Scanning memory with Yara

Cohen, Michael

doi:10.1016/j.diin.2017.02.005

Cited by 24 publications

(7 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In a paper on the malware analysis tool Yara, Cohen [9] describes LotL as a trend that has been recently observed in the tactics used by elite threat actors; this claim is reinforced by the results of our analysis. Research by Hassan et al [21] states that APT malware uses LotL attack strategies to enable persistent campaigns and analyses two campaigns, compared to our less granular analysis of 16,232 samples.…”

Section: Related Worksupporting

confidence: 66%

See 1 more Smart Citation

Survivalism: Systematic Analysis of Windows Malware Living-Off-The-Land

Barr-Smith

Ugarte-Pedrero

Graziano

et al. 2021

2021 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

As malware detection algorithms and methods become more sophisticated, malware authors adopt equally sophisticated evasion mechanisms to defeat them. Anecdotal evidence claims Living-Off-The-Land (LotL) techniques are one of the major evasion techniques used in many malware attacks. These techniques leverage binaries already present in the system to conduct malicious actions. We present the first large-scale systematic investigation of the use of these techniques by malware on Windows systems.In this paper, we analyse how common the use of these native system binaries is across several malware datasets, containing a total of 31,805,549 samples. We identify an average 9.41% prevalence. Our results show that the use of LotL techniques is prolific, particularly in Advanced Persistent Threat (APT) malware samples where the prevalence is 26.26%, over twice that of commodity malware.To illustrate the evasive potential of LotL techniques, we test the usage of LotL techniques against several fully patched Windows systems in a local sandboxed environment and show that there is a generalised detection gap in 10 of the most popular anti-virus products.

show abstract

Section: Related Worksupporting

confidence: 66%

“…Yara Rule Match Malware. We collected an additional dataset by leveraging the live hunting service from VT. To this end, we deployed three Yara [9] rules we wrote to detect the use of LotL binaries based on the behavioural footprint of the samples. We make these rules public in our repository.…”

Section: A Dataset Compositionmentioning

confidence: 99%

Survivalism: Systematic Analysis of Windows Malware Living-Off-The-Land

Barr-Smith

Ugarte-Pedrero

Graziano

et al. 2021

2021 IEEE Symposium on Security and Privacy (SP)

View full text Add to dashboard Cite

show abstract

“…When evaluating memory with scanning techniques, one can either scan the virtual address space or the memory image directly. Cohen [45] proposed a "context aware" scanning method that uses the Windows Page Frame Number (PFN) database to rapidly identify the owner of each physical page, and where it is mapped in its virtual address space. This method improves the matching speed and accuracy since the virtual address space need not be reconstructed for every process.…”

Section: Signature Scanningmentioning

confidence: 99%

The Evolution of Volatile Memory Forensics

Nyholm

Lyles

et al. 2022

JCP

View full text Add to dashboard Cite

The collection and analysis of volatile memory is a vibrant area of research in the cybersecurity community. The ever-evolving and growing threat landscape is trending towards fileless malware, which avoids traditional detection but can be found by examining a system’s random access memory (RAM). Additionally, volatile memory analysis offers great insight into other malicious vectors. It contains fragments of encrypted files’ contents, as well as lists of running processes, imported modules, and network connections, all of which are difficult or impossible to extract from the file system. For these compelling reasons, recent research efforts have focused on the collection of memory snapshots and methods to analyze them for the presence of malware. However, to the best of our knowledge, no current reviews or surveys exist that systematize the research on both memory acquisition and analysis. We fill that gap with this novel survey by exploring the state-of-the-art tools and techniques for volatile memory acquisition and analysis for malware identification. For memory acquisition methods, we explore the trade-offs many techniques make between snapshot quality, performance overhead, and security. For memory analysis, we examined the traditional forensic methods used, including signature-based methods, dynamic methods performed in a sandbox environment, as well as machine learning-based approaches. We summarize the currently available tools, and suggest areas for more research.

show abstract

“…The indicators of cybercrime can be searched from the extensive data set of evidence like malicious network traffic (Pilli et al, 2010;Tobergte & Curtis, 2013). The finding may be shared with the development team of security tools for improvement purposes (Case & Richard III, 2017;Cohen, 2017;Burdach, 2006).…”

Section: Examinationmentioning

confidence: 99%

An emerging threat Fileless malware: a survey and research challenges

2020

View full text Add to dashboard Cite

With the evolution of cybersecurity countermeasures, the threat landscape has also evolved, especially in malware from traditional file-based malware to sophisticated and multifarious fileless malware. Fileless malware does not use traditional executables to carry-out its activities. So, it does not use the file system, thereby evading signature-based detection system. The fileless malware attack is catastrophic for any enterprise because of its persistence, and power to evade any anti-virus solutions. The malware leverages the power of operating systems, trusted tools to accomplish its malicious intent. To analyze such malware, security professionals use forensic tools to trace the attacker, whereas the attacker might use anti-forensics tools to erase their traces. This survey makes a comprehensive analysis of fileless malware and their detection techniques that are available in the literature. We present a process model to handle fileless malware attacks in the incident response process. In the end, the specific research gaps present in the proposed process model are identified, and associated challenges are highlighted.

show abstract

Scanning memory with Yara

Cited by 24 publications

References 6 publications

Survivalism: Systematic Analysis of Windows Malware Living-Off-The-Land

Survivalism: Systematic Analysis of Windows Malware Living-Off-The-Land

The Evolution of Volatile Memory Forensics

An emerging threat Fileless malware: a survey and research challenges

Contact Info

Product

Resources

About