a cuckoo s egg in the malware nest
play

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE - PowerPoint PPT Presentation

Mar 19, 2024 •155 likes •313 views

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

  1. A CUCKOO’S EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS

  2. MALWARE WARS Ø In the last half-decade malware has evolved into a business q Windows is the most attacked platform, OS X also affected Ø Symantec & Co show impressive growing rates o Use of polymorphism/packers o Malware writers are just better J Ø Dynamic Malware Analysis (DMA) q Malware samples are executed in a sandbox q Analysis results are used to update AV signatures and “detection models” q Anubis, CWSandbox, Malheur, Malnet, etc. Christiaan Schade 12/19/11

  3. LIMITATIONS OF DMA Ø Malware writers implemented several countermeasures to avoid/slow down the DMA analysis q Runs only when user(s) is actually logged in q Waits for a certain time frame before activating (10-15 mins) q Checks for virtualization / known registry keys / known IPs Ø DMA tools usually perform post-mortem analysis à users submit their sample(s) and get a report back q Limited support to monitor an internal network and protect endpoints q If you submit a sample, you already suspect it is malware … and your AV likely did not detect it (otherwise … why submit it for further analysis? Ø DMA tools lack information about the execution context and do not offer real-time protection Christiaan Schade 12/19/11

  4. THE IDEA Ø ~30% of current malware download additional components once running q Require some external “content providers”, usually early compromised servers q Content providers might not be online, malware will often need to run several download attempts Ø If we can detect one of these attempts, we can feed the malware with a crafted executable (we call it “cuckoo’s egg”) that: q Will perform some real-time analysis at the end host à on-the-fly malware analysis q Can be instructed to terminate its parent process à effective containment Christiaan Schade 12/19/11

  5. GENERAL ARCHITECTURE WE CALL IT AVATAR Christiaan Schade 12/19/11

  6. LAYING THE EGG… Ø We use an algorithm based on TWR to detect “too many” failed attempts, then the egg generator: q Checks the requested filename q Checks magic numbers in case a file is successfully fetched after several attempts q Packs and sends the cuckoo’s egg when # attempts > threshold Ø When the egg is executed on the target machine, it attempts to get control over its parent process q Depending on the OS version the egg can freeze/terminate the process Christiaan Schade 12/19/11

  7. …AND PARASITE! Ø The egg collects several information about the parent process: q Path to the exe q Any module that was loaded (full module paths) q Window (if any is attached) information: handle, size, caption text q Executable size Ø The collected information are sent to the MAE, which can stop the egg or perform deeper analysis q The egg can send back to the MAE the original parent executable Christiaan Schade 12/19/11

  8. LIMITATIONS TO OUR APPROACH Ø Malware could initiate connections at a very low rate à this would slow down the infection though Ø Malware could apply some verification/encryption mechanisms to the downloaded components à keys could be disclosed Ø Malware writers could use steganography to hide executables into other file formats (e.g., JPEG, like the recent Duqu) Ø Malware could leverage the CreateRemoteThread function to execute its code into another process Christiaan Schade 12/19/11

  9. TESTS Ø Avatar has been tested against real-life malware samples q CWSandbox data set, available at Malheur’s web site q everyday malware we all receive in our mailbox J Ø Dataset A – PoC q ~10 malware families, huge collection (almost) publicly available from the authors of Malheur (2009) à 75 samples Ø Dataset B – evaluation of false positives/negatives q everyday malware we received in our mailboxes during a week time à 30 samples + 30 benign samples Christiaan Schade 12/19/11

  10. TEST RESULTS – DATASET A Christiaan Schade 12/19/11

  11. TEST RESULTS – DATASET B Christiaan Schade 12/19/11

  12. CONCLUSION Ø Avatar raises the bar of malware analysis q No software is required to run at the endpoint q Delivers on-the-fly any component needed for analysis q Heavy computations are off-loaded q We can stop a malicious process as soon as it is detected (to some extent, depending on the OS) Ø We know it can be circumvented, but this will also make it more difficult for malware writers q No countermeasure has been observed so far in our tests Christiaan Schade 12/19/11

  13. DEMO Christiaan Schade 12/19/11

  14. QUESTIONS ? Christiaan Schade 12/19/11

Recommend

A European Contract Law: a cuckoo in the nest? Professor Hugh Beale Professor of law, University

A European Contract Law: a cuckoo in the nest? Professor Hugh Beale Professor of law, University

Department of Law public lecture A European Contract Law: a cuckoo in the nest? Professor Hugh Beale Professor of law, University of Warwick Dr Linda Mulcahy Chair, LSE London School of Economics Law lectures 2011

652 views • 47 slides
Tasty Malware Analysis with T.A.C.O. Bringing Cuckoo Reports into IDA Pro Ruxcon 2015 Jason

Tasty Malware Analysis with T.A.C.O. Bringing Cuckoo Reports into IDA Pro Ruxcon 2015 Jason

Tasty Malware Analysis with T.A.C.O. Bringing Cuckoo Reports into IDA Pro Ruxcon 2015 Jason Jones Who Am I? Sr. Security Research Analyst for Arbor Networks ASERT Attend AHA! in Austin semi-frequently Welcome to the

648 views • 43 slides
Visiting the snake nest Recon Brussels 2018 Jean-Ian Boutin | Senior Malware Researcher Matthieu

Visiting the snake nest Recon Brussels 2018 Jean-Ian Boutin | Senior Malware Researcher Matthieu

Visiting the snake nest Recon Brussels 2018 Jean-Ian Boutin | Senior Malware Researcher Matthieu Faou | Malware Researcher Jean-Ian Boutin Matthieu Faou Senior Malware Researcher Malware Researcher @jiboutin @matthieu_faou Agenda 1.

2.05k views • 138 slides
Digital NEST Connect Transform Create What is the NEST? Digital NEST CONNECTS youth to a

Digital NEST Connect Transform Create What is the NEST? Digital NEST CONNECTS youth to a

Digital NEST Connect Transform Create What is the NEST? Digital NEST CONNECTS youth to a skill-building community that TRANSFORMS them into professionals who can CREATE successful careers, innovative solutions, and prosperous communities

423 views • 19 slides
Cuckoo Search via Lvy flights X. S. Yang and Suash Deb NABIC, 2009, IEEE Presented by Cihan

Cuckoo Search via Lvy flights X. S. Yang and Suash Deb NABIC, 2009, IEEE Presented by Cihan

Cuckoo Search via Lvy flights X. S. Yang and Suash Deb NABIC, 2009, IEEE Presented by Cihan Kaya What is cuckoo search with Levy flights? v A meta-heuristic method v Global optimization v Based on obligate brood parasitic behavior of cuckoo

711 views • 19 slides
Today. Cuckoo hashing. Today. Cuckoo hashing. Johnson-Lindenstrass. Cuckoo hashing. Hashing

Today. Cuckoo hashing. Today. Cuckoo hashing. Johnson-Lindenstrass. Cuckoo hashing. Hashing

Today. Cuckoo hashing. Today. Cuckoo hashing. Johnson-Lindenstrass. Cuckoo hashing. Hashing with two choices: max load O ( loglog n ) . Cuckoo hashing. Hashing with two choices: max load O ( loglog n ) . Cuckoo hashing: Cuckoo hashing.

1.69k views • 147 slides
NEST NEST New and Emerging Science and Technology European Commission RTD.B.1 Anticipating

NEST NEST New and Emerging Science and Technology European Commission RTD.B.1 Anticipating

NEST NEST New and Emerging Science and Technology European Commission RTD.B.1 Anticipating Scientific and Technological Needs (NEST activity); Basic Research Specific Activities covering a Wider Field of Research New and Emerging Science

292 views • 12 slides
What is Nest? FREE online home matching platform Nest matches people with disability to

What is Nest? FREE online home matching platform Nest matches people with disability to

What is Nest? FREE online home matching platform Nest matches people with disability to accommodation/housing that suits their needs and wants. Nest makes it easy to search, choose and apply for accommodation/housing that meets

282 views • 14 slides
First experiences with Cuckoo bags John McHugh - RedJack, LLC and The University of North

First experiences with Cuckoo bags John McHugh - RedJack, LLC and The University of North

First experiences with Cuckoo bags John McHugh - RedJack, LLC and The University of North Carolina Jeff Janies - Redjack LLC Teryl Taylor - Dalhousie University FloCon 2010 New Orleans January 2010 What is a cuckoo bag? SiLK sets and

315 views • 29 slides
Ew E NEST m odel Thorsten Blenckner Maciej T. Tomczak Susa Niiranen Olle Hjerne Baltic Nest

Ew E NEST m odel Thorsten Blenckner Maciej T. Tomczak Susa Niiranen Olle Hjerne Baltic Nest

Ew E NEST m odel Thorsten Blenckner Maciej T. Tomczak Susa Niiranen Olle Hjerne Baltic Nest Institute (BNI) Linking science and management Baltic NEST = a science based decision support system (DSS) to : Explore and synthesize

511 views • 20 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

570 views • 22 slides
AniFilter: Parallel and Failure-Atomic Cuckoo Filter for Non-Volatile Memories Hyungjun Oh 1 ,

AniFilter: Parallel and Failure-Atomic Cuckoo Filter for Non-Volatile Memories Hyungjun Oh 1 ,

AniFilter: Parallel and Failure-Atomic Cuckoo Filter for Non-Volatile Memories Hyungjun Oh 1 , Bongki Cho 1 , Changdae Kim 2 , Heejin Park 1 , Jiwon Seo 1 1 2 1 Ou Outline NVM and AMQs Cuckoo Filter Optimizations in AniFilter

1.18k views • 58 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Determinants of Nest Egg Sustainability Jack C. DeJong, Jr., Ph.D., MBA, CFA Nova Southeastern

Determinants of Nest Egg Sustainability Jack C. DeJong, Jr., Ph.D., MBA, CFA Nova Southeastern

Determinants of Nest Egg Sustainability Jack C. DeJong, Jr., Ph.D., MBA, CFA Nova Southeastern University CoFounder, Nest Egg Guru John H. Robinson Founder, Financial Planning Hawaii CoFounder, Nest Egg Guru Inspiration: Two Seminal

219 views • 19 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Overview Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer immunization Kjell Jrgen Hole Simula@UiB 4. Epidemiological model 5. Malware halting analysis 6. Malware halting method Last updated

672 views • 29 slides
How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement Yoshihiro Oyama University of Tsukuba 1 Background Many malware programs execute operations for analysis evasion Detection of

346 views • 31 slides
Background and introduction to NeST within the context of the GPEDC and the global SSC debates

Background and introduction to NeST within the context of the GPEDC and the global SSC debates

Background and introduction to NeST within the context of the GPEDC and the global SSC debates Presentation for the NeST SA reference group meeting Neissan Alessandro Besharati Jan Smuts House, Johannesburg, 28 January 2015 The Rise of the

417 views • 22 slides
SWAN NEST A SWAN BUILDS ITS NEST FROM FOUND MATERIALS, RECYCLING AND REFLECTING THE

SWAN NEST A SWAN BUILDS ITS NEST FROM FOUND MATERIALS, RECYCLING AND REFLECTING THE

5/16/2018 SWAN NEST A SWAN BUILDS ITS NEST FROM FOUND MATERIALS, RECYCLING AND REFLECTING THE AESTHETIC OF THE WATER. - BISSET ADAMS DESIGN CONCEPT DESIGN INTENTION AND SUSTAINABLE GOALS 1 5/16/2018 DESIGN INTENT The concept for

571 views • 30 slides
Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware malware that evades analysis 2 logistics: LEX homework detect push ret pattern using fmex probably easier than TRICKY 3 upcoming exam next Wednesday

496 views • 48 slides
Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

DeepSec IDSC Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware Adventures Agenda INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 2 1 2 3 4 Android Malware

1.01k views • 64 slides

More recommend