Presentation is loading. Please wait.

Presentation is loading. Please wait.

Malware Repository Overview Wenke Lee David Dagon Georgia Institute of Technology.

Published byFrank Grant Modified over 9 years ago

Similar presentations

Presentation on theme: "Malware Repository Overview Wenke Lee David Dagon Georgia Institute of Technology."— Presentation transcript:

1 Malware Repository Overview Wenke Lee David Dagon Georgia Institute of Technology

2 Overview How malware is collected and shared now Malfease’s service-oriented repository –Support for malware analysis, e.g., signature generation, and evaluation of intrusion/anomaly detection/prevention systems, etc. –Automated unpacking

3 Current Practices Numerous private, semi-public malware collections –Need “trust” to join –“Too much sharing” often seen as competitive disadvantage Analysis not shared Incomplete collections: reflect sensor bias –Darknet-based collection –IRC surveillance –Honeypot-based collection

4 Shortcomings Malware authors know and exploit weaknesses in data collection Illuminating sensors –“Mapping Internet Sensors with Probe Response Attacks”, Bethencourt, et al., Usenix 2005 Automated victims updates –E.g., via botnets

5 Solution: Service-Oriented Repository Malfease uses hub-and-spoke model –Hub is central collection of malware –Spokes are analysis partners Hub: –Malware, indexing, search –Static analysis: header extraction, icons, libraries –Metainfo: longitudinal AV scan results Spoke: –E.g., dynamic analysis, unpacking, signatures, etc.

6 Malware Repo Requirements Malware repos should not: –Help illuminate sensors –Serve as a malware distribution site Malware repo should: –Help automate analysis of malware flood –Coordinate different analysts (RE gurus, Snort rule writers, etc.)

7 Approaches Repository allows upload of samples –Downloads restricted to classes of users Repository provides binaries and analysis –Automated unpacking –Win32 PE Header analysis –Longitudinal detection data What did the AV tool know, and when did it know it? –Malware similarity analysis, family tree –Etc.

8 Overview

9 Repository User Classes Unknown users –Scripts, random users, even bots Humans –CAPTCHA-verified Authenticated Users –Known trusted contributors

10 Repository Access Control Unknown users –Upload; view aggregate statistics Humans –Upload; download analysis of their samples Authenticated Users –Upload; download all; access analysis

11 Basic User View

12 Analysis Page for Sample

13 Static Analysis Example

14 Note search ability

15 Dynamic Analysis Unpacked binary Available for Download, Along with asm version

16 Malware: Why Pack? Reduced malware size Obfuscation transformation –Opaque binaries prevent pattern analysis –Invalid PE32 headers complicate RE Increases response time –Unpacking often requires specialized skill sets

17 Polyunpack: Work Flow

18 Unpacking Heuristic

19 Unpacking Example

20 Results Improved AV detection AV Scan 6K very old Samples 0.8K Claimed “OK” Unpacking 5.2K Samples Claimed VX AV ReScan 42 are now claimed VX 10-40% improved AV detection on “old” stuff

21 Plan for Cyber-TA Evaluation of various signature generation schemes –Development of new schemes Development of signature ensemble scheme - automatically combine the attributes of signatures from different generation schemes Evaluation of intrusion/anomaly detection systems –E.g., automatically generating mimicry/blending attacks based on malware

22 Conclusion Service-oriented repository –Support research in malware analysis and intrusion/anomaly detection/prevention See malfease.oarci.net for details Credits –David Dagon –Paul Vixie –Paul Royal –Mitch Halpin

Download ppt "Malware Repository Overview Wenke Lee David Dagon Georgia Institute of Technology."

Similar presentations

How to Set Up a System for Teaching Files, Conferences, and Clinical Trials Medical Imaging Resource Center.

How to Set Up a System for Teaching Files, Conferences, and Clinical Trials Medical Imaging Resource Center.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
The DRIVER Infrastructure (Digital Repository Infrastructure Vision for European Research) Paolo Manghi ISTI - National Research Council, Italy.

The DRIVER Infrastructure (Digital Repository Infrastructure Vision for European Research) Paolo Manghi ISTI - National Research Council, Italy.
Reuel A. Morales (Sr. Security Analyst, APAC-RTL) 04.29.2008 APAC RTL Clean Tool v5.0 Solution.

Reuel A. Morales (Sr. Security Analyst, APAC-RTL) APAC RTL Clean Tool v5.0 Solution.
A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.

A Survey of Botnet Size Measurement PRESENTED: KAI-HSIANG YANG ( 楊凱翔 ) DATE: 2013/11/04 1/24.
BOTHUNTER : DETECTING MALWARE INFECTION THROUGH IDS-DRIVEN DIALOG CORRELATION AUTHORS: Guofei Gu, Phillip Porras, Vinod Yegneswaran, Martin Fong, Wenke.

BOTHUNTER : DETECTING MALWARE INFECTION THROUGH IDS-DRIVEN DIALOG CORRELATION AUTHORS: Guofei Gu, Phillip Porras, Vinod Yegneswaran, Martin Fong, Wenke.
An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)

An Introduction of Botnet Detection – Part 2 Guofei Gu, Wenke Lee (Georiga Tech)
Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
Fast and Precise In-Browser JavaScript Malware Detection

Fast and Precise In-Browser JavaScript Malware Detection
Welcome to SpyEye Front-end interface called “CN 1” or “Main Access Panel.”

Welcome to SpyEye Front-end interface called “CN 1” or “Main Access Panel.”
Malware Repository Update David Dagon Georgia Institute of Technology

Malware Repository Update David Dagon Georgia Institute of Technology
Privacy in Social Networks CSCE 201. Reading Dwyer, Hiltz, Passerini, Trust and privacy concern within social networking sites: A comparison of Facebook.

Privacy in Social Networks CSCE 201. Reading Dwyer, Hiltz, Passerini, Trust and privacy concern within social networking sites: A comparison of Facebook.
A S URVEY OF TRUST MANAGEMENT AND ITS APPLICATIONS S UPERVISED BY : D R. Y AN W ANG Ravendra Singh Student-id: 41446461 1.

A S URVEY OF TRUST MANAGEMENT AND ITS APPLICATIONS S UPERVISED BY : D R. Y AN W ANG Ravendra Singh Student-id:
BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.

BotMiner Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology.
Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.

Wide-scale Botnet Detection and Characterization Anestis Karasaridis, Brian Rexroad, David Hoeflin.
1 Understanding Botnet Phenomenon MITP 458 - Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev.

1 Understanding Botnet Phenomenon MITP Kevin Lynch, Will Fiedler, Navin Johri, Sam Annor, Alex Roussev.
LittleOrange Internet Security an Endpoint Security Appliance.

LittleOrange Internet Security an Endpoint Security Appliance.
Learning Table Extraction from Examples Ashwin Tengli, Yiming Yang and Nian Li Ma School of Computer Science Carnegie Mellon University Coling 04.

Learning Table Extraction from Examples Ashwin Tengli, Yiming Yang and Nian Li Ma School of Computer Science Carnegie Mellon University Coling 04.
BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.

BOTNETS & TARGETED MALWARE Fernando Uribe. INTRODUCTION  Fernando Uribe   IT trainer and Consultant for over 15 years specializing.

Similar presentations

Ads by Google