Malware Repository Overview
Wenke Lee, David Dagon
Georgia Institute of Technology

Overview
- How malware is collected and shared now
- Malfease's service-oriented repository
  – Support for malware analysis (e.g., signature generation) and evaluation of intrusion/anomaly detection/prevention systems, etc.
  – Automated unpacking

Current Practices
- Numerous private, semi-public malware collections
  – Need "trust" to join
  – "Too much sharing" often seen as a competitive disadvantage
- Analysis not shared
- Incomplete collections: reflect sensor bias
  – Darknet-based collection
  – IRC surveillance
  – Honeypot-based collection

Shortcomings
- Malware authors know and exploit weaknesses in data collection
- Illuminating sensors
  – "Mapping Internet Sensors with Probe Response Attacks", Bethencourt et al., USENIX Security 2005
- Automated victim updates
  – E.g., via botnets

Solution: Service-Oriented Repository
- Malfease uses a hub-and-spoke model
  – Hub is the central collection of malware
  – Spokes are analysis partners
- Hub:
  – Malware, indexing, search
  – Static analysis: header extraction, icons, libraries
  – Metainfo: longitudinal AV scan results
- Spoke:
  – E.g., dynamic analysis, unpacking, signatures, etc.

Malware Repo Requirements
- Malware repos should not:
  – Help illuminate sensors
  – Serve as a malware distribution site
- Malware repos should:
  – Help automate analysis of the malware flood
  – Coordinate different analysts (RE gurus, Snort rule writers, etc.)

Approaches
- Repository allows upload of samples
  – Downloads restricted to classes of users
- Repository provides binaries and analysis
  – Automated unpacking
  – Win32 PE header analysis
  – Longitudinal detection data: what did the AV tool know, and when did it know it?
  – Malware similarity analysis, family tree
  – Etc.

Overview

Repository User Classes
- Unknown users
  – Scripts, random users, even bots
- Humans
  – CAPTCHA-verified
- Authenticated users
  – Known trusted contributors

Repository Access Control
- Unknown users
  – Upload; view aggregate statistics
- Humans
  – Upload; download analysis of their own samples
- Authenticated users
  – Upload; download all; access analysis
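The two slides above (user classes and access control), together with the requirement that the repository must not become a malware distribution site, describe a small default-deny policy matrix. The following is an added example of how such a policy can be written down and enforced; it is not Malfease's code, and the class names, the Sample record and the audit log are assumptions made here. The one rule that is not a pure class check, a CAPTCHA-verified human may read analysis only for samples they uploaded, is the kind of ownership condition that is easy to get wrong if the policy is left in prose.

```python
"""Access-control policy for a malware repository with the three user classes
from the slides (unknown, CAPTCHA-verified human, authenticated contributor).
Added illustration, not Malfease's code; class names, the Sample record and
the audit log are assumptions."""
from dataclasses import dataclass
from enum import Enum


class UserClass(Enum):
    UNKNOWN = "unknown"                # scripts, random users, even bots
    HUMAN = "human"                    # passed a CAPTCHA, no known identity
    AUTHENTICATED = "authenticated"    # known trusted contributor


@dataclass(frozen=True)
class User:
    uid: str
    cls: UserClass


@dataclass(frozen=True)
class Sample:
    sha256: str
    submitted_by: str                  # uid of the uploader


# Action -> classes permitted to perform it. "download_binary" is the action
# that would turn the repository into a distribution site, so it is reserved
# for authenticated users; everyone may upload and view aggregate statistics.
POLICY = {
    "upload":            {UserClass.UNKNOWN, UserClass.HUMAN, UserClass.AUTHENTICATED},
    "view_stats":        {UserClass.UNKNOWN, UserClass.HUMAN, UserClass.AUTHENTICATED},
    "download_analysis": {UserClass.HUMAN, UserClass.AUTHENTICATED},
    "download_binary":   {UserClass.AUTHENTICATED},
}

AUDIT_LOG = []   # (uid, action, sha256 or None, allowed) tuples


def decide(user, action, sample=None):
    """Return (allowed, reason) for user performing action on sample and
    record the decision. Actions not in POLICY are denied (default deny)."""
    permitted = POLICY.get(action)
    if permitted is None:
        allowed, reason = False, "unknown action"
    elif user.cls not in permitted:
        allowed, reason = False, "class %s may not %s" % (user.cls.value, action)
    elif action == "download_analysis" and user.cls is UserClass.HUMAN:
        # CAPTCHA-verified humans only see analysis of samples they uploaded.
        owns = sample is not None and sample.submitted_by == user.uid
        allowed, reason = owns, ("own sample" if owns else "not the uploader")
    else:
        allowed, reason = True, "permitted by class"
    AUDIT_LOG.append((user.uid, action, sample.sha256 if sample else None, allowed))
    return allowed, reason


def is_allowed(user, action, sample=None):
    return decide(user, action, sample)[0]


# Constructed users and a constructed sample record for demonstration.
BOT = User("anon-1", UserClass.UNKNOWN)
ALICE = User("alice", UserClass.HUMAN)
BOB = User("bob", UserClass.HUMAN)
CAROL = User("carol", UserClass.AUTHENTICATED)
SAMPLE = Sample("sha256-placeholder", submitted_by="alice")

if __name__ == "__main__":
    for u in (BOT, ALICE, BOB, CAROL):
        for act in POLICY:
            print(u.uid, act, decide(u, act, SAMPLE))
```

Every decision, including denials, lands in the audit log, which is what lets the hub notice a script hammering the download action with CAPTCHA-only privileges.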

Basic User View

Analysis Page for Sample

Static Analysis Example

Note search ability

Dynamic Analysis: unpacked binary available for download, along with an asm version

Malware: Why Pack?
- Reduced malware size
- Obfuscation transformation
  – Opaque binaries prevent pattern analysis
  – Invalid PE32 headers complicate RE
- Increases response time
  – Unpacking often requires specialized skill sets
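The "Win32 PE header analysis" item on the Approaches slide and the packing discussion above are the static side of the hub: on upload, the repository can validate the header, walk the section table and score a few packing indicators before any spoke does dynamic unpacking. The block below is an added example of that static pass written for this page; it is not PolyUnpack (whose heuristic is dynamic, comparing executed code against the static disassembly) and not Malfease code. The indicator rules (packer-style section names, near-uniform byte entropy, an executable section with no file data, an entry point outside .text) and the two minimal PE images constructed inline are assumptions made here.

```python
"""Static PE header checks a repository hub could run on upload: header
validity, section table, per-section entropy and packing indicators.
Added example, not PolyUnpack or Malfease code; the indicator rules and
the two constructed sample images are assumptions."""
import math
import struct
from collections import Counter

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_SCN_MEM_EXECUTE = 0x20000000
# Section names written by some well-known packers (illustrative, not exhaustive).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite"}


def shannon_entropy(data):
    """Bits per byte; 8.0 is uniform, which is how compressed/encrypted data looks."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(blob):
    """Parse e_lfanew, PE signature, COFF header, optional-header magic, entry
    point and section table. Raises ValueError on an invalid header."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if e_lfanew + 24 > len(blob) or blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad e_lfanew or missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    if opt_size < 24 or opt + opt_size > len(blob):
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry_rva = struct.unpack_from("<I", blob, opt + 16)[0]   # AddressOfEntryPoint
    sections, off = [], opt + opt_size
    for _ in range(nsect):
        if off + 40 > len(blob):
            raise ValueError("section table truncated")
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", blob, off)
        chars = struct.unpack_from("<I", blob, off + 36)[0]   # Characteristics
        if rawptr + rawsize > len(blob):
            raise ValueError("section %r points outside the file" % name)
        raw = blob[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "raw": raw,
                         "entropy": shannon_entropy(raw),
                         "exec": bool(chars & IMAGE_SCN_MEM_EXECUTE)})
        off += 40
    return {"machine": machine, "magic": magic, "entry_rva": entry_rva, "sections": sections}


def packing_indicators(pe):
    """Static hints that the image is packed (heuristic, not proof)."""
    hints, entry_section = [], None
    for s in pe["sections"]:
        if s["vaddr"] <= pe["entry_rva"] < s["vaddr"] + max(s["vsize"], len(s["raw"])):
            entry_section = s["name"]
        if s["name"] in PACKER_SECTION_NAMES:
            hints.append("packer section name %s" % s["name"])
        if s["raw"] and s["entropy"] > 7.0:
            hints.append("high entropy %.2f in %s" % (s["entropy"], s["name"]))
        if s["exec"] and not s["raw"] and s["vsize"]:
            hints.append("executable section %s has no file data (room for unpacked code)" % s["name"])
    if entry_section != ".text":
        hints.append("entry point in %s rather than .text" % entry_section)
    return hints


def build_pe(sections, entry_rva):
    """Constructed minimal PE32 image, used only as sample input for this example."""
    opt_size = 224
    raw_off = (0x40 + 24 + opt_size + 40 * len(sections) + 0x1FF) & ~0x1FF  # 512-align
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)
    table, body = b"", b""
    for name, vaddr, vsize, data, chars in sections:
        table += struct.pack("<8sIIII", name, vsize, vaddr, len(data), raw_off + len(body))
        table += struct.pack("<IIHHI", 0, 0, 0, 0, chars)
        body += data
    head = dos + b"PE\0\0" + coff + bytes(opt) + table
    return head + b"\0" * (raw_off - len(head)) + body


# Constructed samples: a plain layout and a UPX-style packed layout.
CLEAN_PE = build_pe([(b".text", 0x1000, 0x200, b"\x55\x8b\xec" + b"\x90" * 200 + b"\xc3", 0x60000020),
                     (b".data", 0x2000, 0x100, b"hello world\0" * 8, 0xC0000040)], 0x1000)
PACKED_PE = build_pe([(b"UPX0", 0x1000, 0x20000, b"", 0xE0000080),
                      (b"UPX1", 0x21000, 0x400, bytes(range(256)) * 4, 0xE0000040)], 0x21000)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_PE), ("packed", PACKED_PE)):
        print(label, packing_indicators(parse_pe(img)))
```

A header that fails `parse_pe` is itself a finding to record against the sample (the slide's "invalid PE32 headers complicate RE"), and a non-empty indicator list is the cue to route the sample to an unpacking spoke rather than a reason to reject it.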

PolyUnpack: Work Flow

Unpacking Heuristic

Unpacking Example

Results: Improved AV detection
- AV scan of 6K very old samples: 5.2K samples claimed VX, 0.8K claimed "OK"
- Unpacking and AV rescan of the 0.8K claimed "OK": 42 are now claimed VX
- 10-40% improved AV detection on "old" stuff

Plan for Cyber-TA
- Evaluation of various signature generation schemes
  – Development of new schemes
- Development of a signature ensemble scheme: automatically combine the attributes of signatures from different generation schemes
- Evaluation of intrusion/anomaly detection systems
  – E.g., automatically generating mimicry/blending attacks based on malware

Conclusion
- Service-oriented repository
  – Support research in malware analysis and intrusion/anomaly detection/prevention
- See malfease.oarci.net for details
- Credits
  – David Dagon
  – Paul Vixie
  – Paul Royal
  – Mitch Halpin