19 Works

DGA Clustering and Analysis: Mastering Modern, Evolving Threats, DGALab

Alexander Chailytko & Aliaksandr Trafimchuk
Domain Generation Algorithms (DGA) are a basic building block used in almost all modern malware. Malware researchers have attempted to tackle the DGA problem with various tools and techniques, with varying degrees of success. We present a complex solution to populate a DGA feed using reversed DGAs, third-party feeds, and a smart DGA extraction and clustering based on emulation of a large number of samples. Smart DGA extraction requires no reverse engineering and works regardless of...

Malpedia: A Collaborative Effort to Inventorize the Malware Landscape

Daniel Plohmann, Martin Clauß, Steffen Enders & Elmar Padilla
For more than a decade now, a perpetual influx of new malware samples can be observed. To analyze this flood effectively, static analysis is still one of the most important methods. Thus, it would be highly desirable to have an open, freely accessible, curated, and cleanly labeled corpus of unpacked malware samples for research on static analysis methods. In this paper, we introduce MALPEDIA, a collaboration platform for curating a malware corpus. Additionally, we provide...

Malware Instrumentation Application to Regin Analysis

Matthieu Kaczmarek
The complexity of the Regin malware underlines the importance of reverse engineering in modern incident response. The present study shows that such complexity can be overcome: substantial information about adversary tactics, techniques and procedures is obtained from reverse engineering. An introduction to the Regin development framework is provided along with instrumentation guidelines. Such instrumentation enables experimentation with malware modules, so analysis can directly leverage the malware's own code without the need to program an analysis toolkit....

Practical Experiences of Building an IPFIX Based Open Source Botnet Detector

Mark Graham, Adrian Winckles & Erika Sanchez-Velazquez
The academic study of flow-based malware detection has primarily focused on NetFlow v5 and v9. In 2013 IPFIX was ratified as the flow export standard. As part of a larger project to develop protection methods for Cloud Service Providers from botnet threats, this paper considers the challenges involved in designing an open source IPFIX based botnet detection function. This paper describes how these challenges were overcome and presents an open source system built upon Xen...

The Missing Piece in Threat Intelligence

Frank Denis
Common systems for sharing intelligence on security threats have not been designed to efficiently process feedback from infrastructure providers. In order to fill this gap, we introduce DIP, a new description language to expose changes being made on a network that are relevant to security research and prevention.

Make It Count: an Analysis of a Brute-forcing Botnet

Veronica Valeros
The smallest element in a botnet is a bot. The behavior of a bot can change dynamically based on the decision of the botmaster. Commonly driven by profit, bots are expected to be profitable. If an infected bot does not fulfill the expectations, the botmaster can instruct the bot to switch its behavior to serve a better purpose. This paper presents a detailed analysis of a network traffic capture of a machine originally infected by...

Air-gap Limitations and Bypass Techniques: “Command and Control” using Smart Electromagnetic Interferences

Chaouki Kasmi, José Lopes Esteves & Philippe Valembois
Air gaps are generally considered to be a very efficient information security protection. However, this technique has also shown limitations, involving the finding of covert channels for bridging the air gap. Interestingly, recent publications have pointed out that a smart use of intentional electromagnetic interferences introduces new threats to information security. In this paper, an innovative way of remotely communicating with a malware already installed on a computer by means of the induced perturbations is discussed, leading to...

Function Identification and Recovery Signature Tool

Angel Villegas
Reverse engineering benign or malicious samples can take a considerable amount of time, and new samples are created at an alarming rate. Leveraging disassemblers like IDA Pro, a reverse engineer can analyze the same routines across several samples over the lifetime of their career. Their knowledge is not easily transferred to similar samples or functions, for themselves or for others. In particular we can consider the problem code reuse has on reversing efforts, whether it is...

The Journal on Cybercrime & Digital Investigations, Vol 2 No 1 (2016)

The Journal On Cybercrime
Proceedings of Botconf 2016 The botnet fighting conference, 4th edition, Lyon, France, 30 November-2 December 2016

Malware Analysis Sandbox Testing Methodology

Zoltan Balazs
Manual processing of malware samples became impossible years ago. Sandboxes are used to automate the analysis of malware samples to gather information about the dynamic behaviour of the malware, both at AV companies and at enterprises. Some malware samples use known techniques to detect when they run in a sandbox, but most of these sandbox detection techniques can be easily detected and thus flagged as malicious. I invented new approaches to detect these sandboxes. I...

ISFB: Still Live and Kicking

Maciej Kotowicz
ISFB is also known as Gozi2/Ursnif, sometimes Rovnix. ISFB reappeared in early 2013 attracting some attention from the research community and a lot of confusion in the naming convention and to what was being analyzed. Then suddenly, it went dark again. However, dark does not mean dead. With attention of the world focused on Dridex and Dyre, ISFB silently evolved, hiding from the spotlight to become one of the most complex and fully featured banking...

The Journal on Cybercrime & Digital Investigations, Vol 3 No 1 (2017): Botconf 2017

The Journal On Cybercrime
Proceedings of Botconf 2017

Behavior-Driven Development in Malware Analysis

Thomas Barabosch & Elmar Gerhards-Padilla
A daily task of malware analysts is the extraction of behaviors from malicious binaries. Such behaviors include domain generation algorithms, cryptographic algorithms or deinstallation routines. Ideally, this tedious task should be automated. So far scientific solutions have not gotten beyond proof-of-concepts. Malware analysts continue to reimplement behaviors of interest manually. However, oftentimes they merely translate the malicious binary's assembler code to a higher-level language. This yields poorly readable and undocumented code whose correctness...

An Overview of the WCMS Brute-forcing Malware Landscape

Anna Shirokova & Veronica Valeros
Web Content Management Systems (WCMS) provide simple tools to manage web content that enable users with little knowledge of programming languages and web design. WCMSs have become extremely popular in the last decade. WordPress, with more than 18M websites worldwide, is the most prominent WCMS. It is because of its popularity that this and other well-known WCMSs have been systematically attacked for the past years by different threat actors seeking disposable infrastructure for their attacks....

Building a Hybrid Experimental Platform for Mobile Botnet Research

Apostolos Malatras & Laurent Beslay
Mobile botnets are an emerging security threat that aims at exploiting the wide penetration of mobile devices and systems and their vulnerabilities, in the same spirit as traditional botnets. Mobile botmasters take advantage of infected mobile devices and issue command and control operations on them to extract personal information, cause denial of service or gain financially. To date, research on countering such attacks or studying their effects has been conducted in a sporadic manner that...

Exploring a P2P Transient Botnet - From Discovery to Enumeration

Renato Marinho & Raimir Holanda
From DDoS attacks to malicious code propagation, botnets continue to represent a strong threat to entities and users connected to the Internet and, due to this, continue to be an important research area. The power of those numerous networks proved itself when they interrupted a great part of the Internet, causing impacts to companies like Twitter and Netflix, when the Mirai P2P botnet targeted Dyn's DNS services back in 2016. In this paper, we...

Collecting Malicious Particles from Neutrino Botnets

Jakub Souček, Jakub Tomanek & Peter Kálnai
Neutrino Bot (also known and detected as Win/Kasidet) is a rapidly changing threat. It first became known around December 2013. It has been actively developed ever since, resulting in version 5.4 at the very beginning of 2018. It is being sold for an attractive price to a large variety of cybercriminals. This paper presents an extensive summary of the history of the bot while focusing on the most recent versions. It presents methods on how to...

ApiScout: Robust Windows API Usage Recovery for Malware Characterization and Similarity Analysis

Daniel Plohmann, Steffen Enders & Elmar Padilla
Given today's masses of malware there is a need for fast analysis and comparison of samples. System API usage has been proven to be a very valuable source of information for this, e.g. as shown by Rieck et al. However, the majority of malware samples are shipped packed, making it hard to get accurate information on their payload's API usage. Today's state of the art to get this information from packed samples is by unpacking them...
