2021
Botacin, Marcus; Aghakhani, Hojjat; Ortolani, Stefano; Kruegel, Christopher; Vigna, Giovanni; Oliveira, Daniela; Geus, Paulo Lício De; Grégio, André. One Size Does Not Fit All: A Longitudinal Analysis of Brazilian Financial Malware. Journal Article. ACM Trans. Priv. Secur., 24 (2), 2021, ISSN: 2471-2566.
@article{10.1145/3429741,
title = {One Size Does Not Fit All: A Longitudinal Analysis of Brazilian Financial Malware},
author = {Marcus Botacin and Hojjat Aghakhani and Stefano Ortolani and Christopher Kruegel and Giovanni Vigna and Daniela Oliveira and Paulo Lício De Geus and André Grégio},
url = {https://doi.org/10.1145/3429741
https://secret.inf.ufpr.br/papers/marcus_tops_br.pdf},
doi = {10.1145/3429741},
issn = {2471-2566},
year = {2021},
date = {2021-01-01},
journal = {ACM Trans. Priv. Secur.},
volume = {24},
number = {2},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
abstract = {Malware analysis is an essential task to understand infection campaigns, the behavior of malicious codes, and possible ways to mitigate threats. Malware analysis also allows better assessment of attackers’ capabilities, techniques, and processes. Although a substantial amount of previous work provided a comprehensive analysis of the international malware ecosystem, research on regionalized, country-, and population-specific malware campaigns has been scarce. Moving towards addressing this gap, we conducted a longitudinal (2012-2020) and comprehensive (encompassing an entire population of online banking users) study of MS Windows desktop malware that actually infected Brazilian banks’ users. We found that the Brazilian financial desktop malware has been evolving quickly: it started to make use of a variety of file formats instead of typical PE binaries, relied on native system resources, and abused obfuscation techniques to bypass detection mechanisms. Our study on the threats targeting a significant population in the ecosystem of the largest and most populous country in Latin America can provide invaluable insights that may be applied to other countries’ user populations, especially those in the developing world that might face cultural peculiarities similar to Brazil’s. With this evaluation, we expect to motivate the security community/industry to seriously consider a deeper level of customization during the development of next-generation anti-malware solutions, as well as to raise awareness towards regionalized and targeted Internet threats.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
2020
Botacin, Marcus; Ceschin, Fabricio; de Geus, Paulo; Grégio, André. We Need to Talk About AntiViruses: Challenges & Pitfalls of AV Evaluations. Journal Article. Computers & Security, pp. 101859, 2020, ISSN: 0167-4048.
@article{BOTACIN2020101859,
title = {We Need to Talk About AntiViruses: Challenges & Pitfalls of AV Evaluations},
author = {Marcus Botacin and Fabricio Ceschin and Paulo de Geus and André Grégio},
url = {http://www.sciencedirect.com/science/article/pii/S0167404820301310
https://secret.inf.ufpr.br/papers/marcus_av.pdf},
doi = {10.1016/j.cose.2020.101859},
issn = {0167-4048},
year = {2020},
date = {2020-04-29},
journal = {Computers & Security},
pages = {101859},
abstract = {Security evaluation is an essential task to identify the level of protection accomplished in running systems or to aid in choosing better solutions for each specific scenario. Although antiviruses (AVs) are one of the main defensive solutions for most end-users and corporations, AV evaluations are conducted by few organizations and are often limited to comparing detection rates. Moreover, other important factors of AVs’ operating mode (e.g., response time and detection regression) are usually underestimated. Ignoring such factors creates an “understanding gap” on the effectiveness of AVs in actual scenarios, which we aim to bridge by presenting a broader characterization of current AVs’ modes of operation. In our characterization, we consider distinct file types, operating systems, datasets, and time frames. To do so, we daily collected samples from two distinct, representative malware sources and submitted them to the VirusTotal (VT) service for 30 consecutive days. In total, we considered 28,875 unique malware samples. For each day, we retrieved the submitted samples’ detection rates and assigned labels, resulting in more than 1M distinct VT submissions overall. Our experimental results show that: (i) phishing contexts are a challenge for all AVs, making malicious Web page detectors less effective than malicious file detectors; (ii) generic procedures are insufficient to ensure broad detection coverage, incurring lower detection rates for particular datasets (e.g., country-specific) than for those with world-wide collected samples; (iii) detection rates are unstable, since all AVs presented detection regression effects after scans in different time frames using the same dataset; and (iv) AVs’ long response times in delivering new signatures/heuristics create a significant attack opportunity window within the first 30 days after we first identified a malicious binary.
To address the effects of our findings, we propose six new metrics to evaluate the multiple aspects that impact the effectiveness of AVs. With them, we hope to assist corporate (and domestic) users in better evaluating the solutions that fit their needs more adequately.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
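Two of the effects the abstract above names, response time and detection regression, can be made concrete by replaying per-day engine verdicts for a sample. The block below is an added example, not code from the paper, and it does not reproduce the paper's six metrics; the samples, engine names and daily verdicts are constructed for illustration (an actual study would pull them from VirusTotal rescans over the observation window).

```python
"""Two of the AV-behaviour effects named in the abstract, measured over a
constructed set of daily VT-style scan records: response time (days from a
sample's first scan to an engine's first detection) and detection regression
(an engine stops flagging a sample it flagged earlier). Added example; not
the paper's six metrics and not code from the paper."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Scan:
    sha256: str     # sample identifier (hex digest)
    day: int        # days since the sample's first submission; 0 = first scan
    engine: str     # AV engine name as labelled in the scan report
    detected: bool  # True if this engine flagged the sample on this day


# Constructed records (not real samples or engines): two samples, two engines,
# four daily rescans each.
SAMPLE_A, SAMPLE_B = "a" * 64, "b" * 64
SCANS: List[Scan] = [
    # Sample A: engine_x flags it from day 0; engine_y only from day 2.
    Scan(SAMPLE_A, 0, "engine_x", True),  Scan(SAMPLE_A, 0, "engine_y", False),
    Scan(SAMPLE_A, 1, "engine_x", True),  Scan(SAMPLE_A, 1, "engine_y", False),
    Scan(SAMPLE_A, 2, "engine_x", True),  Scan(SAMPLE_A, 2, "engine_y", True),
    Scan(SAMPLE_A, 3, "engine_x", True),  Scan(SAMPLE_A, 3, "engine_y", True),
    # Sample B: engine_x flags it on days 0-1, drops it on day 2 (regression),
    # flags it again on day 3; engine_y never flags it.
    Scan(SAMPLE_B, 0, "engine_x", True),  Scan(SAMPLE_B, 0, "engine_y", False),
    Scan(SAMPLE_B, 1, "engine_x", True),  Scan(SAMPLE_B, 1, "engine_y", False),
    Scan(SAMPLE_B, 2, "engine_x", False), Scan(SAMPLE_B, 2, "engine_y", False),
    Scan(SAMPLE_B, 3, "engine_x", True),  Scan(SAMPLE_B, 3, "engine_y", False),
]


def _timeline(scans: List[Scan], engine: str, sha256: str) -> List[Scan]:
    """One engine's verdicts for one sample, in day order."""
    return sorted((s for s in scans if s.engine == engine and s.sha256 == sha256),
                  key=lambda s: s.day)


def response_time(scans: List[Scan], engine: str, sha256: str) -> Optional[int]:
    """Days until the engine's first detection; None if never detected in the window."""
    for s in _timeline(scans, engine, sha256):
        if s.detected:
            return s.day
    return None


def regression_days(scans: List[Scan], engine: str, sha256: str) -> List[int]:
    """Days on which the engine no longer flagged a sample it had flagged before."""
    days, seen = [], False
    for s in _timeline(scans, engine, sha256):
        if s.detected:
            seen = True
        elif seen:
            days.append(s.day)
    return days


def daily_detection_rate(scans: List[Scan], day: int) -> Dict[str, float]:
    """Per-engine fraction of distinct samples flagged on a given day."""
    flagged, total = defaultdict(set), defaultdict(set)
    for s in scans:
        if s.day == day:
            total[s.engine].add(s.sha256)
            if s.detected:
                flagged[s.engine].add(s.sha256)
    return {e: len(flagged[e]) / len(total[e]) for e in sorted(total)}


def exposure_days(scans: List[Scan], sha256: str) -> List[int]:
    """Days on which no engine at all flagged the sample: the attack window."""
    by_day = defaultdict(list)
    for s in scans:
        if s.sha256 == sha256:
            by_day[s.day].append(s.detected)
    return [d for d in sorted(by_day) if not any(by_day[d])]


if __name__ == "__main__":
    for sample in (SAMPLE_A, SAMPLE_B):
        for engine in ("engine_x", "engine_y"):
            print(sample[:8], engine,
                  "response_time:", response_time(SCANS, engine, sample),
                  "regressions:", regression_days(SCANS, engine, sample))
        print(sample[:8], "undetected by all engines on days", exposure_days(SCANS, sample))
    print("day 2 detection rates:", daily_detection_rate(SCANS, 2))
```

The point of keeping the whole timeline rather than a single detection count is visible in sample B: a one-off scan on day 2 would report it as clean even though the same engine flagged it the day before, which is exactly the regression effect a detection-rate snapshot hides.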
Botacin, Marcus; de Geus, Paulo Lício; Grégio, André. Leveraging branch traces to understand kernel internals from within. Journal Article. Journal of Computer Virology and Hacking Techniques, 2020, ISSN: 2263-8733.
@article{Botacin2020,
title = {Leveraging branch traces to understand kernel internals from within},
author = {Marcus Botacin and Paulo Lício de Geus and André Grégio},
url = {https://doi.org/10.1007/s11416-019-00343-w
https://secret.inf.ufpr.br//papers/reverse_kernel_marcus.pdf},
doi = {10.1007/s11416-019-00343-w},
issn = {2263-8733},
year = {2020},
date = {2020-01-02},
journal = {Journal of Computer Virology and Hacking Techniques},
abstract = {Kernel monitoring is often a hard task, requiring external debuggers and/or modules to be successfully performed. These requirements make analysis procedures more complicated because multiple machines, even if virtualized ones, are required. These requirements also make analysis procedures more expensive. In this paper, we present the Lightweight Kernel Tracer (LKT), an alternative solution for tracing the kernel from within by leveraging branch monitors for data collection and an address-based introspection procedure for context reconstruction. We evaluated LKT by tracing distinct machines powered by x64 Windows kernels and show that LKT may be used for understanding the kernel's internals (e.g., graphics and USB subsystems) and for system profiling. We also show how to use LKT to trace other tracing and monitoring mechanisms running in the kernel, such as Antiviruses and Sandboxes.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
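The "address-based introspection procedure for context reconstruction" in the abstract above is the step that turns raw branch records into something readable: a branch monitor only reports source and destination addresses, and a map of loaded module ranges is what attaches module-level meaning to them. The block below is an added example of that step and is not the LKT code from the paper; the module names, base addresses and trace records are constructed and describe no real system (the names merely echo the Windows subsystems the abstract mentions).

```python
"""Address-based context reconstruction for raw branch traces. A branch
monitor delivers (source, destination) address pairs with no names attached;
mapping each address onto the ranges of loaded kernel modules turns the trace
into module-level control flow. Added example, not the paper's LKT code. The
module map, module names, base addresses and trace below are constructed and
describe no real system."""
from bisect import bisect_right
from collections import Counter
from typing import List, NamedTuple, Optional, Tuple


class Module(NamedTuple):
    name: str
    base: int   # load address
    size: int   # bytes; the range is [base, base + size)


class Branch(NamedTuple):
    src: int    # address of the branch instruction
    dst: int    # address control was transferred to


class ModuleMap:
    """Sorted, non-overlapping module ranges with binary-search lookup."""

    def __init__(self, modules: List[Module]) -> None:
        self.modules = sorted(modules, key=lambda m: m.base)
        self._bases = [m.base for m in self.modules]
        for lo, hi in zip(self.modules, self.modules[1:]):
            if lo.base + lo.size > hi.base:
                raise ValueError(f"overlapping ranges: {lo.name} and {hi.name}")

    def resolve(self, addr: int) -> Optional[Tuple[str, int]]:
        """(module name, offset) containing addr, or None if no module covers it."""
        i = bisect_right(self._bases, addr) - 1
        if i < 0:
            return None
        m = self.modules[i]
        return (m.name, addr - m.base) if addr < m.base + m.size else None


def symbolize(addr: int, mmap: ModuleMap) -> str:
    """module+0xoffset form, or <unknown> for addresses outside every module."""
    r = mmap.resolve(addr)
    return f"{r[0]}+0x{r[1]:x}" if r else f"<unknown 0x{addr:x}>"


def module_transitions(trace: List[Branch], mmap: ModuleMap) -> Counter:
    """How often control moved from one module to another (None = unmapped)."""
    counts: Counter = Counter()
    for b in trace:
        s, d = mmap.resolve(b.src), mmap.resolve(b.dst)
        counts[(s[0] if s else None, d[0] if d else None)] += 1
    return counts


def unresolved_targets(trace: List[Branch], mmap: ModuleMap) -> List[int]:
    """Branch destinations that no loaded module accounts for."""
    return sorted({b.dst for b in trace if mmap.resolve(b.dst) is None})


# Constructed module map (fictitious bases; names only echo Windows subsystems).
NT_BASE, HAL_BASE = 0xFFFFF80010000000, 0xFFFFF80010A00000
USB_BASE, DXG_BASE = 0xFFFFF80012000000, 0xFFFFF80013000000
MMAP = ModuleMap([
    Module("nt", NT_BASE, 0x00A00000),       # ends exactly where hal begins
    Module("hal", HAL_BASE, 0x00100000),
    Module("usbport", USB_BASE, 0x00080000),
    Module("dxgkrnl", DXG_BASE, 0x00400000),
])

# Constructed trace of (src, dst) pairs, oldest first.
TRACE: List[Branch] = [
    Branch(NT_BASE + 0x1000, NT_BASE + 0x2000),
    Branch(NT_BASE + 0x3000, USB_BASE + 0x100),
    Branch(USB_BASE + 0x120, NT_BASE + 0x4000),
    Branch(NT_BASE + 0x5000, DXG_BASE + 0x800),
    Branch(DXG_BASE + 0x900, 0xFFFFF80017FFE000),   # lands outside every module
    Branch(NT_BASE + 0x3000, USB_BASE + 0x100),
]

if __name__ == "__main__":
    for b in TRACE:
        print(f"{symbolize(b.src, MMAP):>24} -> {symbolize(b.dst, MMAP)}")
    for (s, d), n in module_transitions(TRACE, MMAP).most_common():
        print(f"{n}x {s} -> {d}")
    print("unmapped targets:", [hex(a) for a in unresolved_targets(TRACE, MMAP)])
```

Two details matter in practice: range ends are exclusive, so an address at the first byte of the next module resolves to that module and not its neighbour, and destinations that fall outside every known range are kept rather than dropped, since a branch into unmapped memory is exactly the kind of record an analyst wants to see when tracing code that the module list does not account for.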
Botacin, Marcus; Zanata, Marco; Grégio, André. The self modifying code (SMC)-aware processor (SAP): a security look on architectural impact and support. Journal Article. Journal of Computer Virology and Hacking Techniques, 2020, ISSN: 2263-8733.
@article{Botacin2020b,
title = {The self modifying code (SMC)-aware processor (SAP): a security look on architectural impact and support},
author = {Marcus Botacin and Marco Zanata and André Grégio},
url = {https://doi.org/10.1007/s11416-020-00348-w
https://secret.inf.ufpr.br/papers/SMC_marcus.pdf},
doi = {10.1007/s11416-020-00348-w},
issn = {2263-8733},
year = {2020},
date = {2020-01-01},
journal = {Journal of Computer Virology and Hacking Techniques},
abstract = {Self-modifying code (SMC) refers to code snippets that modify themselves at runtime. Malware uses SMC to hide payloads and achieve persistence. Software-based SMC detection solutions impose performance penalties for real-time monitoring and do not benefit from runtime architectural information (cache invalidation or pipeline flush, for instance). We revisit SMC impact on hardware internals and discuss the implementation of an SMC detector at distinct architectural points. We consider three detection approaches: (i) existing hardware counters; (ii) block invalidation by the cache coherence protocol; (iii) the use of Memory Management Unit (MMU) information to control SMC execution. We compare the identified instrumentation points to highlight their strong and weak points. We also compare them to previous SMC detectors' implementations.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Sun, R; Botacin, M; Sapountzis, N; Yuan, X; Bishop, M; Porter, D E; Li, X; Gregio, A; Oliveira, D. A Praise for Defensive Programming: Leveraging Uncertainty for Effective Malware Mitigation. Journal Article. IEEE Transactions on Dependable and Secure Computing, pp. 1-1, 2020.
@article{9061034,
title = {A Praise for Defensive Programming: Leveraging Uncertainty for Effective Malware Mitigation},
author = {R Sun and M Botacin and N Sapountzis and X Yuan and M Bishop and D E Porter and X Li and A Gregio and D Oliveira},
url = {https://ieeexplore.ieee.org/document/9061034
https://secret.inf.ufpr.br/papers/chameleon.pdf},
year = {2020},
date = {2020-01-01},
journal = {IEEE Transactions on Dependable and Secure Computing},
pages = {1-1},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Botacin, Marcus; Bertão, Giovanni; de Geus, Paulo; Grégio, André; Kruegel, Christopher; Vigna, Giovanni. On the Security of Application Installers and Online Software Repositories. Conference. Detection of Intrusions and Malware, and Vulnerability Assessment, Springer International Publishing, Cham, 2020, ISBN: 978-3-030-52683-2.
@conference{10.1007/978-3-030-52683-2_10b,
title = {On the Security of Application Installers and Online Software Repositories},
author = {Marcus Botacin and Giovanni Bertão and Paulo de Geus and André Grégio and Christopher Kruegel and Giovanni Vigna},
editor = {Clémentine Maurice and Leyla Bilge and Gianluca Stringhini and Nuno Neves},
url = {https://link.springer.com/chapter/10.1007/978-3-030-52683-2_10
https://secret.inf.ufpr.br/papers/marcus_dimva_bundle.pdf},
isbn = {978-3-030-52683-2},
year = {2020},
date = {2020-01-01},
booktitle = {Detection of Intrusions and Malware, and Vulnerability Assessment},
pages = {192--214},
publisher = {Springer International Publishing},
address = {Cham},
abstract = {The security of application installers is often overlooked, but the security risks associated with these pieces of code are not negligible. Online public repositories have been one of the most popular ways for end users to obtain software, but there is a lack of systematic security evaluation of popular public repositories. In this paper, we bridge this gap by analyzing five popular software repositories. We focus on their software updating dynamics, as well as the presence of traces of vulnerable and/or trojanized applications among the top-100 most downloaded Windows programs on each of the evaluated repositories. We analyzed 2,935 unique programs collected in a period of 144 consecutive days. Our results show that: (i) the repositories frequently exhibit rank changes due to applications quickly climbing toward the first positions; (ii) the repositories often update their payloads, which may cause the distribution of distinct binaries for the same intended application (binaries for the same applications may also be different in each repository); (iii) the installers are composed of multiple components and often download payloads from the Internet to complete their installation steps, posing new risks for users (we demonstrate that some installers are vulnerable to content tampering through man-in-the-middle attacks); (iv) the ever-changing nature of repositories and installers makes them prone to abuse, as we observed that 30% of all applications were reported malicious by at least one AV.},
keywords = {},
pubstate = {published},
tppubtype = {conference}
}