2021
|
Botacin, Marcus; Aghakhani, Hojjat; Ortolani, Stefano; Kruegel, Christopher; Vigna, Giovanni; Oliveira, Daniela; Geus, Paulo Lício De; Grégio, André One Size Does Not Fit All: A Longitudinal Analysis of Brazilian Financial Malware Journal Article ACM Trans. Priv. Secur., 24 (2), 2021, ISSN: 2471-2566. Abstract | Links | BibTeX @article{10.1145/3429741,
title = {One Size Does Not Fit All: A Longitudinal Analysis of Brazilian Financial Malware},
author = {Marcus Botacin and Hojjat Aghakhani and Stefano Ortolani and Christopher Kruegel and Giovanni Vigna and Daniela Oliveira and Paulo Lício De Geus and André Grégio},
url = {https://doi.org/10.1145/3429741
https://secret.inf.ufpr.br/papers/marcus_tops_br.pdf},
doi = {10.1145/3429741},
issn = {2471-2566},
year = {2021},
date = {2021-01-01},
journal = {ACM Trans. Priv. Secur.},
volume = {24},
number = {2},
publisher = {Association for Computing Machinery},
address = {New York, NY, USA},
abstract = {Malware analysis is an essential task to understand infection campaigns, the behavior of malicious codes, and possible ways to mitigate threats. Malware analysis also allows better assessment of attackers’ capabilities, techniques, and processes. Although a substantial amount of previous work provided a comprehensive analysis of the international malware ecosystem, research on regionalized, country-, and population-specific malware campaigns have been scarce. Moving towards addressing this gap, we conducted a longitudinal (2012-2020) and comprehensive (encompassing an entire population of online banking users) study of MS Windows desktop malware that actually infected Brazilian banks’ users. We found that the Brazilian financial desktop malware has been evolving quickly: it started to make use of a variety of file formats instead of typical PE binaries, relied on native system resources, and abused obfuscation techniques to bypass detection mechanisms. Our study on the threats targeting a significant population on the ecosystem of the largest and most populous country in Latin America can provide invaluable insights that may be applied to other countries’ user populations, especially those in the developing world that might face cultural peculiarities similar to Brazil’s. With this evaluation, we expect to motivate the security community/industry to seriously consider a deeper level of customization during the development of next-generation anti-malware solutions, as well as to raise awareness towards regionalized and targeted Internet threats.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Malware analysis is an essential task to understand infection campaigns, the behavior of malicious codes, and possible ways to mitigate threats. Malware analysis also allows better assessment of attackers’ capabilities, techniques, and processes. Although a substantial amount of previous work provided a comprehensive analysis of the international malware ecosystem, research on regionalized, country-, and population-specific malware campaigns have been scarce. Moving towards addressing this gap, we conducted a longitudinal (2012-2020) and comprehensive (encompassing an entire population of online banking users) study of MS Windows desktop malware that actually infected Brazilian banks’ users. We found that the Brazilian financial desktop malware has been evolving quickly: it started to make use of a variety of file formats instead of typical PE binaries, relied on native system resources, and abused obfuscation techniques to bypass detection mechanisms. Our study on the threats targeting a significant population on the ecosystem of the largest and most populous country in Latin America can provide invaluable insights that may be applied to other countries’ user populations, especially those in the developing world that might face cultural peculiarities similar to Brazil’s. With this evaluation, we expect to motivate the security community/industry to seriously consider a deeper level of customization during the development of next-generation anti-malware solutions, as well as to raise awareness towards regionalized and targeted Internet threats. |
Botacin, Marcus; Ceschin, Fabricio; Sun, Ruimin; Oliveira, Daniela; Grégio, André Challenges and Pitfalls in Malware Research Journal Article Computers & Security, pp. 102287, 2021, ISSN: 0167-4048. Abstract | Links | BibTeX @article{BOTACIN2021102287,
title = {Challenges and Pitfalls in Malware Research},
author = {Marcus Botacin and Fabricio Ceschin and Ruimin Sun and Daniela Oliveira and André Grégio},
url = {https://www.sciencedirect.com/science/article/pii/S0167404821001115
https://secret.inf.ufpr.br/papers/marcus_challenges.pdf},
doi = {https://doi.org/10.1016/j.cose.2021.102287},
issn = {0167-4048},
year = {2021},
date = {2021-01-01},
journal = {Computers & Security},
pages = {102287},
abstract = {As the malware research field became more established over the last two decades, new research questions arose, such as how to make malware research reproducible, how to bring scientific rigor to attack papers, or what is an appropriate malware dataset for relevant experimental results. The challenges these questions pose also brings pitfalls that affect the multiple malware research stakeholders. To help answering those questions and to highlight potential research pitfalls to be avoided, in this paper, we present a systematic literature review of 491 papers on malware research published in major security conferences between 2000 and 2018. We identified the most common pitfalls present in past literature and propose a method for assessing current (and future) malware research. Our goal is towards integrating science and engineering best practices to develop further, improved research by learning from issues present in the published body of work. As far as we know, this is the largest literature review of its kind and the first to summarize research pitfalls in a research methodology that avoids them. In total, we discovered 20 pitfalls that limit current research impact and reproducibility. The identified pitfalls range from (i) the lack of a proper threat model, that complicates paper’s evaluation, to (ii) the use of closed-source solutions and private datasets, that limit reproducibility. We also report yet-to-be-overcome challenges that are inherent to the malware nature, such as non-deterministic analysis results. Based on our findings, we propose a set of actions to be taken by the malware research and development community for future work: (i) Consolidation of malware research as a field constituted of diverse research approaches (e.g., engineering solutions, offensive research, landscapes/observational studies, and network traffic/system traces analysis); (ii) design of engineering solutions with clearer, direct assumptions (e.g., positioning solutions as proofs-of-concept vs. deployable); (iii) design of experiments that reflects (and emphasizes) the target scenario for the proposed solution (e.g., corporation, user, country-wide); (iv) clearer exposition and discussion of limitations of used technologies and exercised norms/standards for research (e.g., the use of closed-source antiviruses as ground-truth).},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
As the malware research field became more established over the last two decades, new research questions arose, such as how to make malware research reproducible, how to bring scientific rigor to attack papers, or what is an appropriate malware dataset for relevant experimental results. The challenges these questions pose also brings pitfalls that affect the multiple malware research stakeholders. To help answering those questions and to highlight potential research pitfalls to be avoided, in this paper, we present a systematic literature review of 491 papers on malware research published in major security conferences between 2000 and 2018. We identified the most common pitfalls present in past literature and propose a method for assessing current (and future) malware research. Our goal is towards integrating science and engineering best practices to develop further, improved research by learning from issues present in the published body of work. As far as we know, this is the largest literature review of its kind and the first to summarize research pitfalls in a research methodology that avoids them. In total, we discovered 20 pitfalls that limit current research impact and reproducibility. The identified pitfalls range from (i) the lack of a proper threat model, that complicates paper’s evaluation, to (ii) the use of closed-source solutions and private datasets, that limit reproducibility. We also report yet-to-be-overcome challenges that are inherent to the malware nature, such as non-deterministic analysis results. Based on our findings, we propose a set of actions to be taken by the malware research and development community for future work: (i) Consolidation of malware research as a field constituted of diverse research approaches (e.g., engineering solutions, offensive research, landscapes/observational studies, and network traffic/system traces analysis); (ii) design of engineering solutions with clearer, direct assumptions (e.g., positioning solutions as proofs-of-concept vs. deployable); (iii) design of experiments that reflects (and emphasizes) the target scenario for the proposed solution (e.g., corporation, user, country-wide); (iv) clearer exposition and discussion of limitations of used technologies and exercised norms/standards for research (e.g., the use of closed-source antiviruses as ground-truth). |
2020
|
Ceschin, Fabricio; Botacin, Marcus; Lüders, Gabriel; Gomes, Heitor Murilo; Oliveira, Luiz; Gregio, Andre No Need to Teach New Tricks to Old Malware: Winning an Evasion Challenge with XOR-Based Adversarial Samples Inproceedings Reversing and Offensive-Oriented Trends Symposium, pp. 13–22, Association for Computing Machinery, Vienna, Austria, 2020, ISBN: 9781450389747. Abstract | Links | BibTeX @inproceedings{10.1145/3433667.3433669,
title = {No Need to Teach New Tricks to Old Malware: Winning an Evasion Challenge with XOR-Based Adversarial Samples},
author = {Fabricio Ceschin and Marcus Botacin and Gabriel Lüders and Heitor Murilo Gomes and Luiz Oliveira and Andre Gregio},
url = {https://doi.org/10.1145/3433667.3433669
https://secret.inf.ufpr.br/papers/roots_mlsec20.pdf},
doi = {10.1145/3433667.3433669},
isbn = {9781450389747},
year = {2020},
date = {2020-11-01},
booktitle = {Reversing and Offensive-Oriented Trends Symposium},
pages = {13–22},
publisher = {Association for Computing Machinery},
address = {Vienna, Austria},
series = {ROOTS'20},
abstract = {Adversarial attacks to Machine Learning (ML) models became such a concern that tech companies (Microsoft and CUJO AI’s Vulnerability Research Lab) decided to launch contests to better understand their impact on practice. During the contest’s first edition (2019), participating teams were challenged to bypass three ML models in a white box manner. Our team bypassed all the three of them and reported interesting insights about models’ weaknesses. In the second edition (2020), the challenge evolved to an attack-and-defense model: the teams should either propose defensive models and attack other teams’ models in a black box manner. Despite the difficulty increase, our team was able to bypass all models again. In this paper, we describe our insights for this year’s contest regarding on attacking models, as well defending them from adversarial attacks. In particular, we show how frequency-based models (e.g., TF-IDF) are vulnerable to the addition of dead function imports, and how models based on raw bytes are vulnerable to payload-embedding obfuscation (e.g., XOR and base64 encoding).},
keywords = {},
pubstate = {published},
tppubtype = {inproceedings}
}
Adversarial attacks to Machine Learning (ML) models became such a concern that tech companies (Microsoft and CUJO AI’s Vulnerability Research Lab) decided to launch contests to better understand their impact on practice. During the contest’s first edition (2019), participating teams were challenged to bypass three ML models in a white box manner. Our team bypassed all the three of them and reported interesting insights about models’ weaknesses. In the second edition (2020), the challenge evolved to an attack-and-defense model: the teams should either propose defensive models and attack other teams’ models in a black box manner. Despite the difficulty increase, our team was able to bypass all models again. In this paper, we describe our insights for this year’s contest regarding on attacking models, as well defending them from adversarial attacks. In particular, we show how frequency-based models (e.g., TF-IDF) are vulnerable to the addition of dead function imports, and how models based on raw bytes are vulnerable to payload-embedding obfuscation (e.g., XOR and base64 encoding). |
Botacin, Marcus; Ceschin, Fabricio; de Geus, Paulo; Grégio, André We Need to Talk About AntiViruses: Challenges & Pitfalls of AV Evaluations Journal Article Computers & Security, pp. 101859, 2020, ISSN: 0167-4048. Abstract | Links | BibTeX @article{BOTACIN2020101859,
title = {We Need to Talk About AntiViruses: Challenges & Pitfalls of AV Evaluations},
author = {Marcus Botacin and Fabricio Ceschin and Paulo de Geus and André Grégio},
url = {http://www.sciencedirect.com/science/article/pii/S0167404820301310
https://secret.inf.ufpr.br/papers/marcus_av.pdf},
doi = {https://doi.org/10.1016/j.cose.2020.101859},
issn = {0167-4048},
year = {2020},
date = {2020-04-29},
journal = {Computers & Security},
pages = {101859},
abstract = {Security evaluation is an essential task to identify the level of protection accomplished in running systems or to aid in choosing better solutions for each specific scenario. Although antiviruses (AVs) are one of the main defensive solutions for most end-users and corporations, AV’s evaluations are conducted by few organizations and often limited to compare detection rates. Moreover, other important factors of AVs’ operating mode (e.g., response time and detection regression) are usually underestimated. Ignoring such factors create an “understanding gap” on the effectiveness of AVs in actual scenarios, which we aim to bridge by presenting a broader characterization of current AVs’ modes of operation. In our characterization, we consider distinct file types, operating systems, datasets, and time frames. To do so, we daily collected samples from two distinct, representative malware sources and submitted them to the VirusTotal (VT) service for 30 consecutive days. In total, we considered 28,875 unique malware samples. For each day, we retrieved the submitted samples’ detection rates and assigned labels, resulting in more than 1M distinct VT submissions overall. Our experimental results show that: (i) phishing contexts are a challenge for all AVs, turning malicious Web pages detectors less effective than malicious files detectors; (ii) generic procedures are insufficient to ensure broad detection coverage, incurring in lower detection rates for particular datasets (e.g., country-specific) than for those with world-wide collected samples; (iii) detection rates are unstable since all AVs presented detection regression effects after scans in different time frames using the same dataset and (iv) AVs’ long response times in delivering new signatures/heuristics create a significant attack opportunity window within the first 30 days after we first identified a malicious binary. To address the effects of our findings, we propose six new metrics to evaluate the multiple aspects that impact the effectiveness of AVs. With them, we hope to assess corporate (and domestic) users to better evaluate the solutions that fit their needs more adequately.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Security evaluation is an essential task to identify the level of protection accomplished in running systems or to aid in choosing better solutions for each specific scenario. Although antiviruses (AVs) are one of the main defensive solutions for most end-users and corporations, AV’s evaluations are conducted by few organizations and often limited to compare detection rates. Moreover, other important factors of AVs’ operating mode (e.g., response time and detection regression) are usually underestimated. Ignoring such factors create an “understanding gap” on the effectiveness of AVs in actual scenarios, which we aim to bridge by presenting a broader characterization of current AVs’ modes of operation. In our characterization, we consider distinct file types, operating systems, datasets, and time frames. To do so, we daily collected samples from two distinct, representative malware sources and submitted them to the VirusTotal (VT) service for 30 consecutive days. In total, we considered 28,875 unique malware samples. For each day, we retrieved the submitted samples’ detection rates and assigned labels, resulting in more than 1M distinct VT submissions overall. Our experimental results show that: (i) phishing contexts are a challenge for all AVs, turning malicious Web pages detectors less effective than malicious files detectors; (ii) generic procedures are insufficient to ensure broad detection coverage, incurring in lower detection rates for particular datasets (e.g., country-specific) than for those with world-wide collected samples; (iii) detection rates are unstable since all AVs presented detection regression effects after scans in different time frames using the same dataset and (iv) AVs’ long response times in delivering new signatures/heuristics create a significant attack opportunity window within the first 30 days after we first identified a malicious binary. To address the effects of our findings, we propose six new metrics to evaluate the multiple aspects that impact the effectiveness of AVs. With them, we hope to assess corporate (and domestic) users to better evaluate the solutions that fit their needs more adequately. |
Botacin, Marcus; de Geus, Paulo Lício; Grégio, André Leveraging branch traces to understand kernel internals from within Journal Article Journal of Computer Virology and Hacking Techniques, 2020, ISSN: 2263-8733. Abstract | Links | BibTeX @article{Botacin2020,
title = {Leveraging branch traces to understand kernel internals from within},
author = {Marcus Botacin and Paulo Lício de Geus and André Grégio},
url = {https://doi.org/10.1007/s11416-019-00343-w
https://secret.inf.ufpr.br//papers/reverse_kernel_marcus.pdf},
doi = {10.1007/s11416-019-00343-w},
issn = {2263-8733},
year = {2020},
date = {2020-01-02},
journal = {Journal of Computer Virology and Hacking Techniques},
abstract = {Kernel monitoring is often a hard task, requiring external debuggers and/or modules to be successfully performed. These requirements make analysis procedures more complicated because multiple machines, although virtualized ones, are required. This requirements also make analysis procedures more expensive. In this paper, we present the Lightweight Kernel Tracer (LKT), an alternative solution for tracing kernel from within by leveraging branch monitors for data collection and an address-based introspection procedure for context reconstruction. We evaluated LKT by tracing distinct machines powered by x64 Windows kernels and show that LKT may be used for understanding kernel's internals (e.g., graphics and USB subsystems) and for system profiling. We also show how to use LKT to trace other tracing and monitoring mechanisms running in kernel, such as Antiviruses and Sandboxes.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Kernel monitoring is often a hard task, requiring external debuggers and/or modules to be successfully performed. These requirements make analysis procedures more complicated because multiple machines, although virtualized ones, are required. This requirements also make analysis procedures more expensive. In this paper, we present the Lightweight Kernel Tracer (LKT), an alternative solution for tracing kernel from within by leveraging branch monitors for data collection and an address-based introspection procedure for context reconstruction. We evaluated LKT by tracing distinct machines powered by x64 Windows kernels and show that LKT may be used for understanding kernel's internals (e.g., graphics and USB subsystems) and for system profiling. We also show how to use LKT to trace other tracing and monitoring mechanisms running in kernel, such as Antiviruses and Sandboxes. |
Botacin, Marcus; Zanata, Marco; Grégio, André The self modifying code (SMC)-aware processor (SAP): a security look on architectural impact and support Journal Article Journal of Computer Virology and Hacking Techniques, 2020, ISSN: 2263-8733. Abstract | Links | BibTeX @article{Botacin2020b,
title = {The self modifying code (SMC)-aware processor (SAP): a security look on architectural impact and support},
author = {Marcus Botacin and Marco Zanata and André Grégio},
url = {https://doi.org/10.1007/s11416-020-00348-w
https://secret.inf.ufpr.br/papers/SMC_marcus.pdf},
doi = {10.1007/s11416-020-00348-w},
issn = {2263-8733},
year = {2020},
date = {2020-01-01},
journal = {Journal of Computer Virology and Hacking Techniques},
abstract = {Self modifying code (SMC) are code snippets that modify themselves at runtime. Malware use SMC to hide payloads and achieve persistence. Software-based SMC detection solutions impose performance penalties for real-time monitoring and do not benefit from runtime architectural information (cache invalidation or pipeline flush, for instance). We revisit SMC impact on hardware internals and discuss the implementation of an SMC detector at distinct architectural points. We consider three detection approaches: (i) existing hardware counters; (ii) block invalidation by the cache coherence protocol; (iii) the use of Memory Management Unit (MMU) information to control SMC execution. We compare the identified instrumentation points to highlight their strong and weak points. We also compare them to previous SMC detectors' implementations.},
keywords = {},
pubstate = {published},
tppubtype = {article}
}
Self modifying code (SMC) are code snippets that modify themselves at runtime. Malware use SMC to hide payloads and achieve persistence. Software-based SMC detection solutions impose performance penalties for real-time monitoring and do not benefit from runtime architectural information (cache invalidation or pipeline flush, for instance). We revisit SMC impact on hardware internals and discuss the implementation of an SMC detector at distinct architectural points. We consider three detection approaches: (i) existing hardware counters; (ii) block invalidation by the cache coherence protocol; (iii) the use of Memory Management Unit (MMU) information to control SMC execution. We compare the identified instrumentation points to highlight their strong and weak points. We also compare them to previous SMC detectors' implementations. |
