MEDS - Hybrid OSDFCon 2021 - OSDFCon

Slide 1
MEDS: Malware Evolution Discovery System
Slide 2
Agenda
● Personal Background
● Mobile Malware
  ○ Geographical Mobile Markets
● Intro to Android and the APK package
● MEDS (Malware Evolution Discovery System)
  ○ Creating Phylogenetic (Lineage) Trees
  ○ Predicting Generativeness
● Summary/Future Work
Slide 3
whoami
● Antonio Cesar Vargas
  ○ M.Sc., John Jay College of Criminal Justice
    ■ Digital Forensics and Cybersecurity
  ○ B.Sc., Queens College
    ■ Computer Science
  ○ Interests
    ■ Python
    ■ Malware
    ■ Memory Forensics
Slide 4
2014: 10th Birthday of Mobile Malware
Slide 5
Mobile Malware
● Android
  ○ Preferred by Malware Creators
  ○ Dominant Mobile Platform
● Threats
  ○ Ransomware, botnets, personal/financial information theft
Slide 6
Tenth Anniversary of Mobile Malware
● 2004
  ○ Symbian OS
    ■ Cabir, Trojan.Mos, Skulls
● 2006
  ○ Cross-Platform Mobile Malware (Symbian and BlackBerry)
    ■ Redbrowser, FlexiSpy
Slide 7
Tenth Anniversary of Mobile Malware
● 2010
  ○ Cross-Platform Mobile Malware (Symbian and Android)
    ■ ZeusMitmo
● 2011
  ○ Android
    ■ Geinimi, RootCager
Slide 8
Why are mobile devices attractive?

Slide 9
Life Companion

Slide 10
Dependence on Mobile Devices
● Business Purposes
● Everyday Needs

Slide 11
Something for everyone!!
● Cybercriminals
  ○ Data Theft
  ○ Botnet Activity
  ○ Personal/Financial Information Theft
● Government Entities
  ○ Surveillance
  ○ Tactical Operations
Slide 12
Most Malware is not 'new'
● Repacks
● Incremental Updates
● Business Model
  ○ Malware Headquarters
    ■ Startup Business
  ○ Governmental Intrusion and Remote Monitoring Solutions
    ■ Gamma International - FinFisher Suite
Slide 13
Malware HQ (Industrial Business)
● Dragon Lady Investigation
  ○ Lookout

Slide 14
Dragon Lady Findings
● Android Malware HQ
  ○ Startup
  ○ Organized
● Constant Releases of Malware Families
  ○ Agile Approach
● Affiliate Marketers
  ○ Distribution
  ○ Customization
Slide 15
Why is this important?
● Mobile Malware Visibility
  ○ Specific Geographical Regions (China and Russia)
    ■ Third Party App Stores

Slide 16
New Internet Citizens
● Experience the Internet through a mobile phone
● Third World Countries
Slide 17
North America

Slide 18
Malware Preferred Mobile Platform

Slide 19
Malware Preferred Mobile Platform

Slide 20
Android Architecture

Slide 21
APK Package
Slide 22
Android Applications (APK)
● Zip Format Archive
  ○ AndroidManifest.xml
  ○ classes.dex
    ■ Java Code
    ■ Dalvik VM
  ○ Meta information
    ■ SSL Certificate (Self Signed)
  ○ Resources

Slide 23
APK Internals

Slide 24
AndroidManifest.xml
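The APK layout on the slides above (a zip archive holding AndroidManifest.xml, classes.dex, the signing certificate under META-INF and the resources) and the two manifest-derived features used later in the talk, shown in an added Python example that is not part of the original talk or of the MEDS code. It assembles a small APK-shaped zip in memory with a plain-text manifest; this is an assumption for illustration, since a real APK stores the manifest in Android's binary XML encoding, which a tool such as AndroGuard decodes first. The dangerous-permission list is a short subset chosen for the example, and every entry in the sample archive is constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Subset of permissions Android places in the "dangerous" protection level.
# Assumption: a short list for illustration, not the full set.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}

# Constructed manifest in plain text. Real APKs carry a binary-XML manifest;
# decode it (e.g. with androguard) before parsing it like this.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver"/>
  </application>
</manifest>
"""


def build_sample_apk() -> bytes:
    """Assemble a minimal, constructed APK-shaped zip entirely in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", SAMPLE_MANIFEST)
        # Placeholder dex: real magic bytes followed by padding, not real bytecode.
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)
        zf.writestr("META-INF/CERT.RSA", b"placeholder-self-signed-cert")
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("res/values/strings.xml", "<resources/>")
    return buf.getvalue()


def list_apk_components(apk_bytes: bytes) -> dict:
    """Map zip entries to the roles named on the slide: manifest, dex, signature, resources."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
    return {
        "manifest": [n for n in names if n == "AndroidManifest.xml"],
        "dex": [n for n in names if n.endswith(".dex")],
        "signature": [n for n in names
                      if n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC"))],
        "resources": [n for n in names if n.startswith("res/")],
    }


def manifest_features(manifest_xml: str) -> dict:
    """Extract the two manifest features the regression uses: dangerous permissions and receivers."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    perms = {el.get(name_attr) for el in root.iter("uses-permission")}
    receivers = [el.get(name_attr) for el in root.iter("receiver")]
    dangerous = perms & DANGEROUS_PERMISSIONS
    return {
        "package": root.get("package"),
        "permissions": sorted(p for p in perms if p),
        "dangerous_permissions": sorted(dangerous),
        "num_dangerous_permissions": len(dangerous),
        "num_receivers": len(receivers),
    }


def analyze_apk(apk_bytes: bytes) -> dict:
    """Combine the structural listing with the manifest features for one APK."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        manifest = zf.read("AndroidManifest.xml").decode("utf-8")
    result = list_apk_components(apk_bytes)
    result.update(manifest_features(manifest))
    return result


if __name__ == "__main__":
    for key, value in analyze_apk(build_sample_apk()).items():
        print(f"{key}: {value}")
```

The `num_dangerous_permissions` and `num_receivers` values are exactly the "Malware Features" the talk feeds into regression; on a real sample the only change is swapping the plain-text manifest for the decoded one.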
Slide 25
MEDS (Malware Evolution)
● Malware Evolution
  ○ Android Malware
  ○ Similarity Percentage
    ■ Approximate Matching
  ○ Creation Approximation
  ○ Phylogenetic/Lineage Tree

Slide 26
Similarity of objects?
● Very good at equality
  ○ Hashing (Fingerprint)
● Similarity of two objects?
Slide 27
Approximate Matching
● NIST Special Publication 800-168
● Approximate Matching
  ○ Bytewise (Sequence of bytes)
    ■ SDHASH
  ○ Syntactic (Internal Structures)
    ■ AndroidManifest.xml
  ○ Semantic (Contextual Attributes)

Slide 28
Phylogenetic (Lineage) Tree
● Metadata
  ○ Creation Date
● Approximate Matching Value
  ○ AndroidManifest.xml (Syntactic)
  ○ Dex Files (Bytewise)
Slide 29
MEDS (Discovery System)
● Regression Analysis
  ○ Feature Extraction
    ■ Number of Dangerous Permissions
  ○ Linear and Logistic Regression
    ■ Generativeness
● Statistics about which malware will influence the creation of future malware
Slide 30
Python Implementation
● Graphs
  ○ PyGraphviz
    ■ Modeling
    ■ DOT files for visualization
● SDHash (Bytewise)
  ○ Python SWIG binding to the C++ library
● Edit Distance (Syntactic)
  ○ AndroidManifest.xml
Slide 31
Phylogenetic (Lineage) Tree
● Not a New Idea
  ○ Goldberg, Leslie Ann et al. Constructing Computer Virus Phylogenies. 1996
  ○ DARPA (43 Million) Cyber Genome Project, 2010
    ■ Lockheed Martin
    ■ Invincea Labs (Cynomix.org)
    ■ BAE Systems
    ■ Raytheon BBN Technologies
Slide 32
Invincea Labs (Cynomix)

Slide 33
Phylogenetic Tree

Slide 34
Generative Malware
● Generativeness
  ○ Predict Future Malware Trends
  ○ Active Malware
    ■ Features
    ■ Vulnerabilities
    ■ Baseline

Slide 35
Present Samples Scenario

Slide 36
Malware Evolution
Slide 37
Regression Analysis
● Malware Features
  ○ Number of Dangerous Permissions
  ○ Number of Receivers
● Phylogenetic Tree Features
  ○ Approximate Matching Value (to parent)
  ○ Age in seconds from parent
  ○ Age in seconds of the latest child
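Building the lineage tree from the two approximate-matching channels (slides 28 and 30) and deriving the tree features listed on this slide, as an added Python example that is neither the MEDS code nor material from the talk. Assumptions: Levenshtein edit distance over decoded manifest text stands in for the syntactic channel; a Jaccard score over byte 4-grams stands in for the sdhash bytewise score (sdhash is a C++ library reached through SWIG and is not reimplemented here); the two channels are averaged with equal weight; a sample's parent is the most similar earlier-dated sample whose score clears a 0.5 threshold; and all samples, manifests, dex bytes and creation dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime


@dataclass(eq=False)
class Sample:
    name: str
    created: datetime            # creation date from APK metadata (constructed here)
    manifest: str                # decoded AndroidManifest.xml text (syntactic channel)
    dex: bytes                   # classes.dex bytes (bytewise channel)
    parent: "Sample | None" = None
    children: list = field(default_factory=list)


def levenshtein(a: str, b: str) -> int:
    """Edit distance with a two-row DP table: the syntactic comparison of manifests."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def syntactic_similarity(a: str, b: str) -> float:
    return 1.0 - levenshtein(a, b) / (max(len(a), len(b)) or 1)


def bytewise_similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard overlap of byte n-grams: a stand-in for the sdhash score (assumption, not sdhash)."""
    ga = {a[i:i + n] for i in range(len(a) - n + 1)}
    gb = {b[i:i + n] for i in range(len(b) - n + 1)}
    return 1.0 if not (ga or gb) else len(ga & gb) / len(ga | gb)


def similarity(x: Sample, y: Sample) -> float:
    # Equal-weight combination of the two channels (assumption).
    return 0.5 * syntactic_similarity(x.manifest, y.manifest) + 0.5 * bytewise_similarity(x.dex, y.dex)


# Constructed samples: family "fam.a" evolves v1 -> v2 -> v3 by appending to the
# manifest and dex; "other.v1" is an unrelated family released in between.
HEADER = b"dex\n035\0"                      # magic that opens a classes.dex file
DEX_A = HEADER + bytes(range(0x20, 0x60)) * 2
DEX_A2 = DEX_A + b"\xde\xad\xbe\xef"
DEX_A3 = DEX_A2 + b"\xca\xfe\xba\xbe"
DEX_B = HEADER + bytes(range(0xa0, 0xe0)) * 2
MANIFEST_A = ('<manifest package="com.example.fam.a">'
              '<uses-permission android:name="android.permission.SEND_SMS"/></manifest>')
MANIFEST_A2 = MANIFEST_A.replace(
    "</manifest>", '<uses-permission android:name="android.permission.READ_SMS"/></manifest>')
MANIFEST_A3 = MANIFEST_A2.replace("</manifest>", '<receiver android:name=".SmsReceiver"/></manifest>')
MANIFEST_B = ('<manifest package="org.other.game">'
              '<uses-permission android:name="android.permission.INTERNET"/>'
              '<application><activity android:name=".Main"/></application></manifest>')


def make_samples() -> list:
    return [
        Sample("fam.a.v1", datetime(2021, 1, 1), MANIFEST_A, DEX_A),
        Sample("fam.a.v2", datetime(2021, 1, 2), MANIFEST_A2, DEX_A2),
        Sample("other.v1", datetime(2021, 1, 3), MANIFEST_B, DEX_B),
        Sample("fam.a.v3", datetime(2021, 1, 4), MANIFEST_A3, DEX_A3),
    ]


def build_lineage(samples: list, threshold: float = 0.5):
    """Parent = the most similar sample created earlier, if its score clears the threshold."""
    ordered = sorted(samples, key=lambda s: s.created)
    scores = {}
    for i, s in enumerate(ordered):
        best, best_score = None, threshold
        for cand in ordered[:i]:
            sc = similarity(s, cand)
            if sc > best_score:
                best, best_score = cand, sc
        if best is not None:
            s.parent, scores[s.name] = best, best_score
            best.children.append(s)
    return {s.name: s for s in ordered}, scores


def tree_features(s: Sample, scores: dict) -> dict:
    """The 'Phylogenetic Tree Features' of the slide, plus the child count used as the target."""
    latest_child = max((c.created for c in s.children), default=None)
    return {
        "match_to_parent": scores.get(s.name, 0.0),
        "age_from_parent_s": (s.created - s.parent.created).total_seconds() if s.parent else 0.0,
        "latest_child_age_s": (latest_child - s.created).total_seconds() if latest_child else 0.0,
        "num_children": len(s.children),
    }


def to_dot(tree: dict) -> str:
    """Emit the tree in DOT so Graphviz can draw it, as the talk does via PyGraphviz."""
    lines = ["digraph lineage {"] + [f'  "{n}";' for n in tree]
    lines += [f'  "{s.parent.name}" -> "{s.name}";' for s in tree.values() if s.parent]
    return "\n".join(lines + ["}"])


if __name__ == "__main__":
    tree, scores = build_lineage(make_samples())
    for name, s in tree.items():
        print(name, tree_features(s, scores))
    print(to_dot(tree))
```

Two points worth checking on real data: a sample's parent candidates are restricted to earlier creation dates, so a forged or missing timestamp silently reorders the tree, and the threshold decides how many roots (new families) appear; sweep it and compare the roots against known family labels before trusting the features downstream.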
Slide 38
Dangerous Permissions

Slide 39
Number of Children
Slide 40
Python Implementation
● Regression Analysis Algorithms
  ○ Octave
    ■ Oct2py
  ○ Visualization
    ■ rpy2
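Predicting generativeness from the slide-37 features with a logistic regression, as an added Python example that is not the talk's Octave/Oct2py code. It trains by plain gradient descent on a constructed, class-balanced table whose label is 1 when a sample has at least one child in the lineage tree, z-scores the features so that ages in seconds and permission counts sit on the same scale, and reports training accuracy; the rows, the learning rate and the 0.5 decision threshold are assumptions.

```python
import math

FEATURE_NAMES = ["num_dangerous_permissions", "num_receivers", "match_to_parent", "age_from_parent_s"]

# Constructed training rows: features from the regression slide, then the label
# (1 = the sample later acquired children in the tree, 0 = it did not).
TRAINING_ROWS = [
    (5, 3, 0.82, 86400.0, 1),
    (6, 4, 0.77, 172800.0, 1),
    (7, 3, 0.91, 43200.0, 1),
    (5, 2, 0.70, 259200.0, 1),
    (1, 0, 0.55, 604800.0, 0),
    (2, 1, 0.62, 432000.0, 0),
    (1, 1, 0.58, 1209600.0, 0),
    (0, 0, 0.00, 0.0, 0),
]


def standardize(rows):
    """z-score each feature column so seconds and small counts get comparable gradients."""
    stats = []
    for col in zip(*rows):
        mean = sum(col) / len(col)
        std = math.sqrt(sum((v - mean) ** 2 for v in col) / len(col)) or 1.0
        stats.append((mean, std))
    scaled = [[(v - m) / s for v, (m, s) in zip(row, stats)] for row in rows]
    return scaled, stats


def sigmoid(z: float) -> float:
    z = max(-500.0, min(500.0, z))          # keep exp() in range
    return 1.0 / (1.0 + math.exp(-z))


def train_logistic(x, y, lr=0.1, epochs=2000):
    """Batch gradient descent on the mean log-loss; returns weights and bias."""
    n = len(x[0])
    w, b = [0.0] * n, 0.0
    for _ in range(epochs):
        grad_w, grad_b = [0.0] * n, 0.0
        for xi, yi in zip(x, y):
            err = sigmoid(sum(wj * v for wj, v in zip(w, xi)) + b) - yi
            for j in range(n):
                grad_w[j] += err * xi[j]
            grad_b += err
        w = [wj - lr * g / len(x) for wj, g in zip(w, grad_w)]
        b -= lr * grad_b / len(x)
    return w, b


class GenerativenessModel:
    """Logistic model: P(sample will have children | tree and manifest features)."""

    def __init__(self, rows):
        feats = [list(r[:-1]) for r in rows]
        labels = [r[-1] for r in rows]
        scaled, self.stats = standardize(feats)
        self.w, self.b = train_logistic(scaled, labels)

    def probability(self, features) -> float:
        z = self.b
        for wj, v, (m, s) in zip(self.w, features, self.stats):
            z += wj * (v - m) / s
        return sigmoid(z)

    def predict(self, features) -> int:
        return int(self.probability(features) >= 0.5)

    def training_accuracy(self, rows) -> float:
        return sum(self.predict(r[:-1]) == r[-1] for r in rows) / len(rows)


if __name__ == "__main__":
    model = GenerativenessModel(TRAINING_ROWS)
    print("weights:", dict(zip(FEATURE_NAMES, model.w)), "bias:", model.b)
    print("training accuracy:", model.training_accuracy(TRAINING_ROWS))
    print("P(generative) for a permission-heavy sample:", model.probability([7, 4, 0.9, 43200.0]))
```

Training accuracy on eight hand-built rows says nothing about generalisation, which is the bias problem the summary slides raise: hold out whole malware families rather than random rows when evaluating, and note that "age of the latest child" is only known after the children exist, so it cannot be used to predict generativeness for a freshly observed sample.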
Slide 41
Summary
● MEDS
  ○ Phylogenetic Malware Tree
    ■ Malware Evolution
      ● Rapid development of detection and eradication
  ○ Generative Malware
    ■ Detect Promiscuous Malware
    ■ Pro-active handling of Malware Outbreaks
    ■ Data Science Problem
Slide 42
Summary
● Python is very flexible
  ○ Phylogenetic Malware Tree
  ○ Machine Learning Algorithms Integration
● Generativeness (Data Science Problem)
  ○ Bias
    ■ Further research
    ■ Choose Different Features

Slide 43
Future Work
● Regression Analysis improvements
  ○ scikit-learn
  ○ Bias Problem
    ■ Choose Different Features
    ■ Different Malware Sets
● Better Visualization
● More/Different Malware Samples
Slide 44
Acknowledgements
● virusshare.com
  ○ Malware Samples
● Candice Quates
  ○ SDHash Core Developer
● CUNY
  ○ Prof. Bilal Khan
    ■ http://www.systemic-inquiry.com
  ○ Jeremy D. Seideman

Slide 45
More Acknowledgments
● AndroGuard
  ○ Anthony Desnos
● Silvio Cesare
  ○ Software Similarity

Slide 46
Thank You!!!
● Questions
● Comments
● Clarifications
@vargasces