DOCSLIB.ORG

Statistical Structures: Fingerprinting Malware for Classification and Analysis

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Statistical Structures: Fingerprinting Malware for Classification and Analysis Statistical Structures: Fingerprinting Malware for Classification and Analysis Daniel Bilar Wellesley College (Wellesley, MA) Colby College (Waterville, ME) bilar <at> alum dot dartmouth dot org Why Structural Fingerprinting? Goal: Identifying and classifying malware Problem: For any single fingerprint, balance between over-fitting (type II error) and under- fitting (type I error) hard to achieve Approach: View binaries simultaneously from different structural perspectives and perform statistical analysis on these ‘structural fingerprints’ Different Perspectives Idea: Multiple perspectives may increase likelihood of correct identification and classification Structural Description Statistical static / Perspective Fingerprint dynamic? Assembly Count different Opcode Primarily instruction instructions frequency static distribution Win 32 API Observe API calls API call vector Primarily call made dynamic System Explore graph- Graph structural Primarily Dependence modeled control and properties static Graph data dependencies Fingerprint: Opcode frequency distribution Synopsis: Statically disassemble the binary, tabulate the opcode frequencies and construct a statistical fingerprint with a subset of said opcodes. Goal: Compare opcode fingerprint across non- malicious software and malware classes for quick identification and classification purposes. Main result: ‘Rare’ opcodes explain more data variation then common ones Goodware: Opcode Distribution 1, 2 ---------.exe Procedure: -------.exe 1. Inventoried PEs (EXE, DLL, ---------.exe etc) on XP box with Advanced Disk Catalog 2. Chose random EXE samples size: 122880 with MS Excel and Index totalopcodes: 10680 3, 4 your Files compiler: MS Visual C++ 6.0 3. Ran IDA with modified class: utility (process) InstructionCounter plugin on sample PEs 0001. 002145 20.08% mov 4. Augmented IDA output files 0002. 001859 17.41% push with PEID results (compiler) 0003. 000760 7.12% call and general ‘functionality 0004. 000759 7.11% pop class’ (e.g. file utility, IDE, network utility, etc) 0005. 000641 6.00% cmp 5. Wrote Java parser for raw data files and fed JAMA’ed 5 matrix into Excel for analysis Malware: Opcode Distribution Procedure: Giri.5209 Gobi.a 1. Booted VMPlayer with XP AFXRK2K4.root.exe image ---------.b 2,3 vanquish.dll 2. Inventoried PEs from C. Ries malware collection with Advanced Disk Catalog size: 12288 3. Fixed 7 classes (e.g. virus,, totalopcodes: 615 rootkit, etc), chose random compiler: unknown 4, 5 PEs samples with MS Excel class: virus and Index your Files 4. Ran IDA with modified InstructionCounter plugin on 0001. 000112 18.21% mov sample PEs 0002. 000094 15.28% push 5. Augmented IDA output files 0003. 000052 8.46% call with PEID results (compiler, 0004. 000051 8.29% cmp packer) and ‘class’ 0005. 000040 6.50% add 6. Wrote Java parser for raw data 1 files and fed JAMA’ed matrix into Excel for analysis 6 Aggregate (Goodware): Opcode Breakdown retn xor and 20 EXEs 2% 2% 1% 20 EXEs jnz (size-blocked (size-blocked random random samples samples from 3% mov 538 frominventoried 538 inventoried EXEs) EXEs) 25% add ~1,520,000~1,520,000 opcodes opcodes read read 3% 192 out of 398 possible opcodes jmp 192 out of 420 possible found 3% opcodes found test 72 opcodes72 opcodes in pie in chartpie chart account for 3% >99.8%account for >99.8% lea push 14 opcodes14 opcodes labelled labelled account account for ~90% 4% jz 19% for ~90% 4% cmp Top 5 opcodes account for ~64 % 5% pop call 6% Top 5 opcodes account for 9% ~64 % Aggregate (Malware): Opcode Breakdown 67 67PEs PEs sub jnz xor (class-blocked(class-blocked random random samples samples 3% 1% retn 3% fromfrom 250 250 inventoried inventoried PEs) PEs) 3% ~665,000~665,000 opcodes opcodes read read test mov 3% 30% 141141 out out of of420 398 possible possible add opcodes found (two undocu- 3% opcodes found (two undocu- mented)mented) lea 3% jmp 6060 opcodes opcodes in piein pie chart chart 3% accountaccount for for >99.8% >99.8% jz 4% 14 14opcodes opcodes labelled labelled account account forfor >92% >92% cmp push pop 4% 16% Top 5 opcodes account for 6% call Top 5 opcodes account for ~65% 10% ~65% Class-blocked (Malware): Opcode Breakdown Comparison xor jnz sub Aggregate retn worms test virus rootkit (kernel) add mov lea rootkit (user) trojan bots s jmp tools jz Aggregate breakdown mov 30 % lea 3% cmp push 16 % add 3% call 10 % test 3% pop 6 % retn 3% pop cmp 4 % jnz 2% push jz 4 % xor 2% call jmp 4 % sub 1% Top 14 Opcodes: Frequency Opcode Goodware Kernel User Tools Bot Trojan Virus Worms RK RK mov 25.3% 37.0% 29.0% 25.4% 34.6% 30.5% 16.1% 22.2% push 19.5% 15.6% 16.6% 19.0% 14.1% 15.4% 22.7% 20.7% call 8.7% 5.5% 8.9% 8.2% 11.0% 10.0% 9.1% 8.7% pop 6.3% 2.7% 5.1% 5.9% 6.8% 7.3% 7.0% 6.2% cmp 5.1% 6.4% 4.9% 5.3% 3.6% 3.6% 5.9% 5.0% jz 4.3% 3.3% 3.9% 4.3% 3.3% 3.5% 4.4% 4.0% lea 3.9% 1.8% 3.3% 3.1% 2.6% 2.7% 5.5% 4.2% test 3.2% 1.8% 3.2% 3.7% 2.6% 3.4% 3.1% 3.0% jmp 3.0% 4.1% 3.8% 3.4% 3.0% 3.4% 2.7% 4.5% add 3.0% 5.8% 3.7% 3.4% 2.5% 3.0% 3.5% 3.0% jnz 2.6% 3.7% 3.1% 3.4% 2.2% 2.6% 3.2% 3.2% retn 2.2% 1.7% 2.3% 2.9% 3.0% 3.2% 2.0% 2.3% xor 1.9% 1.1% 2.3% 2.1% 3.2% 2.7% 2.1% 2.3% and 1.3% 1.5% 1.0% 1.3% 0.5% 0.6% 1.5% 1.6% Comparison Opcode Frequencies Opcode Goodware Kernel User Tools Bot Trojan Virus Worms RK PerformRK distribution tests for top mov 25.3% 37.0%14 opcodes29.0% 25.4% on 734.6% classes30.5% of 16.1% 22.2% push 19.5% 15.6%malware16.6% :19.0% 14.1% 15.4% 22.7% 20.7% call 8.7% 5.5% 8.9% 8.2% 11.0% 10.0% 9.1% 8.7% pop 6.3% 2.7%Rootkit5.1% (kernel5.9% 6.8% + user)7.3% 7.0% 6.2% cmp 5.1% 6.4% 4.9% 5.3% 3.6% 3.6% 5.9% 5.0% jz 4.3% 3.3%Virus3.9% and4.3% Worms3.3% 3.5% 4.4% 4.0% lea 3.9% 1.8%Trojan3.3% and3.1% Tools2.6% 2.7% 5.5% 4.2% test 3.2% 1.8% 3.2% 3.7% 2.6% 3.4% 3.1% 3.0% jmp 3.0% 4.1%Bots3.8% 3.4% 3.0% 3.4% 2.7% 4.5% add 3.0% 5.8% 3.7% 3.4% 2.5% 3.0% 3.5% 3.0% jnz 2.6% 3.7%Investigate:3.1% 3.4% Wh2.2%ich,2.6% if any,3.2% 3.2% retn 2.2% 1.7%opcode2.3% frequency2.9% 3.0% is3.2% significantly2.0% 2.3% xor 1.9% 1.1%different2.3% 2.1%for malware3.2% 2.7%? 2.1% 2.3% and 1.3% 1.5% 1.0% 1.3% 0.5% 0.6% 1.5% 1.6% Top 14 Opcode Testing (z-scores) O p c Opcode Kernel User Tools Bot Trojan Virus Worms Higher o RK RK d High e mov 36.8 20.6 2.0 70.1 28.7 -27.9 -20.1 F Similar r push -15.5 -21.0 4.6 -59.9 -31.2 12.1 6.9 e q Low u call -17.0 1.2 5.2 26.0 10.6 2.6 -0.3 e Lower n pop -22.0 -13.5 4.9 5.1 9.8 4.8 -1.1 c y cmp 7.4 -3.5 -0.6 -30.8 -21.2 4.7 -1.8 jz -7.4 -6.1 0.9 -20.9 -11.0 1.4 -4.4 Tests lea -16.2 -8.4 10.9 -29.2 -18.3 11.5 4.2 suggests test -12.2 0.0 -6.6 -14.6 1.8 -0.2 -3.4 opcode frequency jmp 8.5 11.7 -5.0 -2.2 5.0 -2.3 20.4 roughly add 22.9 10.8 -6.4 -13.5 -0.1 4.3 0.5 jnz 8.7 7.4 -11.7 -12.2 -0.9 5.3 8.0 1/3 same retn -5.5 2.5 -12.3 18.4 17.8 -1.4 2.6 1/3 lower 1/3 higher xor -8.9 6.7 -2.6 29.5 15.3 2.7 7.7 and 1.9 -7.3 -0.7 -33.6 -17.0 2.4 5.9 vs goodware Top 14 Opcodes Results Interpretation Cramer’s V 10.3 6.1 4.0 15.0 9.5 5.6 5.2 Most frequent 14 (in %) opcodes weak Op Krn Usr Tools Bot Trojan Virus Worm mov predictor push call Explains just 5-15% of pop variation! cmp jz lea Higher O test p c High jmp F add r Similar e jnz q retn Low xor Lower and Tools: (almost) no Virus + Worms: Kernel-mode Rootkit: deviation in top 5 few # of deviations; most # of deviations opcodes more more jumps smaller handcoded assembly; ‘benign’ (i.e. similar size, simpler malicious ‘evasive’ opcodes ? to goodware) ? function, more control flow ? Rare 14 Opcodes (parts per million) Opcode Goodware Kernel User Tools Bot Trojan Virus Worms RK RK bt 30 0 34 47 70 83 0 118 fdivp 37 0 0 35 52 52 0 59 fild 357 0 45 0 133 115 0 438 fstcw 11 0 0 0 22 21 0 12 imul 1182 1629 1849 708 726 406 755 1126 int 25 4028 981 921 0 0 108 0 nop 216 136 101 71 7 42 647 83 pushf 116 0 11 59 0 0 54 12 rdtsc 12 0 0 0 11 0 108 0 sbb 1078 588 1330 1523 431 458 1133 782 setb 6 0 68 12 22 52 0 24 setle 20 0 0 0 0 21 0 0 shld 22 0 45 35 4 0 54 24 std 20 272 56 35 48 31 0 95 Rare 14 Opcode Testing (z-scores) O p c Opcode Kernel User Tools Bot Trojan Virus Worms Higher o RK RK d High e bt -1.2 -0.4 0.7 6.6 5.9 -0.7 4.8 F Similar r fdivp -1.3 -2.2 -0.3 3.8 2.8 -0.8 1.3 e q Low u fild -4.3 -6.5 -6.1 -1.5 -0.8 -2.6 2.1 e Lower n fstcw -0.7 -1.2 -1.0 3.3 2.2 -0.4 0.2 c y imul -3.3 1.3 -5.9 4.4 -1.4 -1.7 0.9 int 45.0 26.2 28.7 -1.8 -1.0 2.4 -1.4 Tests nop -2.3 -3.6 -3.2 -5.0 -1.6 4.5 -2.3 suggests pushf -2.4 -3.7 -1.8 -3.9 -2.2 -0.7 -2.6 opcode frequency rdtsc -0.7 -1.2 -1.1 1.1 -0.7 3.8 -0.9 roughly sbb -6.5 -2.0 3.4 -2.2 0.3 0.8 -2.0 setb -0.5 4.7 0.6 4.6 7.9 -0.3 2.1 1/10 lower setle -1.0 -1.6 -1.4 -1.6 1.3 -0.6 -1.2 1/5 higher 7/10 same shld -1.0 0.6 0.6 -1.1 -0.9 1.0 0.2 std 4.8 1.4 0.8 0.3 2.4 -0.6 4.8 vs goodware Rare 14 Opcodes: Interpretation Cramer’s V 63 36 42 17 16 10 12 Infrequent 14 opcodes (in %) much better Op Krn Usr Tools Bot Trojan Virus Worm bt predictor! fdivp Explains 12-63% of fild fstcw variation imul int nop Higher O p pushf c High F rdtsc r sbb Similar e q setb Low setle Lower shld std NOP: INT: Rooktkits (and tools) make Virus makes use heavy use of software interrupts NOP sled, padding ? tell-tale sign of RK ? Summary: Opcode Distribution Compare opcode Giri.5209 fingerprints against Gobi.a AFXRK2K4.root.exe ---------.b various software classes vanquish.dll for quick identification size: 12288 and classification totalopcodes: 615 compiler: unknown Malware opcode class: virus frequency distribution seems to deviate 0001.
Load more

Recommended publications
  • Exploring Corporate Decision Makers' Attitudes Towards Active Cyber
    Protecting the Information Society: Exploring Corporate Decision Makers’ Attitudes towards Active Cyber Defence as an Online Deterrence Option by Patrick Neal A Dissertation Submitted to the College of Interdisciplinary Studies in Partial Fulfilment of the Requirements for the Degree of DOCTOR OF SOCIAL SCIENCES Royal Roads University Victoria, British Columbia, Canada Supervisor: Dr. Bernard Schissel February, 2019 Patrick Neal, 2019 COMMITTEE APPROVAL The members of Patrick Neal’s Dissertation Committee certify that they have read the dissertation titled Protecting the Information Society: Exploring Corporate Decision Makers’ Attitudes towards Active Cyber Defence as an Online Deterrence Option and recommend that it be accepted as fulfilling the dissertation requirements for the Degree of Doctor of Social Sciences: Dr. Bernard Schissel [signature on file] Dr. Joe Ilsever [signature on file] Ms. Bessie Pang [signature on file] Final approval and acceptance of this dissertation is contingent upon the candidate’s submission of the final copy of the dissertation to Royal Roads University. The dissertation supervisor confirms to have read this dissertation and recommends that it be accepted as fulfilling the dissertation requirements: Dr. Bernard Schissel[signature on file] Creative Commons Statement This work is licensed under the Creative Commons Attribution-NonCommercial- ShareAlike 2.5 Canada License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nc-sa/2.5/ca/ . Some material in this work is not being made available under the terms of this licence: • Third-Party material that is being used under fair dealing or with permission. • Any photographs where individuals are easily identifiable. Contents Creative Commons Statement............................................................................................
    [Show full text]
  • GQ: Practical Containment for Measuring Modern Malware Systems
    GQ: Practical Containment for Measuring Modern Malware Systems Christian Kreibich Nicholas Weaver Chris Kanich ICSI & UC Berkeley ICSI & UC Berkeley UC San Diego [email protected] [email protected] [email protected] Weidong Cui Vern Paxson Microsoft Research ICSI & UC Berkeley [email protected] [email protected] Abstract their behavior, sometimes only for seconds at a time (e.g., to un- Measurement and analysis of modern malware systems such as bot- derstand the bootstrapping behavior of a binary, perhaps in tandem nets relies crucially on execution of specimens in a setting that en- with static analysis), but potentially also for weeks on end (e.g., to ables them to communicate with other systems across the Internet. conduct long-term botnet measurement via “infiltration” [13]). Ethical, legal, and technical constraints however demand contain- This need to execute malware samples in a laboratory setting ex- ment of resulting network activity in order to prevent the malware poses a dilemma. On the one hand, unconstrained execution of the from harming others while still ensuring that it exhibits its inher- malware under study will likely enable it to operate fully as in- ent behavior. Current best practices in this space are sorely lack- tended, including embarking on a large array of possible malicious ing: measurement researchers often treat containment superficially, activities, such as pumping out spam, contributing to denial-of- sometimes ignoring it altogether. In this paper we present GQ, service floods, conducting click fraud, or obscuring other attacks a malware execution “farm” that uses explicit containment prim- by proxying malicious traffic.
    [Show full text]
  • Workaround for Welchia and Sasser Internet Worms in Kumamoto University
    Workaround for Welchia and Sasser Internet Worms in Kumamoto University Yasuo Musashi, Kenichi Sugitani,y and Ryuichi Matsuba,y Center for Multimedia and Information Technologies, Kumamoto University, Kumamoto 860-8555 Japan, E-mail: [email protected], yE-mail: [email protected], yE-mail: [email protected] Toshiyuki Moriyamaz Department of Civil Engineering, Faculty of Engineering, Sojo University, Ikeda, Kumamoto 860-0081 Japan, zE-mail: [email protected] Abstract: The syslog messages of the iplog-2.2.3 packet capture in the DNS servers in Ku- mamoto University were statistically investigated when receiving abnormal TCP packets from PC terminals infected with internet worms like W32/Welchia and/or W32/Sasser.D worms. The inter- esting results are obtained: (1) Initially, the W32/Welchia worm-infected PC terminals for learners (920 PCs) considerably accelerates the total W32/Welchia infection. (2) We can suppress quickly the W32/Sasser.D infection in our university when filtering the access between total and the PC terminal’s LAN segments. Therefore, infection of internet worm in the PC terminals for learners should be taken into consideration to suppress quickly the infection. Keywords: Welchia, Sasser, internet worm, system vulnerability, TCP port 135, TCP port 445, worm detection 1. Introduction defragmentation, TCP stream reassembling (state- less/stateful), and content matcher (detection engine). Recent internet worms (IW) are mainly categorized The other is iplog[11], a packet logger that is not so into two types, as follows: one is a mass-mailing-worm powerful as Snort but it is slim and light-weighted so (MMW) which transfers itself by attachment files of that it is useful to get an IP address of the client PC the E-mail and the other is a system-vulnerability- terminal.
    [Show full text]
  • Shoot the Messenger: IM Worms Infectionvectors.Com June 2005
    Shoot the Messenger: IM Worms infectionvectors.com June 2005 Overview Instant Messaging (IM) has rapidly gained popularity, making it an attractive medium for malware coders. However, without the universal interoperation of email, instant messaging worms have so far been much slower to propagate and gain widespread success compared to their SMTP-based cousins. As such, the amount of attention (and development) they have received from malware authors is significantly less than the mass mailer worms. Nonetheless, IM-based malware is a threat to all organizations and should be addressed by both policy and technical safeguards. IM-founded malware carries the same potential for compromising data as any other malcode (and has adopted the tactics of more successful varieties exceptionally quickly). This paper examines the development and importance of IM worms. Messaging Overview Instant messaging generically refers to real-time text communications between two or more clients (although, it is important to note many new services such as video and voice are available through these clients). Generally, messages are passed from a client to a server and vice versa. Some IM clients are capable of transmitting files between one another without a central server (once a communications channel is established) and can allow for a remarkable degree of command execution. This is represented simply below: Messaging Server Presence data transferred to clients from servers. Message/file transfer. Compatible Clients Shoot the Messenger: IM Worms 2 IM protocols range from relatively simple to quite complex and generally include some form of “presence” detection and notification (the ability to indicate whether a contact is online at any given time).
    [Show full text]
  • The Blaster Worm: Then and Now
    Worms The Blaster Worm: Then and Now The Blaster worm of 2003 infected at least 100,000 Microsoft Windows systems and cost millions in damage. In spite of cleanup efforts, an antiworm, and a removal tool from Microsoft, the worm persists. Observing the worm’s activity can provide insight into the evolution of Internet worms. MICHAEL n Wednesday, 16 July 2003, Microsoft and continued to BAILEY, EVAN Security Bulletin MS03-026 (www. infect new hosts COOKE, microsoft.com/security/incident/blast.mspx) more than a year later. By using a wide area network- FARNAM O announced a buffer overrun in the Windows monitoring technique that observes worm infection at- JAHANIAN, AND Remote Procedure Call (RPC) interface that could let tempts, we collected observations of the Blaster worm DAVID WATSON attackers execute arbitrary code. The flaw, which the during its onset in August 2003 and again in August 2004. University of Last Stage of Delirium (LSD) security group initially This let us study worm evolution and provides an excel- Michigan uncovered (http://lsd-pl.net/special.html), affected lent illustration of a worm’s four-phase life cycle, lending many Windows operating system versions, including insight into its latency, growth, decay, and persistence. JOSE NAZARIO NT 4.0, 2000, and XP. Arbor When the vulnerability was disclosed, no known How the Blaster worm attacks Networks public exploit existed, and Microsoft made a patch avail- The initial Blaster variant’s decompiled source code re- able through their Web site. The CERT Coordination veals its unique behavior (http://robertgraham.com/ Center and other security organizations issued advisories journal/030815-blaster.c).
    [Show full text]
  • Common Threats to Cyber Security Part 1 of 2
    Common Threats to Cyber Security Part 1 of 2 Table of Contents Malware .......................................................................................................................................... 2 Viruses ............................................................................................................................................. 3 Worms ............................................................................................................................................. 4 Downloaders ................................................................................................................................... 6 Attack Scripts .................................................................................................................................. 8 Botnet ........................................................................................................................................... 10 IRCBotnet Example ....................................................................................................................... 12 Trojans (Backdoor) ........................................................................................................................ 14 Denial of Service ........................................................................................................................... 18 Rootkits ......................................................................................................................................... 20 Notices .........................................................................................................................................
    [Show full text]
  • Emerging Threats and Attack Trends
    Emerging Threats and Attack Trends Paul Oxman Cisco Security Research and Operations PSIRT_2009 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 1 Agenda What? Where? Why? Trends 2008/2009 - Year in Review Case Studies Threats on the Horizon Threat Containment PSIRT_2009 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 2 What? Where? Why? PSIRT_2009 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 3 What? Where? Why? What is a Threat? A warning sign of possible trouble Where are Threats? Everywhere you can, and more importantly cannot, think of Why are there Threats? The almighty dollar (or euro, etc.), the underground cyber crime industry is growing with each year PSIRT_2009 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 4 Examples of Threats Targeted Hacking Vulnerability Exploitation Malware Outbreaks Economic Espionage Intellectual Property Theft or Loss Network Access Abuse Theft of IT Resources PSIRT_2009 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 5 Areas of Opportunity Users Applications Network Services Operating Systems PSIRT_2009 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 6 Why? Fame Not so much anymore (more on this with Trends) Money The root of all evil… (more on this with the Year in Review) War A battlefront just as real as the air, land, and sea PSIRT_2009 © 2009 Cisco Systems, Inc. All rights reserved. Cisco Public 7 Operational Evolution of Threats Emerging Threat Nuisance Threat Threat Evolution Unresolved Threat Policy and Process Reactive Process Socialized Process Formalized Process Definition Reaction Mitigation Technology Manual Process Human “In the Automated Loop” Response Evolution Burden Operational End-User “Help-Desk” Aware—Know End-User No End-User Increasingly Self- Awareness Knowledge Enough to Call Burden Reliant Support PSIRT_2009 © 2009 Cisco Systems, Inc.
    [Show full text]
  • The Ecology of Malware
    The Ecology of Malware Jedidiah R. Crandall Roya Ensafi Stephanie Forrest University of New Mexico University of New Mexico University of New Mexico Dept. of Computer Science Dept. of Computer Science Dept. of Computer Science Mail stop: MSC01 1130 Mail stop: MSC01 1130 Mail stop: MSC01 1130 1 University of New Mexico 1 University of New Mexico 1 University of New Mexico Albuquerque, NM 87131-0001 Albuquerque, NM 87131-0001 Albuquerque, NM 87131-0001 [email protected] [email protected] [email protected] Joshua Ladau Bilal Shebaro Santa Fe Institute University of New Mexico 1399 Hyde Park Road Dept. of Computer Science Santa Fe, New Mexico 87501 Mail stop: MSC01 1130 [email protected] 1 University of New Mexico Albuquerque, NM 87131-0001 [email protected] ABSTRACT General Terms The fight against malicious software (or malware, which includes Security everything from worms to viruses to botnets) is often viewed as an “arms race.” Conventional wisdom is that we must continu- Keywords ally “raise the bar” for the malware creators. However, the mul- titude of malware has itself evolved into a complex environment, malware ecology, malware analysis, worms, viruses, botnets and properties not unlike those of ecological systems have begun to emerge. This may include competition between malware, fa- 1. INTRODUCTION cilitation, parasitism, predation, and density-dependent population regulation. Ecological principles will likely be useful for under- Modern malware defense involves a variety of activities and is standing the effects of these ecological interactions, for example, quickly becoming unsustainable. So many malware samples are carrying capacity, species-time and species-area relationships, the collected from the wild each day that triaging is necessary to deter- unified neutral theory of biodiversity, and the theory of island bio- mine which samples warrant further analysis.
    [Show full text]
  • Computer Viruses, in Order to Detect Them
    Behaviour-based Virus Analysis and Detection PhD Thesis Sulaiman Amro Al amro This thesis is submitted in partial fulfilment of the requirements for the degree of Doctor of Philosophy Software Technology Research Laboratory Faculty of Technology De Montfort University May 2013 DEDICATION To my beloved parents This thesis is dedicated to my Father who has been my supportive, motivated, inspired guide throughout my life, and who has spent every minute of his life teaching and guiding me and my brothers and sisters how to live and be successful. To my Mother for her support and endless love, daily prayers, and for her encouragement and everything she has sacrificed for us. To my Sisters and Brothers for their support, prayers and encouragements throughout my entire life. To my beloved Family, My Wife for her support and patience throughout my PhD, and my little boy Amro who has changed my life and relieves my tiredness and stress every single day. I | P a g e ABSTRACT Every day, the growing number of viruses causes major damage to computer systems, which many antivirus products have been developed to protect. Regrettably, existing antivirus products do not provide a full solution to the problems associated with viruses. One of the main reasons for this is that these products typically use signature-based detection, so that the rapid growth in the number of viruses means that many signatures have to be added to their signature databases each day. These signatures then have to be stored in the computer system, where they consume increasing memory space. Moreover, the large database will also affect the speed of searching for signatures, and, hence, affect the performance of the system.
    [Show full text]
  • Modeling of Computer Virus Spread and Its Application to Defense
    University of Aizu, Graduation Thesis. March, 2005 s1090109 1 Modeling of Computer Virus Spread and Its Application to Defense Jun Shitozawa s1090109 Supervised by Hiroshi Toyoizumi Abstract 2 Two Systems The purpose of this paper is to model a computer virus 2.1 Content Filtering spread and evaluate content filtering and IP address blacklisting with a key parameter of the reaction time R. Content filtering is a containment system that has a We model the Sasser worm by using the Pure Birth pro- database of content signatures known to represent par- cess in this paper. Although our results require a short ticular worms. Packets containing one of these signa- reaction time, this paper is useful to obviate the outbreak tures are dropped when a containment system member of the new worms having high reproduction rate λ. receives the packets. This containment system is able to stop computer worm outbreaks immediately when the systems obtain information of content signatures. How- 1 Introduction ever, it takes too much time to create content signatures, and this system has no effect on polymorphic worms In recent years, new computer worms are being created at a rapid pace with around 5 new computer worms per a [10]. A polymorphic worm is one whose code is trans- day. Furthermore, the speed at which the new computer formed regularly, so no single signature identifies it. worms spread is amazing. For example, Symantec [5] 2.2 The IP Address Blacklisting received 12041 notifications of an infection by Sasser.B in 7 days. IP address blacklisting is a containment system that has Computer worms are a kind of computer virus.
    [Show full text]
  • Security and Privacy Implications of Third-Party Access to Online Social Networks
    Die approbierte Originalversion dieser Dissertation ist in der Hauptbibliothek der Technischen Universität Wien aufgestellt und zugänglich. http://www.ub.tuwien.ac.at The approved original version of this thesis is available at the main library of the Vienna University of Technology. http://www.ub.tuwien.ac.at/eng Security and Privacy Implications of Third-Party Access to Online Social Networks PhD THESIS submitted in partial fulfillment of the requirements of Doctor of Technical Sciences within the Vienna PhD School of Informatics by Markus Huber, M.Sc. Registration Number 0306665 to the Faculty of Informatics at the Vienna University of Technology Advisor: Privatdoz. Dipl.-Ing. Mag.rer.soc.oec. Dr.techn. Edgar Weippl Second advisor: o.Univ.Prof. Dipl.Ing. Dr. A Min Tjoa External reviewers: Assoc. Prof. Dr. Engin Kirda. Northeastern University, USA. Prof. Dr. Stefan Katzenbeisser. Technische Universität Darmstadt, Germany. Wien, 27.08.2013 (Signature of Author) (Signature of Advisor) Technische Universität Wien A-1040 Wien Karlsplatz 13 Tel. +43-1-58801-0 www.tuwien.ac.at Declaration of Authorship Markus Huber, M.Sc. Burggasse 102/8, AT-1070 Vienna, Austria I hereby declare that I have written this Doctoral Thesis independently, that I have com- pletely specified the utilized sources and resources and that I have definitely marked all parts of the work - including tables, maps and figures - which belong to other works or to the internet, literally or extracted, by referencing the source as borrowed. (Vienna, 27/08/2013) (Signature of Author) i Acknowledgements I am grateful to my supervisor Edgar R. Weippl for his excellent mentoring over the course of my postgraduate studies and for giving me the freedom to pursue my own research ideas.
    [Show full text]
  • Fondamentaux & Domaines
    Septembre 2020 Marie Lechner & Yves Citton Angles morts du numérique ubiquitaire Sélection de lectures, volume 2 Fondamentaux & Domaines Sommaire Fondamentaux Mike Ananny, Toward an Ethics of Algorithms: Convening, Observation, Probability, and Timeliness, Science, Technology, & Human Values, 2015, p. 1-25 . 1 Chris Anderson, The End of Theory: The Data Deluge Makes the Scientific Method Obsolete, Wired, June 23, 2008 . 26 Mark Andrejevic, The Droning of Experience, FibreCultureJournal, FCJ-187, n° 25, 2015 . 29 Franco ‘Bifo’ Berardi, Concatenation, Conjunction, and Connection, Introduction à AND. A Phenomenology of the End, New York, Semiotexte, 2015 . 45 Tega Brain, The Environment is not a system, Aprja, 2019, http://www.aprja.net /the-environment-is-not-a-system/ . 70 Lisa Gitelman and Virginia Jackson, Introduction to Raw Data is an Oxymoron, MIT Press, 2013 . 81 Orit Halpern, Robert Mitchell, And Bernard & Dionysius Geoghegan, The Smartness Mandate: Notes toward a Critique, Grey Room, n° 68, 2017, pp. 106–129 . 98 Safiya Umoja Noble, The Power of Algorithms, Introduction to Algorithms of Oppression. How Search Engines Reinforce Racism, NYU Press, 2018 . 123 Mimi Onuoha, Notes on Algorithmic Violence, February 2018 github.com/MimiOnuoha/On-Algorithmic-Violence . 139 Matteo Pasquinelli, Anomaly Detection: The Mathematization of the Abnormal in the Metadata Society, 2015, matteopasquinelli.com/anomaly-detection . 142 Iyad Rahwan et al., Machine behavior, Nature, n° 568, 25 April 2019, p. 477 sq. 152 Domaines Ingrid Burrington, The Location of Justice: Systems. Policing Is an Information Business, Urban Omnibus, Jun 20, 2018 . 162 Kate Crawford, Regulate facial-recognition technology, Nature, n° 572, 29 August 2019, p. 565 . 185 Sidney Fussell, How an Attempt at Correcting Bias in Tech Goes Wrong, The Atlantic, Oct 9, 2019 .
    [Show full text]