Keep SECRET

@article{10.1145/3429741,
title = {One Size Does Not Fit All: A Longitudinal Analysis of Brazilian Financial Malware},
author = {Marcus Botacin and Hojjat Aghakhani and Stefano Ortolani and Christopher Kruegel and Giovanni Vigna and Daniela Oliveira and Paulo Lício De Geus and André Grégio},
url = {https://doi.org/10.1145/3429741
https://secret.inf.ufpr.br/papers/marcus_tops_br.pdf},
doi = {10.1145/3429741},
issn = {2471-2566},
year = {2021},
date = {2021-01-01},
journal = {ACM Trans. Priv. Secur.},
volume = {24},
number = {2},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
abstract = {Malware analysis is an essential task to understand infection campaigns, the behavior of malicious codes, and possible ways to mitigate threats. Malware analysis also allows better assessment of attackers’ capabilities, techniques, and processes. Although a substantial amount of previous work provided a comprehensive analysis of the international malware ecosystem, research on regionalized, country-, and population-specific malware campaigns have been scarce. Moving towards addressing this gap, we conducted a longitudinal (2012-2020) and comprehensive (encompassing an entire population of online banking users) study of MS Windows desktop malware that actually infected Brazilian banks’ users. We found that the Brazilian financial desktop malware has been evolving quickly: it started to make use of a variety of file formats instead of typical PE binaries, relied on native system resources, and abused obfuscation techniques to bypass detection mechanisms. Our study on the threats targeting a significant population on the ecosystem of the largest and most populous country in Latin America can provide invaluable insights that may be applied to other countries’ user populations, especially those in the developing world that might face cultural peculiarities similar to Brazil’s. With this evaluation, we expect to motivate the security community/industry to seriously consider a deeper level of customization during the development of next-generation anti-malware solutions, as well as to raise awareness towards regionalized and targeted Internet threats.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}

@article{BOTACIN2020101859,
title = {We Need to Talk About AntiViruses: Challenges & Pitfalls of AV Evaluations},
author = {Marcus Botacin and Fabricio Ceschin and Paulo de Geus and André Grégio},
url = {http://www.sciencedirect.com/science/article/pii/S0167404820301310
https://secret.inf.ufpr.br/papers/marcus_av.pdf},
doi = {https://doi.org/10.1016/j.cose.2020.101859},
issn = {0167-4048},
year = {2020},
date = {2020-04-29},
journal = {Computers & Security},
pages = {101859},
abstract = {Security evaluation is an essential task to identify the level of protection accomplished in running systems or to aid in choosing better solutions for each specific scenario. Although antiviruses (AVs) are one of the main defensive solutions for most end-users and corporations, AV’s evaluations are conducted by few organizations and often limited to compare detection rates. Moreover, other important factors of AVs’ operating mode (e.g., response time and detection regression) are usually underestimated. Ignoring such factors create an “understanding gap” on the effectiveness of AVs in actual scenarios, which we aim to bridge by presenting a broader characterization of current AVs’ modes of operation. In our characterization, we consider distinct file types, operating systems, datasets, and time frames. To do so, we daily collected samples from two distinct, representative malware sources and submitted them to the VirusTotal (VT) service for 30 consecutive days. In total, we considered 28,875 unique malware samples. For each day, we retrieved the submitted samples’ detection rates and assigned labels, resulting in more than 1M distinct VT submissions overall. Our experimental results show that: (i) phishing contexts are a challenge for all AVs, turning malicious Web pages detectors less effective than malicious files detectors; (ii) generic procedures are insufficient to ensure broad detection coverage, incurring in lower detection rates for particular datasets (e.g., country-specific) than for those with world-wide collected samples; (iii) detection rates are unstable since all AVs presented detection regression effects after scans in different time frames using the same dataset and (iv) AVs’ long response times in delivering new signatures/heuristics create a significant attack opportunity window within the first 30 days after we first identified a malicious binary. To address the effects of our findings, we propose six new metrics to evaluate the multiple aspects that impact the effectiveness of AVs. With them, we hope to assess corporate (and domestic) users to better evaluate the solutions that fit their needs more adequately.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}

@article{Botacin2020,
title = {Leveraging branch traces to understand kernel internals from within},
author = {Marcus Botacin and Paulo Lício de Geus and André Grégio},
url = {https://doi.org/10.1007/s11416-019-00343-w
https://secret.inf.ufpr.br//papers/reverse_kernel_marcus.pdf},
doi = {10.1007/s11416-019-00343-w},
issn = {2263-8733},
year = {2020},
date = {2020-01-02},
journal = {Journal of Computer Virology and Hacking Techniques},
abstract = {Kernel monitoring is often a hard task, requiring external debuggers and/or modules to be successfully performed. These requirements make analysis procedures more complicated because multiple machines, although virtualized ones, are required. This requirements also make analysis procedures more expensive. In this paper, we present the Lightweight Kernel Tracer (LKT), an alternative solution for tracing kernel from within by leveraging branch monitors for data collection and an address-based introspection procedure for context reconstruction. We evaluated LKT by tracing distinct machines powered by x64 Windows kernels and show that LKT may be used for understanding kernel's internals (e.g., graphics and USB subsystems) and for system profiling. We also show how to use LKT to trace other tracing and monitoring mechanisms running in kernel, such as Antiviruses and Sandboxes.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}

@article{Botacin2020b,
title = {The self modifying code (SMC)-aware processor (SAP): a security look on architectural impact and support},
author = {Marcus Botacin and Marco Zanata and André Grégio},
url = {https://doi.org/10.1007/s11416-020-00348-w
https://secret.inf.ufpr.br/papers/SMC_marcus.pdf},
doi = {10.1007/s11416-020-00348-w},
issn = {2263-8733},
year = {2020},
date = {2020-01-01},
journal = {Journal of Computer Virology and Hacking Techniques},
abstract = {Self modifying code (SMC) are code snippets that modify themselves at runtime. Malware use SMC to hide payloads and achieve persistence. Software-based SMC detection solutions impose performance penalties for real-time monitoring and do not benefit from runtime architectural information (cache invalidation or pipeline flush, for instance). We revisit SMC impact on hardware internals and discuss the implementation of an SMC detector at distinct architectural points. We consider three detection approaches: (i) existing hardware counters; (ii) block invalidation by the cache coherence protocol; (iii) the use of Memory Management Unit (MMU) information to control SMC execution. We compare the identified instrumentation points to highlight their strong and weak points. We also compare them to previous SMC detectors' implementations.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}

@article{9061034,
title = {A Praise for Defensive Programming: LeveragingUncertainty for Effective Malware Mitigation},
author = {R Sun and M Botacin and N Sapountzis and X Yuan and M Bishop and D E Porter and X Li and A Gregio and D Oliveira},
url = {https://ieeexplore.ieee.org/document/9061034
https://secret.inf.ufpr.br/papers/chameleon.pdf},
year = {2020},
date = {2020-01-01},
journal = {IEEE Transactions on Dependable and Secure Computing},
pages = {1-1},
keywords = {},
pubstate = {published},
tppubtype = {article}
}