Digital Forensic Techniques for Static Analysis of NTFS File System Images
Total Page:16
File Type:pdf, Size:1020Kb
Forensic Identification and Detection of Hidden and Obfuscated Malware Mamoun Atef Alazab Bachelor degree of Computer Science Higher Diploma degree of Computer Science Master degree of Information Technology This thesis is submitted in total fulfilment of the requirements for the degree of Doctor of Philosophy School of Science, Information Technology and Engineering University of Ballarat PO Box 663 University Drive, Mount Helen Ballarat, Victoria 3353 Australia January 2012 Principal Supervisor: Dr Sitalakshmi Venkatraman Associate Supervisor: Associate Professor Paul Watters ii Statement of Authorship Except where explicit reference is made in the text of the thesis, this thesis contains no material published elsewhere or extracted in whole or in part from a thesis by which I have qualified for or been awarded another degree or diploma. No other person‘s work has been relied upon or used without due acknowledgement in the main text and bibliography of the thesis. Signed: Name: Dated: iii Forensic Identification and Detection of Hidden and Obfuscated Malware Mamoun Alazab January 2012 iv Dedication To my parents, who gave me what I need to get here. Your love and support have given me the biggest strength. v Acknowledgements During the duration of my PhD study I was blessed with a combination of excellent supervision, institutional assistance, inspirational colleagues, industry encouragement and a supportive family. I have been fortunate to have enjoyed this level of support throughout this endeavour. It is not possible to acknowledge everyone who has made a contribution to this study, but special thanks go to those who have given me generous support and encouragement during my time as a PhD student and during the process of writing this dissertation, who have supported me greatly during my PhD. It has been a difficult time and without them I could not have done it. First, special thanks to my wonderful parents: my dad and my mum who have provided much support and encouragements over the years. Very special recognition is due to my principal supervisor, Dr Sitalakshmi Venkatraman. Without her encouragement, mentorship and her continuous support, I doubt I would find myself here. I am indebted to Dr Venkatraman for her feedback, enthusiasm, editing skills, wisdom, insight and expertise in the field of computer security, without which this dissertation would undoubtedly be a lesser contribution to knowledge. I also thank her for her tireless support, motivation and encouragement throughout my studies, for the many hours she devoted in supervising my work, and for setting an exceptional role model in research excellence. I also would like to thank her for her 5 P‘s (Plan, Prepare, Passion, Persistence and Patience) and for reminding me when they were needed. vi My biggest thanks must be given to my Associate Professor Paul Watters for his unconditional support, respect and belief in me. I appreciate his vast profound knowledge and skills in many areas. I am greatly indebted for his valuable instructions and suggestions in my research work. I have learnt from him a lot not only about academic studies, but also the professional ethics. This research has been supported by IBM, Westpac, the Victorian Government and the Australian Federal Police, the shared communications between these sectors has been invaluable and has offered insight where blindness would have ensued. The team at Westpac in particular have been invaluable with their knowledge, insight and feedback, and have provided me with lots of opportunities to improve as a researcher and as a professional. I would like to express my heartfelt gratitude to Simon Brown of Westpac for his valuable ideas, suggestions, constant encouragement and guidance during my research work. Without such inputs, this thesis would not have reached the required practical applicability that has been achieved, which is an important aspect in cybercrime research. I would also like to thank numerous colleagues, who offered advice and constant encouragement, I would like to acknowledge the helpful support in particular: Kylie Turville, Rosemary Torney, Oarabile Maruatona, and Mofakharul Islam, for their patience, support, guidance and being a great friend throughout the last 3 years of my study and I hope to have the opportunity to continue to interact with all of them in the future. Special thanks to my colleague Robert Layton, who gave me support and assist at important times as research assistance during data collection and data analysis. vii I would like to thank my two brothers Ammar Alazab and Moutaz Alazab for being with me in this long journey and joining me in Australia to be as a family. Also, I would like to thank all my siblings; Abed Almajed Alazab, Omar Alazab, my only sister Remah Alazab, who have all given me support throughout my life, have helped to make this possible, and have ultimately made the end result mean much more than just obtaining a degree. Also, I would like to thank my patient and wonderful partner, Penny Butler, who copyedited my first PhD paper in this dissertation and proofread some of my emails, for her deep understanding, profound encouragements, unlimited support, constant belief, love, help, and patience. The wonderful staff of the University of Ballarat, those within the Research and Graduate Studies Office, in particular Diane Clingin and Elanor Mahon, and the School of Science, Information Technology and Engineering, in particular Prof. John Yearwood (Dean) with administrative support from Maxine Kingston, Yve Rowe and Rebecca Davis. The support offered by the Internet Commerce Security Laboratory team has been invaluable to me. Finally, I would also like to take this opportunity to thank the examiners for their time and devotion in regarding my PhD thesis. viii List of Publications The following papers, I author and co-author, which have been previously published or are currently in submission, are reprinted in this dissertation with the full permission of all co-authors of the papers: JOURNAL PUBLICATIONS 23- Mamoun Alazab, Shamsul Huda, Paul Watters, Sitalakshmi Venkataraman and John Yearwood ―A novel Malware detection using hybrid Wrapper-Filter approach and op-code frequency statistics based on extended x86 IA-32 binary assembly instructions‖, (submitted). 22- Salah Al-Hyari, Moutaz Alazab, Sitalakshmi Venkatraman, Mamoun Alazab, and Ammar Alazab ―Six Sigma Approach to Improve Quality in e-Services – An Empirical Study in Jordan‖ (Accepted) IGI Global, The International Journal of Electronic Government Research (IJEGR), 2011. 21- Salah Al-Hyari, Moutaz Alazab, Sitalakshmi Venkatraman, Mamoun Alazab, and Ammar Alazab ―Performance Evaluation of E-Government Services Using Balance Scorecard An Empirical Study Jordan E-Government‖ (Accepted) Benchmarking: an International Journa, Taylor & Francis, Local Government Studies, 2011. 20- Mamoun Alazab, Mohammad Alkadiri, and Sitalakshmi Venkatraman ―Multivariate Logistic regression model for Malware anomaly detection based on operation code instructions‖, (Submitted) Journal of Computing, 2011. 19- Said Elaiwat, Ammar Alazab, Sitalakshmi Venkatraman and Mamoun Alazab "Applying Genetic Algorithm for Optimizing Broadcasting Process in Ad-hoc Network", The International Journal of Recent Trends in Engineering and Technology, The Association of ix Computer Electronics and Electrical Engineers , ISSN: 1797-9617, Vol.4, No.1, 2010, pp. 68 – 72. 18- Mamoun Alazab, Sitalakshmi Venkataraman and Paul Watters ―Effective digital forensic analysis of the NTFS disk image‖, Ubiquitous Computing and Communication Journal, ISSN 1994-4608, Vol. 4, No. 3, 2009, pp. 551- 558. BOOK CHAPTERS 17- Mamoun Alazab, Paul Watters, Sitalakshmi Venkatraman, and Moutaz Alazab ―Malware Forensics: The Art of Detecting Hidden Maliciousness‖ Book Title: IT Security Governance Innovations: Theory and Research, (Accepted to publish), IGI Global, 2011. 16- Ammar Alazab, Sitalakshmi Venkatraman, Jemal Abawajy, and Mamoun Alazab "An Optimal Transportation Routing Approach using GIS-based Dynamic Traffic Flows", Book Title: Management Technology and Applications Proceedings of the International Conference on. In Rawani, A. & Zhang C. (Eds), ISBN 978-981-08-6884-0, Research Publishing Services, 2010, pp. 168 – 174. 15- Mofakharul Islam, Sitalakshmi Venkatraman and Mamoun Alazab ―Stochastic Model Based Approach for Biometric Identification‖, Book Title: Technological Developments in Networking, Education and Automation. In K. Elleithy, T. Sobh, M. Iskander, V. Kapila, M. A. Karim & A. Mahmood (Eds.) Engineering, ISBN: 978-90-481-9151-2, Springer Netherlands, 2010, pp. 303-308. 14- Mamoun Alazab, Mofakharul Islam, Sitalakshmi Venkatraman ―Towards Automatic Image Segmentation Using Optimised Region Growing Technique‖, Book Title: AI 2009: Advances in Artificial Intelligence. In A. Nicholson & X. Li (Eds.) Lecture Notes in x Computer Science, ISBN: 978-3-642-10438-1, Springer-Verlag Berlin Heidelberg, 2009, Vol.5866, pp. 131-139. CONFERENCE PUBLICATIONS 13- Mamoun Alazab, Sitalakshmi Venkatraman, Paul Watters, and Moutaz Alazab "Zero-day Malware Detection based on Supervised Learning Algorithms of API call Signatures" Ninth Australasian Data Mining Conference: AusDM 2011, CRPIT series, 1-2 December 2011, Ballarat, Victoria, Australia. 12- Mamoun Alazab, Paul Watters, Sitalakshmi Venkatraman, Ammar Alazab, and Moutaz Alazab ―Cybercrime: Current Trends of Malware Threats‖ International Conference in Global Security Safety and Sustainability / International