DOCSLIB.ORG

Mobile Malware Visual Analytics and Similarities of Attack Toolkits Risksense® Technical White Paper Series

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

WHITE PAPER Mobile Malware Visual Analytics and Similarities of Attack Toolkits RiskSense® Technical White Paper Series Author: Anand Paturi, Manoj Cherukuri, John Donahue, and Dr. Srinivas Mukkamala Table of Contents Executive Summary 1 Introduction 2 Web Malware 3 Mobile Malware Analysis – Detecting Malcode In Repackaged Applications 3 Methodology 4 Attack Toolkits 5 Similarity Analysis of Attack Toolkits 6 Summary 9 WHITE PAPER • Mobile Malware Visual Analytics and Similarities of Attack Toolkits Executive Summary This paper discusses the use of Normalized Compression Distance (NCD), based on its capabilities to perform similarity measure of unstructured data, to enumerate code similarity between malicious Android applications and visualize their clusters. This document is part of the RiskSense Technical White Paper Series, which provides practical advice from a variety of RiskSense cybersecurity experts to assist security analysts in their day-to- day operations. The illustrated classification methods and visual analytics can help the anti-virus community to ensure that a variant of a known malware can still be detected without the need of creating a signature. This paper also showcases that the proposed methods can be used to understand the similarity / behavior with known malware families when a new malware is released. WHITE PAPER • Mobile Malware Visual Analytics and Similarities of Attack Toolkits WHITE PAPER • Mobile Malware Visual Analytics and Similarities of Attack Toolkits Page 1 Introduction Malicious applications installed on smart phones target them the same way as traditional malware would target personal computers since smart phones provide the same capabilities as handheld personal computers. A recent malware threat report from McAfee1 indicates that malicious applications increase by 100,000 samples a day and target smart phones, employing attack vectors that are the same as x86 and x64 malware. Most of the malicious mobile applications are the result Authors have implemented an application similarity measurement of repacking, which is a very common technique used by called DroidMOSS (using fuzzy hashing technique) to effectively adversaries whereby a legitimate application is modified by detect repackaged applications.4 Authors first perform feature injecting malicious code. Under this scenario, benign mobile extraction, which includes extracting of instructions in the applications are disassembled, embedded with malware, application and author information. They extract opcodes from re-assembled, and then re-packaged to look like benign the Dalvik bytecode for instructions and META-INF subdirectory applications. Finally, the embedded payload is launched when for author information of the application. Next fingerprint the application is activated. generation is performed, in which a sliding window hashing technique is used, whereby a sliding window starts from the very In prior reports, security researchers from the North Carolina beginning of the instruction sequence and moves forward until State University observed that much of Android malware is its rolling hashing value equals a pre-selected reset point, which repackaging other legitimate (popular) applications. After determines the boundary of the current piece. This hashing analyzing more than 1,200 Android malware samples, they technique is implemented on all instructions of the application, found that 86 percent repackaged legitimate applications to starting from the first instruction, a hash value is computed for include malicious payloads.2 In their recent experiments on (i + 1)th instruction to (j, (j +1)th) instruction to nth instruction. Android malware, they have observed that the detection rates of Additionally, a hash value is calculated for the entire instruction well-known anti-virus engines range from 51.02 percent to 100 sequence. The primary reason to calculate window hashes is to percent, while the detection rate of the Google App Verification find changes that could occur in a subset of instructions, which Service in Android 4.2 (JellyBean) is 20.41%.3 may be either adding or deleting instructions. Finally, authors perform similarity scoring to compute the distance between two fingerprints. This approach does not detect the malicious payload at source code level in the repackaged application and suffers from extracting features to perform the whole process. Authors propose a scalable infrastructure for code similarity analysis among Android applications.5 Initially, authors perform application pre-processing to represent it in a common XML- based format and then perform feature extraction using feature hashing. Finally, similarity measurement is performed to enumerate the similarity measure and extract the similar code. This methodology incurs the complexity of feature extraction, which might make it infeasible for quick analysis of repackaged applications over a large dataset. 1 https://threatpost.com/mobile-malware-way-mcafee-q2-threat-report-090412/76972/ 2 Y. Zhou, X, Jiang, “Dissecting Android Malware: Characterization and Evolution,” InProceedings of the 33rd IEEE Symposium on Security and Privacy (Oakland 2012), San Francisco, CA, May 2012 3 http://www.cs.ncsu.edu/faculty/jiang/appverify/ 4 W. Zhou, Y. Zhou, X. Jiang, and P. Ning. “Detecting Repackaged Smartphone Applicationsin Third-party Android Marketplaces,” In Proceedings of the Second ACM Conferenceon Data and Application Security and Privacy, CODASPY’12, pages 317-326, 2012 5 S. Hanna, L. Huang, E. Wu, S. Li, C. Chen, and D. Song. “Juxtapp: A Scalable System forDetecting Code Reuse Among Android Applications,” In Proceedings of the 9th Conferenceon Detection of Intrusions and Malware & Vulnerability Assessment, DIMVA’12 WHITE PAPER • Mobile Malware Visual Analytics and Similarities of Attack Toolkits Page 2 The approach that RiskSense cybersecurity experts propose, In our initial approaches we used Cosine measure to calculate the does not suffer from feature extraction, since they do not similarity between malware samples (Financial Crimeware and implement feature extraction to detect similarity in applications Attack Toolkits: Eleonore is similar to Fragus, IEKit, JustExploit, but rather use NCD for obtaining quick measurement of MyPloySploits, Neon, ExploitPack, and ZeroExploit). Cosine similarity analysis and then detect the degree of code similarity. Similarity is measured as the cosine of the angle between the In RiskSense’s current experiments for Mobile malware analysis two vectors (API sequence of malware samples). (focusing on DroidKungFu family), we calculate NCD between applications to measure their similarity and represent results in Our analysis shows that the shellcodes used as payloads, across a distance matrix. We apply a hierarchical clustering to group different attack kits, were nearly similar with scores over 90%. malware; the clusters are represented using a Pythagoras tree We observe that some of the attack kits released across different fractal. In our fractal visualization, all samples from the distance years had the same shellcodes. matrix are considered as a single square in the first step and from there on, two squares are constructed with each scaled down by a linear factor of 1⁄2 √2. With respect to mobile malware (DroidKungFu family) we can classify all the samples correctly and represent clusters (malware families and benign applications) using a Pythagoras tree fractal. Web Malware With perimeter defenses getting stronger over time, the Based on the results, similarity measures (Cosine Measure attackers have targeted the web for distributing malware. and Normalized Compression Distance) can be an effective Researchers have conducted several studies to understand the static mechanism to detect malware variants, shellcode based 6,7,8 life cycle of Web malware. Google had observed that about drive-by download attacks, attack toolkits, mobile malware, and 9 1.3 percent of the search queries result in a malicious link and repacked mobiles applications with malware. more than 60 percent of the Web attacks happen through the attack kits.10 Detection of shellcode for detecting the drive-by download attacks is one of the more focused approaches for preventing Web-based malware attacks. Previous researchers have published several approaches relying on heuristics and emulation for the detection of shellcodes.11, 12, 13 Mobile Malware Analysis: Detecting Malcode In Repackaged Applications In our methodology, mobile applications collected from multiple output of this method is a distance matrix based upon we application stores are passed through a pre-processing phase, visualize clusters of mobile applications, which shows the in which we convert each mobile application in to a pre-defined similarity between mobile applications based on their source format. Later we use gzip, bzip2, and rsynccompressors to code similarity. Using NCD enables us to perform similarity compress the pre-processed files (by defining a compression analysis without prior domain knowledge. block size) and then calculate the NCD between them. The 6 N. Provos, D. McNamee, P. Mavrommatis, K. Wang, and N. Modadugu. “The Ghost In The Browser Analysis of Web-based Malware,” In First Workshop on Hot Topics in Understanding Botnets, 2007 7 C. Kolbitsch, B. Livshits, B. Zorn, and C. Seifert. “Rozzle: De-cloaking internet malware,” Technical Report MSR-TR-2011- 94, Microsoft Research Technical Report, 2011 8 M. Polychronakis, and N. Provos. “Ghost turns zombie: Exploring the life
Recommended publications
  • Identifying Threats Associated with Man-In-The-Middle Attacks During Communication Between a Mobile Device and the Back End Server in Mobile Banking Applications

    Identifying Threats Associated with Man-In-The-Middle Attacks During Communication Between a Mobile Device and the Back End Server in Mobile Banking Applications

    IOSR Journal of Computer Engineering (IOSR-JCE) e-ISSN: 2278-0661, p- ISSN: 2278-8727Volume 16, Issue 2, Ver. IX (Mar-Apr. 2014), PP 35-42 www.iosrjournals.org Identifying Threats Associated With Man-In-The-Middle Attacks during Communication between a Mobile Device and the Back End Server in Mobile Banking Applications Anthony Luvanda1,*Dr Stephen Kimani1 Dr Micheal Kimwele1 1. School of Computing and Information Technology, Jomo Kenyatta University of Agriculture and Technology, PO Box 62000-00200 Nairobi Kenya Abstract: Mobile banking, sometimes referred to as M-Banking, Mbanking or SMS Banking, is a term used for performing balance checks, account transactions, payments, credit applications and other banking transactions through a mobile device such as a mobile phone or Personal Digital Assistant (PDA). Mobile banking has until recently most often been performed via SMS or the Mobile Web. Apple's initial success with iPhone and the rapid growth of phones based on Google's Android (operating system) have led to increasing use of special client programs, called apps, downloaded to the mobile device hence increasing the number of banking applications that can be made available on mobile phones . This in turn has increased the popularity of mobile device use in regards to personal banking activities. Due to the characteristics of wireless medium, limited protection of the nodes, nature of connectivity and lack of centralized managing point, wireless networks tend to be highly vulnerable and more often than not they become subjects of attack. This paper proposes to identify potential threats associated with communication between a mobile device and the back end server in mobile banking applications.

  • 100169 V2 BCG Mobile Malware Infographic

    KNOW THY With mobile usage at an all time high, malware specifically designed for smartphones has become more prevalent and sophisticated. MOBILE ENEMY. We’re here to help. Mobile malware can take on many different forms: POTENTIALLY UNWANTED SOFTWARE (PUS) The Basics How PUS Starts Signs of a PUS Attack • Often poses as • Users allow permission • Sudden increase in junk antivirus software because attack poses as SMS texts antivirus software • Similar to adware • Data stolen from your or spyware contacts list and shared with third parties • Millions of variations already exist RANSOMWARE The Basics Complete Anonymity Ransomware & Fear • Advanced cryptographic • Assailants demand • Most aren’t likely to report Accept threats that hold untraceable ransom ransomware acquired from les hostage payment (Bitcoin) embarrassing sources (ie. porn) • Ransom is due within • Attackers use Tor network a strict time limit to hide destination • Often payment doesn’t mean before les become of payment the bad guys uphold their permanently inaccessible end of the bargain • .onion addresses often used in ransom demands How Ransomware Starts • Installing risky mobile apps from insecure websites INFORMATION LEAKAGE Every Move is Monitored IMEI Identifier Broadcast Personal Privacy Threats Within Mobile Network • Often results from app • Can lead to cloned • Utilize GPS satellite designers who don’t phones where service systems to create digital encrypt or do it wrong is hijacked “breadcrumbs” showing activity • Reveal where people live, work, socialize, etc. using social networking options TOP TWO INFECTION VECTORS MIXING BUSINESS WITH PLEASURE Users now have one device for everything— #1 Porn #2Suspicious chances of personal use impacting business networks at 36% WebAd networks/large networks are higher than ever.
  • A the Hacker

    A the Hacker

    A The Hacker Madame Curie once said “En science, nous devons nous int´eresser aux choses, non aux personnes [In science, we should be interested in things, not in people].” Things, however, have since changed, and today we have to be interested not just in the facts of computer security and crime, but in the people who perpetrate these acts. Hence this discussion of hackers. Over the centuries, the term “hacker” has referred to various activities. We are familiar with usages such as “a carpenter hacking wood with an ax” and “a butcher hacking meat with a cleaver,” but it seems that the modern, computer-related form of this term originated in the many pranks and practi- cal jokes perpetrated by students at MIT in the 1960s. As an example of the many meanings assigned to this term, see [Schneier 04] which, among much other information, explains why Galileo was a hacker but Aristotle wasn’t. A hack is a person lacking talent or ability, as in a “hack writer.” Hack as a verb is used in contexts such as “hack the media,” “hack your brain,” and “hack your reputation.” Recently, it has also come to mean either a kludge, or the opposite of a kludge, as in a clever or elegant solution to a difficult problem. A hack also means a simple but often inelegant solution or technique. The following tentative definitions are quoted from the jargon file ([jargon 04], edited by Eric S. Raymond): 1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, as opposed to most users, who prefer to learn only the minimum necessary.
  • Malware and Social Engineering Attacks

    Malware and Social Engineering Attacks

    chapter 2 Malware and Social Engineering Attacks After completing this chapter, you will be able to do the following: ● Describe the differences between a virus and a worm ● List the types of malware that conceals its appearance ● Identify different kinds of malware that is designed for profit ● Describe the types of social engineering psychological attacks ● Explain physical social engineering attacks 41 42 Chapter 2 Malware and Social Engineering Attacks Today’s Attacks and Defenses Successful software companies use a variety of strategies to outsell their competition and gain market share. These strategies may include selling their software at or below a com- petitor’s price, offering better technical support to customers, or providing customized software for clients. And if all else fails, a final strategy can be to buy out the competition through a merger or acquisition. These strategies are also being widely used by attackers who sell their attack software to others. Approximately two out of three malicious Web attacks have been developed using one of three popular attack toolkits. The toolkits are MPack (the most popular attack toolkit, which has almost half of the attacker toolkit mar- ket), NeoSploit, and ZeuS. These toolkits, which are bought and sold online through the underground attacker community, are used to create customized malware that can steal personal information, execute fraudulent financial transactions, and infect computers without the user’s knowledge. The toolkits range in price from only $40 to as much as $8,000. The developers behind these attack toolkits compete fiercely with each other. Some of their tactics include updating the toolkits to keep ahead of the latest security defenses, advertising their attack toolkits as cheaper than the competition, and provid- ing technical support to purchasers.
  • EVALUATION of HIDDEN MARKOV MODEL for MALWARE BEHAVIORAL CLASSIFICATION By

    EVALUATION of HIDDEN MARKOV MODEL for MALWARE BEHAVIORAL CLASSIFICATION By

    EVALUATION OF HIDDEN MARKOV MODEL FOR MALWARE BEHAVIORAL CLASSIFICATION By Mohammad Imran A research thesis submitted to the Department of Computer Science, Capital University of Science & Technology, Islamabad in partial fulfillment of the requirements for the degree of DOCTOR OF PHILOSOPHY IN COMPUTER SCIENCE DEPARTMENT OF COMPUTER SCIENCE CAPITAL UNIVERSITY OF SCIENCE & TECHNOLOGY ISLAMABAD October 2016 Copyright© 2016 by Mr. Mohammad Imran All rights reserved. No part of the material protected by this copyright notice may be reproduced or utilized in any form or any means, electronic or mechanical, including photocopying, recording or by any information storage and retrieval system, without the permission from the author. To my parents and family Contents List of Figures iv List of Tablesv Abbreviations vi Publications vii Acknowledgements viii Abstractx 1 Introduction1 1.1 What is malware?............................1 1.2 Types of malware............................3 1.2.1 Virus...............................3 1.2.2 Worm..............................3 1.2.3 Trojan horse...........................3 1.2.4 Rootkit.............................4 1.2.5 Spyware.............................4 1.2.6 Adware.............................4 1.2.7 Bot................................4 1.3 Malware attack vectors.........................5 1.3.1 Use of vulnerabilities......................5 1.3.2 Drive-by downloads.......................5 1.3.3 Social engineering........................5 1.4 Combating malware: Malware analysis................5 1.4.1 Static analysis..........................6 1.4.2 Dynamic analysis........................9 1.4.3 Hybrid analysis......................... 12 1.5 Combating malware: Malware detection and classification...... 12 1.6 Observations from the literature.................... 13 1.7 Problem statement........................... 15 1.8 Motivation................................ 15 1.8.1 Why malware analysis?..................... 16 1.8.2 Why Hidden Markov Model?................
  • Mobile Malware

    Mobile Malware

    CS 155 Spring 2016 Mobile Malware John Mitchell Outline • Mobile malware • Identifying malware – Detect at app store rather than on platform • Classification study of mobile web apps – Entire Google Play market as of 2014 – 85% of approx 1 million apps use web interface • Target fragmentation in Android – Out-of-date Apps may disable more recent security platform patches Malware Trends W Based on FairPlay vulnerability • Requires malware on user PC, installation of malicious app in App Store • Continues to work after app removed from store • Silently installs app on phone Android malware 2015 Current Android Malware Description AccuTrack This application turns an Android smartphone into a GPS tracker. Ackposts This Trojan steals contact information from the compromised device and uploads them to a remote server. Acnetdoor This Trojan opens a backdoor on the infected device and sends the IP address to a remote server. Adsms This is a Trojan which is allowed to send SMS messages. The distribution channel ... is through a SMS message containing the download link. Airpush/StopSMS Airpush is a very aggresive Ad-Network. … BankBot This malware tries to steal users’ confidential information and money from bank and mobile accounts associated with infected devices. http://forensics.spreitzenbarth.de/android-malware/ Trends 2014-15 Android free antivirus apps … 1. Comodo Security & Antivirus 2. CM Security Antivirus AppLock 3. 360 Security - Antivirus Boost 4. Sophos Free Antivirus and Security 5. Malwarebytes Anti- Malware 6. Bitdefender Antivirus
  • A Case Study in DNS Poisoning

    A Case Study in DNS Poisoning

    A wrinkle in time: A case study in DNS poisoning Harel Berger Amit Z. Dvir Moti Geva Abstract—The Domain Name System (DNS) provides a trans- lation between readable domain names and IP addresses. The DNS is a key infrastructure component of the Internet and a prime target for a variety of attacks. One of the most significant threat to the DNS’s wellbeing is a DNS poisoning attack, in which the DNS responses are maliciously replaced, or poisoned, by an attacker. To identify this kind of attack, we start by an analysis of different kinds of response times. We present an analysis of typical and atypical response times, while differentiating between the different levels of DNS servers’ response times, from root servers down to internal caching servers. We successfully identify empirical DNS poisoning attacks based on a novel method for DNS response timing analysis. We then present a system we developed to validate our technique that does not require any changes to the DNS protocol or any existing network equipment. Our validation system tested data from different architectures including LAN and cloud environments and real data from an Internet Service Provider (ISP). Our method and system differ from most other DNS poisoning detection methods and achieved high detection rates exceeding 99%. These findings suggest that when used in conjunction with other methods, they can considerably enhance the accuracy of these methods. I. INTRODUCTION Fig. 1. DNS hierarchy example The Domain Name System (DNS) [1], [2] is one of the best known protocols in the Internet. Its main function is to trans- late human-readable domain names into their corresponding following steps.
  • Miscellaneous: Malware Cont'd & Start on Bitcoin

    Miscellaneous: Malware Cont'd & Start on Bitcoin

    Miscellaneous: Malware cont’d & start on Bitcoin CS 161: Computer Security Prof. Raluca Ada Popa April 19, 2018 Credit: some slides are adapted from previous offerings of this course Viruses vs. Worms VIRUS WORM Propagates By infecting Propagates automatically other programs By copying itself to target systems Usually inserted into A standalone program host code (not a standalone program) Another type of virus: Rootkits Rootkit is a ”stealthy” program designed to give access to a machine to an attacker while actively hiding its presence Q: How can it hide itself? n Create a hidden directory w /dev/.liB, /usr/src/.poop and similar w Often use invisiBle characters in directory name n Install hacked Binaries for system programs such as netstat, ps, ls, du, login Q: Why does it Become hard to detect attacker’s process? A: Can’t detect attacker’s processes, files or network connections By running standard UNIX commands! slide 3 Sony BMG copy protection rootkit scandal (2005) • Sony BMG puBlished CDs that apparently had copy protection (for DRM). • They essentially installed a rootkit which limited user’s access to the CD. • It hid processes that started with $sys$ so a user cannot disaBle them. A software engineer discovered the rootkit, it turned into a Big scandal Because it made computers more vulneraBle to malware Q: Why? A: Malware would choose names starting with $sys$ so it is hidden from antivirus programs Sony BMG pushed a patch … But that one introduced yet another vulneraBility So they recalled the CDs in the end Detecting Rootkit’s
  • Éric FREYSSINET Lutte Contre Les Botnets

    Éric FREYSSINET Lutte Contre Les Botnets

    THÈSE DE DOCTORAT DE L’UNIVERSITÉ PIERRE ET MARIE CURIE Spécialité Informatique École doctorale Informatique, Télécommunications et Électronique (Paris) Présentée par Éric FREYSSINET Pour obtenir le grade de DOCTEUR DE L’UNIVERSITÉ PIERRE ET MARIE CURIE Sujet de la thèse : Lutte contre les botnets : analyse et stratégie Présentée et soutenue publiquement le 12 novembre 2015 devant le jury composé de : Rapporteurs : M. Jean-Yves Marion Professeur, Université de Lorraine M. Ludovic Mé Enseignant-chercheur, CentraleSupélec Directeurs : M. David Naccache Professeur, École normale supérieure de thèse M. Matthieu Latapy Directeur de recherche, UPMC, LIP6 Examinateurs : Mme Clémence Magnien Directrice de recherche, UPMC, LIP6 Mme Solange Ghernaouti-Hélie Professeure, Université de Lausanne M. Vincent Nicomette Professeur, INSA Toulouse Cette thèse est dédiée à M. Celui qui n’empêche pas un crime alors qu’il le pourrait s’en rend complice. — Sénèque Remerciements Je tiens à remercier mes deux directeurs de thèse. David Naccache, officier de réserve de la gendarmerie, contribue au développement de la recherche au sein de notre institution en poussant des personnels jeunes et un peu moins jeunes à poursuivre leur passion dans le cadre académique qui s’impose. Matthieu Latapy, du LIP6, avec qui nous avions pu échanger autour d’une thèse qu’il encadrait dans le domaine difficile des atteintes aux mineurs sur Internet et qui a accepté de m’accueillir dans son équipe. Je voudrais remercier aussi, l’ensemble de l’équipe Réseaux Complexes du LIP6 et sa responsable d’équipe actuelle, Clémence Magnien, qui m’ont accueilli à bras ouverts, accom- pagné à chaque étape et dont j’ai pu découvrir les thématiques et les méthodes de travail au fil des rencontres et des discussions.
  • A Study on Advanced Botnets Detection in Various Computing Systems Using Machine Learning Techniques

    A Study on Advanced Botnets Detection in Various Computing Systems Using Machine Learning Techniques

    SJIF Impact Factor: 7.001| ISI I.F.Value:1.241| Journal DOI: 10.36713/epra2016 ISSN: 2455-7838(Online) EPRA International Journal of Research and Development (IJRD) Volume: 5 | Issue: 12 | December 2020 - Peer Reviewed Journal A STUDY ON ADVANCED BOTNETS DETECTION IN VARIOUS COMPUTING SYSTEMS USING MACHINE LEARNING TECHNIQUES K. Vamshi Krishna Assistant Professor, Department of Computer Science and Engineering, Narasaraopet Engineering College, Narasaraopet, Guntur, India Article DOI: https://doi.org/10.36713/epra5902 ABSTRACT Due to the rapid growth and use of Emerging technologies such as Artificial Intelligence, Machine Learning and Internet of Things, Information industry became so popular, meanwhile these Emerging technologies have brought lot of impact on human lives and internet network equipment has increased. This increment of internet network equipment may bring some serious security issues. A botnet is a number of Internet-connected devices, each of which is running one or more bots.The main aim of botnet is to infect connected devices and use their resource for automated tasks and generally they remain hidden. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection. In this paper we are going to address the advanced Botnet detection techniques using Machine Learning. Traditional botnet detection uses manual analysis and blacklist, and the efficiency is very low. Applying machine learning to batch automatic detection of botnets can greatly improve the efficiency of detection. Using machine learning to detect botnets, we need to collect network traffic and extract traffic characteristics, and then use X-Means, SVM algorithm to detect botnets.
  • Security of Personal Identifiable Information

    Security of Personal Identifiable Information

    https://doi.org/10.48009/2_iis_2008_634-638 SECURITY OF PERSONAL IDENTIFIABLE INFORMATION Jack D. Shorter,Texas A&M University – Kingsville, [email protected] Karen A. Forcht, North Carolina A & T University, [email protected] Alicia Aldridge,Appalachian State University, [email protected] Daphyne S. Thomas, James Madison University,[email protected] Abstract impacted if Google’s merger with DoubleClick is completed? In today’s fast moving world, the use of technology has become a part of everyday life. Whether it is DoubleClick is one of the fastest growing digital using a computer to access the Internet, sending marketers, and the amount of user data that could be email, or using cell phones to contact friends and provided to them from Google would be phenomenal. family, technology is found in almost everything. At issue is whether Google can be trusted with users’ Technology provides many conveniences such as PII at its disposal. Armed with this information online banking, renewing a driver’s license, making a DoubleClick could target consumers with a method known as “retargeting.” This type of practice was consumer purchase, or conducting research. th However, using technology has its pros and cons. On one of the topics discussed at the 17 annual the positive side, conducting personal business online Conference on Computers, Freedom & Privacy in is convenient, saves time, and is economical. May 2007. This method uses ads and serves them to However, with the pluses, there are usually minuses users based on their Web surfing behaviors. [4] as well. In the case of an online consumer purchase, one may find price deals, but may discover a lack of A user uses a search engine such as Google to find a quality or poor customer care.
  • What Is Exploit Kit and How Does It Work? [1]Ade Kurniawan, [2]Ahmadfitriansyah [1][2]Department of Informatics Engineering, Universal University,Batam, Indonesia

    What Is Exploit Kit and How Does It Work? [1]Ade Kurniawan, [2]Ahmadfitriansyah [1][2]Department of Informatics Engineering, Universal University,Batam, Indonesia

    International Journal of Pure and Applied Mathematics Volume 118 No. 20 2018, 509-516 ISSN: 1314-3395 (on-line version) url: http://www.ijpam.eu Special Issue ijpam.eu What is Exploit Kit and How Does it Work? [1]Ade Kurniawan, [2]AhmadFitriansyah [1][2]Department of Informatics Engineering, Universal University,Batam, Indonesia Abstract— In the Year 2016 to mid-2017, the analysts have claimed those years as the years of Malware especially Ransomware. The number, spread, infection and impact of malware have caused many users, businesses, governments, and organizations to be anxious, one of the tools to spread it by using exploit kits. A popular method of mass distribution used the perpetrators of cyber criminals is using the exploit kit. Exploit kit has become more effective, cheaper and sophisticated tools to spread malware to their victims. Therefore, in this paper, we provide this research using the Network Forensic Method. The results which are done will explain the chain of events about what the exploit kit is and how the exploit kit works, including actors, campaigns, payload, and terminology involved in the spreading of malware Index Terms—Exploit Kit, Payload, Malware, Ransomware, and Chain of events. I. INTRODUCTION In our digital era, everything is connected and Network Forensics Method. Network forensics is a everyone is vulnerable. The development, part of Digital Forensic conducted with scientific dependability, and complexity of computer software methods to identify, analyse and reconstruct events have brought immediate implications for global based on digital evidence/logs from the network safety and security, especially physical objects such [14][15][16].