SYMANTEC INTELLIGENCE REPORT NOVEMBER 2014


Symantec Corporation, Symantec Intelligence Report :: NOVEMBER 2014

CONTENTS

3   Summary

4   TARGETED ATTACKS + DATA BREACHES
5   Targeted Attacks
5   Attachments Used in Spear-Phishing Emails
5   Spear-Phishing Attacks by Size of Targeted Organization
5   Average Number of Spear-Phishing Attacks Per Day
6   Top-Ten Industries Targeted in Spear-Phishing Attacks
7   Data Breaches
7   Timeline of Data Breaches
8   Total Identities Exposed
8   Top Causes of Data Breaches
8   Total Data Breaches
9   Top-Ten Types of Information Breached

10  MALWARE TACTICS
11  Malware Tactics
11  Top-Ten Malware
11  Top-Ten Mac OSX Malware Blocked on OSX Endpoints
12  Ransomware Over Time
12  Top-Ten Botnets
13  Vulnerabilities
13  Number of Vulnerabilities
13  Zero-Day Vulnerabilities
14  Browser Vulnerabilities
14  Plug-in Vulnerabilities

15  SOCIAL MEDIA + MOBILE THREATS
16  Mobile
16  Mobile Malware Families by Month, Android
17  Mobile Threat Classifications
18  Social Media
18  Social Media

19  PHISHING, SPAM + EMAIL THREATS
20  Phishing and Spam
20  Phishing Rate
20  Global Spam Rate
21  Email Threats
21  Proportion of Email Traffic Containing URL Malware
21  Proportion of Email Traffic in Which Virus Was Detected

22  About Symantec
22  More Information

Summary

Welcome to the November edition of the Symantec Intelligence report. Symantec Intelligence aims to provide the latest analysis of cyber security threats, trends, and insights concerning malware, spam, and other potentially harmful business risks.

Symantec has established the most comprehensive source of Internet threat data in the world through the Symantec™ Global Intelligence Network, which is made up of more than 41.5 million attack sensors and records thousands of events per second. This network monitors threat activity in over 157 countries and territories through a combination of Symantec products and services such as Symantec DeepSight™ Threat Management System, Symantec™ Managed Security Services, Norton™ consumer products, and other third-party data sources.

There was a significant jump in emails containing malicious URLs during the month of November, where 41 percent of email-borne malware contained a link to a malicious or compromised website. The last time we saw this level of activity was back in August of 2013. Since then, URL malware had been present in 3 to 16 percent of malicious emails each month, until this recent surge.

We have reason to believe that the Cutwail botnet is responsible for some of this increase. However, this botnet only makes up 3.7 percent of total botnet activity tracked in November. Kelihos and Gamut appear to be in the number one and two positions, comprising 19.2 and 18.8 percent respectively.

The topics in the campaigns we have seen so far include fake telecom billing notices, as well as fax and voicemail spam, and government-levied fines. The URLs in the first two campaigns appear to be downloaders that will install further malware on a compromised computer, while the third campaign leads to fake captcha sites hosting crypto-ransomware.

Ransomware as a whole continues to decline as the year progresses. However, the amount of crypto-ransomware seen continues to comprise a larger portion of this type of malware. This particularly aggressive form of ransomware made up 38 percent of all ransomware in the month of November.

We hope that you enjoy this month's report and feel free to contact us with any comments or feedback.

Ben Nahorney, Cyber Security Threat Analyst
[email protected]
TARGETED ATTACKS + DATA BREACHES

Targeted Attacks

At a Glance
• The average number of spear-phishing attacks dropped to 43 per day in November, down from 45 in October.
• The .doc file type was the most common attachment type used in spear-phishing attacks. The .exe file type came in second.
• Organizations with 2500+ employees were the most likely to be targeted in November.
• Non-Traditional Services narrowly led the Top-Ten Industries targeted, followed by Manufacturing. The difference between the two industries was 0.07 percentage points.

Average Number of Spear-Phishing Attacks Per Day
Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014
[Chart: average spear-phishing attacks per day for each month from December 2013 through November 2014. Monthly values shown on the chart (month order not recoverable from the extracted text): 165, 141, 88, 84, 84, 54, 54, 54, 53, 45, 43, 20. October is 45 and November is 43.]

Attachments Used in Spear-Phishing Emails
Source: Symantec :: NOVEMBER 2014

Attachment type   November   October
.doc              25.9%      62.5%
.exe              16.4%      14.4%
.au3               8.6%      –
.scr               5.3%       0.1%
.jpg               4.8%       0.2%
.class             2.2%      –
.pdf               1.6%       4.4%
.bin               1.6%      –
.txt               1.3%      11.2%
.dmp               1.0%       0.1%

Spear-Phishing Attacks by Size of Targeted Organization
Source: Symantec :: NOVEMBER 2014

Organization size   November   October
1-250               34.4%      27.1%
251-500              8.4%       6.6%
501-1000             8.8%       8.9%
1001-1500            3.2%       2.9%
1501-2500            4.5%      11.2%
2500+               40.7%      43.3%

Top-Ten Industries Targeted in Spear-Phishing Attacks
Source: Symantec :: NOVEMBER 2014

Services - Non Traditional                  20%
Manufacturing                               20%
Finance, Insurance & Real Estate            17%
Services - Professional                     11%
Wholesale                                   10%
Transportation, Communications, Electric     7%
Public Administration                        5%
Retail                                       3%
Mining                                       1%
Construction                                 1%
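The attachment table above is the observation; the check a mail gateway would make on it is the point a practitioner wants. The following is an added example, not code from Symantec's report: it turns the listed attachment types into a triage policy and, because the file name is attacker-controlled, decides on file content (magic bytes) as well as on the extension, so an executable renamed to .pdf or .jpg, or hidden behind a double extension, is still caught. The policy sets, the signature table and the sample attachments are constructed here for illustration.

```python
"""Gateway attachment triage.  Added example, not from Symantec's report: the
attachment types listed above become a policy check, and content (magic
bytes) is checked as well as the extension because the name is
attacker-controlled.  Policy sets and sample attachments are constructed."""

# Assumed policy: extensions that execute on a Windows desktop.  The report's
# November list includes .exe, .scr, .au3 (AutoIt), .class and .bin.
EXECUTABLE_EXTS = {".exe", ".scr", ".au3", ".class", ".bin", ".dll", ".com", ".pif", ".js", ".vbs"}
# Document formats that can carry macros or exploits: held for inspection rather than dropped.
DOCUMENT_EXTS = {".doc", ".xls", ".ppt", ".rtf", ".pdf"}

# Well-known file signatures, checked at offset 0.
MAGIC = {
    b"MZ": "pe",                   # Windows PE / DOS executable
    b"\xca\xfe\xba\xbe": "class",  # Java class file
    b"%PDF": "pdf",
    b"\xd0\xcf\x11\xe0": "ole",    # OLE2 compound file: legacy .doc/.xls/.ppt
    b"\xff\xd8\xff": "jpeg",
}

def sniff(data: bytes) -> str:
    """Identify content by magic bytes; 'unknown' when no signature matches."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def suffixes(name: str) -> list:
    """All extensions of a file name: 'invoice.pdf.exe' -> ['.pdf', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]]

def triage(name: str, data: bytes) -> str:
    """Return 'block', 'quarantine' or 'allow' for one attachment."""
    exts = suffixes(name)
    last = exts[-1] if exts else ""
    kind = sniff(data)
    # 1. Executable content is blocked regardless of what the name claims.
    if kind in ("pe", "class"):
        return "block"
    # 2. Any executable extension, including one hidden in a double extension
    #    such as report.doc.scr or setup.exe.txt, is blocked.
    if any(e in EXECUTABLE_EXTS for e in exts):
        return "block"
    # 3. Content that does not match a benign-looking extension is held:
    #    a .pdf that is not a PDF, a .jpg that is not a JPEG.
    expected = {".pdf": "pdf", ".jpg": "jpeg", ".jpeg": "jpeg"}.get(last)
    if expected and kind != expected:
        return "quarantine"
    # 4. Document formats go to a sandbox/macro scan before delivery.
    if last in DOCUMENT_EXTS:
        return "quarantine"
    return "allow"

# Constructed sample attachments (name, first bytes) for a quick run.
SAMPLES = [
    ("Invoice_2014-11.pdf.exe", b"MZ\x90\x00"),
    ("scan.pdf", b"MZ\x90\x00"),
    ("photo.jpg", b"GIF89a"),
    ("Q3_report.doc", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
    ("readme.txt", b"Please see attached."),
]

def triage_all(samples=SAMPLES) -> dict:
    """Map each sample name to its verdict."""
    return {name: triage(name, data) for name, data in samples}

if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{verdict:10s} {name}")
```

The order of the checks matters: content is tested before the name, so a renamed PE is blocked even when the extension looks harmless, and the double-extension test walks every suffix rather than only the last one. A real gateway would add archive unpacking (an .exe inside a .zip) and a macro scan for the quarantined documents; neither is shown here.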
Data Breaches

At a Glance
• The two largest data breaches reported to have occurred in November resulted in the exposure of 3.6 million and 2.7 million identities each.
• Hackers have been responsible for 57 percent of data breaches in the last 12 months.
• Real names, government ID numbers, such as Social Security numbers, and home addresses were the top three types of data exposed in data breaches.

Timeline of Data Breaches
Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014
[Chart: number of incidents per month (left axis) and identities exposed in millions (right axis), December 2013 through November 2014. Monthly incident counts shown on the chart (month order not recoverable from the extracted text): 30, 27, 27, 25, 24, 22, 21, 20, 19, 16, 15, 12, totalling 258. Monthly identities exposed, in millions: 147, 130, 78, 59, 31.5, 10, 8.1, 6.4, 2.6, 1.7, 1, 1, totalling about 476.]

Total Data Breaches, DECEMBER 2013 — NOVEMBER 2014: 258
Total Identities Exposed, DECEMBER 2013 — NOVEMBER 2014: 476 Million

Top Causes of Data Breaches
Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014

Cause                                 Percent   Number of incidents
Hackers                               57%       147
Accidentally Made Public              18%        46
Theft or Loss of Computer or Drive    18%        46
Insider Theft                          7%        19
TOTAL                                           258

Top-Ten Types of Information Breached
Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014

01 Real Names                  67%
02 Gov ID numbers (Soc Sec)    43%
03 Home Address                42%
04 Birth Dates                 38%
05 Financial Information       35%
06 Medical Records             28%
07 Email Addresses             21%
08 Phone Numbers               19%
09 Usernames & Passwords       16%
10 Insurance                    9%

Methodology
This data is procured from the Norton Cybercrime Index (CCI). The Norton CCI is a statistical model that measures the levels of threats, including malicious software, fraud, identity theft, spam, phishing, and social engineering daily.
The data breach section of the Norton CCI is derived from data breaches that have been reported by legitimate media sources and have exposed personal information. In some cases a data breach is not publicly reported during the same month the incident occurred, or an adjustment is made in the number of identities reportedly exposed. In these cases, the data in the Norton CCI is updated. This causes fluctuations in the numbers reported for previous months when a new report is released.

MALWARE TACTICS

Malware Tactics

At a Glance
• W32.Ramnit variants continue to dominate the top-ten malware list.
• The most common OSX threat seen on OSX was OSX.Flashback.K, making up 15.7 percent of all OSX malware found on OSX endpoints.
• Overall ransomware activity has remained low since March of this year. However, crypto-style ransomware continues to make up a larger percentage of ransomware, comprising 38 percent in November.
• Kelihos and Gamut are the two most commonly encountered botnets, making up 19.2 and 18.8 percent of botnet traffic respectively.

Top-Ten Malware
Source: Symantec :: NOVEMBER 2014

Rank  Name                    November   October
1     W32.Sality.AE           4.8%       4.1%
2     W32.Almanahe.B!inf      4.5%       3.7%
3     W32.Ramnit!html         4.4%       4.0%
4     W32.Ramnit.B            2.7%       2.7%
5     W32.Downadup.B          3.0%       2.5%
6     W32.Ramnit.B!inf        2.3%       2.1%
7     W32.SillyFDC.BDP!lnk    1.6%       1.4%
8     W32.Virut.CF            1.5%       1.3%
9     Trojan.Zbot             1.5%       1.3%
10    Trojan.Swifi            1.4%       –

Top-Ten Mac OSX Malware Blocked on OSX Endpoints
Source: Symantec :: NOVEMBER 2014

Rank  Malware name       November   October
1     OSX.Flashback.K    15.7%       5.4%
2     OSX.Okaz           13.4%      28.8%
3     OSX.Keylogger      11.8%       9.3%
4     OSX.RSPlug.A       11.0%      14.0%
5     OSX.Klog.A          8.4%       5.2%
6     OSX.Stealbit.B      7.6%       4.7%
7     OSX.Crisis          3.7%       4.8%
8     OSX.Netweird        3.7%       3.7%
9     OSX.Flashback       3.3%       4.0%
10    OSX.Imuler          2.5%       –
Ransomware Over Time
Source: Symantec :: DECEMBER 2013 — NOVEMBER 2014
[Chart: ransomware detections per month in thousands, December 2013 through November 2014. Monthly values shown on the chart (month order not recoverable from the extracted text): 660, 465, 425, 342, 230, 183, 156, 149, 143, 95, 80, 77.]

Top-Ten Botnets
Source: Symantec :: NOVEMBER 2014

Rank  Botnet name   Percent
1     Kelihos       19.2%
2     Gamut         18.8%
3     Snowshoe       8.0%
4     Cutwail        3.7%
5     Darkmailer     1.0%
6     Asprox         0.7%
7     Grum           0.03%
8     Festi          0.0165%
9     Esxvaql        0.0162%
10    Darkmailer2    0.0151%
Recommended publications
  • BOTection: Bot Detection by Building Markov Chain Models of Bots Network Behavior
    BOTection: Bot Detection by Building Markov Chain Models of Bots Network Behavior. Bushra A. Alahmadi (University of Oxford, UK), Enrico Mariconti (University College London, UK), Riccardo Spolaor (University of Oxford, UK), Gianluca Stringhini (Boston University, USA), Ivan Martinovic (University of Oxford, UK).

    ABSTRACT: Botnets continue to be a threat to organizations, thus various machine learning-based botnet detectors have been proposed. However, the capability of such systems in detecting new or unseen botnets is crucial to ensure its robustness against the rapid evolution of botnets. Moreover, it prolongs the effectiveness of the system in detecting bots, avoiding frequent and time-consuming classifier re-training. We present BOTection, a privacy-preserving bot detection system that models the bot network flow behavior as a Markov Chain. The Markov Chain's state transitions capture the bots' network behavior using high-level flow features as states,

    INTRODUCTION (excerpt): through DDoS (e.g. DDoS on Estonia [22]), email spam (e.g. Geodo), ClickFraud (e.g. ClickBot), and spreading malware (e.g. Zeus). 10,263 malware botnet controllers (C&C) were blocked by Spamhaus Malware Labs in 2018 alone, an 8% increase from the number of botnet C&Cs seen in 2017. Cybercriminals are actively monetizing botnets to launch attacks, which are evolving significantly and require more effective detection mechanisms capable of detecting those which are new or unseen. Botnets rely heavily on network communications to infect new victims (propagation), to communicate with the C&C server, or to perform their operational task (e.g.
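The abstract above says only that bot flow behaviour is modelled as a Markov chain over high-level flow features. What that looks like in code, as an added example that is not the paper's implementation: each flow is reduced to a coarse state (protocol, destination-port class, size bucket), consecutive flows of one host are state transitions, a transition model is learned from known bot traffic and another from benign traffic, and a new host's sequence goes to whichever model gives it the higher log-likelihood. The state encoding, the port classes and the training and test flows are constructed here; BOTection's actual feature set and classifier are not on the page.

```python
"""Markov-chain model of a host's flow behaviour, in the spirit of the
BOTection idea summarised above.  Added example, not the paper's code; the
state encoding and all flow data are constructed."""
import math
from collections import defaultdict

# Assumed port classes; anything else becomes "other".
PORT_CLASS = {53: "dns", 25: "smtp", 80: "http", 443: "tls", 6667: "irc"}

def flow_state(proto: str, dport: int, nbytes: int) -> str:
    """Assumed encoding: protocol, destination-port class and a size bucket."""
    size = "small" if nbytes < 1000 else "large"
    return f"{proto}:{PORT_CLASS.get(dport, 'other')}:{size}"

class MarkovModel:
    """First-order transition counts between flow states, with add-one smoothing."""

    def __init__(self):
        self.counts = defaultdict(lambda: defaultdict(int))
        self.states = set()

    def fit(self, sequences):
        for seq in sequences:
            for a, b in zip(seq, seq[1:]):
                self.counts[a][b] += 1
                self.states.update((a, b))
        return self

    def prob(self, a: str, b: str) -> float:
        """P(b | a); unseen transitions get a small nonzero probability."""
        row = self.counts.get(a, {})
        total = sum(row.values())
        return (row.get(b, 0) + 1) / (total + len(self.states) + 1)

    def log_likelihood(self, seq) -> float:
        return sum(math.log(self.prob(a, b)) for a, b in zip(seq, seq[1:]))

def classify(bot: "MarkovModel", benign: "MarkovModel", seq) -> str:
    """Label a host's flow sequence by the better-fitting model."""
    return "bot" if bot.log_likelihood(seq) > benign.log_likelihood(seq) else "benign"

# Constructed training traffic: a bot resolving its C&C and beaconing over IRC
# with small flows, versus a user browsing over TLS with large downloads.
BOT_TRAINING = [[flow_state(*f) for f in [
    ("udp", 53, 80), ("tcp", 6667, 200), ("tcp", 6667, 180),
    ("udp", 53, 90), ("tcp", 6667, 210), ("tcp", 80, 400)]]] * 3
BENIGN_TRAINING = [[flow_state(*f) for f in [
    ("udp", 53, 90), ("tcp", 443, 5000), ("tcp", 443, 12000),
    ("tcp", 80, 3000), ("udp", 53, 80), ("tcp", 443, 8000)]]] * 3

def train_models():
    """Fit one model per class and return (bot_model, benign_model)."""
    return MarkovModel().fit(BOT_TRAINING), MarkovModel().fit(BENIGN_TRAINING)

if __name__ == "__main__":
    bot, benign = train_models()
    unseen = [flow_state("udp", 53, 70), flow_state("tcp", 6667, 190),
              flow_state("tcp", 6667, 160), flow_state("udp", 53, 85)]
    print(classify(bot, benign, unseen))
```

The smoothing is what lets the model score a sequence containing a transition it never saw in training, which is the "new or unseen botnet" case the abstract is concerned with: an unseen transition lowers the likelihood but does not zero it, so the comparison between the two models still works.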
  • 2015 Threat Report Provides a Comprehensive Overview of the Cyber Threat Landscape Facing Both Companies and Individuals
    THREAT REPORT 2015, AT A GLANCE

    2015 HIGHLIGHTS: A few of the major events in 2015 concerning security issues (categorised as enforcement, attacks, vulnerability, or security product).
    02/15: Europol joint op takes down Ramnit botnet
    07/15: Hacking Team breached, data released online
    07/15: Bugs prompt Ford, Range Rover, Prius, Chrysler recalls
    07/15: Android Stagefright flaw reported
    07/15: FBI Darkode bazaar shutdown
    08/15: Google patches Android Stagefright flaw
    08/15: Amazon, Chrome drop Flash ads
    09/15: XcodeGhost tainted apps prompts App Store cleanup

    TOP MALWARE FAMILIES: Njw0rm was the most prominent new malware family in 2015. Families listed: Njw0rm, Angler, Gamarue, Dorkbot, Nuclear, Kilim, Ippedo, Dridex, WormLink.

    MEET THE DUKES: The Dukes are a well-resourced, highly dedicated and organized cyberespionage group believed to be working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making.

    BREACHING THE WALLED GARDEN: In late 2015, the Apple App Store saw a string of incidents where developers had used compromised tools to unwittingly create apps with malicious behavior. The apps were able to bypass Apple's review procedures to gain entry into the store, and from there into an ordinary user's iOS device.

    THE CHAIN OF COMPROMISE: The Chain of Compromise is a user-centric model that illustrates how cyber attacks combine different techniques and resources to compromise devices and networks. It is defined by 4 main phases: Inception, Intrusion, Infection, and Invasion. Inception: Redirectors wreak havoc on US, Europe (p.28). Intrusion: Angler EK dominates Flash (p.29). Infection: The rise of crypto-ransomware (p.31).

    THREATS BY REGION: Europe was particularly affected by the Angler exploit kit.
  • Power-Law Properties in Indonesia Internet Traffic. Why Do We Care About It
    by Bisyron Wahyudi and Muhammad Salahuddien

    The amount of malicious traffic circulating on the Internet is increasing significantly. Increasing complexity and rapid change in host and network technology suggest that there will be new vulnerabilities. Attackers have an interest in identifying networks and hosts to expose vulnerabilities: network scans, worms, Trojans, botnets. Complicated attack methods make it difficult to identify the real attacks: it is not as simple as filtering out the traffic from some sources. Security is implemented like an "add-on" module for the Internet. Understanding the behavior of malicious sources and targeted ports is important to minimize the damage by building strong, specific security rules and countermeasures, to help the cyber security policy-making process, and to raise public awareness.

    Questions:
    . Do malicious sources generate the attacks uniformly?
    . Is there any specific pattern, i.e. a recurrent event?
    . Is there any correlation between the number of some attacks over a specific time?

    Many systems and phenomena (events) are distributed according to a "power law". When one quantity (say y) depends on another (say x) raised to some power, we say that y is described by a power law. A power law applies to a system when large is rare and small is common.

    Data: collection of system logs from a Networked Intrusion Detection System (NIDS). The NIDS contains 11 sensors installed in different core networks in an Indonesian ISP (NAP). Period: January 2012 to September 2012. Available fields: Event Message, Timestamp, Dest. IP, Source IP, Attack Classification, Priority, Protocol, Dest. Port/ICMP code, Source Port/ICMP type, Sensor ID.

    Two quantities x and y are related by a power law if y is proportional to x^(-c) for a constant c:

        y ∝ x^(-c)

    If x and y are related by a power law, then the graph of log(y) versus log(x) is a straight line:

        log(y) = -c · log(x) + const

    The slope of the log-log plot is the power exponent c.

    Destination Port Distribution
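The log-log relation above is the whole method: fit a straight line through (log x, log y) and read c off the slope. Carried through in code, as an added example that is not the authors' own: destination ports are ranked by hit count, the line is fitted by ordinary least squares, and R² is returned alongside the exponent so the analyst can see whether a power law actually describes the data before quoting c. The per-port hit counts are constructed to follow an exact power law with c = 1.5, so the fit can be checked against a known answer; the IDS fields and port numbers are illustrative, not the slide deck's data.

```python
"""Power-law exponent from a log-log least-squares fit, as described in the
slides.  Added example, not the authors' code; the port hit counts are
constructed to follow y = 5000 * rank^-1.5 exactly."""
import math

def rank_frequency(hits_per_port: dict):
    """Turn {port: hits} into (ranks, hits) with rank 1 = most-hit port.
    Ports with zero hits are dropped, since log(0) is undefined."""
    freqs = sorted((h for h in hits_per_port.values() if h > 0), reverse=True)
    return list(range(1, len(freqs) + 1)), freqs

def fit_power_law(xs, ys):
    """Least-squares fit of log y = -c*log x + const; returns (c, const, r_squared)."""
    if len(xs) < 2:
        raise ValueError("need at least two points to fit a line")
    lx = [math.log(x) for x in xs]
    ly = [math.log(y) for y in ys]
    n = len(lx)
    mx, my = sum(lx) / n, sum(ly) / n
    sxx = sum((a - mx) ** 2 for a in lx)
    sxy = sum((a - mx) * (b - my) for a, b in zip(lx, ly))
    syy = sum((b - my) ** 2 for b in ly)
    slope = sxy / sxx
    const = my - slope * mx
    # Coefficient of determination of the log-log line: near 1 means the
    # straight-line (power-law) description fits, well below 1 means it does not.
    r_squared = (sxy * sxy) / (sxx * syy) if syy else 1.0
    return -slope, const, r_squared

# Constructed sample: hits per destination port generated from 5000 * rank^-1.5.
SAMPLE_PORT_HITS = {
    port: 5000 * rank ** -1.5
    for rank, port in enumerate([445, 1433, 3389, 22, 23, 80, 135, 139, 8080, 25], start=1)
}

def analyse(hits_per_port=SAMPLE_PORT_HITS):
    """Rank the ports and return the fitted (c, const, r_squared)."""
    xs, ys = rank_frequency(hits_per_port)
    return fit_power_law(xs, ys)

if __name__ == "__main__":
    c, const, r2 = analyse()
    print(f"c = {c:.3f}, scale = {math.exp(const):.1f}, R^2 = {r2:.4f}")
```

On real IDS counts the fit is usually done on the tail only (the few hundred most-hit ports), because the slide's "large is rare, small is common" shape rarely holds for the long run of ports hit once; R² makes that judgement visible rather than hiding it behind a single exponent.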
  • The Botnet Chronicles a Journey to Infamy
    The Botnet Chronicles: A Journey to Infamy. Trend Micro, Incorporated. Rik Ferguson, Senior Security Advisor. A Trend Micro White Paper, November 2010.

    CONTENTS
    A Prelude to Evolution (p. 4)
    The Botnet Saga Begins (p. 5)
    The Birth of Organized Crime (p. 7)
    The Security War Rages On (p. 8)
    Lost in the White Noise (p. 10)
    Where Do We Go from Here? (p. 11)
    References (p. 12)

    The botnet time line below shows a rundown of the botnets discussed in this white paper. Clicking each botnet's name in blue will bring you to the page where it is described in more detail. To go back to the time line below from each page, click the ~ at the end of the section.
  • An Introduction to Malware
    Downloaded from orbit.dtu.dk on: Sep 24, 2021. An Introduction to Malware. Sharp, Robin. Publication date: 2017. Document Version: Publisher's PDF, also known as Version of record. Citation (APA): Sharp, R. (2017). An Introduction to Malware.

    An Introduction to Malware. Robin Sharp, DTU Compute, Spring 2017.

    Abstract: These notes, written for use in DTU course 02233 on Network Security, give a short introduction to the topic of malware. The most important types of malware are described, together with their basic principles of operation and dissemination, and defenses against malware are discussed.

    Contents: 1 Some Definitions (p. 2); 2 Classification of Malware (p. 2); 3 Vira (p. 3); 4 Worms
  • nicter Report: Transition Analysis of Cyber Attacks Based on Long-Term Observation
    2-3 nicter Report: Transition Analysis of Cyber Attacks Based on Long-term Observation. NAKAZATO Junji and OHTAKA Kazuhiro.

    In this report, we provide statistical data concerning cyber attacks and malware based on long-term network monitoring on the nicter. In particular, we show a continuous observation report of Conficker, which has been a pandemic malware since November 2008. In addition, we report a transition analysis of the scale of botnet activities.

    Keywords: Incident analysis, Darknet, Network monitoring, Malware analysis

    1 Introduction
    We have been monitoring the IP address space that is reachable and unused on the Internet (i.e. darknets) on a large scale to understand the overall impact inflicted by infectious activities including malware. This report analyzes the darknet traffic that has been monitored and accumulated over six years by an incident analysis center named the nicter[1][2] to provide changing trends of cyber attacks and fluctuation of attacker host activities as obtained by long-term monitoring. In particular, we focus on Conficker, a worm that has triggered large-scale infections since November 2008, and report its impact on the Internet and its current activities. The analysis leverages the traffic as detected by the four black hole sensors placed on different network environments as shown by Fig. 1.
    ● Sensor I: Structure where live nets and darknets coexist in a class B network
    ● Sensor II: Structure where only darknets exist in a class B network
    ● Sensor III: Structure where a /24 subnet in a class B network is a darknet
    ● Sensor IV: Structure where live nets and darknets coexist in a class B network
    The traffic obtained by these four sensors is analyzed by different analysis engines[3][4]
  • Symantec Intelligence Report: June 2011
    Symantec Intelligence Report: June 2011. Three-quarters of spam sent from botnets in June, and three months on, Rustock botnet remains dormant as Cutwail becomes most active; pharmaceutical spam in decline as new Wiki-pharmacy brand emerges.

    Welcome to the June edition of the Symantec Intelligence report, which for the first time combines the best research and analysis from the Symantec.cloud MessageLabs Intelligence Report and the Symantec State of Spam & Phishing Report. The new integrated report, the Symantec Intelligence Report, provides the latest analysis of cyber security threats, trends and insights from the Symantec Intelligence team concerning malware, spam, and other potentially harmful business risks. The data used to compile the analysis for this combined report includes data from May and June 2011.

    Report highlights
    Spam: 72.9% in June (a decrease of 2.9 percentage points since May 2011): page 11
    Phishing: One in 330.6 emails identified as phishing (a decrease of 0.05 percentage points since May 2011): page 14
    Malware: One in 300.7 emails in June contained malware (a decrease of 0.12 percentage points since May 2011): page 15
    Malicious Web sites: 5,415 Web sites blocked per day (an increase of 70.8% since May 2011): page 17
    35.1% of all malicious domains blocked were new in June (a decrease of 1.7 percentage points since May 2011): page 17
    20.3% of all Web-based malware blocked was new in June (a decrease of 4.3 percentage points since May 2011): page 17
    Review of Spam-sending botnets in June 2011: page 3
    Clicking to Watch Videos Leads to Pharmacy Spam: page 6
    Wiki for Everything, Even for Spam: page 7
    Phishers Return for Tax Returns: page 8
    Fake Donations Continue to Haunt Japan: page 9
    Spam Subject Line Analysis: page 12
    Best Practices for Enterprises and Users: page 19

    Introduction from the editor
    Since the shutdown of the Rustock botnet in March, spam volumes have never quite recovered as the volume of spam in global circulation each day continues to fluctuate, as shown in figure 1, below.
  • The Trojan Wars: Building the Big Picture to Combat Efraud
    THE TROJAN WARS: BUILDING THE BIG PICTURE TO COMBAT EFRAUD. mnemonic Threat Intelligence Unit, White Paper.

    TABLE OF CONTENTS
    Introduction (p. 3)
    The Initial Torpig Campaign (p. 4): Infection Cycles (p. 5); Ice IX – Downloading Torpig and Pushdo (p. 6); Torpig Campaign C&C infrastructure (p. 9); Ice IX Takedown Avoidance Technique (p. 10)
    The Follow-on P2P Zeus Campaign (p. 11): Infection Cycles (p. 12); Neurevt – Downloading P2P Zeus (p. 13)
    The Way Forward: Conclusions and Recommendations (p. 14)
    About mnemonic (p. 15)
    References (p. 16)

    INTRODUCTION
    Trojans are a very sophisticated type of malware and their use by cybercriminals to perform widespread eFraud is now well established. They are rarely operated in a standalone mode and the infrastructure used to spread and maintain Trojans is
  • An Integrated Network-Based Mobile Botnet Detection System
    City Research Online, City, University of London Institutional Repository. Citation: Meng, X. (2018). An integrated network-based mobile botnet detection system. (Unpublished Doctoral thesis, City, University of London). This is the accepted version of the paper. This version of the publication may differ from the final published version. Permanent repository link: https://openaccess.city.ac.uk/id/eprint/19840/

    AN INTEGRATED NETWORK-BASED MOBILE BOTNET DETECTION SYSTEM. Xin Meng, Department of Computer Science, City, University of London. This dissertation is submitted for the degree of Doctor of Philosophy, City University London, June 2017.

    Declaration: I hereby declare that except where specific reference is made to the work of others, the contents of this dissertation are original and have not been submitted in whole or in part for consideration for any other degree or qualification in this, or any other University. This dissertation is the result of my own work and includes nothing which is the outcome of work done in collaboration, except where specifically indicated in the text.
  • An Adaptive Multi-Layer Botnet Detection Technique Using Machine Learning Classifiers
    Applied Sciences, Article. An Adaptive Multi-Layer Botnet Detection Technique Using Machine Learning Classifiers. Riaz Ullah Khan 1,*, Xiaosong Zhang 1, Rajesh Kumar 1, Abubakar Sharif 1, Noorbakhsh Amiri Golilarz 1 and Mamoun Alazab 2. 1 Center of Cyber Security, School of Computer Science & Engineering, University of Electronic Science and Technology of China, Chengdu 611731, China. 2 College of Engineering, IT and Environment, Charles Darwin University, Casuarina 0810, Australia. * Correspondence: [email protected]. Received: 19 March 2019; Accepted: 24 April 2019; Published: 11 June 2019.

    Abstract: In recent years, botnets have been among the most common threats to network security, since they exploit multiple kinds of malicious code such as worms, Trojans, rootkits, etc. Botnets have been used to carry phishing links, to perform attacks and to provide malicious services on the internet. It is challenging to identify peer-to-peer (P2P) botnets as compared to Internet Relay Chat (IRC), Hypertext Transfer Protocol (HTTP) and other types of botnets, because P2P traffic has typical features of both centralization and distribution. To resolve the issues of P2P botnet identification, we propose an effective multi-layer traffic classification method by applying machine learning classifiers on features of network traffic. Our work presents a framework based on decision trees which effectively detects P2P botnets. A decision tree algorithm is applied for feature selection to extract the most relevant features and ignore the irrelevant features.
  • Fortinet Threat Landscape Report Q3 2017
    THREAT LANDSCAPE REPORT Q3 2017

    TABLE OF CONTENTS: Introduction (p. 4); Highlights and Key Findings (p. 5); Sources and Measures (p. 6); Infrastructure Trends (p. 8); Threat Landscape Trends (p. 11); Exploit Trends (p. 12); Malware Trends (p. 17); Botnet Trends (p. 20); Exploratory Analysis (p. 23); Conclusion and Recommendations (p. 25)

    Q3 2017 BY THE NUMBERS
    Exploits: 5,973 unique exploit detections; 153 exploits per firm on average; 79% of firms saw severe attacks; 35% reported Apache.Struts exploits
    Malware: 14,904 unique variants; 2,646 different families; 25% reported mobile malware; 22% detected ransomware
    Botnets: 245 unique botnets detected; 518 daily botnet comms per firm; 1.9 active botnets per firm; 3% of firms saw ≥10 botnets

    INTRODUCTION
    The third quarter of the year should be filled with family vacations and the back-to-school hubbub. Q3 2017 felt like that for a couple of months, but then the security industry went into a hubbub of a very different sort. Credit bureau Equifax reported a massive data breach that exposed the personal information of approximately 145 million consumers. That number in itself isn't unprecedented, but the public and congressional outcry that followed may well be. In a congressional hearing on the matter, one U.S. senator called the incident "staggering," adding "this whole industry should be completely transformed." The impetus, likelihood, and extent of such a transformation is yet unclear, but what is clear is that Equifax fell victim to the same basic problems we point out quarter after quarter in this report. Far from attempting to blame and shame Equifax (or anyone
  • FORECAST – Skimming Off the Malware Cream
    FORECAST – Skimming off the Malware Cream. Matthias Neugschwandtner 1, Paolo Milani Comparetti 1, Gregoire Jacob 2, and Christopher Kruegel 2. 1 Vienna University of Technology, {mneug,pmilani}@seclab.tuwien.ac.at. 2 University of California, Santa Barbara, {gregoire,chris}@cs.ucsb.edu.

    ABSTRACT: To handle the large number of malware samples appearing in the wild each day, security analysts and vendors employ automated tools to detect, classify and analyze malicious code. Because malware is typically resistant to static analysis, automated dynamic analysis is widely used for this purpose. Executing malicious software in a controlled environment while observing its behavior can provide rich information on a malware's capabilities. However, running each malware sample even for a few minutes is expensive. For this reason, malware analysis efforts need to select a subset of samples for analysis. To date, this selection has been performed either randomly or using techniques focused on avoiding re-analysis of polymorphic malware variants [41, 23].

    INTRODUCTION (excerpt): Malware commonly employs various forms of packing and obfuscation to resist static analysis. Therefore, the most widespread approach to the analysis of malware samples is currently based on executing the malicious code in a controlled environment to observe its behavior. Dynamic analysis tools such as CWSandbox [3], Norman Sandbox and Anubis [13, 2] execute a malware sample in an instrumented sandbox and record its interactions with system and network resources. This information can be distilled into a human-readable report that provides an analyst with a high level view of a sample's behavior, but it can also be fed as input to further automatic analysis tasks. Execution logs and network traces provided by dynamic analysis have been used to classify malware