Oct 04 2012

Malware creators are continually looking for new methods to evade malware detection engines. A popular evasion method is based on malicious code obfuscation that changes the syntax of the code while preserving its execution semantics. If the malware signature relies on the syntactic features of the malicious code, it can be evaded by obfuscation techniques. In this paper, we propose a novel approach to the development of evasion-resistant malware signatures. The idea is that the signature is based on the malware’s execution profile extracted from the OS kernel data structure objects rather than on syntactic information. As a result, the signature is more resistant to malware obfuscation techniques and is more resilient in detecting malicious code variants.

To evaluate the effectiveness of the proposed approach, a prototype signature generation tool called SigGENE was developed. The effectiveness of signatures generated by SigGENE was evaluated using an experimental rootkit-simulation tool that employs obfuscation techniques commonly found in rootkits. In further experiments, different syntactic variants of the same real-world malware were used to verify the real-world applicability of the proposed approach. The experiments show that the proposed approach is effective not only in generating signatures that detect malware and its variants, but also in producing execution profiles that can be used to characterize different malicious attacks.

Paper [Evasion-Resistant Malware Signature Based on Profiling Kernel Data Structure Objects].

Oct 04 2012

Many existing methods of forensic malware analysis rely on the investigators’ practical experience rather than hard science. This paper presents a formal (i.e. based on mathematics) approach to reconstructing activities of a malicious executable found in a victim’s system during a post-mortem analysis. The behavior of the suspect executable is modeled as a finite state automaton where each state represents behavior that results in an observable modification to the victim’s system. The derived model of the malicious code allows for accurate reasoning and deduction of the occurrence of malicious activities even when anti-forensic methods are employed to disrupt the investigation process.

Paper [Towards Automated Forensic Event Reconstruction of Malicious Code].

Poster [Automated Forensic Event Reconstruction of Malicious Code].

Oct 04 2012

When a malware outbreak happens in an organization, one of the main questions that needs to be investigated is how the malware got in. Answering this question is important in order to identify and close the exploited technical and/or human vulnerabilities. This paper proposes a method for malware intrusion path reconstruction in a network of computers running Microsoft Windows. The method is based on the analysis of Windows Restore Points from the compromised computers. The idea is that malware infection traces from different computers can be correlated in time to identify the progress of the malware through the network and to identify the likely initial point of infection.

A simulated case study is given that demonstrates the viability of the proposed attack path reconstruction technique.
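The time correlation described above, as an added illustration that is not the paper's own tool: each host's restore points are scanned for the first snapshot containing the malware artifact, which bounds the infection time between the last clean snapshot and the first infected one; hosts are then ordered by that bound, and pairs whose windows overlap are flagged because their order cannot be settled from restore points alone. Host names, timestamps and the `has_malware_trace` flag are constructed sample data.

```python
# Added example: correlate malware traces in Windows Restore Points across hosts.
from dataclasses import dataclass
from datetime import datetime

@dataclass
class RestorePoint:
    host: str
    created: datetime          # restore point creation time
    has_malware_trace: bool    # artifact (file/registry key) present in the snapshot

# Constructed sample: three hosts, each with a sequence of restore points.
SAMPLE = [
    RestorePoint("WS-FIN-01", datetime(2012, 9, 3, 9, 0), False),
    RestorePoint("WS-FIN-01", datetime(2012, 9, 5, 9, 0), True),
    RestorePoint("WS-FIN-01", datetime(2012, 9, 7, 9, 0), True),
    RestorePoint("WS-HR-02", datetime(2012, 9, 4, 8, 0), False),
    RestorePoint("WS-HR-02", datetime(2012, 9, 6, 8, 0), False),
    RestorePoint("WS-HR-02", datetime(2012, 9, 8, 8, 0), True),
    RestorePoint("SRV-FILE-01", datetime(2012, 9, 2, 1, 0), False),
    RestorePoint("SRV-FILE-01", datetime(2012, 9, 4, 1, 0), True),
]

def infection_windows(points):
    """Per host: (last_clean, first_infected) snapshot times.
    last_clean is None when the trace is already in the earliest snapshot."""
    by_host = {}
    for rp in sorted(points, key=lambda r: r.created):
        by_host.setdefault(rp.host, []).append(rp)
    windows = {}
    for host, rps in by_host.items():
        last_clean = None
        for rp in rps:
            if rp.has_malware_trace:
                windows[host] = (last_clean, rp.created)
                break
            last_clean = rp.created
    return windows

def reconstruct_path(points):
    """Hosts ordered by the first snapshot showing the trace; the first
    entry is the likely initial point of infection."""
    wins = infection_windows(points)
    return sorted(wins, key=lambda h: wins[h][1])

def ambiguous_pairs(points):
    """Host pairs whose infection windows overlap: their relative order is not
    decidable from restore points alone and needs other artifacts."""
    wins = infection_windows(points)
    hosts = reconstruct_path(points)
    out = []
    for i, a in enumerate(hosts):
        for b in hosts[i + 1:]:
            a_lo = wins[a][0] or datetime.min
            b_lo = wins[b][0] or datetime.min
            if a_lo < wins[b][1] and b_lo < wins[a][1]:
                out.append((a, b))
    return out
```

On the sample data the file server is the likely entry point, but its window overlaps the finance workstation's, so that ordering should be confirmed with other evidence (event logs, prefetch, mail headers).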

Paper [A Novel Methodology for Malware Intrusion Attack Path Reconstruction].

Oct 04 2012

This post is on behalf of one of our students, Ms. Jacky Fox. Given below is the archive that contains her MSc dissertation and the Bash scripts she wrote to extract and correlate Windows registry artifacts. During her research she discovered that recent versions of Microsoft Windows introduced subtle changes to forensic interpretation of Windows registry keys, including UserAssist and the keys related to USB devices. Modern forensic literature and tools do not reflect these changes – hence this post.

Oct 03 2012

Last week Joshua and I gave an invited talk about digital forensics at InfoSecurity Russia 2012. The slides of the talk are here: Slides of DigitalFIRE Talk at InfoSecurity Russia 2012

Our talk explored the issues of digital forensics in the cloud environment. The first part of the talk introduced the concepts of cyber crime investigations and the challenges faced by digital forensic practitioners. The second part of the talk explored investigative difficulties posed by cloud computing. A possible approach to dealing with some of these difficulties based on the I-STRIDE model was outlined.