Malicious Streams is dedicated to expanding the industry's capabilities in digital defense through fundamental and applied research in the areas of evolutionary protection mechanisms, incident response, and digital forensics capabilities for emerging technologies. Additionally, Malicious Streams offers an array of services to apply cutting-edge research to solve some of the most challenging problems in the cyber security space.
With the rise of modern artificial intelligence systems, AI has moved from a curiosity to a powerful system for analyzing and controlling our world. We have seen great gains because of this technology in fields such as transportation, health care, financial industries, manufacturing, retail and national defense. Research in this area includes understanding new attack vectors such as AI poisoning, auditing and protecting artificial intelligence systems, and digital forensics of artificial neural networks.
In our connected world, computing platforms are no longer restricted to traditional workstations and servers. Today, computing power is being embedded in everything from industrial systems and robotics to consumer electronics. This advancement in technology greatly improves the capabilities of these technologies but also has the affect of greatly increasing the digital attack surface and complexity of incident response. To compound this issue, these technologies have an escalating level of control over our physical world creating a potential for physical threat in addition to the traditional cyber-related scenarios. Research in this area is focused on defining the processes and building the tools needed to provide digital forensics and response capabilities for these emerging platforms.
Malware has become a common component to most modern intrusions. Confirming a system is infected or finding the attacker-‐planted backdoor can be a daunting task. To compound the situation, attackers are taking steps to actively evade traditional detection mechanisms. The foundations laid in this paper begin to develop an alternate and supplementary approach for identifying malware through detecting anomalies in the low‐level attributes of malicious files. Over 2.5 million malicious samples were analyzed and compared with a control set of non-malicious files to develop the indicators presented.
Today malware circulates in mass volume. New samples appear at a rate of thousands per day. In order to keep pace and manage this analysis demand two key needs emerge: automation and organization. This paper seeks to lay the foundation for a basic Malware Zoo that will provide a framework for both.
Malware has moved to the forefront of the information security landscape. Malicious software is involved in nearly every major data breach. While host-based anti-malware products are a must, they are not getting the job done entirely. The flood of ever changing malware continues to flow over the walls of protection and into our systems. Once malicious files have embedded themselves, the challenge falls on the incident responders and forensics experts to identify, contain, and eradicate these threats. This article will explore ways to discover malware by identifying suspicious filesystem locations most commonly used by malware.
As far back as 2001 (Peachy Worm) we have seen cyber criminals utilize embedded malicious scripts and other dynamic PDF features to install malware and steal user credentials. While the goals and technical payloads of these PDFs have changed over the years, the pattern for creating a malicious PDF remains largely unchanged.
The need to persist tools and infections between reboots is critical for the cyber criminal. In the Microsoft Windows world, we have an established body of knowledge and tools for determining programs set to launch at startup. This same level of maturity does not exist for the Mac OS X platform. Even though details of OS X’s startup systems have been widely published, there is a lack of dissemination of this information within the Forensics community. Further, there exists a gap in open source tools to aid in the compilation of OS X startup items. The intent of this article is to explore the startup mechanisms of OS X and to introduce a basic tool to help with the examination of Mac OS X systems.
The popularity of social networking sites such as MySpace and Facebook has sky rocketed in recent years. Today nearly everyone has a profile and established friends lists that are used to keep tabs on your two hundred closest friends. For most, the motive behind these sites lies somewhere between a genuine interest in keeping in touch with friends and family to keeping up with the latest gossip. This popularity hasn't gone unnoticed to the malcode authors. To these authors, social engineering is a key tactic used to get their wares installed on unsuspecting victims. Social networking sites make socially engineering victims almost too easy.
When analyzing a recent sample of koobface, I came across the following snippet.
At first glance it was easy to see that the names of some very common libraries/functions were split across multiple strings followed by an indirect call to LoadLibrary. Simple to see from manual inspection but most automated tools would blow past without identification. A simple but effective anti-analysis technique.
OS X Puper.A by most accounts has been the most popular Mac OS X malware in the past 18 months. What is most fascinating is how little sophistication is involved in this threat and yet how it continues to be a viable threat for the Mac platform. Read the analysis report for details.
© 2017 MALICIOUS STREAMS