Publication


Featured research published by M. Zubair Rafique.


international conference on detection of intrusions and malware and vulnerability assessment | 2013

Driving in the cloud: an analysis of drive-by download operations and abuse reporting

Antonio Nappa; M. Zubair Rafique; Juan Caballero

Drive-by downloads are the preferred distribution vector for many malware families. In the drive-by ecosystem many exploit servers run the same exploit kit, and it is a challenge to understand whether an exploit server is part of a larger operation. In this paper we propose a technique to identify exploit servers managed by the same organization. We collect over time how exploit servers are configured and what malware they distribute, grouping servers with similar configurations into operations. Our operational analysis reveals that although individual exploit servers have a median lifetime of 16 hours, long-lived operations exist that operate for several months. To sustain long-lived operations miscreants are turning to the cloud, with 60% of the exploit servers hosted by specialized cloud hosting services. We also observe operations that distribute multiple malware families, and that pay-per-install affiliate programs are managing exploit servers for their affiliates to convert traffic into installations. To understand how difficult it is to take down exploit servers, we analyze the abuse reporting process and issue abuse reports for 19 long-lived servers. We describe the interaction with ISPs and hosting providers and monitor the result of the reports. We find that 61% of the reports are not even acknowledged. On average, an exploit server still lives for 4.3 days after a report.


international world wide web conferences | 2014

Stranger danger: exploring the ecosystem of ad-based URL shortening services

Nick Nikiforakis; Federico Maggi; Gianluca Stringhini; M. Zubair Rafique; Wouter Joosen; Christopher Kruegel; Frank Piessens; Giovanni Vigna; Stefano Zanero

URL shortening services address the need to exchange long URLs in limited space by creating compact URL aliases that redirect users to the original URLs when followed. Some of these services show advertisements (ads) to link-clicking users and pay a commission of their advertising earnings to link-shortening users. In this paper, we investigate the ecosystem of these increasingly popular ad-based URL shortening services. Even though traditional URL shortening services have been thoroughly investigated in previous research, we argue that, due to the monetary incentives and the presence of third-party advertising networks, ad-based URL shortening services and their users are exposed to more hazards than traditional shortening services. By analyzing the services themselves, the advertisers involved, and their users, we uncover a series of issues that are actively exploited by malicious advertisers and endanger users. Moreover, in addition to documenting the ongoing abuse, we suggest a series of defense mechanisms that services and users can adopt to protect themselves.


recent advances in intrusion detection | 2013

FIRMA: Malware Clustering and Network Signature Generation with Mixed Network Behaviors

M. Zubair Rafique; Juan Caballero

The ever-increasing number of malware families and polymorphic variants creates a pressing need for automatic tools to cluster the collected malware into families and generate behavioral signatures for their detection. Among these, network traffic is a powerful behavioral signature, and network signatures are widely used by network administrators. In this paper we present FIRMA, a tool that, given a large pool of network traffic obtained by executing unlabeled malware binaries, generates a clustering of the malware binaries into families and a set of network signatures for each family. Compared with prior tools, FIRMA produces network signatures for each of the network behaviors of a family, regardless of the type of traffic the malware uses (e.g., HTTP, IRC, SMTP, TCP, UDP). We have implemented FIRMA and evaluated it on two recent datasets comprising nearly 16,000 unique malware binaries. Our results show that FIRMA's clustering has very high precision (100% on a labeled dataset) and recall (97.7%). We compare FIRMA's signatures with manually generated ones, showing that they are as good, and often better, while generated in a fraction of the time.
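The FIRMA abstract above describes the two outputs a practitioner cares about, a clustering of samples into families and one network signature per family behavior, without showing what such a pipeline looks like. The following is an added illustration, not FIRMA's code: it tokenizes HTTP requests in a protocol-aware way (dropping per-infection query values and the Host header), clusters requests by token-set similarity, derives a signature per cluster as the longest token subsequence shared by all members, and matches new traffic against it. The traffic, the sample ids, the 0.6 similarity threshold and the LCS-based signature are all assumptions made for the example.

```python
"""Added illustration of a FIRMA-style clustering and signature pipeline.
Not FIRMA's implementation; all traffic and thresholds are constructed."""
from functools import reduce
from itertools import combinations

# Constructed (sample_id, raw HTTP request) pairs standing in for traffic produced
# by executing unlabeled binaries. Hostnames and ids are placeholders.
TRAFFIC = [
    ("s1", "GET /gate.php?id=1a2b&cmd=get HTTP/1.1\r\nHost: a.example\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n"),
    ("s2", "GET /gate.php?id=9f8e&cmd=get HTTP/1.1\r\nHost: b.example\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n"),
    ("s3", "GET /gate.php?id=77aa&cmd=upd HTTP/1.1\r\nHost: c.example\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n"),
    ("s4", "POST /panel/report.php HTTP/1.1\r\nHost: d.example\r\nUser-Agent: Agent-1.0\r\nContent-Type: application/x-www-form-urlencoded\r\n"),
    ("s5", "POST /panel/report.php HTTP/1.1\r\nHost: e.example\r\nUser-Agent: Agent-1.0\r\nContent-Type: application/x-www-form-urlencoded\r\n"),
]
# Constructed request from a sample outside the pool, used to exercise a signature.
NEW_REQUEST = "GET /gate.php?id=0000&cmd=get HTTP/1.1\r\nHost: z.example\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n"


def tokenize(raw):
    """Turn one HTTP request into an ordered list of protocol-aware tokens.
    Query values and the Host header are dropped: they vary per infection or per
    server, so a signature built on them would not generalize across a family."""
    lines = raw.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path, _, query = target.partition("?")
    tokens = ["method=" + method]
    tokens += ["path=" + seg for seg in path.split("/") if seg]
    tokens += ["param=" + kv.split("=", 1)[0] for kv in query.split("&") if kv]
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if name == "host":
            continue
        tokens.append(f"hdr={name}:{value.strip()}")
    return tokens


def jaccard(a, b):
    sa, sb = set(a), set(b)
    return len(sa & sb) / len(sa | sb) if sa | sb else 0.0


def cluster(token_lists, threshold=0.6):
    """Single-linkage clustering via union-find: any pair with Jaccard similarity
    at or above the threshold (an assumed value) ends up in the same cluster."""
    parent = list(range(len(token_lists)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, j in combinations(range(len(token_lists)), 2):
        if jaccard(token_lists[i], token_lists[j]) >= threshold:
            parent[find(i)] = find(j)
    groups = {}
    for i in range(len(token_lists)):
        groups.setdefault(find(i), []).append(i)
    return list(groups.values())


def lcs(a, b):
    """Longest common subsequence of two token lists (order-preserving)."""
    m, n = len(a), len(b)
    dp = [[0] * (n + 1) for _ in range(m + 1)]
    for i in range(m):
        for j in range(n):
            dp[i + 1][j + 1] = dp[i][j] + 1 if a[i] == b[j] else max(dp[i][j + 1], dp[i + 1][j])
    out, i, j = [], m, n
    while i and j:
        if a[i - 1] == b[j - 1]:
            out.append(a[i - 1]); i -= 1; j -= 1
        elif dp[i - 1][j] >= dp[i][j - 1]:
            i -= 1
        else:
            j -= 1
    return out[::-1]


def build_signatures(traffic, threshold=0.6):
    """Return [(member sample ids, signature token list)] for each cluster.
    The signature is the token subsequence common to every member, so it
    captures the invariant part of the family's request and nothing sample-specific."""
    ids = [sid for sid, _ in traffic]
    token_lists = [tokenize(raw) for _, raw in traffic]
    result = []
    for group in cluster(token_lists, threshold):
        sig = reduce(lcs, (token_lists[i] for i in group))
        result.append(([ids[i] for i in group], sig))
    return result


def matches(signature, raw):
    """True if every signature token appears, in order, in the request's tokens."""
    toks, pos = tokenize(raw), 0
    for t in signature:
        try:
            pos = toks.index(t, pos) + 1
        except ValueError:
            return False
    return True


if __name__ == "__main__":
    for members, sig in build_signatures(TRAFFIC):
        print(members, sig)
```

Two design points carry over to real deployments: drop fields that are per-victim (ids, hostnames, cookies) before clustering, or every sample becomes its own family; and keep signatures ordered rather than as bags of tokens, so that a signature cannot be satisfied by benign traffic that merely happens to contain the same header values in a different place.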


genetic and evolutionary computation conference | 2014

Evolutionary algorithms for classification of malware families through different network behaviors

M. Zubair Rafique; Ping Chen; Christophe Huygens; Wouter Joosen

The staggering increase of malware families and their diversity poses a significant threat and creates a compelling need for automatic classification techniques. In this paper, we first analyze the role of network behavior as a powerful technique to automatically classify malware families and their polymorphic variants. Afterwards, we present a framework to efficiently classify malware families by modeling their different network behaviors (such as HTTP, SMTP, UDP, and TCP). We propose protocol-aware and state-space modeling schemes to extract features from malware network behaviors. We analyze the applicability of various evolutionary and non-evolutionary algorithms for our malware family classification framework. To evaluate our framework, we collected a real-world dataset of 6,000 unique and active malware samples belonging to 20 different malware families. We provide a detailed analysis of network behaviors exhibited by these prevalent malware families. The results of our experiments show that evolutionary algorithms, like the sUpervised Classifier System (UCS), can effectively classify malware families through different network behaviors in real time. To the best of our knowledge, the current work is the first malware classification framework based on an evolutionary classifier that uses different network behaviors.


genetic and evolutionary computation conference | 2011

Application of evolutionary algorithms in detecting SMS spam at access layer

M. Zubair Rafique; Nasser Alrayes; Muhammad Khurram Khan

In recent years, Short Message Service (SMS) has been widely exploited in arbitrary advertising campaigns and the propagation of scams. In this paper, we first analyze the role of SMS spam as an increasing threat to mobile and smart phone users. Afterward, we present a filtering method for controlling SMS spam on the access layer of mobile devices. We analyze the role of different evolutionary and non-evolutionary classifiers for our spam filter by assimilating the byte-level features of SMS. We evaluated our framework on real-world benign and spam datasets collected from Grumbletext and the users in our social networking community. The results of carefully designed experiments demonstrated that the evolutionary classifiers, like the Structural Learning Algorithm in Vague Environment (SLAVE), could efficiently detect spam messages at the access layer of a mobile device. To the best of our knowledge, the current work is the first SMS spam filter based on an evolutionary classifier that works on the access layer of a mobile device. The results of our experiments show that our framework, using evolutionary algorithms, achieves a detection accuracy of more than 93%, with a false alarm rate of 0.13% in classifying spam SMS. Moreover, the memory requirement for incorporating SMS features is relatively small, and it takes less than one second to classify a message as spam or benign.


computer and communications security | 2012

Manufacturing compromise: the emergence of exploit-as-a-service

Chris Grier; Lucas Ballard; Juan Caballero; Neha Chachra; Christian Dietrich; Kirill Levchenko; Panayiotis Mavrommatis; Damon McCoy; Antonio Nappa; Andreas Pitsillidis; Niels Provos; M. Zubair Rafique; Moheeb Abu Rajab; Christian Rossow; Kurt Thomas; Vern Paxson; Stefan Savage; Geoffrey M. Voelker


Lecture Notes in Computer Science | 2013

FIRMA: Malware clustering and network signature generation with mixed network behaviors

M. Zubair Rafique; Juan Caballero


network and distributed system security symposium | 2014

CyberProbe: Towards Internet-Scale Active Detection of Malicious Servers

Antonio Nappa; Zhaoyan Xu; M. Zubair Rafique; Juan Caballero; Guofei Gu


network computing and applications | 2011

xMiner: Nip the Zero Day Exploits in the Bud

M. Zubair Rafique; Muhammad Abulaish

Vulnerability exploits present in malformed messages are one of the major sources of remotely launched malicious activity in different protocols. Sometimes, a single malformed message can be enough to crash remote servers or to gain unfettered access over them. In this paper, we propose the design of a generic vulnerability exploit detection system, xMiner, to detect malformed messages in real time and avoid any network hazard. The proposed xMiner exploits the information embedded within byte-level sequences of network messages. xMiner applies a multi-order Markov process and principal component analysis (PCA) to extract novel discriminative features and uses them to detect attacks launched through malicious packets in real time. The novelty of xMiner lies in its light-weight design, which requires less processing and memory resources and makes it easily deployable on resource-constrained devices like smart phones. The system is evaluated on real-world datasets pertaining to three different protocols: HTTP, FTP and SIP. Five different classifiers are deployed to establish the effectiveness of the proposed system. On evaluation we found that the decision tree classifier performs well for the HTTP and FTP datasets, whereas SVM shows the highest performance in the case of SIP packets.


annual computer security applications conference | 2014

Network dialog minimization and network dialog diffing: two novel primitives for network security applications

M. Zubair Rafique; Juan Caballero; Christophe Huygens; Wouter Joosen

In this work, we present two fundamental primitives for network security: network dialog minimization and network dialog diffing. Network dialog minimization (NDM) simplifies an original dialog with respect to a goal, so that the minimized dialog, when replayed, still achieves the goal but requires minimal network communication, achieving significant time and bandwidth savings. We present network delta debugging, the first technique to solve NDM. Network dialog diffing compares two dialogs, aligns them, and identifies their common and different parts. We propose a novel dialog diffing technique that aligns two dialogs by finding a mapping that maximizes similarity. We have applied our techniques to 5 applications. We apply our dialog minimization approach for: building drive-by download milkers for 9 exploit kits, integrating them in an infrastructure that has collected over 14,000 malware samples running from a single machine; efficiently measuring the percentage of popular sites that allow cookie replay, finding that 31% do not destroy the server-side state when a user logs out and that 17% provide cookies that live over a month; simplifying a cumbersome user interface, saving our institution 3 hours of time per year and employee; and finding a new vulnerability in a SIP server. We apply our dialog diffing approach for clustering benign (F-Measure = 100%) and malicious (F-Measure = 87.6%) dialogs.
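The ACSAC 2014 abstract above introduces network delta debugging as the technique behind network dialog minimization: repeatedly replay subsets of the recorded dialog and keep the smallest one that still achieves the goal. The following is an added example, not the paper's implementation, that applies Zeller's minimizing delta debugging (ddmin) to a constructed drive-by dialog. The exploit server is a stand-in function of my own (it requires a landing-page visit, then the exploit fetch in the same session, then the payload fetch), and the message format, the paths and the session cookie are all assumptions. Dialog diffing is not covered here.

```python
"""Added example: network dialog minimization via delta debugging (ddmin).
Not the paper's code; the server, the dialog and the goal are constructed."""
from collections import namedtuple

# A dialog is the client side of a conversation: an ordered list of requests.
# Constructed stand-in messages; a real dialog would carry full requests.
Message = namedtuple("Message", "path cookie")

ORIGINAL_DIALOG = [
    Message("/landing", None),        # sets the session cookie
    Message("/style.css", "sess"),
    Message("/logo.png", "sess"),
    Message("/exploit.js", "sess"),   # must precede the payload in the same session
    Message("/analytics.js", "sess"),
    Message("/favicon.ico", "sess"),
    Message("/payload.exe", "sess"),  # the goal: obtain the dropped binary
    Message("/thankyou.html", "sess"),
]


def replay(dialog):
    """Constructed stand-in for an exploit server (an assumption, not a real kit).
    Returns True when replaying `dialog` yields the payload: the landing page
    starts a session, the exploit is served only inside that session, and the
    payload only after the exploit was fetched in that session."""
    session, exploit_seen = None, False
    for msg in dialog:
        if msg.path == "/landing":
            session = "sess"
        elif msg.path == "/exploit.js" and session and msg.cookie == session:
            exploit_seen = True
        elif msg.path == "/payload.exe" and exploit_seen and msg.cookie == session:
            return True
    return False


def split(seq, n):
    """Split seq into n contiguous parts of near-equal size."""
    size, extra = divmod(len(seq), n)
    parts, start = [], 0
    for i in range(n):
        end = start + size + (1 if i < extra else 0)
        parts.append(seq[start:end])
        start = end
    return parts


def ddmin(seq, goal):
    """Minimizing delta debugging: returns a 1-minimal subsequence of seq that
    still satisfies goal. Assumes goal(seq) holds. First tries each part alone,
    then each complement, and refines the granularity when neither helps."""
    n = 2
    while len(seq) >= 2:
        parts = split(seq, n)
        reduced = False
        for part in parts:                     # reduce to a single part
            if goal(part):
                seq, n, reduced = part, 2, True
                break
        if not reduced:
            for i in range(len(parts)):        # reduce to a complement
                comp = [m for j, p in enumerate(parts) if j != i for m in p]
                if goal(comp):
                    seq, n, reduced = comp, max(n - 1, 2), True
                    break
        if not reduced:
            if n >= len(seq):
                break                          # already at single-message granularity
            n = min(n * 2, len(seq))
    return seq


def minimize_dialog(dialog, goal):
    """Return (minimized dialog, number of replays spent)."""
    replays = [0]

    def counted(d):
        replays[0] += 1
        return goal(d)

    return ddmin(list(dialog), counted), replays[0]


def is_one_minimal(dialog, goal):
    """True if the goal holds and dropping any single message breaks it."""
    return goal(dialog) and not any(
        goal(dialog[:i] + dialog[i + 1:]) for i in range(len(dialog)))


if __name__ == "__main__":
    minimized, replays = minimize_dialog(ORIGINAL_DIALOG, replay)
    print([m.path for m in minimized], "after", replays, "replays")
```

Against a live exploit server each `goal` call is a real replay, so the replay counter is the cost that matters; the milker use case in the abstract is exactly this loop run once per kit, after which only the minimized dialog is replayed to harvest samples. Note that ddmin yields a 1-minimal result (no single message can be dropped), not necessarily the globally smallest dialog, which is the usual trade-off for its bounded number of replays.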
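The xMiner abstract above names its core feature source, a multi-order Markov process over the byte sequence of a message, but the page does not show how such a model separates a malformed request from a well-formed one. The following is an added example, not xMiner's code: it trains Laplace-smoothed byte-transition models of orders 1 to 3 on a few constructed benign HTTP requests and scores a message by its mean negative log-likelihood per byte, averaged over the orders. A long run of a repeated byte, the shape of an overflow probe, hits transitions the model never saw and scores far above the benign traffic. The PCA step and the decision-tree/SVM classifiers of the paper are replaced here by a plain threshold; the requests, the smoothing constant and the threshold margin are assumptions.

```python
"""Added example: byte-level multi-order Markov scoring of protocol messages.
Not xMiner's implementation; training data and thresholds are constructed."""
import math
from collections import defaultdict

# Constructed benign HTTP requests used as the training set (not a real dataset).
BENIGN = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: image/png\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 27\r\n\r\nuser=alice&password=secret1",
    b"GET /search?q=firewall HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/7.68.0\r\nAccept: */*\r\n\r\n",
    b"GET /about HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept-Language: en\r\n\r\n",
]
# Constructed held-out benign request that recombines header lines seen in training.
HELDOUT_BENIGN = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\nAccept: image/png\r\n\r\n"
# Constructed malformed request: an overlong URI padded with one repeated byte
# followed by a NOP-like run, the shape of a buffer-overflow probe. Not a real exploit.
MALFORMED = b"GET /" + b"A" * 300 + b"\x90" * 64 + b" HTTP/1.1\r\nHost: www.example.com\r\n\r\n"


class MultiOrderMarkov:
    """Byte-level Markov models of each order k in `orders`, Laplace-smoothed
    with pseudo-count `alpha` over the 256 possible next bytes."""

    def __init__(self, orders=(1, 2, 3), alpha=0.01):
        self.orders = orders
        self.alpha = alpha
        # counts[k][context_bytes][next_byte] = number of occurrences in training
        self.counts = {k: defaultdict(lambda: defaultdict(int)) for k in orders}

    def train(self, messages):
        for msg in messages:
            for k in self.orders:
                for i in range(k, len(msg)):
                    self.counts[k][msg[i - k:i]][msg[i]] += 1

    def _log_prob(self, k, context, byte):
        row = self.counts[k].get(context, {})
        total = sum(row.values())
        return math.log((row.get(byte, 0) + self.alpha) / (total + 256 * self.alpha))

    def score(self, msg):
        """Mean negative log-likelihood per byte, averaged over the model orders.
        Higher means the byte sequence is less like the training traffic."""
        per_order = []
        for k in self.orders:
            if len(msg) <= k:
                continue
            nll = -sum(self._log_prob(k, msg[i - k:i], msg[i]) for i in range(k, len(msg)))
            per_order.append(nll / (len(msg) - k))
        return sum(per_order) / len(per_order)


def train_detector(benign, margin=2.0):
    """Fit the model and derive a threshold. The threshold rule (assumption):
    `margin` times the worst score observed on the benign training set."""
    model = MultiOrderMarkov()
    model.train(benign)
    threshold = margin * max(model.score(m) for m in benign)
    return model, threshold


def is_malformed(model, threshold, msg):
    return model.score(msg) > threshold


if __name__ == "__main__":
    model, thr = train_detector(BENIGN)
    print("threshold", round(thr, 2))
    for name, msg in (("held-out benign", HELDOUT_BENIGN), ("malformed", MALFORMED)):
        print(name, round(model.score(msg), 2), is_malformed(model, thr, msg))
```

The per-byte normalization is what keeps the score comparable across message lengths, and the smoothing constant controls how harshly an unseen transition is penalized: with `alpha` at 0.01 an unseen context costs about `ln(256)` nats per byte, which is why a few hundred repeated bytes dominate the score regardless of the valid headers around them. In practice the threshold should be set on a held-out benign set, not on the training data as done here for brevity.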

Collaboration


Dive into M. Zubair Rafique's collaboration.

Top Co-Authors

Christophe Huygens

Katholieke Universiteit Leuven

Wouter Joosen

Katholieke Universiteit Leuven

Chris Grier

University of California

Damon McCoy

George Mason University

Faraz Ahmed

Michigan State University