Classification of Malware Persistence Mechanisms Using Low-Artifact Disk Instrumentation

A Dissertation Presented by Jennifer Mankin to the Department of Electrical and Computer Engineering in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Electrical and Computer Engineering in the field of Computer Engineering. Northeastern University, Boston, Massachusetts, September 2013.

Abstract

The proliferation of malware in recent years has motivated the need for tools to analyze, classify, and understand intrusions. Current research in analyzing malware focuses either on labeling malware by its maliciousness (e.g., malicious or benign) or classifying it by the variant it belongs to. We argue that, in addition to providing coarse family labels, it is useful to label malware by the capabilities it employs. Capabilities can include keystroke logging, downloading a file from the internet, modifying the Master Boot Record, and trojanizing a system binary. Unfortunately, labeling malware by capability requires a descriptive, high-integrity trace of malware behavior, which is challenging given the complex stealth techniques that malware employs in order to evade analysis and detection.

In this thesis, we present Dione, a flexible rule-based disk I/O monitoring and analysis infrastructure. Dione interposes between a system-under-analysis and its hard disk, intercepting disk accesses and reconstructing high-level file system and registry changes as they occur. Because it observes the disk from outside the analyzed system rather than through code running inside it, the trace it produces does not depend on in-guest components that a rootkit could subvert. We evaluate the accuracy and performance of Dione, and show that it can achieve 100% accuracy in reconstructing file system operations, with a performance penalty of less than 2% in many cases.

Given the trustworthy behavioral traces obtained by Dione, we convert file-system-level events to high-level capabilities. For this, we use model checking, a formal verification approach that compares a model extracted from a behavioral trace to a given specification. Since we use Dione traces of file system and registry events, we aim to label persistence capabilities, that is, we label a sample by the mechanism it uses not only to persist on disk, but to restart after a system boot. We model the Windows service, a commonly employed capability used by malware to persist, load a binary after reboot, and even load dangerous code into the kernel. We model the installation of a Windows service, the system boot, and the file access of the service binary. We test our models on over 1000 real-world malware samples, and show that the approach successfully identifies service-installing malware samples over 99% of the time, and malware that loads that service over 98% of the time. Moreover, we demonstrate that we are able to use traces of disk reads to differentiate between two types of file accesses. We show that we can not only detect when a persistence mechanism is installed, but also that the persistence mechanism is successful, because we detect the automatic load of the program binary after a system reboot. We correctly identify file access types from disk access patterns with less than 4% of samples mislabeled, and demonstrate that even an expert analyst would have difficulty correctly identifying the mislabeled accesses.

Acknowledgements

First and foremost, I would like to thank my husband Dana. Not only would it have been nearly impossible to complete this work without his love and support, but it most definitely would not have been this much fun! I would also like to thank my family for everything they've done for me and for supporting me throughout the years. I specifically owe my success to my parents for instilling in me a love of learning and logic, and for emphasizing to me that the most important thing is to try.

The insightful and inspiring help from both my academic and industry advisors was critical throughout this entire process, culminating with this dissertation. I would like to acknowledge the tremendous support of my advisor at Northeastern, Dr. David Kaeli, and thank him for his many years of dedication to helping his students achieve great things. I also want to thank my technical supervisors at MIT Lincoln Laboratory, Charles Wright and Graham Baker, for developing this exciting research and guiding me throughout the process. Finally, I would like to thank my colleagues at Northeastern and MIT Lincoln Labs for their invaluable feedback and discussions.

Contents

Abstract  ii
Acknowledgements  iv
1 Introduction  1
1.1 Motivation  3
1.2 Contributions  10
1.3 Organization of Dissertation  12
2 Background  14
2.1 Malicious Software  15
2.1.1 Malware Types  15
2.1.2 Anti-Forensics Techniques  16
2.1.3 Evasion Techniques  18
2.2 Malware Analysis  26
2.2.1 Static Binary Analysis  27
2.2.2 Dynamic Analysis  28
2.3 Windows Concepts  30
2.3.1 The Windows Registry  30
2.3.2 NTFS File System  33
2.3.3 Performance Optimizations for Disk Accesses  36
2.4 Formal Verification and Model Checking  37
2.4.1 Predicate Logic  39
2.4.2 Temporal Logic  41
2.4.3 Linear Temporal Predicate Logic  43
2.5 Summary  44
3 Related Work  45
3.1 Malware Analysis and Instrumentation  45
3.2 Characterizing Malware Behavior  52
3.2.1 Characterizing Malware with Machine Learning  53
3.2.2 Characterizing Malware Using Modeling  55
4 Dione: A Disk Instrumentation Framework  60
4.1 Threat Model and Assumptions  60
4.2 Dione Operation  61
4.2.1 Dione Policy Commands  64
4.2.2 Dione State Commands  65
4.3 Live Updating  66
4.3.1 Live Updating Challenges  66
4.3.2 Live Updating Operation  68
4.4 Disk Sensor Integration  70
4.5 Experimental Results  72
4.5.1 Experimental Setup  72
4.5.2 Evaluation of Live Updating Accuracy  72
4.5.3 Evaluation of Performance  74
4.6 Registry Monitoring  81
5 Labeling Malware Persistence Mechanisms with Dione  84
5.1 Modeling Persistence Mechanisms with LTPL  84
5.1.1 System Boot  87
5.1.2 Service Install  87
5.1.3 File Access  88
5.1.4 Persistent Service Load  89
5.2 Dione Capability Labeler Implementation  90
5.3 Experimental Setup  91
5.3.1 Testbeds  91
5.3.2 Malware Corpus  93
5.3.3 Assignment of "Truth" Labels  94
5.3.4 Model Checker Results  98
5.4 Labeling File Access Type  103
5.4.1 Motivation  104
5.4.2 Program Binary Load Classifier  107
5.4.3 SVM Classifier Implementation  108
5.4.4 Results  110
6 Directions for Future Work  117
7 Thesis Summary and Contributions  119
8 Appendix  122
8.1 Tables  122
Bibliography  137

Chapter 1
Introduction

The past decade has been boldly marked by the ongoing arms race between malicious software creators and security researchers. Not only are security companies and researchers overwhelmed by the several million new unique samples discovered each month, but the sophistication of malicious software continues to increase as well [46]. Malicious software, or malware, can take many forms. While the amount of harm caused by a malware sample can vary, all malware shares the property of having been installed without the full consent and knowledge of the user. Spyware or adware can be installed on a user's system, causing annoying pop-ups or violating privacy expectations by tracking user habits [54]. Alternatively, malware may force the system to become part of a network of hijacked machines used to send spam, hijack other systems, or perpetrate Distributed Denial of Service (DDoS) attacks on banks or targets of political protest [10]. Increasingly, malware is used for financial gain. For example, banking threats seek to steal credentials from users or banking systems in order to perpetrate financial crimes, while fake-alert and ransomware threats trick the user into paying either for impostor security software or for the safe return of their "ransomed" data [45].

Rootkits can be particularly dangerous, as they exist to provide additional stealth measures that prevent the user or security products from detecting the presence of the rootkit and any other malware it is packaged with [10]. Rootkits execute with the privilege of the operating system itself by attacking and patching its code. Though the number of new rootkits discovered in the wild has been decreasing since 2011, tens of thousands of new samples are still discovered every month [46]. Furthermore, there is a common adage in security that, between malware and a security product, the winner is whichever was loaded first. As a result, rootkits are increasingly turning to infecting the Master Boot Record (MBR); since the code in the MBR runs before the operating system loads, an infected MBR gains control before any security product and is a devastating attack on the system [45]. Once a rootkit has breached kernel-level code, it is difficult to trust any security product or malware analyzer running on the infected system.

In the past couple of decades, research into labeling malware has focused on identifying the malware by family or variant. While having labels available for new samples is useful to provide a coarse-grained identification, we argue that labeling the behavior of the malware could be more useful than identifying the family it belongs to. Capability labeling is a promising solution to understanding how malware behaves. Instead of identifying malware by its family or strain, identifying malware by the capabilities it possesses allows security products to identify the high-level behaviors that new malware is employing. There are several benefits to labeling or identifying capabilities present in malware or software. A system equipped with on-the-fly capability detection could provide notifications to users when software or malware is installed with certain malicious capabilities.
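Dione's reconstruction of file-level events from raw disk accesses, described in the abstract, rests on knowing which file each sector belongs to (on NTFS, the data runs stored in a file's MFT record, Section 2.3.2) and on refreshing that knowledge when the MFT itself is written (Section 4.3, live updating). The following Python is an added example written for this page, not Dione's code. The data-run decoder follows the on-disk NTFS run-list format; the $MFT and service-binary runs, the write stream, the 512-byte sector, 4096-byte cluster and 1024-byte MFT record sizes are constructed or assumed, and the sector map uses a linear scan where a real monitor would use an interval tree.

```python
"""Resolve raw disk writes to file-level events using NTFS data runs.

Added example for this page, not Dione's code. The $MFT and sample-file data
runs, the write stream and the geometry constants are constructed/assumed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SECTOR = 512          # bytes per sector (assumed)
CLUSTER = 4096        # bytes per cluster, i.e. 8 sectors (assumed NTFS default)
MFT_RECORD = 1024     # bytes per FILE record in $MFT (assumed NTFS default)
SPC = CLUSTER // SECTOR


def decode_data_runs(runs: bytes) -> List[Tuple[Optional[int], int]]:
    """Decode an NTFS run list into (starting LCN, cluster count) pairs; the LCN
    is None for a sparse run. Each run starts with a header byte: low nibble =
    width of the length field, high nibble = width of the signed LCN delta
    (relative to the previous run's LCN). A zero header byte ends the list."""
    out: List[Tuple[Optional[int], int]] = []
    lcn, pos = 0, 0
    while pos < len(runs) and runs[pos] != 0:
        hdr = runs[pos]
        len_w, off_w = hdr & 0x0F, hdr >> 4
        pos += 1
        length = int.from_bytes(runs[pos:pos + len_w], "little")
        pos += len_w
        if off_w == 0:                 # sparse run: no clusters allocated on disk
            out.append((None, length))
            continue
        lcn += int.from_bytes(runs[pos:pos + off_w], "little", signed=True)
        pos += off_w
        out.append((lcn, length))
    return out


@dataclass
class Extent:
    first_sector: int
    sectors: int
    file: str
    file_offset: int    # byte offset of the extent's first sector within the file


class SectorMap:
    """Maps a physical sector back to (file, byte offset within the file)."""

    def __init__(self) -> None:
        self.extents: List[Extent] = []

    def add_file(self, name: str, runs: bytes) -> None:
        vcn = 0                        # virtual cluster number within the file
        for lcn, count in decode_data_runs(runs):
            if lcn is not None:
                self.extents.append(Extent(lcn * SPC, count * SPC, name, vcn * CLUSTER))
            vcn += count

    def resolve(self, sector: int) -> Optional[Tuple[str, int]]:
        for e in self.extents:         # linear scan; an interval tree would scale
            if e.first_sector <= sector < e.first_sector + e.sectors:
                return e.file, e.file_offset + (sector - e.first_sector) * SECTOR
        return None


def reconstruct(smap: SectorMap, writes: List[Tuple[int, int]]) -> List[dict]:
    """Turn raw (start_sector, sector_count) writes into file-level events.
    Contiguous writes to one file are merged. A write inside $MFT is reported
    with the affected record number: that is the cue to re-parse the record and
    refresh the map (live updating), since the write may have created,
    extended, moved or deleted a file."""
    events: List[dict] = []
    for start, count in writes:
        for s in range(start, start + count):
            hit = smap.resolve(s)
            if hit is None:
                ev = {"kind": "unmapped_write", "sector": s}
            elif hit[0] == "$MFT":
                ev = {"kind": "mft_record_write", "record": hit[1] // MFT_RECORD}
            else:
                ev = {"kind": "file_write", "file": hit[0], "offset": hit[1], "length": SECTOR}
            last = events[-1] if events else None
            if (last and last["kind"] == ev["kind"] == "file_write" and last["file"] == ev["file"]
                    and last["offset"] + last["length"] == ev["offset"]):
                last["length"] += SECTOR           # contiguous: extend the previous event
            elif last and last["kind"] == ev["kind"] == "mft_record_write" and last["record"] == ev["record"]:
                continue                           # same record already reported
            else:
                events.append(ev)
    return events


SVC_BIN = "C:\\Windows\\System32\\drivers\\sysdrv.sys"   # constructed file name


def build_sample_map() -> SectorMap:
    smap = SectorMap()
    # Constructed runs: $MFT occupies LCN 4-5 (2 clusters); the binary LCN 100-102.
    smap.add_file("$MFT", bytes.fromhex("11020400"))
    smap.add_file(SVC_BIN, bytes.fromhex("11036400"))
    return smap


# Constructed write stream (start_sector, sector_count) as seen below the OS.
SAMPLE_WRITES = [(800, 8), (40, 2), (816, 4), (5000, 1)]

if __name__ == "__main__":
    for event in reconstruct(build_sample_map(), SAMPLE_WRITES):
        print(event)
```

The write to sector 40 falls in $MFT record 4; a monitor that did not re-parse that record after the write would keep resolving sectors against a stale map, which is exactly the case live updating exists to handle.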
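The persistent-service model from the abstract (service install, then system boot, then a read of the service binary) can be checked over a finite trace with a small linear temporal logic evaluator extended with variable binding, which is the role Linear Temporal Predicate Logic plays in Chapter 5: the image path bound at the install event is what the later read must match. The following Python is an added example written for this page, not the dissertation's checker or Dione's trace format. The event schema (kind/path/key/value/data fields), the file_delete event, the service name, and both traces are constructed; the ImagePath normalization is a simplification.

```python
"""Finite-trace temporal checker with variable binding, applied to a
constructed Dione-style trace of file-system and registry events.

Added example for this page, not the dissertation's checker. The event schema
and both traces are constructed."""
from typing import Callable, Dict, List, Optional

Event = Dict[str, str]
Env = Dict[str, str]                                  # variable bindings
Formula = Callable[[List[Event], int, Env], bool]     # evaluated at trace position i


# ---- temporal operators over a finite trace ----
def atom(pred: Callable[[Event, Env], bool]) -> Formula:
    return lambda tr, i, env: i < len(tr) and pred(tr[i], env)

def not_(f: Formula) -> Formula:
    return lambda tr, i, env: not f(tr, i, env)

def and_(f: Formula, g: Formula) -> Formula:
    return lambda tr, i, env: f(tr, i, env) and g(tr, i, env)

def eventually(f: Formula) -> Formula:        # F f: true at i or at some later position
    return lambda tr, i, env: any(f(tr, j, env) for j in range(i, len(tr)))

def until(f: Formula, g: Formula) -> Formula: # f U g: f holds at every position before g
    return lambda tr, i, env: any(
        g(tr, j, env) and all(f(tr, k, env) for k in range(i, j))
        for j in range(i, len(tr)))

def bind(extract: Callable[[Event], Optional[Env]], f: Formula) -> Formula:
    """Existential binding: if `extract` recognises the event at position i it
    returns variable bindings (e.g. the service's image path) and f is then
    evaluated from i with those bindings in scope."""
    def check(tr: List[Event], i: int, env: Env) -> bool:
        if i >= len(tr):
            return False
        b = extract(tr[i])
        return b is not None and f(tr, i, {**env, **b})
    return check


# ---- predicates over the assumed event schema ----
SERVICES_KEY = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\"

def _image_path(data: str) -> str:
    """Normalise an ImagePath value: drop surrounding quotes and trailing
    arguments (simplification; real values may also carry \\??\\ or %SystemRoot%)."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0].lower()
    return data.split(" ")[0].lower()

def service_install(ev: Event) -> Optional[Env]:
    """A service exists once ImagePath is written under its Services subkey."""
    if ev["kind"] == "reg_set" and ev["key"].startswith(SERVICES_KEY) and ev["value"] == "ImagePath":
        return {"svc": ev["key"][len(SERVICES_KEY):], "image": _image_path(ev["data"])}
    return None

def is_boot(ev: Event, env: Env) -> bool:
    return ev["kind"] == "boot"

def reads_image(ev: Event, env: Env) -> bool:
    return ev["kind"] == "file_read" and ev["path"].lower() == env["image"]

def deletes_image(ev: Event, env: Env) -> bool:
    return ev["kind"] == "file_delete" and ev["path"].lower() == env["image"]


# F install(x)
INSTALLS_SERVICE = eventually(bind(service_install, atom(lambda e, env: True)))
# F (install(x) and (not delete(x)) U boot): the binary is still on disk at reboot
SURVIVES_TO_BOOT = eventually(bind(service_install, until(not_(atom(deletes_image)), atom(is_boot))))
# F (install(x) and F (boot and F read(x))): the binary is loaded after the reboot,
# i.e. the persistence mechanism actually worked
PERSISTENT_SERVICE_LOAD = eventually(bind(
    service_install, eventually(and_(atom(is_boot), eventually(atom(reads_image))))))

def label(trace: List[Event]) -> Dict[str, bool]:
    return {"installs_service": INSTALLS_SERVICE(trace, 0, {}),
            "survives_to_boot": SURVIVES_TO_BOOT(trace, 0, {}),
            "persistent_service_load": PERSISTENT_SERVICE_LOAD(trace, 0, {})}


def mk(kind: str, **fields: str) -> Event:
    return {"kind": kind, **fields}

SVC = SERVICES_KEY + "sysdrv"                                   # constructed service
BIN = "C:\\Windows\\System32\\drivers\\sysdrv.sys"              # constructed binary
# Constructed trace: dropper writes the driver, registers it as an auto-start
# service, the machine reboots, and the driver is read back during boot.
TRACE_PERSISTS = [
    mk("file_write", path=BIN),
    mk("reg_set", key=SVC, value="ImagePath", data=BIN),
    mk("reg_set", key=SVC, value="Start", data="2"),
    mk("boot"),
    mk("file_read", path="C:\\Windows\\System32\\ntoskrnl.exe"),
    mk("file_read", path=BIN),
]
# Constructed trace: same registration, but the dropper reads and then deletes
# its own driver before the reboot, so nothing is loaded afterwards.
TRACE_INSTALL_ONLY = [
    mk("file_write", path=BIN),
    mk("reg_set", key=SVC, value="ImagePath", data=BIN),
    mk("file_read", path=BIN),
    mk("file_delete", path=BIN),
    mk("boot"),
    mk("file_read", path="C:\\Windows\\System32\\ntoskrnl.exe"),
]

if __name__ == "__main__":
    print(label(TRACE_PERSISTS))
    print(label(TRACE_INSTALL_ONLY))
```

The second trace is why the abstract separates "installs a service" from "loads that service": a read of the binary before the boot (here by the dropper itself) must not count as the persistent load, and the binding of the image path at the install event is what lets the post-boot read be tied to the specific service rather than to any file read.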