In the targeted email attacks, it is often used the documentation file embedded with the execution files. To detect this kind of malicious documentation file, researching with the malcode detection approach has been focused. However, because the attacker can write the arbitrary code, thus it is always behind of the attacker to find the unknown malcode by focusing the traditional malcode detection methods.
In this talk I will introduce a different analytical approach compared to the more traditional malcode detection approach to detecting targeted email attacks by focusing on structural analysis of file formats. I will explain the ability to detect malware solely on file size and introduce o-checker which has implemented a general detection method that does not rely on the content of malicious code.
Yuuhei Ootsubo
Started to be interested in programming around 1987.
2005 Employed by the National Police Agency.
2007 National Police Agency Public Safety Information Technology Counter Crime Division.
2001 National Police Agency Information Communication Division Information Technology Analysis Division.
2012 Assigned to The National Information Security Center.
This document provides information about the Semester VII curriculum including course details, teaching schemes, and examination schemes. Key points:
- The semester includes courses like Compiler Construction and Design, Computer Forensics and Cyber Laws, Software Testing, and an elective.
- Courses involve lectures, tutorials, and practical sessions. Examinations include internal assessments, unit tests, term work assignments, and end semester exams.
- Detailed course objectives, prerequisites, outcomes are provided for Compiler Construction and Design along with unit-wise syllabus and assignment lists.
- Similarly, course details like objectives, prerequisites, outcomes are given for Computer Forensics and Cyber Laws along with its unit-wise syllabus
FoRREST is a Python framework that provides tools for reverse engineering binaries. It represents information extracted from binaries in a hierarchy of levels from raw data to high-level analysis. FoRREST implements plugins that interface with tools like Radare2 and Boomerang to decompile and infer control flow. It stores results in a database and provides an intuitive interface to simplify reverse engineering for novices. The goals are to make as much information accessible, implement high-level analysis, and ensure the framework is extensible.
How to Use Linux Forensic Analysis Tools for Digital Investigations.pdf
Linux provides a vast range of forensic analysis tools that can be used to conduct digital investigations. The use of these tools is crucial to ensure the
integrity of the evidence collected and to maintain the chain of custody. Acquiring evidence, analyzing it, and reporting on the findings are the three main steps of a digital investigation. In this article, we have covered how to use Linux forensic analysis tools for each of these steps.
Linux forensic analysis tools provide a powerful and cost-effective solution for digital investigations. These tools are regularly updated to keep up with the latest technology and techniques. However, it is important to note that the use of these tools requires a high level of expertise and knowledge in digital forensics.
In summary, Linux forensic analysis tools are an essential part of digital investigations, and their use is becoming increasingly important as digital data continues to play a crucial role in legal proceedings. With the right expertise and knowledge, these tools can be used to acquire, analyze, and report on electronic evidence in a reliable and secure manner.
FAQs
What is a digital investigation? A digital investigation is the process of collecting, analyzing, and reporting on electronic data to uncover facts that can be used in legal proceedings.
What are Linux forensic analysis tools? Linux forensic analysis tools are a collection of software tools used to acquire, analyze, and report on electronic evidence in a digital investigation.
What are the benefits of using Linux forensic analysis tools? Linux forensic analysis tools provide a cost-effective and powerful solution for digital investigations. They are regularly updated to keep up with the latest technology and techniques.
Are Linux forensic analysis tools difficult to use? The use of Linux forensic analysis tools requires a high level of expertise and knowledge in digital forensics. However, with the right expertise, these tools can be used effectively to acquire, analyze, and report on electronic evidence.
Can Linux forensic analysis tools be used in legal proceedings? Yes, Linux forensic analysis tools can be used in legal proceedings to provide evidence in a case. However, it is important to ensure that the evidence collected is reliable, secure, and admissible in court.
Linux provides a vast range of forensic analysis tools that can be used to conduct digital investigations. The use of these tools is crucial to ensure the
integrity of the evidence collected and to maintain the chain of custody. Acquiring evidence, analyzing it, and reporting on the findings are the three main steps of a digital investigation. In this article, we have covered how to use Linux forensic analysis tools for each of these steps.
Linux forensic analysis tools provide a powerful and cost-effective solution for digital investigations. These tools are regularly updated to keep up with the latest technology and techniques. However, it is important to
La préservation des logiciels: défis et opportunités pour la reproductibilité...
This document discusses the challenges of software preservation and reproducibility in science and technology. It outlines how software is a key component of modern research but is fragile and can be lost. The state of software reproducibility in computer systems research is examined, finding that the majority of papers could not be reproduced. The Software Heritage project is introduced which aims to collect, organize, preserve and share all software to address these issues and support reproducibility. Open source software and replication are advocated for as important principles for software preservation platforms. Collaboration from the community is needed to integrate software preservation into development and publishing workflows while addressing legal and licensing issues.
When it comes to actual, real-world, active malware detection there are surprisingly few choices. Most companies invest in one anti-virus vendor and when they suspect a compromise they simply wait for them to issue signatures.
If a company thinks they may be compromised but there is no AV signature, then what?
What if we could use basic python scripting to identify malware based on signatures we produce in real time? There are plenty of python tools, scripts and frameworks for malware identification including yara, pefile, nsrl hash db, pyemu, hachoir, volatility and pyew.
What if we could integrate these together into a system for centrally issuing
indicators of compromise? What if hosts we suspect as being compromised used this system to check themselves for compromise? Lets find out...
FuzzyDbg is a debugger that integrates fuzzing and execution tracing functionality. It generates mutated inputs to test programs and identify crashes. When a crash occurs, it saves the crashing input and execution trace which details the functions triggered prior to the crash. This provides more information for analyzing crashes than a typical debugger. It aims to reduce performance overhead during tracing and provide a one-stop debugging solution.
The document discusses a smart fuzzer tool that can automatically generate test cases to test applications by providing semi-valid or corrupted input files. It specifically describes a smart fuzzer for PNG image files that understands the PNG file format and can selectively corrupt chunks like IHDR, pHYs and other common chunks. The smart fuzzer aims to test application robustness by detecting crashes or abnormal behavior when handling invalid input. It also discusses how fuzzing tools can range from simple to more advanced ones that virtualize file streams for fuzz testing at scale.
The MOOSE framework is an object-oriented multiphysics PDE solver written primarily in C++. It has over 22,000 commits from 203 contributors representing over 448,000 lines of code. It is a mature, well-established codebase maintained by a large development team with stable yearly growth. The framework takes an estimated 121 years of effort to develop and focuses on handling all parallelism so users can focus on modeling physics.
Abstract-Software is ubiquitous in our daily life. It brings us great convenience and a big headache about software reliability as well: Software is never bug-free, and software bugs keep incurring monetary loss of even catastrophes. In the pursuit of better reliability, software engineering researchers found that huge amount of data in various forms can be collected from software systems, and these data, when properly analyzed, can help improve software reliability. Unfortunately, the huge volume of complex data renders the analysis of simple techniques incompetent; consequently, studies have been resorting to data mining for more effective analysis. In the past few years, we have witnessed many studies on mining for software reliability reported in data mining as well as software engineering forums. These studies either develop new or apply existing data mining techniques to tackle reliability problems from different angles. In order to keep data mining researchers abreast of the latest development in this growing research area, we propose this paper on data mining for software reliability. In this paper, we will present a comprehensive overview of this area, examine representative studies, and lay out challenges to data mining researchers.
Improvement of Software Maintenance and Reliability using Data Mining Techniques
This document discusses using data mining techniques to improve software maintenance and reliability. It provides an overview of applying techniques like classification, association rule mining, and clustering to mine software engineering data from code bases, change histories, and bug reports. Specifically, it describes mining frequent patterns and rules from source code and revision histories to detect bugs as deviations from these patterns. A methodology is presented that involves parsing source code to build an itemset database, applying frequent itemset mining to extract programming patterns and rules, and detecting violations of rules as potential bugs. Challenges and limitations of these approaches are also discussed.
This document contains a question bank for the subject Cyber Forensics. It includes questions related to various topics in the subject organized under different parts (A, B, C). The topics covered include processing crime scenes, working with Windows/DOS systems, computer forensics tools, validating forensic data, data hiding techniques, network forensics, email investigations, and mobile device forensics. For each topic, questions ranging from basic to advanced level are provided along with their knowledge level, number of times the question has appeared in previous exams.
SHIELDEXTM is a solution that uses content disarm and reconstruction (CDR) technology to sanitize incoming external files by removing potentially malicious code and reconstructing only approved contents, in order to protect against advanced persistent threats (APTs) in a way that existing security methods cannot. The solution scans file structures, applies CDR technology, and provides logging and reporting while allowing only safe documents internally through various network access points.
This document provides an overview and outline for a research project titled "Finding Forensic Artifacts From Window Registry". The research aims to analyze the Windows Registry to find forensic artifacts from USB devices and unauthorized access. The summary provides background on the structure and contents of the Windows Registry. It also outlines some open problems regarding artifacts left in the Registry when USB devices are connected. The proposed solution will analyze specific locations in the Registry related to USB and other forensic artifacts. This research aims to build upon prior work by providing a deeper analysis of USB device identifiers and Registry locations beyond just installation locations.
Software Preservation: challenges and opportunities for reproductibility (Sci...
The document discusses the challenges of preserving software to ensure reproducibility in science. It notes that 81% of computer science papers studied were found to be non-reproducible due to a lack of available source code and documentation. Preserving software is complex as it often has dependencies on other software and hardware. However, software embodies much of our scientific and technical knowledge, so efforts must be made to preserve and provide access to source code in order to establish reproducibility as the foundation of scientific inquiry.
"Keynote - Preserving Software: Challenges and Opportunities for Reproducibility of Science and Technology"
By Roberto Di Cosmo, Irill for ScilabTEC 2015
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...
It started with computer hacking and Japanese linguistics as a kid. Zach Mathis has been based in Kobe, Japan, and has performed both red team services as well as blue team incident response and defense consultation for major Japanese global Japanese corporations since 2006. He is the founder of Yamato Security, one of the largest and most popular hands-on security communities in Japan, and has been providing free training since 2012 to help improve the local security community. Since 2016, he has been teaching security for the SANS institute and holds numerous GIAC certifications. Currently, he is working with other Yamato security members to provide free and open-source security tools to help security analysts with their work.
An expert in mobile network security provided a summary of hacking 5G networks. Some key points include:
1) Standard IT security techniques uncovered issues when applied to upgraded legacy 4G networks, such as unpatched operating systems, weak configurations, and lack of encryption.
2) Future 5G networks introduce new security risks due to increased complexity from virtualization and automation layers, as well as a continuously evolving attack surface extending into cloud infrastructure.
3) Red team exercises show that hacking mobile networks has become a multi-step process, where initial access through one vulnerability can enable lateral movement and privilege escalation to compromise critical systems or customer data.
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...
Printer has become one of the essential devices in the corporate intranet for the past few years, and its functionalities have also increased significantly. Not only print or fax, cloud printing services like AirPrint are also being supported as well to make it easier to use. Direct printing from mobile devices is now a basic requirement in the IoT era. We also use it to print some internal business documents of the company, which makes it even more important to keep the printer safe.
Nowadays, most of the printers on the market do not have to be connected with USB or traditional cable. As long as you are using a LAN cable connected to the intranet, the computer can find and use the printer immediately. Most of them are based on protocols such as SLP and LLMNR. But is it really safe when vendors adopt those protocols? Furthermore, many printers do not use traditional Linux systems, but use RTOS(Real-Time Operating System) instead, how will this affect the attacker?
In this talk, we will use Canon ImageCLASS MF644Cdw and HP Color LaserJet Pro MFP M283fdw as case study, showing how to analyze and gain control access to the printer. We will also demonstrate how to use the vulnerabilities to achieve RCE in RTOS in unauthenticated situations.
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...
Yuuma Taki is enrolled in the Hokkaido Information University Information Media Faculty of Information Media (4th year).
At university he is focusing on learning about security for lower-level components, such OS and CPU. In his third year of undergraduate school, he worked on trying to implement the OS security mechanism "KASLR", at Sechack365.
Currently, he is learning about ROP derivative technology and embedded equipment security.
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...
In October 2021, we published the first analysis of Wslink – a unique loader likely linked to the Lazarus group. Most samples are packed and protected with an advanced virtual machine (VM) obfuscator; the samples contain no clear artifacts and we initially did not associate the obfuscation with a publicly known VM, but we later managed to connect it to CodeVirtualizer. This VM introduces several additional obfuscation techniques such as insertion of junk code, encoding of virtual operands, duplication of virtual opcodes, opaque predicates, merging of virtual instructions, and a nested VM.
Our presentation analyzes the internals of the VM and describes our semi automated approach to “see through” the obfuscation techniques in reasonable time. We demonstrate the approach on some bytecode from a protected sample and compare the results with a non-obfuscated sample, found subsequent to starting our analysis, confirming the method’s validity. Our solution is based on a known deobfuscation method that extracts the semantics of the virtual opcodes, using symbolic execution with simplifying rules. We further treat the bytecode chunks and some internal constructs of the VM as concrete values instead of as symbolic ones, enabling the known deobfuscation method to deal with the additional obfuscation techniques automatically.
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...
Kimsuky is a North Korean APT possibly controlled by North Korea's Reconnaissance General Bureau. Based on reports from the Korea Internet & Security Agency (KISA) and other vendors, TeamT5 identified that Kimsuky's most active group, CloudDragon, built a workflow functioning as a "Credential Factory," collecting and exploiting these massive credentials.
The credential factory powers CloudDragon to start its espionage campaigns. CloudDragon's campaigns have aligned with DPRK's interests, targeting the organizations and key figures playing a role in the DPRK relationship. Our database suggested that CloudDragon has possibly infiltrated targets in South Korea, Japan, and the United States. Victims include think tanks, NGOs, media agencies, educational institutes, and many individuals.
CloudDragon's "Credential Factory" can be divided into three small cycles, "Daily Cycle," "Campaign Cycle," and "Post-exploit Cycle." The"Daily Cycle" can collect massive credentials and use the stolen credentials to accelerate its APT life cycle.
In the "Campaign Cycle," CloudDragon develops many new malware. While we responded to CloudDragon's incidents, we found that the actor still relied on BabyShark malware. CloudDragon once used BabyShark to deploy a new browser extension malware targeting victims' browsers. Moreover, CloudDragon is also developing a shellcode-based malware, Dust.
In the "Post-exploit Cycle," the actor relied on hacking tools rather than malicious backdoors. We also identified that the actor used remote desktop software to prevent detection.
In this presentation, we will go through some of the most significant operations conducted by CloudDragon, and more importantly, we will provide possible scenarios of future invasions for defense and detection.
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...
Social media is no doubt a critical battlefield for threat actors to launch InfoOps, especially in a critical moment such as wartime or the election season. We have seen Bot-Driven Information Operations (InfoOps, aka influence campaign) have attempted to spread disinformation, incite protests in the physical world, and doxxing against journalists.
China's Bots-Driven InfoOps, despite operating on a massive scale, are often considered to have low impact and very little organic engagement. In this talk, we will share our observations on these persistent Bots-Driven InfoOps and dissect their harmful disinformation campaigns circulated in cyberspace.
In the past, most bots-driven operations simply parroted narratives of the Chinese propaganda machine, mechanically disseminating the same propaganda and disinformation artifacts made by Chinese state media. However, recently, we saw the newly created bots turn to post artifacts in a livelier manner. They utilized various tactics, including reposting screenshots of forum posts and disguised as members of “Milk Tea Alliance,” to create a false appearance that such content is being echoed across cyberspace.
We particularly focus on an ongoing China's bots-driven InfoOps targeting Taiwan, which we dub "Operation ChinaRoot." Starting in mid-2021, the bots have been disseminating manipulated information about Taiwan's local politics and Covid-19 measures. Our further investigation has also identified the linkage between Operation ChinaRoot and other Chinese state-linked networks such as DRAGONBRIDGE and Spamouflage.
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...
Malwares written in Go is increasing every year. Go's cross-platform nature makes it an opportune language for attackers who wish to target multiple platforms. On the other hand, the statically linked libraries make it difficult to distinguish between user functions and libraries, making it difficult for analysts to analyze. This situation has increased the demand for Go malware classification and exploration.
In this talk, we will demonstrate the feasibility of computing similarity and classification of Go malware using a newly proposed method called gimpfuzzy. We have implemented "gimpfuzzy", which incorporates Fuzzy Hashing into the existing gimphash method. In this talk, we will verify the discrimination rate of the classification using the proposed method and confirm the validity of the proposed method by discussing some examples from the classified results. We will also discuss issues in Go-malware classification.
This document discusses the results of long-term scanning and analysis of Winnti 4.0 and ShadowPad malware command and control (C2) protocols. It finds that Winnti 4.0 C2s primarily use TLS, HTTPS, and HTTP, while ShadowPad variants primarily use TCP, HTTPS, and HTTP. Analysis of the protocols reveals encryption methods, packet structures, and server-side functionality. Over time, the number and distribution of active C2s changed, likely in response to research publications and incident response actions. The document advocates for anonymization techniques and merits and risks of future research publications.
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...
We are swamped with new types of malware every day. The goal of malware analysis is not to reveal every single detail of the malware. It is more important to develop tools for efficiency or introduce automation to avoid repeating the same analysis process. Therefore, malware analysts usually actively develop tools and build analysis systems. On the other hand, it costs a lot for such tool developments and system maintenance. Incident trends change daily, and malware keeps evolving. However, it is not easy to keep up with new threats. Malware analysts spend a long time maintaining their analysis systems, and it results in reducing their time for necessary analysis of new types of malware.
To solve these problems, we incorporate DevOps practices into malware analysis to reduce the cost of system maintenance by using CI/CD and Serverless. This presentation shares our experience on how CI/CD, Serverless, and other cloud technologies can be used to streamline malware analysis. Specifically, the following case studies are discussed.
* Malware C2 Monitoring
* Malware Hunting using Cloud
* YARA CI/CD system
* Malware Analysis System on Cloud
* Memory Forensic on Cloud
Through the above case studies, we will share the benefits and tips of using the cloud and show how to build a similar system using Infrastructure as Code (IaC). The audience will learn how to improve the efficiency of malware analysis and build a malware analysis system using Cloud infrastructure.
Blockchain technology is transforming industries and reshaping the way we conduct business, manage data, and secure transactions. Whether you're new to blockchain or looking to deepen your knowledge, our guidebook, "Blockchain for Dummies", is your ultimate resource.
Mitigating the Impact of State Management in Cloud Stream Processing Systems
Stream processing is a crucial component of modern data infrastructure, but constructing an efficient and scalable stream processing system can be challenging. Decoupling compute and storage architecture has emerged as an effective solution to these challenges, but it can introduce high latency issues, especially when dealing with complex continuous queries that necessitate managing extra-large internal states.
In this talk, we focus on addressing the high latency issues associated with S3 storage in stream processing systems that employ a decoupled compute and storage architecture. We delve into the root causes of latency in this context and explore various techniques to minimize the impact of S3 latency on stream processing performance. Our proposed approach is to implement a tiered storage mechanism that leverages a blend of high-performance and low-cost storage tiers to reduce data movement between the compute and storage layers while maintaining efficient processing.
Throughout the talk, we will present experimental results that demonstrate the effectiveness of our approach in mitigating the impact of S3 latency on stream processing. By the end of the talk, attendees will have gained insights into how to optimize their stream processing systems for reduced latency and improved cost-efficiency.
Support en anglais diffusé lors de l'événement 100% IA organisé dans les locaux parisiens d'Iguane Solutions, le mardi 2 juillet 2024 :
- Présentation de notre plateforme IA plug and play : ses fonctionnalités avancées, telles que son interface utilisateur intuitive, son copilot puissant et des outils de monitoring performants.
- REX client : Cyril Janssens, CTO d’ easybourse, partage son expérience d’utilisation de notre plateforme IA plug & play.
How Social Media Hackers Help You to See Your Wife's Message.pdf
In the modern digital era, social media platforms have become integral to our daily lives. These platforms, including Facebook, Instagram, WhatsApp, and Snapchat, offer countless ways to connect, share, and communicate.
If you’ve ever had to analyze a map or GPS data, chances are you’ve encountered and even worked with coordinate systems. As historical data continually updates through GPS, understanding coordinate systems is increasingly crucial. However, not everyone knows why they exist or how to effectively use them for data-driven insights.
During this webinar, you’ll learn exactly what coordinate systems are and how you can use FME to maintain and transform your data’s coordinate systems in an easy-to-digest way, accurately representing the geographical space that it exists within. During this webinar, you will have the chance to:
- Enhance Your Understanding: Gain a clear overview of what coordinate systems are and their value
- Learn Practical Applications: Why we need datams and projections, plus units between coordinate systems
- Maximize with FME: Understand how FME handles coordinate systems, including a brief summary of the 3 main reprojectors
- Custom Coordinate Systems: Learn how to work with FME and coordinate systems beyond what is natively supported
- Look Ahead: Gain insights into where FME is headed with coordinate systems in the future
Don’t miss the opportunity to improve the value you receive from your coordinate system data, ultimately allowing you to streamline your data analysis and maximize your time. See you there!
Sustainability requires ingenuity and stewardship. Did you know Pigging Solutions pigging systems help you achieve your sustainable manufacturing goals AND provide rapid return on investment.
How? Our systems recover over 99% of product in transfer piping. Recovering trapped product from transfer lines that would otherwise become flush-waste, means you can increase batch yields and eliminate flush waste. From raw materials to finished product, if you can pump it, we can pig it.
The document provides an overview of a product demonstration of Fidelis Cybersecurity's product line that will take place over 2 hours. It introduces two members of Fidelis' threat research team, John Laycock and Chris Rogers, and their backgrounds. The demonstration will include graphs on current APT threats, deployment best practices diagrams, optimization of infrastructure for the cyber kill chain, and pricing/availability information. The document then covers deductive reasoning techniques for file analysis, including analyzing NTFS metadata like MAC times, common file system locations for malware, registry keys used for persistence, Prefetch files, and the Task Scheduler. It discusses tools like hex editors, entropy analyzers, hash calculators, and PE analyzers that
The document summarizes a cyber espionage attack against the Georgian government discovered in March 2011. Advanced malware was collecting sensitive security documents from Georgian and American systems and uploading them to command and control servers linked to Russian security agencies. The sophisticated malware infected over 390 computers, 70% of which were in Georgia, through compromised Georgian news websites. It was able to fully control infected machines, search for sensitive words, and record audio and video. After extensive analysis of command and control servers and malware files, Georgian authorities determined that the Russian government was behind the attack.
2014 10-14: GitHub plus FOSS == 1 million SPDXNuno Brito
SPDX is an open format for describing software licenses, contents and ownership. It is a simple text document with great benefits for software governance. But have you ever seen one? Despite being an open standard, there aren't many available to public. Using only Linux, GitHub and F/OSS tools, Nuno and Ben were fuelled to prove that SPDX is also applicable to everyday projects. As result, the first large-scale SPDX Internet archive came to exist. Join this presentation to learn how over 1 million SPDX documents were created using open data in large-scale repositories and how easy it is to create one. From now forward you'll be able to express the licenses in your code automatically and create licensing transparency by yourself.
This document provides information about the Semester VII curriculum including course details, teaching schemes, and examination schemes. Key points:
- The semester includes courses like Compiler Construction and Design, Computer Forensics and Cyber Laws, Software Testing, and an elective.
- Courses involve lectures, tutorials, and practical sessions. Examinations include internal assessments, unit tests, term work assignments, and end semester exams.
- Detailed course objectives, prerequisites, outcomes are provided for Compiler Construction and Design along with unit-wise syllabus and assignment lists.
- Similarly, course details like objectives, prerequisites, outcomes are given for Computer Forensics and Cyber Laws along with its unit-wise syllabus
FoRREST is a Python framework that provides tools for reverse engineering binaries. It represents information extracted from binaries in a hierarchy of levels from raw data to high-level analysis. FoRREST implements plugins that interface with tools like Radare2 and Boomerang to decompile and infer control flow. It stores results in a database and provides an intuitive interface to simplify reverse engineering for novices. The goals are to make as much information accessible, implement high-level analysis, and ensure the framework is extensible.
How to Use Linux Forensic Analysis Tools for Digital Investigations.pdfuzair
Linux provides a vast range of forensic analysis tools that can be used to conduct digital investigations. The use of these tools is crucial to ensure the
integrity of the evidence collected and to maintain the chain of custody. Acquiring evidence, analyzing it, and reporting on the findings are the three main steps of a digital investigation. In this article, we have covered how to use Linux forensic analysis tools for each of these steps.
Linux forensic analysis tools provide a powerful and cost-effective solution for digital investigations. These tools are regularly updated to keep up with the latest technology and techniques. However, it is important to note that the use of these tools requires a high level of expertise and knowledge in digital forensics.
In summary, Linux forensic analysis tools are an essential part of digital investigations, and their use is becoming increasingly important as digital data continues to play a crucial role in legal proceedings. With the right expertise and knowledge, these tools can be used to acquire, analyze, and report on electronic evidence in a reliable and secure manner.
FAQs
What is a digital investigation? A digital investigation is the process of collecting, analyzing, and reporting on electronic data to uncover facts that can be used in legal proceedings.
What are Linux forensic analysis tools? Linux forensic analysis tools are a collection of software tools used to acquire, analyze, and report on electronic evidence in a digital investigation.
What are the benefits of using Linux forensic analysis tools? Linux forensic analysis tools provide a cost-effective and powerful solution for digital investigations. They are regularly updated to keep up with the latest technology and techniques.
Are Linux forensic analysis tools difficult to use? The use of Linux forensic analysis tools requires a high level of expertise and knowledge in digital forensics. However, with the right expertise, these tools can be used effectively to acquire, analyze, and report on electronic evidence.
Can Linux forensic analysis tools be used in legal proceedings? Yes, Linux forensic analysis tools can be used in legal proceedings to provide evidence in a case. However, it is important to ensure that the evidence collected is reliable, secure, and admissible in court.
Linux provides a vast range of forensic analysis tools that can be used to conduct digital investigations. The use of these tools is crucial to ensure the
integrity of the evidence collected and to maintain the chain of custody. Acquiring evidence, analyzing it, and reporting on the findings are the three main steps of a digital investigation. In this article, we have covered how to use Linux forensic analysis tools for each of these steps.
Linux forensic analysis tools provide a powerful and cost-effective solution for digital investigations. These tools are regularly updated to keep up with the latest technology and techniques. However, it is important to
La préservation des logiciels: défis et opportunités pour la reproductibilité...Roberto Di Cosmo
This document discusses the challenges of software preservation and reproducibility in science and technology. It outlines how software is a key component of modern research but is fragile and can be lost. The state of software reproducibility in computer systems research is examined, finding that the majority of papers could not be reproduced. The Software Heritage project is introduced which aims to collect, organize, preserve and share all software to address these issues and support reproducibility. Open source software and replication are advocated for as important principles for software preservation platforms. Collaboration from the community is needed to integrate software preservation into development and publishing workflows while addressing legal and licensing issues.
When it comes to actual, real-world, active malware detection there are surprisingly few choices. Most companies invest in one anti-virus vendor and when they suspect a compromise they simply wait for them to issue signatures.
If a company thinks they may be compromised but there is no AV signature, then what?
What if we could use basic python scripting to identify malware based on signatures we produce in real time? There are plenty of python tools, scripts and frameworks for malware identification including yara, pefile, nsrl hash db, pyemu, hachoir, volatility and pyew.
What if we could integrate these together into a system for centrally issuing
indicators of compromise? What if hosts we suspect as being compromised used this system to check themselves for compromise? Lets find out...
FuzzyDbg is a debugger that integrates fuzzing and execution tracing functionality. It generates mutated inputs to test programs and identify crashes. When a crash occurs, it saves the crashing input and execution trace which details the functions triggered prior to the crash. This provides more information for analyzing crashes than a typical debugger. It aims to reduce performance overhead during tracing and provide a one-stop debugging solution.
The document discusses a smart fuzzer tool that can automatically generate test cases to test applications by providing semi-valid or corrupted input files. It specifically describes a smart fuzzer for PNG image files that understands the PNG file format and can selectively corrupt chunks like IHDR, pHYs and other common chunks. The smart fuzzer aims to test application robustness by detecting crashes or abnormal behavior when handling invalid input. It also discusses how fuzzing tools can range from simple to more advanced ones that virtualize file streams for fuzz testing at scale.
The MOOSE framework is an object-oriented multiphysics PDE solver written primarily in C++. It has over 22,000 commits from 203 contributors representing over 448,000 lines of code. It is a mature, well-established codebase maintained by a large development team with stable yearly growth. The framework takes an estimated 121 years of effort to develop and focuses on handling all parallelism so users can focus on modeling physics.
Abstract-Software is ubiquitous in our daily life. It brings us great convenience and a big headache about software reliability as well: Software is never bug-free, and software bugs keep incurring monetary loss of even catastrophes. In the pursuit of better reliability, software engineering researchers found that huge amount of data in various forms can be collected from software systems, and these data, when properly analyzed, can help improve software reliability. Unfortunately, the huge volume of complex data renders the analysis of simple techniques incompetent; consequently, studies have been resorting to data mining for more effective analysis. In the past few years, we have witnessed many studies on mining for software reliability reported in data mining as well as software engineering forums. These studies either develop new or apply existing data mining techniques to tackle reliability problems from different angles. In order to keep data mining researchers abreast of the latest development in this growing research area, we propose this paper on data mining for software reliability. In this paper, we will present a comprehensive overview of this area, examine representative studies, and lay out challenges to data mining researchers.
Improvement of Software Maintenance and Reliability using Data Mining Techniquesijdmtaiir
This document discusses using data mining techniques to improve software maintenance and reliability. It provides an overview of applying techniques like classification, association rule mining, and clustering to mine software engineering data from code bases, change histories, and bug reports. Specifically, it describes mining frequent patterns and rules from source code and revision histories to detect bugs as deviations from these patterns. A methodology is presented that involves parsing source code to build an itemset database, applying frequent itemset mining to extract programming patterns and rules, and detecting violations of rules as potential bugs. Challenges and limitations of these approaches are also discussed.
This document contains a question bank for the subject Cyber Forensics. It includes questions related to various topics in the subject organized under different parts (A, B, C). The topics covered include processing crime scenes, working with Windows/DOS systems, computer forensics tools, validating forensic data, data hiding techniques, network forensics, email investigations, and mobile device forensics. For each topic, questions ranging from basic to advanced level are provided along with their knowledge level, number of times the question has appeared in previous exams.
SHIELDEXTM is a solution that uses content disarm and reconstruction (CDR) technology to sanitize incoming external files by removing potentially malicious code and reconstructing only approved contents, in order to protect against advanced persistent threats (APTs) in a way that existing security methods cannot. The solution scans file structures, applies CDR technology, and provides logging and reporting while allowing only safe documents internally through various network access points.
This document provides an overview and outline for a research project titled "Finding Forensic Artifacts From Window Registry". The research aims to analyze the Windows Registry to find forensic artifacts from USB devices and unauthorized access. The summary provides background on the structure and contents of the Windows Registry. It also outlines some open problems regarding artifacts left in the Registry when USB devices are connected. The proposed solution will analyze specific locations in the Registry related to USB and other forensic artifacts. This research aims to build upon prior work by providing a deeper analysis of USB device identifiers and Registry locations beyond just installation locations.
Software Preservation: challenges and opportunities for reproductibility (Sci...Roberto Di Cosmo
The document discusses the challenges of preserving software to ensure reproducibility in science. It notes that 81% of computer science papers studied were found to be non-reproducible due to a lack of available source code and documentation. Preserving software is complex as it often has dependencies on other software and hardware. However, software embodies much of our scientific and technical knowledge, so efforts must be made to preserve and provide access to source code in order to establish reproducibility as the foundation of scientific inquiry.
"Keynote - Preserving Software: Challenges and Opportunities for Reproducibility of Science and Technology"
By Roberto Di Cosmo, Irill for ScilabTEC 2015
Similar to o-checker : Malicious document file detection tool - Malicious feature can be detected based on file size by Yuuhei Ootsubo (20)
[cb22] Hayabusa Threat Hunting and Fast Forensics in Windows environments fo...CODE BLUE
It started with computer hacking and Japanese linguistics as a kid. Zach Mathis has been based in Kobe, Japan, and has performed both red team services as well as blue team incident response and defense consultation for major Japanese global Japanese corporations since 2006. He is the founder of Yamato Security, one of the largest and most popular hands-on security communities in Japan, and has been providing free training since 2012 to help improve the local security community. Since 2016, he has been teaching security for the SANS institute and holds numerous GIAC certifications. Currently, he is working with other Yamato security members to provide free and open-source security tools to help security analysts with their work.
[cb22] Tales of 5G hacking by Karsten NohlCODE BLUE
An expert in mobile network security provided a summary of hacking 5G networks. Some key points include:
1) Standard IT security techniques uncovered issues when applied to upgraded legacy 4G networks, such as unpatched operating systems, weak configurations, and lack of encryption.
2) Future 5G networks introduce new security risks due to increased complexity from virtualization and automation layers, as well as a continuously evolving attack surface extending into cloud infrastructure.
3) Red team exercises show that hacking mobile networks has become a multi-step process, where initial access through one vulnerability can enable lateral movement and privilege escalation to compromise critical systems or customer data.
[cb22] Your Printer is not your Printer ! - Hacking Printers at Pwn2Own by A...CODE BLUE
Printer has become one of the essential devices in the corporate intranet for the past few years, and its functionalities have also increased significantly. Not only print or fax, cloud printing services like AirPrint are also being supported as well to make it easier to use. Direct printing from mobile devices is now a basic requirement in the IoT era. We also use it to print some internal business documents of the company, which makes it even more important to keep the printer safe.
Nowadays, most of the printers on the market do not have to be connected with USB or traditional cable. As long as you are using a LAN cable connected to the intranet, the computer can find and use the printer immediately. Most of them are based on protocols such as SLP and LLMNR. But is it really safe when vendors adopt those protocols? Furthermore, many printers do not use traditional Linux systems, but use RTOS(Real-Time Operating System) instead, how will this affect the attacker?
In this talk, we will use Canon ImageCLASS MF644Cdw and HP Color LaserJet Pro MFP M283fdw as case study, showing how to analyze and gain control access to the printer. We will also demonstrate how to use the vulnerabilities to achieve RCE in RTOS in unauthenticated situations.
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
[cb22] ”The Present and Future of Coordinated Vulnerability Disclosure” Inte...CODE BLUE
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.
[cb22] "The Present and Future of Coordinated Vulnerability Disclosure" Inter...CODE BLUE
While hackers have known the importance of sharing research to improve security for years, the importance of coordinated vulnerability disclosure is increasingly recognized by governments around the world. The principals of disclosure an protecting security researchers are common across borders, but different countries have some key differences. This panel will present a global perspective that may in turn inform key public policy and company behavior.
ENISA has published 'Coordinated Vulnerability Disclosure policies in the EU' in April 2022 . This report not only provides an objective introduction to the current state of coordinated vulnerability disclosure policies in the Member States of the European Union, but also introduces the operation of vulnerability disclosure in China, Japan and the USA. Based on these findings, the desirable and good practice elements of a coordinated vulnerability disclosure process are examined, followed by a discussion of the challenges and issues.
This session aims to share the contents of this report and clarify the challenges and future direction of operations in Japan, as well as national security and vulnerability handling issues in the US, in a panel discussion with representatives from various jurisdictions.
The panelists are involved in the practice of early warning partnership notified bodies in Japan, the authors of the above report in Europe and the contributors to the above report in the US.
In Japan, the issues of system awareness, incentives, increase in the number of outstanding cases in handling and so-called triage in handling vulnerabilities will be introduced.
From the United States, the Vulnerabilities Equities Process for National Security and the publication of a non-prosecution policy for vulnerability research will be introduced, as well as a historical background on the issue.
The aim is that the panel discussion will enable the audience to understand the international situation surrounding CVD, as well as future trends, in particular the important role of vulnerability in cybersecurity and the challenges faced by society around it.
[cb22] Are Embedded Devices Ready for ROP Attacks? -ROP verification for low-...CODE BLUE
Yuuma Taki is enrolled in the Hokkaido Information University Information Media Faculty of Information Media (4th year).
At university he is focusing on learning about security for lower-level components, such OS and CPU. In his third year of undergraduate school, he worked on trying to implement the OS security mechanism "KASLR", at Sechack365.
Currently, he is learning about ROP derivative technology and embedded equipment security.
[cb22] Under the hood of Wslink’s multilayered virtual machine en by Vladisla...CODE BLUE
In October 2021, we published the first analysis of Wslink – a unique loader likely linked to the Lazarus group. Most samples are packed and protected with an advanced virtual machine (VM) obfuscator; the samples contain no clear artifacts and we initially did not associate the obfuscation with a publicly known VM, but we later managed to connect it to CodeVirtualizer. This VM introduces several additional obfuscation techniques such as insertion of junk code, encoding of virtual operands, duplication of virtual opcodes, opaque predicates, merging of virtual instructions, and a nested VM.
Our presentation analyzes the internals of the VM and describes our semi automated approach to “see through” the obfuscation techniques in reasonable time. We demonstrate the approach on some bytecode from a protected sample and compare the results with a non-obfuscated sample, found subsequent to starting our analysis, confirming the method’s validity. Our solution is based on a known deobfuscation method that extracts the semantics of the virtual opcodes, using symbolic execution with simplifying rules. We further treat the bytecode chunks and some internal constructs of the VM as concrete values instead of as symbolic ones, enabling the known deobfuscation method to deal with the additional obfuscation techniques automatically.
[cb22] CloudDragon’s Credential Factory is Powering Up Its Espionage Activiti...CODE BLUE
Kimsuky is a North Korean APT possibly controlled by North Korea's Reconnaissance General Bureau. Based on reports from the Korea Internet & Security Agency (KISA) and other vendors, TeamT5 identified that Kimsuky's most active group, CloudDragon, built a workflow functioning as a "Credential Factory," collecting and exploiting these massive credentials.
The credential factory powers CloudDragon to start its espionage campaigns. CloudDragon's campaigns have aligned with DPRK's interests, targeting the organizations and key figures playing a role in the DPRK relationship. Our database suggested that CloudDragon has possibly infiltrated targets in South Korea, Japan, and the United States. Victims include think tanks, NGOs, media agencies, educational institutes, and many individuals.
CloudDragon's "Credential Factory" can be divided into three small cycles, "Daily Cycle," "Campaign Cycle," and "Post-exploit Cycle." The"Daily Cycle" can collect massive credentials and use the stolen credentials to accelerate its APT life cycle.
In the "Campaign Cycle," CloudDragon develops many new malware. While we responded to CloudDragon's incidents, we found that the actor still relied on BabyShark malware. CloudDragon once used BabyShark to deploy a new browser extension malware targeting victims' browsers. Moreover, CloudDragon is also developing a shellcode-based malware, Dust.
In the "Post-exploit Cycle," the actor relied on hacking tools rather than malicious backdoors. We also identified that the actor used remote desktop software to prevent detection.
In this presentation, we will go through some of the most significant operations conducted by CloudDragon, and more importantly, we will provide possible scenarios of future invasions for defense and detection.
[cb22] From Parroting to Echoing: The Evolution of China’s Bots-Driven Info...CODE BLUE
Social media is no doubt a critical battlefield for threat actors to launch InfoOps, especially in a critical moment such as wartime or the election season. We have seen Bot-Driven Information Operations (InfoOps, aka influence campaign) have attempted to spread disinformation, incite protests in the physical world, and doxxing against journalists.
China's Bots-Driven InfoOps, despite operating on a massive scale, are often considered to have low impact and very little organic engagement. In this talk, we will share our observations on these persistent Bots-Driven InfoOps and dissect their harmful disinformation campaigns circulated in cyberspace.
In the past, most bots-driven operations simply parroted narratives of the Chinese propaganda machine, mechanically disseminating the same propaganda and disinformation artifacts made by Chinese state media. However, recently, we saw the newly created bots turn to post artifacts in a livelier manner. They utilized various tactics, including reposting screenshots of forum posts and disguised as members of “Milk Tea Alliance,” to create a false appearance that such content is being echoed across cyberspace.
We particularly focus on an ongoing China's bots-driven InfoOps targeting Taiwan, which we dub "Operation ChinaRoot." Starting in mid-2021, the bots have been disseminating manipulated information about Taiwan's local politics and Covid-19 measures. Our further investigation has also identified the linkage between Operation ChinaRoot and other Chinese state-linked networks such as DRAGONBRIDGE and Spamouflage.
[cb22] Who is the Mal-Gopher? - Implementation and Evaluation of “gimpfuzzy”...CODE BLUE
Malwares written in Go is increasing every year. Go's cross-platform nature makes it an opportune language for attackers who wish to target multiple platforms. On the other hand, the statically linked libraries make it difficult to distinguish between user functions and libraries, making it difficult for analysts to analyze. This situation has increased the demand for Go malware classification and exploration.
In this talk, we will demonstrate the feasibility of computing similarity and classification of Go malware using a newly proposed method called gimpfuzzy. We have implemented "gimpfuzzy", which incorporates Fuzzy Hashing into the existing gimphash method. In this talk, we will verify the discrimination rate of the classification using the proposed method and confirm the validity of the proposed method by discussing some examples from the classified results. We will also discuss issues in Go-malware classification.
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...CODE BLUE
This document discusses the results of long-term scanning and analysis of Winnti 4.0 and ShadowPad malware command and control (C2) protocols. It finds that Winnti 4.0 C2s primarily use TLS, HTTPS, and HTTP, while ShadowPad variants primarily use TCP, HTTPS, and HTTP. Analysis of the protocols reveals encryption methods, packet structures, and server-side functionality. Over time, the number and distribution of active C2s changed, likely in response to research publications and incident response actions. The document advocates for anonymization techniques and merits and risks of future research publications.
[cb22] Fight Against Malware Development Life Cycle by Shusei Tomonaga and Yu...CODE BLUE
We are swamped with new types of malware every day. The goal of malware analysis is not to reveal every single detail of the malware. It is more important to develop tools for efficiency or introduce automation to avoid repeating the same analysis process. Therefore, malware analysts usually actively develop tools and build analysis systems. On the other hand, it costs a lot for such tool developments and system maintenance. Incident trends change daily, and malware keeps evolving. However, it is not easy to keep up with new threats. Malware analysts spend a long time maintaining their analysis systems, and it results in reducing their time for necessary analysis of new types of malware.
To solve these problems, we incorporate DevOps practices into malware analysis to reduce the cost of system maintenance by using CI/CD and Serverless. This presentation shares our experience on how CI/CD, Serverless, and other cloud technologies can be used to streamline malware analysis. Specifically, the following case studies are discussed.
* Malware C2 Monitoring
* Malware Hunting using Cloud
* YARA CI/CD system
* Malware Analysis System on Cloud
* Memory Forensic on Cloud
Through the above case studies, we will share the benefits and tips of using the cloud and show how to build a similar system using Infrastructure as Code (IaC). The audience will learn how to improve the efficiency of malware analysis and build a malware analysis system using Cloud infrastructure.
Blockchain technology is transforming industries and reshaping the way we conduct business, manage data, and secure transactions. Whether you're new to blockchain or looking to deepen your knowledge, our guidebook, "Blockchain for Dummies", is your ultimate resource.
Mitigating the Impact of State Management in Cloud Stream Processing SystemsScyllaDB
Stream processing is a crucial component of modern data infrastructure, but constructing an efficient and scalable stream processing system can be challenging. Decoupling compute and storage architecture has emerged as an effective solution to these challenges, but it can introduce high latency issues, especially when dealing with complex continuous queries that necessitate managing extra-large internal states.
In this talk, we focus on addressing the high latency issues associated with S3 storage in stream processing systems that employ a decoupled compute and storage architecture. We delve into the root causes of latency in this context and explore various techniques to minimize the impact of S3 latency on stream processing performance. Our proposed approach is to implement a tiered storage mechanism that leverages a blend of high-performance and low-cost storage tiers to reduce data movement between the compute and storage layers while maintaining efficient processing.
Throughout the talk, we will present experimental results that demonstrate the effectiveness of our approach in mitigating the impact of S3 latency on stream processing. By the end of the talk, attendees will have gained insights into how to optimize their stream processing systems for reduced latency and improved cost-efficiency.
Support en anglais diffusé lors de l'événement 100% IA organisé dans les locaux parisiens d'Iguane Solutions, le mardi 2 juillet 2024 :
- Présentation de notre plateforme IA plug and play : ses fonctionnalités avancées, telles que son interface utilisateur intuitive, son copilot puissant et des outils de monitoring performants.
- REX client : Cyril Janssens, CTO d’ easybourse, partage son expérience d’utilisation de notre plateforme IA plug & play.
How Social Media Hackers Help You to See Your Wife's Message.pdfHackersList
In the modern digital era, social media platforms have become integral to our daily lives. These platforms, including Facebook, Instagram, WhatsApp, and Snapchat, offer countless ways to connect, share, and communicate.
Coordinate Systems in FME 101 - Webinar SlidesSafe Software
If you’ve ever had to analyze a map or GPS data, chances are you’ve encountered and even worked with coordinate systems. As historical data continually updates through GPS, understanding coordinate systems is increasingly crucial. However, not everyone knows why they exist or how to effectively use them for data-driven insights.
During this webinar, you’ll learn exactly what coordinate systems are and how you can use FME to maintain and transform your data’s coordinate systems in an easy-to-digest way, accurately representing the geographical space that it exists within. During this webinar, you will have the chance to:
- Enhance Your Understanding: Gain a clear overview of what coordinate systems are and their value
- Learn Practical Applications: Why we need datams and projections, plus units between coordinate systems
- Maximize with FME: Understand how FME handles coordinate systems, including a brief summary of the 3 main reprojectors
- Custom Coordinate Systems: Learn how to work with FME and coordinate systems beyond what is natively supported
- Look Ahead: Gain insights into where FME is headed with coordinate systems in the future
Don’t miss the opportunity to improve the value you receive from your coordinate system data, ultimately allowing you to streamline your data analysis and maximize your time. See you there!
Sustainability requires ingenuity and stewardship. Did you know Pigging Solutions pigging systems help you achieve your sustainable manufacturing goals AND provide rapid return on investment.
How? Our systems recover over 99% of product in transfer piping. Recovering trapped product from transfer lines that would otherwise become flush-waste, means you can increase batch yields and eliminate flush waste. From raw materials to finished product, if you can pump it, we can pig it.
論文紹介:A Systematic Survey of Prompt Engineering on Vision-Language Foundation ...Toru Tamaki
Jindong Gu, Zhen Han, Shuo Chen, Ahmad Beirami, Bailan He, Gengyuan Zhang, Ruotong Liao, Yao Qin, Volker Tresp, Philip Torr "A Systematic Survey of Prompt Engineering on Vision-Language Foundation Models" arXiv2023
https://arxiv.org/abs/2307.12980
Scaling Connections in PostgreSQL Postgres Bangalore(PGBLR) Meetup-2 - MydbopsMydbops
This presentation, delivered at the Postgres Bangalore (PGBLR) Meetup-2 on June 29th, 2024, dives deep into connection pooling for PostgreSQL databases. Aakash M, a PostgreSQL Tech Lead at Mydbops, explores the challenges of managing numerous connections and explains how connection pooling optimizes performance and resource utilization.
Key Takeaways:
* Understand why connection pooling is essential for high-traffic applications
* Explore various connection poolers available for PostgreSQL, including pgbouncer
* Learn the configuration options and functionalities of pgbouncer
* Discover best practices for monitoring and troubleshooting connection pooling setups
* Gain insights into real-world use cases and considerations for production environments
This presentation is ideal for:
* Database administrators (DBAs)
* Developers working with PostgreSQL
* DevOps engineers
* Anyone interested in optimizing PostgreSQL performance
Contact info@mydbops.com for PostgreSQL Managed, Consulting and Remote DBA Services
UiPath Community Day Kraków: Devs4Devs ConferenceUiPathCommunity
We are honored to launch and host this event for our UiPath Polish Community, with the help of our partners - Proservartner!
We certainly hope we have managed to spike your interest in the subjects to be presented and the incredible networking opportunities at hand, too!
Check out our proposed agenda below 👇👇
08:30 ☕ Welcome coffee (30')
09:00 Opening note/ Intro to UiPath Community (10')
Cristina Vidu, Global Manager, Marketing Community @UiPath
Dawid Kot, Digital Transformation Lead @Proservartner
09:10 Cloud migration - Proservartner & DOVISTA case study (30')
Marcin Drozdowski, Automation CoE Manager @DOVISTA
Pawel Kamiński, RPA developer @DOVISTA
Mikolaj Zielinski, UiPath MVP, Senior Solutions Engineer @Proservartner
09:40 From bottlenecks to breakthroughs: Citizen Development in action (25')
Pawel Poplawski, Director, Improvement and Automation @McCormick & Company
Michał Cieślak, Senior Manager, Automation Programs @McCormick & Company
10:05 Next-level bots: API integration in UiPath Studio (30')
Mikolaj Zielinski, UiPath MVP, Senior Solutions Engineer @Proservartner
10:35 ☕ Coffee Break (15')
10:50 Document Understanding with my RPA Companion (45')
Ewa Gruszka, Enterprise Sales Specialist, AI & ML @UiPath
11:35 Power up your Robots: GenAI and GPT in REFramework (45')
Krzysztof Karaszewski, Global RPA Product Manager
12:20 🍕 Lunch Break (1hr)
13:20 From Concept to Quality: UiPath Test Suite for AI-powered Knowledge Bots (30')
Kamil Miśko, UiPath MVP, Senior RPA Developer @Zurich Insurance
13:50 Communications Mining - focus on AI capabilities (30')
Thomasz Wierzbicki, Business Analyst @Office Samurai
14:20 Polish MVP panel: Insights on MVP award achievements and career profiling
Fluttercon 2024: Showing that you care about security - OpenSSF Scorecards fo...Chris Swan
Have you noticed the OpenSSF Scorecard badges on the official Dart and Flutter repos? It's Google's way of showing that they care about security. Practices such as pinning dependencies, branch protection, required reviews, continuous integration tests etc. are measured to provide a score and accompanying badge.
You can do the same for your projects, and this presentation will show you how, with an emphasis on the unique challenges that come up when working with Dart and Flutter.
The session will provide a walkthrough of the steps involved in securing a first repository, and then what it takes to repeat that process across an organization with multiple repos. It will also look at the ongoing maintenance involved once scorecards have been implemented, and how aspects of that maintenance can be better automated to minimize toil.
The Rise of Supernetwork Data Intensive ComputingLarry Smarr
Invited Remote Lecture to SC21
The International Conference for High Performance Computing, Networking, Storage, and Analysis
St. Louis, Missouri
November 18, 2021
YOUR RELIABLE WEB DESIGN & DEVELOPMENT TEAM — FOR LASTING SUCCESS
WPRiders is a web development company specialized in WordPress and WooCommerce websites and plugins for customers around the world. The company is headquartered in Bucharest, Romania, but our team members are located all over the world. Our customers are primarily from the US and Western Europe, but we have clients from Australia, Canada and other areas as well.
Some facts about WPRiders and why we are one of the best firms around:
More than 700 five-star reviews! You can check them here.
1500 WordPress projects delivered.
We respond 80% faster than other firms! Data provided by Freshdesk.
We’ve been in business since 2015.
We are located in 7 countries and have 22 team members.
With so many projects delivered, our team knows what works and what doesn’t when it comes to WordPress and WooCommerce.
Our team members are:
- highly experienced developers (employees & contractors with 5 -10+ years of experience),
- great designers with an eye for UX/UI with 10+ years of experience
- project managers with development background who speak both tech and non-tech
- QA specialists
- Conversion Rate Optimisation - CRO experts
They are all working together to provide you with the best possible service. We are passionate about WordPress, and we love creating custom solutions that help our clients achieve their goals.
At WPRiders, we are committed to building long-term relationships with our clients. We believe in accountability, in doing the right thing, as well as in transparency and open communication. You can read more about WPRiders on the About us page.
Choose our Linux Web Hosting for a seamless and successful online presencerajancomputerfbd
Our Linux Web Hosting plans offer unbeatable performance, security, and scalability, ensuring your website runs smoothly and efficiently.
Visit- https://onliveserver.com/linux-web-hosting/
INDIAN AIR FORCE FIGHTER PLANES LIST.pdfjackson110191
These fighter aircraft have uses outside of traditional combat situations. They are essential in defending India's territorial integrity, averting dangers, and delivering aid to those in need during natural calamities. Additionally, the IAF improves its interoperability and fortifies international military alliances by working together and conducting joint exercises with other air forces.
o-checker : Malicious document file detection tool - Malicious feature can be detected based on file size by Yuuhei Ootsubo
1. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
o-checker :
Malicious document file detection tool
- File sizes tell whether the document file is malicious or not -
Yuhei Otsubo
1
2. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
Agenda
2
1. Background
2. Structure of malicious document files
3. Overview of o-checker
4. Detection mechanism
5. Demo
6. Application
7. Conclusion
3. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
1. BACKGROUND
3
4. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
Increase in targeted email attacks (1/3)
4http://www.symantec.com/threatreport/topic.jsp?aid=industrial_espionage&id=malicious_code_trends
1. Background
5. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
Increase in targeted email attacks (2/3)
5
Number of security advisories on targeted email attacks to government
institutions
※GSOC:Government Security Operation Coordination team
1. Background
6. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
Increase in targeted email attacks (3/3)
6
5.4% → 33%
research commissioned by METI(Ministry of Economy, Trade and Industry), (2007,2011)
Rate of companies that had experienced targeted attacks
1. Background
2007 2011
7. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
Example of target attacks
7
secret
Send emails
with malware
Open an
attachment
Infected
with malware
Network of companies
and private individuals
Attacker Victim
Data
exfiltration
1
2
3
④
1. Background
8. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
File types of targeted email attacks
8
Trend of the extension of the attachment of targeted email attacks,Trend Micro Japan(2013)
http://is702.jp/special/1431/
Executable files :59%
Document files :41%
1. Background
9. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
2. STRUCTURE OF MALICIOUS
DOCUMENT FILES
9
10. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
文書ファイル
Exploit
Shellcode
Malware executable file
Decoy file(for display)
Structure of malicious document files
10
Abuses a browsing
software
vulnerability
Creates a malware
executable file and
a decoy file then
executes/opens them
Encoded by various
ways.
No relation with
document contents
2. Structure of malicious document files
11. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
Example of malicious document files
11
2. Structure of malicious document files
Bitmap View Hex View
12. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
Exploit(1/2)
12
• Object 29
• A JavaScript action
• Its script is stored in object
31.
2. Structure of malicious document files
• Object 31
• A JavaScript script(Exploit)
• Flate compression method
13. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
Exploit(2/2)
13
After decoding the Flate compression data
↓Shellcode encoded by escape() function
2. Structure of malicious document files
14. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
Shellcode
14
2. Structure of malicious document files
15. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
Shellcode
15
2. Structure of malicious document files
Decoder : 40 Bytes
Shellcode is encoded with
printable characters
16. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
Executable file(1/2)
16
Encoded executable file
2. Structure of malicious document files
17. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
Executable file(2/2)
17
After decode
2. Structure of malicious document files
18. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
Decoy file
18
2. Structure of malicious document files
19. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
3. OVERVIEW OF O-CHECKER
19
20. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
Utilizes particular patterns found
through static/dynamic analysis.
Document file
Exploit
Shellcode
Malware executable file
Decoy file(for display)
traditional methods of malicious document detection
20
malicious code
3. Overview of o-checker
Traditional methods
• Particular patterns can be changed
by encode.
• There are cases when exploits only
work on specific environments and
dynamic analysis is difficult.
Problems
21. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
Vicious circle
21
If a detection method focuses on codes that can be written
arbitrarily by attackers
Vicious circle
Creates a signature based on
malicious code.
Defender
Changes malicious code so that it can
avoid detection.
Attacker
3. Overview of o-checker
22. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
Breaking the vicious circle
22
Vicious circle
Creates a signature based on
structural analysis of file formats.
Defender
Changes malicious code so that it can
avoid detection.
Attacker
Changes file format syntax so that it
can avoid detection.
3. Overview of o-checker
If a detection method focuses on file formats that cannot be written
arbitrarily by attackers
23. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
Characteristic of malicious document ~based on file format
23
A document file is an aggregate of pictures, text, and auxiliary data.
There is no data which a browsing software does not process.
Whether a browsing software processes data or not
reason
Exploit
for abusing a browsing software
vulnerabilities
Shellcode exploit code includes shellcode
Executable file -
If a browsing software parses it, the
contents will be displayed garbled or
a browsing software will malfunction.
Decoy file -
If a browsing software parses it, the
contents will be displayed garbled or
a browsing software will malfunction.
Each data has its purpose.
3. Overview of o-checker
24. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
Detection mechanism (simplified)
All of structures match
directly to contents
Contents Structures
A part of structures is
mismatched to contents
Contents Structures
Normal document files Malicious document files
Detection based on structural analysis
of document formats
3. Overview of o-checker
25. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
Performance of o-checker
25
• High speed and high detection rates
detection rates:98.9% Average execution time:0.3s
• Almost maintenance-free
Updating
frequency
Remarks
Anti-virus software Every day 200,000 new type of malware per day
(2012)※
o-checker
Almost
none
It needs update, if a new document
file format comes out.
msanalysis.py
input
Documentation files
embedded with
executable files
pdfanalysis.py
input
Alert
3. Overview of o-checker
※:http://www.kaspersky.com/about/news/virus/2012/2012_by_the_numbers_Kaspersky_Lab_now_detects_200000_new_malicious_programs_every_day
26. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
4. DETECTION MECHANISM
26
27. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
Inspection items
27
(A) Attached data after EOF
(B) Anomaly file size
(C) Data not referred from FAT
(D) Free sector in the last sector
(E) Unaccounted-for sector
(F) Unaccounted-for section
(G) Unreferenced object
(H) Camouflaged stream
Rich Text
CFB
PDF
o-checker
4. Detection mechanism
28. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
Structure of Rich Text files
28
{¥rtf
Hello!¥par
This is some {¥b bold} text.¥par
}
RTF files are usually 7-bit ASCII plain text. RTF consists of
control words, control symbols, and groups. ※
※:wikipedia
an example, RTF code
The signature that
indicates a RTF file
(}) corresponding to the first ({) is located
at the end of a file (EOF).
4. Detection mechanism
29. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
(A) Attached data after EOF
29
{¥rtf
Hello!¥par
This is some {¥b bold} text.¥par
}
MZ・
ク
・ コ エ ヘ!ク
L!This program cannot be run in
DOS mode.$ 猝t讀ォオ、ォオ、ォオュモ
招ヲォオュモ楫喚オ、ォオ0ェオュモ卸・オュモ匏ウォ
Rich、ォオ
PE d・ ヤノ[J ・ "
An executable
file is
inserted at
the end of a
file in order
not to affect
the display.
a RTF file embedded with an executable files.
Data exists after EOF.
4. Detection mechanism
30. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
CFB (doc,xls,ppt,jtd/jtdc)
30
Root Storage
Storage 1 Storage 2
Storage 3
Stream A
Stream B Stream C
[MS-CFB] – v20130118 Compound File Binary Format (http://msdn.microsoft.com/en-us/library/dd942138.aspx)
In file system
Stream → File
Storage → Folder
CFB:Compound File Binary
• A layered structure can be stored in one file.
• An archive format which Microsoft Corp. developed
• It is used by Microsoft Word etc.
doc,ppt,xls,jtd/jtdc※
4. Detection mechanism
※:jtd and jtdc are used by Ichitaro (一太郎),
a Japanese word processor developed by
JustSystems Corp.
31. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
Structure of CFB files
31
Header
FAT0
Directory Entry
Stream A
Stream A
Free Sector
Stream B
1
2
3
4
5
Physical Structure
-2
-2
3
-2
-1
-2
Directory Entry
index
sector
Stream Name:a.txt
Size:696 Index:2
Stream Name:b.txt
Size:318 Index:5
Storage Name:root
Size:- Index:-
FAT
(File Allocation Table)
4. Detection mechanism
32. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
Physical structure of CFB
32
Header
FAT0
Directory Entry
Stream A
Stream A
Free Sector
Stream B
1
2
3
4
5
Physical Structure
512 Byte
(512 or 4096) x N Byte
FileSize = 512 + (512 or 4096) x N
= 512 x M
The file size of a regular CFB file is
certainly a multiple of 512.
4. Detection mechanism
33. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
(B) Anomaly file size
33
Header
FAT0
Directory Entry
Stream A
Stream A
Free Sector
Stream B
1
2
3
4
5
Physical Structure
-2
-2
3
-2
-1
-2
FAT
(File Allocation Table)
Directory Entry
malware6
7
The size of the file except a header is not
a multiple of the size of sector.
If the file size is divided by 512, the
remainder will come out.
Stream Name:a.txt
Size:696 Index:2
Stream Name:b.txt
Size:318 Index:5
Storage Name:root
Size:- Index:-
4. Detection mechanism
34. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
(C) Data not referred from FAT
34
Header
FAT0
Directory Entry
Stream A
Stream A
Free Sector
Stream B
1
2
3
4
5
Physical Structure
-2
-2
3
-2
-1
-2
Directory Entry
malware6
7
The file exceeds the area
-1
The area which can be referred to by FAT:
(The number of sectors of FAT)×128×512 (Byte)
Stream Name:a.txt
Size:696 Index:2
Stream Name:b.txt
Size:318 Index:5
Storage Name:root
Size:- Index:-
FAT
(File Allocation Table)
?
4. Detection mechanism
35. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
(D) Free sector in the last sector
35
Header
FAT0
Directory Entry
Stream A
Stream A
Free Sector
Stream B
1
2
3
4
5
Physical Structure
-2
-2
3
-2
-1
-2
Directory Entry
malware6
The sector corresponding to the end of the
file (n-th sector) is a free sector.
-1
When the size of sector is 512,
n = (file size-512)/512
n
Stream Name:a.txt
Size:696 Index:2
Stream Name:b.txt
Size:318 Index:5
Storage Name:root
Size:- Index:-
FAT
(File Allocation Table)
4. Detection mechanism
36. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
(E) Unaccounted-for sector
36
Header
FAT0
Directory Entry
Stream A
Stream A
Free Sector
Stream B
1
2
3
4
5
Physical Structure
-2
-2
3
-2
-1
-2
Directory Entry
malware6
There is a sector which cannot be classified
into FAT (DI-FAT and mini-FAT are included),
DE, stream and free sector.
-2
Stream Name:a.txt
Size:696 Index:2
Stream Name:b.txt
Size:318 Index:5
Storage Name:root
Size:- Index:-
FAT
(File Allocation Table)
4. Detection mechanism
37. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
PDF document
Structure of PDF:Physical structure
Comment (Header)
Body
Cross-reference table
Trailer Comment(EOF)
Sequence of indirect
objects (fonts, pages and
sampled images)
1 0 obj
2 0 obj
n 0 obj
End-of-file marker
x 0 obj <</R2 /P-64 /V 2 /O
(dfhjaklgk… …>>
A PDF file is an aggregate of many objects(numeric, string, a
sequence of bytes etc.)
4 elements
4. Detection mechanism
38. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
Structure of PDF:Types of objects
38
Basic Objects
(A) Numeric
(B) String
(C) Name
(D) Boolean
(E) Null
Composite Objects
(F) Array
(G) Dictionary
Others
(H) Stream(a sequence of bytes)
(I) Indirect(referring to other objects)
(PDF32000-1:2008 7.3)
4. Detection mechanism
39. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
Structure of PDF:Stream filter
39
Filter Name Description
/ASCIIHexDecode Decodes data encoded in an ASCII hexadecimal representation, reproducing
the original binary data.
/ASCII85Decode Decodes data encoded in an ASCII base-85 representation, reproducing the
original binary data.
/LZWDecode Decompresses data encoded using the LZW adaptive compression method,
reproducing the original text or binary data.
/FlateDecode Decompresses data encoded using the zlib/deflate compression method,
reproducing the original text or binary data.
/RunLengthDecode Decompresses data encoded using a byte-oriented run-length encoding
algorithm, reproducing the original text or binary data.
/CCITTFaxDecode Decompresses data encoded using the CCITT facsimile standard, reproducing
the original data.
/JBIG2Decode Decompresses data encoded using the JBIG2 standard, reproducing the
original monochrome image data.
/DCTDecode Decompresses data encoded using a DCT technique based on the JPEG standard,
reproducing image sample data that approximates the original data.
/JPXDecode Decompresses data encoded using the wavelet-based JPEG2000 standard,
reproducing the original image data.
(PDF32000-1:2008 7.4)
Stream filters indicate how to decode stream data. The standard filters
are summarized in the following table.
4. Detection mechanism
40. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
Structure of PDF:Document structure
40
Trailer
Document
information
Document catalog
Outline
hierarchy
Page tree
Page Page
Content stream Annotations Content stream Thumbnail image
:Object
Structure of a PDF document
:Link
By following the link from trailer, all objects
can be referred to.
4. Detection mechanism
41. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
Structure of PDF:Encryption
41
Structure of a PDF document enctypted
Encryption applies to almost all strings and streams in the PDF file.
Leaving the other object types unencrypted allows random access to the
objects within a document. (except for the object stored in ObjStm)
Trailer
Document
information
Document catalog
Outline
hierarchy
Page tree
Page Page
Content stream Annotations Content stream Thumbnail image
:Object
:Link
4. Detection mechanism
42. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
Structure of PDF:ObjStm (Object Streams)
42
ObjStm (Object Streams) are introduced in
PDF 1.5. The purpose of ObjStm is to allow
indirect objects other than streams to be
stored more compactly by using the facilities
provided by stream compression filters.
( PDF32000-1:2008 7.5.7)
Packing Compressing Encryption
4. Detection mechanism
43. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
(F) Unaccounted-for section
43
PDF Document
Comment(Header)
Body
Cross-reference table
Trailer
Comment(EOF)
Executable file
Classifying objects into four
elements from the head of a
file, there is data which
cannot be classified.
4. Detection Mechanism
44. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
(G) Unreferenced object
44
Executable file
A PDF file embedded with a executable files
When an executable file is inserted as an object in disregard of
document structure, it is often unreferenced.
Executable file :Object embedded with
an executable file
Trailer
Document
information
Document catalog
Outline
hierarchy
Page tree
Page Page
Content stream Annotations Content stream Thumbnail image
:Object
:Link
4. Detection mechanism
45. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
Executable file
(H) Camouflaged Stream
45
Camouflaged Filter
Putting to the end of Streams
Regular Stream EOD
End-of-data marker
Data used for decoding
(Decoding is successful.)
Data which is not used for decoding
When the filter is FlateDecode, DCTDecode or JBIG2Decode,
entropy
Plain Text small
FlateDecode big
Execution file big
An attacker camouflages as the
object is using the filter of which
value of entropy is similar to the
value of entropy of executable
files.
(Decoding goes wrong.)
4. Detection mechanism
46. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
Malicious documents Clean documents
File type Extension Quantity
Average
size(KB)
Quantity
Average
size(KB)
Rich Text rtf 98 266.5 199 516.2
doc 36 252.2 1,195 106.1
CFB xls 49 180.4 298 191.7
jtd/jtdc 17 268.5 - -
PDF pdf 164 351.2 9,109 101.7
Total 364 291.8 10,801 322.7
Experiment
46
Document files used for
targeted email attacks
from 2009 to 2012※1
Clean document files
classified according to
contagio a malware dump
site※2
※1:Rich Text by which the extension was camouflaged by doc is
counted as rtf.
※2:http://contagiodump.blogspot.jp/2013/03/16800-clean-and-11960-
malicious-files.html
4. Detection mechanism
47. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
Detection rate of o-checker
47
99.0%
77.5%
90.2%
97.1%
96.1%
49.4%
43.9%
63.4%
99.0%
98.0%
99.4%
Rich Text
CFB
PDF
o-checker
4. Detection mechanism
(A) Attached data after EOF
(B) Anomaly file size
(C) Data not referred from FAT
(D) Free sector in the last sector
(E) Unaccounted-for sector
(F) Unaccounted-for section
(G) Unreferenced object
(H) Camouflaged stream
49. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
Output of o-checker
49
C:¥tmp>pdfanalysis.py a.pdf
00000000-00000008:comment,
00000009-0000000F:comment,
00000010-00000110:obj 25 0 old(not used)
00000111-00000197:obj 26 0 old(not used)
:
00003622-000036B0:trailer
000036B1-000036C2:startxref 00003617
000036C3-000036C9:comment,
000036CA-0000E9E2:unknown
0000E9E3-0000E9E9:comment,
0000E9EA-0000EAEA:obj 25 0 ObjStm [7, 8, 13]
:
0001209D-000120A3:comment,
000120A4-000120A7:unknown
FFFFFFFF-FFFFFFFF:obj 7 0 xref from None
FFFFFFFF-FFFFFFFF:obj 8 0 xref from None
:
Offset address Classification result
Decoy Document
ObjStm
5. Demo
50. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
Judgment option
50
C:¥tmp>pdfanalysis.py a.pdf -j
00000000-00000008:comment,
00000009-0000000F:comment,
00000010-00000110:obj 25 0 old(not used)
00000111-00000197:obj 26 0 old(not used)
:
:
0001209D-000120A3:comment,
FFFFFFFF-FFFFFFFF:obj 7 0 xref from None
FFFFFFFF-FFFFFFFF:obj 8 0 xref from None
:
Malicious!
“-j” is
a judgment option.
The three judgment types
“Malicious!”,
“Suspicious!” or
“None!”
will be shown at the end
of an output.
5. Demo
52. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
6. APPLICATION
52
53. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
Application to NIDS
53
Network cable
NIDS
o-checker
Packet
Capture
Reconstruct
e-mails
Alert
o-checker can be introduced into an existing system
without updating.
6. Application
54. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
NIDS
Problems of the application
54
o-checker
Alert
Failure to recover
e-mails
~2%
Broken document files
~2%
False positive
up ~2%
False positives increases because of the performance
of e-mail recovering software.
Network cable
Packet
Capture
Reconstruct
e-mails
6. Application
55. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
NIDS
Enhanced o-checker
55
new
o-checker
Alert
Deselection of broken document files based on
structural analysis of file formats
Network cable
Packet
Capture
Reconstruct
e-mails
Failure to recover
e-mails
~2%
Broken document files
~2%
False positive
up ~0%
6. Application
56. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
o-checker
Application to android (1)
56
Mail server
Manual delete
Manual check
58. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
E-mailer
o-checker
Application to android (2)
58
Mail server
Auto delete
Auto check
59. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
7. CONCLUSION
59
60. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
Conclusion
60
• Tradition detectional method reaches
its limit.
• Structural analysis of file formats
is effective to detect malicious
document files that have embedded
executable files.
• Various application of o-checker is
possible. Because it can detect
malicious documents by high
probability at high speed.
7. Conclusion
61. CODE BLUE Feb.17 (Mon) - 18 (Tue), 2014 Tokyo, Japan
61
Thank you!