malware_analysis

Differences

This shows you the differences between two versions of the page.

malware_analysis [2017/06/22 01:52]
fabio.massacci@unitn.it
malware_analysis [2021/01/29 10:58] (current)
Line 14: Line 14:
 ==== TestREx (A Testbed for Repeatable Exploits) ==== ==== TestREx (A Testbed for Repeatable Exploits) ====
  
-In our {{https://​www.usenix.org/​system/​files/​conference/​cset14/​cset14-paper-dashevskyi.pdf|PDF}} presented at //USENIX CSET'​14//​ we have presented **TestREx**,​ a testbed for repeatable exploits which can pack and run applications with their environments,​ inject exploits and monitor their success; and generate security reports. In 2016 the TestREx process has also been the object of a [[https://​www.google.com/​patents/​US2016031430|US patent]] by SAP AG .+In our {{https://​www.usenix.org/​system/​files/​conference/​cset14/​cset14-paper-dashevskyi.pdf|paper}} presented at //USENIX CSET'​14//​ we have presented **TestREx**,​ a testbed for repeatable exploits which can pack and run applications with their environments,​ inject exploits and monitor their success; and generate security reports. In 2016 the TestREx process has also been the object of a [[https://​www.google.com/​patents/​US20160314302|US patent]] by SAP AG .
  
  
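Review bot: the patent identifier fix looks right: the old value US2016031430 has only ten digits after "US", whereas US20160314302 has the eleven-digit form (four-digit year plus seven-digit serial) used for US patent application publication numbers, so the old link would not have resolved to the intended document; please confirm the new URL resolves. Two wording issues on the same line survive the change: "In our paper presented at USENIX CSET'14 we have presented TestREx" repeats "presented" (suggest "we introduced TestREx"), and there is a stray space before the final period in "by SAP AG .".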
Line 51: Line 51:
 ==== The MalwareLab ==== ==== The MalwareLab ====
  
-Exploit Kits are attack tools traded in the [[security_economics|black markets for cybercrime]] that are responsible for hundred of millions of system infections worldwide. We have infiltrated and are currently monitoring among the most important black markets in the cybercrime scenario (the result of the analysis is reported further down). As part of our investigations,​ we were gathered more than 40 Exploit Kits leaked from the markets. After a thorough technical analysis of their capabilities and characteristics ({{:​kotov_massacci_anatomy_of_exploit_kits_wp.pdf|see "​Anatomy of Exploit Kits: Preliminary Analysis of Exploit Kits as Software Artefacts."​}}),​ we started **testing them**.+Exploit Kits are attack tools traded in the [[security_economics|black markets for cybercrime]] that are responsible for hundred of millions of system infections worldwide. We have infiltrated and are currently monitoring among the most important black markets in the cybercrime scenario (the result of the analysis is reported further down). As part of our investigations,​ we were gathered more than 40 Exploit Kits leaked from the markets. After a thorough technical analysis of their capabilities and characteristics ({{:​kotov_massacci_anatomy_of_exploit_kits_wp.pdf|see "​Anatomy of Exploit Kits: Preliminary Analysis of Exploit Kits as Software Artefacts."​}} ​below), we started **testing them**.
  
-The goal of this experimental approach is to estimate exploit kits capabilities in terms of infection potential and returned value for the attacker. In order to do that we are simulating **traffic** coming to the Exploit Kits and measuring metrics such as infection rates of kits.+The goal of this experimental approach ​presented in our {{:​cset-13.pdf|paper}} at //USENIX CSET'​13// ​is to estimate exploit kits capabilities in terms of infection potential and returned value for the attacker. ​ 
 + 
 +In order to do that we are simulating **traffic** coming to the Exploit Kits and measuring metrics such as infection rates of kits.
 To this aim we are randomly generating plausible machine configurations spanning from 2006 to 2013, in moving windows of two years, and testing them against our Exploit Kits. A sample example is given in the Figure at the bottom. Configurations are installed (with windows calculated on release dates) on the following operative systems: To this aim we are randomly generating plausible machine configurations spanning from 2006 to 2013, in moving windows of two years, and testing them against our Exploit Kits. A sample example is given in the Figure at the bottom. Configurations are installed (with windows calculated on release dates) on the following operative systems:
   * Windows XP{{ :​random-conf.png?​550|}}   * Windows XP{{ :​random-conf.png?​550|}}
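Review bot: two grammatical errors on the first changed line are carried over unchanged into the new revision: "responsible for hundred of millions of system infections" should read "hundreds of millions", and "we were gathered more than 40 Exploit Kits" should read "we gathered" (or "we have gathered"); since this hunk already edits that paragraph, it is the place to fix them. The added "below" after the "Anatomy of Exploit Kits" link is consistent with the ESSoS section further down, which links the same PDF, so that cross-reference is fine. Splitting "In order to do that ..." into its own paragraph reads well, but the trailing whitespace left after "for the attacker." in the new version should be dropped.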
Line 86: Line 88:
 Over the past couple of years a number of private exploit kit source codes leaked in public. We identified information for more than 70 exploit kits and out of those we were able to successfully download and deploy 33 instances of 24 web malware families (such as Crimepack, Eleonore and Fragus). ​ Over the past couple of years a number of private exploit kit source codes leaked in public. We identified information for more than 70 exploit kits and out of those we were able to successfully download and deploy 33 instances of 24 web malware families (such as Crimepack, Eleonore and Fragus). ​
  
-In our paper at published in //​ESSOS'​15// we pursued the following goals:+In our {{:​kotov_massacci_anatomy_of_exploit_kits_wp.pdf|paper}}  ​at published in //​ESSOS'​13// we pursued the following goals:
  
-  * Study the functional aspects of exploit kits and offer a taxonomy for the routines implemented in them;+  * Study the functional aspects of exploit kits and offer a taxonomy for the routines implemented in them;
   * Classify the exploit delivery mechanisms;   * Classify the exploit delivery mechanisms;
   * Uncover web crawler evasion techniques that are used by exploit kits.   * Uncover web crawler evasion techniques that are used by exploit kits.
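Review bot: "In our paper  at published in //ESSOS'13//" keeps the stray "at" from the old text and now has a double space before it; suggest "In our paper, published at //ESSOS'13//, we pursued". The venue year is also changed from '15 to '13 in this hunk, a citation detail that cannot be checked from the diff itself; the newly linked file is the same working-paper PDF cited in the MalwareLab section above, so please verify the year against that PDF before accepting the revision so the two sections stay consistent. The bullet-list lines are otherwise unchanged apart from whitespace.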
malware_analysis.1498089168.txt.gz · Last modified: 2021/01/29 10:58 (external edit)