
Malware Analysis

We are tackling several problems related to malware. Being able to track the origin of a piece of malware is one of the current open problems; automating 0-day detection and malware attribution are, to name just two more, equally important.

Malware analysis is complicated by anti-forensic techniques, which must be met by continuously designing new counter-techniques. Indicators of Compromise need to be collected intelligently and graphed so that malware investigations can proceed independently of the malware's complexity, with graphs that expand automatically. We have developed a solution in collaboration with VirusTotal and published the code on GitHub in the context of the SAVE project.

At the same time, binary code similarity needs to be computed effectively and efficiently in order to correlate similar behaviours across petabytes of malware code. One of our efforts towards this objective is the design of a new fuzzy hash function that is efficient and recognizes code functionality. A preliminary implementation has been published in collaboration with VirusTotal in [1], and its code can be seen on GitHub.
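As an added illustration of what a similarity-preserving digest buys an analyst (this is not NICS Lab's fuzzy hash function nor the code published with VirusTotal), the toy context-triggered piecewise hash below, in the spirit of ssdeep, splits its input at content-defined boundaries and compares digests by edit distance, so a local edit to a sample barely moves the score while an unrelated file scores near zero. The block size, window size and the three sample inputs are assumptions constructed for the example.

```python
import hashlib

BLOCK = 8      # assumed average chunk length targeted by the rolling-hash trigger
WINDOW = 7     # bytes of local context that decide where a chunk boundary falls
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def fuzzy_hash(data: bytes) -> str:
    """One digest character per content-defined chunk of `data`."""
    digest, start, window = [], 0, []
    for i, b in enumerate(data):
        window.append(b)
        if len(window) > WINDOW:
            window.pop(0)
        # the boundary decision depends only on the last WINDOW bytes, never on the
        # offset, so an insertion shifts offsets but leaves later boundaries in place
        rolling = sum(window) * 31 + len(window)
        if rolling % BLOCK == BLOCK - 1 or i == len(data) - 1:
            chunk = data[start:i + 1]
            digest.append(ALPHABET[hashlib.sha256(chunk).digest()[0] % 64])
            start = i + 1
    return "".join(digest)

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to compare two digests chunk by chunk."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(h1: str, h2: str) -> float:
    """Score in [0, 1]: 1.0 for identical digests, close to 0 for unrelated inputs."""
    longest = max(len(h1), len(h2))
    return 1.0 if longest == 0 else 1.0 - levenshtein(h1, h2) / longest

def compare(a: bytes, b: bytes) -> float:
    return similarity(fuzzy_hash(a), fuzzy_hash(b))

# Constructed inputs: two variants of the same code and one unrelated file.
SAMPLE_A = (b"mov eax, [ebp+8]; push eax; call CreateFileA; test eax, eax; jz fail; "
            b"mov ebx, eax; push 0; push offset buf; push 256; push ebx; call ReadFile; ") * 4
SAMPLE_B = SAMPLE_A.replace(b"test eax, eax;", b"test eax, eax; nop;", 1)   # one local insertion
SAMPLE_C = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\nUser-Agent: curl/7.0\r\n"
            b"Accept: */*\r\nConnection: close\r\n\r\n") * 5
```

A cryptographic hash of SAMPLE_A and SAMPLE_B would differ completely; here the digests share all chunks outside the edited region.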

Malware-driven Honeypots

Ransomware has grown considerably, with the potential to attack every business worldwide. Infections via e-mail, phishing and botnet nodes remain the most commonly used methods to compromise computers in the business environment. As a consequence, one of the biggest concerns today is how to respond effectively to malware dissemination campaigns. Honeypot systems are designed to capture attacks by simulating real services and/or applications. They employ deception techniques that try to satisfy the attacker's demands, providing valid responses to service requests and apparently accepting the modifications the attacker wants to make on the system.

There are two main scenarios commonly used for deploying honeypots: i) replicating live services of the production environment and ii) research environments. The efforts in NICS Lab focus on the second scenario, where the goal is to show a configuration of honeypots that enables attacks to be captured so that the new techniques used can later be analysed. The main issue when designing this type of solution is the lack of information prior to the attack. Currently, there are principally two approaches to the problem: (a) studying only specific scenarios (web servers, SSH/Telnet protocols, etc.), and (b) implementing specialized trap systems for a reduced set of malware families (e.g. Mirai). However, new malware attacking these honeypots will not necessarily activate all stages of the attack, because some requirement it checks for is not fulfilled. In order to solve part of these problems, the Hogney architecture [2] is proposed for the deployment of malware-driven honeypots. This new concept refers to honeypots that have been dynamically configured according to the environment expected by malware. The adaptation mechanism designed here is built on services that offer up-to-date and relevant intelligence information on current threats. Thus, the Hogney architecture takes advantage of recent Indicators of Compromise (IOC) and information about suspicious activity currently being studied by analysts. The information gathered from these services is then used to adapt honeypots to fulfill malware requirements, inviting them to unleash their full strength. In addition, in [1] a methodology to deploy relevant honeypots in IoT environments is proposed.
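To show the shape of the adaptation mechanism in code, the following added example (not the Hogney implementation from [2]) turns a constructed feed of threat-intelligence records into the profile of services and banners a honeypot should expose, discarding stale records and letting the most-demanded banner claim each port. The record fields, the ranking rule and the sample values are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed feed records; the field names are assumptions, not a real intel-service schema.
# Each record lists the environment a sample probed for before it would continue its attack.
INTEL = [
    {"family": "mirai-variant", "seen": "2018-06-01T10:00:00",
     "requires": [{"port": 23, "banner": "BusyBox v1.2"}, {"port": 80, "banner": "httpd"}]},
    {"family": "mirai-variant", "seen": "2018-06-01T14:30:00",
     "requires": [{"port": 23, "banner": "BusyBox v1.2"}]},
    {"family": "telnet-bot", "seen": "2018-05-20T08:00:00",
     "requires": [{"port": 23, "banner": "BusyBox v1.0"}]},
    {"family": "old-ssh-worm", "seen": "2018-03-01T09:00:00",
     "requires": [{"port": 22, "banner": "SSH-2.0-OpenSSH_5.3"}]},
    {"family": "smb-scanner", "seen": "2018-05-31T23:00:00",
     "requires": [{"port": 445, "banner": "Windows 7"}]},
]

def build_profile(records, now_iso, max_age_days=30, max_services=3):
    """Count how many recent samples demand each (port, banner) pair and return the
    services the honeypot should expose: one banner per port, most-demanded first."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=max_age_days)
    votes = defaultdict(int)
    for rec in records:
        if datetime.fromisoformat(rec["seen"]) < cutoff:
            continue                          # stale intel: the campaign has likely moved on
        for req in rec["requires"]:
            votes[(req["port"], req["banner"])] += 1
    profile = {}
    # sorted() is stable, so equal counts keep feed order; the top banner claims its port
    for (port, banner), _count in sorted(votes.items(), key=lambda kv: -kv[1]):
        if port not in profile and len(profile) < max_services:
            profile[port] = banner
    return profile

if __name__ == "__main__":
    print(build_profile(INTEL, "2018-06-02T00:00:00"))
```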

Technical Resources: Malware Analysis lab

NICS Lab has one laboratory isolated from the rest of the University of Malaga, used for the development of prototypes and for security tests of those projects and research works with other teams that are subject to confidentiality requirements. NICS Lab has diverse malware and forensic tools and computing resources that help to fulfill these tasks, such as reverse engineering, virtualized execution of malware, digital evidence recovery and analysis, and memory, hard disk and network traffic forensics. For this purpose, NICS Lab has top quality software tools like IDA Pro, EnCase Forensic Deluxe and AccessData Forensic Toolkit. We also have a wide set of development kits for analysing wireless communications, operating in different frequencies and covering protocols like ZigBee, Bluetooth Low Energy, 6LoWPAN, RFID and NFC, as well as SDR transceivers, together with tools for analysing serial communications, Modbus, RS-232, USB and Ethernet.

All these tools and resources are also used to build new use cases for training professionals in various specialization courses.

References

  1. Antonio Acien, Ana Nieto, Gerardo Fernandez and Javier Lopez (2018): A comprehensive methodology for deploying IoT honeypots. In: 15th International Conference on Trust, Privacy and Security in Digital Business (TrustBus 2018), pp. 229–243, Springer Nature Switzerland AG, Regensburg (Germany), 2018.
  2. Gerardo Fernandez, Ana Nieto and Javier Lopez (2017): Modeling Malware-driven Honeypots. In: 14th International Conference on Trust, Privacy & Security in Digital Business (TrustBus 2017), pp. 130–144, Springer International Publishing, Lyon (France), 2017, ISBN: 978-3-319-64482-0.