
VB2011 talks, Part 2

By Axelle Apvrille | October 18, 2011

A second life in a virtual environment: from simple socialization to revealing sensitive information - Sabina Raluca Datcu

Sabina conducted a study on how much security-aware people are likely to reveal on social networks.
To do so, she took 50 people from a hacking community and 50 from the IT security world, and in both cases built a fake female profile with interests similar to theirs. She shows that over time she made contact with all 100 people, and that over time all 100 revealed some personal information to her. Personal information can be something like a maiden name, an address, the type of passwords used (!), kids, etc. This tends to show that we are all likely to fall for good social engineering.

I am personally very interested in the survey, but I see a few limitations in the way it was conducted:

1- a study on two groups of 50 people is not large enough (Sabina acknowledges this in her paper). With a bigger group, though, she would probably not have been able to contact everybody and engage each person in a chat.

2- the boundary between IT security people and hackers is not very clear. It looks like she meant cyber-criminals or underground groups. Strange vocabulary?

3- actually, although Sabina used the same account to contact the people within a given group, the chats were of course all conducted manually. So the participants were not confronted with exactly the same virtual person, were they? Consequently, apart from the conclusion that everybody is vulnerable to smart social engineering, any other conclusion might be flawed, because the participants are not being compared against the same individual. In some cases, gaining trust might have required far more psychology than in others.

Malware mining - Igor Muttik

Data mining is the process of discovering patterns in a large body of data. For malware, the idea is to differentiate malicious software from genuine software based on various properties of the samples. Three data mining methods were tried: Decision Trees (DT), Decision Forests (multiple trees) and Support Vector Machines. To get good results (i.e. a high rate of correct separation between malicious and genuine samples), you need a large input set. He tried with 300,000 malware samples (PE executables) and many more clean ones.
For each sample, he extracts several properties, such as whether it is a DLL, whether it is packed, the number of imports, etc. Then he builds a DT from all those properties. The DT can be tuned towards more or fewer False Positives / True Positives; he selects the best ratio.
Unfortunately, he observes that 6 months later, the ratio obtained with his DT has decreased. If he selects more properties, the ratio decreases less over time.
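To make the approach concrete, here is an added example (not code from the talk): a minimal information-gain decision tree trained on constructed PE-style properties (is_dll, is_packed, n_imports), evaluated as a true-positive / false-positive ratio on the training set and again on a constructed "six months later" set where packed clean installers and import-heavy malware have become common, so the ratio degrades the way the talk describes.

```python
import math
from collections import Counter

FEATURES = ("is_dll", "is_packed", "n_imports")  # row = features + label (1 = malware)
TRAIN = [  # constructed "today" corpus, not the talk's 300,000-sample data
    (0, 1, 3, 1), (0, 1, 5, 1), (1, 1, 2, 1), (0, 1, 8, 1), (0, 0, 2, 1), (1, 0, 30, 1),
    (0, 0, 40, 0), (1, 0, 25, 0), (1, 0, 60, 0), (1, 0, 15, 0), (0, 1, 4, 0), (0, 0, 12, 0),
]
LATER = [  # constructed "six months later" corpus: packed clean installers, chattier malware
    (0, 1, 6, 1), (1, 0, 28, 1), (0, 0, 45, 1), (0, 1, 2, 1),
    (0, 1, 4, 0), (0, 1, 7, 0), (1, 0, 30, 0), (0, 0, 50, 0),
]

def entropy(rows):
    n = len(rows)
    counts = Counter(r[-1] for r in rows).values()
    return -sum(c / n * math.log2(c / n) for c in counts) if n else 0.0

def best_split(rows):
    """Best (gain, feature, threshold, left, right) by information gain, or None."""
    best, base = None, entropy(rows)
    for f in range(len(FEATURES)):
        for thr in sorted({r[f] for r in rows}):
            left = [r for r in rows if r[f] <= thr]
            right = [r for r in rows if r[f] > thr]
            if not left or not right:
                continue
            gain = base - (len(left) * entropy(left) + len(right) * entropy(right)) / len(rows)
            if best is None or gain > best[0]:
                best = (gain, f, thr, left, right)
    return best

def build_tree(rows, depth=0, max_depth=3):
    """Return a leaf label, or a (feature, threshold, left, right) node."""
    majority = Counter(r[-1] for r in rows).most_common(1)[0][0]
    if depth >= max_depth or len({r[-1] for r in rows}) == 1:
        return majority
    split = best_split(rows)
    if split is None:
        return majority
    _, f, thr, left, right = split
    return (f, thr, build_tree(left, depth + 1, max_depth), build_tree(right, depth + 1, max_depth))

def predict(tree, sample):
    while isinstance(tree, tuple):
        f, thr, left, right = tree
        tree = left if sample[f] <= thr else right
    return tree

def rates(tree, rows):
    """(true-positive rate, false-positive rate) of the tree over labelled rows."""
    mal = [r for r in rows if r[-1] == 1]
    clean = [r for r in rows if r[-1] == 0]
    return (sum(predict(tree, r) == 1 for r in mal) / len(mal),
            sum(predict(tree, r) == 1 for r in clean) / len(clean))
```

Running `rates(build_tree(TRAIN), TRAIN)` gives (1.0, 0.0), while the same tree on `LATER` gives (0.75, 0.5): detection drops and false positives rise once the property distribution shifts, which is why the talk's point about retraining and using more properties matters.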

Cracking Xpaj; code and payload - Andrea Lelli

Xpaj is a piece of malware that uses encryption and obfuscation (the decryptor module actually consists of a custom virtual machine with its own custom byte code), and that appears to come from many different IP addresses at random ISPs, which might suggest it has peer-to-peer functionality.
Cyber-criminals have made $46404 with the malware, which works out to more than $50 per day.
Symantec contacted (one of) the hosting companies, which agreed to cooperate. They blocked the server, of course, but also provided an image of the disks of the servers that were hosting the virus.

-- the Crypto Girl

