Best Papers Competition
By: Javier Cusicanqui and Sebastian Barrera
ABSTRACT: Malware variants continue to be a real and present danger threat to ubiquitous interconnection hardware and software network environments. The daily amount of malware propagation and prevalence continues to increase at an alarming incalculable rate. To address and counters the effects malware variants may have on infected system or networks, security experts and malware analyst must tackle the daunting task of analyzing malware malicious code to generate malware signatures, address infected systems by determinate malicious code functionality and capacity. Manual malware analysis requires an intensive amount of labor and time to effectively analyze malware’s malicious code—such an approach is not feasible to keep up with an ever-increasing malware variant development and growth. Thus, in this paper, we propose a python-driven automated analysis process that would reduce the number of man-hours required to perform manual malware analysis and reduce the number of human errors that may be encounter during manual malware analysis. We will also demonstrate how to use Python to automate the transfer, execution and inspection of malware in virtual environments such as VirtualBox and VMWare.
By: Maria Alfonso, Hector Beltran, Jonathan Nunez, Marcelo Triana and Obed Ruiz
ABSTRACT: Many (if not most) organizations have some form of perimeter protection that restricts access to their inner-network machines from the internet. A reverse shell program circumvents the firewall filters and lines of defense by forcing a target-system to connect to an attacking-system that is outside the organization’s network. Reverse shells covertly create a discrete channel that allows the attacker to target specific machines, users, and data to scan internal networks, install network sniffers, collect sensitive user information, etc. Using an open-source framework like Metasploit, the attacker can inject payloads (directed data-packets sent over the internet) into the target machine through the linked channel. With a plethora of payloads that perform numerous functions, a reverse shell becomes a bridge of countless, unique methods of control. The attacker’s objective is (in one way or another) to export sensitive, internal data to an external source. A creative way of performing such an attack is through a ‘rubber ducky’ – a disguised, USB keystroke injection tool that can drop payloads on unsuspecting machines upon USB-port insertion. A cost-effective and efficient implementation of the rubber ducky is using an Arduino-like board device because of its low-profile nature, low-price, and features that entry-level and advanced-users can adapt to. Our team’s project focused on programming a Digispark ATiny85 (cheaper development-board than its comparable, Arduino Nano) device to insert a TCP reverse-shell on a target machine, which allowed Metasploit to insert malicious payloads onto the victim. We observed and analyzed which methods would result in a greater reward vs. risk to achieve the attacker’s respective goals.
By: Alain Alzuri, David Andrade, Yadelis Nunez Escobar and Brian Zamora
ABSTRACT: This project is aimed at researching and discussing the rise of a new class of malware known as fileless malware and what defensive strategies can be used to mitigate it. Fileless malware is a class of malware that runs entirely in memory and is designed to leave as small of a footprint on the target host as possible. This makes it so that traditional signature and heuristic-based detection and analysis platforms perform extremely poorly when attempting to detect this kind of infection. By reviewing reports by industry leaders such as Rapid7, The Ponemon Institute and Carbon Black this project will examine the history of fileless malware, how this kind of infection operates, growth projections for the future, as well as explore possible methods for detection, analysis and mitigation. By better understanding this new threat we will be able to clear up some misconceptions and identify certain characteristics that belong to this class of malware. This will allow for more robust detection and analysis platforms to be developed to better address this new challenge.
By: Kyle Denney, Cengiz Kayguzus and Julian Zuluaga
ABSTRACT: In modern computing, a program must utilize the operating system in order to run. To do so, the program must use system calls. These system calls provide the means for the
program to access resources on the system (e.g., input/output, memory, etc.). Malicious programs, or malware, must also use these system calls in order to function. Due to this, we can develop
techniques to analyze the system calls used by a program in order to determine if it is malicious or benign. In this paper, we survey the methodologies used to analyze system calls for malware detection. We first examine the methods to collect system calls in varying operating systems. Then, we survey the techniques used to analyze system calls. After discussing the techniques, we briefly discuss methods where malware can thwart system call tracing techniques and how one can counter these thwarting attempts. We conclude this paper by discussing where future work is needed on these three topics.