The very nature of rootkits makes them hard to classify (and in some cases even detect) using automated malware analysis techniques. Kernel memory modifications can indicate that samples are trying to conceal information or hijack execution paths, thus exhibiting malicious behaviour. In an environment with a large throughput of analysis jobs, the need arises for an efficient and accurate way to identify such complex threats. In their VB2014 paper, Ahmed Zaki and Benjamin Humphrey present a system for identifying rootkit samples that is based on automated analysis - but instead of monitoring modifications to the whole memory, the system captures changes to data structures and memory regions that are known to have been targeted by rootkits in the past.
Compared to Android, iOS and Blackberry, Tizen (an open-source platform designed for multiple computing platforms such as smartphones, in-vehicle infotainment (IVI), smart TV, wearable devices, consumer electronics, etc.) offers several different options within the device structure to combat the rise in malware targeting mobile devices. In his VB2014 paper, Irfan Asrar examines these options and their ability to counteract malware and privacy threats.
In his VB2014 paper, James Wyke explores the different strategies malicious samples employ when a sandbox has been detected. He looks at examples of decoy behaviour that range from dummy files being dropped to the use of fixed path names, bogus DNS and HTTP requests, and misleading configuration files being delivered. He analyses the consequences of failing to realize we are observing bogus behaviour from a sample, and explores ways in which we might prevent ourselves from falling victim to the same techniques again.
It is not unheard of for researchers to be threatened by criminal gangs, or approached by intelligence services. On other occasions researchers have found themselves under surveillance or their devices have been compromised when on the road. What precautions should we take in order to minimize risks? What can we do to avoid leaking information that could put us in an uncomfortable situation in the future? In their VB2014 paper, Dani Creus and Vicente Diaz outline the precautions they believe security researchers should be taking.
Banking trojan Vawtrak wraps itself in layers, each of which gives rise to the next until a simple binary executable is exposed. Raul Alvarez likens Vawtrak to a nesting doll and in this article he unpacks the doll, looking at each layer in turn.
Thibault Reuille, Dhia Mahjoub and Ping Yan use particle physics to show clusters of malicious domains.
Thanks to the ubiquity of Adobe Flash Player, Adobe Flash Player vulnerabilities have become a major target for attackers who want to deliver attacks from web pages. In 2014, some new exploits appeared, targeting two vulnerabilities (CVE-2013-5330 and CVE-2014-0497) in a new feature of Adobe applications – domain memory opcode (or Alchemy opcode). In their VB2014 paper, Chun Feng and Elia Florio analyse the technical details of exploits using these vulnerabilities. They unveil some interesting tricks used by these exploits to make the attacks more reliable and stealthy, and discuss the malware components distributed by the exploits.
In this short version of the January 2015 VBSpam report, Martijn Grooten provides a summary of the results of the 35th VBSpam test as well as some information on ‘the state of spam’.
All but three of the 16 full solutions submitted for this month's test achieved a VBSpam award, and six of them achieved a VBSpam+ award. Martijn Grooten has the details.