Android malware is on the rise, say researchers at G Data Security. A new report by the security firm revealed that in the first half of 2017, over 750,000 new malware apps were discovered. Android holds a 72 percent share of the mobile market, so it is reasonable that more attacks would target this platform. The number of malware samples cropping up each day is nonetheless staggering, and there's no sign the problem will be corrected anytime soon. Since 2012, new Android malware samples have increased each year, with the greatest hikes occurring over the last year.
With the rapid proliferation and increased sophistication of malicious software (malware), detection methods no longer rely only on manually generated signatures but have also incorporated more general approaches such as Machine Learning (ML) detection. Although powerful for convicting malicious artifacts, these methods do not produce any further information about the type of malware that has been detected. In this work, we address the information gap between ML and signature-based detection methods by introducing an ML-based tagging model that generates human-interpretable semantic descriptions of malicious software (e.g., file-infector, coin-miner), and argue that for less prevalent malware campaigns these provide potentially more useful and flexible information than malware family names. For this, we first introduce a method for deriving high-level descriptions of malware files from an ensemble of vendor family names. Then we formalize the problem of malware description as a tagging problem and propose a joint embedding deep neural network architecture that can learn to characterize portable executable (PE) files based on static analysis, thus not requiring a dynamic trace to identify behaviors at deployment time. We empirically demonstrate that, when evaluated against tags extracted from an ensemble of anti-virus detection names, the proposed tagging model correctly identifies more than 93.7% of eleven possible tag descriptions for a given sample, at a deployable false positive rate (FPR) of 1% per tag. Furthermore, we show that when evaluating this model against ground-truth tags derived from the results of dynamic analysis, it correctly predicts 93.5% of the labels for a given sample. These results suggest that an ML tagging model can be effectively deployed alongside a detection model for malware description.
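As an added example (not code from the paper or its authors), here is a minimal version of the two steps the abstract describes: deriving a sample's tags by voting over an ensemble of vendor detection names, and choosing a per-tag score threshold that holds the FPR at 1% before measuring how many tagged samples are recovered. The keyword-to-tag lists and the sample detection names are constructed assumptions, not the paper's own token lists.

```python
import re

# Assumed keyword-to-tag mapping (constructed for this example; the paper's
# own vocabulary is not given on the page).
TAG_KEYWORDS = {
    "coin-miner": ("miner", "coinminer"),
    "file-infector": ("virus", "infector", "sality"),
    "ransomware": ("ransom", "locker"),
    "downloader": ("downloader", "dldr"),
}

# Constructed detection names for one hypothetical sample, keyed by vendor.
SAMPLE_DETECTIONS = {
    "vendorA": "Trojan.CoinMiner.Gen",
    "vendorB": "Win32/CoinMiner.BX",
    "vendorC": "Riskware.BitCoinMiner",
    "vendorD": "Generic.Malware.SLg",
    "vendorE": "Trojan-Downloader.Win32.Agent",
}


def tags_from_detections(detections, min_votes=2):
    """Map an ensemble of vendor detection names to a set of semantic tags.

    A tag is assigned only when at least min_votes vendors use one of its
    keywords, so a single idiosyncratic name does not create a tag by itself.
    """
    votes = {tag: 0 for tag in TAG_KEYWORDS}
    for name in detections.values():
        tokens = set(re.split(r"[^a-z0-9]+", name.lower()))
        for tag, keywords in TAG_KEYWORDS.items():
            if any(kw in tok for kw in keywords for tok in tokens):
                votes[tag] += 1
    return {tag for tag, n in votes.items() if n >= min_votes}


def threshold_at_fpr(negative_scores, fpr=0.01):
    """Threshold (positive when score > thr) that keeps the false positive
    rate on samples without the tag at or below fpr."""
    ranked = sorted(negative_scores, reverse=True)
    allowed = int(fpr * len(ranked))  # number of tolerated false positives
    return ranked[allowed] if allowed < len(ranked) else float("-inf")


def recall_at_fpr(positive_scores, negative_scores, fpr=0.01):
    """Fraction of truly tagged samples recovered at the chosen FPR."""
    thr = threshold_at_fpr(negative_scores, fpr)
    return sum(1 for s in positive_scores if s > thr) / len(positive_scores)
```

With the constructed vendor names above, only coin-miner clears the two-vote bar; the lone downloader name is dropped.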
Even though Donald Trump is on good terms with North Korea, the Department of Homeland Security is still following that country's ongoing cyberattack campaign (which it has dubbed "Hidden Cobra"). Now CNN reports there's a new variant of North Korean malware to look out for: Typeframe. In a report released yesterday, the DHS says it is able to download and install additional malware, proxies and trojans; modify firewalls; and connect to servers for additional instructions. These are capabilities we've seen in plenty of malware variants; Typeframe is just the latest addition. Since last May, the DHS has issued a slew of alerts and reports about North Korea's malicious cyber activity.
During 2014, we focused mostly on stabilizing the system, fixing bugs and taking care of corner cases here and there. Then, in 2015, we began talking about a major rewrite of the generator algorithm. So far our approach did not really leverage the full capabilities of the underlying database system, namely the similarity search, which was used very naively to perform a k-NN search with some domain-specific constraints and expert-knowledge rules. After some research, we concluded that using HDBSCAN (a variant of https://en.wikipedia.org/wiki/DBSCAN) was the best fit, and our preliminary tests showed it to be promising. However, developing a variant that performed well under the time constraints we had (remember the system is supposed to create a definition in real-time!)
A version of the Bashlite IoT malware has received an update over the past few weeks that allows it to target Belkin WeMo home automation switches. Further, as part of this update, the malware can now open backdoors and run commands on infected devices, deploy a cryptocurrency mining module, detect and remove competing IoT malware, and launch an expanded range of DDoS attack types from infected devices. "While we have not seen significant detections for these versions of Bashlite, it's worth noting that it's already in the wild," cyber-security firm Trend Micro said in a report today. The company's experts believe the person who modified recent versions of the Bashlite malware to add this functionality is using a module for the Metasploit penetration testing framework to infect smart devices via the Belkin WeMo UPnP SDK. This includes Belkin WeMo home automation switches, but also routers, smart lightbulbs, electrical plugs, light switches, motion sensors, surveillance cameras, and other devices that support this SDK.