Below is the list of papers and presentations.
- May 2010 - Symbian Worm Yxes: Towards Mobile Botnets? (EICAR 2010)
by: Axelle Apvrille Download: paper (PDF), slides (PDF)
Abstract
In 2009, a new Symbian malware named SymbOS/Yxes was detected and quickly hit the headlines as one of the first malware for Symbian OS 9 and above all as the foretaste of a mobile botnet. Yet, the detailed analysis of the malware was still missing. This paper addresses this issue and details how the malware silently connects to the Internet, installs new malware or spreads to other victims. Each of these points is illustrated with commented assembly code taken from the malware or re-generated Symbian API calls. Besides those implementation aspects, the paper also provides a global overview of Yxes's behaviour. It explains how malicious remote servers participate in the configuration and propagation of the malware, including Yxes's similarities with a botnet. It also tries to shed light on some incomplete or misleading statements in prior press articles. Those statements are corrected, based on the reverse engineering evidence presented previously. Finally, the paper concludes on Yxes's importance and the lack of security on mobile phones. It also indicates several aspects future work should focus on, such as communication decryption, tools to analyze embedded malware or cybercriminals' motivations.
- May 2010 - Four Malware and a Funeral (SAR-SSI 2010)
by: Axelle Apvrille and Jie Zhang Download: slides (PDF)
- May 2010 - The Four Horsemen: Malware on Mobile Phones in 2009-2010 (Confidence 2010)
by: Axelle Apvrille and Jie Zhang Download: slides (PDF)
- Apr 2010 - Adobe Reader's Custom Memory Management: a Heap of Trouble (BlackHat Europe 2010)
by: Haifei Li and Guillaume Lovet Download: paper (PDF), slides (PPT), source code (Python on Immunity Debugger)
Abstract
This is PDF-specific exploitation research focusing on the custom heap management in Adobe Reader. When Adobe Reader is processing a PDF file, in most allocation cases it does not directly use the system's heap, but maintains its own heap management system on top of the system-level heap management system. This feature provides an easier and more reliable way to leverage PDF heap-based vulnerabilities.
- Sep 2009 - 'I am not a numero!': assessing global security threat levels (Virus Bulletin Conference 2009)
by: Bryan Lu Download: paper (PDF), slides (PDF)
Abstract
Late last year Gartner analyst Greg Young wrote a blog post about the varying worldwide security threat levels as indicated in vendor online threat centres. He pointed out that, since global vendors are likely to detect the same active threats, they should post the same threat levels. However, vendors use different scale factors with conditions ranging from one to four or levels ranging from one to nine. Other vendors do not even provide threat levels on their public websites - possibly because they are providing details directly to their enterprise users or because they have no precise way of assigning public levels. Sadly, the threat level posting is proving to be more of a marketing add-on than a tool for security awareness. Threat level is not just a number. This paper exposes the computation and logic behind threat levels and covers the three different security threat categories (virus/spyware, spam and vulnerabilities) that are different in nature. It will also touch on the complex formula affecting current threat levels. After all, the security community needs a standard way of assigning threat levels so it is transparent and helpful to end users.
- Sep 2009 - Fighting cybercrime: technical, juridical, and ethical challenges (Virus Bulletin Conference 2009)
by: Guillaume Lovet Download: paper (PDF)
Abstract
Since the massive rise of cybercrime in 2005, which now steadily drains several billion dollars (if not hundreds of billions) per year, a variety of challenges in efficiently fighting cybercriminals have been clearly identified. Clearly? Well, perhaps not. While it is widely recognized that the big struggle against cybercrime is severely hampered by the combination of the 'no cyber-borders between countries' factor and the 'heterogeneous laws among them' factor, in-depth examinations of the issue are scarce, and often overlook key aspects of the problem. Beyond the juridical issues, the technical challenges involved in fighting cybercrime may be misunderstood by political deciders, and the ethical aspects often set aside - as demonstrated by the action various governments have taken lately to address the cybercrime issue. This paper, reviewed by parties with technical, legal, or law enforcement backgrounds, will shed light on those aspects and attempt to answer the numerous questions subsequently raised: Do we need more processes for international cooperation? Would an 'Internetpol' be the solution, or is everything we need already in place at a juridical level, as we're only lacking will, knowledge, and concrete collaboration between deciders and experts? Could we end up endangering liberties in the process of addressing cybercrime?
- Sep 2009 - Botnet-powered SQL injection attacks: a deeper look within (Virus Bulletin Conference 2009)
by: David Maciejak and Guillaume Lovet Download: paper (PDF)
Abstract
Looking back, the past year has seen botnet-powered SQL injection attacks reaching a rampant level, sparing no category of websites in their malicious code injection campaigns. With several millions of reported attempts from several hundreds of thousands of IP addresses, and successfully compromised websites ranging from MTV to the Canadian National Defence, few other threats can boast as high a profile. Looking within, the threat's internals reveal a sophisticated technique and a steady evolution. As early as May 2008, a new Asprox botnet variant acquired an interesting - and previously unseen - behaviour: it started to look for SQL servers via search engines, such as Google. Once found, it would attempt to perform an SQL injection attack on those, following a simple, yet effective scenario: an HTTP GET request is issued as an attempt to inject some malicious JavaScript into the content database, which is used to provide data to the front end for the final user. The blind requests may be repeated with varied parameters, effectively making this early version of the threat a 'brute force' attack. This paper dissects the attack at a fairly technical level, elaborates on its evolution up to now, and discusses the protection and mitigation strategies relevant to its class.
- Jun 2009 - Vital Threat Management for Enterprise Carrier (CMMA 2009)
Download: paper (PDF)
- Jun 2009 - Corporate Threats (EMEA Partner Conference 2009)
Download: paper (PDF)
- Jun 2008 - Accelerating Unified Threat Management with Specialized Hardware
Download: paper (PDF)
- Apr 2008 - Network Security Consolidation
Download: paper (PDF)
- Nov 2007 - Find out the "Bad guys" on the Symbian (Association of Anti Virus Asia Researchers Conference 2007)
by: Jie Zhang Download: paper (PDF), slides (PPT)
Abstract
After the emergence of the Cabir mobile virus, mobile viruses have become a new trend. To date, more than 400 types of mobile viruses have been discovered. As we know, most of them execute on the Symbian platform. It has been a long time since the first mobile virus. Many anti-virus vendors have released mobile anti-virus utilities. But until now, we could hardly find a paper that tells us how to identify a mobile virus. Taking into account the technical difficulty of analysis, we think that Symbian viruses will give us significant insight into mobile viruses. In this paper, I will provide a general analysis method for Symbian viruses. Then I will also show how to analyze some Symbian viruses based on this method. In the last section of this paper, I will provide suggestions on the automatic analysis of Symbian viruses. I hope that you can find the "Bad guys" on Symbian by yourself with this paper.
- Oct 2007 - Unifying Your Threat Management Practice
Download: paper (PDF)
- Sep 2007 - A deeper look at malware - the whole story (Virus Bulletin Conference 2007)
by: Bryan Lu Download: slides (PDF)
Abstract
Despite researchers' curiosity about how each and every type of malware works, the cyber world still suffers a deluge of thousands of malware samples per day. Malware packers and encoders build an outer shell around these malicious files in order to try to lower the detection rate. Looking at the assortment and properties of these files, rather than the files alone, could prove promising in thwarting these efforts and increasing detection rates. Unbelievable as it may seem, 'PE_Patch', the top packer for executable files, is only 5% detected by a few anti-malware vendors. Aside from the packer, investigating file properties, particularly size, can elaborate and expand the details of the collections. Roughly 97% of malware discovered in 2006 was below one megabyte in size. By incorporating these two facets - packer and file size - into the design of security products, detection and performance rates are undeniably going to improve. In such cases, deeper inspection of each piece of malware is half of the story in mitigating threats. The presentation shows how looking at a collection of malware as a whole and grouping samples by their properties can add significant improvement in detection and performance. Besides being purely statistical, this may be viewed as food for refined heuristics.
- Sep 2007 - Menace 2 The Wires: Advances in the Business Models of Cyber Criminals (Virus Bulletin Conference 2007)
by: Guillaume Lovet Download: paper (PDF), slides (PPT)
Abstract
Today, the profits generated by cybercrime worldwide are somewhere between $50 billion and $100 billion per annum, flirting with the revenues yielded by the 'historic' business of trading illegal drugs.
However, as the public becomes aware of the situation, user education and global security policies tend to improve as well. To sustain profitable balances - or simply to optimize their gains - money-driven cyber criminals are pushed to innovate, to polish their social engineering methods and to go as far as taking physical action to implement their business logic. While companies are not spared, their targets of choice remain the average user. You, me, anyone.
While 'Dirty Money on the Wires' [1] was a snapshot of the most 'traditional' business models among the cyberunderground scene over the past two years, this paper will go deeper underground, closer to the culprits: based on quantified data, light will be shed on new - or anticipated - business models, following the evolution of cyber criminals as we are entering the Web 2.0 era, and as borders between crime and cybercrime become thinner every day.
- Sep 2007 - Securing IPv6 Networks
Download: paper (PDF)
- Aug 2007 - Beyond UTM - The Value of a Purpose-Built Network Security Platform
Download: paper (PDF)
- Jul 2007 - Real Time Network Protection for Educational Institutions
Download: paper (PDF)
- Jan 2007 - The Importance of FortiGuard Web Filtering as part of a Multi-Threat Security System
Download: paper (PDF)
- Dec 2006 - Comprehensive Protection for Email and Web
Download: paper (PDF)
- Dec 2006 - Detecting Malware Threats by File Sizes
by: Bryan Lu, Steve Fossen Download: paper (PDF)
Abstract
Malware is typically found within files that are less than one megabyte (MB) in size. According to Fortinet research, 97% of malware discovered since the beginning of 2006 is below one MB in size. The small size of the malware file allows malicious content to be downloaded and executed quickly, creating an unnoticeable infection.
- Dec 2006 - Intrusion and Protection of Mobile Devices (Association of Anti Virus Asia Researchers Conference 2006)
by: Jun Cai Download: paper (PDF)
Abstract
With the development of mobile hardware and software, the mobile device is becoming a mini PC, and to some extent even more powerful, being at once a mobile communication device, a WiFi device, a Bluetooth device and an infrared device. Mobile device operating systems provide more and more diversified functions and software. As a result, mobile device viruses are able to intrude into the mobile system through both traditional and mobile-specific ways. Cabir and its variants demonstrate ways to spread via Bluetooth; Skull and its variants demonstrate ways to disable system functions and leave the mobile unable to work properly. Could mobile viruses do even more harm to the system? Unfortunately, the answer is yes!
In this paper, I will first introduce new ways that mobile virus writers might use in the near future, such as tricks to force users to do a hard reset, executable file infection on Symbian, mobile virus polymorphism, new ways to spread themselves, etc. Then I will propose an integrated mobile protection system which includes a powerful virus scanner and a multi-dimensional real-time monitor set. The virus scanner must support both the traditional pattern-scanning method and the heuristic method, whose main rules I will go a little further to describe. Real-time monitors include low-level monitors such as a file system monitor and a network monitor, and high-level monitors such as a Bluetooth monitor, an MMS monitor and an email monitor.
- Nov 2006 - Zombie Or Not To Be (Association of Anti Virus Asia Researchers Conference 2005)
by: Guillaume Lovet Download: slides (PPT)
- Sep 2006 - Dirty money on the wires: the business models of cyber criminals (Virus Bulletin Conference 2006)
by: Guillaume Lovet Download: paper (PDF), slides (PDF)
Abstract
Scammers, phishers, bot herders, spammers, online extortioners, identity thieves... The names may seem obscure, but their intent is not: they are all out to steal our money. It is no secret that, today, cyber crime is draining massive amounts of money every year, all around the globe. And while old-school hackers would rent their services to conduct a limited number of high-profile industrial spying operations, today's cyber criminals combine social engineering, viruses, trojans and spyware to target average, everyday users. There are several questions that we must try and understand in order to fight these cyber criminals: who are the culprits and do they fit any standard profile? What is their business model and how easy is it to set up? Through which channels is the cyber crime money flowing and who is getting this money, eventually? Are the 'real' organized criminals - the so called mob - implicated at certain levels in the model? This paper will attempt to shed some light on these questions. Answers will be developed, correlated and backed up by concrete data, numbers, and figures. The expected proliferation of increasingly used mobile smart phones will open the door for a broad range of new cyber crime possibilities and business models, which this paper will also examine. The goal is to raise public awareness and industry anticipation of this potentially severe issue.
- Aug 2006 - Network-based Security Requires Firewall, IPS and AV
Download: paper (PDF)
- Jun 2006 - Critical Elements of Pre-IMS Network Security for Wireless Carriers
Download: paper (PDF)
- Jun 2006 - Multi-Layer Security Platforms - The New Definition for Best of Breed
Download: paper (PDF)
- May 2006 - Exploring IMS Network Security for Next Generation Network (NGN) Carriers
Download: paper (PDF)
- Mar 2006 - Solving the metamorphic puzzle (Virus Bulletin)
by: Rodelio G. Finones Download: paper (PDF)
Abstract
Metamorphic viruses have posed a challenge for the anti-virus industry for quite some time. This article focuses on a number of metamorphic techniques and highlights different methods for detecting them.