Self Protection Techniques in Malware
1 DSIE'10, 5th Doctoral Symposium on Informatics Engineering, January 28-29, 2010, Porto, Portugal. Self Protection Techniques in Malware. Tiago Santos

2 Overview
- Introduction
- Malware types
- Why self protection?
- Stealth, evasion, obfuscation
- Code obfuscation
- Entry point obfuscation
- Compression / packers
- Encryption
- Anti-debugger
- Anti-emulation
- Anti-disassembly
- Retrovirus
- Conclusions
3 Introduction
4 Malware
- Software that can disrupt the normal functioning of a system.
- Installed without the knowledge or approval of the user.
Why?
- Experimental or research
- Anti-social behaviour
- Prank
- Ideological
- Profit / extortion
- Warfare
7 Types
Adware, Ransomware, Browser hijack, Rootkit, Backdoor, Scumware, Botnet, Spam, Bugs, Cryptovirus, Dialer, Exploit, E-mail bomb, Keylogger, Hoaxes, Logic bombs, Rabbit, Spyware, Trojans, Virus, Worms
8 Why Self Protection?
Increase the space between the temporal points of the malware's life: infection > detection > analysis > defense
10 Stealth, Evasion, Obfuscation
11 Self Protection Methods
PASSIVE
- Code obfuscation
- Entry point obfuscation
- Encryption
- Compression / packing
- Oligomorphism
- Polymorphism
- Metamorphism
ACTIVE
- Anti-emulation
- Anti-debugging
- Anti-disassembling
- Retrovirus
14 Source: Alisa Shevchenko
15 Code Obfuscation
- Inserting junk code
- Code transposition
- Exchanging registers
- Instruction substitution
Common problem: the code can grow significantly!
Solution: opcode confusion, undocumented instructions.
Example of instruction substitution. The two-instruction sequence
    LEA EAX, DWORD PTR [040200H]
    JMP EAX
is replaced by the equivalent, longer sequence
    MOV AX, 0200H
    MOV BX, 0004H
    AND EAX, 0XFFFF
    SHL EBX, 16
    OR EAX, EBX
    JMP EAX
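The substituted sequence on the slide only hides the constant from a pattern matcher; a scanner that executes the code recovers the same jump target. The following is an added example (not from the DSIE'10 slides or the author): a tiny register emulator covering just EAX/EBX, their 16-bit aliases AX/BX and the six instructions the slide uses. The listings are the slide's own; `SUBSTITUTED_WITHOUT_AND` is a constructed variant with the masking step dropped to show why `AND EAX, 0XFFFF` is not optional, and the initial register contents are arbitrary garbage values chosen for the demonstration.

```python
"""Tiny register emulator for the instruction-substitution example above.

Added example, not from the DSIE'10 slides: it models only EAX/EBX (with
AX/BX as 16-bit aliases) and MOV, LEA, AND, OR, SHL and JMP, which is just
enough to show that the two listings on the slide resolve to the same
jump target, and why the AND EAX, 0xFFFF step is needed.
"""
import re

MASK32 = 0xFFFFFFFF
ALIAS = {"AX": "EAX", "BX": "EBX"}  # 16-bit views of the 32-bit registers

# Listings as printed on the slide (MOVBX is a transcription error for MOV BX).
SHORT_FORM = """
LEA EAX, DWORD PTR [040200H]
JMP EAX
"""
SUBSTITUTED_FORM = """
MOV AX, 0200H
MOV BX, 0004H
AND EAX, 0XFFFF
SHL EBX, 16
OR EAX, EBX
JMP EAX
"""
# Constructed variant with the masking step dropped: the upper half of EAX
# leaks into the target.
SUBSTITUTED_WITHOUT_AND = SUBSTITUTED_FORM.replace("AND EAX, 0XFFFF\n", "")


def parse_imm(tok):
    """Accept the spellings used on the slide: 0200H, 0XFFFF and plain 16."""
    tok = tok.strip().upper()
    if tok.startswith("0X"):
        return int(tok[2:], 16)
    if tok.endswith("H"):
        return int(tok[:-1], 16)
    return int(tok, 10)


def read(regs, name):
    name = name.upper()
    return regs[ALIAS[name]] & 0xFFFF if name in ALIAS else regs[name]


def write(regs, name, value):
    name = name.upper()
    if name in ALIAS:  # a 16-bit write leaves the upper 16 bits untouched
        full = ALIAS[name]
        regs[full] = (regs[full] & 0xFFFF0000) | (value & 0xFFFF)
    else:
        regs[name] = value & MASK32


def operand(regs, tok):
    tok = tok.strip()
    mem = re.fullmatch(r"(?:DWORD PTR )?\[(\w+)\]", tok, re.IGNORECASE)
    if mem:  # LEA only computes the effective address, it never reads memory
        return parse_imm(mem.group(1))
    if tok.upper() in regs or tok.upper() in ALIAS:
        return read(regs, tok)
    return parse_imm(tok)


def jump_target(listing, eax=0xDEADBEEF, ebx=0xCAFEBABE):
    """Run the listing up to the JMP and return the resolved target address.

    Registers start with garbage (constructed values) so that a sequence which
    fails to clear the upper halves yields a visibly wrong target.
    """
    regs = {"EAX": eax & MASK32, "EBX": ebx & MASK32}
    for line in listing.strip().splitlines():
        line = line.split(";")[0].strip()
        if not line:
            continue
        op, _, rest = line.partition(" ")
        op = op.upper()
        args = [a.strip() for a in rest.split(",")]
        if op == "JMP":
            return read(regs, args[0])
        dst, src = args[0], operand(regs, args[1])
        if op in ("MOV", "LEA"):
            write(regs, dst, src)
        elif op == "AND":
            write(regs, dst, read(regs, dst) & src)
        elif op == "OR":
            write(regs, dst, read(regs, dst) | src)
        elif op == "SHL":
            write(regs, dst, (read(regs, dst) << src) & MASK32)
        else:
            raise ValueError("unsupported instruction: " + line)
    raise ValueError("listing ended without a JMP")


if __name__ == "__main__":
    for name, code in [("short", SHORT_FORM), ("substituted", SUBSTITUTED_FORM),
                       ("without AND", SUBSTITUTED_WITHOUT_AND)]:
        print(f"{name:12s} -> JMP 0x{jump_target(code):08X}")
```

Both slide listings resolve to 0x00040200; the variant without the mask resolves to whatever the upper half of EAX happened to hold, which is exactly the kind of register-state dependency that makes a scanner fall back to emulation rather than byte patterns.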
19 Entry Point Obfuscation
- Anti-heuristic method
- Hard to detect, disinfect and remove
- Can get control at any point (e.g. at the end: replace the API call ExitProcess() by a jump to the viral section)
22 Compression / Packers
- Reduces the malware size significantly
- Makes code analysis much more difficult and tedious
- Efficient commercial and free software is available (problem: the compression/decompression algorithms are known to the AV software)
- Can use software already available in the infected system
- It is possible to change the entire packed code by changing just one single byte
- Some packers incorporate anti-debugging capabilities in the packed file
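Two of the points above, that packed code is hard to read statically and that one changed input byte rewrites the whole packed image, are what make byte entropy the usual first triage signal for packers. The following is an added example, not from the DSIE'10 slides: a Shannon-entropy check over sections with a commonly used 7.0 bits-per-byte threshold (an assumption to be tuned per corpus), plus a count of how many packed bytes change when one plaintext byte is altered before packing. All buffers are constructed in the script (a code-like buffer over a restricted byte alphabet, its zlib-compressed copy standing in for a compressor-style packer's output, and pseudo-random bytes standing in for an encrypted body); the section names are made up.

```python
"""Byte-entropy triage for packed or encrypted sections.

Added example, not part of the DSIE'10 slides. All sample buffers are
constructed here: a code-like buffer over a restricted byte alphabet, a
zlib-compressed copy standing in for the output of a compressor-style packer,
and pseudo-random bytes standing in for a well-encrypted body.
"""
import math
import random
import zlib
from collections import Counter

# First-pass packer indicator used by many triage scripts; tune per corpus.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for perfectly uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_packed(data, threshold=PACKED_THRESHOLD):
    return shannon_entropy(data) >= threshold


def section_report(sections):
    """Map section name -> (entropy rounded to 2 places, packed verdict)."""
    return {name: (round(shannon_entropy(b), 2), looks_packed(b))
            for name, b in sections.items()}


def packed_bytes_changed(plain, offset, new_value):
    """Count packed-output bytes that differ when ONE input byte is changed.

    Illustrates the slide's point that a single-byte change rewrites the whole
    packed image, so byte signatures over packed bodies are nearly worthless.
    """
    mutated = bytearray(plain)
    mutated[offset] = new_value
    a, b = zlib.compress(plain, 9), zlib.compress(bytes(mutated), 9)
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


# Constructed samples (seeded so the numbers are reproducible).
_rng = random.Random(2010)
_ALPHABET = list(range(0x30, 0x58))  # 40 distinct byte values: a narrow opcode mix
PLAIN_CODE = bytes(_rng.choice(_ALPHABET) for _ in range(8192))
PACKED_CODE = zlib.compress(PLAIN_CODE, 9)  # what a compressor-style packer emits
ENCRYPTED_CODE = bytes(_rng.getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    report = section_report({".text": PLAIN_CODE, ".packed": PACKED_CODE,
                             ".crypt": ENCRYPTED_CODE})
    for name, (h, packed) in report.items():
        print(f"{name:8s} entropy={h:.2f} packed={packed}")
    # 0xFF lies outside the constructed alphabet, so it also changes the Huffman table
    print("packed bytes changed by one plaintext byte:",
          packed_bytes_changed(PLAIN_CODE, 4000, 0xFF))
```

The plain buffer sits around 5.3 bits per byte, while both the compressed and the random buffer exceed the threshold: entropy alone cannot tell a packer from encryption, which is why a triage tool reports the value and leaves the unpacking decision (known packer stub, or emulation of the decompressor) to the next stage.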
28 Encryption: why?
- To hide the malware's fixed signature, making it unrecognizable to a scanner
- To camouflage constants (e.g., .exe, windows/system32, addresses, etc.)
- To complicate code analysis
31 Encryption: Key Points
- Strength
- Key origin and distribution
- Public vs private key
- Speed and reliability (e.g. RC4 is faster than RSA)
- Implementation
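The first bullet of slide 28 is the whole point of the encryption layer: the body's bytes differ for every key, so a signature taken over the body never matches on disk. Scanners answer in two ways, by matching the decryptor stub, which has to stay constant, or by emulating the decryption and scanning the recovered body. The following is an added example, not from the DSIE'10 slides: a single-byte XOR stands in for the cipher, the stub layout (constructed magic bytes followed by the key byte) is a toy format, and the body and signature strings are constructed.

```python
"""Why a body signature fails against an encrypted image, and what a scanner
does about it: match the constant decryptor stub, or emulate the decryption
and scan the recovered body.

Added example, not part of the DSIE'10 slides. The 'cipher' is a single-byte
XOR and the stub layout (magic bytes + key byte) is a constructed toy format.
"""

STUB_MAGIC = b"\x01DECRYPT-STUB\x02"  # constructed: the part that never changes
# Constructed body; the scanner's body signature is a substring of it.
PLAIN_BODY = b"<<constructed body>> MARKER-7f3a-write-and-run <<end>>"
BODY_SIGNATURE = b"MARKER-7f3a"
STUB_SIGNATURE = STUB_MAGIC


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def build_image(key):
    """On-disk image: stub | key | XOR(body, key). key must be 1..255."""
    if not 1 <= key <= 255:
        raise ValueError("key 0 would leave the body in clear")
    return STUB_MAGIC + bytes([key]) + xor_bytes(PLAIN_BODY, key)


def scan_static(image, signature):
    """Plain signature scan over the bytes as they sit on disk."""
    return signature in image


def scan_emulated(image, signature):
    """Locate the stub, run its decryption as an AV emulator would, then scan."""
    pos = image.find(STUB_MAGIC)
    if pos < 0:
        return False
    key_pos = pos + len(STUB_MAGIC)
    key = image[key_pos]
    return signature in xor_bytes(image[key_pos + 1:], key)


def verdicts(keys):
    """Per key: (body sig on disk, stub sig on disk, body sig after emulation)."""
    out = {}
    for k in keys:
        img = build_image(k)
        out[k] = (scan_static(img, BODY_SIGNATURE),
                  scan_static(img, STUB_SIGNATURE),
                  scan_emulated(img, BODY_SIGNATURE))
    return out


def distinct_images():
    """How many different on-disk images one body yields by changing the key."""
    return len({build_image(k) for k in range(1, 256)})


if __name__ == "__main__":
    for k, (body, stub, emu) in verdicts([0x21, 0x7F, 0xC3]).items():
        print(f"key=0x{k:02X} body-sig={body} stub-sig={stub} emulated-body-sig={emu}")
    print("distinct images from one body:", distinct_images())
```

For every key the body signature misses on disk while the stub signature and the emulated scan both hit, which is why the later slides on oligomorphism, polymorphism and anti-emulation exist: the next move is to vary the stub and to make the decryption loop expensive or impossible for the emulator.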
36 Anti Debugger
Different techniques for different debuggers:
- Modified-code-based detection (breakpoint detection): checksum comparison, checking instructions
- Software interrupts: INT 3 (the standard debug breakpoint, opcode 0xCC)
- Timing-based detection: check for slowdown at runtime
- API (e.g. IsDebuggerPresent())
- Exception-based detection, often difficult to bypass (INT 2Dh, INT 03h, 0xF1, 0Fh 0Bh)
- Decryption based
- Instruction prefetching
40 Anti Emulation
- Use of triggers
- Sparse infection
- Sparse payload delivery
- Decryption: nested decryption loops; brute-force decryption algorithms; non-linear decryption algorithms
- Overextending: undocumented instructions; instructions not implemented by the emulator
- Fool the emulator
- Network connection
44 Anti Disassemble
Trick the disassembler into producing incorrect disassembled code.
Source as written (slide 46):
    MOV BX, 0xF0F0
    CMP BX, 0
    JNE ...
    DB ...
    ADD CX, BX
    XOR EAX, EAX
    ...
Listing produced by the disassembler (slide 47, addresses partly lost in transcription):
    MOV BX, 0F0F...
    CMP BX, ...
    JE SHORT 40100A
    JNZ SHORT 40100D
    40100C PUSH EAX
    40100D XOR CX, BX
    ADD EAX, EAX
    ...
The raw byte inserted with DB after the always-taken jump is decoded as an instruction (PUSH EAX at 40100C), and the instructions after it are decoded out of alignment.
48 Fighting AV Software: Retrovirus
- Actively attacks the AV software by trying to bypass or block the AV's operations, the personal firewall or other security programs
- Easy to implement
Attacks:
- Modify the AV code
- Delete the AV
- Change the infected system in a way that affects the AV
- Deprive the AV of CPU time
- Kill predetermined processes
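The "checksum comparison" listed on the anti-debugger slide and the "modify the AV code" attack above are the same mechanism seen from two sides: a region of code is hashed and compared against a trusted reference, and any in-memory patch moves the hash. The following is an added example, not from the DSIE'10 slides, written from the defender's side: an integrity check over a constructed code region, with helpers that show why a software breakpoint (a 0xCC byte written into the code) trips the check and a classifier that labels the two most common patch shapes, a single INT 3 and a 5-byte `JMP rel32` inline hook. The code bytes, offsets and labels are all constructed for the demonstration.

```python
"""Code-integrity check: detect in-memory patching of protected code.

Added example, not part of the DSIE'10 slides; the code bytes are constructed.
Used by a debugger-aware program to spot software breakpoints, and by a
defender to spot a retrovirus or hook that modified an engine's code.
"""
import hashlib

INT3 = 0xCC       # one-byte INT 3 opcode a software breakpoint writes into code
JMP_REL32 = 0xE9  # first byte of the 5-byte relative jump an inline hook writes

# Constructed stand-in for a code region; contains no 0xCC, 0xE9 or 0x00 byte.
REFERENCE_CODE = bytes(range(0x10, 0x50)) * 4


def code_digest(code):
    """SHA-256 of the code bytes; in practice taken from the signed on-disk image."""
    return hashlib.sha256(code).hexdigest()


def verify(code, expected_digest):
    """True when the region still matches the trusted reference digest."""
    return hashlib.sha256(code).hexdigest() == expected_digest


def with_software_breakpoint(code, offset):
    """What a debugger does for a software breakpoint: overwrite one byte with INT 3."""
    patched = bytearray(code)
    patched[offset] = INT3
    return bytes(patched)


def with_jmp_hook(code, offset, rel32):
    """What an inline hook does: overwrite five bytes with JMP rel32 (E9 xx xx xx xx)."""
    patched = bytearray(code)
    patched[offset:offset + 5] = bytes([JMP_REL32]) + (rel32 & 0xFFFFFFFF).to_bytes(4, "little")
    return bytes(patched)


def find_patches(reference, current):
    """(offset, original byte, current byte) for every byte that differs."""
    if len(reference) != len(current):
        raise ValueError("code regions differ in length")
    return [(i, r, c) for i, (r, c) in enumerate(zip(reference, current)) if r != c]


def find_int3_patches(reference, current):
    """Offsets where a 0xCC replaced something else: software breakpoints."""
    return [i for i, _, c in find_patches(reference, current) if c == INT3]


def classify_patches(reference, current):
    """Group contiguous differing bytes into runs and label the common shapes.

    Heuristic: a run is labelled by its first byte, so a hook whose rel32 bytes
    happen to equal the original at some position is still recognised.
    """
    runs = []
    for off, _, cur in find_patches(reference, current):
        if runs and off == runs[-1][-1][0] + 1:
            runs[-1].append((off, cur))
        else:
            runs.append([(off, cur)])
    labels = []
    for run in runs:
        start, first = run[0]
        if len(run) == 1 and first == INT3:
            labels.append((start, "int3 breakpoint"))
        elif first == JMP_REL32:
            labels.append((start, "jmp rel32 hook"))
        else:
            labels.append((start, "other modification"))
    return labels


if __name__ == "__main__":
    trusted = code_digest(REFERENCE_CODE)
    tampered = with_software_breakpoint(with_jmp_hook(REFERENCE_CODE, 16, 0x1234), 5)
    print("clean verifies:", verify(REFERENCE_CODE, trusted))
    print("tampered verifies:", verify(tampered, trusted))
    print("patches:", classify_patches(REFERENCE_CODE, tampered))
```

Two caveats a practitioner should keep in mind. The reference digest must come from somewhere the attacker cannot also patch (a signed on-disk image, or a value checked by a separate component), otherwise the retrovirus simply rewrites the expected value along with the code. And the check only sees changes to code bytes: a hardware breakpoint lives in the debug registers and leaves the digest untouched, which is why an analyst working on a self-checking sample reaches for hardware breakpoints or an emulator rather than INT 3.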
51 Conclusions
Can a system be safe with up-to-date AV software?
Due to the continuous evolution of these techniques and the development of new ones, it is impossible to have complete protection even with up-to-date, state-of-the-art AV software, so it is prudent to always assume that a system is unprotected and already infected.
It's a never-ending conflict between malware writers and AV developers.
54 Conclusions
"... virus writers don't have to achieve perfect infection. It isn't crucial that infection attempts sometimes fail, or if a virus can't reliably tell whether a file is already infected. Viruses are messy and an imperfect virus can spread quite well in the real world. Conversely, an anti-virus product must be extremely reliable. Unreliable detection, either by identifying a benign file as infected or vice versa, is a fatal flaw." Richard Ford
More informationAntiRE en Masse. Investigating Ferrie s Documented AntiUnpacking. Kurt Baumgartner, VP Behavioral Threat Research PCTools ThreatFire
AntiRE en Masse Investigating Ferrie s Documented AntiUnpacking Tricks in the World s Worst Mal Families Kurt Baumgartner, VP Behavioral Threat Research PCTools ThreatFire Presented at Virus Bulletin 2009
More informationViolating Database - Enforced Security Mechanisms
Violating Database - Enforced Security Mechanisms Runtime Patching Exploits in SQL Server 2000: a case study Chris Anley [chris@ngssoftware.com] 18/06/2002 An NGSSoftware Insight Security Research (NISR)
More informationHotpatching and the Rise of Third-Party Patches
Hotpatching and the Rise of Third-Party Patches Alexander Sotirov asotirov@determina.com BlackHat USA 2006 Overview In the next one hour, we will cover: Third-party security patches _ recent developments
More informationStorm Worm & Botnet Analysis
Storm Worm & Botnet Analysis Jun Zhang Security Researcher, Websense Security Labs June 2008 Introduction This month, we caught a new Worm/Trojan sample on ours labs. This worm uses email and various phishing
More informationMalware Trend Report, Q2 2014 April May June
Malware Trend Report, Q2 2014 April May June 5 August 2014 Copyright RedSocks B.V. 2014. All Rights Reserved. Table of Contents 1. Introduction... 3 2. Overview... 4 2.1. Collecting Malware... 5 2.2. Processing...
More informationWHITE PAPER. Understanding How File Size Affects Malware Detection
WHITE PAPER Understanding How File Size Affects Malware Detection FORTINET Understanding How File Size Affects Malware Detection PAGE 2 Summary Malware normally propagates to users and computers through
More informationCybercrime: evoluzione del malware e degli attacchi. Cesare Radaelli Regional Sales Manager, Italy cradaelli@paloaltonetworks.com
Cybercrime: evoluzione del malware e degli attacchi Cesare Radaelli Regional Sales Manager, Italy cradaelli@paloaltonetworks.com About Palo Alto Networks We are the network security company World-class
More informationNGBPA Next Generation BotNet Protocol Analysis
NGBPA Next Generation BotNet Protocol Analysis Felix S. Leder and Peter Martini Abstract The command & control (c&c) protocols of botnets are moving away from plaintext IRC communicationt towards encrypted
More informationSoftware Reversing Engineering (a.k.a. Reversing) Spiros Mancoridis. What is Reverse Engineering? Software Reverse Engineering: Reversing
Software Reversing Engineering (a.k.a. Reversing) Spiros Mancoridis What is Reverse Engineering? Reverse engineering (RE) is the process of etracting the knowledge or design blueprints from anything man
More informationCovert Operations: Kill Chain Actions using Security Analytics
Covert Operations: Kill Chain Actions using Security Analytics Written by Aman Diwakar Twitter: https://twitter.com/ddos LinkedIn: http://www.linkedin.com/pub/aman-diwakar-ccie-cissp/5/217/4b7 In Special
More informationBy:XÇzA A TÅÅtÜ ]A `t{åééw
By:XÇzA A TÅÅtÜ ]A `t{åééw By: Supervised By:Dr.. Lo ai Tawalbeh 1 New York Institute of Technology (NYIT)-Jordan s Campus Eng. Ammar Mahmood Introduction A backdoor in a computer system (or cryptosystem
More informationLicense for Use Information
LESSON 6 MALWARE License for Use Information The following lessons and workbooks are open and publicly available under the following terms and conditions of ISECOM: All works in the Hacker Highschool project
More informationAutomating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com
Automating Linux Malware Analysis Using Limon Sandbox Monnappa K A monnappa22@gmail.com A number of devices are running Linux due to its flexibility and open source nature. This has made Linux platform
More informationAnalysis of Win32.Scream
Analysis of Win32.Scream 1. Introduction Scream is a very interesting virus as it combines a lot of techniques written inside of it. In this paper I ll cover all of its features and internals. I ll dissect
More informationBypass Antivirus Dynamic Analysis
Bypass Antivirus Dynamic Analysis Limitations of the AV model and how to exploit them Date of writing: 08/2014 Author: Emeric Nasi emeric.nasi[at]sevagas.com Website: http://www.sevagas.com/ License: This
More informationAttacking Obfuscated Code with IDA Pro. Chris Eagle
Attacking Obfuscated Code with IDA Pro Chris Eagle Outline Introduction Operation Demos Summary 2 First Order Of Business MOVE UP AND IN! There is plenty of room up front I can't increase the font size
More informationAnatomy of Attacks. Dmitry Samosseiko, SophosLabs
Anatomy of Attacks Dmitry Samosseiko, SophosLabs SophosLabs Team One global team UK, US, Canada, Australia 24/7, 365 days/year ~100 Researchers and Developers globally Threat Operations Systems Development
More informationApplication of Data Mining based Malicious Code Detection Techniques for Detecting new Spyware
Application of Data Mining based Malicious Code Detection Techniques for Detecting new Spyware Cumhur Doruk Bozagac Bilkent University, Computer Science and Engineering Department, 06532 Ankara, Turkey
More informationDiving into a Silverlight Exploit and Shellcode - Analysis and Techniques
Diving into a Silverlight Exploit and Shellcode - Analysis and Techniques By Omri Herscovici & Liran Englender January 04, 2015 Preface In recent years, exploit-kits are one of the most common platforms
More informationSoftware Fingerprinting for Automated Malicious Code Analysis
Software Fingerprinting for Automated Malicious Code Analysis Philippe Charland Mission Critical Cyber Security Section October 25, 2012 Terms of Release: This document is approved for release to Defence
More informationMike Melanson (mike@multimedia.cx)
Breaking Eggs And Making Omelettes: Intelligence Gathering For Open Source Software Development Mike Melanson (mike@multimedia.cx) Legalnotice: Es können zusätzliche Angaben zur Veröffentlichung angegeben
More informationSymptoms of a Data Breach in Your Business
Cyber Security: What you need to know to protect your business February 2014 Presented by: Jon Zayicek Vice President Sera-Brynn Topics: The landscape is changing What are the threats? How to protect your
More informationData Center Security in a World Without Perimeters
www.iss.net Data Center Security in a World Without Perimeters September 19, 2006 Dave McGinnis Director of MSS Architecture Agenda Securing the Data Center What threats are we facing? What are the risks?
More information(Self-Study) Identify How to Protect Your Network Against Viruses
SECTION 24 (Self-Study) Identify How to Protect Your Network Against Viruses The following objective will be tested: Describe What You Can Do to Prevent a Virus Attack In this section you learn about viruses
More informationBE SAFE ONLINE: Lesson Plan
BE SAFE ONLINE: Lesson Plan Overview Danger lurks online. Web access, social media, computers, tablets and smart phones expose users to the possibility of fraud and identity theft. Learn the steps to take
More informationWhere s the FEEB? The Effectiveness of Instruction Set Randomization
Where s the FEEB? The Effectiveness of Instruction Set Randomization Ana Nora Sovarel David Evans Nathanael Paul University of Virginia, Department of Computer Science http://www.cs.virginia.edu/feeb Abstract
More informationCS574 Computer Security. San Diego State University Spring 2008 Lecture #7
CS574 Computer Security San Diego State University Spring 2008 Lecture #7 Today s Structure Administrivia Questions Recent News Lecture Administrivia Assignment #1 - AS1_Template.jar Alternative Tools
More informationITSC Training Courses Student IT Competence Programme SIIS1 Information Security
ITSC Training Courses Student IT Competence Programme SI1 2012 2013 Prof. Chan Yuen Yan, Rosanna Department of Engineering The Chinese University of Hong Kong SI1-1 Course Outline What you should know
More informationCOMPUTER-INTERNET SECURITY. How am I vulnerable?
COMPUTER-INTERNET SECURITY How am I vulnerable? 1 COMPUTER-INTERNET SECURITY Virus Worm Trojan Spyware Adware Messenger Service 2 VIRUS A computer virus is a small program written to alter the way a computer
More informationDefending Against Cyber Attacks with SessionLevel Network Security
Defending Against Cyber Attacks with SessionLevel Network Security May 2010 PAGE 1 PAGE 1 Executive Summary Threat actors are determinedly focused on the theft / exfiltration of protected or sensitive
More information1. General function and functionality of the malware
1. General function and functionality of the malware The malware executes in a command shell, it begins by checking to see if the executing file contains the MZP file extension, and then continues to access
More informationA Museum of API Obfuscation on Win32
A Museum of API Obfuscation on Win32 Masaki Suenaga Senior Software Engineer Contents Abstract... 1 File Image vs. Memory Image... 2 API Analysis... 4 Generating Memory Dumps... 5 Runtime API Address Resolution...
More information