Technical Tuesday – 5 June 2012 – Anatomy of Malware Ecosystem by Dr. Srinivas Mukkamala

Posted by on Jun 5, 2012 in Events Archive

One of the major problems concerning information security is malicious code. To evade detection, malware (an unwanted malicious piece of code) is packed, encrypted, and obfuscated to produce variants that continue to plague properly defended and patched systems and networks with zero-day exploits.

Making the situation worse is the ease of producing polymorphic (variant) and metamorphic computer viruses with Do-It-Yourself (DIY) malware kits; the resulting samples are even more complex and harder to detect than their originals. The effectiveness of up-to-date antivirus and signature-based technologies against complex crimeware is thus not 100%, not 90%, not even 50%, which is alarming.

To add to this complexity, dynamic web links enable malware to change the payload servers and avoid detection. In most instances malware compromises trusted and most visited web domains or uses popular Internet search terms and trends to lure users to click these malicious links.

In this talk we present web crawling, meta-searches, geolocation tools, and computational intelligence techniques to assess the characteristics of a cyber-incident: whether it is likely to have been caused by a particular group, the geographical location of the source, the intent of the attack, and useful behavioral aspects of the attack.

The malicious websites extracted from the identified sources acted as seeds for our crawler and were crawled up to two hops, following every hyperlink found on those pages. After crawling, each website was mapped to a geographic location, namely that of the server hosting it, using Internet Protocol (IP) address-to-location mapping databases.

We applied social network analysis techniques to the link structure of the malicious websites to characterize their properties and compared them with those of legitimate websites. Using the meta-searches, we identified the potential sources, i.e. websites that publish links to malicious websites.

In addition to the link analysis of malicious websites, we visualized the links obtained during crawling on a world map, depicting links that traverse different regions of the world. Our approach revealed interesting facts about the malicious websites and the web infrastructure that facilitates malware. This near-real-time, dynamic analysis gives a better understanding of the malware infrastructure and improves both proactive detection and attribution.
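The pipeline described above (seed URLs, a two-hop crawl, IP-based geolocation, and degree statistics on the resulting link graph) as an added, self-contained example; this is not the speakers' code. The link map, the host-to-IP table and the IP-to-region table are all constructed stand-ins (documentation-range addresses) for a live crawler, DNS, and a geolocation database.

```python
from collections import deque
from typing import Dict, List, Tuple

# Constructed link structure: page URL -> hyperlinks found on that page.
LINKS: Dict[str, List[str]] = {
    "http://seed-a.example/": ["http://hop1-x.example/p", "http://hop1-y.example/"],
    "http://hop1-x.example/p": ["http://hop2-z.example/", "http://seed-a.example/"],
    "http://hop1-y.example/": ["http://hop2-z.example/", "http://hop2-w.example/"],
    "http://hop2-z.example/": ["http://hop3-q.example/"],   # beyond the two-hop limit
    "http://hop2-w.example/": [],
    "http://hop3-q.example/": [],
}
# Constructed stand-ins for DNS resolution and an IP-to-geolocation database.
HOST_IP = {"seed-a.example": "198.51.100.10", "hop1-x.example": "203.0.113.20",
           "hop1-y.example": "198.51.100.30", "hop2-z.example": "192.0.2.40",
           "hop2-w.example": "203.0.113.50"}
IP_REGION = {"198.51.100.10": "NA", "198.51.100.30": "NA", "203.0.113.20": "EU",
             "203.0.113.50": "EU", "192.0.2.40": "APAC"}

def crawl(seeds: List[str], max_hops: int) -> Tuple[List[Tuple[str, str]], Dict[str, int]]:
    """Breadth-first crawl from the seeds; links on pages at max_hops are not followed."""
    depth = {s: 0 for s in seeds}
    queue, edges = deque(seeds), []
    while queue:
        page = queue.popleft()
        if depth[page] >= max_hops:
            continue
        for target in LINKS.get(page, []):
            edges.append((page, target))          # record every observed hyperlink
            if target not in depth:               # visit each page only once
                depth[target] = depth[page] + 1
                queue.append(target)
    return edges, depth

def host(url: str) -> str:
    return url.split("/")[2]

def region_of(url: str) -> str:
    """Map a URL to the region of its hosting server; unresolved hosts are 'unknown'."""
    return IP_REGION.get(HOST_IP.get(host(url), ""), "unknown")

def degree_stats(edges: List[Tuple[str, str]]) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Per-host in-degree and out-degree; hosts with high in-degree act as hubs."""
    indeg: Dict[str, int] = {}
    outdeg: Dict[str, int] = {}
    for src, dst in edges:
        outdeg[host(src)] = outdeg.get(host(src), 0) + 1
        indeg[host(dst)] = indeg.get(host(dst), 0) + 1
    return indeg, outdeg

def cross_region_links(edges: List[Tuple[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Links whose source and destination are hosted in different regions (the map edges)."""
    return [(s, d, region_of(s), region_of(d)) for s, d in edges if region_of(s) != region_of(d)]
```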

Presented by: Srinivas Mukkamala of New Mexico Tech Institute for Complex Additive Systems Analysis (ICASA) & Computational Analysis and Network Enterprise Solutions (CAaNES)

Dr. Mukkamala is the chief security strategist and chief technology officer of CAaNES, and is also a Senior Research Scientist with ICASA (Institute for Complex Additive Systems Analysis). ICASA is a statutory research division of New Mexico Tech performing work on information technology, information assurance, and the analysis and protection of critical infrastructures (as complex interdependent systems). NMT/ICASA is a DHS/NSA Center of Academic Excellence in Information Assurance Education and Research (CAE/IAE-R).

Dr. Mukkamala has over 10 years of experience in Information Security and is one of the lead researchers for CACTUS (Computational Analysis of Cyber Terrorism against the US). He was a project lead for over 125 Security Posture and Vulnerability Assessments, Incident Response, and Digital Forensics projects in the last 3 years. He has a patent on Intelligent Agents for Distributed Intrusion Detection System and Method of Practicing Same.

Dr. Mukkamala leads the Cyber Strike Team. The Cyber Strike Team provides 24×7 preventive and responsive network security assessments for critical infrastructure entities identified by the federal, state, local and private sectors. On order, the Cyber Strike Team would be mobilized to conduct network performance and vulnerability analysis, penetration testing and forensics, security enhancements, education, training and awareness. Key to the concept would be deployment of security services at all layers of application within the organization.

The Cyber Strike Team has developed a reputation for tackling major projects with relatively short turnaround times, which has made it one of the best places in the southwest US to seek assistance with information assurance needs.

Dr. Mukkamala has over 120 peer-reviewed publications in the areas of information security, digital forensics, data mining, simulation and modeling, and bioinformatics, with a high citation index. His current research interests are intrusion and threat analysis, risk management, vulnerability assessments, digital forensics, malware mitigation and prevention, machine learning, data mining, and information security.

Dr. Mukkamala received his Bachelor of Engineering (B.E.) in Computer Science and Engineering from University of Madras and his M.S. and Ph.D. in Computer Science from New Mexico Tech.