While the latest CommWarrior variants continue to entice mobile phone users into clicking ‘Yes’ to grant them permission to install, we have encountered the first remote exploit for Windows Mobile phones using MMS as the attack vector.
It seems that malware is slowly but steadily taking over mobile device operating systems, which suffer from the same syndrome as their bigger relatives, the desktop operating systems. We are seeing more and more malware exploiting vulnerabilities and backdoors in the various mobile operating systems. Some vulnerabilities require only that the user open a malformed MMS message to trigger a buffer overflow; in the Windows Mobile Synchronized Multimedia Integration Language (SMIL) parser, for example, such an exploit can execute code on the targeted phone and silently install malware. We will explore several vulnerabilities and payloads on various mobile devices.
Recommendations on how to select and/or memorize a four-digit PIN (Personal Identification Number) can be found all over the Internet, but while we have learned a great deal from analyses of mixed-character passwords and passphrases revealed by high-profile breaches such as the highly publicized Gawker and Rockyou.com attacks, there are no exactly equivalent attack-derived data on PIN usage. However, a sample of 204,508 anonymized passcodes for a smartphone application, ranking 4-digit strings by popularity, gives us a starting point for mapping that ranking to known selection and mnemonic strategies. Memorization strategies summarized by Rasmussen and Rudmin include rote learning; memorization according to keypad pattern; passcode re-use from other security contexts; codes with personal meaning; and codes written down or stored electronically (as on a mobile phone), possibly using various concealment and transformation strategies.
The data provided by Amitay allow us not only to assess the degree to which those strategies are used in relation to a standard smartphone numeric keypad, but also to engage in some informed speculation on the extent to which they might be modified on other keypads, including QWERTY phone keypads, ATM keypads, security tokens requiring initial PIN entry, and hardware using an inverted (calculator-type) numeric layout. The ranking also allows evaluation of the entropic efficacy of these strategies: the more popular a sequence, the likelier it is to be guessed.
These considerations are used to assess the validity of commonly recommended strategies in a diversity of contexts and to generate a set of recommendations based on the findings of this analysis. These recommendations are placed in the context of more general mixed-character passwords and passphrases. They will provide a starting point for security managers and administrators responsible for educating, and protecting by policy, end users and customers who use the kinds of device and application that require numeric passcodes for authentication.
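An added example of the kind of analysis the abstract describes (this is illustration code, not the authors' analysis or the Amitay data): a constructed PIN-frequency sample is ranked by popularity, each code is tagged with the selection strategy that explains it, and the ranking is turned into the two numbers a policy maker needs, the share of users an attacker compromises with k ranked guesses and the min-entropy of the choice. The keypad layouts (including where 0 sits on an inverted calculator keypad), the strategy names and their test order, and the 1900-2030 "year" range are assumptions of the example.

```python
"""
Rank a sample of 4-digit PINs by popularity, tag each with the selection
strategy that explains it, and measure what the ranking buys an attacker.
Added illustration for the abstract above. The counts are invented for the
example; they are NOT the Amitay data set.
"""
from collections import Counter
from math import log2

# Constructed sample (pin -> number of users). Not real data.
SAMPLE = {
    "1234": 900, "1111": 420, "0000": 300, "1212": 200, "7777": 150,
    "2580": 140, "1985": 90, "2001": 80, "5683": 60, "8520": 50,
    "4321": 45, "9876": 40, "6969": 35, "3141": 10, "7391": 3,
    "0593": 2, "8164": 1,
}

# Key coordinates (column, row). Phone layout: 1-2-3 on top, 0 under the 8.
PHONE_KEYPAD = {"1": (0, 0), "2": (1, 0), "3": (2, 0),
                "4": (0, 1), "5": (1, 1), "6": (2, 1),
                "7": (0, 2), "8": (1, 2), "9": (2, 2), "0": (1, 3)}
# Inverted calculator-style layout: 7-8-9 on top. Placing 0 bottom-left is an
# assumption of this example; real devices differ.
CALC_KEYPAD = {"7": (0, 0), "8": (1, 0), "9": (2, 0),
               "4": (0, 1), "5": (1, 1), "6": (2, 1),
               "1": (0, 2), "2": (1, 2), "3": (2, 2), "0": (0, 3)}


def _steps(pin, keypad):
    pts = [keypad[d] for d in pin]
    return [(b[0] - a[0], b[1] - a[1]) for a, b in zip(pts, pts[1:])]


def keypad_line(pin, keypad=PHONE_KEYPAD):
    """Every keystroke moves by the same non-zero vector: a straight line
    across the keypad (2580 down the middle column of a phone)."""
    steps = _steps(pin, keypad)
    return steps[0] != (0, 0) and all(s == steps[0] for s in steps)


def keypad_walk(pin, keypad=PHONE_KEYPAD):
    """Every keystroke lands on a key adjacent (incl. diagonally) to the last."""
    return all(max(abs(dx), abs(dy)) == 1 for dx, dy in _steps(pin, keypad))


def strategy(pin, keypad=PHONE_KEYPAD):
    """Name the first selection strategy that explains the code. The order is
    an assumption: simpler explanations are tried before keypad geometry."""
    d = [int(c) for c in pin]
    diffs = [b - a for a, b in zip(d, d[1:])]
    if len(set(pin)) == 1:
        return "repeated_digit"
    if all(x == 1 for x in diffs) or all(x == -1 for x in diffs):
        return "sequential"
    if pin[:2] == pin[2:]:
        return "repeated_pair"
    if 1900 <= int(pin) <= 2030:          # plausible birth/anniversary year
        return "year"
    if keypad_line(pin, keypad):
        return "keypad_line"
    if keypad_walk(pin, keypad):
        return "keypad_walk"
    return "other"


def rank(sample):
    """Most popular first; ties broken lexically so the order is stable."""
    return sorted(sample.items(), key=lambda kv: (-kv[1], kv[0]))


def success_after(sample, guesses):
    """Share of users compromised by trying the `guesses` most popular codes
    in ranked order (what a lockout threshold must be measured against)."""
    total = sum(sample.values())
    return sum(c for _, c in rank(sample)[:guesses]) / total


def min_entropy_bits(sample):
    """-log2 of the most likely code; uniformly chosen PINs give 13.29 bits."""
    return -log2(rank(sample)[0][1] / sum(sample.values()))


def strategy_share(sample, keypad=PHONE_KEYPAD):
    """Fraction of users explained by each strategy, most common first."""
    total = sum(sample.values())
    shares = Counter()
    for pin, count in sample.items():
        shares[strategy(pin, keypad)] += count
    return {s: c / total for s, c in shares.most_common()}


if __name__ == "__main__":
    for pin, count in rank(SAMPLE)[:5]:
        print(pin, count, strategy(pin))
    print("3 guesses compromise %.1f%% of users" % (100 * success_after(SAMPLE, 3)))
    print("min-entropy %.2f bits vs %.2f uniform" % (min_entropy_bits(SAMPLE), log2(10000)))
    print("2580 is a line on a phone keypad:", keypad_line("2580"),
          "on a calculator keypad:", keypad_line("2580", CALC_KEYPAD))
```

The layout parameter is the point of the second keypad: 2580 is a keypad-pattern code on a phone but an arbitrary-looking one on the inverted layout, so a ranking collected from one keypad only partially transfers to another, which is the caveat the abstract raises for ATM keypads and tokens. The `success_after` figure is the one to compare against a device's lockout threshold.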
The number of Android malware samples is currently growing, and manual processing of them one by one is becoming too time-consuming. We consider approaches to processing stocks of Android malware (APK packages, DEX files) and writing generic detections. We explain the DEX file structure, methods of finding malware-specific data, and methods of avoiding false positives and scan slowdowns. We explain methods of automatically finding similar files on the Android Market in order to compare clean and possibly malicious files. Finally, we explain a detection method based on the sequential evaluation of geometry, class names, strings and DEX p-code.
Imagine a world where security product testing is really, really useful.
When I snap your fingers, you will wake out of your trance, and we will consider how we could actually bring about this happy state of affairs. For a while, it looked as if AMTSO, the Anti-Malware Testing Standards Organization, might be the key (or at any rate one of the keys), and we will summarize the not inconsiderable difference that AMTSO has made to the testing landscape. However, it’s clear that the organization has no magic wand and a serious credibility problem, so it isn’t going to save the world (or the internet) all on its own. So where do we (the testing and anti-malware communities) go from here? Can we identify the other players in this arena and engage with them usefully and appropriately?
Virtual machines are important infrastructural tools for malware analysis. They provide a safe yet accurate way of evaluating the real-life behaviour and impact of any executable code, and thus a better understanding of obfuscated or non-conventional portions of code within a binary file. Many virtual machines such as VMware, QEMU and VirtualBox, and sandboxes built on them, are available and widely adopted by malware researchers and analysts. Moreover, many anti-virus scanners have their own emulators, which achieve comparable results by running malicious code within a controlled environment in order to decrypt obfuscated code.
Virus writers have always responded to these technologies. Most malware today uses anti-debugging techniques to counter analysis and evade anti-virus detection. Lately, malware such as Zbot/SpyEye and associated families such as Smoaler, Dromedan, Kazy, Yakes and W32.Pilleuz have deployed techniques to disrupt the use of virtual machines and emulators. These families are able to implement different variations of these disruption techniques within single samples or within related groups of malware before propagation. This paper will present a study of these anti-emulation and anti-virtual-machine techniques.
Spotting malicious samples in the wild has always been difficult, and Android malware is no exception. In fact, the fact that Android applications are (usually) not directly downloadable from marketplaces makes the task even harder. For instance, Google enforces its own communication protocol for browsing and downloading applications from its market, so an efficient market crawler must reverse-engineer and implement this protocol, issue appropriate search requests and take the necessary steps not to get banned.
From the end user's side, the difficulty of spotting malicious mobile applications means that most Android malware remains unnoticed for up to 3 months before a security researcher finally stumbles on it. To reduce this window of opportunity, this paper presents a heuristics engine that statically pre-processes and prioritizes samples. The engine uses 39 flags of differing nature, such as Java API calls, presence of embedded executables, code size and URLs. Each flag is assigned a weight based on statistics we computed from the techniques mobile malware authors most commonly use in their code. The engine outputs a risk score that highlights the samples most likely to be malicious.
The engine has been tested over a set of clean applications and a set of malicious ones. The results show a strong difference between the two sets in the average risk score and in its distribution, demonstrating its usefulness for spotting malware.
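An added example serving both the DEX-processing abstract above and this one; it is illustration code, not the tools of either paper. It builds a minimal, checksum-valid DEX file from constructed strings, parses the header back (verifying magic, Adler-32, SHA-1 and file_size first, so corrupt or truncated inputs are rejected before any expensive work), exposes the section-size "geometry" as a cheap pre-filter, and then sums weighted flags over the string table to produce a risk score. The six flags and their weights are assumptions of the example, not the 39 flags or the statistically derived weights of the paper; the two string tables stand in for a suspicious and a clean classes.dex.

```python
"""
Parse a DEX header and string table, verify its integrity fields, and rank the
file with weighted heuristic flags. Added illustration for the two abstracts
above (DEX structure / generic detections, and the flag-weighted risk score);
the DEX bytes are built from constructed strings, and the flags and weights
are assumptions for the example, not the paper's 39 flags or their weights.
"""
import hashlib, re, struct, zlib

MAGIC = b"dex\n035\x00"
HEADER_SIZE = 0x70
ENDIAN_TAG = 0x12345678
# The twenty u4 header fields that follow the 20-byte SHA-1 signature at 0x20.
HEADER_FIELDS = (
    "file_size", "header_size", "endian_tag", "link_size", "link_off", "map_off",
    "string_ids_size", "string_ids_off", "type_ids_size", "type_ids_off",
    "proto_ids_size", "proto_ids_off", "field_ids_size", "field_ids_off",
    "method_ids_size", "method_ids_off", "class_defs_size", "class_defs_off",
    "data_size", "data_off")
GEOMETRY_FIELDS = HEADER_FIELDS[6:18:2] + ("data_size",)   # the *_size columns

def _uleb128(n):
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)

def _read_uleb128(raw, off):
    value = shift = 0
    while True:
        b, off = raw[off], off + 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, off

def build_dex(strings):
    """Minimal DEX holding only a string table (no map, types, methods or
    classes). Constructed test input, not a real classes.dex."""
    ids_off = HEADER_SIZE
    data_off = ids_off + 4 * len(strings)
    data, offsets = bytearray(), []
    for s in strings:  # string_data_item: uleb128 utf16 length, MUTF-8, NUL
        offsets.append(data_off + len(data))
        data += _uleb128(len(s)) + s.encode("utf-8") + b"\x00"
    fields = struct.pack("<20I", data_off + len(data), HEADER_SIZE, ENDIAN_TAG,
                         0, 0, 0, len(strings), ids_off, 0, 0, 0, 0, 0, 0, 0, 0,
                         0, 0, len(data), data_off)
    body = fields + b"".join(struct.pack("<I", o) for o in offsets) + bytes(data)
    signature = hashlib.sha1(body).digest()                  # covers 0x20..end
    checksum = zlib.adler32(signature + body) & 0xFFFFFFFF   # covers 0x0C..end
    return MAGIC + struct.pack("<I", checksum) + signature + body

def parse_dex(raw):
    """Return (header, strings); raise ValueError when magic, Adler-32, SHA-1
    or file_size disagree, so corrupt or truncated files are rejected early."""
    if raw[:8] != MAGIC:
        raise ValueError("not a DEX 035 file")
    if zlib.adler32(raw[12:]) & 0xFFFFFFFF != struct.unpack_from("<I", raw, 8)[0]:
        raise ValueError("adler32 mismatch")
    if hashlib.sha1(raw[32:]).digest() != raw[12:32]:
        raise ValueError("sha1 mismatch")
    hdr = dict(zip(HEADER_FIELDS, struct.unpack_from("<20I", raw, 32)))
    if hdr["file_size"] != len(raw):
        raise ValueError("file_size mismatch")
    strings = []
    for i in range(hdr["string_ids_size"]):
        off = struct.unpack_from("<I", raw, hdr["string_ids_off"] + 4 * i)[0]
        _, off = _read_uleb128(raw, off)  # utf16 length; MUTF-8 never has raw NUL
        strings.append(raw[off:raw.index(b"\x00", off)].decode("utf-8"))
    return hdr, strings

def geometry(hdr):  # section sizes: cheap pre-filter shared by repacked variants
    return tuple(hdr[f] for f in GEOMETRY_FIELDS)

# (name, weight, predicate over raw bytes and the set of strings). Assumed values.
FLAGS = [
    ("sms_send", 3, lambda raw, s: "sendTextMessage" in s),
    ("sms_api", 1, lambda raw, s: "Landroid/telephony/SmsManager;" in s),
    ("device_id", 1, lambda raw, s: "getDeviceId" in s),
    ("shell_exec", 2, lambda raw, s: "exec" in s and "Ljava/lang/Runtime;" in s),
    ("raw_ip_url", 2, lambda raw, s: any(re.match(r"https?://\d+\.\d+\.\d+\.\d+", x) for x in s)),
    ("embedded_elf", 4, lambda raw, s: b"\x7fELF" in raw[HEADER_SIZE:]),
]

def risk_score(raw):
    """Sum of the weights of the flags that fire: higher means 'look at this first'."""
    _, strings = parse_dex(raw)
    hits = [(name, w) for name, w, test in FLAGS if test(raw, set(strings))]
    return sum(w for _, w in hits), [name for name, _ in hits]

# Constructed string tables standing in for two apps' classes.dex.
SUSPECT_STRINGS = ["Lcom/example/installer/Main;", "Ljava/lang/Runtime;", "exec",
                   "Landroid/telephony/SmsManager;", "sendTextMessage",
                   "getDeviceId", "http://198.51.100.7/gate.php"]
CLEAN_STRINGS = ["Lcom/example/notes/Main;", "Landroid/app/Activity;", "onCreate",
                 "https://example.com/sync"]
```

Checking the header's Adler-32 and SHA-1 before touching the string table is what keeps a scanner from slowing down on deliberately damaged files, and the geometry tuple is the cheap first comparison between a known sample and a candidate "similar" file before the costlier string and class-name comparison. The score here is additive and untuned; the paper's weights come from statistics over real malware, which this example does not have.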
Domain generation algorithms can be used for registering spamming and phishing sites, as well as by botnets for domain flux. In this paper we study Kwyjibo, a more sophisticated domain/word generation algorithm that is able to produce over 48 million distinct pronounceable words. We show through four different implementations how Kwyjibo might be deployed and how its size can be reduced to under 163KiB using a technique we call 'lossy distribution compression.' This means that Kwyjibo is both powerful as well as small enough to be used by malware on mobile devices.
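The following is an added example, not code from the paper and not Kwyjibo's algorithm or tables: a generic character-level Markov chain that emits pronounceable labels, seeded from a shared date string in the way domain-flux schemes synchronise bot and controller, together with a simple lossy compression of its transition table (keep only the four most likely successors of each letter and quantize their weights to 4 bits). "Lossy distribution compression" is implemented here in this example's own reading of the term; the training corpus, the pronounceability filter and the size accounting are all constructed for illustration, and the byte counts are not the paper's.

```python
"""
Pronounceable domain generation from a character-level Markov chain, plus a
lossy compression of its transition table. Added illustration in the spirit of
the abstract above; NOT Kwyjibo's algorithm, tables or figures.
"""
import hashlib
import random
from collections import Counter, defaultdict

VOWELS = set("aeiouy")

# Constructed training text: enough ordinary words for the chain to learn which
# letters follow which. A real generator would train on a full dictionary.
CORPUS = ("the quick brown fox jumps over the lazy dog while seven little tigers "
          "wander into market towns near river valleys and quietly gather golden "
          "apples under morning sunlight before winter comes banana camera canal "
          "label lemon melon panel paper radio salad tomato visa zero piano cabin "
          "novel solar polar motor tenor honor")


def train(text):
    """Bigram counts: model[prev][next] = times `next` followed `prev`.
    '^' marks the start of a word and '$' its end."""
    model = defaultdict(Counter)
    for word in text.split():
        padded = "^" + word + "$"
        for a, b in zip(padded, padded[1:]):
            model[a][b] += 1
    return model


def compress(model, keep=4, bits=4):
    """Lossy compression: keep only the `keep` most likely successors of each
    letter and quantize their weights to `bits` bits. Rare transitions vanish,
    so the distribution is distorted, but the table shrinks; bot and controller
    must both use the compressed table to agree on the same domains."""
    top = (1 << bits) - 1
    small = {}
    for prev, nxt in model.items():
        kept = nxt.most_common(keep)
        m = kept[0][1]
        small[prev] = Counter({c: max(1, round(top * n / m)) for c, n in kept})
    return small


def table_bytes(model, weight_bytes):
    """Serialized size if each entry is stored as (prev, next, weight)."""
    return sum(len(nxt) * (2 + weight_bytes) for nxt in model.values())


def pronounceable(word):
    """Crude filter: 4+ letters, at least one vowel, and no run of three
    consonants or three vowels."""
    if len(word) < 4 or not any(c in VOWELS for c in word):
        return False
    run, kind = 0, None
    for c in word:
        k = c in VOWELS
        run = run + 1 if k == kind else 1
        kind = k
        if run >= 3:
            return False
    return True


def _draw(model, rng, max_len=10):
    word, prev = "", "^"
    while len(word) < max_len:
        nxt = model[prev]
        c = rng.choices(list(nxt), weights=list(nxt.values()))[0]
        if c == "$":
            break
        word += c
        prev = c
    return word


def generate(model, seed, n, tld=".com", tries=1000):
    """Derive the RNG state from a shared seed (a date string, as domain-flux
    schemes do) so that bot and controller produce the same list. Candidates
    that fail the pronounceability filter are rejected and redrawn."""
    rng = random.Random(int(hashlib.sha256(seed.encode()).hexdigest(), 16))
    out = []
    for _ in range(tries):
        w = _draw(model, rng)
        if pronounceable(w):
            out.append(w + tld)
            if len(out) == n:
                return out
    raise RuntimeError("model too sparse to yield pronounceable words")


if __name__ == "__main__":
    full = train(CORPUS)
    small = compress(full)
    print("table: %d bytes -> %d bytes" % (table_bytes(full, 4), table_bytes(small, 1)))
    print(generate(small, "2011-09-01", 5))
```

The trade-off the abstract points at is visible in `compress`: pruning and quantization shrink the table that has to ship inside the malware, at the cost of a skewed output distribution, which is also what a defender can exploit, since a pruned chain produces a narrower and more predictable set of labels.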
There is great interest in the topic of resilient cyber systems. However, much of the accompanying research is clouded by a lack of an appropriate definition of the term “resilience” and the challenges of measuring the actual resilience of a system. In this paper, we examine some of the lessons learned in defining resilience metrics and argue that such metrics are highly contextual, and that a general, quantitative set of metrics for resilience of cyber systems is impractical. Instead, we provide a set of considerations and guidelines for building metrics that are helpful for a particular system.
Access, the Microsoft Office tool for database management, is currently used by SMEs for their internal organization because of its ease of use. As a result, many companies store confidential data in these databases while believing that the level of security guaranteed by Microsoft for Access will preserve their integrity. This paper aims to show that using the Access software to manage a database may represent a major security risk, up to and including takeover by a remote adversary. Most companies subcontract the management and creation of their database systems. This paper deals with macro viruses, which have been present for many years and which, in our case, show the possibility of inserting major security vulnerabilities into Access and the difficulty of detecting or avoiding them...
Although information technology and software have advanced rapidly over, for example, the last 15 years, most code is still written by human programmers. Humans easily make mistakes, and programmers' mistakes lead to vulnerabilities. Secure coding practices can eliminate most vulnerabilities, but even released software contains bugs. Static analysis tools have been developed to go through the source code automatically and report possible threats to the programmer or code reviewer.
In this paper we performed a comparison of four existing freeware C/C++ source code analyzers: Cppcheck, RATS, Flawfinder and Jlint (AntiC). For the analysis we used the open source software KeePassX. The program was intentionally modified to include threats and vulnerabilities, so we could easily follow which vulnerabilities were found by each analyzer.
Before running the static code analyzers, we assumed that none of the chosen analyzers could find all the vulnerabilities in the source code. Our experimental results confirm this hypothesis: all the analyzers reported false positives, and none of them recognized all the vulnerabilities. Cppcheck, unlike the others, was able to find most of the added threats.
The method of abstraction can be taken one step further and be used as a mechanism of detection, a way to evaluate prevalent data or a way to obtain a subset of a large set without losing data variability.
Logical extraction of functional components from compiled programs is a new paradigm for functional component extraction that differs from the traditional physical approach. Using this new paradigm, the extracted functional components may be reused in situ; that is, without first being separated from their original programs. Such in situ reuse is accomplished by usurping control of the program from which the functional component was logically extracted. Once control over the program's execution is attained, it may be driven to execute the code of the functional component contained therein. Several categories of logically extracted functional components have been identified, and the manner in which they may be reused varies. An implementation that allows for the programmatic in situ reuse of logically extracted functional components has been constructed, thereby providing proof of concept.
In a world where computer infections crawl from every corner of the web, reliable technological assets must be developed to fight an ever-increasing swarm of malicious software. With reliability and automation as our primary goals, we developed a framework environment based on real hardware. Within this environment one can automate most quality assurance and malware analysis tasks that require the accurate behaviour of malware samples, which cannot otherwise be obtained from operating systems running in virtual machines.
One of the hard constraints we had in building this system was the speed of reverting from the infected operating system to the clean snapshot, or even to a brand new operating system altogether. To overcome this, we chose to boot the test machines over the network from a repository server that manages the hard-drive allocation. The logic for snapshotting, cloning and destroying hard disk images was built on top of the ZFS file system running as a FreeBSD kernel module. Using this design, we managed to have a negligible delay between shutting down one operating system and booting from a brand new hard drive. Another important requirement was to have an unattended, scalable and secure system. We discuss some of the interesting challenges we confronted in achieving these tasks, such as scripting-language-controlled Power Distribution Units, video monitoring of client machines over the network, and private networking between each drone and its managing server.
We present here, step by step, our progress in developing this framework, including the choice of existing technologies, the changes needed and usage scenarios, which range from modifying network interface card firmware and redesigning the AoE transmission protocol and drivers for every supported client operating system to designing a web application for user interaction.
Despite the hype around the benefits of 'cloud computing', challenges in maintaining data security and data privacy have been recognised as significant vulnerabilities (Pearson, 2009; Ristenpart, Tromer, Shacham, & Savage, 2009; Vouk, 2008). These vulnerabilities raise numerous questions about the capacity of organisations relying on cloud solutions to manage risk effectively. This is particularly the case as the threats faced move increasingly from indiscriminate malware to targeted cyber-attack tools. It has already been recognised that the 'cloud' poses numerous challenges for forensic computing specialists, including discoverability and chain of evidence (Reilly, Wren, & Berry, 2011; Ruan, Carthy, Kechadi, & Crosbie, 2011). However, to date there has been little consideration of how differences between indiscriminate malware and targeted cyber-attack tools further problematize the capacity of organisations to manage risk. This paper considers how the continuum from malware through to cyber-attack tools poses a range of technical, legal and moral dilemmas that organisations need to face before relying on cloud solutions.