Abstract. To cope with the increasing number of malware attacks that organizations face, anti-malware appliances and sandboxes have become an integral security defense. In particular, appliances have become the de facto standard in the fight against targeted attacks. Yet recent incidents have demonstrated that malware can effectively detect and thus evade sandboxes, resulting in an ongoing arms race between sandbox developers and malware authors. We show how attackers can escape this arms race with what we call customized malware, i.e., malware that only exposes its malicious behavior on a targeted system. We present a web-based reconnaissance strategy, where an actor leaves marks on the target system such that the customized malware can recognize this particular system in a later stage, and only then exposes its malicious behavior. We propose to implant identifiers into the target system, such as unique entries in the browser history, cache, cookies, or the DNS stub resolver cache. We then prototype a customized malware that searches for these implants in the executing environment and denies execution if the implants do not exist as expected. This way, sandboxes can be evaded without the need to detect artifacts that witness the existence of a sandbox or a real system environment. Our results show that this prototype remains undetected on commercial malware security appliances, while only exposing its real behavior on the targeted system. To defend against this novel attack, we discuss countermeasures and a responsible disclosure process to allow appliance vendors to prepare for such attacks.
Large botnets made up of Internet-of-Things (IoT) devices have had a steady presence in the threat landscape since 2016. However, it has not been explained how attackers maintain control over their botnets. In this paper, we present a long-term analysis of the infrastructure of IoT botnets based on 36 months of data gathered via honeypots and the monitoring of botnet infrastructure. We collected 64,260 IoT malware samples, 35,494 download servers, and 4,736 C&C servers from 2016 to 2021. Not only are most binaries distributed for less than three days, but the connection of bots to the rest of the botnet is also short-lived. To reach the C&C server, the binaries typically contain only a single hard-coded IP address or domain. Long-term dynamic analysis finds no mechanism for the attackers to migrate the bots to a new C&C server. Although the number of malware binaries that use domain names to connect to their C&C servers increased in 2020, the C&C servers themselves have a short lifespan, and this tendency has not changed. The picture that emerges is that of highly disposable botnets: IoT botnets are reconstituted from scratch all the time rather than maintained.
Existing research on information security for IP cameras has primarily focused on issues with authentication or malware, but not on the peeping method itself. Understanding how cyber peeping is conducted in the real world can help strengthen defenses accordingly and spread awareness about the dangers of IP cameras. In this research, we observed peeps by setting up a honeypot using decoy cameras in two scenarios: first, where background information (a handwritten URL and ID/password bait) can be read by humans; second, simulating a living room in a home environment. As a result, many instances of peeping into the decoy cameras were confirmed in reality. Also, a rapid increase in peeping (over 20,000 times/day) was seen after a decoy camera's feed was posted on a well-known website, showing that a large-scale peeping danger also exists due to such websites. The results of this study were used in several TV programs on a national broadcasting station to show the dangers of using IP cameras, and were also shared directly with IP camera vendors, resulting in improvements to IP camera security. We therefore believe that this study can further help improve security and awareness of the dangers associated with IP cameras.