Abstract: How far would you trust your antivirus database updates? From a security point of view, updates help and continuously enhance your security. Antivirus solutions remain a mandatory component of computer systems and are updated at least once a day. In this paper we address interesting issues around the confidence we can place in our antivirus. We have chosen to analyze the McAfee antivirus on a technical and reproducible basis.
This particular choice is motivated by the fact that this antivirus is widely used and has been suspected, by the press and later by public opinion, of supporting the Magic Lantern US intelligence initiative. We intend to address several issues. First, we will analyze their protection/detection approach with respect to the 2008 Conficker worm: even now this threat is not fully detected. Second, we will present McAfee's approach to malware signature management and updates, which could lead to third-party access on systems protected by McAfee Antivirus products.
We will show on a technical and reproducible basis how the real number of malware is artificially inflated, leading to exaggerated and therefore incorrect figures. We then show how badly the quarantine process is managed and how to analyze the naming convention in McAfee's official DAT signature file, which can help users check newly added threats. Finally, we will explain how your antivirus and your web browsing can help hackers, cybercriminals, organizations, law enforcement, intelligence agencies or even other government entities gain access to your systems and take what they want.
Abstract: Statistical methods have long been used as a way to detect viral code. Such a detection method has been called spectral analysis, because it works with statistical distributions, such as frequency spectra of bytes, instructions or system calls. Most statistical classification algorithms can be represented as graphical models, namely Bayesian networks. We will first present in this paper an approach to viral detection by means of spectral analysis based on Bayesian networks, through two basic examples of such learning models: naive Bayes and hidden Markov models.
Designing a statistical information retrieval model requires careful and thorough evaluation in order to demonstrate the superior performance of new techniques on representative program collections. Nowadays, the field has developed into a highly empirical discipline. We will next present information-theoretic criteria to characterize the effectiveness of spectral analysis models and then discuss the limits of such models.
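As a much-simplified illustration of the spectral-analysis idea (not the models evaluated in the paper), the sketch below classifies samples by their byte-frequency spectrum with a multinomial naive Bayes; the class labels and training data are invented for the example.

```python
import math
from collections import Counter

def byte_spectrum(data: bytes) -> Counter:
    """Frequency spectrum of byte values in a code sample."""
    return Counter(data)

class NaiveBayesSpectral:
    """Multinomial naive Bayes over byte-frequency spectra."""

    def __init__(self):
        self.log_priors = {}
        self.log_likelihoods = {}

    def fit(self, samples, labels):
        total = len(labels)
        for c in set(labels):
            docs = [s for s, l in zip(samples, labels) if l == c]
            self.log_priors[c] = math.log(len(docs) / total)
            counts = Counter()
            for d in docs:
                counts.update(byte_spectrum(d))
            denom = sum(counts.values()) + 256  # Laplace smoothing over byte alphabet
            self.log_likelihoods[c] = {
                b: math.log((counts.get(b, 0) + 1) / denom) for b in range(256)
            }

    def predict(self, sample: bytes):
        spec = byte_spectrum(sample)
        scores = {
            c: self.log_priors[c]
            + sum(n * self.log_likelihoods[c][b] for b, n in spec.items())
            for c in self.log_priors
        }
        return max(scores, key=scores.get)
```

A hidden Markov model would additionally capture the *order* of the spectrum's symbols, which this frequency-only model deliberately ignores.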
Abstract: Malware is increasingly becoming a serious threat and a nuisance in the information and network age. To protect against a piece of malware, human experts have to extract a signature (usually a text pattern), which involves complex analysis of encrypted and/or packed binaries, and deploy it. However, this approach does not work for polymorphic and metamorphic malware, which have the ability to change shape from attack to attack; moreover, metamorphic virus detection, even assuming fixed length, is NP-complete. To counter these advanced forms of malware, we need semantic signatures which capture the essential behaviour of the malware (which remains unchanged across variants). Note that the signature need not capture all the activities of the malware. However, knowledge of all the activities of a malware is needed to disinfect (wherever possible) systems already infected by it.
In this paper, we present an algorithmic approach for extracting semantic signatures of malware (as regular expressions over API calls) and demonstrate via experiments its efficacy in detecting and predicting malware variants. Our approach involves two steps. In the first step, we collect and abstract the behaviour of the malware (as a sequence of security-relevant API/system calls) in different runs. In the second step, we inductively learn a regular expression that tightly fits these behaviours (generalizing where necessary). This regular expression then acts as the semantic signature of the malware. Our learning algorithm is basically a regular expression learning algorithm with positive data; further, it has several properties useful in practice, and the class of languages learnt is such that the size of the automaton is the same as the size of the regular expression. Our algorithm has been validated on malware in the wild (Etap, Netsky, MyDoom, Beagle, Sality) and shown to work for metamorphic viruses/worms as well as polymorphic varieties. Further, the algorithms together with the behavioural model lead to an architecture for constructive monitoring of malware with respect to given policies.
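The paper's learning algorithm is more sophisticated than can be shown in an abstract, but the core idea of generalizing API-call traces into a regular-expression signature can be sketched as follows; the trace contents and the simple "collapse repeats into `+`" generalization rule are illustrative assumptions, not the authors' actual algorithm.

```python
import re

def generalize_trace(trace):
    """Collapse consecutive repeats of the same API call into a '+' sub-pattern."""
    pattern = []
    prev = None
    for call in trace:
        if call != prev:
            pattern.append(f"(?:{re.escape(call)};)+")
            prev = call
    return "".join(pattern)

def semantic_signature(traces):
    """Union of generalized traces: a crude regular-expression signature."""
    alternatives = sorted({generalize_trace(t) for t in traces})
    return "|".join(alternatives)

def matches(signature, trace):
    """Check a new run's call sequence against the learned signature."""
    return re.fullmatch(signature, ";".join(trace) + ";") is not None
```

Two observed runs that differ only in how many times a call repeats collapse to the same pattern, so the signature also matches unseen variants with yet another repeat count.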
Abstract: So many new malware samples appear each day that we need automatic tools to help analysts make the analysis faster and more efficient. It was heard at EICAR 2010 that it is now possible for an AV company to receive more than 40,000 "new" malware samples each day. This clearly shows that the "malware industry" is flourishing, but of course, many of these "new" samples share large portions of code with existing and already known malware (many contain small or large parts of code copied from another). Here, known means analyzed, i.e. we have understood, for example, what the malware does, how it is programmed, how we can detect it with the help of a static signature in antivirus software, and so on.
Beyond the basic idea of searching for a signature of a malware, is there an interest in developing new tools for malware analysis? Yes! For (at least) the two following reasons:
1. if we have better tools, malware programmers will have to work harder (and so, hopefully, longer) to create new malware that is difficult to analyze;
2. in the last few years, a new threat has appeared among the tools used for information warfare: Targeted Malware Attacks, i.e. malware developed to attack a specific target. The Stuxnet worm is probably the best-known example. This is a really serious problem because the reaction of the AV community faced with a new malware depends a lot on its impact. And there is so much new malware that its analysis has to be prioritized; resources have to be managed in a balance between the importance of the threats and the ability to analyze a lot of files.
We present here algorithms to solve the following problems:
1. Let us suppose we have a large set M of malware files: how can we filter it to keep only the most representative samples?
2. Given two binary malware files, supposed already disassembled, how can we quickly compare them? More precisely, how can we understand the similarities, but also the dissimilarities, between both files?
3. we suppose we have a new malware function and a large database of (already) known malware functions; we want to understand the differences and similarities between this new function and the known ones, and how we can be protected against it (for example, we want to find a signature for AV software).
Our algorithms are mainly based on the use of the Normalized Compression Distance (NCD) at different granularity levels. For the first problem, which we call the global malware filtering problem, we propose two algorithms; one is new and is based on an algorithm for the third problem. We propose to use filtering tactics to select the most representative files of the malware set M: two different but similar tactics, one using the Normalized Compression Distance to filter the set M and one using entropy. For the second problem, we present an algorithm that, given the Call Flow Graph (CFG) of both malware files, approximately solves the graph matching problem associated with the two CFGs, again using the NCD of the nodes.
Abstract: A highlight of the 2009 Virus Bulletin Conference was a panel session on "Free AV vs paid-for AV; Rogue AVs", chaired by Paul Ducklin. As the title indicates, the discussion was clearly divided into two loosely related topics, but it was perhaps the first indication of a dawning awareness that the security industry has a problem that is only now being acknowledged.
Why is it so hard for the general public to distinguish between the legitimate AV marketing model and the rogue marketing approach used by rogue (fake) security software? Is it because the purveyors of rogue services are so fiendishly clever? Is it simply because the public is dumb? Is it, as many journalists would claim, the difficulty of discriminating between "legitimate" and criminal flavours of FUD (Fear, Uncertainty, Doubt)? Is the AV marketing model fundamentally flawed? In any case, the security industry needs to do a better job of explaining its business models in a way that clarifies the differences between real and fake anti-malware, and the way in which marketing models follow product architecture.
This doesn't just mean declining to mimic rogue AV marketing techniques, bad though they are for the industry and for the consumer: it's an educational initiative, and it involves educating the business user, the end-user, and the people who market and sell products. A security solution is far more than a scanner: it's a whole process that ranges from technical research and development, through marketing and sales, to post-sales support. But so is a security threat, and rogue applications involve a wide range of skills: not just the technical range associated with a Stuxnet-like, multi-disciplinary tiger team, but the broad skills ranging from development to search engine optimization, to the psychologies of evaluation and ergonomics, to identity and brand theft, to call centre operations that are hard to tell apart from legitimate support schemes, for the technically unsophisticated customer. A complex problem requires a complex and comprehensive solution, incorporating techniques and technologies that take into account the vulnerabilities inherent in the behaviour of criminals, end-users and even prospective customers, rather than focusing entirely on technologies for the detection of malicious binaries.
This paper contrasts existing malicious and legitimate technology and marketing, but also looks at ways in which holistic integration of multi-layered security packages might truly reduce the impact of the current wave of fake applications and services.
Abstract: Detecting malware used to be the main problem posed to antivirus companies and, to some extent, it still is, but in the last couple of years this problem has been outweighed by the task of cleaning the system once it has been compromised. This is because antiviruses eventually add detection for unknown malware, but the changes the malware caused in the registry or the file system during the "blind" period most often disable features of the operating system or leave behind security holes that can lead to future infections. Thus, only removing or neutralizing the malware itself is not good enough if these changes are not undone as well.
This paper addresses the more specific case of behavior detection systems that signal the infection only after the malware has already executed some or all of its payload. Although in this case the malware has been identified and removed, the machine has already been compromised, so accurate cleaning is essential.
Traditional approaches for this problem usually involve either specific removal routines for known malware or history databases that record actions of current running processes in order to undo them in the case an infection is declared. These methods have the disadvantage of either not being general or of increasing memory usage and overhead by the antivirus.
We propose a system to preemptively block undetected malware before it actually executes its payload, using prior information stored "in the cloud". The system is a three-step process based on the model "interrogate-detect-submit". It essentially gathers information from the first instance of a process declared as malware by the behavioral engine, stores it in the cloud, and uses this information to identify identical infected processes on other machines before they are able to execute. This enables the system both to behaviorally detect infected processes and, at the same time, to stop their execution before they do any damage, thus easing the task of a complete cleaning.
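A minimal sketch of the interrogate-detect-submit flow, assuming a SHA-256 hash of the process image serves as the cloud lookup key; the class and function names are hypothetical, and the real system gathers richer process information than a single hash.

```python
import hashlib

class CloudReputation:
    """Stand-in for the 'in the cloud' store of behaviorally detected processes."""

    def __init__(self):
        self._known_bad = set()

    def submit(self, image: bytes):
        """Submit step: record a process image flagged by the behavioral engine."""
        self._known_bad.add(hashlib.sha256(image).hexdigest())

    def is_known_bad(self, image: bytes) -> bool:
        """Detect step: has an identical image already been flagged elsewhere?"""
        return hashlib.sha256(image).hexdigest() in self._known_bad

def pre_exec_check(cloud: CloudReputation, image: bytes) -> bool:
    """Interrogate step: allow execution only if the cloud has not flagged this image."""
    return not cloud.is_known_bad(image)
```

The first victim still pays the cost of behavioral detection, but every subsequent machine blocks the identical process before it runs, which is what eases the cleaning task.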
Abstract: Last June, sets of viruses broke out on Symbian 3rd edition phones in China. Within one week, more than 1 million phones were infected, according to CNCERT, and the number of victims has been climbing since then. Compared to viruses that broke out previously, these bear more resemblance to "botnet" viruses on the PC, so they have been given the name "Zombie". (The formal virus names are "FC.ThemeInstaller.A", "AVK.DuMusic.A" and their variants.)
This paper will first provide some background information about "Zombie", and then introduce the security mechanisms of Symbian 3rd edition, basic assembly code and reverse engineering techniques, all of which are essential to understand the later parts. Next, this paper will explain the basic features of "Zombie" from an implementation aspect, including how the viruses propagate and how they protect themselves against anti-virus software. These features are illustrated with assembly code and the corresponding standard APIs on Symbian. Most importantly, this paper will detail the new feature of "Zombie": a remote malicious server plays an important, even vital, role in the attack and spread of "Zombie". It will show how the server commands "Zombie" to conduct whatever malicious behavior the hacker wants. These commands range widely, from uploading sensitive information about the victim to downloading new addresses of the remote server to protect "Zombie" from operator blocking, such as China Mobile's. This paper will describe the commands already known, but there will always be new commands, since the high extensibility of "Zombie" allows it to accept whatever commands the hacker defines. By showing and explaining this "protocol" between the remote malicious server and "Zombie", this paper will provide an overview of the whole process of a "Zombie" attack, and the framework of this new type of mobile threat.
Finally, this paper will conclude on the importance of "Zombie" and its influence on mobile security worldwide.
Abstract: When was the last time you hesitated opening a movie file? Unfortunately it is possible for media file formats to contain more than one might expect.
Trojan media files are increasingly being used as an infection vector, with attackers exploiting design issues or undocumented features in file formats. Modern media file formats allow hyperlinks to be embedded inside them and are frequently misused as a vehicle for web-centric attacks. Unlike the notorious history associated with executable, Microsoft Office or PDF files, media files are traditionally perceived as trustworthy by end-users, and malware authors have been quick to capitalize on this by using exploit-laden media files to propagate malware.
This paper presents a technical analysis of vulnerabilities affecting popular audio and video file formats (Apple QuickTime, Adobe Shockwave Flash, Microsoft Advanced Systems Format and Real Media). We also discuss the challenges security vendors face in detecting malicious media files and the techniques attackers use to subvert detection.
Abstract: One of the main trends in the modern anti-virus industry is the development of algorithms that help estimate the similarity of files. Since malware writers tend to use increasingly complex techniques to protect their code, such as obfuscation and polymorphism, anti-virus software vendors face the increasing difficulty of file scanning, the considerable growth of anti-virus databases, and the overgrowth of file storage. For solving such problems, static analysis of files appears to be of some interest. Its use helps determine those file characteristics that are necessary for comparison without executing malware samples within a protected environment.
The solution provided in this article is based on the assumption that different samples of the same malicious program have a similar order of code and data areas. Each such file area may be characterized not only by its length, but also by its homogeneity; in other words, the file may be characterized by the complexity of its data order. Our approach consists of using wavelet analysis to segment files into segments of different entropy levels, and using the edit distance between the segment sequences to determine the similarity of the files.
The proposed solution has a number of advantages that help detect malicious programs efficiently on personal computers. First, the comparison does not take into account the functionality of the analysed files and is based solely on determining the similarity in code and data area positions, which makes the algorithm effective against many ways of protecting executable code. On the other hand, such a comparison may result in false alarms; therefore, our solution is useful as a preliminary test that triggers additional checks. Second, the method is relatively easy to implement and does not require code disassembly or emulation. And, third, the method makes the malicious file record compact, which is significant when compiling anti-virus databases.
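A rough sketch of the segment-and-compare idea, substituting plain per-block Shannon entropy for the paper's wavelet analysis; the block size, the number of quantization levels and the quantization rule are all assumptions made for the example.

```python
import math
from collections import Counter

def block_entropy(data: bytes) -> float:
    """Shannon entropy (bits per byte) of one block."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def entropy_profile(data: bytes, block=256, levels=4):
    """Quantized entropy level per block, with adjacent equal levels merged into segments."""
    raw = [min(levels - 1, int(block_entropy(data[i:i + block]) / 8 * levels))
           for i in range(0, len(data), block)]
    segments = []
    for lvl in raw:
        if not segments or segments[-1] != lvl:
            segments.append(lvl)
    return segments

def edit_distance(a, b):
    """Levenshtein distance between two segment sequences."""
    dp = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        prev, dp[0] = dp[0], i
        for j, y in enumerate(b, 1):
            prev, dp[j] = dp[j], min(dp[j] + 1, dp[j - 1] + 1, prev + (x != y))
    return dp[-1]
```

Two files with the same ordering of low- and high-entropy areas get identical profiles regardless of the bytes inside each area, which is exactly why the comparison survives code obfuscation, and also why it can false-alarm and should only trigger further checks.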
Abstract: This paper deals with Android malware. With the rise of Android as a system for smartphones, malware began to appear. Current malware uses classical exploits embedded through ELF binaries or shared libraries, because the ability to execute native code is available with the NDK.
We present some of them, how they work, and how they are used in Android applications. More precisely, we focus on the DroidDream malware, which was the first found in the Android Market. This malware is particularly interesting as it has the ability to root the phone it is executed on, a step performed in order to turn the phone into a zombie agent.
This is done using publicly known exploits, such as 'exploid' and 'rageagainstthecage'. It is interesting because these exploits are relatively old, yet many phones are still vulnerable. This can be explained by the fact that updates were not deployed by vendors, and that antivirus vendors' databases do not take classical exploits into account.
Abstract: The complexity of IT infrastructure is continuously growing: more products are incorporated and more services are used. Enterprises rely on computer networks and information technology, and their primary processes completely depend on the IT department. A malware infection confined to one computer is troublesome; the infection of a whole network is often a disaster. There are well-known signature-based approaches to stop malware from spreading (intrusion detection systems, antivirus, antispyware). However, these are not bulletproof methods, and their capabilities can be extended using network traffic monitoring and analysis. Flow data are currently the most widely used standard for detailed measuring and monitoring of computer networks. A lot of research has been performed in this area, and several methods, mostly based on statistical analysis of the flow data, exist. However, owing to their low sensitivity to individual attacks and malware activities, these methods typically indicate only the disaster situation, which is too late. The latest results prove that flow data can be used to detect targeted attacks, malware activities or anomalies that express themselves as only a few network connections with minimal traffic. This trend is called Network Behavior Analysis (NBA), and we will demonstrate the purpose of NBA on the problem of malware activity detection.
Abstract: A program protected with validity technology continuously ascertains its own integrity, without relying on any trusted external help, and takes countermeasures if any problem is detected. This achievement is made possible by a mix of software and hardware techniques. The development team continues to develop and test the program with its habitual development tools. The protection is then applied by modifying the executable code with a post-compiler. Finally, while running, the protected program is composed of a fine mix of standard instructions, which are executed on the computer's processor, and transformed instructions, which are executed on a secure co-processor. The secure co-processor is an inexpensive secure chip added to the computer or to the embedded system; depending on the application, it can take various form factors: USB key, SDIO card, surface-mount chip... Since secure chips are much slower than general-purpose processors, to keep good performance, only a small but essential fraction of the original instructions is transformed into co-processor instructions.
A cryptographic key is used by the post-compiler to encrypt the transformed instructions, and only co-processors with a matching decryption key can execute this very specific co-processor instruction set. The program instruction stream becomes a mix of standard unchanged processor instructions and specific co-processor instructions, making a specific hybrid instruction set.
The co-processor architecture differs from standard co-processor architectures by using several additional fields in every instruction and one additional field in every register to embed execution-flow monitoring capability. At recompilation time, for each instruction, the identities of the instructions which will be allowed to generate its operands are computed and recorded in the added fields. At execution time, the identity of the instruction writing into a register is recorded in the added field of the register, in addition to the value itself. Also at execution time, the identity of the instruction which generated an operand, taken from the added register field, is compared with the identities of the allowed instruction(s), taken from the added instruction field(s). These simple comparisons are inexpensive and establish a very strong "tripwire" detecting almost any semantic change to the program.
This mechanism rapidly detects any program tampering, and since the co-processor holds part of the program state, it can take meaningful coercion or recovery actions without fear of being bypassed. A standard PC program can decide to simply die; an embedded system can retry an action, restart from a checkpoint or reboot...
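The operand-provenance check can be illustrated with a tiny software simulation; the register names, the two opcodes and the instruction encoding below are invented for the example, whereas the real mechanism lives in the co-processor's hardware fields.

```python
class TamperDetected(Exception):
    """Raised when an operand was produced by a non-authorized instruction."""

def execute(program):
    """Run a toy instruction list, checking each operand's writer identity.

    Each register holds (value, writer_id): the value plus the 'added register field'.
    Each consuming instruction carries 'allowed', the 'added instruction fields' listing
    which instruction ids may have produced its source operand.
    """
    regs = {}
    for ins in program:
        if ins["op"] == "li":                           # load immediate
            regs[ins["dst"]] = (ins["imm"], ins["id"])
        elif ins["op"] == "addi":                       # dst = src + imm, with provenance check
            value, writer = regs[ins["src"]]
            if writer not in ins["allowed"]:            # the "tripwire" comparison
                raise TamperDetected(f"instr {ins['id']}: operand written by {writer}")
            regs[ins["dst"]] = (value + ins["imm"], ins["id"])
    return {r: v for r, (v, _) in regs.items()}
```

Injecting any extra write between a producer and its consumer changes the recorded writer identity, so the next provenance comparison fails: exactly the semantic-change tripwire described above.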