Towards a Malware Language for Use with BERT Transformer—An Approach Using API Call Sequences

Owens, Joshua

23 August 2022

No description available.

Computer Science

Malware

BERT

Adapting Linguistic Deception Cues for Malware Detection

Severyn, Stacie Noel

January 2014

No description available.

Computer Engineering

malware detection

Caractérisation et détection de malware Android basées sur les flux d'information. / Characterization and detection of Android malware based on information flows

Andriatsimandefitra Ratsisahanana, Radoniaina

15 December 2014

Les flux d’information sont des transferts d’information entre les objets d’un environnement donné. À l’échelle du système, pour toute information appartenant à une application donnée, les flux impliquant cette information décrivent comment l’application propage ses données dans le système et l’ensemble de ces flux peut ainsi être considéré comme un profil comportemental de l’application. À cause du nombre croissant d’applications malveillantes, il est devenu nécessaire d’explorer des nouvelles techniques permettant de faciliter voir automatiser l’analyse et la détection de malware. Dans cette thèse, nous proposons ainsi une méthode pour caractériser et détecter les malware Android en nous basant sur les flux d’information qu’ils causent dans le système. Cette méthode repose sur deux autres contributions de la thèse : AndroBlare, la version Android d’un moniteur de flux d’information du nom de Blare, et les graphes de flux système, une structure de donnée représentant de manière compacte et humainement compréhensible les flux d’information observés. Nous avons évalué avec succès notre approche en construisant le profil de 4 malware différents et avons montré que ces profils permettaient de détecter l’exécution d’applications infectées par les malware dont on a un profil. / : Information flows are information exchanges between objects in a given environment. At system level, information flows involving data belonging to a given application describe how this application disseminates its data in the system and can be considered as behaviour based profile of the application. Because of the increasing number of Android malware, there is an urgent need to explore new approaches to analyse and detect Android malware. In this thesis, we thus propose an approach to characterize and detect Android malware based on information flows they cause in the system. This approach leverages two other contributions of the thesis which are AndroBlare, the Android version of an information flow monitor named Blare, and the system flow graph, a data structure to represent in a compact and human readable way the information flows observed by AndroBlare. We successfully evaluated our approach by building the profile of 4 different malware and showed that these profiles permitted to detect the execution of applications infected by malware for which we have computed a profile.

Malware Android

Analyse dynamique de malware

Sécurité Android

Suivi de flux d’information

Détection de malware

Android malware

Dynamic analysis of Android malware

Android security

Dynamic information flow tracking

Malware detection

378.242

Trestněprávní a kriminologické aspekty šíření ransomware / Criminal and criminological aspects of ransomware spreading

Zavadil, Stanislav

January 2019

Criminal and criminological aspects of ransomware spreading Abstract This diploma thesis deals with issues of ransomware spreading and examines certain criminal and criminological aspects of this cybercrime phenomenon. Ransomware is malware that encrypts, blocks or prevents access to the computer system or data in a computer system. In connection to this, it demands monetary or other ransom. This diploma thesis firstly describes ransomware from the point of view of its function and technical aspects, including its history, categorization of its variations and description of several notable infection examples, namely WannaCry, Petya, DoubleLocker and Vir Policie. Following section describes possible criminal qualifications according to Czech substantive criminal law, including the consideration of specifics of different ransomware variations and potential development of this criminal aktivity. The final part focuses on criminological aspects of ransomware spreading. It beggins with a description of the crime status and dynamics, including further details about latency and trends. Then follows the description of perpetrator and victim in view of certain criminological theories. Finally, criminological part comprises a chapter about crime control and prevention, which includes practical parts that aim to help...

Concise Analysis of Malware Behavior

Tsai, Hung-Shiuan

10 January 2012

In recent years the popularity of the internet, the network not only providing information to the general users to browse the contents of the site, but also has some network service like e-mail, e-commerce, and social networks. Although these online services are convenient for general users, also provide the possible hackers to abuse these services through the internet to spread malware. As the number of malware is increasing very fast, in order to understand the behavior of malware better, in the research we create a malware analysis environment, after the execute of malware samples to record the behavior of malware, and the behavior of malware to aggregation the original records to provide users with a summary analysis of the behavior. Which lists the important and malware-related behavior, if users need access to more detailed content and then further click to view. In the research, use existing analysis tools and memory forensics technology for analysis. By memory forensics technology that can identify some malware that attempts to hide the behavior in order to detectability. In addition to record the behavior of malware, the present research get the original complex to integrate and simplify log file. The last of analysis generates a summary report, which lists the malware¡¦s main behavior. So that the user can grasp malware to the extent and scope of the impact, if necessary can further see a more complete record. Look forward to control the behavior of malware more easily and efficiently.

Virtual Machine

Memory Forensics

Malware Behavior

Dynamic Analysis

Malware

Evaluating tool based automated malware analysis through persistence mechanism detection

Webb, Matthew S.

January 1900

Master of Science / Department of Computer Science / Eugene Vasserman / Since 2014 there have been over 120 million new malicious programs registered every year. Due to the amount of new malware appearing every year, analysts have automated large sections of the malware reverse engineering process. Many automated analysis systems are created by re-implementing analysis techniques rather than automating existing tools that utilize the same techniques. New implementations take longer to create and do not have the same proven quality as a tool that evolved alongside malware for many years. The goal of this study is to assess the efficiency and effectiveness of using existing tools for the application of automated malware analysis. This study focuses on the problem of discovering how malware persists on an infected system. Six tools are chosen based on their usefulness in manual analysis for revealing different persistence techniques employed by malware. The functions of these tools are automated in a fashion that emulates how they can be manually utilized, resulting in information about a tested sample. These six tools are tested against a collection of actual malware samples, pulled from malware families that are known for employing various persistence techniques. The findings are then scanned for indicators of persistence. The results of these tests are used to determine the smallest tool subset that discovers the largest range of persistence mechanisms. For each tool, implementation difficulty is compared to the number of indicators discovered to reveal the effectiveness of similar tools for future analysis applications. The conclusion is that while the tools covered a wide range of persistence mechanisms, the standalone tools that were designed with scripting in mind were more effective than those with multiple system requirements or those with only a graphical interface. It was also discovered that the automation process limits functionality of some tools, as they are designed for analyst interaction. Regaining the tools’ functionality lost from automation to use them for other reverse engineering applications could be cumbersome and could require necessary implementation overhauls. Finally, the more successful tools were able to detect a broader range of techniques, while some less successful tools could only detect a portion of the same techniques. This study concludes that while an analysis system can be created by automating existing tools, the characteristics of the tools chosen impact the workload required to automate them. A well-documented tool that is controllable through a command line interface that offers many configuration options will require less work for an analyst to automate than a tool with little documentation that can only be controlled through a graphical interface.

Malware analysis

Automated analysis

Tool evaluation

Malware persistence

Ransomware : Ett modernt gisslandrama

Frick, Jan, Sjöström, Andreas

January 2016

Ransomware är en sorts skadlig kod som krypterar vissa delar av ett datorsystem med så pass hög säkerhet att endast krypteringsnyckeln kan ge tillgång till filerna igen. Den ges mot betalning av en lösensumma. Antalet infekterade system har ökat kraftigt de senaste åren och det har utvecklats till en stor svart marknad som omsätter miljoner varje år. I detta arbete analyseras fyra sorters ransomware: Cryptowall, TeslaCrypt, CTB-Locker och Locky. Det dessa ransomware har gemensamt är att de krypterar filnamnen och innehållet i filerna med en okäckbar kod. Genom att infektera ett virtuellt system undersöks möjliga åtgärder för att återskapa filer efter att en infektion har skett. Analysen visar att filen vssadmin.exe spelar en betydande roll för de fyra sorters ransomwaren. Med hjälp av denna fil raderar ransomwaren alla tidigare skapade återställningspunkter, kallad Volume Snapshot Services, och därmed försvinner möjligheten att återställa filer till ett tidigare läge. Experimenten visar att genom att förhindra ransomwarens åtkomst till denna fil möjliggörs återställandet av mappar till ett tidigare läge, och därmed även återställandet av filerna, efter en ransomwareinfektion.

Ransomware

virus

skadlig kod

malware

Kriminologické a trestněprávní aspekty fenoménu ransomware / Criminological and legal aspects of the ransomware phenomenon

Johanovský, Tomáš

January 2018

Criminological and legal aspects of the ransomware phenomenon Abstract This diploma thesis deals with the current topic of cybercrime and focuses specifically on the phenomenon of ransomware on a scope unprecedented in Czech legal literature. Ransomware is a malicious code that interferes with the operation of a computer system, and later requires ransom for the victim to recover the access to the computer system and the data contained therein. Basic concepts necessary for the definition of ransomware (such as cyberspace, cybercrime, computer system, malicious code, cryptocurrency and darknet) are introduced and explained. The specificities of cybercrime and its development and current range in the Czech Republic are analysed. The main part of the text deals with the analysis of ransomware, starting with its history and leading to the possible future developments of ransomware. Different variants of ransomware are described such as false antivirus, police, locker and encryption ransomware. From a criminological point of view, the text focuses on the unique interaction of the perpetrator and the victim, which takes on surprising forms of customer support, answers to frequently asked questions and instructions for acquiring virtual currencies. Emphasis is placed on prevention efforts that can mitigate the...

Jämförelse av metoder för malwareanalys

Hjertsson, Emil, Kentsson, Henrik

January 2013

Att genomföra analys av malware är en viktig del i att få en bättre förståelse för hur det fungerar och beter sig när det drabbar ett system. Själva genomförandet av analysen kan göras på olika vis. Detta arbete tittar närmare på tre metoder för att analysera malware och ser vilken information de ger. Genom de experiment som utförs på ett malware som går under namnet BetaBot skapas en bättre förståelse för hur just detta malware fungerar. Målet är bland annat att jämföra de olika analysmetoder som valts ut och se hur de förhåller sig till varandra. Den grundläggande statiska analysen ger viss information om ett malware. Dock är den inte tillräcklig för att veta vad det gör. Vidare undersöks den dynamiska analysen, som till skillnad från den automatiserade kan ge ytterligare information om malwarebeteende. Dock är den metoden mer tidskrävande och skapar en stor informationsmängd som måste bearbetas. Utifrån resultaten drar vi slutsatsen att den automatiserade analysen, som är en slags kombination av statisk och dynamisk analys, är ett lämpligt första steg vid analys av malware. Denna metod ger snabbt resultat och en överskådlig bild av ett analyserat malware.

Malware

Analys

Statisk

Dynamisk

Automatiserad

Practical, Large-Scale Detection of Obfuscated Malware Code Via Flow Dependency Indexing

Jin, Wesley

01 May 2014

Malware analysts often need to search large corpuses of obfuscated binaries for particular sequences of related instructions. The use of simple tactics, such as dead code insertion and register renaming, prevents the use of conventional, big-data search indexes. Current, state of the art malware detectors are unable to handle the size of the dataset due to their iterative approach to comparing files. Furthermore, current work is also frequently designed to act as a detector and not a search tool. I propose a system that exploits the observation that many data/control-flow relationships between instructions are preserved in the presence of obfuscations. The system will extract chains of flow-dependent instructions from a binary’s Program Dependence Graph (PDG). It will then use a representation of each chain as a key for an index that points to lists of functions (and their corresponding files). Analysts will be able to quickly search for instruction sequences by querying the index.

obfuscated malware

inverted index

PDG