• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.21 no.3
• /
• pp.89-100
• /
• 2011

As the Internet usage with web browser is more increasing, the web-based malware which is distributed in websites is going to more serious problem than ever. The central type malicious website detection method based on crawling has the problem that the cost of detection is increasing geometrically if the crawling level is lowered more. In this paper, we proposed a security tool based on web browser which can detect the malicious web pages dynamically and support user's safe web browsing by stopping navigation to a certain malicious URL injected to those web pages. By applying these tools with many distributed web browser users, all those users get to participate in malicious website detection and feedback. As a result, we can detect the lower link level of websites distributed and dynamically.

• Smart Media Journal
• /
• v.8 no.1
• /
• pp.19-26
• /
• 2019

At the opening ceremony of 2018 Winter Olympics in PyeongChang, an unknown cyber-attack occurred. The malicious code used in the attack is based on in-memory malware, which differs from other malicious code in its concealed location and is spreading rapidly to be found in more than 140 banks, telecommunications and government agencies. In-memory malware accounts for more than 15% of all malicious codes, and it does not store its own information in a non-volatile storage device such as a disk but resides in a RAM, a volatile storage device and penetrates into well-known processes (explorer.exe, iexplore.exe, javaw.exe). Such characteristics make it difficult to analyze it. The most recently released in-memory malicious code bypasses the endpoint protection and detection tools and hides from the user recognition. In this paper, we propose a method to efficiently extract the payload by unpacking injection through IDA Pro debugger for Dorkbot and Erger, which are in-memory malicious codes.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.22 no.4
• /
• pp.869-882
• /
• 2012

With the growth of Web services and the development of web exploit toolkits, web-based malware has increased dramatically. Using Javascript Obfuscation, recent web-based malware hide a malicious URL and the exploit code. Thus, pattern matching for network intrusion detection systems has difficulty of detecting malware. Though various methods have proposed to detect Javascript malware on a users' web browser, the overall detection is needed to counter advanced attacks such as APTs(Advanced Persistent Treats), aimed at penetration into a certain an organization's intranet. To overcome the limitation of previous pattern matching for network intrusion detection systems, a novel deobfuscating method to handle obfuscated Javascript is needed. In this paper, we propose a framework for effective hidden malware detection through an automated deobfuscation regardless of advanced obfuscation techniques with overriding JavaScript functions and a separate JavaScript interpreter through to improve jsunpack-n.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.25 no.1
• /
• pp.17-30
• /
• 2015

Unlike existing widely used bytecode-centric Android application code obfuscation methodology, our scheme in this paper makes encrypted file i.e. DEX file self-extracted arbitrary Android application. And then suggests a method regarding making the loader app to execute encrypted file's code after saving the file in arbitrary folder. Encrypted DEX file in the loader app includes original code and some of Manifest information to conceal event treatment information. Loader app's Manifest has original app's Manifest information except included information at encrypted DEX. Using our scheme, an attacker can make malicious code including obfuscated code to avoid anti-virus software at first. Secondly, Software developer can make an application with hidden main algorithm to protect copyright using suggestion technology. We implement prototype in Android 4.4.2(Kitkat) and check obfuscation capacity of malicious code at VirusTotal to show effectiveness.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.28 no.5
• /
• pp.1197-1207
• /
• 2018

PowerShell is command line shell and scripting language, built on the .NET framework, and it has several advantages as an attack tool, including built-in support for Windows, easy code concealment and persistence, and various pen-test frameworks. Accordingly, malwares using PowerShell are increasing rapidly, however, there is a limit to cope with the conventional malware detection technique. In this paper, we propose an improved monitoring method to observe commands executed in the PowerShell and a deep learning based malware classification model that extract features from commands using Convolutional Neural Network(CNN) and send them to Recurrent Neural Network(RNN) according to the order of execution. As a result of testing the proposed model with 5-fold cross validation using 1,916 PowerShell-based malwares collected at malware sharing site and 38,148 benign scripts disclosed by an obfuscation detection study, it shows that the model effectively detects malwares with about 97% True Positive Rate(TPR) and 1% False Positive Rate(FPR).

• Proceedings of the Korean Society of Computer Information Conference
• /
• 2014.07a
• /
• pp.369-370
• /
• 2014

본 논문에서는 안드로이드 환경에서 클래스 반사(Reflection)과 예외처리를 이용하여 안드로이드 보호 시스템을 우회하여 임의의 코드를 수행할 수 있는 방법을 제시한다. 일반적인 자바 환경과는 달리 안드로이드 환경에서는 보안 강화를 위해 APK 파일 내 루트 디렉토리의 클래스 파일만을 반사를 통해 동적 로딩이 가능하다. 하지만, 본 논문에서는 클래스 반사와 예외 처리를 이용하여 임의의 디렉토리 내 파일을 로딩 및 동적 실행할 수 있는 방법을 보이며 이 방법은 저자가 알기로는 기존에 알려지지 않은 방법이다. 이를 기반으로, 본 논문에서는 AES 암호와 동적 로딩을 이용하여, 모바일 어플리케이션의 내부 코드를 은폐하는 기법을 제안한다. 제안기법을 활용 시, 첫째 공격자의 입장에서는 내부 코드를 은폐하여 백신을 우회하는 악성코드 제작이 가능하고, 둘째, 프로그램 제작자의 입장에서는 핵심 알고리즘을 은폐하여 저작권을 보호하는 코드 제작이 가능하다. 안드로이드 버전 4.4.2(Kitkat)에서 프로토타입을 구현하여 제안 기법의 실효성을 보였다.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.23 no.6
• /
• pp.1121-1129
• /
• 2013

Recent malware distribution causes severe and nation-wide problems such as 3 20 cyber attack in Korea. In particular, Drive-by download attack, which is one of attack types to distribute malware through the web, becomes the most prevalent and serious threat. To prevent Drive-by download attacks, it is necessary to analyze MDN(Malware Distribution Networks) of Drive-by download attacks. Effective analysis of MDN requires a detection of obfuscated and/or encapsulated JavaScript in a web page. In this paper, we propose the scheme called Multi-level emulation to analyze the process of malware distribution. The proposed scheme analyzes web links used for malware distribution to support the efficient analysis of MDN.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.17 no.6
• /
• pp.89-98
• /
• 2007

We have come a long way in the information age. Thanks to the advancement of such technologies as the internet, we have discovered new ways to convey information on a broader scope. However, negative aspects exist as is with anything else. These may include invasion of privacy over the web, or identity theft over the internet. What is more alarming is that malwares so called 'maliciouscodes' are rapidly spreading. Its intent is very destructive which can result in hacking, phishing and as aforementioned, one of the most disturbing problems on the net, invasion of privacy. This thesis describes the technology of how you can effectively analyze and detect these kind of malicious codes. We propose sequencial hybrid analysis for API calls that are hooked inside user-mode and kernel-level of Windows. This research explains how we can cope with malicious code more efficiently by abstracting malicious function signature and hiding attribute.

• Journal of the Korea Institute of Information Security & Cryptology
• /
• v.32 no.4
• /
• pp.629-635
• /
• 2022

Cyber threats are also increasing with recent social changes and the development of ICT technology. Malicious codes used in cyber threats are becoming more advanced and intelligent, such as analysis environment avoidance technology, concealment, and fileless distribution, to make analysis difficult. Machine learning technology is being used to effectively analyze these malicious codes, but a lot of effort is needed to increase the accuracy of classification. In this paper, we propose a malicious code detection technology based on API call interval characteristics to improve the classification performance of machine learning. The proposed technology uses API call characteristics for each section and entropy of binary to separate characteristic factors into sections based on the extraction malicious code and API call order of normal binary. It was verified that malicious code can be well analyzed using the support vector machine (SVM) algorithm for the extracted characteristic factors.

• Convergence Security Journal
• /
• v.6 no.3
• /
• pp.59-67
• /
• 2006

Recently the Personal Computer hacking and game hacking for the purpose of gaining an economic profit is increased in Windows system. Malicious code often uses methods which inject dll or code into memory in target process for using covert channel for communicating among them, bypassing secure products like personal firewalls and obtaining sensitive information in system. This paper analyzes the technique for injecting and executing code into memory area in target process. In addition, this analyzes the PE format and IMPORT table for extracting injected dll in running process in affected system and describes a method for extracting and analyzing explicitly loaded dll files related with running process. This technique is useful for finding and analyzing infected processes in affected system.