Abstract image of a woman sitting on books and studying on a laptop

Large Scale Studies: Malware Needles in a Haystack

Marcus Botacin, profile picture
Marcus Botacin

This document presents a large-scale study of malware analysis, comparing coarse-grained and fine-grained methodologies to unveil various malicious behaviors and characteristics. It details the dataset used, the processing architecture, and the results of both analysis types, highlighting distinct behaviors, signatures, and techniques employed by malware. The conclusion emphasizes the importance of combining both analytical approaches for a comprehensive understanding of malware threats.

Science
1 of 40
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Large Scale Studies: Malware Needles in a Haystack Giovanni Bert˜ao1,3, Marcus Botacin2, Andr´e Gr´egio2, Paulo L´ıcio de Geus1 1University of Campinas (UNICAMP) {bertao, paulo}@lasca.ic.unicamp.br 2Federal University of Parana (UFPR) {mfbotacin, gregio}@inf.ufpr.br 3Bolsista PIBIC-CNPq Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Topics 1 Introduction 2 Motivation & Related Work 3 Methodology 4 Analysis Results 5 Discussion 6 Final Remarks Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Analysis Type: Coarse-grained and Fine-grained Topics 1 Introduction Analysis Type: Coarse-grained and Fine-grained 2 Motivation & Related Work Motivation Related Work 3 Methodology Dataset Processing the Data Architecture 4 Analysis Results Coarse-Grained Fine-Grained 5 Discussion Coarse-Grained Fine-Grained 6 Final Remarks Conclusion Acknowledgments Questions Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Analysis Type: Coarse-grained and Fine-grained Malware Analysis Approaches Coarse-Grained Highlight major aspects. Discard sample details. Fine-Grained Focus on implementation details. Don’t state the risk of such sample in the overall scenario. Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Motivation Topics 1 Introduction Analysis Type: Coarse-grained and Fine-grained 2 Motivation & Related Work Motivation Related Work 3 Methodology Dataset Processing the Data Architecture 4 Analysis Results Coarse-Grained Fine-Grained 5 Discussion Coarse-Grained Fine-Grained 6 Final Remarks Conclusion Acknowledgments Questions Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Motivation Malware Studies Figure: Coarse-Grained BBC: https://www.bbc.com/news/technology-39730407 Figure: Fine-Grained Trend Micro: https://bit.ly/2PaSPDC Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Related Work Topics 1 Introduction Analysis Type: Coarse-grained and Fine-grained 2 Motivation & Related Work Motivation Related Work 3 Methodology Dataset Processing the Data Architecture 4 Analysis Results Coarse-Grained Fine-Grained 5 Discussion Coarse-Grained Fine-Grained 6 Final Remarks Conclusion Acknowledgments Questions Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Related Work Related Work Bayer (Windows) A view on current malware behaviors. Lindorfer (Android) Andrubis – 1,000,000 apps later: A view on current android malware behaviors. Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Dataset Topics 1 Introduction Analysis Type: Coarse-grained and Fine-grained 2 Motivation & Related Work Motivation Related Work 3 Methodology Dataset Processing the Data Architecture 4 Analysis Results Coarse-Grained Fine-Grained 5 Discussion Coarse-Grained Fine-Grained 6 Final Remarks Conclusion Acknowledgments Questions Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Dataset Building the Dataset Dataset Composition Malware repositories and blacklists crawled daily. 135,000 unique malware samples collected from Malshare database. Only Windows samples. Samples submitted to static, dynamic and network analysis procedures. Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Processing the Data Topics 1 Introduction Analysis Type: Coarse-grained and Fine-grained 2 Motivation & Related Work Motivation Related Work 3 Methodology Dataset Processing the Data Architecture 4 Analysis Results Coarse-Grained Fine-Grained 5 Discussion Coarse-Grained Fine-Grained 6 Final Remarks Conclusion Acknowledgments Questions Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Processing the Data Analysis Method Static Analysis Presence of packers. Anti-analysis techniques. Anti-virus detection. Dynamic and Network Analysis Logs from BehEMOT, an internal sandbox solution. Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Architecture Topics 1 Introduction Analysis Type: Coarse-grained and Fine-grained 2 Motivation & Related Work Motivation Related Work 3 Methodology Dataset Processing the Data Architecture 4 Analysis Results Coarse-Grained Fine-Grained 5 Discussion Coarse-Grained Fine-Grained 6 Final Remarks Conclusion Acknowledgments Questions Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Architecture Large Scale Support Figure: Parallel Processing Architecture. Samples are independently analyzed and their results are stored on a centralized database. Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Architecture Time Elapsed 0M 10M 20M 30M 40M 50M 60M 0 2 4 6 8 10 12 14 16 18 20 22 24 26 28 30 32 34 36 Tuples Hours Tuples x Time Figure: Parallel Processing Time. The complete analysis took 36 hours. Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Coarse-Grained Topics 1 Introduction Analysis Type: Coarse-grained and Fine-grained 2 Motivation & Related Work Motivation Related Work 3 Methodology Dataset Processing the Data Architecture 4 Analysis Results Coarse-Grained Fine-Grained 5 Discussion Coarse-Grained Fine-Grained 6 Final Remarks Conclusion Acknowledgments Questions Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Coarse-Grained Malicious Behavior (Static Analysis) 0% 20% 40% 60% 80% 100% Percentage(%) Malicious Behaviors Identified Malicious Behaviors Termination Timing Performance Process Window Fingerprinting Modularization Removal AntiDebug Figure: Identified Malicious Behaviors. We identified multiple, distinct malicious behaviors during samples executions, such as AV analysis evasion using Timing delays, measuring Performance overhead due to monitoring and the Termination of security solutions to avoid detection. Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Coarse-Grained Prevalent Signatures Table: Most Prevalent Signatures. Compilers are more prevalent than packers. Signature Type Occurrence (%) Microsoft Compiler 37.95% Nullsoft PIMP Installer 25.51% Borland Delphi Compiler 15.06% UPX Packer 4.23% MSLHR Packer 2.25% PEcompact Packer 1.66% Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Coarse-Grained Malicious Behavior (Dynamic Analysis) Table: Dynamic Analysis. Identified Malicious Behaviors. Subsystem Operation Samples (%) Target Samples (%) File Subsystem Create Files 91.56 Internet Explorer 10.14% Read Files 89.18% .DLL 86.80% Internet Explorer 7.01% .SYS 1.26% Write Files 81.74% .EXE 46.20% .DLL 31.62% Internet Explorer <0.01% Host 0.00% Delete Files 62.45% Internet Explorer 0.00% Process Subsystem Create Process 22.84% Delete Process 23.38% Registry Subsystem Set Registry Values 74.73% Proxy 68.36% Autorun 5.66 % Delete Registry Values 55.43% Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Coarse-Grained Anti-Analysis Techniques 0% 10% 20% 30% 40% 50% 60% 70% 80% Percentage(%) Techniques Identified Anti-Analysis Techniques getlasterror unhandledexceptionfilter raiseexception terminateprocess isdebuggerpresent isprocessorfeaturepresent findwindowexa vmcheck.dll bochs & qemu cpuid vmware virtual box Figure: Identified Anti-Analysis Techniques. Samples employ anti-analysis techniques to avoid being inspected during sandbox execution. We identified techniques aimed to detect the presence of debuggers and virtual-machines. Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Coarse-Grained Network Analysis — Protocols Distribution 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Samples(%) Protocols Protocol distribution by samples HTTP/Non−TCP HTTP/TCP UDP/Non−DNS UDP/DNS Figure: Protocol usage distribution by sample. HTTP over TCP and DNS over UDP are the prevalent communication channels. Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Coarse-Grained Network Analysis — Domains Contacted Table: Most Contacted Domains. We observe the presence of cloud providers among the most accessed domains. Domain Accesses (%) Cloudfront 4.39% Amazonaws 3.32% Kirov 3.20% Kerch 3.11% Comcast 1.75% Akamaitechnologies 1.48% Sbcglobal 1.10% Broadband 1.08% Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Coarse-Grained Network Analysis — TLDs 0% 5% 10% 15% 20% 25% 30% 35% Access(%) Top Level Domains Contacteds TLDS net com ru de sc jp eu br fr biz Figure: Most Accessed TLDs distribution. Generic domains are prevalent and country-specific domains are well distributed, thus showing that malware creators are ready to exploit vulnerabilities in multiple countries. Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Coarse-Grained Network Analysis — DNS Resolvers 0.01% 0.1% 1% 10% 100% Access(%) DNS hosts DNS queries distribution google opendns d0wn emerion as43289 root−servers polyram−group jp 114dns cryptostorm Figure: DNS Resolvers Distribution. Default sandbox DNS (google) was the most used one. Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Fine-Grained Topics 1 Introduction Analysis Type: Coarse-grained and Fine-grained 2 Motivation & Related Work Motivation Related Work 3 Methodology Dataset Processing the Data Architecture 4 Analysis Results Coarse-Grained Fine-Grained 5 Discussion Coarse-Grained Fine-Grained 6 Final Remarks Conclusion Acknowledgments Questions Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Fine-Grained Keys Modification Table: Modified AutoRun Keys. Whereas coarse-grained analysis identified that ≈ 5.66% of samples write in an Autorun key, the fine-grained analysis specified their location. Key Samples(%) HKCUIDSoftwareMicrosoftWindowsCurrentVersionRun 46.33% HKCU.DEFAULTSOFTWAREMicrosoftWindowsCurrentVersionRun < 0.01% Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Fine-Grained Contacted IPs Table: Contacted IPs by Sample. Coarse-grained analysis showed that, in average, each sample contacts 2 distinct IP addresses. Fine-grained analysis revelead that ransomware samples which spread through scanning contact many more IPs. MD5 Hash Number of Distinct IPs Label c1abb496deb7bd51a4ad2f8a43113b13 16386 Ransomware.Cerber bc88096e7cc09f02f11deec35f84d5cd 16385 Ransomware.AWA a801cdef09a61d3ba7969015a8bffec0 1 Ransomware.VirLock Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Fine-Grained HTTP requests Table: Prevalent HTTP Requests. Coarse-grained analysis shows that HTTP payloads dominate TCP traffic. Fine-grained analysis shows that this is due to Downloader samples. MD5 Hash Total of Distinct HTTP Request Label ede13f40a96a8b6e5de1029200c0b15e 394 Downloader e5f4116d08c343623d5ee3af5553cbee 353 Downloader 47a328b0b903bb68147facc3a084172c 310 Downloader 28c4e2a48d9ddfffa01a943ca1ba1262 304 Downloader Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Fine-Grained DNS Resolvers Table: DNS queries resolvers distribution. Coarse-grained analysis shows that DNS queries dominate UDP traffic. Fine-grained analysis reveals that this is due to Bot samples. Query Contacted(%) Description bmp.pilenga.co.uk. 12.29% Hijacked Subdomain - Andromeda Botnet tgr.tecnoagenzia.eu. 5.96% Hijacked Subdomain - Andromeda Botnet tds.repack.it. 2.48% Andromeda Botnet rxxl.tecnoagenzia.eu. 2.06% Andromeda Botnet and31.blllaaaaaazblaaa1.com. 0.92% Andromeda Botnet Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Coarse-Grained Topics 1 Introduction Analysis Type: Coarse-grained and Fine-grained 2 Motivation & Related Work Motivation Related Work 3 Methodology Dataset Processing the Data Architecture 4 Analysis Results Coarse-Grained Fine-Grained 5 Discussion Coarse-Grained Fine-Grained 6 Final Remarks Conclusion Acknowledgments Questions Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Coarse-Grained Drawing Panoramas Dataset Characterization Mainly executables. Few libraries. Rely on system native libraries. Few external libraries. GUI usage. Strong presence of system interactions (file and registry creation/deletion). Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Coarse-Grained Panorama Comparison Brazilian Panorama Mix of binaries and DLL. Rely on system native libraries. Mostly as background activity. Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Fine-Grained Topics 1 Introduction Analysis Type: Coarse-grained and Fine-grained 2 Motivation & Related Work Motivation Related Work 3 Methodology Dataset Processing the Data Architecture 4 Analysis Results Coarse-Grained Fine-Grained 5 Discussion Coarse-Grained Fine-Grained 6 Final Remarks Conclusion Acknowledgments Questions Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Fine-Grained Identifying project decisions Coarse-Grained In average, each sample contacts 2 different IP address. Fine-Grained c1abb496deb7bd51a4ad2f8a43113b13 contacts 16386 IPs. a801cdef09a61d3ba7969015a8bffec0 contacts only 1 IP. Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Conclusion Topics 1 Introduction Analysis Type: Coarse-grained and Fine-grained 2 Motivation & Related Work Motivation Related Work 3 Methodology Dataset Processing the Data Architecture 4 Analysis Results Coarse-Grained Fine-Grained 5 Discussion Coarse-Grained Fine-Grained 6 Final Remarks Conclusion Acknowledgments Questions Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Conclusion Conclusion A coarse-grained analysis procedure is the only approach able to draw threat panoramas. A fine-grained analysis procedure is the only approach which enables individual samples characterization. Fine-grained and coarse-grained analysis approaches must be combined for increased threat understanding. Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Acknowledgments Topics 1 Introduction Analysis Type: Coarse-grained and Fine-grained 2 Motivation & Related Work Motivation Related Work 3 Methodology Dataset Processing the Data Architecture 4 Analysis Results Coarse-Grained Fine-Grained 5 Discussion Coarse-Grained Fine-Grained 6 Final Remarks Conclusion Acknowledgments Questions Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Acknowledgments Acknowledgments CNPq Institute of Computing/Unicamp Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Questions Topics 1 Introduction Analysis Type: Coarse-grained and Fine-grained 2 Motivation & Related Work Motivation Related Work 3 Methodology Dataset Processing the Data Architecture 4 Analysis Results Coarse-Grained Fine-Grained 5 Discussion Coarse-Grained Fine-Grained 6 Final Remarks Conclusion Acknowledgments Questions Large Scale Studies: Malware Needles in a Haystack SBSeg’18
Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Questions Questions? bertao@lasca.ic.unicamp.br Large Scale Studies: Malware Needles in a Haystack SBSeg’18

More Related Content

PPTX
Databases, Web Services and Tools For Systems Immunology
Yannick Pouliot
 
PDF
Software Analytics: Towards Software Mining that Matters
Tao Xie
 
PDF
Software Analytics: Data Analytics for Software Engineering
Tao Xie
 
PDF
Software Analytics: Data Analytics for Software Engineering and Security
Tao Xie
 
PPTX
Findability through Traceability - A Realistic Application of Candidate Tr...
Markus Borg
 
PDF
Presentation1.pdf
ZixunZhou
 
PPTX
Towards Automated AI-guided Drug Discovery Labs
Ola Spjuth
 
PPTX
Automating the process of continuously prioritising data, updating and deploy...
Ola Spjuth
 
Databases, Web Services and Tools For Systems Immunology
Yannick Pouliot
 
Software Analytics: Towards Software Mining that Matters
Tao Xie
 
Software Analytics: Data Analytics for Software Engineering
Tao Xie
 
Software Analytics: Data Analytics for Software Engineering and Security
Tao Xie
 
Findability through Traceability - A Realistic Application of Candidate Tr...
Markus Borg
 
Presentation1.pdf
ZixunZhou
 
Towards Automated AI-guided Drug Discovery Labs
Ola Spjuth
 
Automating the process of continuously prioritising data, updating and deploy...
Ola Spjuth
 

What's hot (20)

PPTX
Dice.com Bay Area Search - Beyond Learning to Rank Talk
Simon Hughes
 
PDF
Developing A Big Data Search Engine - Where we have gone. Where we are going:...
Lucidworks
 
PDF
Towards Effective Bug Triage with Software Data Reduction Techniques
1crore projects
 
PPTX
HyQue: Evaluating scientific Hypotheses using semantic web technologies
Michel Dumontier
 
PDF
Software bug prediction
Muthukumaran Kasinathan
 
PDF
Evidence Briefings: Towards a Medium to Transfer Knowledge from Systematic Re...
UFPA
 
PPTX
Big(ger) Data in Software Engineering
Mehdi Mirakhorli
 
PDF
Software Mining and Software Datasets
Tao Xie
 
PDF
Stack Overflow slides Data Analytics
Rahul Thankachan
 
PPTX
HotSoS16 Tutorial "Text Analytics for Security" by Tao Xie and William Enck
Tao Xie
 
PPTX
Evolving the Optimal Relevancy Ranking Model at Dice.com
Simon Hughes
 
PDF
Sharing is Caring: Understanding and Measuring Threat Intelligence Sharing Ef...
Alex Pinto
 
PDF
ICSME2014
swy351
 
PDF
Biting into the Jawbreaker: Pushing the Boundaries of Threat Hunting Automation
Alex Pinto
 
PDF
Beyond Matching: Applying Data Science Techniques to IOC-based Detection
Alex Pinto
 
PDF
Analyzing Stack Overflow - Problem
Amrith Krishna
 
PDF
Runtime Behavior of JavaScript Programs
IRJET Journal
 
PDF
Quality Control of Sequencing Data
Surya Saha
 
PDF
Measuring the IQ of your Threat Intelligence Feeds (#tiqtest)
Alex Pinto
 
PDF
Applying Machine Learning to Network Security Monitoring - BayThreat 2013
Alex Pinto
 
Dice.com Bay Area Search - Beyond Learning to Rank Talk
Simon Hughes
 
Developing A Big Data Search Engine - Where we have gone. Where we are going:...
Lucidworks
 
Towards Effective Bug Triage with Software Data Reduction Techniques
1crore projects
 
HyQue: Evaluating scientific Hypotheses using semantic web technologies
Michel Dumontier
 
Software bug prediction
Muthukumaran Kasinathan
 
Evidence Briefings: Towards a Medium to Transfer Knowledge from Systematic Re...
UFPA
 
Big(ger) Data in Software Engineering
Mehdi Mirakhorli
 
Software Mining and Software Datasets
Tao Xie
 
Stack Overflow slides Data Analytics
Rahul Thankachan
 
HotSoS16 Tutorial "Text Analytics for Security" by Tao Xie and William Enck
Tao Xie
 
Evolving the Optimal Relevancy Ranking Model at Dice.com
Simon Hughes
 
Sharing is Caring: Understanding and Measuring Threat Intelligence Sharing Ef...
Alex Pinto
 
ICSME2014
swy351
 
Biting into the Jawbreaker: Pushing the Boundaries of Threat Hunting Automation
Alex Pinto
 
Beyond Matching: Applying Data Science Techniques to IOC-based Detection
Alex Pinto
 
Analyzing Stack Overflow - Problem
Amrith Krishna
 
Runtime Behavior of JavaScript Programs
IRJET Journal
 
Quality Control of Sequencing Data
Surya Saha
 
Measuring the IQ of your Threat Intelligence Feeds (#tiqtest)
Alex Pinto
 
Applying Machine Learning to Network Security Monitoring - BayThreat 2013
Alex Pinto
 
Ad

Similar to Large Scale Studies: Malware Needles in a Haystack (20)

PDF
Analysis random org nist2005
eliecerherrera
 
PDF
What do malware analysts want from academia? A survey on the state-of-the-pra...
Marcus Botacin
 
PDF
Supporting image-based meta-analysis with NIDM: Standardized reporting of neu...
Camille Maumet
 
PDF
Malicious Linux binaries: A Landscape
Marcus Botacin
 
PPTX
INT254_Zero Lecture Machine Learning 1st book
AyushSingh695401
 
PDF
Sybrandt Thesis Proposal Presentation
Justin Sybrandt, Ph.D.
 
DOC
IEEE 2014 DOTNET CLOUD COMPUTING PROJECTS A scientometric analysis of cloud c...
IEEEMEMTECHSTUDENTPROJECTS
 
PPTX
Awareness Support in Global Software Development: A Systematic Review Based o...
Marco Aurelio Gerosa
 
PPTX
Computing Just What You Need: Online Data Analysis and Reduction at Extreme ...
Ian Foster
 
PPTX
Art into Science 2017 - Investigation Theory: A Cognitive Approach
chrissanders88
 
PDF
Publish or Perish: Questioning the Impact of Our Research on the Software Dev...
Margaret-Anne Storey
 
PDF
A Survey And Taxonomy Of Distributed Data Mining Research Studies A Systemat...
Sandra Long
 
PDF
2011 EASE - Motivation in Software Engineering: A Systematic Review Update
HASE – Human Aspects in Software Engineering
 
PDF
Transition From Mechanical Engineering to Data Science | Tutort Academy
Tutort Academy
 
PDF
حلقة تكنولوجية 11 بحث علمى بعنوان A Systematic Mapping Study for Big Data Str...
Adel Sabour
 
PPTX
Automatic Classification of Springer Nature Proceedings with Smart Topic Miner
Francesco Osborne
 
PDF
Software Engineering Research: Leading a Double-Agent Life.
Lionel Briand
 
PPTX
Threshold for Size and Complexity Metrics: A Case Study from the Perspective ...
SAIL_QU
 
PDF
0912f50eedb48e44d7000000
Rakesh Sharma
 
PDF
From data lakes to actionable data (adventures in data curation)
Novartis Institutes for BioMedical Research
 
Analysis random org nist2005
eliecerherrera
 
What do malware analysts want from academia? A survey on the state-of-the-pra...
Marcus Botacin
 
Supporting image-based meta-analysis with NIDM: Standardized reporting of neu...
Camille Maumet
 
Malicious Linux binaries: A Landscape
Marcus Botacin
 
INT254_Zero Lecture Machine Learning 1st book
AyushSingh695401
 
Sybrandt Thesis Proposal Presentation
Justin Sybrandt, Ph.D.
 
IEEE 2014 DOTNET CLOUD COMPUTING PROJECTS A scientometric analysis of cloud c...
IEEEMEMTECHSTUDENTPROJECTS
 
Awareness Support in Global Software Development: A Systematic Review Based o...
Marco Aurelio Gerosa
 
Computing Just What You Need: Online Data Analysis and Reduction at Extreme ...
Ian Foster
 
Art into Science 2017 - Investigation Theory: A Cognitive Approach
chrissanders88
 
Publish or Perish: Questioning the Impact of Our Research on the Software Dev...
Margaret-Anne Storey
 
A Survey And Taxonomy Of Distributed Data Mining Research Studies A Systemat...
Sandra Long
 
2011 EASE - Motivation in Software Engineering: A Systematic Review Update
HASE – Human Aspects in Software Engineering
 
Transition From Mechanical Engineering to Data Science | Tutort Academy
Tutort Academy
 
حلقة تكنولوجية 11 بحث علمى بعنوان A Systematic Mapping Study for Big Data Str...
Adel Sabour
 
Automatic Classification of Springer Nature Proceedings with Smart Topic Miner
Francesco Osborne
 
Software Engineering Research: Leading a Double-Agent Life.
Lionel Briand
 
Threshold for Size and Complexity Metrics: A Case Study from the Perspective ...
SAIL_QU
 
0912f50eedb48e44d7000000
Rakesh Sharma
 
From data lakes to actionable data (adventures in data curation)
Novartis Institutes for BioMedical Research
 
Ad

More from Marcus Botacin (20)

PDF
Cross-Regional Malware Detection via Model Distilling and Federated Learning
Marcus Botacin
 
PDF
GPThreats: Fully-automated AI-generated malware and its security risks
Marcus Botacin
 
PDF
[Texas A&M University] Research @ Botacin's Lab
Marcus Botacin
 
PDF
Pilares da Segurança e Chaves criptográficas
Marcus Botacin
 
PDF
Machine Learning by Examples - Marcus Botacin - TAMU 2024
Marcus Botacin
 
PDF
Near-memory & In-Memory Detection of Fileless Malware
Marcus Botacin
 
PDF
GPThreats-3: Is Automated Malware Generation a Threat?
Marcus Botacin
 
PDF
[HackInTheBOx] All You Always Wanted to Know About Antiviruses
Marcus Botacin
 
PDF
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
Marcus Botacin
 
PDF
Hardware-accelerated security monitoring
Marcus Botacin
 
PDF
How do we detect malware? A step-by-step guide
Marcus Botacin
 
PDF
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022
Marcus Botacin
 
PDF
Extraindo Caracterı́sticas de Arquivos Binários Executáveis
Marcus Botacin
 
PDF
On the Malware Detection Problem: Challenges & Novel Approaches
Marcus Botacin
 
PDF
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
Marcus Botacin
 
PDF
Near-memory & In-Memory Detection of Fileless Malware
Marcus Botacin
 
PDF
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
Marcus Botacin
 
PDF
Integridade, confidencialidade, disponibilidade, ransomware
Marcus Botacin
 
PDF
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...
Marcus Botacin
 
PDF
On the Security of Application Installers & Online Software Repositories
Marcus Botacin
 
Cross-Regional Malware Detection via Model Distilling and Federated Learning
Marcus Botacin
 
GPThreats: Fully-automated AI-generated malware and its security risks
Marcus Botacin
 
[Texas A&M University] Research @ Botacin's Lab
Marcus Botacin
 
Pilares da Segurança e Chaves criptográficas
Marcus Botacin
 
Machine Learning by Examples - Marcus Botacin - TAMU 2024
Marcus Botacin
 
Near-memory & In-Memory Detection of Fileless Malware
Marcus Botacin
 
GPThreats-3: Is Automated Malware Generation a Threat?
Marcus Botacin
 
[HackInTheBOx] All You Always Wanted to Know About Antiviruses
Marcus Botacin
 
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
Marcus Botacin
 
Hardware-accelerated security monitoring
Marcus Botacin
 
How do we detect malware? A step-by-step guide
Marcus Botacin
 
Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022
Marcus Botacin
 
Extraindo Caracterı́sticas de Arquivos Binários Executáveis
Marcus Botacin
 
On the Malware Detection Problem: Challenges & Novel Approaches
Marcus Botacin
 
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
Marcus Botacin
 
Near-memory & In-Memory Detection of Fileless Malware
Marcus Botacin
 
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
Marcus Botacin
 
Integridade, confidencialidade, disponibilidade, ransomware
Marcus Botacin
 
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...
Marcus Botacin
 
On the Security of Application Installers & Online Software Repositories
Marcus Botacin
 

Recently uploaded (20)

PDF
Warm, water-depleted rocky exoplanets with surfaceionic liquids: A proposed c...
Sérgio Sacani
 
PDF
GROUP 2 ORIGINAL PPT. pdf Hhfiwhwifhww0ojuwoadwsfjofjwsofjw
jjsaplad10
 
PPTX
Probability.pptx pearl lecture first year
ayeshanadeem0508
 
PPTX
Microbes in human welfare class 12 .pptx
chinmayikalokhe
 
PPTX
gene cloning powerpoint for general biology 2
G17RodriguezJanelleA
 
PPT
Presentation of a Romanian Institutee 2.
TeodoraRusu3
 
PPTX
Hypertension_Training_materials_English_2024[1] (1).pptx
johnsalaoudine
 
PPT
THE CELL THEORY AND ITS FUNDAMENTALS AND USE
nctpcctv
 
PDF
Assessment of environmental effects of quarrying in Kitengela subcountyof Kaj...
mohamedmahmoudSebbab1
 
PPTX
Substance Disorders- part different drugs change body
NizaAnne
 
PDF
Science Form five needed shit SCIENEce so
ArielLucifer1
 
PDF
Communicating Health Policies to Diverse Populations (www.kiu.ac.ug)
publication11
 
PPTX
endocrine - management of adrenal incidentaloma.pptx
csushrut2511
 
PPTX
POULTRY PRODUCTION AND MANAGEMENTNNN.pptx
RomnickTanilon
 
PDF
Social preventive and pharmacy. Pdf
HarshithaK71
 
PDF
BET Eukaryotic signal Transduction BET Eukaryotic signal Transduction.pdf
enreddy1
 
PPTX
INTRODUCTION TO PAEDIATRICS AND PAEDIATRIC HISTORY TAKING-1.pptx
godfreymandela88
 
PDF
Unit 5 Preparations, Reactions, Properties and Isomersim of Organic Compounds...
fliwertyfw154
 
PPTX
Presentation1 INTRODUCTION TO ENZYMES.pptx
JIBY2
 
PDF
Is Earendel a Star Cluster?: Metal-poor Globular Cluster Progenitors at z ∼ 6
Sérgio Sacani
 
Warm, water-depleted rocky exoplanets with surfaceionic liquids: A proposed c...
Sérgio Sacani
 
GROUP 2 ORIGINAL PPT. pdf Hhfiwhwifhww0ojuwoadwsfjofjwsofjw
jjsaplad10
 
Probability.pptx pearl lecture first year
ayeshanadeem0508
 
Microbes in human welfare class 12 .pptx
chinmayikalokhe
 
gene cloning powerpoint for general biology 2
G17RodriguezJanelleA
 
Presentation of a Romanian Institutee 2.
TeodoraRusu3
 
Hypertension_Training_materials_English_2024[1] (1).pptx
johnsalaoudine
 
THE CELL THEORY AND ITS FUNDAMENTALS AND USE
nctpcctv
 
Assessment of environmental effects of quarrying in Kitengela subcountyof Kaj...
mohamedmahmoudSebbab1
 
Substance Disorders- part different drugs change body
NizaAnne
 
Science Form five needed shit SCIENEce so
ArielLucifer1
 
Communicating Health Policies to Diverse Populations (www.kiu.ac.ug)
publication11
 
endocrine - management of adrenal incidentaloma.pptx
csushrut2511
 
POULTRY PRODUCTION AND MANAGEMENTNNN.pptx
RomnickTanilon
 
Social preventive and pharmacy. Pdf
HarshithaK71
 
BET Eukaryotic signal Transduction BET Eukaryotic signal Transduction.pdf
enreddy1
 
INTRODUCTION TO PAEDIATRICS AND PAEDIATRIC HISTORY TAKING-1.pptx
godfreymandela88
 
Unit 5 Preparations, Reactions, Properties and Isomersim of Organic Compounds...
fliwertyfw154
 
Presentation1 INTRODUCTION TO ENZYMES.pptx
JIBY2
 
Is Earendel a Star Cluster?: Metal-poor Globular Cluster Progenitors at z ∼ 6
Sérgio Sacani
 

Large Scale Studies: Malware Needles in a Haystack

  • 1. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Large Scale Studies: Malware Needles in a Haystack Giovanni Bert˜ao1,3, Marcus Botacin2, Andr´e Gr´egio2, Paulo L´ıcio de Geus1 1University of Campinas (UNICAMP) {bertao, paulo}@lasca.ic.unicamp.br 2Federal University of Parana (UFPR) {mfbotacin, gregio}@inf.ufpr.br 3Bolsista PIBIC-CNPq Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 2. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Topics 1 Introduction 2 Motivation & Related Work 3 Methodology 4 Analysis Results 5 Discussion 6 Final Remarks Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 3. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Analysis Type: Coarse-grained and Fine-grained Topics 1 Introduction Analysis Type: Coarse-grained and Fine-grained 2 Motivation & Related Work Motivation Related Work 3 Methodology Dataset Processing the Data Architecture 4 Analysis Results Coarse-Grained Fine-Grained 5 Discussion Coarse-Grained Fine-Grained 6 Final Remarks Conclusion Acknowledgments Questions Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 4. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Analysis Type: Coarse-grained and Fine-grained Malware Analysis Approaches Coarse-Grained Highlight major aspects. Discard sample details. Fine-Grained Focus on implementation details. Don’t state the risk of such sample in the overall scenario. Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 5. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Motivation Topics 1 Introduction Analysis Type: Coarse-grained and Fine-grained 2 Motivation & Related Work Motivation Related Work 3 Methodology Dataset Processing the Data Architecture 4 Analysis Results Coarse-Grained Fine-Grained 5 Discussion Coarse-Grained Fine-Grained 6 Final Remarks Conclusion Acknowledgments Questions Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 6. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Motivation Malware Studies Figure: Coarse-Grained BBC: https://www.bbc.com/news/technology-39730407 Figure: Fine-Grained Trend Micro: https://bit.ly/2PaSPDC Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 7. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Related Work Topics 1 Introduction Analysis Type: Coarse-grained and Fine-grained 2 Motivation & Related Work Motivation Related Work 3 Methodology Dataset Processing the Data Architecture 4 Analysis Results Coarse-Grained Fine-Grained 5 Discussion Coarse-Grained Fine-Grained 6 Final Remarks Conclusion Acknowledgments Questions Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 8. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Related Work Related Work Bayer (Windows) A view on current malware behaviors. Lindorfer (Android) Andrubis – 1,000,000 apps later: A view on current android malware behaviors. Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 9. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Dataset Topics 1 Introduction Analysis Type: Coarse-grained and Fine-grained 2 Motivation & Related Work Motivation Related Work 3 Methodology Dataset Processing the Data Architecture 4 Analysis Results Coarse-Grained Fine-Grained 5 Discussion Coarse-Grained Fine-Grained 6 Final Remarks Conclusion Acknowledgments Questions Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 10. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Dataset Building the Dataset Dataset Composition Malware repositories and blacklists crawled daily. 135,000 unique malware samples collected from Malshare database. Only Windows samples. Samples submitted to static, dynamic and network analysis procedures. Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 11. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Processing the Data Topics 1 Introduction Analysis Type: Coarse-grained and Fine-grained 2 Motivation & Related Work Motivation Related Work 3 Methodology Dataset Processing the Data Architecture 4 Analysis Results Coarse-Grained Fine-Grained 5 Discussion Coarse-Grained Fine-Grained 6 Final Remarks Conclusion Acknowledgments Questions Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 12. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Processing the Data Analysis Method Static Analysis Presence of packers. Anti-analysis techniques. Anti-virus detection. Dynamic and Network Analysis Logs from BehEMOT, an internal sandbox solution. Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 13. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Architecture Topics 1 Introduction Analysis Type: Coarse-grained and Fine-grained 2 Motivation & Related Work Motivation Related Work 3 Methodology Dataset Processing the Data Architecture 4 Analysis Results Coarse-Grained Fine-Grained 5 Discussion Coarse-Grained Fine-Grained 6 Final Remarks Conclusion Acknowledgments Questions Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 14. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Architecture Large Scale Support Figure: Parallel Processing Architecture. Samples are independently analyzed and their results are stored on a centralized database. Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 15. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Architecture Time Elapsed 0M 10M 20M 30M 40M 50M 60M 0 2 4 6 8 10 12 14 16 18 20 22 24 26 28 30 32 34 36 Tuples Hours Tuples x Time Figure: Parallel Processing Time. The complete analysis took 36 hours. Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 16. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Coarse-Grained Topics 1 Introduction Analysis Type: Coarse-grained and Fine-grained 2 Motivation & Related Work Motivation Related Work 3 Methodology Dataset Processing the Data Architecture 4 Analysis Results Coarse-Grained Fine-Grained 5 Discussion Coarse-Grained Fine-Grained 6 Final Remarks Conclusion Acknowledgments Questions Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 17. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Coarse-Grained Malicious Behavior (Static Analysis) 0% 20% 40% 60% 80% 100% Percentage(%) Malicious Behaviors Identified Malicious Behaviors Termination Timing Performance Process Window Fingerprinting Modularization Removal AntiDebug Figure: Identified Malicious Behaviors. We identified multiple, distinct malicious behaviors during samples executions, such as AV analysis evasion using Timing delays, measuring Performance overhead due to monitoring and the Termination of security solutions to avoid detection. Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 18. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Coarse-Grained Prevalent Signatures Table: Most Prevalent Signatures. Compilers are more prevalent than packers. Signature Type Occurrence (%) Microsoft Compiler 37.95% Nullsoft PIMP Installer 25.51% Borland Delphi Compiler 15.06% UPX Packer 4.23% MSLHR Packer 2.25% PEcompact Packer 1.66% Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 19. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Coarse-Grained Malicious Behavior (Dynamic Analysis) Table: Dynamic Analysis. Identified Malicious Behaviors. Subsystem Operation Samples (%) Target Samples (%) File Subsystem Create Files 91.56 Internet Explorer 10.14% Read Files 89.18% .DLL 86.80% Internet Explorer 7.01% .SYS 1.26% Write Files 81.74% .EXE 46.20% .DLL 31.62% Internet Explorer <0.01% Host 0.00% Delete Files 62.45% Internet Explorer 0.00% Process Subsystem Create Process 22.84% Delete Process 23.38% Registry Subsystem Set Registry Values 74.73% Proxy 68.36% Autorun 5.66 % Delete Registry Values 55.43% Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 20. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Coarse-Grained Anti-Analysis Techniques 0% 10% 20% 30% 40% 50% 60% 70% 80% Percentage(%) Techniques Identified Anti-Analysis Techniques getlasterror unhandledexceptionfilter raiseexception terminateprocess isdebuggerpresent isprocessorfeaturepresent findwindowexa vmcheck.dll bochs & qemu cpuid vmware virtual box Figure: Identified Anti-Analysis Techniques. Samples employ anti-analysis techniques to avoid being inspected during sandbox execution. We identified techniques aimed to detect the presence of debuggers and virtual-machines. Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 21. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Coarse-Grained Network Analysis — Protocols Distribution 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% Samples(%) Protocols Protocol distribution by samples HTTP/Non−TCP HTTP/TCP UDP/Non−DNS UDP/DNS Figure: Protocol usage distribution by sample. HTTP over TCP and DNS over UDP are the prevalent communication channels. Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 22. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Coarse-Grained Network Analysis — Domains Contacted Table: Most Contacted Domains. We observe the presence of cloud providers among the most accessed domains. Domain Accesses (%) Cloudfront 4.39% Amazonaws 3.32% Kirov 3.20% Kerch 3.11% Comcast 1.75% Akamaitechnologies 1.48% Sbcglobal 1.10% Broadband 1.08% Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 23. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Coarse-Grained Network Analysis — TLDs 0% 5% 10% 15% 20% 25% 30% 35% Access(%) Top Level Domains Contacteds TLDS net com ru de sc jp eu br fr biz Figure: Most Accessed TLDs distribution. Generic domains are prevalent and country-specific domains are well distributed, thus showing that malware creators are ready to exploit vulnerabilities in multiple countries. Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 24. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Coarse-Grained Network Analysis — DNS Resolvers 0.01% 0.1% 1% 10% 100% Access(%) DNS hosts DNS queries distribution google opendns d0wn emerion as43289 root−servers polyram−group jp 114dns cryptostorm Figure: DNS Resolvers Distribution. Default sandbox DNS (google) was the most used one. Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 25. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Fine-Grained Topics 1 Introduction Analysis Type: Coarse-grained and Fine-grained 2 Motivation & Related Work Motivation Related Work 3 Methodology Dataset Processing the Data Architecture 4 Analysis Results Coarse-Grained Fine-Grained 5 Discussion Coarse-Grained Fine-Grained 6 Final Remarks Conclusion Acknowledgments Questions Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 26. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Fine-Grained Keys Modification Table: Modified AutoRun Keys. Whereas coarse-grained analysis identified that ≈ 5.66% of samples write in an Autorun key, the fine-grained analysis specified their location. Key Samples(%) HKCUIDSoftwareMicrosoftWindowsCurrentVersionRun 46.33% HKCU.DEFAULTSOFTWAREMicrosoftWindowsCurrentVersionRun < 0.01% Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 27. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Fine-Grained Contacted IPs Table: Contacted IPs by Sample. Coarse-grained analysis showed that, in average, each sample contacts 2 distinct IP addresses. Fine-grained analysis revelead that ransomware samples which spread through scanning contact many more IPs. MD5 Hash Number of Distinct IPs Label c1abb496deb7bd51a4ad2f8a43113b13 16386 Ransomware.Cerber bc88096e7cc09f02f11deec35f84d5cd 16385 Ransomware.AWA a801cdef09a61d3ba7969015a8bffec0 1 Ransomware.VirLock Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 28. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Fine-Grained HTTP requests Table: Prevalent HTTP Requests. Coarse-grained analysis shows that HTTP payloads dominate TCP traffic. Fine-grained analysis shows that this is due to Downloader samples. MD5 Hash Total of Distinct HTTP Request Label ede13f40a96a8b6e5de1029200c0b15e 394 Downloader e5f4116d08c343623d5ee3af5553cbee 353 Downloader 47a328b0b903bb68147facc3a084172c 310 Downloader 28c4e2a48d9ddfffa01a943ca1ba1262 304 Downloader Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 29. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Fine-Grained DNS Resolvers Table: DNS queries resolvers distribution. Coarse-grained analysis shows that DNS queries dominate UDP traffic. Fine-grained analysis reveals that this is due to Bot samples. Query Contacted(%) Description bmp.pilenga.co.uk. 12.29% Hijacked Subdomain - Andromeda Botnet tgr.tecnoagenzia.eu. 5.96% Hijacked Subdomain - Andromeda Botnet tds.repack.it. 2.48% Andromeda Botnet rxxl.tecnoagenzia.eu. 2.06% Andromeda Botnet and31.blllaaaaaazblaaa1.com. 0.92% Andromeda Botnet Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 30. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Coarse-Grained Topics 1 Introduction Analysis Type: Coarse-grained and Fine-grained 2 Motivation & Related Work Motivation Related Work 3 Methodology Dataset Processing the Data Architecture 4 Analysis Results Coarse-Grained Fine-Grained 5 Discussion Coarse-Grained Fine-Grained 6 Final Remarks Conclusion Acknowledgments Questions Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 31. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Coarse-Grained Drawing Panoramas Dataset Characterization Mainly executables. Few libraries. Rely on system native libraries. Few external libraries. GUI usage. Strong presence of system interactions (file and registry creation/deletion). Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 32. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Coarse-Grained Panorama Comparison Brazilian Panorama Mix of binaries and DLL. Rely on system native libraries. Mostly as background activity. Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 33. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Fine-Grained Topics 1 Introduction Analysis Type: Coarse-grained and Fine-grained 2 Motivation & Related Work Motivation Related Work 3 Methodology Dataset Processing the Data Architecture 4 Analysis Results Coarse-Grained Fine-Grained 5 Discussion Coarse-Grained Fine-Grained 6 Final Remarks Conclusion Acknowledgments Questions Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 34. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Fine-Grained Identifying project decisions Coarse-Grained In average, each sample contacts 2 different IP address. Fine-Grained c1abb496deb7bd51a4ad2f8a43113b13 contacts 16386 IPs. a801cdef09a61d3ba7969015a8bffec0 contacts only 1 IP. Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 35. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Conclusion Topics 1 Introduction Analysis Type: Coarse-grained and Fine-grained 2 Motivation & Related Work Motivation Related Work 3 Methodology Dataset Processing the Data Architecture 4 Analysis Results Coarse-Grained Fine-Grained 5 Discussion Coarse-Grained Fine-Grained 6 Final Remarks Conclusion Acknowledgments Questions Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 36. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Conclusion Conclusion A coarse-grained analysis procedure is the only approach able to draw threat panoramas. A fine-grained analysis procedure is the only approach which enables individual samples characterization. Fine-grained and coarse-grained analysis approaches must be combined for increased threat understanding. Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 37. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Acknowledgments Topics 1 Introduction Analysis Type: Coarse-grained and Fine-grained 2 Motivation & Related Work Motivation Related Work 3 Methodology Dataset Processing the Data Architecture 4 Analysis Results Coarse-Grained Fine-Grained 5 Discussion Coarse-Grained Fine-Grained 6 Final Remarks Conclusion Acknowledgments Questions Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 38. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Acknowledgments Acknowledgments CNPq Institute of Computing/Unicamp Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 39. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Questions Topics 1 Introduction Analysis Type: Coarse-grained and Fine-grained 2 Motivation & Related Work Motivation Related Work 3 Methodology Dataset Processing the Data Architecture 4 Analysis Results Coarse-Grained Fine-Grained 5 Discussion Coarse-Grained Fine-Grained 6 Final Remarks Conclusion Acknowledgments Questions Large Scale Studies: Malware Needles in a Haystack SBSeg’18
  • 40. Introduction Motivation & Related Work Methodology Analysis Results Discussion Final Remarks Questions Questions? bertao@lasca.ic.unicamp.br Large Scale Studies: Malware Needles in a Haystack SBSeg’18