Research: Threat Intelligence & Malware Infrastructures (PowerPoint PPT presentation)



SLIDE 1

Malware Analysis

Research: Threat Intelligence & Malware Infrastructures

Andrea Lanzi: andrea.lanzi@unimi.it, May 3, 2017


SLIDE 2

Malware Analysis: Malicious Infrastructure

Who am I?

My research focuses on systems and systems security: memory error detection and exploitation; malware detection and analysis (program analysis techniques); software reverse engineering (program analysis techniques); hardware-supported virtualization (OS protection); and the study of malicious infrastructures (Tor, spam, sandboxes, etc.).


SLIDE 3

Malicious Infrastructure

Study malicious phenomena on the network and try to understand the business model behind malicious infrastructures. Try to design defensive systems that are able to shut down or detect such infrastructures. The challenge here is to find automatic techniques (e.g., program analysis, network algorithms, etc.) that can be applied to design an analysis framework for each new business model.


SLIDE 4

Spam is an evergreen economy despite the several botnet takedowns. Spam ranges over:

search engine optimization; product advertising; generic phishing; targeted malware spreading.


SLIDE 5

Rather than focusing on spam prevention, we want to analyze the infrastructure that is the basis of the modern spam business. URLs advertised in spam messages can be divided into two groups:

source: initial URLs advertised by the spammer
final: pages where the user ends up when visiting a source URL

1. Many source URLs may redirect to a single final URL.
2. One redirection chain leads from a source URL to a final URL.

SLIDE 6

Structure and content information:

continuous recrawl of the suspicious chains; information collected from different sources; focus on identifying the most important nodes (TDSes).

Contributions:

analysis of the evolution of the malicious infrastructure; development of an approach for identifying malicious nodes/domains.


SLIDE 7

Example of chains:

1. H3
2. H1
3. H1 → H2 → H3
4. H4 → H2 → H3

Possible approaches: in-degree analysis; PageRank; clustering using features of the page.


SLIDE 10

Study Pilot I

10,000 malicious chains; chains re-crawled consecutively for 11 days; detection rule: TDS if linked by two distinct domains.


SLIDE 11

Study Pilot II

Other 10,000 malicious chains; chains re-crawled consecutively for 60 days, using only the most frequent version of a chain; detection rule: TDS if linked by two distinct domains.

Correctly identified 7988 malicious chains out of the 10,000 considered.
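The in-degree rule used in Study Pilots I and II, applied to chains shaped like the H1 → H2 → H3 example from the earlier slide, worked in code. This is an added illustration and not code from the talk or from the research it describes: it builds the redirect graph from a few constructed chains (placeholder hostnames, not real spam data), counts the distinct referring domains of every node, flags a node as a TDS candidate once that count reaches two, and runs a plain PageRank as the second approach the slides list. The `registered_domain` helper, the threshold name `min_domains` and the sample chains are assumptions made here.

```python
"""Redirection-chain analysis: distinct-domain in-degree, the
"TDS if linked by two distinct domains" rule, and a small PageRank.

Added example; chains and hostnames are constructed placeholders.
Each chain is the ordered list of hosts from a source URL to the final
page, matching the slides' "H1 -> H2 -> H3" notation.
"""
from collections import defaultdict

# Constructed input: the four chains from the slide plus three more so
# that the rule has something to distinguish.
SAMPLE_CHAINS = [
    ["h3.example"],                               # chain 1: final page only
    ["h1.example"],                               # chain 2: source, no redirect
    ["h1.example", "h2.example", "h3.example"],   # chain 3
    ["h4.example", "h2.example", "h3.example"],   # chain 4
    ["h5.example", "h2.example", "h6.example"],   # h2 also reached from h5
    ["h7.example", "h8.example"],                 # h8 linked from one domain only
    ["h7.example", "h8.example"],                 # repeated crawl of the same chain
]


def registered_domain(host):
    """Collapse a hostname to its last two labels (assumed stand-in for a
    public-suffix lookup): www.a.example -> a.example."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def build_graph(chains):
    """Return (succ, pred_domains): succ maps node -> set of successor
    nodes; pred_domains maps node -> set of distinct referring domains."""
    succ = defaultdict(set)
    pred_domains = defaultdict(set)
    for chain in chains:
        for src, dst in zip(chain, chain[1:]):
            succ[src].add(dst)
            pred_domains[dst].add(registered_domain(src))
        for host in chain:  # make sure isolated nodes exist in both maps
            succ.setdefault(host, set())
            pred_domains.setdefault(host, set())
    return succ, pred_domains


def in_degree(chains):
    """Number of distinct referring domains per node (not raw edge count)."""
    _, pred = build_graph(chains)
    return {node: len(doms) for node, doms in pred.items()}


def detect_tds(chains, min_domains=2):
    """Slide rule: a node is a TDS candidate when it is linked by at least
    `min_domains` distinct domains."""
    return sorted(n for n, d in in_degree(chains).items() if d >= min_domains)


def pagerank(chains, damping=0.85, iterations=50):
    """Power-iteration PageRank over the redirect graph. Nodes without
    out-links (final pages) spread their mass uniformly so the ranks
    keep summing to 1."""
    succ, _ = build_graph(chains)
    nodes = sorted(succ)
    n = len(nodes)
    rank = {v: 1.0 / n for v in nodes}
    for _ in range(iterations):
        dangling = sum(rank[v] for v in nodes if not succ[v])
        new = {v: (1 - damping) / n + damping * dangling / n for v in nodes}
        for v in nodes:
            for w in succ[v]:
                new[w] += damping * rank[v] / len(succ[v])
        rank = new
    return rank


if __name__ == "__main__":
    print("distinct-domain in-degree:", in_degree(SAMPLE_CHAINS))
    print("TDS candidates:", detect_tds(SAMPLE_CHAINS))
    for node, r in sorted(pagerank(SAMPLE_CHAINS).items(), key=lambda kv: -kv[1]):
        print(f"{node:12s} {r:.3f}")
```

With this input the final page h3 appears in three chains but is linked from only one domain (h2), so the distinct-domain rule keeps it out of the candidate list and flags h2 instead; a raw count of incoming chains would have ranked h3 first. Collapsing referrers to their registered domain also stops one spammer domain with many subdomains from satisfying the rule by itself.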


SLIDE 13

Needles in a Haystack: Mining Information from Public Dynamic Analysis Sandboxes for Malware Intelligence

Published at the USENIX Security Symposium 2015. A novel methodology based on machine learning and data mining to automatically identify malware development cases among the samples submitted to a malware analysis sandbox. We were able to automatically identify thousands of development cases, and to show how the authors modify their programs to test their functionality or to evade sandboxes.


SLIDE 14

Needles in a Haystack: Mining Information from Public Dynamic Analysis Sandboxes for Malware Intelligence

We first try to cluster binary executables based on binary similarity, using the ssdeep tool. We also considered the time frame of the development task. We started from 32,294,094 binary files and obtained 5972 clusters containing 4.5 elements each on average; the timeline was 5 years. Considering also submissions from the same IP, we were able to create 225 macro clusters.
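The clustering step described on this slide, as an added example that is not code from the paper or the talk: samples are linked into a cluster only when they are both similar and submitted within a time window, and clusters that share a submitter IP are then merged into macro clusters. The original work used ssdeep for binary similarity; here a byte-trigram Jaccard score stands in for it so the script runs without the ssdeep library. The samples, IPs and timestamps are constructed, and the similarity threshold, the 30-day window and the helper names are assumptions made here.

```python
"""Grouping sandbox submissions into development cases (added example).

Step 1: similarity-based clusters, bounded by a submission-time window.
Step 2: macro clusters, merging clusters that share a submitter IP.
Byte-trigram Jaccard similarity is an assumed stand-in for ssdeep.
"""
from datetime import datetime, timedelta
from itertools import combinations

# Constructed sample bytes: a fake header followed by a repeating pattern.
BASE = b"MZ\x90\x00" + bytes(range(64)) * 4

# Constructed submissions: (sample_id, submitter_ip, submission_time, content).
SUBMISSIONS = [
    ("s1", "198.51.100.10", datetime(2013, 3, 1, 10, 0), BASE),
    ("s2", "198.51.100.10", datetime(2013, 3, 1, 12, 0),
     BASE[:200] + b"\x90\x90\x90" + BASE[200:]),            # small patch, same author
    ("s3", "203.0.113.7", datetime(2013, 3, 2, 9, 0),
     BASE[:100] + b"PATCH" + BASE[100:]),                    # similar, different IP
    ("s4", "198.51.100.10", datetime(2014, 1, 1, 0, 0), BASE),  # identical bytes, months later
    ("s5", "192.0.2.99", datetime(2013, 3, 2, 9, 30),
     bytes(range(255, 0, -1)) * 4),                          # unrelated content
]


def trigrams(data):
    """Set of overlapping 3-byte substrings of `data`."""
    return {data[i:i + 3] for i in range(len(data) - 2)}


def similarity(a, b):
    """Jaccard similarity of byte trigrams in [0, 1] (assumed stand-in for ssdeep)."""
    ta, tb = trigrams(a), trigrams(b)
    if not ta and not tb:
        return 1.0
    return len(ta & tb) / len(ta | tb)


class UnionFind:
    """Minimal disjoint-set structure used for both clustering steps."""

    def __init__(self, items):
        self.parent = {x: x for x in items}

    def find(self, x):
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

    def groups(self):
        out = {}
        for x in self.parent:
            out.setdefault(self.find(x), []).append(x)
        return [sorted(g) for g in out.values()]


def cluster_submissions(submissions, min_similarity=0.8, window=timedelta(days=30)):
    """Link two samples when they are similar enough AND submitted within
    `window` of each other; return the sorted list of clusters (id lists)."""
    uf = UnionFind([s[0] for s in submissions])
    for (id_a, _, t_a, data_a), (id_b, _, t_b, data_b) in combinations(submissions, 2):
        if abs(t_a - t_b) <= window and similarity(data_a, data_b) >= min_similarity:
            uf.union(id_a, id_b)
    return sorted(uf.groups())


def macro_clusters(submissions, clusters):
    """Merge clusters that share at least one submitter IP; return a sorted
    list of macro clusters, each a list of the clusters it contains."""
    ip_of = {s[0]: s[1] for s in submissions}
    uf = UnionFind(range(len(clusters)))
    first_cluster_with_ip = {}
    for idx, members in enumerate(clusters):
        for ip in {ip_of[m] for m in members}:
            if ip in first_cluster_with_ip:
                uf.union(first_cluster_with_ip[ip], idx)
            else:
                first_cluster_with_ip[ip] = idx
    return sorted(sorted(clusters[i] for i in g) for g in uf.groups())


if __name__ == "__main__":
    clusters = cluster_submissions(SUBMISSIONS)
    print("clusters:", clusters)
    print("macro clusters:", macro_clusters(SUBMISSIONS, clusters))
```

Here s4 has exactly the same bytes as s1 yet lands in its own cluster because it was submitted ten months later, which is the effect of the time frame constraint; the IP step then reunites it with the s1 cluster because the same submitter address appears in both, while the unrelated s5 stays on its own.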


SLIDE 15

Needles in a Haystack: Mining Information from Public Dynamic Analysis Sandboxes for Malware Intelligence

We also performed intra-cluster analysis and extracted code-based features based on code normalization, programming language, and call-graph and CFG comparison. We then extracted other features based on the antivirus analysis, such as the IP from which the client connected, the type of evasion technique, the email address used, the timestamp of submission, etc. We applied a machine learning algorithm and trained a classifier on the selected features; the system flagged 3038 clusters as potential developments over a six-year period.


SLIDE 16

Needles in a Haystack: Mining Information from Public Dynamic Analysis Sandboxes for Malware Intelligence

Campaign          Early Submission  Time Before Public Disclosure  Submitted by
Operation Aurora  ✓                 4 months                       US
Red October       ✓                 8 months                       Romania
APT1              ✓                 43 months                      US
Stuxnet           ✓                 1 month                        US
Beebus            ✓                 22 months                      Germany
LuckyCat          ✓                 3 months                       US
BrutePOS          ✓                 5 months                       France
NetTraveller      ✓                 14 months                      US
Pacific PlugX     ✓                 12 months                      US
Pitty Tiger       ✓                 42 months                      US
Regin             ✓                 44 months                      UK
Equation          ✓                 23 months                      US


SLIDE 17

Needles in a Haystack: Mining Information from Public Dynamic Analysis Sandboxes for Malware Intelligence

This system can be used as an early warning system and can be designed to be resistant to attacks by the adversary. Any public sandbox can be equipped with an active monitor that is able to detect early malware development and stop the malware's propagation.


SLIDE 18

Q&A

Thank You! Q&A?
