Publication


Featured research published by Byungho Min.


Software: Practice and Experience | 2014

Antivirus security: naked during updates

Byungho Min; Vijay Varadharajan; Udaya Kiran Tupakula; Michael Hitchens

The security of modern computer systems heavily depends on security tools, especially on antivirus software solutions. In the anti-malware research community, development of techniques for evading detection by antivirus software is an active research area. This has led to malware that can bypass or subvert antivirus software. The common strategies deployed include the use of obfuscated code and staged malware whose first instance (usually an installer such as a dropper or downloader) is not detected by the antivirus software. Increasingly, most modern malware is staged so that it is not detected by antivirus solutions at the early stage of intrusion. The installers then determine the method for further intrusion, including antivirus bypassing techniques. Some malware target boot and/or shutdown time, when antivirus software may be inactive, so that they can perform their malicious activities. However, there can be another time frame where antivirus solutions may be inactive, namely, during the time of update. All antivirus software shares a unique characteristic: it must be updated at a very high frequency to provide up-to-date protection of the system. In this paper, we suggest a novel attack vector that targets antivirus updates and show practical examples of how a system and the antivirus software itself can be compromised during the update of the antivirus software. Local privilege escalation using this vulnerability is also described. We have investigated this design vulnerability with several of the major antivirus software products, such as Avira, AVG, McAfee, Microsoft and Symantec, and found that they are vulnerable to this new attack vector. The paper also discusses possible solutions that can be used to mitigate the attack in the existing versions of the antivirus software as well as in future ones.


International Conference on Engineering of Complex Computer Systems | 2015

Design and Evaluation of Feature Distributed Malware Attacks against the Internet of Things (IoT)

Byungho Min; Vijay Varadharajan

In this paper, we analyse the Internet of Things (IoT) aspect of the smart home from a security perspective, and adapt an advanced malware technique (called feature-distributed malware) for the IoT. We design several attacks, including cyber-physical system attacks and advanced cyber attacks, and then evaluate their impact via practical evaluations. Our proposed offensive techniques are based on the following current smart home status: (1) almost every smart home appliance is directly or indirectly connected to the Internet for remote monitoring and/or control; (2) there are Internet services that integrate heterogeneous devices into one single smart home environment. These integration services make it easy and simple to build any form of customised smart home configuration. However, at the same time, such services also put the smart home at risk when they are compromised and abused by attackers, which means that the attackers can achieve their goals without needing to compromise individual smart home devices. Our evaluation results show that traditional web attack techniques such as cookie stealing can be turned into sophisticated attacks that enable the attackers to perform various malicious activities such as unlocking the smart lock installed at the target premises and disarming security alarms. Considering that existing research efforts on smart home security are mainly about security analysis of individual devices and protocols, we believe this work will shed light on the practical implications of integrating the smart home with the Internet of Things, therefore helping the development of more secure smart home environments in the future.


International Conference on Engineering of Complex Computer Systems | 2014

Design and Analysis of Security Attacks against Critical Smart Grid Infrastructures

Byungho Min; Vijay Varadharajan

The smart grid, the future power grid, is expected to provide better energy efficiency, more customer choices and improved reliability and security. As the smart grid is an integrated system that consists of multiple subsystems, understanding it as a whole system is required to fully understand the security risks it faces. In this paper, a sophisticated malware attack unique to cyber-physical systems (CPS) and targeting the smart grid is proposed. The paper first outlines the architecture of the smart grid in general. Then we present the characteristics of recent malware attacks targeting CPS, such as Stuxnet and Shamoon. These lead to the design of our proposed attack, which incorporates the key features from the smart grid architecture and the recent real attacks. One key aspect of the proposed attack is that it manipulates various physical field devices as well as cyber systems to illustrate how a blackout is possible even under the security-improved smart grid environment. Then we explain the application of defensive techniques in the context of the suggested attack. Lastly, a prototype implementation showing the effectiveness of the attack and the defensive measures is described.


Software: Practice and Experience | 2016

A novel malware for subversion of self-protection in anti-virus

Byungho Min; Vijay Varadharajan

Major anti-virus solutions have introduced a feature known as 'self-protection' so that malware (and even users) cannot modify or disable the core functionality of their products. In this paper, we have investigated 12 anti-virus products from four vendors (AVG, Avira, McAfee and Symantec) and have discovered that they have certain security weaknesses that can be exploited by malware. We have then designed a novel malware which makes use of the weaknesses in anti-virus software and embeds itself to become a part of the vulnerable anti-virus solution. It subverts the self-protection features of several anti-virus software solutions. This malware-integrated anti-virus enjoys several advantages such as longevity (the anti-virus is active while the system is running), improved stealth, the highest privilege and the capability to bypass security measures. We then propose an effective defence against such malware. We have also implemented the defensive measure and evaluated its effectiveness. Finally, we show how the proposed defence can be applied to the current versions of vulnerable anti-virus solutions without requiring significant modifications.


Dependable Systems and Networks | 2015

Secure Dynamic Software Loading and Execution Using Cross Component Verification

Byungho Min; Vijay Varadharajan

In this paper, we propose a cross verification mechanism for secure execution and dynamic component loading. Our mechanism is based on a combination of code signing and a same-origin policy, and it blocks several types of attacks, from drive-by download attacks to malicious component loadings such as DLL hijacking, DLL side-loading, binary hijacking, typical DLL injection and loading of newly installed malware components, even when the malicious components have valid digital signatures. Considering that modern malware often uses stolen private keys to sign its binaries and bypass the code signing mechanism, we believe the proposed mechanism can significantly improve the security of modern computing platforms. In addition, the proposed mechanism protects proprietary software components so that unauthorised use of such components cannot occur. We have implemented a prototype for Microsoft Windows 7 and XP SP3, and evaluated application execution and dynamic component loading behaviour under our security mechanism. The proposed mechanism is general, and can be applied to other major computing platforms including Android, Linux and Mac OS X.


ACM Symposium on Applied Computing | 2015

Design, implementation and evaluation of a novel anti-virus parasitic malware

Byungho Min; Vijay Varadharajan

In this paper, we propose an advanced malware, anti-virus parasitic malware (AV-Parmware). It attacks protected components of anti-virus software by exploiting their security weaknesses, and compromises the target systems by being a parasite on the anti-virus. We have investigated 18 anti-virus solutions from seven major anti-virus software vendors and have discovered that 12 products from four vendors (AVG, Avira, McAfee and Symantec) have certain security weaknesses that can be utilised in the proposed malware. There are several advantages to being an anti-virus parasitic malware, including longevity (the anti-virus runs while the system is up), improved stealth, the highest privileges and the capability to bypass security measures such as egress filtering. We have implemented our proposed parasitic malware, and have shown that all these advantages are achieved in practice.


Security and Privacy in Communication Networks | 2014

A simple and novel technique for counteracting exploit kits

Byungho Min; Vijay Varadharajan

Exploit kits have become a major cyber threat over the last few years. They are widely used in both massive and highly targeted cyber attack operations. The exploit kits make use of multiple exploits for major web browsers like Internet Explorer and popular browser plugins such as Adobe Flash and Reader. In this paper, a proactive approach to preventing this prevalent cyber threat from triggering its exploits is proposed. The suggested new technique, called AFFAF, proactively protects vulnerable systems using a fundamental characteristic of the exploit kits. Specifically, it utilises version information of web browsers and browser plugins. AFFAF is a zero-configuration solution, which means that users do not need to configure anything after installing it. In addition, it is an easy-to-employ methodology from the perspective of plugin developers. We have implemented a lightweight prototype and have shown that AFFAF-enabled vulnerable systems can counteract 50 real-world and one locally deployed exploit kit URLs. Tested exploit kits include popular and well-maintained ones such as Blackhole 2.0, Redkit, Sakura, Cool and Bleeding Life 2. We have also demonstrated that the false positive rate of AFFAF is virtually zero, and it is robust enough to be effective against real web browser plugin scanners.


Trust, Security and Privacy in Computing and Communications | 2014

Design and Analysis of a New Feature-Distributed Malware

Byungho Min; Vijay Varadharajan

In this paper, we propose a new advanced malware that distributes its features to multiple software components in order to bypass various security policies such as application whitelisting and security tools like anti-virus. A tool that automatically generates such malware has been developed, and malware instances generated by this tool have been evaluated, showing the risks of the proposed malware. The new threat proposed in this paper is particularly important in modern computing platforms, since they have progressed to more secure environments with various defensive techniques such as application-based permissions and application whitelisting. In addition, anti-virus solutions are improving their detection techniques, especially those based on behavioural properties. Our offensive technique is designed to overcome these hurdles so that appropriate defensive mitigations can be explored before adversaries develop such offensive techniques, as they always have.


ACM Symposium on Applied Computing | 2016

Cascading attacks against smart grid using control command disaggregation and services

Byungho Min; Vijay Varadharajan

In this paper, we propose new types of cascading attacks against the smart grid that use control command disaggregation and core smart grid services. Although there have been tremendous research efforts on injection attacks against the smart grid, to our knowledge most studies focus on false meter data injection, and false command and false feedback injection attacks have been scarcely investigated. In addition, control command disaggregation has not been addressed from a security point of view, in spite of the fact that it is becoming one of the core concepts in the smart grid, and hence analysing its security implications is crucial to smart grid security. Our cascading attacks use false control command, false feedback or false meter data injection, and cascade the effects of such injections throughout the smart grid subsystems and components. Our analysis and evaluation results show that the proposed attacks can cause serious service disruptions in the smart grid. The evaluation has been performed on a widely used smart grid simulation platform.


Australian Software Engineering Conference | 2014

A New Technique for Counteracting Web Browser Exploits

Byungho Min; Vijay Varadharajan

Over the last few years, exploit kits have been increasingly used for system compromise and malware propagation. As they target the web browser, one of the most commonly used pieces of software in the Internet era, exploit kits have become a major concern of the security community. In this paper, we propose a proactive approach to protecting vulnerable systems from this prevalent cyber threat. Our technique intercepts communications between the web browser and web pages, and proactively blocks the execution of exploit kits using version information of web browser plugins. Our system, AFFAF, is a zero-configuration solution, and hence users need only install it. Also, it is an easy-to-employ methodology from the perspective of plugin developers. We have implemented a lightweight prototype, which has demonstrated that AFFAF-protected vulnerable systems can counteract 50 real-world and one locally deployed exploit kit URLs. Tested exploit kits include popular and well-maintained ones such as Blackhole 2.0, Redkit, Sakura, Cool and Bleeding Life 2. We have also shown that the false positive rate of AFFAF is virtually zero, and it is robust enough to be effective against real web browser plugin scanners.
