Evasive Windows Malware

Total Page:16

File Type:pdf, Size:1020Kb

Evasive Windows Malware Evasive Windows Malware: Impact on Antiviruses and Possible Countermeasures Cédric Herzog, Valérie Viet Triem Tong, Pierre Wilke, Arnaud van Straaten, Jean-Louis Lanet To cite this version: Cédric Herzog, Valérie Viet Triem Tong, Pierre Wilke, Arnaud van Straaten, Jean-Louis Lanet. Eva- sive Windows Malware: Impact on Antiviruses and Possible Countermeasures. SECRYPT 2020 - 17th International Conference on Security and Cryptography, Jul 2020, Lieusaint - Paris, France. pp.302-309, 10.5220/0009816703020309. hal-02949067 HAL Id: hal-02949067 https://hal.archives-ouvertes.fr/hal-02949067 Submitted on 25 Sep 2020 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Evasive Windows Malware: Impact on Antiviruses and Possible Countermeasures Cedric´ Herzog1, Valerie´ Viet Triem Tong1, Pierre Wilke1, Arnaud Van Straaten1, and Jean-Louis Lanet1 a 1Inria, CentraleSuplec, Univ Rennes, CNRS, IRISA, Rennes, France ff author, s [email protected] Keywords: Antivirus, Evasion, Windows Malware, Windows API Abstract: The perpetual opposition between antiviruses and malware leads both parties to evolve continuously. On the one hand, antiviruses put in place solutions that are more and more sophisticated and propose more complex detection techniques in addition to the classic signature analysis. This sophistication leads antiviruses to leave more traces of their presence on the machine they protect. To remain undetected as long as possible, malware can avoid executing within such environments by hunting down the modifications left by the antiviruses. This paper aims at determining the possibilities for malware to detect the antiviruses and then evaluating the efficiency of these techniques on a panel of antiviruses that are the most used nowadays. We then collect samples showing this kind of behavior and propose to evaluate a countermeasure that creates false artifacts, thus forcing malware to evade. 1 INTRODUCTION Second, we design and evaluate a countermeasure, mentioned by (Chen et al., 2008) and (Chen et al., There is a permanent confrontation between malware 2016), that simply consists of reproducing the pres- and antiviruses (AVs).1 On the one hand, malware ence of the artifacts on computers by instrumenting mainly intend to infect devices in a short amount of the Windows API in order to force malware to evade. time, while remaining undetected for as long as pos- The purpose of this countermeasure is to limit the in- sible. On the other hand, of course, AVs aim at de- fection’s spread and not to replace malware detection. tecting malware in the fastest way possible. We study the impact of this approach on both mal- When a new malware is detected, AVs lead fur- ware and legitimate software before concluding on its ther analysis to produce a signature and keep their limitations. To evaluate these experiments, we create database up-to-date quickly. Malware authors, will- a small dataset and discuss the problem of collecting ing to create long-lasting malware at low cost, can evasive samples. then use simple methods to avoid being detected and We give an overview of AV abilities and evasion analyzed deeply by these AVs. To this end, a malware techniques in Section 3 and Section 4. We evaluate can search for the presence of traces or artifacts left AV’s abilities to detect new evasive malware in Sec- by an AV, and then decide whether or not they exe- tion 5. Then, we present the countermeasure and the cute their malicious payload. We call such a malware construction of the dataset used for its evaluation in an evasive malware. Section 6 and Section 7. Finally, before concluding, This article focuses on the evaluation of the eva- we discuss the limitations of this study in Section 8. sion techniques used by Windows malware in the wild. First, we evaluate how common AVs cope both with unknown malware and well-known evasion tech- 2 STATE OF THE ART niques. To this end, we develop and use Nuky, a ran- somware targeting Windows, and implementing sev- There are multiple definitions of evasive malware eral evasion techniques. in the literature. For instance, (Naval et al., 2015) define environment-reactive malware as: a https://orcid.org/0000-0002-4751-3941 1https://www.av-test.org/en/statistics/malware/ Detection-aware malware carrying multiple payloads to remain invisible to any protection For this reason, we decide to do the opposite of a system and to persist for a more extended pe- transparent environment by creating an environment riod. The environment aware payloads deter- containing artificial dissimilarities. To the best of our mine the originality of the running environ- knowledge, this idea was already discussed by (Chen ment. If the environment is not real, then the et al., 2008) but never tested on real malware. actual malicious payload is not delivered. Af- ter detecting the presence of a virtual or emu- lated environment, malware either terminates its execution or mimics a benign/unusual be- havior. 3 ANTIVIRUS ABILITIES However, this definition designates malware aim- ing at detecting virtual or emulated environments AVs are tools that aim at detecting and stopping the only. We complete this definition using part of the execution of new malware samples. They are an ag- proposition made by (Tan and Yap, 2016) that calls a gregate of many features designed to detect the mal- malware detecting “dynamic analysis environments, ware’s presence by different means, as described by security tools, VMs, etc., as anti-analysis malware”. (Koret and Bachaalany, 2015). Using these features We choose to use this definition for the term incurs overhead that, if too significant, can hinder the “evasive malware” instead of the proposed terms use of legitimate programs. In order to stay compet- “environment-reactive malware” or “anti-analysis itive, AV editors have to limit this overhead. For this malware”, because we believe this is the term that is reason, it is difficult for them to apply time demand- the most used by both researchers and malware writ- ing techniques. ers. Most AVs use signature checking by comparing One possibility for malware to detect unwanted the file against a database of specific strings, for in- environments is to search for specific artifacts present stance. The signature database needs to be updated only in these environments. For instance, (Black- regularly to detect the latest discovered malware.23 thorne et al., 2016) detail an experiment that extracts Fewer AVs use features that produce significant over- fingerprints about AV’s emulators, and (Yokoyama heads, such as running the malware in an emulator.45 et al., 2016) extract predefined features from a Win- dows computer. Once the harvest of artifacts com- During its installation, an AV adds files and mod- pleted, malware can then decide whether they are run- ifies the guest OS. For instance, an AV can load its ning in an AVenvironment or a standard environment. features by manually allocating memory pages or by Malware then use these artifacts to create evasion using the LoadLibrary API to load a DLL file, as de- tests, as described by (Bulazel and Yener, 2017), (Afi- scribed by (Koret and Bachaalany, 2015). As we de- anian et al., 2020) and (Miramirkhani et al., 2017). It tail in the following section, evasive malware can de- is also possible to artificially add artifacts by using tect these modifications and then adapt their behavior. implants as detailed by (Tanabe et al., 2018). Once a new malware is detected, AVs send the To detect evasive malware, we can compare the sample to their server for further analysis. To ana- malware’s behavior launched in an analysis environ- lyze malware more deeply, an analyst can use multi- ment and on a bare-metal environment. To compare ple tools such as debugger to break at particular in- behaviors, (Kirat and Vigna, 2015) search for differ- structions or Virtual Machines (VMs) and emulators ences in the system call traces. (Kirat et al., 2014) to analyze it in a closed environment. extract raw data from the disk of each environment A malware willing to last longer can then try to and compare file and registry operations, among oth- complicate the analyst’s work by using anti-debugger ers, to detect a deviation of behavior. Finally, (Lindor- or anti-VM techniques to slow down the analysis. fer et al., 2011) compare the behavior of malware be- tween multiple analysis sandboxes and discover mul- tiple evasion techniques. 2https://support.avast.com/en-us/article/22/ It is possible to create an analysis environment 3 that is indistinguishable from a real one, called a https://www.kaspersky.co.uk/blog/the-wonders-of- hashing/3629/ transparent environment, as presented by (Dinaburg 4https://i.blackhat.com/us-18/Thu-August-9/us- et al., 2008). However, (Garfinkel et al., 2007) gives 18-Bulazel-Windows-Offender-Reverse-Engineering- reservations about the possibilities of creating a fully Windows-Defenders-Antivirus-Emulator.pdf transparent environment as for them, “virtual and na- 5https://eugene.kaspersky.com/2012/03/07/emulation- tive hardware are likely to remain dissimilar”. a-headache-to-develop-but-oh-so-worth-it/ 4 AV EVASIONS Table 1: Artifacts searched by Nuky for each category. Artifacts Debugger AV VM In the previous section, we gave details about the Process Names × × × environment in which we are interested. We now de- GUI Windows Names × tail possible ways for evasive malware to detect the Debugger registers values × presence of such environments.
Recommended publications
  • Ironpython in Action
    IronPytho IN ACTION Michael J. Foord Christian Muirhead FOREWORD BY JIM HUGUNIN MANNING IronPython in Action Download at Boykma.Com Licensed to Deborah Christiansen <[email protected]> Download at Boykma.Com Licensed to Deborah Christiansen <[email protected]> IronPython in Action MICHAEL J. FOORD CHRISTIAN MUIRHEAD MANNING Greenwich (74° w. long.) Download at Boykma.Com Licensed to Deborah Christiansen <[email protected]> For online information and ordering of this and other Manning books, please visit www.manning.com. The publisher offers discounts on this book when ordered in quantity. For more information, please contact Special Sales Department Manning Publications Co. Sound View Court 3B fax: (609) 877-8256 Greenwich, CT 06830 email: [email protected] ©2009 by Manning Publications Co. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by means electronic, mechanical, photocopying, or otherwise, without prior written permission of the publisher. Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in the book, and Manning Publications was aware of a trademark claim, the designations have been printed in initial caps or all caps. Recognizing the importance of preserving what has been written, it is Manning’s policy to have the books we publish printed on acid-free paper, and we exert our best efforts to that end. Recognizing also our responsibility to conserve the resources of our planet, Manning books are printed on paper that is at least 15% recycled and processed without the use of elemental chlorine.
    [Show full text]
  • Thriving in a Crowded and Changing World: C++ 2006–2020
    Thriving in a Crowded and Changing World: C++ 2006–2020 BJARNE STROUSTRUP, Morgan Stanley and Columbia University, USA Shepherd: Yannis Smaragdakis, University of Athens, Greece By 2006, C++ had been in widespread industrial use for 20 years. It contained parts that had survived unchanged since introduced into C in the early 1970s as well as features that were novel in the early 2000s. From 2006 to 2020, the C++ developer community grew from about 3 million to about 4.5 million. It was a period where new programming models emerged, hardware architectures evolved, new application domains gained massive importance, and quite a few well-financed and professionally marketed languages fought for dominance. How did C++ ś an older language without serious commercial backing ś manage to thrive in the face of all that? This paper focuses on the major changes to the ISO C++ standard for the 2011, 2014, 2017, and 2020 revisions. The standard library is about 3/4 of the C++20 standard, but this paper’s primary focus is on language features and the programming techniques they support. The paper contains long lists of features documenting the growth of C++. Significant technical points are discussed and illustrated with short code fragments. In addition, it presents some failed proposals and the discussions that led to their failure. It offers a perspective on the bewildering flow of facts and features across the years. The emphasis is on the ideas, people, and processes that shaped the language. Themes include efforts to preserve the essence of C++ through evolutionary changes, to simplify itsuse,to improve support for generic programming, to better support compile-time programming, to extend support for concurrency and parallel programming, and to maintain stable support for decades’ old code.
    [Show full text]
  • Cornell CS6480 Lecture 3 Dafny Robbert Van Renesse Review All States
    Cornell CS6480 Lecture 3 Dafny Robbert van Renesse Review All states Reachable Ini2al states states Target states Review • Behavior: infinite sequence of states • Specificaon: characterizes all possible/desired behaviors • Consists of conjunc2on of • State predicate for the inial states • Acon predicate characterizing steps • Fairness formula for liveness • TLA+ formulas are temporal formulas invariant to stuering • Allows TLA+ specs to be part of an overall system Introduction to Dafny What’s Dafny? • An imperave programming language • A (mostly funconal) specificaon language • A compiler • A verifier Dafny programs rule out • Run2me errors: • Divide by zero • Array index out of bounds • Null reference • Infinite loops or recursion • Implementa2ons that do not sa2sfy the specifica2ons • But it’s up to you to get the laFer correct Example 1a: Abs() method Abs(x: int) returns (x': int) ensures x' >= 0 { x' := if x < 0 then -x else x; } method Main() { var x := Abs(-3); assert x >= 0; print x, "\n"; } Example 1b: Abs() method Abs(x: int) returns (x': int) ensures x' >= 0 { x' := 10; } method Main() { var x := Abs(-3); assert x >= 0; print x, "\n"; } Example 1c: Abs() method Abs(x: int) returns (x': int) ensures x' >= 0 ensures if x < 0 then x' == -x else x' == x { x' := 10; } method Main() { var x := Abs(-3); print x, "\n"; } Example 1d: Abs() method Abs(x: int) returns (x': int) ensures x' >= 0 ensures if x < 0 then x' == -x else x' == x { if x < 0 { x' := -x; } else { x' := x; } } Example 1e: Abs() method Abs(x: int) returns (x': int) ensures
    [Show full text]
  • Advance Dynamic Malware Analysis Using Api Hooking
    www.ijecs.in International Journal Of Engineering And Computer Science ISSN:2319-7242 Volume – 5 Issue -03 March, 2016 Page No. 16038-16040 Advance Dynamic Malware Analysis Using Api Hooking Ajay Kumar , Shubham Goyal Department of computer science Shivaji College, University of Delhi, Delhi, India [email protected] [email protected] Abstract— As in real world, in virtual world also there are type of Analysis is ineffective against many sophisticated people who want to take advantage of you by exploiting you software. Advanced static analysis consists of reverse- whether it would be your money, your status or your personal engineering the malware’s internals by loading the executable information etc. MALWARE helps these people into a disassembler and looking at the program instructions in accomplishing their goals. The security of modern computer order to discover what the program does. Advanced static systems depends on the ability by the users to keep software, analysis tells you exactly what the program does. OS and antivirus products up-to-date. To protect legitimate users from these threats, I made a tool B. Dynamic Malware Analysis (ADVANCE DYNAMIC MALWARE ANAYSIS USING API This is done by watching and monitoring the behavior of the HOOKING) that will inform you about every task that malware while running on the host. Virtual machines and software (malware) is doing over your machine at run-time Sandboxes are extensively used for this type of analysis. The Index Terms— API Hooking, Hooking, DLL injection, Detour malware is debugged while running using a debugger to watch the behavior of the malware step by step while its instructions are being processed by the processor and their live effects on I.
    [Show full text]
  • Neufuzz: Efficient Fuzzing with Deep Neural Network
    Received January 15, 2019, accepted February 6, 2019, date of current version April 2, 2019. Digital Object Identifier 10.1109/ACCESS.2019.2903291 NeuFuzz: Efficient Fuzzing With Deep Neural Network YUNCHAO WANG , ZEHUI WU, QIANG WEI, AND QINGXIAN WANG China National Digital Switching System Engineering and Technological Research Center, Zhengzhou 450000, China Corresponding author: Qiang Wei ([email protected]) This work was supported by National Key R&D Program of China under Grant 2017YFB0802901. ABSTRACT Coverage-guided graybox fuzzing is one of the most popular and effective techniques for discovering vulnerabilities due to its nature of high speed and scalability. However, the existing techniques generally focus on code coverage but not on vulnerable code. These techniques aim to cover as many paths as possible rather than to explore paths that are more likely to be vulnerable. When selecting the seeds to test, the existing fuzzers usually treat all seed inputs equally, ignoring the fact that paths exercised by different seed inputs are not equally vulnerable. This results in wasting time testing uninteresting paths rather than vulnerable paths, thus reducing the efficiency of vulnerability detection. In this paper, we present a solution, NeuFuzz, using the deep neural network to guide intelligent seed selection during graybox fuzzing to alleviate the aforementioned limitation. In particular, the deep neural network is used to learn the hidden vulnerability pattern from a large number of vulnerable and clean program paths to train a prediction model to classify whether paths are vulnerable. The fuzzer then prioritizes seed inputs that are capable of covering the likely to be vulnerable paths and assigns more mutation energy (i.e., the number of inputs to be generated) to these seeds.
    [Show full text]
  • Intel® Software Guard Extensions: Data Center Attestation Primitives
    Intel® Software Guard Extensions Data Center Attestation Primitives Installation Guide For Windows* OS Revision <1.0> <3/10/2020> Table of Contents Introduction .......................................................................................................................... 3 Components – Detailed Description ....................................................................................... 4 Platform Configuration .......................................................................................................... 6 Windows* Server OS Support ................................................................................................. 7 Installation Instructions ......................................................................................................... 8 Windows* Server 2016 LTSC ................................................................................................................. 8 Downloading the Software ........................................................................................................................... 8 Installation .................................................................................................................................................... 8 Windows* Server 2019 Installation ....................................................................................................... 9 Downloading the Software ........................................................................................................................... 9 Installation
    [Show full text]
  • Fine-Grained Energy Profiling for Power-Aware Application Design
    Fine-Grained Energy Profiling for Power-Aware Application Design Aman Kansal Feng Zhao Microsoft Research Microsoft Research One Microsoft Way, Redmond, WA One Microsoft Way, Redmond, WA [email protected] [email protected] ABSTRACT changing from double precision to single), or quality of service pro- Significant opportunities for power optimization exist at applica- vided [10]. Third, energy usage at the application layer may be tion design stage and are not yet fully exploited by system and ap- made dynamic [8]. For instance, an application hosted in a data plication designers. We describe the challenges developers face in center may decide to turn off certain low utility features if the en- optimizing software for energy efficiency by exploiting application- ergy budget is being exceeded, and an application on a mobile de- level knowledge. To address these challenges, we propose the de- vice may reduce its display quality [11] when battery is low. This velopment of automated tools that profile the energy usage of vari- is different from system layer techniques that may have to throttle ous resource components used by an application and guide the de- the throughput resulting in users being denied service. sign choices accordingly. We use a preliminary version of a tool While many application specific energy optimizations have been we have developed to demonstrate how automated energy profiling researched, there is a lack of generic tools that a developer may use helps a developer choose between alternative designs in the energy- at design time. Application specific optimizations require signif- performance trade-off space. icant development effort and are often only applicable to specific scenarios.
    [Show full text]
  • A Malware Analysis and Artifact Capture Tool Dallas Wright Dakota State University
    Dakota State University Beadle Scholar Masters Theses & Doctoral Dissertations Spring 3-2019 A Malware Analysis and Artifact Capture Tool Dallas Wright Dakota State University Follow this and additional works at: https://scholar.dsu.edu/theses Part of the Information Security Commons, and the Systems Architecture Commons Recommended Citation Wright, Dallas, "A Malware Analysis and Artifact Capture Tool" (2019). Masters Theses & Doctoral Dissertations. 327. https://scholar.dsu.edu/theses/327 This Dissertation is brought to you for free and open access by Beadle Scholar. It has been accepted for inclusion in Masters Theses & Doctoral Dissertations by an authorized administrator of Beadle Scholar. For more information, please contact [email protected]. A MALWARE ANALYSIS AND ARTIFACT CAPTURE TOOL A dissertation submitted to Dakota State University in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Cyber Operations March 2019 By Dallas Wright Dissertation Committee: Dr. Wayne Pauli Dr. Josh Stroschein Dr. Jun Liu ii iii Abstract Malware authors attempt to obfuscate and hide their execution objectives in their program’s static and dynamic states. This paper provides a novel approach to aid analysis by introducing a malware analysis tool which is quick to set up and use with respect to other existing tools. The tool allows for the intercepting and capturing of malware artifacts while providing dynamic control of process flow. Capturing malware artifacts allows an analyst to more quickly and comprehensively understand malware behavior and obfuscation techniques and doing so interactively allows multiple code paths to be explored. The faster that malware can be analyzed the quicker the systems and data compromised by it can be determined and its infection stopped.
    [Show full text]
  • Adding Self-Healing Capabilities to the Common Language Runtime
    Adding Self-healing capabilities to the Common Language Runtime Rean Griffith Gail Kaiser Columbia University Columbia University [email protected] [email protected] Abstract systems can leverage to maintain high system availability is to perform repairs in a degraded mode of operation[23, 10]. Self-healing systems require that repair mechanisms are Conceptually, a self-managing system is composed of available to resolve problems that arise while the system ex- four (4) key capabilities [12]; Monitoring to collect data ecutes. Managed execution environments such as the Com- about its execution and operating environment, performing mon Language Runtime (CLR) and Java Virtual Machine Analysis over the data collected from monitoring, Planning (JVM) provide a number of application services (applica- an appropriate course of action and Executing the plan. tion isolation, security sandboxing, garbage collection and Each of the four functions participating in the Monitor- structured exception handling) which are geared primar- Analyze-Plan-Execute (MAPE) loop consumes and pro- ily at making managed applications more robust. How- duces knowledgewhich is integral to the correct functioning ever, none of these services directly enables applications of the system. Over its execution lifetime the system builds to perform repairs or consistency checks of their compo- and refines a knowledge-base of its behavior and environ- nents. From a design and implementation standpoint, the ment. Information in the knowledge-base could include preferred way to enable repair in a self-healing system is patterns of resource utilization and a “scorecard” tracking to use an externalized repair/adaptation architecture rather the success of applying specific repair actions to detected or than hardwiring adaptation logic inside the system where it predicted problems.
    [Show full text]
  • Formalized Mathematics in the Lean Proof Assistant
    Formalized mathematics in the Lean proof assistant Robert Y. Lewis Vrije Universiteit Amsterdam CARMA Workshop on Computer-Aided Proof Newcastle, NSW June 6, 2019 Credits Thanks to the following people for some of the contents of this talk: Leonardo de Moura Jeremy Avigad Mario Carneiro Johannes Hölzl 1 38 Table of Contents 1 Proof assistants in mathematics 2 Dependent type theory 3 The Lean theorem prover 4 Lean’s mathematical libraries 5 Automation in Lean 6 The good and the bad 2 38 bfseries Proof assistants in mathematics Computers in mathematics Mathematicians use computers in various ways. typesetting numerical calculations symbolic calculations visualization exploration Let’s add to this list: checking proofs. 3 38 Interactive theorem proving We want a language (and an implementation of this language) for: Defining mathematical objects Stating properties of these objects Showing that these properties hold Checking that these proofs are correct Automatically generating these proofs This language should be: Expressive User-friendly Computationally eicient 4 38 Interactive theorem proving Working with a proof assistant, users construct definitions, theorems, and proofs. The proof assistant makes sure that definitions are well-formed and unambiguous, theorem statements make sense, and proofs actually establish what they claim. In many systems, this proof object can be extracted and verified independently. Much of the system is “untrusted.” Only a small core has to be relied on. 5 38 Interactive theorem proving Some systems with large
    [Show full text]
  • 1. with Examples of Different Programming Languages Show How Programming Languages Are Organized Along the Given Rubrics: I
    AGBOOLA ABIOLA CSC302 17/SCI01/007 COMPUTER SCIENCE ASSIGNMENT ​ 1. With examples of different programming languages show how programming languages are organized along the given rubrics: i. Unstructured, structured, modular, object oriented, aspect oriented, activity oriented and event oriented programming requirement. ii. Based on domain requirements. iii. Based on requirements i and ii above. 2. Give brief preview of the evolution of programming languages in a chronological order. 3. Vividly distinguish between modular programming paradigm and object oriented programming paradigm. Answer 1i). UNSTRUCTURED LANGUAGE DEVELOPER DATE Assembly Language 1949 FORTRAN John Backus 1957 COBOL CODASYL, ANSI, ISO 1959 JOSS Cliff Shaw, RAND 1963 BASIC John G. Kemeny, Thomas E. Kurtz 1964 TELCOMP BBN 1965 MUMPS Neil Pappalardo 1966 FOCAL Richard Merrill, DEC 1968 STRUCTURED LANGUAGE DEVELOPER DATE ALGOL 58 Friedrich L. Bauer, and co. 1958 ALGOL 60 Backus, Bauer and co. 1960 ABC CWI 1980 Ada United States Department of Defence 1980 Accent R NIS 1980 Action! Optimized Systems Software 1983 Alef Phil Winterbottom 1992 DASL Sun Micro-systems Laboratories 1999-2003 MODULAR LANGUAGE DEVELOPER DATE ALGOL W Niklaus Wirth, Tony Hoare 1966 APL Larry Breed, Dick Lathwell and co. 1966 ALGOL 68 A. Van Wijngaarden and co. 1968 AMOS BASIC FranÇois Lionet anConstantin Stiropoulos 1990 Alice ML Saarland University 2000 Agda Ulf Norell;Catarina coquand(1.0) 2007 Arc Paul Graham, Robert Morris and co. 2008 Bosque Mark Marron 2019 OBJECT-ORIENTED LANGUAGE DEVELOPER DATE C* Thinking Machine 1987 Actor Charles Duff 1988 Aldor Thomas J. Watson Research Center 1990 Amiga E Wouter van Oortmerssen 1993 Action Script Macromedia 1998 BeanShell JCP 1999 AngelScript Andreas Jönsson 2003 Boo Rodrigo B.
    [Show full text]
  • Practical Malware Analysis
    PRAISE FOR PRACTICAL MALWARE ANALYSIS Digital Forensics Book of the Year, FORENSIC 4CAST AWARDS 2013 “A hands-on introduction to malware analysis. I’d recommend it to anyone who wants to dissect Windows malware.” —Ilfak Guilfanov, CREATOR OF IDA PRO “The book every malware analyst should keep handy.” —Richard Bejtlich, CSO OF MANDIANT & FOUNDER OF TAOSECURITY “This book does exactly what it promises on the cover; it’s crammed with detail and has an intensely practical approach, but it’s well organised enough that you can keep it around as handy reference.” —Mary Branscombe, ZDNET “If you’re starting out in malware analysis, or if you are are coming to analysis from another discipline, I’d recommend having a nose.” —Paul Baccas, NAKED SECURITY FROM SOPHOS “An excellent crash course in malware analysis.” —Dino Dai Zovi, INDEPENDENT SECURITY CONSULTANT “The most comprehensive guide to analysis of malware, offering detailed coverage of all the essential skills required to understand the specific challenges presented by modern malware.” —Chris Eagle, SENIOR LECTURER OF COMPUTER SCIENCE AT THE NAVAL POSTGRADUATE SCHOOL “A great introduction to malware analysis. All chapters contain detailed technical explanations and hands-on lab exercises to get you immediate exposure to real malware.” —Sebastian Porst, GOOGLE SOFTWARE ENGINEER “Brings reverse-engineering to readers of all skill levels. Technically rich and accessible, the labs will lead you to a deeper understanding of the art and science of reverse-engineering. I strongly believe this will become the defacto text for learning malware analysis in the future.” —Danny Quist, PHD, FOUNDER OF OFFENSIVE COMPUTING “An awesome book .
    [Show full text]