Abstract
Targeted attacks pose a great threat to governments and commercial entities. Every year, an increasing number of targeted attacks are being discovered and exposed by various cyber security organizations. The key characteristics of these attacks are that they are conducted by well-funded and skilled actors who persistently target specific entities employing sophisticated tools and tactics to obtain a long-time presence in the breached environments. Malware plays a crucial role in a targeted attack for various tasks. Because of its stealthy nature, malware used in targeted attacks is expected to act differently compared to the traditional malware. However, to our knowledge, there is no previous study that performed an empirical validation to this assumption.
In this paper, we perform a study to understand whether malware used in targeted attacks is any different than traditional malware. To this end, we dynamically analysed a set of targeted and traditional malware to extract more than 700 features to be able to measure their discriminative power. These features are calculated from the network, host and memory behavior of malware. The rigorous experimentation we performed with several machine learning algorithms suggest that targeted malware indeed behaves differently and even with raw features extracted from the dynamic analysis reports, fairly good classification accuracy could be achieved to distinguish them from traditional malware.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Ambroise, C., McLachlan, G.J.: Selection bias in gene extraction on the basis of microarray gene-expression data. Proc. Natl. Acad. Sci. 99(10), 6562–6566 (2002)
Anderson, B., Storlie, C., Lane, T.: Improving malware classification: bridging the static/dynamic gap. In: Proceedings of the 5th ACM Workshop on Security and Artificial Intelligence, pp. 3–14. ACM (2012)
Bailey, M., Oberheide, J., Andersen, J., Mao, Z.M., Jahanian, F., Nazario, J.: Automated classification and analysis of internet malware. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 178–197. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-74320-0_10
Barbosa, G.N., Branco, R.R.: Prevalent characteristics in modern malware. Black Hat USA (2014)
Bayer, U., Comparetti, P.M., Hlauschek, C., Kruegel, C., Kirda, E.: Scalable, behavior-based malware clustering. In: NDSS, vol. 9, pp. 8–11 (2009)
Bayer, U., Kruegel, C., Kirda, E.: TTAnalyze: a tool for analyzing malware. na (2006)
Bilge, L., Kirda, E., Kruegel, C., Balduzzi, M.: Exposure: finding malicious domains using passive DNS analysis. In: Ndss (2011)
Chen, X.W., Jeong, J.C.: Enhanced recursive feature elimination. In: Sixth International Conference on Machine Learning and Applications, ICMLA 2007, pp. 429–435. IEEE (2007)
Christopher, K.: Evasive malware exposed and deconstructed. In: RSA Conference (2015)
Egele, M., Scholte, T., Kirda, E., Kruegel, C.: A survey on automated dynamic malware-analysis techniques and tools. ACM Comput. Surv. (CSUR) 44(2), 6 (2012)
Guarnieri, C., Tanasi, A., Bremer, J., Schloesser, M.: The cuckoo sandbox (2012)
Harrell, C.: Prefetch file meet process hollowing (2014). https://journeyintoir.blogspot.be/2014/12/prefetch-file-meet-process-hollowing_17.html
Islam, R., Tian, R., Batten, L.M., Versteeg, S.: Classification of malware based on integrated static and dynamic features. J. Netw. Comput. Appl. 36(2), 646–656 (2013)
Kolter, J.Z., Maloof, M.A.: Learning to detect malicious executables in the wild. In: Proceedings of the Tenth ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 470–478. ACM (2004)
M-Labs: Reversing malware command and control: From sockets to com. FireEye (2010). https://www.fireeye.com/blog/threat-research/2010/08/reversing-malware-command-control-sockets.html
Microsoft: Common folder variables (2015). https://www.microsoft.com/security/portal/mmpc/shared/variables.aspx
MITRE: Process hollowing (2016). https://attack.mitre.org/wiki/Technique/T1093
Mohaisen, A., Alrawi, O., Mohaisen, M.: Amal: high-fidelity, behavior-based automated malware analysis and classification. Comput. Secur. 52, 251–266 (2015)
Moser, A., Kruegel, C., Kirda, E.: Limits of static analysis for malware detection. In: Twenty-Third Annual Computer Security Applications Conference, ACSAC 2007, pp. 421–430. IEEE (2007)
Optiv: Improving reliability of sandbox results (2014). https://www.optiv.com/blog/improving-reliability-of-sandbox-results
Ortega, A.: Pafish (paranoid fish) (2012). https://github.com/a0rtega/pafish/
Rieck, K., Holz, T., Willems, C., Düssel, P., Laskov, P.: Learning and classification of malware behavior. In: Zamboni, D. (ed.) DIMVA 2008. LNCS, vol. 5137, pp. 108–125. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70542-0_6
Schultz, M.G., Eskin, E., Zadok, F., Stolfo, S.J.: Data mining methods for detection of new malicious executables. In: Proceedings of 2001 IEEE Symposium on Security and Privacy, S&P 2001, pp. 38–49. IEEE (2001)
Spengler, B.: Modified edition of cuckoo. Github (2013). https://github.com/brad-accuvant/cuckoo-modified
Symantec: Internet Security Threat Report, vol. 21, April 2016. https://www.symantec.com/security-center/threat-report
Tankard, C.: Advanced persistent threats and how to monitor and deter them. Netw. Secur. 2011(8), 16–19 (2011)
Teller, T., Hayon, A.: Enhancing Automated Malware Analysis Machines with Memory Analysis. Black Hat, USA (2014)
Tian, R., Batten, L.M., Versteeg, S.: Function length as a tool for malware classification. In: 3rd International Conference on Malicious and Unwanted Software, MALWARE 2008, pp. 69–76. IEEE (2008)
Tian, R., Islam, R., Batten, L., Versteeg, S.: Differentiating malware from cleanware using behavioural analysis. In: 2010 5th International Conference on Malicious and Unwanted Software (MALWARE), pp. 23–30. IEEE (2010)
VirusShare: Virusshare.com - because sharing is caring (2017). https://virusshare.com/
Virustotal: Virustotal - free online virus, malware and URL scanner (2012). https://www.virustotal.com/
Virustotal: YARA - the pattern matching swiss knife for malware researchers (2014). https://virustotal.github.io/yara/
Virvilis, N., Gritzalis, D., Apostolopoulos, T.: Trusted computing vs. advanced persistent threats: can a defender win this game? In: 2013 IEEE 10th International Conference on Ubiquitous Intelligence and Computing and 10th International Conference on Autonomic and Trusted Computing (UIC/ATC), pp. 396–403. IEEE (2013)
Walters, A.: The volatility framework: volatile memory artifact extraction utility framework (2007)
Willems, C., Holz, T., Freiling, F.: CWSandbox: towards automated dynamic binary analysis. IEEE Secur. Privacy 5(2), 32–39 (2007)
Wilson, T.: Move over, apts - the ram-based advanced volatile threat is spinning up fast. DarkReading (2013). www.darkreading.com/vulnerabilities--threats/move-over-apts--the-ram-based-advanced-volatile-threat-is-spinning-up-fast/d/d-id/1139211
Ye, Y., Wang, D., Li, T., Ye, D., Jiang, Q.: An intelligent pe-malware detection system based on association mining. J. Comput. Virol. 4(4), 323–334 (2008)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
About this paper
Cite this paper
Baychev, Y., Bilge, L. (2018). Spearphishing Malware: Do We Really Know the Unknown?. In: Giuffrida, C., Bardin, S., Blanc, G. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2018. Lecture Notes in Computer Science(), vol 10885. Springer, Cham. https://doi.org/10.1007/978-3-319-93411-2_3
Download citation
DOI: https://doi.org/10.1007/978-3-319-93411-2_3
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-93410-5
Online ISBN: 978-3-319-93411-2
eBook Packages: Computer ScienceComputer Science (R0)