Upload File

malware analyncs at sri - nist

8
Malware AnalyNcs at SRI Phillip Porras Computer Science Laboratory, SRI InternaMonal Date: Sprint 2012 NOT FOR PUBLIC DISTRIBUTION

Upload: others

Post on 29-Jan-2022

1 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Malware AnalyNcs at SRI - NIST

Malware AnalyNcs at SRIPhillip Porras  Computer Science Laboratory, SRI  InternaMonalDate: Sprint  2012

NOT FOR  PUBLIC DISTRIBUTION

Page 2: Malware AnalyNcs at SRI - NIST

2011 Great  AnMmalware Papers in Academia  hOp://mtc.sri.com/2011BestPapers.html

Tracking Internet Fraudsters

Click  Trajectories: End-­‐to-­‐End Analysis  of the Spam Value ChainLevchenko et  al., IEEE Security Symposium 2011Summary: Perhaps  the  most comprehensive  analysis  of  the  underground spam  economy todate. Strong Evidence that SPAM  adverNsers are boPlenecked at a handful of banks

Understanding Fraudulent Ac?vi?es  in Online Ad Exchanges  BreO Stone-­‐Gross, Ryan Stevens, Richard Kemmerer, Christopher Kruegel, Giovanni Vigna,  Apostolis Zarras, ACM/SIGCOMM  Internet  Measurement  Conference 2011Summary: First analysis of fraud in ad exchanges driven by botnets with data from inside anad network, how botnets are used to perpetrate ad-­‐fraud, and how they make money.

Measuring Pay-­‐per-­‐Install: The Commodi?za?on of Malware Distribu?onJuan Caballero, Chris Grier, ChrisMan Kreibich,  Vern Paxson,  Usenix Security 2011Summary: Another great measurement study of underground malware economy. Bestpaper award  at Usenix Security!   PPI is  all about  the  economy that  drives  criminals  to infect  vicNm  machines,  and how  they convert  those  installs  into cash.  12 of  the  topinstalls employ  PPI.

20 malware  

Page 3: Malware AnalyNcs at SRI - NIST

2011 Great  AnMmalware Papers in Academia  hOp://mtc.sri.com/2011BestPapers.html

DNS Abuse Monitoring

Monitoring the IniNal DNS Behavior of Malicious Domains, Shuang Hao,  Nick  Feamster,  Ramakant Pandrangi ACM/SIGCOMM  Internet  Measurement  Conference 2011Summary: InteresNng measurement  paper with  some important  insights  for rapid  classificaNon of malicious domains. 55%  of of malware campaigns use domains registered w/ in 24hrs of campaign + plus key ASs where JIT malware domains are born.

DetecNng Malware Domains at the Upper DNS Hierararchy,  Manos Antonakakis, RobertoPerdisci,  Wenke Lee, Nikolaos Vasiloglou II, David DagonUsenix Security 2011Summary: Another malware DNS detecNon system, but from a unique global vantage point.How to detect  malware DNS  acNvity  by monitoring  upper-­‐level  DNS  query  paPerns  (Kopis).

BOTNET DETECTION SYSTEMS

BOTMAGNIFIER: LocaNng  Spambots on the  Internet, Gianluca Stringhini, Thorsten Holz,  BreOStone-­‐Gross, Christopher Kruegelx, and Giovanni VignaSummary: One of the few  botnet  detecNon  systems  published  this year,  the other significant  one being JACKSTRAW. Using maillogs to detect  hosts  w/ spam  behavioral paPernswhat match known spammers.

Page 4: Malware AnalyNcs at SRI - NIST

2011 Great  AnMmalware Papers in Academia  MALWARE ANALYSIS SYSTEMSBitShred: Feature Hashing Malware for Scalable Triage and SemanNc Analysis, Jiyong Jang,David Brumley and Shobha Venkataraman, ACM  CCS 2011Summary: A new approach to the malware classificaNon problem with impressive scalabilityand performance.  

The Power of ProcrasNnaNon: DetecNon and MiNgaNon of ExecuNon-­‐Stalling Malicious Code,Clemens  Kolbitsch,  Engin Kirda, Christopher Kruegel, ACM  CCS 2011Summary: An important step in improving the state of dynamic analysis.

Virtuoso: Narrowing the SemanNc Gap in Virtual Machine IntrospecNon, Brendan Dolan-­‐GaviO,  Tim Leek, Michael Zhivich, Jonathon Giffin, and Wenke Lee, IEEE Security Symposium 2011Summary: IntrospecNon  has featured  prominently  in many  recent  security  soluNons,  such  asvirtual machine-­‐based intrusion detecNon,  forensic  memory analysis,  and low-­‐arNfact  malware  analysis.   This system  shows lots of  promise  and will hopefully inspire  a new  suite  of  introspecNon  systems.

A Study of Android ApplicaNon Security, William Enck, Damien Octeau, Patrick McDaniel, andSwarat Chaudhuri,  Usenix Security 2011Summary: An interesNng tool that would likely be useful for next-­‐generaNon Androidmalware  analysis systems.  

Page 5: Malware AnalyNcs at SRI - NIST

  

   

      

Malware Binary Reverse Engineering BotHuntermalgram.mtc.sri.com www.bothunter.net

What’s  Novel Hereè BotHunterAutomated Malware Reverse Engineering

• Flip the IDS Paradigm -­‐ INFECTION• Binary Structural AnalysisDIAGNOSIS not  INBOUND EXPLOIT ALARMS• Dynamic Analyses

• Network Dialog CorrelaMon (patent  • API  Hookingpending)  

• Peer App Kernel Probing   • Analyze two-­‐way  communicaNon flows• VM  IntrospecMon between internal assets and the Internet  

• Analyze all dialog exchanges against  • StaMc Program Analysis defined  malware infec?on lifecycle model  

• Unpacking• Code DeobfuscaMon Next  Steps:   IntegraNng  InfecNon  Diagnosis  with• DecompilaMon Binary object intercepNon |=   InfecNon

• Program Analysis• Program RewriMng

ValidaNon

www.bothunter.net�
Page 6: Malware AnalyNcs at SRI - NIST

     

Malware Threat TrackinghPp://Nnyurl/InfectedUSA

SRI  does mulMple forms of malware Threat  Intel Tracking• Honeynets• ReflectorNets• IP ReputaMon Service• CALO – Web Tracking and InterpretaMon• Free Sensors  

SRI Threat ReputaNon Service:

OpenFlowSecurity  Through  

So?ware Defined Networking

www.openflowsec.org  

Fresco / FortNOX

PublicaMons

Current  Video DemosAutomated Malware QuaranMneReflector NetsStopping Illegal VTunnels

hOp://kb.bothunter.net/ipInfo/IPRep.php?IP=%s&FORMAT=csv-­‐ the FORMAT arg can be CSV, TEXT, TAB, XML

www.openflowsec.org�
Page 7: Malware AnalyNcs at SRI - NIST

hOp://www.bothunter.net  

WiredMagazine

12/30/2012

Page 8: Malware AnalyNcs at SRI - NIST

Malware and Anti-Malware Seminar by Benny Czarny

Analisis dan Deteksi Malware Menggunakan Metode Malware

Malware Analysis Without Looking At Assembly Codegauss.ececs.uc.edu/Courses/c5155/pdf/malware-analysis.pdf · 2015. 11. 20. · Malware Analysis Malware typically employs encryption:

Rajitgadh SmartGrid NIST March 2014 Presentation.pdf | NIST

NIST Measurement Services: NIST Calibration Services for

Malware Nilgün Kablan. Malware …………………………………….…….……………………………………………… Geschichte der Malware ……………….…………………………………………………

NIST Page · NIST Page

Chapter 8 Malware - FTMS · – Boot virus – Logic Bomb virus – Directory virus – Resident virus. CSCA0101 Computing Basics 8 Malware Types of Malware ... Malware Types of Malware

Malware Analysis and Antivirus Technologies: Kernel Malware & A Look at Malware … · 2011-08-16 · Malware Analysis and Antivirus Technologies: Kernel Malware & A Look at Malware

The SRI NIST SRE10 Speaker Verification System · 2010. 12. 16. · Introduction: SRI Approach Historical focus • Higher-level speaker modeling using ASR • Modeling many aspects

1 Automated malware audit service Automatischer Malware Audit

MALWARES MALWARE REVIEWED ISE DE Malware Reviewed · MALWARES There are public reports about spreading of malware named as ServHelper malware. It is a backdoor malware used by attacker

NIST Plan Public Access.pdf | NIST

Using Zero Trust, CARTA, NIST, Federal CDM and Others to ... · 11/4/2019  · AMP Everywhere Advanced Malware Protection StealthWatch Traffic Analysis –Identify abnormal and known-bad

Malware Analysis Analysis.pdf · Definisi Malware Analysis • What is a malware? • Malware (malicious software) ... Malware Sinkronisasi Token • Pelaku: Zeus Banking Trojan •

Mobile Malware Network View - Black Hat · Mobile Malware Network View ... ... Windows Malware impacts mobile

Jeff McFadden, NIST Sam Coriell, NIST Bill Mitchell, NIST Bruce Murray, SUNY Binghamton

The SRI NIST SRE08 Speaker Verification System · 2010. 12. 16. · 3 NIST SRE Workshop, Montreal, 6/17/2008 Introduction: SRI Approach Historical focus • Higher-level speaker modeling

NIST CSF Enterprise - NIST Cybersecurity Framework ... · NIST CSF Frameworks & Methods • NIST Cybersecurity Framework The NIST Cyber Security Framework provides guidance and training’s

NIST · 2019. 10. 29. · NIST

Improving accuracy of malware detection by …...FFRI, Inc. Background – malware and its detection 4 Increasing malware Targeted Attack (Unknown malware) Malware generators Obfuscators

Kirkborne NIST-June2012PDF | NIST

Malware and anti-malware (fun with Trojans) - Z. …z.cliffe.schreuders.org/edu/FS/Malware and anti-malware... · 2014-04-02 · Malware and anti-malware (fun with Trojans) ... with

NIST Big Data | NIST

Malware & Anti-Malware

SRI International Reverse Engineering Malware Hassen Saidi Computer Science Laboratory SRI International [email protected]

Reversing malware analysis trainingpart9 advanced malware analysis

Malware Slums: Measurement and Analysis of Malware on ...homepage.cs.uiowa.edu/~mshafiq/files/malware... · Malware Slums: Measurement and Analysis of Malware on Traffic Exchanges

Cybersecurity Executive Order - New York State Office of ... · CLOUD . COMPUTING . BYOD LIABILITY/ INSURANCE MALWARE ... NIST 800-53, COBIT ... Features include a mapping to control

Windows Malware Firewall: Remove Windows Malware Firewall

Android Malware Exposed-Evolution of Android Malware

Guide to Malware Incident Prevention and Handling for ... · NIST Special Publication 800-83 . Revision 1. Guide to Malware Incident Prevention and Handling for Desktops and Laptops

MALWARE RISKS AND MITIGATION REPORT - NIST › system › files › documents › itl › ... · malware risks and mitigation report. june 2011 . bits . a division of the financial

Computer Virology and Mobile Malware Detection · 2019-03-14 · Outline •Introduction •Computer Virology • Malware taxonomy • Encrypted malware •Malware Detection •Mobile

NIST BD Platforms 01 Pednault BigData NIST