a cuckoo s egg in the malware nest
play

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE - PowerPoint PPT Presentation

Mar 19, 2024 •155 likes •313 views

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

  1. A CUCKOO’S EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS

  2. MALWARE WARS Ø In the last half-decade malware has evolved into a business q Windows is the most attacked platform, OS X also affected Ø Symantec & Co show impressive growing rates o Use of polymorphism/packers o Malware writers are just better J Ø Dynamic Malware Analysis (DMA) q Malware samples are executed in a sandbox q Analysis results are used to update AV signatures and “detection models” q Anubis, CWSandbox, Malheur, Malnet, etc. Christiaan Schade 12/19/11

  3. LIMITATIONS OF DMA Ø Malware writers implemented several countermeasures to avoid/slow down the DMA analysis q Runs only when user(s) is actually logged in q Waits for a certain time frame before activating (10-15 mins) q Checks for virtualization / known registry keys / known IPs Ø DMA tools usually perform post-mortem analysis à users submit their sample(s) and get a report back q Limited support to monitor an internal network and protect endpoints q If you submit a sample, you already suspect it is malware … and your AV likely did not detect it (otherwise … why submit it for further analysis? Ø DMA tools lack information about the execution context and do not offer real-time protection Christiaan Schade 12/19/11

  4. THE IDEA Ø ~30% of current malware download additional components once running q Require some external “content providers”, usually early compromised servers q Content providers might not be online, malware will often need to run several download attempts Ø If we can detect one of these attempts, we can feed the malware with a crafted executable (we call it “cuckoo’s egg”) that: q Will perform some real-time analysis at the end host à on-the-fly malware analysis q Can be instructed to terminate its parent process à effective containment Christiaan Schade 12/19/11

  5. GENERAL ARCHITECTURE WE CALL IT AVATAR Christiaan Schade 12/19/11

  6. LAYING THE EGG… Ø We use an algorithm based on TWR to detect “too many” failed attempts, then the egg generator: q Checks the requested filename q Checks magic numbers in case a file is successfully fetched after several attempts q Packs and sends the cuckoo’s egg when # attempts > threshold Ø When the egg is executed on the target machine, it attempts to get control over its parent process q Depending on the OS version the egg can freeze/terminate the process Christiaan Schade 12/19/11

  7. …AND PARASITE! Ø The egg collects several information about the parent process: q Path to the exe q Any module that was loaded (full module paths) q Window (if any is attached) information: handle, size, caption text q Executable size Ø The collected information are sent to the MAE, which can stop the egg or perform deeper analysis q The egg can send back to the MAE the original parent executable Christiaan Schade 12/19/11

  8. LIMITATIONS TO OUR APPROACH Ø Malware could initiate connections at a very low rate à this would slow down the infection though Ø Malware could apply some verification/encryption mechanisms to the downloaded components à keys could be disclosed Ø Malware writers could use steganography to hide executables into other file formats (e.g., JPEG, like the recent Duqu) Ø Malware could leverage the CreateRemoteThread function to execute its code into another process Christiaan Schade 12/19/11

  9. TESTS Ø Avatar has been tested against real-life malware samples q CWSandbox data set, available at Malheur’s web site q everyday malware we all receive in our mailbox J Ø Dataset A – PoC q ~10 malware families, huge collection (almost) publicly available from the authors of Malheur (2009) à 75 samples Ø Dataset B – evaluation of false positives/negatives q everyday malware we received in our mailboxes during a week time à 30 samples + 30 benign samples Christiaan Schade 12/19/11

  10. TEST RESULTS – DATASET A Christiaan Schade 12/19/11

  11. TEST RESULTS – DATASET B Christiaan Schade 12/19/11

  12. CONCLUSION Ø Avatar raises the bar of malware analysis q No software is required to run at the endpoint q Delivers on-the-fly any component needed for analysis q Heavy computations are off-loaded q We can stop a malicious process as soon as it is detected (to some extent, depending on the OS) Ø We know it can be circumvented, but this will also make it more difficult for malware writers q No countermeasure has been observed so far in our tests Christiaan Schade 12/19/11

  13. DEMO Christiaan Schade 12/19/11

  14. QUESTIONS ? Christiaan Schade 12/19/11

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A European Contract Law: a cuckoo in the nest? Professor Hugh Beale Professor of law, University

A European Contract Law: a cuckoo in the nest? Professor Hugh Beale Professor of law, University

Department of Law public lecture A European Contract Law: a cuckoo in the nest? Professor Hugh Beale Professor of law, University of Warwick Dr Linda Mulcahy Chair, LSE London School of Economics Law lectures 2011

652 views • 47 slides
Tasty Malware Analysis with T.A.C.O. Bringing Cuckoo Reports into IDA Pro Ruxcon 2015 Jason

Tasty Malware Analysis with T.A.C.O. Bringing Cuckoo Reports into IDA Pro Ruxcon 2015 Jason

Tasty Malware Analysis with T.A.C.O. Bringing Cuckoo Reports into IDA Pro Ruxcon 2015 Jason Jones Who Am I? Sr. Security Research Analyst for Arbor Networks ASERT Attend AHA! in Austin semi-frequently Welcome to the

648 views • 43 slides
Visiting the snake nest Recon Brussels 2018 Jean-Ian Boutin | Senior Malware Researcher Matthieu

Visiting the snake nest Recon Brussels 2018 Jean-Ian Boutin | Senior Malware Researcher Matthieu

Visiting the snake nest Recon Brussels 2018 Jean-Ian Boutin | Senior Malware Researcher Matthieu Faou | Malware Researcher Jean-Ian Boutin Matthieu Faou Senior Malware Researcher Malware Researcher @jiboutin @matthieu_faou Agenda 1.

2.05k views • 138 slides
Digital NEST Connect Transform Create What is the NEST? Digital NEST CONNECTS youth to a

Digital NEST Connect Transform Create What is the NEST? Digital NEST CONNECTS youth to a

Digital NEST Connect Transform Create What is the NEST? Digital NEST CONNECTS youth to a skill-building community that TRANSFORMS them into professionals who can CREATE successful careers, innovative solutions, and prosperous communities

423 views • 19 slides
Cuckoo Search via Lvy flights X. S. Yang and Suash Deb NABIC, 2009, IEEE Presented by Cihan

Cuckoo Search via Lvy flights X. S. Yang and Suash Deb NABIC, 2009, IEEE Presented by Cihan

Cuckoo Search via Lvy flights X. S. Yang and Suash Deb NABIC, 2009, IEEE Presented by Cihan Kaya What is cuckoo search with Levy flights? v A meta-heuristic method v Global optimization v Based on obligate brood parasitic behavior of cuckoo

711 views • 19 slides
Today. Cuckoo hashing. Today. Cuckoo hashing. Johnson-Lindenstrass. Cuckoo hashing. Hashing

Today. Cuckoo hashing. Today. Cuckoo hashing. Johnson-Lindenstrass. Cuckoo hashing. Hashing

Today. Cuckoo hashing. Today. Cuckoo hashing. Johnson-Lindenstrass. Cuckoo hashing. Hashing with two choices: max load O ( loglog n ) . Cuckoo hashing. Hashing with two choices: max load O ( loglog n ) . Cuckoo hashing: Cuckoo hashing.

1.69k views • 147 slides
NEST NEST New and Emerging Science and Technology European Commission RTD.B.1 Anticipating

NEST NEST New and Emerging Science and Technology European Commission RTD.B.1 Anticipating

NEST NEST New and Emerging Science and Technology European Commission RTD.B.1 Anticipating Scientific and Technological Needs (NEST activity); Basic Research Specific Activities covering a Wider Field of Research New and Emerging Science

292 views • 12 slides
What is Nest? FREE online home matching platform Nest matches people with disability to

What is Nest? FREE online home matching platform Nest matches people with disability to

What is Nest? FREE online home matching platform Nest matches people with disability to accommodation/housing that suits their needs and wants. Nest makes it easy to search, choose and apply for accommodation/housing that meets

282 views • 14 slides
First experiences with Cuckoo bags John McHugh - RedJack, LLC and The University of North

First experiences with Cuckoo bags John McHugh - RedJack, LLC and The University of North

First experiences with Cuckoo bags John McHugh - RedJack, LLC and The University of North Carolina Jeff Janies - Redjack LLC Teryl Taylor - Dalhousie University FloCon 2010 New Orleans January 2010 What is a cuckoo bag? SiLK sets and

315 views • 29 slides
Ew E NEST m odel Thorsten Blenckner Maciej T. Tomczak Susa Niiranen Olle Hjerne Baltic Nest

Ew E NEST m odel Thorsten Blenckner Maciej T. Tomczak Susa Niiranen Olle Hjerne Baltic Nest

Ew E NEST m odel Thorsten Blenckner Maciej T. Tomczak Susa Niiranen Olle Hjerne Baltic Nest Institute (BNI) Linking science and management Baltic NEST = a science based decision support system (DSS) to : Explore and synthesize

511 views • 20 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

568 views • 22 slides
AniFilter: Parallel and Failure-Atomic Cuckoo Filter for Non-Volatile Memories Hyungjun Oh 1 ,

AniFilter: Parallel and Failure-Atomic Cuckoo Filter for Non-Volatile Memories Hyungjun Oh 1 ,

AniFilter: Parallel and Failure-Atomic Cuckoo Filter for Non-Volatile Memories Hyungjun Oh 1 , Bongki Cho 1 , Changdae Kim 2 , Heejin Park 1 , Jiwon Seo 1 1 2 1 Ou Outline NVM and AMQs Cuckoo Filter Optimizations in AniFilter

1.18k views • 58 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Determinants of Nest Egg Sustainability Jack C. DeJong, Jr., Ph.D., MBA, CFA Nova Southeastern

Determinants of Nest Egg Sustainability Jack C. DeJong, Jr., Ph.D., MBA, CFA Nova Southeastern

Determinants of Nest Egg Sustainability Jack C. DeJong, Jr., Ph.D., MBA, CFA Nova Southeastern University CoFounder, Nest Egg Guru John H. Robinson Founder, Financial Planning Hawaii CoFounder, Nest Egg Guru Inspiration: Two Seminal

219 views • 19 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
17: Dynamic Programming CS1101S: Programming Methodology Martin Henz October 19, 2012 CS1101S:

17: Dynamic Programming CS1101S: Programming Methodology Martin Henz October 19, 2012 CS1101S:

Fibonacci Numbers Dropping Eggs Puzzle Optimal Binary Search Tree 17: Dynamic Programming CS1101S: Programming Methodology Martin Henz October 19, 2012 CS1101S: Programming Methodology 17: Dynamic Programming Fibonacci Numbers Dropping

660 views • 25 slides
The joy of functional programming June 2019 Hadley Wickham @hadleywickham Chief

The joy of functional programming June 2019 Hadley Wickham @hadleywickham Chief

The joy of functional programming June 2019 Hadley Wickham @hadleywickham Chief Scientist, RStudio Import Visualise Tidy Transform Model Program Communicate Import Visualise Tidy Transform Model Program Communicate

445 views • 42 slides
MOL2NET , 2019 , 5, doi:10.3390/mol2net-05-xxxx 2 for each day of storage. The treatments to be

MOL2NET , 2019 , 5, doi:10.3390/mol2net-05-xxxx 2 for each day of storage. The treatments to be

MOL2NET , 2019 , 5, doi:10.3390/mol2net-05-xxxx 1 MOL2NET, International Conference Series on Multidisciplinary Sciences MDPI http://sciforum.net/conference/mol2net-05 QUALITY AND CONSERVATION OF THE EGG OF CRIOLL FOR MARKETING IN THE AMAZON

641 views • 5 slides
Managing many models February 2016 Hadley Wickham @hadleywickham Chief Scientist,

Managing many models February 2016 Hadley Wickham @hadleywickham Chief Scientist,

Managing many models February 2016 Hadley Wickham @hadleywickham Chief Scientist, RStudio There are 7 key components of data science Import Visualise Communicate Transform Tidy Automate Model Understand Today I want to focus

683 views • 43 slides
Supervised Learning of Complete Morphological Paradigms Greg Durrett and John DeNero UC

Supervised Learning of Complete Morphological Paradigms Greg Durrett and John DeNero UC

Supervised Learning of Complete Morphological Paradigms Greg Durrett and John DeNero UC Berkeley / Google Morphological Inflection train (de) Zug Morphological Inflection N OM, S ING: Zug N OM, P LU: Zge train (de) Zug G EN, S ING:

916 views • 89 slides
Parsing Contexts Context Sensitive Grammars for Everyone Jan Kur kurs@iam.unibe.ch Software

Parsing Contexts Context Sensitive Grammars for Everyone Jan Kur kurs@iam.unibe.ch Software

Parsing Contexts Context Sensitive Grammars for Everyone Jan Kur kurs@iam.unibe.ch Software Composition Group Indentation using Petit Parser print Hello! if keyword if (outOf(milk)): print We are out of milk! block of commands

576 views • 57 slides
women participating in the Nutrition Links Project in a rural district of Ghana Afua

women participating in the Nutrition Links Project in a rural district of Ghana Afua

Poultry egg production and utilization among NUTRITION LINKS women participating in the Nutrition Links Project in a rural district of Ghana Afua Atuobi-Yeboah, Grace Marquis, Esi Colecraft, Frances Aboud, Shelley Clark, Theresa Gyorkos,

486 views • 25 slides
Basic Data Mining Algorithms Liyao Xiang http://xiangliyao.cn/ Shanghai Jiao Tong University

Basic Data Mining Algorithms Liyao Xiang http://xiangliyao.cn/ Shanghai Jiao Tong University

EE226 Big Data Mining Lecture 3 Basic Data Mining Algorithms Liyao Xiang http://xiangliyao.cn/ Shanghai Jiao Tong University http://jhc.sjtu.edu.cn/public/courses/EE226/ Notice There will be a quiz in the next weeks class. Please take a

363 views • 15 slides

More recommend