have caused mayhem internationally. As a result of a remote execution vulnerability, malware has propagated laterally due to two basic root-causes: (a) out-dated operating systems (OS), and/or (b) in-effective patching regimes. Here we have a commonality with the mobile device domain. There are many older generation devices that have different legacy mobile OSes installed that are no longer supported or updated. Legacy connected Microsoft Pocket PC palmtops and Windows CE or Windows Mobile devices are examples of tech still being used by delivery firms and supermarkets; even though they have been end-of-extended support since 2008 and 2014 respectively. So, do we have a problem? With over two and a half billion smartphones globally in 2016, the market is anticipated to reach at least six billion by 2020 due to the convenience of mobile back-end-as-a-service. Apparently, one vulnerability is disclosed every day, in which 10 per cent of those are critical. This figure does not include the number of internet-enabled tablets that are in circulation; in 2015, there were one billion globally, and this is expected to rise to almost one and a half billion by 2018. Today both Android-centric manufacturers and Apple fight for dominance in the mobile device market - squeezing out Blackberry’s enterprise smartphone monopoly. This has resulted in unsupported Blackberry smart-devices persisting in circulation, closely followed by successive versions of Windows Phone OS - with only 10 left supported.
    [Show full text]
  • SUSE Linux Enterprise Server 11 SP4 System Analysis and Tuning Guide System Analysis and Tuning Guide SUSE Linux Enterprise Server 11 SP4
    SUSE Linux Enterprise Server 11 SP4 System Analysis and Tuning Guide System Analysis and Tuning Guide SUSE Linux Enterprise Server 11 SP4 Publication Date: September 24, 2021 SUSE LLC 1800 South Novell Place Provo, UT 84606 USA https://documentation.suse.com Copyright © 2006– 2021 SUSE LLC and contributors. All rights reserved. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or (at your option) version 1.3; with the Invariant Section being this copyright notice and license. A copy of the license version 1.2 is included in the section entitled “GNU Free Documentation License”. For SUSE trademarks, see http://www.suse.com/company/legal/ . All other third party trademarks are the property of their respective owners. A trademark symbol (®, ™ etc.) denotes a SUSE or Novell trademark; an asterisk (*) denotes a third party trademark. All information found in this book has been compiled with utmost attention to detail. However, this does not guarantee complete accuracy. Neither SUSE LLC, its aliates, the authors nor the translators shall be held liable for possible errors or the consequences thereof. Contents About This Guide xi 1 Available Documentation xii 2 Feedback xiv 3 Documentation Conventions xv I BASICS 1 1 General Notes on System Tuning 2 1.1 Be Sure What Problem to Solve 2 1.2 Rule Out Common Problems 3 1.3 Finding the Bottleneck 3 1.4 Step-by-step Tuning 4 II SYSTEM MONITORING 5 2 System Monitoring Utilities 6 2.1 Multi-Purpose Tools 6 vmstat 7
    [Show full text]
  • Red Hat Enterprise Linux for Real Time 7 Tuning Guide
    Red Hat Enterprise Linux for Real Time 7 Tuning Guide Advanced tuning procedures for Red Hat Enterprise Linux for Real Time Radek Bíba David Ryan Cheryn Tan Lana Brindley Alison Young Red Hat Enterprise Linux for Real Time 7 Tuning Guide Advanced tuning procedures for Red Hat Enterprise Linux for Real Time Radek Bíba Red Hat Customer Content Services [email protected] David Ryan Red Hat Customer Content Services [email protected] Cheryn Tan Red Hat Customer Content Services Lana Brindley Red Hat Customer Content Services Alison Young Red Hat Customer Content Services Legal Notice Copyright © 2015 Red Hat, Inc. This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed. Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law. Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, MetaMatrix, Fedora, the Infinity Logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries. Linux ® is the registered trademark of Linus Torvalds in the United States and other countries. Java ® is a registered trademark of Oracle and/or its affiliates. XFS ® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
    [Show full text]
  • Linux Kernel Development
    Linux Kernel Development Third Edition Developer’s Library ESSENTIAL REFERENCES FOR PROGRAMMING PROFESSIONALS Developer’s Library books are designed to provide practicing programmers with unique, high-quality references and tutorials on the programming languages and technologies they use in their daily work. All books in the Developer’s Library are written by expert technology practitioners who are especially skilled at organizing and presenting information in a way that’s useful for other programmers. Key titles include some of the best, most widely acclaimed books within their topic areas: PHP & MySQL Web Development Python Essential Reference Luke Welling & Laura Thomson David Beazley ISBN 978-0-672-32916-6 ISBN-13: 978-0-672-32978-6 MySQL Programming in Objective-C 2.0 Paul DuBois Stephen G. Kochan ISBN-13: 978-0-672-32938-8 ISBN-13: 978-0-321-56615-7 Linux Kernel Development PostgreSQL Robert Love Korry Douglas ISBN-13: 978-0-672-32946-3 ISBN-13: 978-0-672-33015-5 Developer’s Library books are available at most retail and online bookstores, as well as by subscription from Safari Books Online at safari.informit.com Developer’s Library informit.com/devlibrary Linux Kernel Development Third Edition Robert Love Upper Saddle River, NJ • Boston • Indianapolis • San Francisco New York • Toronto • Montreal • London • Munich • Paris • Madrid Cape Town • Sydney • Tokyo • Singapore • Mexico City Linux Kernel Development Acquisitions Editor Third Edition Mark Taber Development Copyright © 2010 Pearson Education, Inc. Editor All rights reserved. Printed in the United States of America. This publication is protected by Michael Thurston copyright, and permission must be obtained from the publisher prior to any prohibited repro- Technical Editor duction, storage in a retrieval system, or transmission in any form or by any means, elec- Robert P.
    [Show full text]
  • The GNU General Public License (GPL) Does Govern All Other Use of the Material That Constitutes the Autoconf Macro
    Notice About this document The following copyright statements and licenses apply to software components that are distributed with various versions of the StorageGRID PreGRID Environment products. Your product does not necessarily use all the software components referred to below. Where required, source code is published at the following location: ftp://ftp.netapp.com/frm-ntap/opensource/ 215-10078_A0_ur001-Copyright 2015 NetApp, Inc. All rights reserved. 1 Notice Copyrights and licenses The following component is subject to the BSD 1.0 • Free BSD - 44_lite BSD 1.0 Copyright (c) 1982, 1986, 1990, 1991, 1993 The Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. • All advertising materials mentioning features or use of this software must display the following acknowledgement: This product includes software developed by the University of California, Berkeley and its contributors. • Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
    [Show full text]
  • New Developments in Trojan Virus Engineering Author: Mengze Li ▪ Advisor: Sonja Streuber
    The Wars in Your Machine: New Developments in Trojan Virus Engineering Author: Mengze Li ▪ Advisor: Sonja StreuBer INTRODUCTION THREE NEW TROJANS Definition: Shedun: Android Trojan Cockroach Trojan Polymorphic JavaScript Trojan The Trojan Virus is a malicious computer program that is used to • Runs on Android mobile devices; has been seen pre- • Steals the sensitive data, such as user name, • Spread as email attachments compromise a computer by fooling users about its real intent. installed on cellphones and tablets from China. password, time, date, email, and every key stroke • In different emails, the cipher, string literals • Downloads and installs adware; launches popup and emails the data back to the host. and variable names are different which • Unlike computer viruses, or worms, the Trojan does not directly advertisements • Spread among Windows PCs through USB drives. makes itself less detectable. attack operating systems • Roughly 20,000 popular Android applications • Very hard to detect with anti-virus software. • Meant to be run from disk, which gives it • Modern forms act as a backdoor to grant access without infected (Twitter, Facebook, Snapchat, etc.) permissions to attack system globally. authorization. Analysis • Help attackers to break the confidentiality, integrity and Analysis Analysis availability of data • Can cause a huge impact to both, private users and public organizations, such as exposing the user’s credit card information, or other personal identity information (PII). Method: • Variable names and string literals encoded. • In this study, we are reviewing and analyzing the actual code of three famous modern Trojans in order to learn their most • Transmit target email with Transmit.exe file.
    [Show full text]
  • Interaction Between the User and Kernel Space in Linux
    1 Interaction Between the User and Kernel Space in Linux Kai Lüke, Technische Universität Berlin F Abstract—System calls based on context switches from user to kernel supported in POSIX as well as System V style. A very space are the established concept for interaction in operating systems. common principle for IPC are sockets, and pipes can be seen On top of them the Linux kernel offers various paradigms for commu- as their most simple case. Besides the popular IP family with nication and management of resources and tasks. The principles and TCP/UDP, the local Unix domain sockets play a big role basic workings of system calls, interrupts, virtual system calls, special for many applications, while Netlink sockets are specific purpose virtual filesystems, process signals, shared memory, pipes, Unix or IP sockets and other IPC methods like the POSIX or System V to the Linux kernel and are not often found in user space message queue and Netlink are are explained and related to each other applications due to portability to other operating systems. in their differences. Because Linux is not a puristic project but home for There have been attempts to bring the D-BUS IPC into many different concepts, only a mere overview is presented here with the kernel with a Netlink implementation, kdbus and then focus on system calls. Bus1, but this will not be covered here. Also comparative studies with other operating systems are out of scope. 1 INTRODUCTION 2 KERNEL AND USER SPACE ERNELS in the Unix family are normally not initiating K any actions with outside effects, but rely on requests The processes have virtualized access to the memory as well from user space to perform these actions.
    [Show full text]