Source Code Implications for Malcode

Abstract

The advent of source code availability within the malicious code world has serious implications. The nature and volume of attacks have been changed forever as a result. This article reviews a brief history of source code implications and identifies current trends and implications of source code availability to malicious actors.     

Source Code Implications for Malcode

Abstract

The availability of source code for both exploits and malicious code is higher than it has ever been in the history of computing. More important, the source codes for highly successful, high- profile malicious tools are now available. Several years ago it was almost impossible to obtain the source for these worms and exploits, forcing actors to rely on minor changes to binaries to generate new variants of a family. With the source code, attackers can easily edit code, compile new “undetected” variants, and copy and paste code from multiple creations to create new codes.     

基于多线程的超混沌加解密技术

针对现阶段虚拟机防病毒技术存在的缺陷,本文将基于超混沌Hénon映射的加解密技术与多线程技术相结合,提出了基于多线程超混沌密码的恶意代码隐藏算法;在对恶意代码涉及的隐藏性因素进行分析的基础上,基于层次分析法,提出了恶意代码的隐藏性分析模型。利用灰鸽子这一典型恶意代码对提出的恶意代码隐藏算法进行了实验与测试,并利用隐藏性分析模型对测试结果进行了分析,验证了提出的基于多线程超混沌密码的恶意代码隐藏算法的有效性。本文的研究成果可以增强恶意代码的隐藏性,增加恶意代码的威胁程度,为防病毒技术的发展提供了新思路。     

Unknown malcode detection and the imbalance problem

The recent growth in network usage has motivated the creation of new malicious code for various purposes. Today’s signature-based antiviruses are very accurate for known malicious code, but can not detect new malicious code. Recently, classification algorithms were used successfully for the detection of unknown malicious code. But, these studies involved a test collection with a limited size and the same malicious: benign file ratio in both the training and test sets, a situation which does not reflect real-life conditions. We present a methodology for the detection of unknown malicious code, which examines concepts from text categorization, based on n-grams extraction from the binary code and feature selection. We performed an extensive evaluation, consisting of a test collection of more than 30,000 files, in which we investigated the class imbalance problem. In real-life scenarios, the malicious file content is expected to be low, about 10% of the total files. For practical purposes, it is unclear as to what the corresponding percentage in the training set should be. Our results indicate that greater than 95% accuracy can be achieved through the use of a training set that has a malicious file content of less than 33.3%.     

基于最小攻击树的UEFI恶意行为检测模型

指出了UEFI中源代码、自身扩展模块及来自网络的安全隐患,分析了传统的BIOS与已有的UEFI恶意代码检测方法的不足,定义了结合UEFI平台特点的攻击树与威胁度,构建了动态扩展的威胁模型库与恶意行为特征库相结合的攻击树模型,设计了针对UEFI恶意行为检测的加权最小攻击树算法。实验证明了模型的有效性与可扩展性。     

Securing communication using function extraction technology for malicious code behavior analysis

Since computer hardware and Internet is growing so fast today, security threats of malicious executable code are getting more serious. Basically, malicious executable codes are categorized into three kinds – virus, Trojan Horse, and worm. Current anti-virus products cannot detect all the malicious codes, especially for those unseen, polymorphism malicious executable codes. The newly developed virus will create the damages before it has been found and updated in database. The basic idea of the proposed system is, it will analyze the behavior of the malicious codes and based on the behavior signature of the malicious code content filtering mechanism will be used to filter out contents, so that, the system will be secured from the future communication processes. The behavior of the code is analyzed using the function extraction technology. The function extraction technology will replace the function codes into algebraic expressions. Based on the behavior of the malicious codes, it will be categorized into different kinds of malicious codes. The detected malicious code will be prevented from execution. Based on the type of malicious code, appropriate security mechanism will be used for further communication.     

Attacking malicious code: a report to the Infosec Research Council

The accelerating trends of interconnectedness, complexity and extensibility are aggravating the already-serious threat posed by malicious code. To combat malicious code, these authors argue for creating sound policy about software behavior and enforcing that policy through technological means     

Metamorphic Malware Detection Using Code Metrics

ABSTRACT

Malware is becoming more and more aggressive and new techniques are emerging to allow malicious code to evade detection by antiviruses. Metamorphic malware is a particularly insidious kind of virus that changes its form at each infection. In this article, a technique for detecting metamorphic viruses is proposed that is based on identifying specific features of the assembly code, such as the instructions that change the contents of the registers, the instructions that change the control flow, and the potential code fragmentation. Such features have been derived by the analysis of a large dataset of malware. The experimentation suggests that the proposed technique produces very high precision (over 97%) in recognizing metamorphic malware, and allows also for distinguishing among different families of malware.     

SubSeven’s Honey Pot Program

A serious security threat today are malicious executables, especially new, unseen malicious executables often arriving as email attachments. These new malicious executables are created at the rate of thousands every year¹ and pose a serious threat. Current anti-virus systems attempt to detect these new malicious programs with heuristic generated by hand. This approach is costly and often ineffective. In this paper we introduce the Trojan Horse SubSeven, its capabilities and influence over intrusion detection systems. A Honey Pot program is implemented, simulating the SubSeven Server. The Honey Pot Program provides feedback and stores data to and from the SubSeven’s client.     

基于威胁情报的自动生成入侵检测规则方法

针对传统的IDS规则更新方法基本只能提取已知攻击行为的特征,或者在原有特征的基础上寻找最佳的一般表达式,无法针对当前发生的热点网络安全事件做出及时更新,提出基于威胁情报的自动生成入侵检测规则方法.文章分类模块使用Word2Vec进行特征提取,利用AdaBoost算法训练文章分类模型获取威胁情报文本;定位IoC所在的段落...     

Exposing mobile malware from the inside (or what is your mobile app really doing?)

It is without a doubt that malware especially designed for modern mobile platforms is rapidly becoming a serious threat. The problem is further multiplexed by the growing convergence of wired, wireless and cellular networks, since virus writers can now develop sophisticated malicious software that is able to migrate across network domains. This is done in an effort to exploit vulnerabilities and services specific to each network. So far, research in dealing with this risk has concentrated on the Android platform and mainly considered static solutions rather than dynamic ones. Compelled by this fact, in this paper, we contribute a fully-fledged tool able to dynamically analyze any iOS software in terms of method invocation (i.e., which API methods the application invokes and under what order), and produce exploitable results that can be used to manually or automatically trace software’s behavior to decide if it contains malicious code or not. By employing real life malware we assessed our tool both manually, as well as, via heuristic techniques and the results we obtained seem highly accurate in detecting malicious code.     

Evolution of cross site request forgery attacks

This paper presents a state of the art of cross-site request forgery (CSRF) attacks and new techniques which can be used by potential intruders to make them more effective. Several attack scenarios on widely used web applications are discussed, and a vulnerability which affect most recent browsers is explained. This vulnerability makes it possible to perform effective CSRF attacks using the XMLHTTPRequest object. In addition, this paper describes a new technique that preserves the malicious code on the target system even after the browser window is closed. Lastly, best solutions to prevent these attacks are discussed to enable everyone (users, browser or Web applications developers, professionals in charge of IT security in an organization or a company) to prevent or manage this threat.     

一种基于Native层的Android恶意代码检测机制

Android现有的恶意代码检测机制主要是针对bytecode层代码，这意味着嵌入Native层的恶意代码不能被检测，最新研究表明86%的热门Android应用都包含Native层代码。为了解决该问题，本文提出一种基于Native层的Android恶意代码检测机制，将smali代码和so文件转换为汇编代码，生成控制流图并对其进行优化，通过子图同构方法与恶意软件库进行对比,计算相似度值，并且与给定阈值进行比较，以此来判断待测软件是否包含恶意代码。实验结果表明，跟其他方法相比，该方法可以检测出Native层恶意代码而且具有较高的正确率和检测率。     

Suppressing the Spread of Email Malcode using Short-term Message Recall

Outbreaks of computer viruses and worms have established a pressing need for developing proactive antivirus solutions. A proactive antivirus solution is one that reliably and accurately detects novel malicious mobile code and one that either prevents damage or recovers systems from the damage that such code inflicts. Research has indicated that behavioral analysis, though provably imprecise, can feasibly predict whether novel behavior poses a threat. Nevertheless, even the most reliable detection methods can conceivably misclassify malicious code or deem it harmful only after substantial damage has taken place. The study of damage control and recovery mechanisms is, therefore, clearly essential to the development of better proactive systems. Earlier work has demonstrated that undoing the damage of malicious code is possible with an appropriate behavior monitoring and recording mechanism. However, it remains that even if a system is recovered, the virulent code may have already propagated to other systems, some of which may not be well-equipped in terms of proactive defenses. Curbing the propagation of undesired code once it has left the boundaries of a system is a hard problem and one that has not received much attention. This work focuses on a specific instance of this difficult problem: viruses and worms that spread by email. In this paper, we explore how advantageous it would be to have a short-term email undo mechanism whose purpose is to recall infected messages. Simulation results demonstrate that such ability can substantially curb the damage of email viruses on a global scale. The results are encouraging because they only assume technology that is either readily available or that is otherwise clearly practical today     

Shadow attacks: automatically evading system-call-behavior based malware detection

Contemporary malware makes extensive use of different techniques such as packing, code obfuscation, polymorphism, and metamorphism, to evade signature-based detection. Traditional signature-based detection technique is hard to catch up with latest malware or unknown malware. Behavior-based detection models are being investigated as a new methodology to defeat malware. This kind of approaches typically relies on system call sequences/graphs to model a malicious specification/pattern. In this paper, we present a new class of attacks, namely ??shadow attacks??, to evade current behavior-based malware detectors by partitioning one piece of malware into multiple ??shadow processes??. None of the shadow processes contains a recognizable malicious behavior specification known to single-process-based malware detectors, yet those shadow processes as an ensemble can still fulfill the original malicious functionality. To demonstrate the feasibility of this attack, we have developed a compiler-level prototype tool, AutoShadow, to automatically generate shadow-process version of malware given the source code of original malware. Our preliminary result has demonstrated the effectiveness of shadow attacks in evading several behavior-based malware analysis/detection solutions in real world. With the increasing adoption of multi-core computers and multi-process programs, malware writers may exploit more such shadow attacks in the future. We hope our preliminary study can foster more discussion and research to improve current generation of behavior-based malware detectors to address this great potential threat before it becomes a security problem of the epidemic proportions.     

PDAs At Risk,Says Report

A new threat exists for malicious code and virus attacks on portable devices, as it has become increasingly common for vendors to introduce the devices before the security has been deployed, according to a research report.     

Removing web spam links from search engine results

Web spam denotes the manipulation of web pages with the sole intent to raise their position in search engine rankings. Since a better position in the rankings directly and positively affects the number of visits to a site, attackers use different techniques to boost their pages to higher ranks. In the best case, web spam pages are a nuisance that provide undeserved advertisement revenues to the page owners. In the worst case, these pages pose a threat to Internet users by hosting malicious content and launching drive-by attacks against unsuspecting victims. When successful, these drive-by attacks then install malware on the victims’ machines. In this paper, we introduce an approach to detect web spam pages in the list of results that are returned by a search engine. In a first step, we determine the importance of different page features to the ranking in search engine results. Based on this information, we develop a classification technique that uses important features to successfully distinguish spam sites from legitimate entries. By removing spam sites from the results, more slots are available to links that point to pages with useful content. Additionally, and more importantly, the threat posed by malicious web sites can be mitigated, reducing the risk for users to get infected by malicious code that spreads via drive-by attacks.     

Anomaly Detection Based on Discrete Wavelet Transformation for Insider Threat Classification

Unlike external attacks, insider threats arise from legitimate users who belong to the organization. These individuals may be a potential threat for hostile behavior depending on their motives. For insider detection, many intrusion detection systems learn and prevent known scenarios, but because malicious behavior has similar patterns to normal behavior, in reality, these systems can be evaded. Furthermore, because insider threats share a feature space similar to normal behavior, identifying them by detecting anomalies has limitations. This study proposes an improved anomaly detection methodology for insider threats that occur in cybersecurity in which a discrete wavelet transformation technique is applied to classify normal vs. malicious users. The discrete wavelet transformation technique easily discovers new patterns or decomposes synthesized data, making it possible to distinguish between shared characteristics. To verify the efficacy of the proposed methodology, experiments were conducted in which normal users and malicious users were classified based on insider threat scenarios provided in Carnegie Mellon University’s Computer Emergency Response Team (CERT) dataset. The experimental results indicate that the proposed methodology with discrete wavelet transformation reduced the false-positive rate by 82% to 98% compared to the case with no wavelet applied. Thus, the proposed methodology has high potential for application to similar feature spaces.     

Trends,codes and virus attacks - 2003 year in review

A shortlist of the most memorable events of 2003 will undoubtedly include the demise of Saddam Hussein's regime but what will surely be omitted from most top 10s is the continuing threat posed by malware — viruses and other malicious code – and the nuisance of spam messaging. These omissions are made despite worrying developments in mass mail worms, blended threats and increasing spam complexity.