Among Viruses, Trojans, and Backdoors
Fighting Malware in 2022
Marcus Botacin
mfbotacin@inf.ufpr.br
mfbotacin@gmail.com
marcusbotacin.github.io
Among Viruses, Trojans, and Backdoors 1 / 47 UFMG
Outline: Introduction, Contributions, Moving Forward, Current Research, Future Challenges, Conclusions

Who Am I?
PhD in Computer Science (2021) - Federal University of Paraná (UFPR), Brazil
Thesis: “On the Malware Detection Problem: Challenges and new Approaches”
MSc in Computer Science (2017) - University of Campinas (UNICAMP), Brazil
Dissertation: “Hardware-Assisted Malware Analysis”
Computer Engineer (2015) - University of Campinas (UNICAMP), Brazil
Final Project: “Malware detection via syscall patterns identification”

Malware Detection: How have we been doing?

How have we been doing? (Malware Specifics)
The good side
Figure: Source: https://apnews.com/article/europe-malware-netherlands-coronavirus-pandemic-7de5f74120a968bd0a5bee3c57899fed
The bad side
Figure: Source: https://thehackernews.com/2021/06/droidmorph-shows-popular-android.html

Malware Detection: What have we been doing?

The State-of-the-art in Malware Detection & Prevention
Steps
1 Collection
2 Triage
3 Sandbox Analysis
4 Threat Intelligence
5 Endpoint Protection
Where each step runs
Collection: distributed processing.
Analysis and Intelligence steps: cloud processing.
Endpoint: limited processing.

Collection
How to find new malware samples?
Searching “dark web” forums.
Crawling software repositories.
Leveraging honeypots.
Checking spam traps.
Downloading malware repositories.
Scraping blocklists.
The result
Figure: Source: https://www.forbes.com/sites/thomasbrewster/2021/09/29/google-play-warning-200-android-apps-stole-millions-from-10-million-phones/

Triage
Why so many new malware samples?
Variations from the same source code.
Implications
Increased processing costs and response time.
How to solve this problem?
Identify and cluster similar samples.
The Statistics
Figure: Source: https://www.kaspersky.com/about/press-releases/2020_the-number-of-new-malicious-files-detected-every-day-increases-by-52-to-360000-in-2020

Sandbox Analysis
Goals: Uncover hidden behaviors.
Method: Trace sample execution.
Challenge: Handle evasion attempts.
Solution 1
Figure: https://blog.virustotal.com/2019/05/virustotal-multisandbox-yoroi-yomi.html
Solution 2
Figure: https://blog.virustotal.com/2019/07/virustotal-multisandbox-sndbox.html

Threat Intelligence
Goal: Identify trends and predict attacks.
How? Data analytics over analyzed samples.
Challenges: Look at a representative dataset.
We should look at:
Figure: Source: https://www.computerweekly.com/news/252504676/Ransomware-attacks-increase-dramatically-during-2021

Endpoint Protection
Goal: Protect customers on their machines.
How? Moving the viable analyses to the endpoint.
Challenges: Performance and usability constraints.
Is there a “best”?
Figure: Source: https://www.av-test.org/en/antivirus/home-windows/

Sandboxing: Enhancing Malware Tracing

Publication
Figure: Link: https://link.springer.com/article/10.1007/s11416-017-0292-8

Software-based Sandbox
Figure: System Architecture. Analysis VMs.

Publication
Figure: Link: https://dl.acm.org/doi/10.1145/3152162

Hardware-based Sandbox
Monitoring Steps
1 Software executes a branch.
2 Processor stores the branch address in a memory page.
3 Processor raises an interrupt.
4 Kernel handles the interrupt.
5 Kernel sends the data to userland.
6 Userland introspects into this data.
Figure: System Architecture.

Key Insight: Branches define basic blocks
Figure: Identified branches and basic blocks.
Figure: CFG Reconstruction.
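The monitoring steps and the key insight above (each branch record the processor stores ends one basic block and starts another) can be turned into a concrete reconstruction. The code below is an added example, not code from the talk or from the BranchMonitoringProject. It assumes that each hardware record is a (source, target) address pair of a taken branch, that execution runs straight-line from one record's target to the next record's source, and that the lengths of the branch instructions are known (a constructed table here, standing in for the userland disassembly step) so that the fall-through successor of a branch that was not taken can be computed. It goes one step beyond the slide by splitting a straight-line run at such not-taken branches, which is what a real trace forces you to do.

```python
from collections import Counter, defaultdict

# Constructed sample trace of *taken* branches as (source, target) address
# pairs: a loop at 0x1010..0x1020 whose back-edge is taken twice and then
# falls through, followed by a call/ret pair and an exit jump.
SAMPLE_TRACE = [
    (0x1008, 0x1010),  # jmp into the loop header
    (0x1020, 0x1010),  # loop back-edge taken (iteration 1 -> 2)
    (0x1020, 0x1010),  # loop back-edge taken (iteration 2 -> 3)
    (0x1028, 0x2000),  # back-edge not taken (no record), then call at 0x1028
    (0x2010, 0x102D),  # ret to the instruction after the call
    (0x1040, 0x3000),  # jmp out of the function
]

# Constructed instruction lengths of the branch instructions above. They are
# needed only to compute the fall-through address of a branch that was not
# taken; in a real system this comes from disassembling the code in userland.
BRANCH_LEN = {0x1008: 2, 0x1020: 2, 0x1028: 5, 0x2010: 1, 0x1040: 5}


def linear_runs(trace):
    """Consecutive records delimit a straight-line run: after branch i lands
    on its target, execution proceeds linearly until the source of branch
    i+1. The run opened by the final record cannot be closed and is dropped."""
    return [(tgt, nxt_src) for (_, tgt), (nxt_src, _) in zip(trace, trace[1:])]


def split_run(run, branch_sources, branch_len):
    """Split a run at every known branch source strictly inside it: such a
    branch executed but was not taken on this pass, so the run really spans
    two blocks joined by a fall-through edge. Returns (start, end) blocks,
    where end is the address of the block's terminating branch."""
    start, end = run
    blocks = []
    for src in sorted(s for s in branch_sources if start <= s < end):
        blocks.append((start, src))
        start = src + branch_len[src]  # fall-through successor address
    blocks.append((start, end))
    return blocks


def reconstruct_cfg(trace, branch_len):
    """Return {'counts': {block: executions}, 'edges': {block_start: {succ_start}}}."""
    branch_sources = {src for src, _ in trace}
    counts = Counter()
    edges = defaultdict(set)
    runs = linear_runs(trace)
    for i, run in enumerate(runs):
        blocks = split_run(run, branch_sources, branch_len)
        for block in blocks:
            counts[block] += 1
        for a, b in zip(blocks, blocks[1:]):  # fall-through edges
            edges[a[0]].add(b[0])
        # Taken-branch edge: the last block of run i ends at the source of
        # record i+1, whose target starts the next block.
        edges[blocks[-1][0]].add(trace[i + 1][1])
    return {"counts": dict(counts), "edges": dict(edges)}


def to_dot(cfg):
    """Render the reconstructed CFG as Graphviz DOT, annotating execution counts."""
    lines = ["digraph cfg {"]
    for (start, end), n in sorted(cfg["counts"].items()):
        lines.append(f'  b{start:x} [label="{start:#x}-{end:#x}\\n{n}x"];')
    for src, succs in sorted(cfg["edges"].items()):
        for dst in sorted(succs):
            lines.append(f"  b{src:x} -> b{dst:x};")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(to_dot(reconstruct_cfg(SAMPLE_TRACE, BRANCH_LEN)))
```

On the constructed trace the loop body 0x1010-0x1020 is recovered with an execution count of 3 and a self-edge, and the third pass is correctly split at the not-taken back-edge into the loop body plus a fall-through block 0x1022-0x1028. Without the split, the block boundaries would depend on how many times the loop happened to iterate, which is exactly the kind of artifact that makes two traces of the same code look different.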

Threat Intelligence: From Tracing to Threat Intelligence

Publications
Figure: Link: https://dl.acm.org/doi/10.1145/3429741
Figure: Link: https://dl.acm.org/doi/10.1145/3339252.3340103

Brazilian Financial Malware on Desktop
Figure: Passive banker malware for Santander bank waiting for the user’s credential input.
Figure: Passive banker malware for Itaú bank waiting for the user’s credential input.

Brazilian Financial Malware on Mobile
Figure: BB’s WhatsApp chatbot.
Figure: Bradesco’s WhatsApp chatbot.

More about Brazilian Malware
Figure: Link: https://www.usenix.org/conference/enigma2021/presentation/botacin

Endpoint Protection: From Threat Intelligence to Endpoint Protection

Publication
Figure: Link: https://www.sciencedirect.com/science/article/pii/S0167404821003242

Drawback: Real-time monitoring performance penalty
Figure: AV Monitoring Performance. Execution time (s) per benchmark (Perl, Xalanc, Gobmk, H264, Namd, Mcf) for three configurations: Filter AV, SSDT AV, No AV.
Figure: In-memory AV scans worst-case and best-case performance penalties. Execution time (s) per benchmark (perl, namd, Bzip, milc, mfc) for Scan vs. Baseline.

Publication
Figure: Link: https://ieeexplore.ieee.org/document/9034972

SMC-Aware Processor
Figure: Sample Profiling.
Figure: System Overview.

Publication
Figure: Link: https://link.springer.com/article/10.1007/s11416-020-00348-w

SMC-Aware Processor
Figure: Modified Cache.
Figure: Modified MMU.

Publication
Figure: Link: https://www.sciencedirect.com/science/article/abs/pii/S0957417422004882

A first idea: Hardware features as signatures
Figure: Two-level branch predictor. A sequence window of taken (1) and not-taken (0) branches is stored in the Global History Register (GHR).
Figure: Branch patterns coverage. Percentage of signature collision in the k-bit space vs. branch pattern length (k = 8, 16, 24, 32, 40 bits).
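The following is an added example, not code from the talk or from the paper it cites. It builds the GHR-style branch-pattern signature described above (the set of k-bit taken/not-taken windows a program produces) and measures how signature collisions between programs shrink as the pattern length k grows, which is the quantity on the "Branch patterns coverage" plot. The branch-outcome histories are constructed, and the collision metric (share of distinct k-bit patterns that appear in the signatures of more than one program) is an assumption about how that percentage is defined, not a definition taken from the paper. The `best_match` routine goes beyond the slide by showing the obvious use of such signatures: matching an unknown history against the known set.

```python
from collections import defaultdict

# Constructed branch-outcome histories (1 = taken, 0 = not taken) for four
# programs, in the order a Global History Register would shift them in.
PROGRAMS = {
    "A": "10" * 40,              # alternating taken / not-taken pattern
    "B": "1" * 60,               # a long always-taken loop
    "C": "110" * 30,             # loop body with two taken, one not-taken
    "D": "10" * 20 + "1" * 40,   # starts like A, then behaves like B
}


def ghr_patterns(outcomes, k):
    """Set of all k-bit GHR contents the outcome sequence produces, i.e. the
    program's branch-pattern signature at pattern length k."""
    return {outcomes[i:i + k] for i in range(len(outcomes) - k + 1)}


def collision_rate(programs, k):
    """Assumed metric: share of distinct k-bit patterns that occur in the
    signatures of more than one program (0.0 = signatures fully separable)."""
    owners = defaultdict(set)
    for name, bits in programs.items():
        for pattern in ghr_patterns(bits, k):
            owners[pattern].add(name)
    if not owners:
        return 0.0
    shared = sum(1 for names in owners.values() if len(names) > 1)
    return shared / len(owners)


def collision_curve(programs, lengths=(8, 16, 24, 32, 40)):
    """The data behind a 'collision vs. pattern length' plot, in percent."""
    return [(k, 100.0 * collision_rate(programs, k)) for k in lengths]


def jaccard(a, b):
    """Set similarity in [0, 1]; 0.0 when both sets are empty."""
    return len(a & b) / len(a | b) if (a | b) else 0.0


def best_match(sample_bits, programs, k):
    """Match an unknown branch history against the known signatures and
    return (program name, Jaccard similarity) of the closest one."""
    sample = ghr_patterns(sample_bits, k)
    scored = [(jaccard(sample, ghr_patterns(bits, k)), name)
              for name, bits in programs.items()]
    score, name = max(scored)
    return name, score


if __name__ == "__main__":
    for k, pct in collision_curve(PROGRAMS):
        print(f"k={k:2d} bits: {pct:5.1f}% of patterns collide")
    print(best_match("110" * 5, PROGRAMS, 8))
```

On the constructed histories the collision rate falls from 25% at k=8 to 15% at k=16 and keeps falling, because the longer the window, the more of a program's own context each pattern carries; program D, which shares a prefix with A and a suffix with B, is the source of every collision, which is the kind of ambiguity a longer GHR window resolves.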

Solutions Availability

Code: The BranchMonitoring Project
Figure: Link: https://github.com/marcusbotacin/BranchMonitoringProject

Service: Corvus Platform
Figure: Link: corvus.inf.ufpr.br
Figure: Corvus’ Threat Intelligence.

Current Research: Malware Decompilation

Publication
Figure: Link: https://dl.acm.org/doi/10.1145/3375894.3375895

Decompilation Execution Example 1
Data Extraction: Debugging with GDB.
Decompilation: Lifting with Python.
Recompilation: Using GCC.

Publication
Figure: Link: https://arxiv.org/abs/2109.06127

Decompilation Execution Example 1
Figure: Malware Source-Code.
Figure: Generated Patch.

Machine Learning: The Latest Trend

Malware Evasion Competition
Figure: Source: mlsec.io
Figure: Source: https://www.microsoft.com/security/blog/2021/07/29/attack-ai-systems-in-machine-learning-evasion-competition/

Adversarial Machine Learning
Figure: Source: https://github.com/marcusbotacin/Talks/tree/master/Waikato

Adversarial Malware
Figure: Dropper Strategy.
Figure: Data Appendix Result.

Challenge Results
Figure: Defenders Challenge.

Challenge Results
Figure: Attackers Challenge.

What’s Next?

Recap & Remarks
Thanks!
Questions? Comments?
@MarcusBotacin
mfbotacin@inf.ufpr.br
mfbotacin@gmail.com
marcusbotacin.github.io
corvus.inf.ufpr.br
More Related Content

Similar to Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022

Análise de malware com suporte de hardware
Análise de malware com suporte de hardwareAnálise de malware com suporte de hardware
Análise de malware com suporte de hardware
Marcus Botacin
 
PyConPL 2017 - with python: security
PyConPL 2017 - with python: securityPyConPL 2017 - with python: security
PyConPL 2017 - with python: security
Piotr Dyba
 
20170412 om patri pres 153pdf
20170412 om patri pres 153pdf20170412 om patri pres 153pdf
Malware analysis and detection using reverse Engineering, Available at: www....
Malware analysis and detection using reverse Engineering,  Available at: www....Malware analysis and detection using reverse Engineering,  Available at: www....
Malware analysis and detection using reverse Engineering, Available at: www....
Research Publish Journals (Publisher)
 
Symbolic Execution of Malicious Software: Countering Sandbox Evasion Techniques
Symbolic Execution of Malicious Software: Countering Sandbox Evasion TechniquesSymbolic Execution of Malicious Software: Countering Sandbox Evasion Techniques
Symbolic Execution of Malicious Software: Countering Sandbox Evasion Techniques
Fabio Rosato
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualization
amiable_indian
 
A theoretical superworm
A theoretical superwormA theoretical superworm
A theoretical superworm
UltraUploader
 
Keith J. Jones, Ph.D. - MALGAZER: AN AUTOMATED MALWARE CLASSIFIER WITH RUNNIN...
Keith J. Jones, Ph.D. - MALGAZER: AN AUTOMATED MALWARE CLASSIFIER WITH RUNNIN...Keith J. Jones, Ph.D. - MALGAZER: AN AUTOMATED MALWARE CLASSIFIER WITH RUNNIN...
Keith J. Jones, Ph.D. - MALGAZER: AN AUTOMATED MALWARE CLASSIFIER WITH RUNNIN...
Keith Jones, PhD
 
INTELLIGENT MALWARE DETECTION USING EXTREME LEARNING MACHINE
INTELLIGENT MALWARE DETECTION USING EXTREME LEARNING MACHINEINTELLIGENT MALWARE DETECTION USING EXTREME LEARNING MACHINE
INTELLIGENT MALWARE DETECTION USING EXTREME LEARNING MACHINE
IRJET Journal
 
IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...
IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...
IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...
IRJET Journal
 
Malware evolution and Endpoint Detection and Response
Malware evolution and Endpoint Detection and Response Malware evolution and Endpoint Detection and Response
Malware evolution and Endpoint Detection and Response
Adrian Guthrie
 
Malware evolution and Endpoint Detection and Response Technology
Malware evolution and Endpoint Detection and Response  TechnologyMalware evolution and Endpoint Detection and Response  Technology
Malware evolution and Endpoint Detection and Response Technology
Adrian Guthrie
 
Software Preservation: challenges and opportunities for reproductibility (Sci...
Software Preservation: challenges and opportunities for reproductibility (Sci...Software Preservation: challenges and opportunities for reproductibility (Sci...
Software Preservation: challenges and opportunities for reproductibility (Sci...
Roberto Di Cosmo
 
ScilabTEC 2015 - Irill
ScilabTEC 2015 - IrillScilabTEC 2015 - Irill
ScilabTEC 2015 - Irill
Scilab
 
Ontologies Ontop Databases
Ontologies Ontop DatabasesOntologies Ontop Databases
Ontologies Ontop Databases
Martín Rezk
 
Tech Report: On the Effectiveness of Malware Protection on Android
Tech Report: On the Effectiveness of Malware Protection on AndroidTech Report: On the Effectiveness of Malware Protection on Android
Tech Report: On the Effectiveness of Malware Protection on Android
Fraunhofer AISEC
 
Battista Biggio @ ICML 2015 - "Is Feature Selection Secure against Training D...
Battista Biggio @ ICML 2015 - "Is Feature Selection Secure against Training D...Battista Biggio @ ICML 2015 - "Is Feature Selection Secure against Training D...
Battista Biggio @ ICML 2015 - "Is Feature Selection Secure against Training D...
Pluribus One
 
H017445260
H017445260H017445260
H017445260
IOSR Journals
 
Dnasec
DnasecDnasec
Dnasec
Zied Houaneb
 
TriggerScope: Towards Detecting Logic Bombs in Android Applications
TriggerScope: Towards Detecting Logic Bombs in Android ApplicationsTriggerScope: Towards Detecting Logic Bombs in Android Applications
TriggerScope: Towards Detecting Logic Bombs in Android Applications
Pietro De Nicolao
 

Similar to Among Viruses, Trojans, and Backdoors:Fighting Malware in 2022 (20)

Análise de malware com suporte de hardware
Análise de malware com suporte de hardwareAnálise de malware com suporte de hardware
Análise de malware com suporte de hardware
 
PyConPL 2017 - with python: security
PyConPL 2017 - with python: securityPyConPL 2017 - with python: security
PyConPL 2017 - with python: security
 
20170412 om patri pres 153pdf
20170412 om patri pres 153pdf20170412 om patri pres 153pdf
20170412 om patri pres 153pdf
 
Malware analysis and detection using reverse Engineering, Available at: www....
Malware analysis and detection using reverse Engineering,  Available at: www....Malware analysis and detection using reverse Engineering,  Available at: www....
Malware analysis and detection using reverse Engineering, Available at: www....
 
Symbolic Execution of Malicious Software: Countering Sandbox Evasion Techniques
Symbolic Execution of Malicious Software: Countering Sandbox Evasion TechniquesSymbolic Execution of Malicious Software: Countering Sandbox Evasion Techniques
Symbolic Execution of Malicious Software: Countering Sandbox Evasion Techniques
 
Network Security Data Visualization
Network Security Data VisualizationNetwork Security Data Visualization
Network Security Data Visualization
 
A theoretical superworm
A theoretical superwormA theoretical superworm
A theoretical superworm
 
Keith J. Jones, Ph.D. - MALGAZER: AN AUTOMATED MALWARE CLASSIFIER WITH RUNNIN...
Keith J. Jones, Ph.D. - MALGAZER: AN AUTOMATED MALWARE CLASSIFIER WITH RUNNIN...Keith J. Jones, Ph.D. - MALGAZER: AN AUTOMATED MALWARE CLASSIFIER WITH RUNNIN...
Keith J. Jones, Ph.D. - MALGAZER: AN AUTOMATED MALWARE CLASSIFIER WITH RUNNIN...
 
INTELLIGENT MALWARE DETECTION USING EXTREME LEARNING MACHINE
INTELLIGENT MALWARE DETECTION USING EXTREME LEARNING MACHINEINTELLIGENT MALWARE DETECTION USING EXTREME LEARNING MACHINE
INTELLIGENT MALWARE DETECTION USING EXTREME LEARNING MACHINE
 
IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...
IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...
IRJET- Zombie - Venomous File: Analysis using Legitimate Signature for Securi...
 
Malware evolution and Endpoint Detection and Response
Malware evolution and Endpoint Detection and Response Malware evolution and Endpoint Detection and Response
Malware evolution and Endpoint Detection and Response
 
Malware evolution and Endpoint Detection and Response Technology
Malware evolution and Endpoint Detection and Response  TechnologyMalware evolution and Endpoint Detection and Response  Technology
Malware evolution and Endpoint Detection and Response Technology
 
Software Preservation: challenges and opportunities for reproductibility (Sci...
Software Preservation: challenges and opportunities for reproductibility (Sci...Software Preservation: challenges and opportunities for reproductibility (Sci...
Software Preservation: challenges and opportunities for reproductibility (Sci...
 
ScilabTEC 2015 - Irill
ScilabTEC 2015 - IrillScilabTEC 2015 - Irill
ScilabTEC 2015 - Irill
 
Ontologies Ontop Databases
Ontologies Ontop DatabasesOntologies Ontop Databases
Ontologies Ontop Databases
 
Tech Report: On the Effectiveness of Malware Protection on Android
Tech Report: On the Effectiveness of Malware Protection on AndroidTech Report: On the Effectiveness of Malware Protection on Android
Tech Report: On the Effectiveness of Malware Protection on Android
 
Battista Biggio @ ICML 2015 - "Is Feature Selection Secure against Training D...
Battista Biggio @ ICML 2015 - "Is Feature Selection Secure against Training D...Battista Biggio @ ICML 2015 - "Is Feature Selection Secure against Training D...
Battista Biggio @ ICML 2015 - "Is Feature Selection Secure against Training D...
 
H017445260
H017445260H017445260
H017445260
 
Dnasec
DnasecDnasec
Dnasec
 
TriggerScope: Towards Detecting Logic Bombs in Android Applications
TriggerScope: Towards Detecting Logic Bombs in Android ApplicationsTriggerScope: Towards Detecting Logic Bombs in Android Applications
TriggerScope: Towards Detecting Logic Bombs in Android Applications
 

More from Marcus Botacin

Machine Learning by Examples - Marcus Botacin - TAMU 2024
Machine Learning by Examples - Marcus Botacin - TAMU 2024Machine Learning by Examples - Marcus Botacin - TAMU 2024
Machine Learning by Examples - Marcus Botacin - TAMU 2024
Marcus Botacin
 
Near-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless MalwareNear-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless Malware
Marcus Botacin
 
GPThreats-3: Is Automated Malware Generation a Threat?
GPThreats-3: Is Automated Malware Generation a Threat?GPThreats-3: Is Automated Malware Generation a Threat?
GPThreats-3: Is Automated Malware Generation a Threat?
Marcus Botacin
 
[HackInTheBOx] All You Always Wanted to Know About Antiviruses
[HackInTheBOx] All You Always Wanted to Know About Antiviruses[HackInTheBOx] All You Always Wanted to Know About Antiviruses
[HackInTheBOx] All You Always Wanted to Know About Antiviruses
Marcus Botacin
 
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change![Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
Marcus Botacin
 
Hardware-accelerated security monitoring
Hardware-accelerated security monitoringHardware-accelerated security monitoring
Hardware-accelerated security monitoring
Marcus Botacin
 
Extraindo Caracterı́sticas de Arquivos Binários Executáveis
Extraindo Caracterı́sticas de Arquivos Binários ExecutáveisExtraindo Caracterı́sticas de Arquivos Binários Executáveis
Extraindo Caracterı́sticas de Arquivos Binários Executáveis
Marcus Botacin
 
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
Marcus Botacin
 
Near-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless MalwareNear-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless Malware
Marcus Botacin
 
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
Does Your Threat Model Consider Country and Culture? A Case Study of Brazilia...
Marcus Botacin
 
Integridade, confidencialidade, disponibilidade, ransomware
Integridade, confidencialidade, disponibilidade, ransomwareIntegridade, confidencialidade, disponibilidade, ransomware
Integridade, confidencialidade, disponibilidade, ransomware
Marcus Botacin
 
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...
An Empirical Study on the Blocking of HTTP and DNS Requests at Providers Leve...
Marcus Botacin
 
UMLsec
UMLsecUMLsec
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...
The Internet Banking [in]Security Spiral: Past, Present, and Future of Online...
Marcus Botacin
 
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?
Análise do Malware Ativo na Internet Brasileira: 4 anos depois. O que mudou?
Marcus Botacin
 
Towards Malware Decompilation and Reassembly
Towards Malware Decompilation and ReassemblyTowards Malware Decompilation and Reassembly
Towards Malware Decompilation and Reassembly
Marcus Botacin
 
Reverse Engineering Course
Reverse Engineering CourseReverse Engineering Course
Reverse Engineering Course
Marcus Botacin
 
Malware Variants Identification in Practice
Malware Variants Identification in PracticeMalware Variants Identification in Practice
Malware Variants Identification in Practice
Marcus Botacin
 
Machine Learning for Malware Detection: Beyond Accuracy Rates
Machine Learning for Malware Detection: Beyond Accuracy RatesMachine Learning for Malware Detection: Beyond Accuracy Rates
Machine Learning for Malware Detection: Beyond Accuracy Rates
Marcus Botacin
 
The AV says: Your Hardware Definitions were Updated!
The AV says: Your Hardware Definitions were Updated!The AV says: Your Hardware Definitions were Updated!
The AV says: Your Hardware Definitions were Updated!
Marcus Botacin
 

More from Marcus Botacin (20)

Machine Learning by Examples - Marcus Botacin - TAMU 2024
Machine Learning by Examples - Marcus Botacin - TAMU 2024Machine Learning by Examples - Marcus Botacin - TAMU 2024
Machine Learning by Examples - Marcus Botacin - TAMU 2024
 
Near-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless MalwareNear-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless Malware
 
GPThreats-3: Is Automated Malware Generation a Threat?
GPThreats-3: Is Automated Malware Generation a Threat?GPThreats-3: Is Automated Malware Generation a Threat?
GPThreats-3: Is Automated Malware Generation a Threat?
 
[HackInTheBOx] All You Always Wanted to Know About Antiviruses
[HackInTheBOx] All You Always Wanted to Know About Antiviruses[HackInTheBOx] All You Always Wanted to Know About Antiviruses
[HackInTheBOx] All You Always Wanted to Know About Antiviruses
 
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change![Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
[Usenix Enigma\ Why Is Our Security Research Failing? Five Practices to Change!
 
Hardware-accelerated security monitoring
Hardware-accelerated security monitoringHardware-accelerated security monitoring
Hardware-accelerated security monitoring
 
Extraindo Caracterı́sticas de Arquivos Binários Executáveis
Extraindo Caracterı́sticas de Arquivos Binários ExecutáveisExtraindo Caracterı́sticas de Arquivos Binários Executáveis
Extraindo Caracterı́sticas de Arquivos Binários Executáveis
 
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
All You Need to Know to Win a Cybersecurity Adversarial Machine Learning Comp...
 
Near-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless MalwareNear-memory & In-Memory Detection of Fileless Malware
Near-memory & In-Memory Detection of Fileless Malware
 