Real-Time Static Analysis: Detecting Zero-Day Ransomware Campaigns

Friday 7 October 10:00 - 10:30, Green room

Erdem Aktas (Intel)
Rachit Mathur (Intel)

It is well known that most malware (including ransomware families such as CryptoWall) use various tools and techniques to avoid static analysis based detection, thus making it hard to statically detect and categorize their binaries. On the other hand, dynamic analysis can help to identify zero-day malware but it can be costly and time consuming. And in the case of ransomware, detection after infection is not desirable because files would have already been encrypted.

In this paper, we will present the results of a study based on the idea that performing static analysis in 'real time' can not only be used to identify zero-day samples but can also be used to categorize and identify the middle actors. By 'real time' we mean a time after the malware starts to execute BUT before it gets to the payload or does any damage / modification to the system. The idea comes from the observation that malware authors usually keep using the same code after a few initial layers of unpacking. And they tend to re-use their favourite tools (middle-level code) to package their payload. This middle-level code can not only help in the identification of malware, but also be used to categorize them based on their actors.

Using this approach, our experiments show that we are able to detect and block all the CryptoWall campaign samples using only the analysis from the very first early CryptWall samples. In the paper, we will also suggest how this approach can be automated and extended to detect other attacks.

Click here for more details about the conference.


Erdem Aktas

Erdem Aktas works at Intel Labs, Security and Privacy group as a research scientist. He holds a Ph.D. degree from State University of New York at Binghamton with the dissertation on "Authenticating executions for trusted systems". Erdem joined Intel Security (formerly McAfee) in 2012 and has contributed many research and engineering projects on large-scale cloud and client solutions related to the identifying and detecting malware using static and dynamic behaviours with machine learning. Erdem continues to his research at the Intel Labs, Security and Privacy group with special interest in control flow integrity and enforcement, trusted execution, efficiently using machine learning on identifying malware and preventing code reuse attacks. Erdem was born in Kars, Turkey in 1982 and currently lives in Hillsboro, OR, USA.




 Rachit Mathur

Rachit Mathur works at Intel Security as a research architect. He graduated from the University of Louisiana at Lafayette with an M.S. (computer science) in 2006, specializing in reverse engineering, program transformation and metamorphic malware. At Intel Security (formerly McAfee) Rachit has taken on both management and technical roles to successfully lead the development of innovative anti-malware solutions. His current interests are working on creating effective anti-malware solutions using both client and cloud, behaviour tracers, machine learning applications for security, rootkits and anti-analysis techniques. He has published work in the Journal in Computer Virology, Virus Bulletin, International Conference on Information Warfare, IEEE International Workshop on Source Code Analysis and Manipulation, EICAR, CARO, McAfee Focus, etc. Rachit was born in India in 1982. He currently lives in Hillsboro (USA) with his wife and daughter.