CAREER: GLEAN: Gearing Rapid Malware Forensics Toward Holistic Mobile Botnet Takedown


Basic information

  • Award number:
    2143689
  • Principal investigator:
  • Amount:
    $519,800
  • Host institution:
  • Host institution country:
    United States
  • Project type:
    Continuing Grant
  • Fiscal year:
    2022
  • Funding country:
    United States
  • Duration:
    2022-02-01 to 2027-01-31
  • Project status:
    Ongoing

Project abstract

This award is funded in whole or in part under the American Rescue Plan Act of 2021 (Public Law 117-2). This research benefits national security by advancing science in cyber forensics and malicious software (malware) prevention. Cybercriminals construct massive networks of malware running on infected victim devices that connect to command-and-control servers online. For decades, law enforcement and commercial entities have attempted to take down these globally distributed malware networks with mixed success. This research develops an automated approach to holistically take down this type of malware: monitoring and disabling its command-and-control servers as well as remediating or removing the malware from victims' devices. This approach puts malware operators at a disadvantage (they must reinfect victims' devices), thus protecting users and organizations. The output of this research, including software, demo videos, and scholarly publications, is being made freely available to the public to empower future research in this area. Discoveries from this project are being transitioned into workforce development activities and educational materials that introduce students to current and emerging cyber-attack investigation techniques.

This work proposes that takedown attempts must not only remediate command-and-control (C&C) servers but also disable or remove frontend bots from infected devices, effectively eliminating the chances of a botnet revival. The investigator targets code reflection for C&C payload distribution, a popular trend in bot design that has enabled many botnets to survive takedowns. This research is developing GLEAN, a program-analysis-centric pipeline combining automated malware forensics techniques toward holistic remediation of frontend bots and command-and-control backends. First, GLEAN identifies network behaviors, capabilities, and code reflection routines in the malware sample. Next, GLEAN performs covert monitoring of the C&C server via protocol identification to establish an effective strategy for its takedown. Finally, by examining the malware's code reflection routines, GLEAN enables the automated generation of a customized remediation payload capable of disabling the bot or alerting the infected device's user. This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

Project outcomes

Journal articles (1)
Monographs (0)
Research awards (0)
Conference papers (0)
Patents (0)
Hiding in Plain Sight: An Empirical Study of Web Application Abuse in Malware
  • DOI:
  • Publication year:
    2023
  • Journal:
  • Impact factor:
    0
  • Authors:
    Mingxuan Yao;J. Fuller;R. Sridhar;Saumya Agarwal;A. Sikder;Brendan Saltaformaggio
  • Corresponding authors:
    Mingxuan Yao;J. Fuller;R. Sridhar;Saumya Agarwal;A. Sikder;Brendan Saltaformaggio

Other publications by Brendan Saltaformaggio

Tipped Off by Your Memory Allocator: Device-Wide User Activity Sequencing from Android Memory Images
Gemini: Guest-transparent honey files via hypervisor-level access redirection
  • DOI:
    10.1016/j.cose.2018.02.014
  • Publication year:
    2018
  • Journal:
  • Impact factor:
    0
  • Authors:
    Zhongshu Gu;Brendan Saltaformaggio;X. Zhang;Dongyan Xu
  • Corresponding author:
    Dongyan Xu
Measuring and Preventing Supply Chain Attacks on Package Managers
  • DOI:
  • Publication year:
    2020
  • Journal:
  • Impact factor:
    0
  • Authors:
    Ruian Duan;Omar Alrawi;R. Kasturi;R. Elder;Brendan Saltaformaggio;Wenke Lee
  • Corresponding author:
    Wenke Lee
This Hacker Knows Physics: Device Physics Aware Mimicry Attacks in Cyber-Physical Systems
Cyber Forensics through Program Analysis
  • DOI:
  • Publication year:
    2016
  • Journal:
  • Impact factor:
    0
  • Author:
    Brendan Saltaformaggio
  • Corresponding author:
    Brendan Saltaformaggio


Other grants of Brendan Saltaformaggio

SaTC: CORE: Medium: Collaborative: Doctor WHO: Investigation and Prevention of Online Content Management System Abuse
  • Award number:
    1916550
  • Fiscal year:
    2019
  • Funding amount:
    $519,800
  • Project type:
    Standard Grant
CRII: SaTC: GEMINI: Guided Execution Based Mobile Advanced Persistent Threat Investigation
  • Award number:
    1755721
  • Fiscal year:
    2018
  • Funding amount:
    $519,800
  • Project type:
    Standard Grant

Similar overseas grants

Sonocent: Glean Stream
  • Award number:
    44268
  • Fiscal year:
    2020
  • Funding amount:
    $519,800
  • Project type:
    Study
Sonocent: Glean Stream Continuity
  • Award number:
    73882
  • Fiscal year:
    2020
  • Funding amount:
    $519,800
  • Project type:
    Feasibility Studies