Research article. DOI: 10.1145/2841113.2841116

Milware: Identification and Implications of State Authored Malicious Software

Published: 08 September 2015

Abstract

The pervasive development and deployment of malicious software by states presents a new challenge for the information security and policy communities because of the resource advantage and legal status of governments. The difference between state and non-state authored code is typically described in vague terms of sophistication, contributing to the inaccurate confirmation bias of many that states simply 'do it better'. This paper attempts to determine whether state authored code is demonstrably different from that written by non-state actors and, if so, how. To do so, we examine a collection of malware samples which, through existing analytic techniques, have been attributed to a mix of state and non-state actors. Reviewing the technical information available in the public domain for each sample and reverse-engineering a subset, we determine that there is a set of criteria by which state authored code can be differentiated from the conventional malware of non-state groups. This MAlicious Software Sophistication (MASS) index relies on a set of characteristics which describe the behavior and construction of malware, including the severity of exploits and the customization of the payload. In addition to highlighting these particular differences, the paper discusses several policy implications which arise from identifying a separate class of state-authored code. This is an interdisciplinary effort and pilot project based on a limited dataset; however, the conclusions drawn have important ramifications for both the information security and relevant policymaking communities.


Published In

NSPW '15: Proceedings of the 2015 New Security Paradigms Workshop
September 2015, 163 pages
ISBN: 9781450337540
DOI: 10.1145/2841113

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

In-Cooperation

• ACSA: Applied Computing Security Assoc

Publisher

Association for Computing Machinery, New York, NY, United States

Qualifiers

• Research-article
• Research
• Refereed limited

Conference

NSPW '15: New Security Paradigms Workshop
September 8 - 11, 2015
Twente, Netherlands

Acceptance Rates

Overall Acceptance Rate 98 of 265 submissions, 37%

Cited By

• (2023) Detecting Targeted Phishing Websites for Brand Protection and Cyber Defence Using Computer Vision. 2023 IEEE International Workshop on Technologies for Defense and Security (TechDefense), pp. 1-6. DOI: 10.1109/TechDefense59795.2023.10380893. Online publication date: 20-Nov-2023.
• (2018) Development and Proliferation of Offensive Weapons in Cyber-Security. Cyber Weaponry, pp. 125-141. DOI: 10.1007/978-3-319-74107-9_10. Online publication date: 5-Apr-2018.
• (2017) Information hiding. Communications of the ACM 61(1), pp. 86-94. DOI: 10.1145/3158416. Online publication date: 27-Dec-2017.
• (2017) Software and Malware Capabilities: Opinions on (Inter)national Security. 2017 International Conference on Cyberworlds (CW), pp. 96-102. DOI: 10.1109/CW.2017.46. Online publication date: Sep-2017.
• (2017) Governing Proliferation in Cybersecurity. Global Summitry 3(1), pp. 86-107. DOI: 10.1093/global/gux006. Online publication date: 3-Jul-2017.
• (2016) Malware counter-proliferation and the Wassenaar Arrangement. 2016 8th International Conference on Cyber Conflict (CyCon), pp. 175-190. DOI: 10.1109/CYCON.2016.7529434. Online publication date: May-2016.
