{"title":"AirHopper: Bridging the air-gap between isolated networks and mobile phones using radio frequencies","authors":"Mordechai Guri, Gabi Kedma, Assaf Kachlon, Y. Elovici","doi":"10.1109/MALWARE.2014.6999418","DOIUrl":"https://doi.org/10.1109/MALWARE.2014.6999418","url":null,"abstract":"Information is the most critical asset of modern organizations, and accordingly coveted by adversaries. When highly sensitive data is involved, an organization may resort to air-gap isolation, in which there is no networking connection between the inner network and the external world. While infiltrating an air-gapped network has been proven feasible in recent years (e.g., Stuxnet), data exfiltration from an air-gapped network is still considered to be one of the most challenging phases of an advanced cyber-attack. In this paper we present \"AirHopper\", a bifurcated malware that bridges the air-gap between an isolated network and nearby infected mobile phones using FM signals. While it is known that software can intentionally create radio emissions from a video display unit, this is the first time that mobile phones are considered in an attack model as the intended receivers of maliciously crafted radio signals. We examine the attack model and its limitations, and discuss implementation considerations such as stealth and modulation methods. Finally, we evaluate AirHopper and demonstrate how textual and binary data can be exfiltrated from a physically isolated computer to mobile phones at a distance of 1-7 meters, with an effective bandwidth of 13-60 Bps (Bytes per second).","PeriodicalId":151942,"journal":{"name":"2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE)","volume":"81 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126040728","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"CrowdSource: Automated inference of high level malware functionality from low-level symbols using a crowd trained machine learning model","authors":"Joshua Saxe, R. Turner, K. Blokhin","doi":"10.1109/MALWARE.2014.6999417","DOIUrl":"https://doi.org/10.1109/MALWARE.2014.6999417","url":null,"abstract":"In this paper we introduce CrowdSource, a statistical natural language processing system designed to make rapid inferences about malware functionality based on printable character strings extracted from malware binaries. CrowdSource “learns” a mapping between low-level language and high-level software functionality by leveraging millions of web technical documents from StackExchange, a popular network of technical question and answer sites, using this mapping to infer malware capabilities. This paper describes our approach and provides an evaluation of its accuracy and performance, demonstrating that it can detect at least 14 high-level malware capabilities in unpacked malware binaries with an average per-capability f-score of 0.86 and at a rate of tens of thousands of binaries per day on commodity hardware.","PeriodicalId":151942,"journal":{"name":"2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE)","volume":"12 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"131193063","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Agent-based trace learning in a recommendation-verification system for cybersecurity","authors":"W. Casey, Evan Wright, J. Morales, Michael Appel, Jeffrey Gennari, B. Mishra","doi":"10.1109/MALWARE.2014.6999404","DOIUrl":"https://doi.org/10.1109/MALWARE.2014.6999404","url":null,"abstract":"Agents in a social-technological network can be thought of as strategically interacting with each other by continually observing their own local or hyperlocal information and communicating suitable signals to the receivers, who can take appropriate actions. Such interactions have been modeled as information-asymmetric signaling games and studied in our earlier work to understand the role of deception, which often results in a general loss of cybersecurity. While there have been attempts to model and check such a body of agents for various global properties and hyperproperties, it has become clear that various theoretical obstacles to this approach are insurmountable. We instead advocate an approach to dynamically check various liveness and safety hyperproperties with the help of recommenders and verifiers; we focus on empirical studies of the resulting signaling games to understand their equilibria and stability. Agents in such a proposed system may mutate, publish, and recommend strategies and verify properties, for instance, by using statistical inference, machine learning, and model checking with models derived from the past behavior of the system. For the sake of concreteness, we focus on the well-studied problem of detecting a malicious code family using statistical learning on trace features and show how such a machine learner - in this study a classifier for Zeus/Zbot - can be rendered as a property, and then be deployed on endpoint devices with trace monitors. The results of this paper, in combination with our earlier work, indicate the feasibility of, and the way forward for, a recommendation-verification system that achieves a novel defense mechanism in a social-technological network in the era of ubiquitous computing.","PeriodicalId":151942,"journal":{"name":"2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE)","volume":"79 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126179331","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Fighting banking botnets by exploiting inherent command and control vulnerabilities","authors":"Lanier A Watkins, Christina Kawka, C. Corbett, W. H. Robinson","doi":"10.1109/MALWARE.2014.6999411","DOIUrl":"https://doi.org/10.1109/MALWARE.2014.6999411","url":null,"abstract":"Malware poses a significant threat to commerce and banking systems. Specifically, the Zeus banking botnet is reported to have caused more than 100 million dollars in damages. This type of malware has been around for over ten years, and in 2013 alone was responsible for compromising over one million computers. The impact of banking botnets (i.e., typically Zeus or its derivatives) can be lessened by exploiting the inherent vulnerabilities of their command and control (C&C). Our approach involves: (1) fuzz testing the C&C to identify vulnerabilities and (2) designing exploits that can be used to make bot-herders less effective in their criminal endeavors. The novelty of our approach is its focus on interrogating the C&C and not the compromised clients; however, we do not discourage traditional malware removal and clean-up processes. As a complement to traditional processes, we offer our approach to organizations with the proper authority for an active defense (i.e., offensive measures). We demonstrate the feasibility of this approach by using the leaked Zeus 2.0.8.9 toolkit, which included the C&C web application. The following security flaws exist in the Zeus 2.0.8.9 C&C web application: (1) no authentication between the zbot (i.e., the client-side malware) and the C&C, (2) a lack of proper access control in the web application folders, and (3) simple clear-text authentication between the C&C and the remote bot-herder. Our results suggest that because of these security flaws, a range of offensive measures are viable against the Zeus C&C, including buffer-overflow, denial-of-service, and dictionary or brute-force attacks.","PeriodicalId":151942,"journal":{"name":"2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE)","volume":"72 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132322255","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Protection against remote code execution exploits of popular applications in Windows","authors":"Jeffrey Wu, A. Arrott, F. C. Osorio","doi":"10.1109/MALWARE.2014.6999416","DOIUrl":"https://doi.org/10.1109/MALWARE.2014.6999416","url":null,"abstract":"The objective of malicious remote code execution exploits is to remotely execute code transparently to the user, and without relying on user interaction, in order to infect targeted machines. This comparative study examines the effectiveness of different proactive exploit mitigation technologies included in popular endpoint security products and specialized anti-exploit tools. The study focuses on exploits of popular applications running on Windows XP SP3 with Internet Explorer 8 (IE8). As such, the Microsoft Enhanced Mitigation Experience Toolkit (MS-EMET) is used as a reference standard for all exploit mitigation solutions. The study compares the effectiveness of endpoint security products and anti-exploit tools by separating measurements of protections in common with MS-EMET from measurements of protections supplemental to MS-EMET. This is done in order to understand not just the relative competitive effectiveness of the individual products and tools, but also the overall capability of Windows endpoint security solutions to combat the remote code execution exploit capabilities of the overall Windows malware ecosystem.","PeriodicalId":151942,"journal":{"name":"2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE)","volume":"24 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"133292506","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Codescanner: Detecting (Hidden) x86/x64 code in arbitrary files","authors":"Viviane Zwanger, E. Gerhards-Padilla, M. Meier","doi":"10.1109/MALWARE.2014.6999403","DOIUrl":"https://doi.org/10.1109/MALWARE.2014.6999403","url":null,"abstract":"Disassembly is indispensable for the proper analysis of malware. However, a common problem concerning the x86/x64 architecture is that disassemblers produce partially incorrect results. This is used by malware authors who nowadays routinely generate binaries with anti-disassembly measures. In this paper, we derive general constraints on x86 code which are not based on disassembly but on byte level. Based on these constraints we develop a set of classifiers able to locate code in any kind of files. Operating on byte level, our approach is independent of assembly semantics. Our evaluation shows that we are able to precisely locate code and provide anti-disassembly resistance independent of the operating system or compiler. Our tool can be used to detect the code sections of malware, improve code coverage for disassemblers, detect hidden code in files and in memory, or identify malware with anti-disassembly techniques.","PeriodicalId":151942,"journal":{"name":"2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE)","volume":"171 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123267207","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
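The Codescanner abstract describes locating x86/x64 code by byte-level constraints rather than by disassembly. The following is an added illustration of that idea, not the authors' tool or their derived constraints: it scores sliding windows by how many bytes fall into a hand-picked set of common opcode and prefix bytes (an assumption standing in for the paper's learned classifiers), zeroes the score for windows that are almost entirely printable text (uppercase ASCII collides with the REX and push/pop byte ranges), and merges the flagged windows into regions. The sample file is constructed inline from two small gcc-style x86-64 function bodies, ASCII text, and zero padding.

```python
"""Toy byte-level code locator: flags windows whose bytes look like x86/x64
instruction streams without running a disassembler. The byte classes below
are a hand-picked assumption, not the constraints from the Codescanner paper."""

WINDOW = 32      # bytes per scoring window
STEP = 8         # window stride
THRESHOLD = 0.5  # minimum fraction of "code-like" bytes to flag a window

COMMON_OPCODES = frozenset(
    list(range(0x40, 0x50))    # REX prefixes (x86-64)
    + list(range(0x50, 0x60))  # push/pop reg
    + list(range(0xB8, 0xC0))  # mov reg, imm
    + [0x01, 0x03, 0x09, 0x0B, 0x0F, 0x21, 0x23, 0x29, 0x2B, 0x31, 0x33, 0x39,
       0x3B, 0x66, 0x74, 0x75, 0x7E, 0x7F, 0x80, 0x81, 0x83, 0x84, 0x85, 0x88,
       0x89, 0x8A, 0x8B, 0x8D, 0x90, 0xC3, 0xC6, 0xC7, 0xC9, 0xE8, 0xE9, 0xEB,
       0xF3, 0xF7, 0xFE, 0xFF]
)
PRINTABLE = frozenset(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def code_score(window: bytes) -> float:
    """Fraction of bytes that are common opcode/prefix bytes. Windows that are
    at least 90% printable are treated as text and scored 0, because the
    uppercase ASCII range overlaps the REX/push/pop opcode ranges."""
    if not window:
        return 0.0
    printable = sum(b in PRINTABLE for b in window) / len(window)
    if printable >= 0.9:
        return 0.0
    return sum(b in COMMON_OPCODES for b in window) / len(window)


def find_code_regions(data: bytes, window: int = WINDOW, step: int = STEP,
                      threshold: float = THRESHOLD):
    """Return merged (start, end) byte ranges whose windows score >= threshold."""
    regions = []
    for off in range(0, max(len(data) - window, 0) + 1, step):
        if code_score(data[off:off + window]) >= threshold:
            end = off + window
            if regions and off <= regions[-1][1]:   # overlaps previous region
                regions[-1] = (regions[-1][0], end)
            else:
                regions.append((off, end))
    return regions


# Constructed sample: two real x86-64 function bodies as gcc -O0 would emit them.
# push rbp; mov rbp,rsp; mov [rbp-4],edi; mov eax,[rbp-4]; imul eax,eax; pop rbp; ret
FUNC_SQUARE = bytes.fromhex("554889e5897dfc8b45fc0fafc05dc3")
# push rbp; mov rbp,rsp; sub rsp,0x10; mov [rbp-8],rdi; mov rax,[rbp-8]; mov rax,[rax]; leave; ret
FUNC_DEREF = bytes.fromhex("554889e54883ec1048897df8488b45f8488b00c9c3")

TEXT = b"This is a plain text section of a document. " * 3
CODE = (FUNC_SQUARE + FUNC_DEREF) * 2
PADDING = bytes(64)
SAMPLE_FILE = TEXT + CODE + PADDING            # text | hidden code | zeros
CODE_START, CODE_END = len(TEXT), len(TEXT) + len(CODE)


if __name__ == "__main__":
    for start, end in find_code_regions(SAMPLE_FILE):
        print(f"code-like region at [{start}, {end}) "
              f"(true code at [{CODE_START}, {CODE_END}))")
```

On the constructed file the text windows score 0 (printable rule), the zero padding scores 0, and the code windows score well above the threshold, so a single region covering the hidden code is reported. Region edges are only window-accurate; a real detector tightens them and uses far richer byte constraints.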
{"title":"MysteryChecker: Unpredictable attestation to detect repackaged malicious applications in Android","authors":"Jihwan Jeong, Dongwon Seo, Chan-Haeng Lee, Jonghoon Kwon, Heejo Lee, J. Milburn","doi":"10.1109/MALWARE.2014.6999415","DOIUrl":"https://doi.org/10.1109/MALWARE.2014.6999415","url":null,"abstract":"The number of malicious applications, sometimes known as malapps, on Android smartphones has increased significantly in recent years. Malapp writers abuse repackaging techniques to rebuild applications with code changes. Existing anti-malware applications do not successfully defeat or defend against repackaged malapps due to their numerous variants. Software-based attestation approaches, widely used in resource-constrained environments, have been developed to detect code changes in software with low resource consumption. In this paper, we propose a novel software-based attestation approach, called MysteryChecker, leveraging an unpredictable attestation algorithm. For its unpredictable attestation, MysteryChecker applies the concept of code obfuscation, which changes the syntax in order to avoid code analysis by adversaries. More precisely, unpredictable attestation is achieved by chaining randomly selected crypto functions. A verifier sends a randomly generated attestation module, and the target application must reply with a correct response using the attestation module. Also, the target application periodically receives a new module that contains a different attestation algorithm. Thus, even if the attacker analyzes the attestation module, the target application replaces the existing attestation module with a new one and the analysis done by the attacker becomes invalid. Experimental results show that MysteryChecker is able to detect all known and unknown variants of repackaged malapps, while existing anti-malware applications only partially detect the variants.","PeriodicalId":151942,"journal":{"name":"2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE)","volume":"43 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132693890","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
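The MysteryChecker abstract describes a verifier that sends a randomly generated attestation module built by chaining randomly selected crypto functions, a target that must answer with the correct response, and periodic module replacement so that analysis of an old module is wasted. The following is an added simulation of that exchange, not code from the paper: the set of hash primitives, the chain length, the nonce size, and the byte strings standing in for the genuine and repackaged application code are all assumptions. It shows an honest target passing, a repackaged target failing, and a response replayed from an earlier module being rejected once a fresh module is issued.

```python
"""Simulated unpredictable attestation round in the style described by the
MysteryChecker abstract. Primitive set, chain length, nonce size and the
stand-in application bytes are assumptions made for this example."""
import hashlib
import hmac
import random

# Assumed menu of primitives the verifier may chain; the paper does not list its set.
PRIMITIVES = {
    "sha256": hashlib.sha256,
    "sha3_256": hashlib.sha3_256,
    "blake2s": hashlib.blake2s,
    "sha1": hashlib.sha1,
}

# Constructed stand-ins for the application's code bytes (not real DEX).
GENUINE_CODE = b"classes.dex: genuine application code v1.0"
REPACKAGED_CODE = b"classes.dex: genuine application code v1.0 + injected payload"


def generate_module(rng: random.Random, chain_length: int = 4) -> dict:
    """Verifier side: a fresh attestation module, i.e. a random chain of
    primitives plus a fresh nonce. A new one is issued every round."""
    return {
        "chain": [rng.choice(sorted(PRIMITIVES)) for _ in range(chain_length)],
        "nonce": rng.getrandbits(128).to_bytes(16, "big"),
    }


def run_module(module: dict, code: bytes) -> bytes:
    """Target side (and the verifier over its reference copy): push
    nonce || code through the chain, each step hashing the previous digest."""
    digest = module["nonce"] + code
    for name in module["chain"]:
        digest = PRIMITIVES[name](digest).digest()
    return digest


def verify(module: dict, response: bytes, reference_code: bytes) -> bool:
    """Verifier side: recompute the expected response from the reference copy
    and compare in constant time."""
    return hmac.compare_digest(response, run_module(module, reference_code))


def simulate(seed: int = 1) -> dict:
    """One honest round, one repackaged target, then a module refresh that
    invalidates a replayed response. Returns the outcome of each check."""
    rng = random.Random(seed)
    round1 = generate_module(rng)
    honest_response = run_module(round1, GENUINE_CODE)
    tampered_response = run_module(round1, REPACKAGED_CODE)
    round2 = generate_module(rng)  # periodic replacement with a new algorithm
    return {
        "honest_passes": verify(round1, honest_response, GENUINE_CODE),
        "repackaged_fails": not verify(round1, tampered_response, GENUINE_CODE),
        "replay_fails": not verify(round2, honest_response, GENUINE_CODE),
        "modules_differ": round1 != round2,
    }


if __name__ == "__main__":
    for check, ok in simulate().items():
        print(f"{check}: {'ok' if ok else 'FAILED'}")
```

The nonce defeats precomputation and the per-round chain defeats a canned responder for a fixed algorithm. The usual caveat for any software-based attestation still applies: the verifier's reference copy must be trustworthy, and a target that keeps an untouched copy of the original code around and runs the module over that copy instead of over its own executing code would answer correctly, so deployments pair this with checks that the attested bytes are the bytes actually loaded.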
{"title":"Global and local prevalence weighting of missed attack sample impacts for endpoint security product comparative detection testing","authors":"A. Clementi, Peter Stelzhammer, F. C. Osorio","doi":"10.1109/MALWARE.2014.6999413","DOIUrl":"https://doi.org/10.1109/MALWARE.2014.6999413","url":null,"abstract":"In the past, several methods have been used to select malware attack samples, the so-called Stimulus Workload (SW), used in malware-detection tests of endpoint security products. For example, in the selection process one must be aware that amongst the samples selected, some pose a greater threat to users than others, as they are more widespread and hence more likely to affect a user. Some may target a specific company or user base, but present less risk to other users. Other malware attack samples may only be found on specific websites, affect specific countries/regions, or only be relevant to particular operating system versions or interface languages (English, German, Chinese, and so forth). Unfortunately, due to such variability, the selection of samples can and will skew the results dramatically. For this reason, over the last several years, the Security Effectiveness Measurement Community & Ecosystem (SEMCE) has begun the process of adopting a test methodology that requires strict adherence to standards. The primary reason for the adoption of said methodology, first described in [1], is to assure the reproducibility and reliability of test results. This methodology requires that the stimulus workload used must be a reliable proxy for the actual environment that the products are expected to encounter in the wild. In this manuscript, we present the results of endpoint security protection products' effectiveness when the selected stimulus workload (SW) takes into consideration variabilities such as the ones described above. We call these workloads CSWs, or Customizable Stimulus Workloads, and our results show great variance in the effectiveness of endpoint products when such CSWs are used. Our evaluation of endpoint security products uses a simple metric, namely missed detections. The generation of the CSWs depended heavily on Microsoft's global telemetry data gathered in 2013 and 2014 for Microsoft Windows updates. Twenty-two (22) endpoint security products were evaluated using this methodology. The results obtained show great variability between the miss ratios, meaning the number of malware samples the product failed to detect, and the customer impact coefficient amongst vendors. For example, two endpoint protection products that had similar miss percentages of 0.2 % and 0.4 % showed dramatic customer impact coefficient differences of 0.001209 and 0.018903 respectively. This means that when miss percentages were normalized for factors such as prevalence, operating system, language, and so forth, systems protected by one vendor were 18 times more likely to suffer an infection than their counterparts.","PeriodicalId":151942,"journal":{"name":"2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE)","volume":"33 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"114433135","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
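The prevalence-weighting abstract above makes one point that is easy to miss in a raw miss-rate table: two products with similar miss percentages can differ by an order of magnitude in expected customer impact once each missed sample is weighted by how widespread it is and which OS/language population it can actually hit. The paper does not give its coefficient formula on this page, so the following added example (not the authors' code) uses an assumed weighting, prevalence of the missed sample multiplied by the installed-base share of the platform it targets, over a constructed workload and constructed population shares, to show the effect with two products that miss exactly the same number of samples.

```python
"""Prevalence-weighted impact of missed detections. The weighting formula,
the workload and the population shares are assumptions for this example;
the paper's own coefficient is derived from Microsoft telemetry."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    name: str          # constructed label, not a real hash or family name
    prevalence: float  # assumed share of telemetry machines that met this sample
    platform: str      # OS version / UI language the sample actually runs on


# Constructed installed-base shares per platform (stand-in for OS/language telemetry).
POPULATION = {"win7/en": 0.50, "win8/zh": 0.30, "winxp/de": 0.20}

# Constructed customizable stimulus workload: two widespread samples, eight rare ones.
WORKLOAD = [
    Sample("s01", 0.300, "win7/en"),
    Sample("s02", 0.100, "win8/zh"),
    *[Sample(f"s{i:02d}", 0.001, "winxp/de") for i in range(3, 11)],
]


def missed(workload, detected):
    return [s for s in workload if s.name not in detected]


def miss_percentage(workload, detected) -> float:
    """The plain metric: share of workload samples the product failed to detect."""
    return 100.0 * len(missed(workload, detected)) / len(workload)


def customer_impact(workload, detected, population) -> float:
    """Assumed weighting: each missed sample contributes its prevalence scaled
    by the share of the installed base running the platform it targets."""
    return sum(s.prevalence * population[s.platform]
               for s in missed(workload, detected))


# Constructed detection results: both products miss two of ten samples,
# but product B misses the most widespread one.
ALL_NAMES = {s.name for s in WORKLOAD}
DETECTIONS = {
    "A": ALL_NAMES - {"s09", "s10"},
    "B": ALL_NAMES - {"s01", "s10"},
}


def compare(population=POPULATION) -> dict:
    """Return {product: (miss_percentage, customer_impact)} for each product."""
    return {
        name: (miss_percentage(WORKLOAD, det), customer_impact(WORKLOAD, det, population))
        for name, det in DETECTIONS.items()
    }


if __name__ == "__main__":
    for product, (miss_pct, impact) in compare().items():
        print(f"product {product}: missed {miss_pct:.1f}%  impact coefficient {impact:.6f}")
```

With these inputs both products miss 20.0 % of the workload, yet the impact coefficient of B is several hundred times that of A, because B's misses include a sample that 30 % of the telemetry population encountered on the most common platform. Whatever the exact weighting a test lab uses, the prevalence and platform data behind it must come from telemetry matching the customer base the test claims to represent, or the coefficient inherits the same skew as an unweighted sample set.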
{"title":"Risk prediction of malware victimization based on user behavior","authors":"F. Lévesque, José M. Fernandez, Anil Somayaji","doi":"10.1109/MALWARE.2014.6999412","DOIUrl":"https://doi.org/10.1109/MALWARE.2014.6999412","url":null,"abstract":"Understanding what types of users and usage are more conducive to malware infections is crucial if we want to establish adequate strategies for dealing with and mitigating the effects of computer crime in its various forms. Real-usage data is therefore essential to make better evidence-based decisions that will improve users' security. To this end, we performed a 4-month field study with 50 subjects and collected real-usage data by monitoring possible infections and gathering data on user behavior. In this paper, we present a first attempt at predicting the risk of malware victimization based on user behavior. Using neural networks we developed a predictive model that has an accuracy of up to 80% at predicting a user's likelihood of being infected.","PeriodicalId":151942,"journal":{"name":"2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE)","volume":"27 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121489541","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Host-based code injection attacks: A popular technique used by malware","authors":"Thomas Barabosch, E. Gerhards-Padilla","doi":"10.1109/MALWARE.2014.6999410","DOIUrl":"https://doi.org/10.1109/MALWARE.2014.6999410","url":null,"abstract":"Common goals of malware authors are detection avoidance and the gathering of critical information. There exist numerous techniques that help these actors reach their goals. One especially popular technique is the Host-Based Code Injection Attack (HBCIA). According to our research, 63.94% of a malware set of 162850 samples use HBCIAs. The act of locally copying malicious code into a foreign process space and subsequently executing it is called a Host-Based Code Injection Attack. In this paper, we define HBCIAs and introduce a taxonomy for HBCIA algorithms. We show that an HBCIA algorithm can be broken down into three steps. In total there are four classes of HBCIA algorithms. Then we examine a huge set of malware samples and estimate the prevalence of HBCIA-employing malware and their target process distribution. Moreover, we analyse Intrusion Prevention System data and show that HBCIA-employing malware prefers network-related processes for its network communication. To the best of our knowledge, we are the first to thoroughly describe and formalize this phenomenon and give an estimate of its prevalence. Thus, we build a solid foundation for future work on this topic.","PeriodicalId":151942,"journal":{"name":"2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE)","volume":"102 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116666203","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}