-
Target Attack Backdoor Malware Analysis and Attribution
Authors:
Anthony Cheuk Tung Lai,
Vitaly Kamluk,
Alan Ho,
Ping Fan Ke,
Byron Wai
Abstract:
Backdoor Malware are installed by an attacker on the victim's server(s) for authorized access. A customized backdoor is weaponized to execute unauthorized system, database and application commands to access the user credentials and confidential digital assets. Recently, we discovered and analyzed a targeted persistent module backdoor in Web Server in an online business company that was undetectabl…
▽ More
Backdoor Malware are installed by an attacker on the victim's server(s) for authorized access. A customized backdoor is weaponized to execute unauthorized system, database and application commands to access the user credentials and confidential digital assets. Recently, we discovered and analyzed a targeted persistent module backdoor in Web Server in an online business company that was undetectable by their deployed Anti-Virus software for a year. This led us to carry out research to detect this specific type of persistent module backdoor installed in Web servers. Other than typical Malware static analysis, we carry out analysis with binary similarity, strings, and command obfuscation over the backdoor, resulting in the Target Attack Backdoor Malware Analysis Matrix (TABMAX) for organizations to detect this sophisticated target attack backdoor instead of a general one which can be detected by Anti-Virus detectors. Our findings show that backdoor malware can be designed with different APIs, commands, strings, and query language on top of preferred libraries used by typical Malware.
△ Less
Submitted 5 February, 2025; v1 submitted 4 February, 2025;
originally announced February 2025.
-
An Attack-Driven Incident Response and Defense System (ADIRDS)
Authors:
Anthony Cheuk Tung Lai,
Siu Ming Yiu,
Ping Fan Ke,
Alan Ho
Abstract:
One of the major goals of incident response is to help an organization or a system owner to quickly identify and halt the attacks to minimize the damages (and financial loss) to the system being attacked. Typical incident responses rely very much on the log information captured by the system during the attacks and if needed, may need to isolate the victim from the network to avoid further destruct…
▽ More
One of the major goals of incident response is to help an organization or a system owner to quickly identify and halt the attacks to minimize the damages (and financial loss) to the system being attacked. Typical incident responses rely very much on the log information captured by the system during the attacks and if needed, may need to isolate the victim from the network to avoid further destructive attacks. However, there are real cases that there are insufficient log records/information for the incident response team to identify the attacks and their origins while the attacked system cannot be stopped due to service requirements (zero downtime online systems) such as online gaming sites. Typical incident response procedures and industrial standards do not provide an adequate solution to address this scenario. In this paper, being motivated by a real case, we propose a solution, called "Attack-Driven Incident Response and Defense System (ADIRDS)" to tackle this problem. ADIRDS is an online monitoring system to run with the real system. By modeling the real system as a graph, critical nodes/assets of the system are closely monitored. Instead of relying on the original logging system, evidence will be collected from the attack technique perspectives. To migrate the risks, realistic honeypots with very similar business context as the real system are deployed to trap the attackers. We successfully apply this system to a real case. Based on our experiments, we verify that our new approach of designing the realistic honeypots is effective, 38 unique attacker's IP addresses were captured. We also compare the performance of our realistic honey with both low and high interactive honeypots proposed in the literature, the results found that our proposed honeypot can successfully cheat the attackers to attack our honeypot, which verifies that our honeypot is more effective.
△ Less
Submitted 4 February, 2025;
originally announced February 2025.
-
Ransomware IR Model: Proactive Threat Intelligence-Based Incident Response Strategy
Authors:
Anthony Cheuk Tung Lai,
Ping Fan Ke,
Alan Ho
Abstract:
Ransomware impact different organizations for years, it causes huge monetary, reputation loss and operation impact. Other than typical data encryption by ransomware, attackers can request ransom from the victim organizations via data extortion, otherwise, attackers will publish stolen data publicly in their ransomware dashboard forum and data-sharing platforms. However, there is no clear and prove…
▽ More
Ransomware impact different organizations for years, it causes huge monetary, reputation loss and operation impact. Other than typical data encryption by ransomware, attackers can request ransom from the victim organizations via data extortion, otherwise, attackers will publish stolen data publicly in their ransomware dashboard forum and data-sharing platforms. However, there is no clear and proven published incident response strategy to satisfy different business priorities and objectives under ransomware attack in detail. In this paper, we quote one of our representative front-line ransomware incident response experiences for Company X. Organization and incident responder can reference our established model strategy and implement proactive threat intelligence-based incident response architecture if one is under ransomware attack, which helps to respond the incident more effectively and speedy.
△ Less
Submitted 3 February, 2025;
originally announced February 2025.
-
Negative bases and automata
Authors:
Christiane Frougny,
Anna Chiara Lai
Abstract:
We study expansions in non-integer negative base -β introduced by Ito and Sadahiro. Using countable automata associated with (-β)-expansions, we characterize the case where the (-β)-shift is a system of finite type. We prove that, if β is a Pisot number, then the (-β)-shift is a sofic system. In that case, addition (and more generally normalization on any alphabet) is realizable by a finite transd…
▽ More
We study expansions in non-integer negative base -β introduced by Ito and Sadahiro. Using countable automata associated with (-β)-expansions, we characterize the case where the (-β)-shift is a system of finite type. We prove that, if β is a Pisot number, then the (-β)-shift is a sofic system. In that case, addition (and more generally normalization on any alphabet) is realizable by a finite transducer. We then give an on-line algorithm for the conversion from positive base β to negative base -β. When β is a Pisot number, the conversion can be realized by a finite on-line transducer.
△ Less
Submitted 16 December, 2010;
originally announced December 2010.
