Papers - September 2015

September 10, 2015

I am starting a new series on this site, where I comment on papers I read in the last few weeks. I intend to publish these articles bimonthly!

> Lines of Malicious Code: Insights Into the Malicious Software Industry (2012)

Some interesting techniques but almost no usable results: malware changes over time, but remains stable for long periods of time. Who would have thought that binary matching and diffing were hard and that you trade off speed against accuracy? The bottom line is: malware changes just as normal software does, adding approximately 100-300 LoC on average in each new version.

> Before We Knew It - An Empirical Study of Zero-Day Attacks In The Real World (2012)

The paper uses surprisingly simple tactics to achieve its result, which is the identification of 18 zero-day attacks - of which 11 were unknown at the time of publication - from more or less publicly available data (Symantec’s WINE dataset).

Some of the more interesting tidbits are these:

  • A ‘typical zero-day attack’ lasts 312 days on average
  • 10% of security patches have bugs of their own (check out [1, 2] for recent examples)
  • The number of attacks increases 2 - 100 000 times after the public disclosure of vulnerabilities

> Twitter Games: How Successful Spammers Pick Targets (2012)

Spammers use Twitter with varying degrees of success. Spam tactics evolve quickly and are hard to analyse automatically. Rate limiting and, more generally, the costs associated with the modern Twitter API result in studies that work on very small data sets and are thus not really representative. Since the article is a couple of years old, chances are the findings are irrelevant by now. Be sure to check out related work if you are interested in the topic.

> Vanity, Cracks and Malware - Insights into the Anti-Copy Protection Ecosystem (2012)

Surprise! Cracks are used by criminals to spread malware! The original source - dubbed the scene - is mostly fine and has mechanisms to deal with malicious or faulty uploads (which result in what’s called a NUKE). Instead, it is the intermediate distribution steps, such as OCH, BitTorrent or even Usenet, that allow parties unrelated to the original warez groups to attach their own malicious software.

  • The authors could be the only people to ever purchase a Letitbit premium account
  • AVG free apparently was at some point a state of the art AV
  • Authors speculate that they could have found 0-day malware, because they found new samples.
  • Even though their AV reported 2/3 of all files to be infected, only 13.33% actually infected the host. This is what’s called a false positive, and is most likely not because the malicious code did not manage to persist, as the authors seem to assume.

The article highlights the need for users to be able to verify the integrity of a given crack or keygen downloaded through untrusted channels. To this end, it might be useful for release groups to sign their releases. The exact infrastructure to support this endeavor could be as simple as using PGP: the group publishes a detached signature next to each release, and a downloader who has the group’s public key can tell a pristine copy from one that was modified on the way.
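As an added example (not from the paper or this post), here is the sign-and-verify flow that suggestion implies, using GnuPG with a throwaway keyring; the release-group identity and the release file are constructed stand-ins, and the script assumes `gpg` 2.1 or newer is installed:

```shell
#!/bin/sh
# Added example: detached PGP signature over a release, verified by the downloader.
set -eu

# Throwaway keyring so the example never touches the user's real one.
export GNUPGHOME="$(mktemp -d)"
chmod 700 "$GNUPGHOME"
WORK="$(mktemp -d)"

# Release group creates its signing key once (constructed, hypothetical identity).
make_key() {
  gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
      --quick-generate-key "Example Release Group <releases@example.invalid>" default default never
}

# Group signs the release and ships release.zip together with release.zip.asc.
sign_release() {
  gpg --batch --quiet --yes --armor --detach-sign -o "$1.asc" "$1"
}

# Downloader verifies: exit status 0 means the bytes match what the key holder signed.
verify_release() {
  gpg --batch --quiet --verify "$1.asc" "$1" 2>/dev/null
}

# Constructed sample "release" standing in for a crack or keygen archive.
printf 'constructed release payload v1\n' > "$WORK/release.zip"
make_key
sign_release "$WORK/release.zip"

# The pristine copy verifies...
verify_release "$WORK/release.zip" && echo "original: signature OK"

# ...while a copy altered on an intermediate hoster fails, even though the .asc travelled with it.
cp "$WORK/release.zip.asc" "$WORK/tampered.zip.asc"
printf 'constructed release payload v1\nappended by a middleman\n' > "$WORK/tampered.zip"
if verify_release "$WORK/tampered.zip"; then
  echo "tampered: signature OK (unexpected)"
else
  echo "tampered: BAD signature, do not run"
fi
```

The check only means something if the downloader obtained the group's public key through a channel other than the download site itself, otherwise a middleman can swap both the file and the key.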

> Dual EC: A Standardized Back Door (2015)

Offers interesting views behind the scenes of the Dual EC standardization effort. Be sure to also check out Schneier’s paper “Surreptitiously Weakening Cryptographic Systems”, as well as Project Bullrun, the project’s website, which collects many of the referenced documents.

> Visualizing signatures of human activity in cities across the globe (2015)

What the hell is that font? Short and sweet paper, though its interactive web counterpart is much more exciting.