Towards network containment in malware analysis systems

Graziano, Mariano; Leita, Corrado; Balzarotti, Davide

doi:10.1145/2420950.2421000

Cited by 16 publications

(11 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Unclassified

Order By: Relevance

“…Todos estos valores se han recogido de manera automática mediante la ejecución desatendida de PinVMShield dentro del entorno de sandbox de Cuckoo Sandbox (versión 0.6) [14], una herramienta de código abierta ampliamente usada por la comunidad de análisis de software malicioso [23][45] [46].…”

Section: A Herramienta Pafishunclassified

Towards the Detection of Isolation-Aware Malware

Rodríguez

Gaston²,

Alonso

2016

IEEE Latin Am. Trans.

View full text Add to dashboard Cite

Abstract-Malware analysis tools have evolved in the last years providing tightly controlled sandbox and virtualised environments where malware is analysed minimising potential harmful consequences. Unfortunately, malware has advanced in parallel, being currently able to recognise when is running in sandbox or virtual environments and then, behaving as a nonharmful application or even not executing at all. This kind of malware is usually called analysis-aware malware. In this paper, we propose a tool to detect the evasion techniques used by analysis-aware malware within sandbox or virtualised environments. Our tool uses Dynamic Binary Instrumentation to maintain the binary functionality while executing arbitrary code. We evaluate the tool under a set of well-known analysis-aware malware showing its current effectiveness. Finally, we discuss limitations of our proposal and future directions.Index Terms-analysis-aware malware, binary analysis, dynamic binary instrumentation. I. INTRODUCCIÓNL VOLUMEN de aplicaciones software creadas con intenciones maliciosas o sospechosas (dícese malware por su nombre en inglés) ha crecido tanto en cantidad como en complejidad en la última década [18], [35], [36], [44]. La lucha contra el malware requiere una constante actualización de las técnicas defensivas, entender cómo actúa el malware, qué tipo de acciones dañinas realiza y cómo éstas pueden ser detectadas, eliminadas o prevenidas. Expertos analistas de malware deben hacer frente cada día a un creciente número de muestras de malware. Por ejemplo, la compañía especializada en antivirus Kaspersky indicó que en 2013 analizó, aproximadamente, 350.000 muestras de malware diarias [30]. La ingeniería inversa es el proceso desarrollado para conocer y entender las capacidades y comportamiento del malware; sin embargo, requiere mucho tiempo y trabajo. Dado el incremento diario de retos a los que se enfrentan los analistas de malware, dos tendencias complementarias han emergido recientemente en el análisis de La automatización del proceso de análisis del malware permite, por un lado, un conocimiento del comportamiento de la muestra de una forma ágil y rápida, y por tanto permite mantener actualizadas las bases de datos de anti-virus para proteger de forma efectiva a los usuarios finales ante nuevas amenazas. Por otro lado, el aislamiento del entorno de análisis de malware previene que durante el proceso de análisis el malware pueda infectar un sistema o una red legítima, o incluso llegue a interferir en el negocio de la empresa donde se está llevando el análisis. En este sentido, en este artículo sólo consideramos las soluciones software propuestas para aislar el entorno de análisis de malware, dejando de lado las soluciones basadas en máquinas físicas aisladas como entorno de análisis.Sin embargo, los desarrolladores de malware han aprendido a su vez cómo se analizan las muestras de malware, y por ello han empezado a incorporar a sus desarrollos diversas técnicas de evasión que permiten reconocer cuándo el malware está siendo ejecutado...

show abstract

Section: A Herramienta Pafishunclassified

Towards the Detection of Isolation-Aware Malware

Rodríguez

Gaston²,

Alonso

2016

IEEE Latin Am. Trans.

View full text Add to dashboard Cite

show abstract

“…Forced path execution for binaries have been extensively discussed in [14], [15], [16] and some of the obfuscation techniques for Android malware have appeared in [17], [18], [19]. However, we are not aware of any large-scale study that attempted to analyze mobile applications in terms of copyright infringement.…”

Section: Related Workmentioning

confidence: 99%

Analysis of content copyright infringement in mobile application markets

Johnson

Kiourtis

Stavrou

et al. 2015

2015 APWG Symposium on Electronic Crime Research (eCrime)

View full text Add to dashboard Cite

As mobile devices increasingly become bigger in terms of display and reliable in delivering paid entertainment and video content, we also see a rise in the presence of mobile applications that attempt to profit by streaming pirated content to unsuspected end-users. These applications are both paid and free and in the case of free applications, the source of funding appears to be advertisements that are displayed while the content is streamed to the device.In this paper, we assess the extent of content copyright infringement for mobile markets that span multiple platforms (iOS, Android, and Windows Mobile) and cover both official and unofficial mobile markets located across the world. Using a set of search keywords that point to titles of paid streaming content, we discovered 8, 592 Android, 5, 550 iOS, and 3, 910 Windows mobile applications that matched our search criteria. Out of those applications, hundreds had links to either locally or remotely stored pirated content and were not developed, endorsed, or, in many cases, known to the owners of the copyrighted contents. We also revealed the network locations of 856, 717 Uniform Resource Locators (URLs) pointing to back-end servers and cyber-lockers used to communicate the pirated content to the mobile application.

show abstract

“…To gain access a hacker might try different vulnerabilities in a host while automated programs are the exact opposite; they use the same exploits on all the hosts hoping to find a host with a weak point [9,10].…”

Section: Automated Attack Programsmentioning

confidence: 99%

Container based virtual honeynet for increased network security

Memari

Hashim

Samsudin

2015

2015 5th National Symposium on Information Technology: Towards New Smart World (NSITNSW)

View full text Add to dashboard Cite

Honeynet represents a new strategy in defending the computer networks and systems against unauthorized access or hacking attempts. Not only it can detect and display the attack pattern or the tools utilized, it can also help in eliminating access to real systems by representing an emulation of the physical systems and services present within the network , thus delaying or confusing the intruder. In this paper we provide an overview of a lightweight container based deployment that emulates popular Linux and Windows services to unsuspecting intruders. Results show the real world attacks against the deployed system.

show abstract

Towards network containment in malware analysis systems

Cited by 16 publications

References 12 publications

Towards the Detection of Isolation-Aware Malware

Towards the Detection of Isolation-Aware Malware

Analysis of content copyright infringement in mobile application markets

Container based virtual honeynet for increased network security

Contact Info

Product

Resources

About