{"title":"Automatic construction of printable return-oriented programming payload","authors":"Wenbiao Ding, Xiao Xing, Ping Chen, Zhi Xin, Bing Mao","doi":"10.1109/MALWARE.2014.6999408","DOIUrl":"https://doi.org/10.1109/MALWARE.2014.6999408","url":null,"abstract":"Return-oriented programming is a kind of code-reuse technique for attackers, which is very effective to bypass the DEP defense. However, the instruction snippet (we call it a gadget) is often unprintable. This shortcoming can limit the ROP attack from being deployed in practice, since non-ASCII scanning can detect such ROP payloads. In this paper, we present a novel method that only uses the printable gadgets, so that it can circumvent the non-ASCII detection. However, this method is non-trivial because printable gadgets account for about 10 percent of all the gadgets we can find in existing code (e.g., library or program code). Additionally, not only the gadget addresses but also the data should all be printable in our ROP payload. To construct the printable ROP payload, we propose a reverse derivation method to transform original shellcode into a printable ROP payload. The transformation is driven by state machines, which indicate the status of data flows. Experimental results show that our method can construct a printable ROP payload that has the same functionality as real-world malicious shellcode; in addition, the construction process is totally automatic.","PeriodicalId":151942,"journal":{"name":"2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE)","volume":"1 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123177999","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"BoTGen: A new approach for in-lab generation of botnet datasets","authors":"Muhammad H. ElSheikh, Mohammed S. Gadelrab, Mahmoud A. Ghoneim, M. Rashwan","doi":"10.1109/MALWARE.2014.6999406","DOIUrl":"https://doi.org/10.1109/MALWARE.2014.6999406","url":null,"abstract":"Although datasets represent a critical part of research and development activities, botnet research suffers from a serious shortage of reliable and representative datasets. In this paper, we explain a new approach to build a botnet experimentation platform completely from off-the-shelf open sources. This work aims to fill the gap in botnet research due to the lack of representative datasets. The proposed approach provides a flexible way to experiment with botnets freely in a controlled environment. Moreover, various botnet scenarios can be generated and carried out automatically, which allows producing rich datasets with diverse botnet scenarios.","PeriodicalId":151942,"journal":{"name":"2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE)","volume":"37 2","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"120978078","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"HoneyAgent: Detecting malicious Java applets by using dynamic analysis","authors":"Jan Gassen, J. P. Chapman","doi":"10.1109/MALWARE.2014.6999402","DOIUrl":"https://doi.org/10.1109/MALWARE.2014.6999402","url":null,"abstract":"Malicious Java applets are widely used to deliver malicious software to remote systems. In this work, we present HoneyAgent which allows for the dynamic analysis of Java applets, bypassing common obfuscation techniques. This enables security researchers to quickly comprehend the functionality of an examined applet and to unveil malicious behavior. In order to trace the behavior of a sample as far as possible, HoneyAgent is further able to simulate various vulnerabilities allowing analysts for example to identify the malware that should finally be installed by the applet. In our evaluation, we show that HoneyAgent is able to reliably detect malicious applets used by common exploit kits with no false positives. By using a combination of heuristics as well as signatures applied to observed method invocations, HoneyAgent is further able to identify exploited common vulnerabilities and exposures in many cases.","PeriodicalId":151942,"journal":{"name":"2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE)","volume":"34 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"126757084","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"PsyBoG: Power spectral density analysis for detecting botnet groups","authors":"Jonghoon Kwon, Jeongsik Kim, Jehyun Lee, Heejo Lee, A. Perrig","doi":"10.1109/MALWARE.2014.6999414","DOIUrl":"https://doi.org/10.1109/MALWARE.2014.6999414","url":null,"abstract":"Botnets are widely used for acquiring economic profits, by launching attacks such as distributed denial-of-service (DDoS), identification theft, ad-ware installation, mass spamming, and click fraud. Many approaches have been proposed to detect botnets, which rely on end-host installations or operate on network traffic with deep packet inspection. They have limitations for detecting botnets which use evasion techniques such as packet encryption, fast flux, dynamic DNS and DGA. Sporadic botnet behavior caused by disconnecting the power of the system or by the botnet's own nature also brings unignorable false detections. Furthermore, normal users' traffic causes a lot of false alarms. In this paper, we propose a novel approach called PsyBoG to detect botnets by capturing periodic activities. PsyBoG leverages a signal processing technique, PSD (Power Spectral Density) analysis, to discover the major frequencies from the periodic DNS queries of botnets. The PSD analysis allows us to detect sophisticated botnets irrespective of their evasion techniques, sporadic behavior and even the noise traffic generated by normal users. To evaluate PsyBoG, we utilize real-world DNS traces collected from a /16 campus network including more than 48,046K queries, 34K distinct IP addresses and 146K domains. Finally, PsyBoG caught 19 unknown and 6 known botnet groups with 0.1% false positives.","PeriodicalId":151942,"journal":{"name":"2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE)","volume":"26 24-25","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132709022","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Combining commercial consensus and community crowd-sourced categorization of web sites for integrity against phishing and other web fraud","authors":"F. Leitold, A. Arrott, F. C. Osorio","doi":"10.1109/MALWARE.2014.6999407","DOIUrl":"https://doi.org/10.1109/MALWARE.2014.6999407","url":null,"abstract":"Traditionally, the protection provided by 3rd party anti-Malware endpoint security products is measured using a sample set that is representative of the prevalent universe of attacks at that point in time (malicious URLs and/or malicious files in the world). The methodology used for such a selection of the Malware attack samples, the so-called Stimulus Workload (SW), has been a matter of controversy for a number of years. The reason is simple. Given a carefully crafted selection of such files or URLs, the results of the measurements can vary drastically, favoring one vendor versus the other. In [1], Colon Osorio, et al. argued that the selection process must be strictly regulated, and further, that such a selection must take into account the fact that amongst the samples selected, some pose a greater threat to users than others, as they are more widespread, and hence are more likely to affect a given user. Further, some Malware attack samples may only be found on specific websites, affect specific countries/regions, or only be relevant to a particular operating system version or interface language (English, German, Chinese, and so forth). In [1], [2], the idea of Customizable Stimulus Workloads (CSW) was first suggested, whereby the collection of samples selected as the Stimulus Workload is required to take into account all the elements described above. Within this context, CSWs are created by filtering attack samples based on prevalence, geographic regions, customer application environments, and other factors. Within the context of this methodology, in this manuscript we will pay special attention to one such specific application environment, primarily Social Networks. With such a target environment in mind, a CSW was created and used to evaluate the performance of end-point security products. Basically, we examine the protection provided against Malware that uses internet Social Networks as part of the attack vector. When Social Network CSWs are used, together with differential metrics of effectiveness, we found that amongst the Social Networks studied (Facebook, Google+, and Twitter) the amount of inherent protection provided ranged from negligible to a level that we will call modest self-protection (0% to 18% prevention rate). Further, results of our evaluation showed that the supplemental protection provided by 3rd party anti-Malware products was erratic, ranging from a low of 0% to a high of 93% depending on the product and/or Social Network combination.","PeriodicalId":151942,"journal":{"name":"2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE)","volume":"86 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"123533428","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Identifying malware genera using the Jensen-Shannon distance between system call traces","authors":"Jeremy D. Seideman, B. Khan, A. C. Vargas","doi":"10.1109/MALWARE.2014.6999409","DOIUrl":"https://doi.org/10.1109/MALWARE.2014.6999409","url":null,"abstract":"The study of malware often involves some form of grouping or clustering in order to indicate malware samples that are closely related. There are many ways that this can be performed, depending on the type of data that is recorded to represent the malware and the eventual goal of the grouping. While the concept of a malware family has been explored in depth, we introduce the concept of the malware genus, a grouping of malware that consists of very closely related samples determined by the relationships between samples within the malware population. Determining the boundaries of the malware genus is dependent upon the way that the malware samples are compared and the overall relationship between samples, with special attention paid to the parent-child relationship. Biologists have several criteria that are used to judge the usefulness of a genus when creating a taxonomy of organisms; we sought to design a classification that would be as useful in the world of malware research as it is in biology. We present two case studies in which we analyze a set of malware, using the Jensen-Shannon Distance between system call traces to measure distance between samples. The case studies show the genera that we create adhere to all of the criteria used when creating taxa of biological organisms.","PeriodicalId":151942,"journal":{"name":"2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE)","volume":"23 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"115369061","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
{"title":"Bacterial quorum sensing for coordination of targeted malware","authors":"Mark E. Fioravanti, R. Ford","doi":"10.1109/MALWARE.2014.6999405","DOIUrl":"https://doi.org/10.1109/MALWARE.2014.6999405","url":null,"abstract":"Bacterial Quorum Sensing is a process that bacteria use to determine their local population density. Based on this determination, individual bacterial cells may alter their survival strategies to those strategies which benefit the cell the most [1, 5, 12]. For example, bacteria utilize quorum sensing to determine if the cell would benefit more from either asocial or social strategies. Alone, a single cell is vulnerable, but in a community they represent a threat capable of overwhelming a host's immune system. Most importantly, most quorum sensing approaches use commonly-encountered chemicals for sensing; due to their ubiquity, these quorum signals are not useful for determining if an object is a bacterium; rather, they speak to the local population density. Similarly, malware has demonstrated a variety of techniques to communicate and to evade detection, and like bacteria, survival strategies can also depend on population density. As such, malware could utilize the bacterial quorum sensing system as a method of communication which has the potential to allow targeted malware to communicate and coordinate activities. Furthermore, inspired by bacterial quorum sensing, malware could use signals that are already common in the computing environment in a way that does not provide actionable remediation intelligence to network defenders. Thus, the use of a bacterial quorum sensing mechanism instead of another distributed algorithm allows the malware to leverage self-organizing properties that are based on the number of infected hosts on a network without exposing individually infected hosts to targeted remediation. This paper demonstrates and implements a digital version of the quorum sensing system through a timing covert channel [9], and uses statistical tests to determine if a signal is present. We argue that just as for bacteria, the digital quorum sensing signal is not useful for determining if a particular host is infected; as such, it is an attractive choice for malware authors.","PeriodicalId":151942,"journal":{"name":"2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE)","volume":"25 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-10-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132776490","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}