Maximize Computer Security With Limited Resources (Secunia)
Presentation from Stefan Frei on how patches are an effective method to escape the arms race with cybercriminals. The majority of vulnerabilities have patches ready on the day of disclosure, which means that the right patch strategy is evident to maximize risk reduction.
This white paper examines why having multiple anti-virus scanners at mail server level substantially reduces the chance of virus infection and explores ways in which this can be achieved.
VIRTUAL MACHINES DETECTION METHODS USING IP TIMESTAMPS PATTERN CHARACTERISTIC (ijcsit)
Virtual machines (VMs) are underlying technologies of IT solutions such as cloud computing. VMs provide ease of use through their on-demand characteristics and provide huge benefits in terms of lowering costs and improving scalability. VMs are also being used as malware detection systems, and with the rapidly expanding usage of mobile devices, besides their usage as honeypots, VMs are coming to be used as emulators for detecting malware in apps. This is due to the limited resources, such as processing power, available in mobile devices. Currently, the security of applications for mobile devices is checked by running them in VM environments before they are released to the end user. We argue that such a process may cause or overlook serious security threats to the end user. In particular, if a piece of malware can detect its current running environment, it may change its behavior such that it doesn't perform malicious operations in environments it suspects to be emulators. In this way, when the malware detects that its running environment is a VM, it may be able to hide from the security system on the VM. This is a potential security hazard for end users, especially users of mobile devices. In this paper, we present a VM detection method that we argue could be used for remotely detecting VM environments. The detection method works by analyzing the pattern of IP timestamps in replies sent from the target environment. The method does not require any installation of software on the target machine, which further increases its potential harm if it were to be used by malware to detect VM environments. In this paper, we also present a technique to disguise a real PC machine such that it shows IP timestamp patterns similar to those of a VM. By using this technique, malware may not be able to differentiate between a real machine and a VM, thus providing protection to PC end users.
Benny Czarny, CEO at OPSWAT, presents at an OPSWAT Cyber Security Seminar in DC on February 9th. This presentation covers the benefits of multi-scanning and how organizations can receive protection from both known and unknown threats through leveraging OPSWAT's technology.
Using Multiple Antivirus Engine Scanning to Protect Critical Infrastructure (OPSWAT)
Tony Berning, Senior Product Manager at OPSWAT, gave a talk on Securing Critical Infrastructure, using multiple anti-malware engines and other methods, to an audience of academic researchers, operators of power plants and other workers in critical infrastructure. The presentation introduced the basics of multi-scanning and the benefits of utilizing multiple anti-malware engines to scan files. The presentation also covered topics related to defining and setting appropriate security policies for various user groups and outlining common security architectures.
Virus detection based on virus throttle technology (Ahmed Muzammil)
In the Internet age, virus epidemics are getting worse than before, making networks slow, computers slow, suspending mission-critical operations and so on.
In this paper, a new technique for virus detection based on virus throttle technology is presented. This technique allows detecting attacks on networks within seconds of a possible virus infection.
The special feature of this technology is that its virus detection algorithm is based on the network behavior of the virus and not on identification of virus code. So it is possible to detect even unknown viruses without any signature updates.
This presentation explains firewalls, viruses and antivirus software. I hope this presentation may help you in understanding viruses, firewalls and antivirus software.
Assessing the Effectiveness of Antivirus Solutions (Imperva)
How good is antivirus? How should enterprises invest in endpoint protection? Imperva collected and analyzed more than 80 previously non-cataloged viruses against more than 40 antivirus solutions. This report details our findings.
Integrated Feature Extraction Approach Towards Detection of Polymorphic Malwa... (CSCJournals)
Some malware are sophisticated with polymorphic techniques such as self-mutation and emulation based analysis evasion. Most anti-malware techniques are overwhelmed by the polymorphic malware threats that self-mutate with different variants at every attack. This research aims to contribute to the detection of malicious codes, especially polymorphic malware by utilizing advanced static and advanced dynamic analyses for extraction of more informative key features of a malware through code analysis, memory analysis and behavioral analysis. Correlation based feature selection algorithm will be used to transform features; i.e. filtering and selecting optimal and relevant features. A machine learning technique called K-Nearest Neighbor (K-NN) will be used for classification and detection of polymorphic malware. Evaluation of results will be based on the following measurement metrics-True Positive Rate (TPR), False Positive Rate (FPR) and the overall detection accuracy of experiments.
The True Cost of Anti-Virus: How to Ensure More Effective and Efficient Endp... (Lumension)
Today, more than 1.6 million new malware signatures are identified each month. And more organizations are falling prey to "zero-day" attacks - malware for which an anti-virus signature does not exist. It’s no surprise that roughly half of the organizations surveyed in a 2010 Ponemon Institute study reported an increase in their IT operating expenses - a main driver of that cost increase was malware. Traditional anti-virus simply can't keep up in the malware arms race and relying on it as your primary defense will prove costly.
In this webcast, Paul Henry, security and forensics expert, and Chris Merritt, Director of Solution Marketing with Lumension, will examine:
* The true cost of anti-virus in terms of PC performance, network bandwidth, IT helpdesk costs, prevention of malware and more
* Why application whitelisting is a better approach to defend against rising targeted attacks
* How application whitelisting has evolved to provide a new level of intelligence that delivers more effective security and necessary flexibility to improve productivity - in even rapidly changing endpoint environments
Automated Sample Processing
Schon Brenner (Engineering Software Development Team Lead), Dmitry Gryaznov (Sr. Research Architect), Joel Spurlock (Virus Research Lead)
McAfee AVERT, USA
Abstract
Long gone are the days when the number of viruses, trojans and other malware was counted in dozens, hundreds, even in thousands. A few years ago the number of known unique pieces of malware exceeded 100,000, and everybody stopped keeping the exact count.
These days up to 10,000 pieces of malware are added to the McAfee malware collection, and their detection and removal to McAfee products, in a single month. When it comes to the malware analysis workload in the same month, the 10,000 are the tip of the iceberg of all the processed samples. There are numerous sources of samples for malware analysis: customer submissions, malware patrols, honeypots, Web trawlers, and last but not least, malware collections from other antivirus vendors and researchers.
All those sources amount to well over 100,000 samples awaiting processing in an average month. Of course, it would be simply impossible to process them all manually.
This paper offers a "behind the scenes" view of the McAfee AVERT automation. The automation consists of several logical pieces: source analysis (prioritization, geographical analysis, denial of service protection, etc), sample elimination, static and behavioral analysis, and content generation (malware descriptions, malware definitions, system training, etc). As part of sample processing and system training, researchers interact with the automation to increase its processing capabilities.
The Problem
About ten years ago some computer antivirus researchers started worrying about a possible malware "glut" problem. That is, a sustained situation when new viruses, trojans, other malware and variants are appearing faster than the antivirus industry can handle. At that time the total number of all known viruses, trojans, etc. was about 10,000 and it was growing at a rate of several thousand a year (see Figure 1). An average antivirus researcher can fully process 8-10 new malware samples per day. That includes analyzing each sample using tools like unpackers, disassemblers, debuggers, etc.; running each sample in a controlled environment on a dedicated physical or virtual computer; if the sample proves to be malicious, creating and testing detection and removal routines for the malware; and optionally creating and publishing a description for the malware. Not a small job to do in less than an hour.
Figure 1 Growth in Malware 1988-1998
From 1996 to 1997 the number of known viruses and trojans grew by about 6,000 in one year, or by about 23 a day. An antivirus company back then had 3-5 antivirus researchers, who often spent their time not only processing samples but also reverse engineering and supporting new file formats, unpackers, archivers, and often worked as antivirus engine developers as well. Thus, it is hardly surprising that some antivirus companies found themselves at the limits of their sample processing capacity. Improvements in antivirus technologies (e.g. heuristic and generic detection and removal) and growth of the antivirus companies helped to alleviate the problem.
Today we count the total number of all known malware in hundreds of thousands and routinely see thousands of new malware threats appearing in a single month. During the year 2005 over 55,000 (see Figure 2) new malware samples were added to the McAfee AVERT Labs malware collection. That means over 210 samples per day, which, at the processing rate of 8-10 samples per antivirus researcher, requires 20-25 researchers doing nothing but full-time sample analysis and processing. In reality, these numbers are just the tip of the iceberg of samples. For each sample eventually classified as malware and added to the internal malware collection, there are many more samples that had to be processed. Some of them appeared to be not malicious, some were corrupted, some were duplicate samples of the same malware, and so on.
Figure 2 Samples added to McAfee AVERT malware collection 1999 - 2005
Let's look at the sources of samples coming to McAfee AVERT Labs. First, there are direct submissions of samples to AVERT from customers, sometimes from malware authors and from malware itself (e.g. a mass-mailing virus). These days AVERT routinely receives 10,000-15,000 such submissions a week.
Then, there are malware collections from other antivirus companies. It was realized long ago that in order to succeed in the business of protecting customers from malware, antivirus companies must share samples of new malware with each other, despite being competitors on the market. These samples have been shared mostly on a monthly basis and are generally known as "monthly collections". Ten years ago a typical monthly collection contained several hundred samples, was several megabytes in size when archived and could be distributed via E-mail even over a dial-up modem connection. Today a single monthly collection contains thousands or tens of thousands of samples, is hundreds of megabytes or even several gigabytes in size, and takes several hours to download over a broadband Internet connection. In an average month McAfee AVERT receives over 100,000 samples in monthly collections from about 20 other antivirus companies.
Since this means several thousand new malware samples a day, some of which may be fairly urgent, many antivirus companies, as well as other antimalware entities, started sharing new samples on a daily basis, the so-called "daily collections". There are also other sources of frequent sample submissions that fall into this category, for example services like VirusTotal, organizations like CERT, etc. On an average day in September 2006 McAfee AVERT received 2,000-3,000 samples in daily collections.
Yet another source of potentially malicious samples is active monitoring of different networks like Usenet, Internet Relay Chat (IRC), peer-to-peer file sharing and so on, known as AVERT Virus Patrols. Virus Patrols deal with many thousands of samples on an average day.
Altogether, the above listed sources amount to several hundred thousand samples in an average month, or tens of thousands of samples on an average day. Processing all those samples manually would require hundreds if not thousands of malware researchers, which is, of course, infeasible in the real world. In reality, the overwhelming majority of these thousands of samples is processed by means of automation.
The Solution
The nature of research at a general level is quite sequential. A long list of discrete tasks can be executed in predictable ways, which makes researchers' lives significantly repetitive. These repetitive tasks are the first candidates for automation. Since 1998 McAfee Avert has been employing automation to automate the most repetitive aspects of sample analysis. As time progressed and additional tasks were identified, automation was enhanced to not only provide sample analysis but also automated resolution and response to customers. With the automation systems of present, McAfee Avert is at most able to close approximately 90% of all samples, leaving the remaining 10% to be handled manually by McAfee Avert researchers. While 10% doesn't seem like an egregious number, as time has progressed and the growth of malware has accelerated in both volume and complexity, this remaining percentage has become intolerable for both existing and future research staff.
If the rate of malware growth remained constant, further refinements of automated malware analysis would be sufficient; however, in reality, with malware growth accelerating in volume and complexity, combatant automation must in turn also grow with equal or greater potency. In order to meet this objective the automation of present must provide data to assist researchers in identifying relationships among the data, as well as providing a means by which researchers can develop and extend automation to automate future discrete and repeatable tasks in real time; or, in other words, a system to teach, a system to learn from.
Figure 3 Flow diagram of human / automation system (Human Research and Automated Research: the researcher develops new analysis and remediation capabilities and consumes automated analysis and remediation results; the automation consumes the new capabilities of analysis and remediation and produces automated analysis and remediation results)
Figure 3 describes the flow by which a researcher can both use the system to automate their work as well as educate the system to provide new and enhanced analysis and remediation capabilities. Furthermore, a researcher can enhance the system to provide data that would highlight, prove or disprove theories that would further their capabilities as a researcher.
Automating the research
While the automation system can be extended to teach and learn from, at any given point in time its capabilities are static and are centered on a process of sample analysis and remediation. While there are many discrete tasks, the automation can be broken down into several separate high level stages:
■ Triage
■ Examination
■ Observation
■ Diagnosis
■ Resolution
Before automation progresses from one stage to the next, it attempts to diagnose the inquiry to a resolution. If the diagnosis is definitive then one or many solutions can be provided and a response is given to the client. If at the end of all stages a definitive diagnosis cannot be found, escalation to researchers is required to assist automation in finding a diagnosis.
AVAR 2006 - Auckland
Figure 4 Inquiry / Response flow (Inquiry -> Triage [1:N symptoms, 1:N samples, known clean?, known dirty?, last seen?, priority?] -> enough info? -> Examination [looks like, competitors, suspicious attr.] -> enough info? -> Observation [replicate, emulate, disassembly] -> Diagnosis [innocent / PUP / malware / unknown; definitive?] -> Resolution [VIL description, solution, driver, add to known clean / dirty] -> Response [question, 1:N]; a non-definitive diagnosis leads to Escalation and researcher notification)
Inquiry / Response
Clients interface with automation through an inquiry and response mechanism. For every inquiry that a client has, the client can provide a description of the problems or symptoms that they are experiencing as well as submitting one or many samples (including but not limited only to files). Additionally, once a diagnosis can be made, either by automation or human, a response is generated and delivered to the client.
Triage
The intent of this stage is to identify what we know about the sample in order to prioritize the inquiry. In some cases being able to identify the sample can beget an immediate diagnosis and resolution of the inquiry. If a diagnosis can't be made then the inquiry will be queued for examination.
■ Known status is determined first, by comparing the samples to a set of known clean files through a hashing mechanism (md5, etc). The known set of clean files can be updated through partner programs,
■ Sample attributes discovery
■ Sample dissection (unpacking)
■ Competitor detections
■ Looks like (string / byte comparison to known databases)
When the sample is being inspected, the goal is to determine as much information as possible through static sample evaluation. During this process new information can be discovered through unpacking of samples, extraction of scripts from html, decryption of code or scripts. Some of this information can actually be considered samples as well.
A sample attribute is a key-value pair, such as current scan detections, file type, file version info, packer information, high level language, captured resources or various checksums on portions of the sample.
Competitor detections are interesting in many ways. Although they are not used as a sole means of detection, they provide supporting information for classification algorithms. If a sample is automatically classified as a Trojan, and competitors detect it, escalation to researchers can occur in order to validate the automated conclusion. Likewise, competitor information can be used to reinforce an automated conclusion.
"Looks like" is a complex evaluation process which considers packer type, comparison of resources, strings and specific byte sequences to known databases of samples (both clean and dirty). The history databases used in the "Looks like" process are sorted by classification, file type, and other attributes. They can contain information
adding binaries from trusted sources, or through
about all of the samples previously evaluated and as such
manual analysis. Secondly, the sample can be com-
are very large. Filtering is done using the attributes such
pared to the known set of known dirty files again
as type, size, etc, as well as competitor information.
added through similar mechanism as the clean set.
Observation
■ Prioritization is determined through a combination
of identifying a samples origin as well as its known If a diagnosis through examination has still not been
status. This prioritization is then use the through achieved, then the behavior of the sample should be eval-
out the system. uated. Sample behavior is evaluated to determine ‘what
does the sample do’. This can be done by evaluating the
■ Severity can also be determined through a combi- functions or byte sequences of the sample, emulating the
nation of sample origin and priority. This is also execution of the sample, or replicating the sample in a
used throughout the system. physical or virtual environment.
Examination From the behavior, specific features of the sample can be
If triage is not capable of diagnosis and resolution then determined. API analysis or execution traces can be used
examination is required. From an automated perspective to automatically determine that a sample connects to an
IRC server, sends an email, reads user stored password in-
the examination process considers the following:
formation, etc. Disassembly analysis can determine code
sequences which exist that indicate behaviors. Exploit code, code for writing to explorer memory, and code for downloading files are examples of this.

Any sample replication or emulation system should make some effort to emulate resources to encourage the sample to exhibit more behavior. These environments provide different network services (IRC, SMTP, etc), AV binaries for process termination, and installed software. Using common or more vulnerable platforms / software is important. Windows XP, Windows 2000 Server, and Office 2000 with no patches or service releases are generally more vulnerable.

As a function of evaluating the sample behavior, new samples can be discovered (dropped or downloaded files, urls, etc).

Diagnosis

Diagnosis is primarily achieved through classification of the sample or samples analyzed by the system. Classifying a sample is defined as automation making an assertion about the sample. The assertion can be ‘clean’ or ‘trojan’, or ‘virus’, etc. After each step, classification can be attempted. If enough data has been captured in order to classify a sample, or the sample has been seen before and a previous classification can be used, then automation can proceed to generating a resolution. If not enough data is available to make an assertion, then the sample will continue being evaluated. When all work on the sample and any discovered samples is complete, and enough information to classify is not available, then an ‘unknown’ classification is selected as a default.

Innocent Files

Automatically classifying files as clean can be dangerous. If a virus or trojan is incorrectly identified as a clean sample by an automated system, then the solution provided will corrupt the integrity of the virus definitions as well as erode customer confidence. Classification of samples as ‘innocent’ must therefore be reviewed by a human. There are three ways to classify innocent files. First, the sample can be identified as a junk file. These are generally text or log files which meet some stringent criteria, or some heavily corrupted PE file. Secondly, the sample can be identified as an innocent file. This can be done through a combination of string / byte analysis, comparison to history databases, and behavior analysis. Usually the file will be compiled in specific ways, have appropriate version information, be signed in some way, not be packed, etc. Finally, a false can be identified as a combination of competitor and signature scans. For example, if a scan detection occurs and no competitors detect, it is possible that the detection of the sample is a false.

Trojan / Virus

Trojans and viruses are the easiest samples to classify in an automated sense. Trojans and viruses tend towards the more egregious activities, so it is easier to make some determination. In the simplest terms, this sample does something that is deemed ‘malicious’, therefore it is a trojan, virus, etc. This is most evident through behavioral evaluation, but can also be discovered during file inspection. Examples may include file infection, downloading or dropping of known dirty files, installation of rootkits, and containing exploit code sequences.

Automated algorithms can identify ‘this is a virus mass mailer’ fairly easily. It is more difficult to classify a Trojan or virus by name and family. A historical comparison or predictive algorithms must be utilized. The algorithm must be able to determine that the sample is a ‘bagle’ mass mailer and not a ‘netsky’ mass mailer. This information is gathered during the “Looks like” sample inspection, and can be reinforced with competitor information.

Potentially Unwanted Programs (PUP)

Classifying a sample as a potentially unwanted program can be done based on several factors. There are some distinctions that can be made about PUPs which separate them from more benign Trojans. These ‘positive’ attributes can include: installers, a license agreement, uninstallers, a website, signed binaries, and some user interface (toolbar component, dialog, etc).

PUPs will not have overtly malicious activities, but questionable activities. This separates them from innocent files or other legitimate applications. These can include displaying advertisements out of the context of the main application window, sending personal information, redirecting search criteria, modifying the start page, etc.

It is the presence of the positive attributes in combination with the questionable activities that allows for automatic detection of PUPs. As with viruses and Trojans, historical comparison (or “Looks like”) can be used to specify a name, and competitor information can be used to reinforce the classification.

Guilt by Association

During the sample inspection phase and the replication phase, new samples can be discovered which also need analysis. Each new sample gets processed recursively through inspection, evaluation, and classification.
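The classification rules of the Diagnosis sections above, including the recursive guilt-by-association step just introduced, as an added Python example that is not the paper's or McAfee Avert's code. The sample records, the attribute and activity labels, and the drop / download relations are constructed; which behaviours count as malicious or questionable and which attributes as PUP "positives" follow the lists in the text, and clean verdicts are flagged for human review as the text requires.

```python
"""Diagnosis by classification, with guilt by association over the samples a
sample drops or downloads.

Added example, not the paper's code. Sample records, labels and relations are
constructed; the rule sets mirror the lists given in the text.
"""
from dataclasses import dataclass, field

MALICIOUS = {"file_infection", "drops_known_dirty", "installs_rootkit", "exploit_code"}
QUESTIONABLE = {"out_of_context_ads", "sends_personal_info",
                "redirects_search", "modifies_start_page"}
PUP_POSITIVE = {"installer", "license_agreement", "uninstaller",
                "website", "signed", "user_interface"}


@dataclass
class Sample:
    name: str
    attributes: set = field(default_factory=set)    # from static inspection
    activities: set = field(default_factory=set)    # from behavioural observation
    downloads: list = field(default_factory=list)   # names of samples it fetched
    drops: list = field(default_factory=list)       # names of samples it wrote out
    junk: bool = False                              # text/log file or corrupt PE


def classify_alone(s):
    """Assertion from the sample's own evidence: (label, needs_human_review)."""
    if s.junk:
        return "innocent", True
    if s.activities & MALICIOUS:
        return "trojan", False
    if s.attributes & PUP_POSITIVE and s.activities & QUESTIONABLE:
        return "pup", False
    looks_legitimate = ({"signed", "version_info"} <= s.attributes
                        and "packed" not in s.attributes
                        and not s.activities & (MALICIOUS | QUESTIONABLE))
    if looks_legitimate:
        return "innocent", True      # clean verdicts are always human-reviewed
    return "unknown", False


def classify_all(samples):
    """Classify every sample, then propagate verdicts along drop / download
    edges until nothing changes; whatever is still unknown stays unknown."""
    verdicts = {n: classify_alone(s) for n, s in samples.items()}
    changed = True
    while changed:
        changed = False
        for n, s in samples.items():
            if verdicts[n][0] != "unknown":
                continue
            fetched = [verdicts.get(c, ("unknown",))[0] for c in s.downloads]
            if any(label.startswith("trojan") for label in fetched):
                verdicts[n], changed = ("trojan downloader", False), True
                continue
            dropped = [verdicts.get(c, ("unknown",))[0] for c in s.drops]
            if any(label.startswith("trojan") for label in dropped):
                verdicts[n], changed = ("trojan dropper", False), True
            elif any(label.startswith("pup") for label in dropped):
                verdicts[n], changed = ("pup installer", False), True
    labels = {n: v[0] for n, v in verdicts.items()}
    review = {n for n, v in verdicts.items() if v[1]}
    return labels, review


# Constructed inquiry: a downloader chain, a PUP installer, two clean-looking
# files and one sample with no evidence at all.
SAMPLES = {
    "loader.exe": Sample("loader.exe", attributes={"packed"}, downloads=["dropper.exe"]),
    "dropper.exe": Sample("dropper.exe", attributes={"packed"}, drops=["payload.exe"]),
    "payload.exe": Sample("payload.exe", activities={"installs_rootkit"}),
    "toolbar_setup.exe": Sample("toolbar_setup.exe",
                                attributes={"installer", "license_agreement"},
                                drops=["toolbar.dll"]),
    "toolbar.dll": Sample("toolbar.dll", attributes={"user_interface", "signed"},
                          activities={"out_of_context_ads"}),
    "notepad_copy.exe": Sample("notepad_copy.exe", attributes={"signed", "version_info"}),
    "readme.txt": Sample("readme.txt", junk=True),
    "mystery.exe": Sample("mystery.exe", attributes={"packed"}),
}
```

The loop matters because `loader.exe` is listed before `dropper.exe`: on the first pass the dropper is still unknown, so the loader is only classified on the second pass, once the dropper has inherited the payload's verdict.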
Through evaluation of the new samples, yet more information can be discovered (and so on). Grouping these together and relating them allows for classification of more samples than just evaluating the single sample. Some simple examples:

■ File downloads another file, which is classified as a trojan. The first file is a ‘Trojan Downloader’.

■ File drops another file, which is classified as a PUP. The first file can then be classified as a dropper or installer of the PUP.

Unknown

The Unknown classification is a catch-all. In effect, it means that the automated system is unable to make a determination and will require a human to participate in the classification process.

Resolution

The solution which is generated depends on the source of the sample, its prevalence, its classification, and what work has already been completed. Solutions cannot be generated unless a classification has been determined. Solutions can include public or private descriptions of the sample behavior, generating detection and repair, adding the sample information to a known clean or known dirty database, or responding to the submitter. Most of the solutions are self explanatory. The automatic generation of signatures to detect and repair has caveats which beg further explanation.

Generating automated detection for a sample carries a level of risk. Detecting a sample incorrectly can lead to falses (e.g. hitting on packer code), or inefficient detection which will bloat malware signatures. Additionally, if a sample is parasitically infected by some virus, automatic generation is not safe, and the task of generating detection and repair must be performed by a human.

The vast majority of samples which will require signature generation are some new packed or encrypted version of a sample which has been evaluated before. Generating detection for packed samples can be done with minimal risk using a data driven generation technique. A safe method of detection is selected based on the attributes detected in the sample inspection. For example, a UPX packed file will have detection generated in one specific way versus a Morphine encrypted file.

Generating signatures for unpacked files is also possible but carries with it some level of risk. These detections are inherently generic, and usually based on string sequences or resource signatures in the sample. The correct string or resource can be extracted from the sample and compared to a database of known information in order to minimize the chance of creating a false positive.

Generating repair is done by evaluating the sample behavior and providing instructions in the signature to reverse the effects on the system. Care must be taken to only remove effects that the sample caused where the previous value is known or a safe default can be selected. Removal can include tasks from removing or editing a registry key to modifying the network stack to remove a layered service provider.

Methods of generation have different risk levels which can be evaluated over time. Some methods, like strings, will almost always require a human to validate before committing the signature to the definitions. Each method of generating a signature can be trusted over time, removing the human from the validation loop. Methods to generate signatures based on packed data inherently carry less risk than generic signature generation methods.

Automation Teach Thyself

As a function of sample inspection, behavioral evaluation, classifying samples, creating solutions, and interacting with humans, large amounts of data are constantly being generated. This can include detection names for samples, hashes for clean samples, strings and resources to add to historical databases, or API traces. Each one of these pieces of data is placed in various data stores, which can then be called upon when processing the next sample. Additionally, algorithms can make use of this constantly updated data in order to come to a diagnosis. If a new sample is processed, it may provide some piece of correlating information that will cause other samples to then be classified. Researchers can also update or create new algorithms to utilize this data, as well as create new data gathering methods and processes. In this way, automation can teach itself by discerning conclusions and generating data to be correlated for the next sample.

Cost Benefit Analysis

While automation provides a means by which to distill an inquiry to a resolution, it still suffers from the same rudimentary bottlenecks that researchers face with sample analysis. That is, the costs associated with multi-processing (handling simultaneous related or non-related inquiries at a time) and intensive recursive, aggregate and/or search algorithms in order to form some concrete diagnosis, albeit at a much higher bound.
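The Resolution section above, as an added Python example that is not the paper's own generator: a detection-generation method is chosen from the packer found at inspection, carrying the human validation flag the text describes for untrusted (string-based) methods and the refusal to auto-generate for parasitically infected files, and repair instructions reverse only those effects whose previous value is known or for which a safe default exists, deferring the rest to a human. The method table, risk scores, safe-default table and the observed effects are constructed.

```python
"""Resolution: pick a detection-generation method by risk, and build repair
instructions that only reverse effects whose prior state is known.

Added example, not the paper's code. The method table, risk scores, the
safe-default table and the observed effects below are constructed.
"""

# Assumed method table keyed by the packer found at inspection. 'trusted' records
# whether the method has earned its way out of the human validation loop.
GENERATION_METHODS = {
    "UPX": {"method": "packed-data", "risk": 0.1, "trusted": True},
    "Morphine": {"method": "decryptor-stub", "risk": 0.2, "trusted": True},
    None: {"method": "generic-strings", "risk": 0.7, "trusted": False},
}

# Constructed safe defaults for values a sample may have overwritten.
SAFE_DEFAULTS = {
    r"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page": "about:blank",
}


def plan_detection(classification, packer=None, parasitic=False):
    """Decide how detection is generated and whether a human must validate it."""
    if classification == "unknown":
        raise ValueError("solutions cannot be generated without a classification")
    if parasitic:
        # A parasitically infected host file is never auto-generated.
        return {"method": "manual", "risk": None, "requires_human": True}
    m = GENERATION_METHODS.get(packer, GENERATION_METHODS[None])
    return {"method": m["method"], "risk": m["risk"], "requires_human": not m["trusted"]}


def plan_repair(effects):
    """Turn observed effects into reverse instructions.

    effects: dicts with 'kind' (file_create, reg_create, reg_set, lsp_install),
    'target', and for modifications the 'previous' value if observation captured it.
    Returns (instructions, deferred); deferred effects need a human.
    """
    instructions, deferred = [], []
    for e in effects:
        kind, target, previous = e["kind"], e["target"], e.get("previous")
        if kind == "file_create":
            instructions.append(("delete_file", target))
        elif kind == "reg_create":
            instructions.append(("reg_delete", target))     # nothing existed before
        elif kind == "reg_set":
            if previous is not None:
                instructions.append(("reg_set", target, previous))
            elif target in SAFE_DEFAULTS:
                instructions.append(("reg_set", target, SAFE_DEFAULTS[target]))
            else:
                deferred.append(e)       # previous value unknown, no safe default
        elif kind == "lsp_install":
            # Re-linking the LSP chain safely needs the original chain to be known.
            if previous:
                instructions.append(("lsp_remove", target, previous))
            else:
                deferred.append(e)
        else:
            deferred.append(e)
    return instructions, deferred


# Constructed observation record for one sample.
OBSERVED_EFFECTS = [
    {"kind": "file_create", "target": r"C:\WINDOWS\system32\svch0st.exe"},
    {"kind": "reg_create",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\svch0st"},
    {"kind": "reg_set",
     "target": r"HKCU\Software\Microsoft\Internet Explorer\Main\Start Page",
     "previous": None},
    {"kind": "reg_set",
     "target": r"HKCU\Software\Microsoft\Internet Explorer\Main\Search Page",
     "previous": "http://www.example.invalid/search"},
    {"kind": "reg_set", "target": r"HKCU\Software\Example\Setting", "previous": None},
    {"kind": "lsp_install", "target": "adware_lsp.dll", "previous": None},
]
```

Of the six constructed effects, four become instructions (the created file and key are simply removed, the start page falls back to its safe default, the search page is restored to its captured previous value); the remaining registry value and the LSP entry have no known prior state and are deferred.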
[Figure 5: chart with x-axis stages Received, Triage, Examination, Observation. Left axis “Pending Diagnosis” (share of received samples still undiagnosed), data labels in stage order: 100.00%, 26.56%, 11.78%, 2.40%. Right axis “Diagnosis Cost (min)”, logarithmic ticks 0.00% to 100.00%, data labels in stage order: 0.00%, 0.01%, 0.18%, 100.00%.]

Figure 5 Estimative analysis of sample volume vs. completion time.
Figure 1.6 depicts an estimative analysis of sample volume (Pending Diagnosis) vs. completion time (Diagnosis Cost) per stage as samples progress through the malware analysis and remediation process.

On average, McAfee Avert receives 2067 samples from the field a day. As samples progress through the triage stage, samples are filtered, prioritized and diagnosed in a matter of milliseconds based on the hash of the sample and other previous diagnoses, reducing the volume of samples requiring further analysis by 73%. The remaining 27% then progress through the examination stage where samples are scanned with a set of AV scanners and tools in a matter of seconds / minutes, further diagnosing 44% of the remaining samples, leaving 12% to be handled by the Observation stage.

During the observation stage samples are monitored for behavior and the results are analyzed to diagnose another 20% of the remaining samples; however, this stage is the most expensive and takes upward of 15 minutes to complete.

Overall, the process eliminates 97% of all samples received by McAfee Avert, leaving only the remainder to humans to diagnose manually.

With the current inflow of samples, the fleet of researchers required to manually process this load is calculated in the hundreds; however, with the benefit of the malware analysis and remediation process, the number of researchers required by McAfee Avert is approximately 50-75, a much more tolerable number.
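The stage funnel behind these figures, as an added Python example that is not from the paper. The pending-diagnosis shares are the data labels of Figure 5 and the 2067 samples per day is the figure given in the text; the per-sample stage costs are assumptions chosen inside the ranges the text gives (milliseconds for triage, seconds to minutes for examination, up to 15 minutes for observation), so the machine-minutes column is illustrative while the volume columns follow from the page's own numbers.

```python
"""Stage funnel model for the cost-benefit figures.

Added example, not the paper's code. Pending shares are the Figure 5 data
labels and the daily count is from the text; per-stage costs are assumed.
"""

DAILY_SAMPLES = 2067
PENDING_SHARE = [("Received", 1.0), ("Triage", 0.2656),
                 ("Examination", 0.1178), ("Observation", 0.0240)]
# Assumed cost per sample entering each stage, in minutes.
STAGE_COST_MIN = {"Triage": 0.1 / 60, "Examination": 30 / 60, "Observation": 15.0}


def funnel(daily=DAILY_SAMPLES, shares=PENDING_SHARE, cost=STAGE_COST_MIN):
    """Per stage: samples entering, diagnosed there, still pending, machine minutes."""
    rows = []
    entering_share = 1.0
    for stage, pending_share in shares:
        entering = daily * entering_share
        pending = daily * pending_share
        rows.append({
            "stage": stage,
            "entering": round(entering, 1),
            "diagnosed_here": round(entering - pending, 1),
            "pending": round(pending, 1),
            "machine_minutes": round(entering * cost.get(stage, 0.0), 1),
        })
        entering_share = pending_share       # survivors enter the next stage
    return rows


def summary(rows):
    """Overall elimination rate and the residual manual load per day."""
    last = rows[-1]
    return {
        "eliminated_fraction": round(1 - last["pending"] / rows[0]["entering"], 3),
        "manual_per_day": last["pending"],
        "machine_minutes_per_day": round(sum(r["machine_minutes"] for r in rows), 1),
    }
```

With the Figure 5 shares, about 50 of the 2067 daily samples reach a human, which is the 97.6% elimination the text rounds to 97%; changing a stage's cost or pass-through share in the two tables shows how the residual load and the machine time trade off.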