Malware Detection Advances in Information Security
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress
Order Code RL32114 Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress Updated January 29, 2008 Clay Wilson Specialist in Technology and National Security Foreign Affairs, Defense, and Trade Division Botnets, Cybercrime, and Cyberterrorism: Vulnerabilities and Policy Issues for Congress Summary Cybercrime is becoming more organized and established as a transnational business. High technology online skills are now available for rent to a variety of customers, possibly including nation states, or individuals and groups that could secretly represent terrorist groups. The increased use of automated attack tools by cybercriminals has overwhelmed some current methodologies used for tracking Internet cyberattacks, and vulnerabilities of the U.S. critical infrastructure, which are acknowledged openly in publications, could possibly attract cyberattacks to extort money, or damage the U.S. economy to affect national security. In April and May 2007, NATO and the United States sent computer security experts to Estonia to help that nation recover from cyberattacks directed against government computer systems, and to analyze the methods used and determine the source of the attacks.1 Some security experts suspect that political protestors may have rented the services of cybercriminals, possibly a large network of infected PCs, called a “botnet,” to help disrupt the computer systems of the Estonian government. DOD officials have also indicated that similar cyberattacks from individuals and countries targeting economic, -
The Downadup Codex a Comprehensive Guide to the Threat’S Mechanics
Security Response The Downadup Codex A comprehensive guide to the threat’s mechanics. Edition 2.0 Introduction Contents Introduction.............................................................1 Since its appearance in late-2008, the Downadup worm has become Editor’s Note............................................................5 one of the most wide-spread threats to hit the Internet for a number of Increase in exploit attempts against MS08-067.....6 years. A complex piece of malicious code, this threat was able to jump W32.Downadup infection statistics.........................8 certain network hurdles, hide in the shadows of network traffic, and New variants of W32.Downadup.B find new ways to propagate.........................................10 defend itself against attack with a deftness not often seen in today’s W32.Downadup and W32.Downadup.B threat landscape. Yet it contained few previously unseen features. What statistics................................................................12 set it apart was the sheer number of tricks it held up its sleeve. Peer-to-peer payload distribution...........................15 Geo-location, fingerprinting, and piracy...............17 It all started in late-October of 2008, we began to receive reports of A lock with no key..................................................19 Small improvements yield big returns..................21 targeted attacks taking advantage of an as-yet unknown vulnerability Attempts at smart network scanning...................23 in Window’s remote procedure call (RPC) service. Microsoft quickly Playing with Universal Plug and Play...................24 released an out-of-band security patch (MS08-067), going so far as to Locking itself out.................................................27 classify the update as “critical” for some operating systems—the high- A new Downadup variant?......................................29 Advanced crypto protection.................................30 est designation for a Microsoft Security Bulletin. -
Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere, and Michel J.G
Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere, and Michel J.G. van Eeten, Delft University of Technology https://www.usenix.org/conference/usenixsecurity15/technical-sessions/presentation/asghari This paper is included in the Proceedings of the 24th USENIX Security Symposium August 12–14, 2015 • Washington, D.C. ISBN 978-1-939133-11-3 Open access to the Proceedings of the 24th USENIX Security Symposium is sponsored by USENIX Post-Mortem of a Zombie: Conficker Cleanup After Six Years Hadi Asghari, Michael Ciere and Michel J.G. van Eeten Delft University of Technology Abstract more sophisticated C&C mechanisms that are increas- ingly resilient against takeover attempts [30]. Research on botnet mitigation has focused predomi- In pale contrast to this wealth of work stands the lim- nantly on methods to technically disrupt the command- ited research into the other side of botnet mitigation: and-control infrastructure. Much less is known about the cleanup of the infected machines of end users. Af- effectiveness of large-scale efforts to clean up infected ter a botnet is successfully sinkholed, the bots or zom- machines. We analyze longitudinal data from the sink- bies basically remain waiting for the attackers to find hole of Conficker, one the largest botnets ever seen, to as- a way to reconnect to them, update their binaries and sess the impact of what has been emerging as a best prac- move the machines out of the sinkhole. This happens tice: national anti-botnet initiatives that support large- with some regularity. The recent sinkholing attempt of scale cleanup of end user machines. -
Undergraduate Report
UNDERGRADUATE REPORT Attack Evolution: Identifying Attack Evolution Characteristics to Predict Future Attacks by MaryTheresa Monahan-Pendergast Advisor: UG 2006-6 IINSTITUTE FOR SYSTEMSR RESEARCH ISR develops, applies and teaches advanced methodologies of design and analysis to solve complex, hierarchical, heterogeneous and dynamic problems of engineering technology and systems for industry and government. ISR is a permanent institute of the University of Maryland, within the Glenn L. Martin Institute of Technol- ogy/A. James Clark School of Engineering. It is a National Science Foundation Engineering Research Center. Web site http://www.isr.umd.edu Attack Evolution 1 Attack Evolution: Identifying Attack Evolution Characteristics To Predict Future Attacks MaryTheresa Monahan-Pendergast Dr. Michel Cukier Dr. Linda C. Schmidt Dr. Paige Smith Institute of Systems Research University of Maryland Attack Evolution 2 ABSTRACT Several approaches can be considered to predict the evolution of computer security attacks, such as statistical approaches and “Red Teams.” This research proposes a third and completely novel approach for predicting the evolution of an attack threat. Our goal is to move from the destructive nature and malicious intent associated with an attack to the root of what an attack creation is: having successfully solved a complex problem. By approaching attacks from the perspective of the creator, we will chart the way in which attacks are developed over time and attempt to extract evolutionary patterns. These patterns will eventually -
Datalog Disassembly
Datalog Disassembly Antonio Flores-Montoya Eric Schulte GrammaTech, Inc. GrammaTech, Inc. [email protected] [email protected] Abstract Instruction boundaries Recovering where instructions start and end can be challenging especially in architectures Disassembly is fundamental to binary analysis and rewrit- such as x64 that have variable length instructions, dense ing. We present a novel disassembly technique that takes a instruction sets1, and sometimes interleave code and data. stripped binary and produces reassembleable assembly code. This problem is also referred as content classification. The resulting assembly code has accurate symbolic informa- Symbolization information In binaries, there is no distinc- tion, providing cross-references for analysis and to enable ad- tion between a number that represents a literal and a justment of code and data pointers to accommodate rewriting. reference that points to a location in the code or data. If Our technique features multiple static analyses and heuris- we modify a binary—e.g., by moving a block of code— tics in a combined Datalog implementation. We argue that all references pointing to that block, and to all of the Datalog’s inference process is particularly well suited for dis- subsequently shifted blocks, have to be updated. On the assembly and the required analyses. Our implementation and other hand, literals, even if they coincide with the address experiments support this claim. We have implemented our ap- of a block, have to remain unchanged. This problem is proach into an open-source tool called Ddisasm. In extensive also referred to as Literal Reference Disambiguation. experiments in which we rewrite thousands of x64 binaries We have developed a disassembler that infers precise infor- we find Ddisasm is both faster and more accurate than the mation for both questions and thus generates reassembleable current state-of-the-art binary reassembling tool, Ramblr. -
Miscellaneous: Malware Cont'd & Start on Bitcoin
Miscellaneous: Malware cont’d & start on Bitcoin CS 161: Computer Security Prof. Raluca Ada Popa April 19, 2018 Credit: some slides are adapted from previous offerings of this course Viruses vs. Worms VIRUS WORM Propagates By infecting Propagates automatically other programs By copying itself to target systems Usually inserted into A standalone program host code (not a standalone program) Another type of virus: Rootkits Rootkit is a ”stealthy” program designed to give access to a machine to an attacker while actively hiding its presence Q: How can it hide itself? n Create a hidden directory w /dev/.liB, /usr/src/.poop and similar w Often use invisiBle characters in directory name n Install hacked Binaries for system programs such as netstat, ps, ls, du, login Q: Why does it Become hard to detect attacker’s process? A: Can’t detect attacker’s processes, files or network connections By running standard UNIX commands! slide 3 Sony BMG copy protection rootkit scandal (2005) • Sony BMG puBlished CDs that apparently had copy protection (for DRM). • They essentially installed a rootkit which limited user’s access to the CD. • It hid processes that started with $sys$ so a user cannot disaBle them. A software engineer discovered the rootkit, it turned into a Big scandal Because it made computers more vulneraBle to malware Q: Why? A: Malware would choose names starting with $sys$ so it is hidden from antivirus programs Sony BMG pushed a patch … But that one introduced yet another vulneraBility So they recalled the CDs in the end Detecting Rootkit’s -
NMOS 6510 Unintended Opcodes No More Secrets (V0.95 - 24/12/20)
NMOS 6510 Unintended Opcodes no more secrets (v0.95 - 24/12/20) (w) 2013-2020 groepaz/solution, all rights reversed Contents Preface...................................................................................................................................................I Scope of this Document....................................................................................................................I Intended Audience............................................................................................................................I License..............................................................................................................................................I What you get...................................................................................................................................II Naming Conventions.....................................................................................................................III Address-Mode Abbreviations...................................................................................................III Mnemonics................................................................................................................................III Processor Flags.........................................................................................................................IV Opcode Matrix......................................................................................................................................1 Unintended -
The Blaster Worm: Then and Now
Worms The Blaster Worm: Then and Now The Blaster worm of 2003 infected at least 100,000 Microsoft Windows systems and cost millions in damage. In spite of cleanup efforts, an antiworm, and a removal tool from Microsoft, the worm persists. Observing the worm’s activity can provide insight into the evolution of Internet worms. MICHAEL n Wednesday, 16 July 2003, Microsoft and continued to BAILEY, EVAN Security Bulletin MS03-026 (www. infect new hosts COOKE, microsoft.com/security/incident/blast.mspx) more than a year later. By using a wide area network- FARNAM O announced a buffer overrun in the Windows monitoring technique that observes worm infection at- JAHANIAN, AND Remote Procedure Call (RPC) interface that could let tempts, we collected observations of the Blaster worm DAVID WATSON attackers execute arbitrary code. The flaw, which the during its onset in August 2003 and again in August 2004. University of Last Stage of Delirium (LSD) security group initially This let us study worm evolution and provides an excel- Michigan uncovered (http://lsd-pl.net/special.html), affected lent illustration of a worm’s four-phase life cycle, lending many Windows operating system versions, including insight into its latency, growth, decay, and persistence. JOSE NAZARIO NT 4.0, 2000, and XP. Arbor When the vulnerability was disclosed, no known How the Blaster worm attacks Networks public exploit existed, and Microsoft made a patch avail- The initial Blaster variant’s decompiled source code re- able through their Web site. The CERT Coordination veals its unique behavior (http://robertgraham.com/ Center and other security organizations issued advisories journal/030815-blaster.c). -
Grammatech Codesonar Product Datasheet
GRAMMATECH CODESONAR PRODUCT DATASHEET Static Code Analysis and Static Application Security Testing Software Assurance Services Delivered by a senior software CodeSonar empowers teams to quickly analyze and validate the code – source and/or binary – engineer, the software assurance identifying serious defects or bugs that cause cyber vulnerabilities, system failures, poor services focus on automating reliability, or unsafe conditions. reporting on your software quality, creating an improvement plan and GrammaTech’s Software Assurance Services provide the benets of CodeSonar to your team in measuring your progress against that an accelerated timeline and ensures that you make the best use of SCA and SAST. plan. This provides your teams with reliable, fast, actionable data. GrammaTech will manage the static Enjoy the Benets of the Deepest Static Analysis analysis engine on your premises for you, such that your resources can Employ Sophisticated Algorithms Comply with Coding Standards focus on developing software. The following activities are covered: CodeSonar performs a unied dataow and CodeSonar supports compliance with standards symbolic execution analysis that examines the like MISRA C:2012, IS0-26262, DO-178B, Integration in your release process computation of the entire program. The US-CERT’s Build Security In, and MITRE’S CWE. Integration in check-in process approach does not rely on pattern matching or similar approximations. CodeSonar’s deeper Automatic assignment of defects analysis naturally nds defects with new or Reduction of parse errors unusual patterns. Review of warnings Analyze Millions of Lines of Code Optimization of conguration CodeSonar can perform a whole-program Improvement plan and tracking analysis on 10M+ lines of code. -
Detecting Botnets Using File System Indicators
Detecting botnets using file system indicators Master's thesis University of Twente Author: Committee members: Peter Wagenaar Prof. Dr. Pieter H. Hartel Dr. Damiano Bolzoni Frank Bernaards LLM (NHTCU) December 12, 2012 Abstract Botnets, large groups of networked zombie computers under centralised control, are recognised as one of the major threats on the internet. There is a lot of research towards ways of detecting botnets, in particular towards detecting Command and Control servers. Most of the research is focused on trying to detect the commands that these servers send to the bots over the network. For this research, we have looked at botnets from a botmaster's perspective. First, we characterise several botnet enhancing techniques using three aspects: resilience, stealth and churn. We see that these enhancements are usually employed in the network communications between the C&C and the bots. This leads us to our second contribution: we propose a new botnet detection method based on the way C&C's are present on the file system. We define a set of file system based indicators and use them to search for C&C's in images of hard disks. We investigate how the aspects resilience, stealth and churn apply to each of the indicators and discuss countermeasures botmasters could take to evade detection. We validate our method by applying it to a test dataset of 94 disk images, 16 of which contain C&C installations, and show that low false positive and false negative ratio's can be achieved. Approaching the botnet detection problem from this angle is novel, which provides a basis for further research. -
Product Datasheet Cyber Hardening
PRODUCT CYBER HARDENING SERVICES DATASHEET Secure Your Systems in Today’s Connected World The cyber world is evolving rapidly. New threats are discovered every day and your existing systems are likely vulnerable against them. Fixing these threats is expensive in time and money as it involves going back and making changes to the software, re-testing and then re-delivering. This is not an option as the lead-time is too great, the original source code or build environment is not available, or because of a myriad of other reasons. Cyber Grand Challenge GrammaTech Cyber Hardening Services change the game and allow you to x GrammaTech’s Cyber Hardening cyber security vulnerabilities directly in the binary executable for your systems Services were demonstrated in the without having to go back to source code. DARPA Cyber Grand Challenge, a machine against machine hacking GrammaTech’s Cyber Hardening has been proven to protect from both common competition. GrammaTech took programming errors as well as control ow hijacking attacks. away the second price in this competition and had the highest Hardened defensive score. Application Application Binary Cyber Hardening Real-World Example: Binary Analysis Transformation Do you have a deployed system with OpenSSL version 1.0.1 prior to 1.0.1g? If so, your system is likely • Error amplication • Vulnerability discovery vulnerable to the Heartbleed bug • Generic hardening (CVE-2014-0160). GrammaTech’s • Exploitability • Point patching Cyber Hardening Services can secure your system against Heartbleed without making any changes to your software’s source code. Overview There is no one-size-ts-all approach to security. -
CURRICULUM VITAE THOMAS REPS July 2021 J. Barkley Rosser Professor & Rajiv and Ritu Batra Chair
CURRICULUM VITAE THOMAS REPS September 2021 J. BarkleyRosser Professor & Rajivand Ritu Batra Chair (608) 262-2091 (Office) Computer Sciences Department (608) 262-1204 (Secretary) University of Wisconsin [email protected] 1210 West Dayton Street http://pages.cs.wisc.edu/~reps/ Madison, Wisconsin 53706 Birth: May 28, 1956 (Ithaca, NY USA) Citizenship: United States EDUCATION 1982 Ph.D., Cornell University Computer Science 1982 M.S., Cornell University Computer Science 1977 B.A., cum laude,Harvard University Applied Mathematics POSITIONS 2007−08 Guest Professor,University of Paris 7, Paris, France 2000−01 Visiting Researcher,Consiglio Nazionale delle Ricerche (CNR), Pisa, Italy 1993−94 Guest Professor,Datalogisk Institut, University of Copenhagen, Copenhagen, Denmark 1990−93 Associate Chairman, Computer Sciences Department, University of Wisconsin 1988−2019 Co-founder and President, GrammaTech, Inc. 1985− Professor,Comp. Sci. Dept., Univ. ofWisconsin, (Asst.: 85−88; Assoc.: 88−94; Full: 94−) 1984−85 Research Associate, Department of Computer Science, Cornell University 1982−83 Visiting Researcher,INRIA, Rocquencourt, France 1982−84 Post-Doctoral Associate, Department of Computer Science, Cornell University AW ARDS AND HONORS 2017 ACM SIGPLAN Programming Languages Achievement Award 2015 WARF Named Professorship, University of Wisconsin 2014 #4 (field rating) and #7 (citations) on Microsoft Academic Search’slist of most-highly-cited authors in Programming Languages (as of 8/27/2014) 2014 #13 (field rating) and #19 (citations) on Microsoft Academic Search’slist of most-highly-cited authors in Software Engineering (as of 8/27/2014) 2013 Foreign member,Academia Europaea 2005 ACM Fellow 2003 Recognized as a “Highly Cited Researcher” in the field of Comp.