DefMal Webinar

Would you like to receive webinar invitations? Contact us by email at: maira.nassau@loria.fr

We are pleased to invite you to the next DefMal webinar by 
Marcus BOTACIN ( Texas A&M University )
on October 15th at 2 p.m.
 

Towards Fully Automated Malware Analysis

This talk discusses the ideas developed in Botacin’s lab toward the goal of creating an end-to-end, fully automated malware detection solution. Let’s together discuss solutions for each step of a malware detection pipeline, including: (1) How to efficiently build ML detectors in the presence of evolving attacks via concept drift detection and distributed learning; (2) How to test detectors’ robustness with automated adversarial attack generation; (3) How to enhance model’s robustness via adversarial retraining based on the augmentation of the training set with synthetic samples generated by GPT models; (4) How to derive rules from ML models for efficient matching at the endpoint with hardware support; and (5) How to advance threat intelligence in analysis platforms with LLMs.

Marcus Botacin is an assistant professor in the computer science and engineering department at Texas A&M University. He holds a Ph.D. in computer Science (Federal University of Paraná, Brazil, 2021), a master’s in computer science (University of Campinas, Brazil, 2017) and a bachelor’s in computer engineering (University of Campinas, Brazil, 2015). Botacin’s main research interests are malware analysis and reverse engineering. Botacin’s research has been published in the major scientific venues (e.g., ACM Transactions and USENIX Security). Botacin has spoken of academic, industry and hacking conferences (e.g., USENIX Enigma and HackInTheBox).


We are pleased to invite you to the next DefMal webinar by  Giada Stivala (CISPA) on 17th September at 2 p.m.

Giada Stivala is a senior PhD student in the group of Giancarlo Pellegrino at CISPA, focusing on web security, large-scale measurements, phishing, and cybercrime. Her recent works present Clickbait PDFs, an attack vector for malicious links, and investigate the web infrastructure behind clickbait PDF campaigns. Previously, she studied malicious link distribution on social platforms, focusing on trustworthiness (or deception) of link previews in social media posts.

Deceptive Link Distribution and the Tactics Behind Malicious Web Campaigns.

Our browsers, whether on mobile or desktop, are gateways to a vast universe of information. Accessing online content, like reading a blog post linked on social media or searching for a document, is part of our daily routine. However, seemingly legitimate social media posts can lead to malicious websites, and search engine results can be manipulated to rank harmful content higher than legitimate sources.
In this talk, I explore two emerging methods of malicious link distribution. The first involves the programmatic manipulation of social media link previews. Attackers can create deceptive previews not only by controlling the linked page but also by exploiting flaws in the preview creation process. While some platforms make it easy to craft deceptive previews, they can also easily block link distribution via blocklisting.The second distribution method involves embedding malicious links within PDF files known as “Clickbait PDFs.” These files don’t contain malware but use misleading visuals to trick users into clicking, directing them to harmful websites. Attackers poisoned search results to reach victims, uploading hundreds of thousands of clickbait PDF files for months. Our studies show that SEO-driven Clickbait PDF campaigns have distinct patterns compared to traditional file-based Web attacks, and that fighting their distribution is complex.


We are pleased to invite you to the next DefMal webinar by 
Davide Balzarotti (EURECOM) on 10th July at 11 a.m.

Davide Balzarotti is a full Professor and the head of the Digital Security Department at EURECOM. He received his Ph.D. from Politecnico di Milano in 2006 and his research interests include most aspects of software and system security and in particular the areas of binary and malware analysis, fuzzing and vulnerability discovery, computer forensics, and web security. Davide authored more than 100 publications in leading conferences and journals. He has been the Program Chair Usenix Security 2024, ACSAC 2017, RAID 2012, and Eurosec 2014. Davide received in an ERC Consolidator and an ERC PoC Grants for his research in the analysis of compromised systems. Davide is also member of the « Order of the Overflow » team, which organized the DEF CON CTF competition between 2018 and 2021.
Malware Research: History, Milestones, and Open Questions  
Abstract Researchers have worked on the analysis, detection, and classification of malicious software since the first early viruses in the 1980s. After more than 40 years of academic research and thousands of papers published on this topic, what have we learned about malware? Which problems and questions have attracted the interest of researchers? And for which of those did we find some answers so far? In this talk, I will go through some of these past achievements (shamelessly using some of my research as an example) and discuss past findings as well as open questions for the future.


We are pleased to invite you to the next DefMal webinar by 
Leo COSSERON on 18th June at 2 p.m.

Léo COSSERON
Léo Cosseron est doctorant en 2ème année dans l’équipe MAGELLAN à l’IRISA (Rennes), et titulaire d’un M2 en informatique de l’ENS Rennes (2022). Ses centres d’intérêts en recherche sont la virtualisation matérielle, la simulation réseau et la sécurité des systèmes. Pendant sa thèse, Léo cherche à synchroniser précisément un simulateur réseau avec une sandbox d’analyse de malware, dans le but de créer un environnement réseau factice qui soit indistinguable d’un réseau réel, afin de contrer des malware évasifs basés sur le fingerprinting des performances du réseau.

Simuler l’environnement réseau de sandboxes pour cacher les pauses d’introspection de machines virtuelles
  Les sandboxes d’analyse de logiciels malveillants utilisent l’introspection de machines virtuelles (VMI) pour analyser ces programmes. La VMI est un ensemble de techniques pour observer l’exécution dans une machine virtuelle (VM) en restant isolé de la VM. Certains logiciels malveillants dits évasifs détectent les pauses d’exécution de la VM causées par la VMI et évitent alors d’activer leur comportement malveillant. Ce problème tend à disparaître puisque les concepteurs de sandboxes manipulent l’horloge des VMs pour cacher ces pauses. En revanche le réseau factice créé par une sandbox offre de nouvelles opportunités aux logiciels malveillants évasifs. En effet les pauses VMI ont un impact mesurable sur les performances réseau.
Les logiciels malveillants peuvent ainsi détecter les écarts de performance entre le réseau observé et celui du système ciblé. Pour résoudre ce problème, l’approche TANSIV consiste à construire le réseau de la sandbox au-dessus d’un simulateur réseau à événements discrets. Le simulateur définit la référence de temps et TANSIV coordonne l’écoulement du temps, en synchronisant les horloges virtuelles avec l’horloge du simulateur. Les paquets émis par les VMs sont interceptés et transmis à la VM destinataire à l’heure virtuelle calculée par le simulateur. Les VMs sont régulièrement interrompues à des heures virtuelles calculées avec le simulateur afin de les resynchroniser, et de faire avancer l’horloge du simulateur en fonction des événements réseau. Dans le cas de la virtualisation matérielle, en plus de manipuler les horloges virtuelles pour masquer les pauses VMI, TANSIV cache les pauses de synchronisation avec le simulateur réseau [1]. TANSIV est portable entre hyperviseurs et supporte QEMU, en modes émulation et KVM, ainsi que Xen. Pour évaluer expérimentalement TANSIV, nous avons mesuré le RTT entre deux VMs, en utilisant sur une VM un script VMI suffisamment agressif pour déclencher une pause VMI entre chaque envoi de paquet. Nos résultats montrent que la distribution des RTT est cohérente en utilisant TANSIV, que ce soit avec ou sans VMI, alors que ne pas masquer les pauses VMI ou utiliser un réseau sans synchronisation résulte en une distribution incohérente des RTTs.

[1] Léo Cosseron, Louis Rilling, Matthieu Simonin, Martin Quinson. Simulating the Network Environment of Sandboxes to Hide Virtual Machine Introspection Pauses. EuroSec 2024 – 17th European Workshop on Systems Security, Apr 2024, Athène, Greece. pp.1-7, ⟨10.1145/3642974.3652280⟩. ⟨hal-04537165⟩


16 th April, 2 p.m by
Aurore FASS
Aurore Fass is a Tenure-Track Faculty at CISPA Helmholtz Center for Information Security. She got her Ph.D. from CISPA & Saarland University in 2021. From 2021 to 2023, she was a Visiting Assistant Professor of Computer Science at Stanford University.
Aurore’s research broadly focuses on Web Security & Privacy and Web Measurements. Specifically, she designs practical approaches to protect the security and privacy of Web users. She builds systems to proactively detect malicious JavaScript code and suspicious browser extensions. Aurore co-chaired the MADWeb 2024 & 2023 workshop, co-located with NDSS, and she is ACM CCS 2024 workshop co-chair. In addition, she has served on the program committees of the leading security conferences and has received Distinguished Reviewer Awards at ACM CCS 2023 & 2022, ACSAC 2023, and TheWebConf 2022.

«Studying JavaScript Security Through Static Analysis: Detection of Malicious and Vulnerable Code» JavaScript is a browser scripting language that was designed to create sophisticated and interactive web pages. However, JavaScript also provides an entry point for an attacker to exploit bugs and vulnerabilities in web pages and browser extensions. In practice, an attacker can leverage both malicious and vulnerable JavaScript code to compromise the security and privacy of Web users.
In this talk, I will approach these issues by proposing several systems to statically analyze real-world JavaScript code.
First, I will focus on _malicious JavaScript_. I will briefly introduce static detectors, which leverage machine learning techniques to detect malicious JavaScript samples. Then, I will evaluate the robustness of such static detectors in an adversarial setting. In particular, I will introduce HideNoSeek, our generic camouflage attack that consists of rewriting malicious JavaScript samples so that they have the same syntactic structure as existing benign scripts.
Finally, I will focus on _vulnerable JavaScript_ code from browser extensions. I will present DoubleX, our open-source static analyzer that detects vulnerable data flows in browser extensions with high precision (89%) and recall (93%).
Through this talk, I aim to raise awareness about the risks posed by malicious and vulnerable JavaScript code, and to discuss strategies for mitigating such threats.


19 th Mars, 2 p.m by Luca Demetrio
Luca Demetrio is Assistant Professor at the University of Genoa, and he received his Ph.D. in 2021.
His research focuses on assessing the security of machine learning threat detectors, with a strong focus on Windows malware. He is first author on several paper on the topic, and he is maintainer of SecML Malware (https://github.com/pralab/secml_malware) which automates the generation of adversarial EXEmples. He has been awarded with an honourable mention by the “Gruppo 2003” for your researchers in 2023 for his contribution on the topic, and he is reviewer for top-tier conferences like USENIX and ICLR.Also, he took part to industrial conferences like TROOPERS, and, together with other people, he will also deliver a training to BlackHat 2024 covering machine learning for malware detection and pentesting techniques with EXEmples.

Title: « Pentesting Windows malware detectors with Adversarial EXEmples ? »
  Machine learning for malware detection has received a great boost in popularity, given its inhuman performances with extremely-low numbers of false alarms, compared to static signature which are unable to cope with all the possible variants. However, recent research shows that these techniques are not bullet-proof since they are vulnerable to Adversarial EXEmples, carefully-crafted malware samples optimised to bypass detection. These are implemented through manipulations that preserve the original functionality, and their generation can be easily automated and targeted against both machine learning models and commercially-available antivirus programs.Hence, in this talk, we will provide insights on how to properly formulate these novel threats, and how they can be used to test malware detectors. Thanks to cutting-edge advancements, we will also share details on possible defenses and mitigations against Adversarial EXEmples, and we will close by highlighting limitations and possible future directions to improve this novel research field.


February 20th at 2 p.m by
Simone AONZO

Simone Aonzo is an Assistant Professor at EURECOM (France), where he teaches and conducts research in the Digital Security Department. He has extensive experience and knowledge in malware analysis (covering both Windows and Android platforms), reverse engineering, phishing, and mobile security. He is also interested in the human factors of security processes and has recently started publishing papers on this topic. He is passionate about finding and solving real-world security challenges and educating the next generation of security professionals.

Title: « Do Androids Dream of Electric Phishing? »
  In this seminar, I will present two novel and practical phishing attacks on Android that exploit some convenience features. In the first attack, I will abuse features unique to Android, namely the Autofill Framework and Instant Apps, to show how an attacker can trick password managers into autofilling credentials for malicious websites. In the second attack, I demonstrate a state inference-based phishing attack that uses the inotify APIs, in this case a feature of the Linux kernel on which Android is based, to monitor file system events and detect when the victim launches a target application.
Several vulnerabilities and their fixes were reported to both Google and major password manager developers, but even now these issues have not been fully resolved, proving once again that while secure solutions exist in theory, they are difficult to implem


Tuesday 16/01 at 2pm by Gregoire Menguy, CEA List.

Black-box Code Analysis for Reverse Engineering Through Constraint Acquisition and Program Synthesis
Software always becomes larger and more complex, making crucial tasks like code testing, verification, or code understanding highly difficult for humans. Hence the need for methods to reason about code automatically. These are usually white-box, and use the code syntax to deduce its properties. While they have proven very powerful, they also show limitations: they need the source code, the code size and the data structures’ complexity degrade their efficiency, they are highly impacted by syntactic code complexity amplified by optimizations or obfuscations. We explore how black-box code analysis can infer valuable properties for reverse engineering through data-driven learning. First, we consider the function contracts inference problem, which aims to infer over which inputs a code function can be executed to get good behaviors only. We extend the constraint acquisition learning framework, notably solving one of its major flaws: the dependency on a human user. It leads to PreCA, the first black-box approach enjoying clear theoretical guarantees. It makes PreCA especially suitable for development uses. Second, we consider the deobfuscation problem, which aims to simplify obfuscated code. Our proposal, Xyntia, synthesizes code block semantics through S-metaheuristics to offer an understandable version of the code. Xyntia significantly improves the state-of-the-art in terms of robustness and speed. In addition, we propose the two first protections efficient against black-box deobfuscation.

Comments are closed.