Acceleration of Statistical Detection of Zero-day Malware ...

Annual ADFSL Conference on Digital Forensics, Security and Law 2016 Proceedings

May 24th, 1:00 PM

Acceleration of Statistical Detection of Zero-day Malware in the Acceleration of Statistical Detection of Zero-day Malware in the

Memory Dump Using CUDA-enabled GPU Hardware Memory Dump Using CUDA-enabled GPU Hardware

Igor Korkin Independent Researchers, Moscow, Russia, [email protected]

Iwan Nesterow Independent Researchers, Moscow, Russia, [email protected]

(c)ADFSL

Follow this and additional works at: https://commons.erau.edu/adfsl

Part of the Aviation Safety and Security Commons, Computer Law Commons, Defense and Security

Studies Commons, Forensic Science and Technology Commons, Information Security Commons,

National Security Law Commons, OS and Networks Commons, Other Computer Sciences Commons, and

the Social Control, Law, Crime, and Deviance Commons

Scholarly Commons Citation Scholarly Commons Citation Korkin, Igor and Nesterow, Iwan, "Acceleration of Statistical Detection of Zero-day Malware in the Memory Dump Using CUDA-enabled GPU Hardware" (2016). Annual ADFSL Conference on Digital Forensics, Security and Law. 10. https://commons.erau.edu/adfsl/2016/tuesday/10

This Peer Reviewed Paper is brought to you for free and open access by the Conferences at Scholarly Commons. It has been accepted for inclusion in Annual ADFSL Conference on Digital Forensics, Security and Law by an authorized administrator of Scholarly Commons. For more information, please contact [email protected].

http://commons.erau.edu/

http://commons.erau.edu/

https://commons.erau.edu/adfsl

https://commons.erau.edu/adfsl/2016

https://commons.erau.edu/adfsl/2016

https://commons.erau.edu/adfsl?utm_source=commons.erau.edu%2Fadfsl%2F2016%2Ftuesday%2F10&utm_medium=PDF&utm_campaign=PDFCoverPages

http://network.bepress.com/hgg/discipline/1320?utm_source=commons.erau.edu%2Fadfsl%2F2016%2Ftuesday%2F10&utm_medium=PDF&utm_campaign=PDFCoverPages










https://commons.erau.edu/adfsl/2016/tuesday/10?utm_source=commons.erau.edu%2Fadfsl%2F2016%2Ftuesday%2F10&utm_medium=PDF&utm_campaign=PDFCoverPages

mailto:[email protected]

/creativecommons.org/licenses/by-nc-nd/4.0/

/creativecommons.org/licenses/by-nc-nd/4.0/

Acceleration of Statistical Detection of Zero-day … CDFSL Proceedings 2016

© 2016 ADFSL Page 47

ACCELERATION OF STATISTICALDETECTION OF ZERO-DAY MALWARE IN THEMEMORY DUMP USING CUDA-ENABLED GPU

HARDWAREIgor Korkin Iwan Nesterow

Independent ResearchersMoscow, Russia

{igor.korkin, i.nesterow}@gmail.com

ABSTRACTThis paper focuses on the anticipatory enhancement of methods of detecting stealth software.Cyber security detection tools are insufficiently powerful to reveal the most recent cyber-attackswhich use malware. In this paper, we will present first an idea of the highest stealth malware, asthis is the most complicated scenario for detection because it combines both existing anti-forensictechniques together with their potential improvements. Second, we will present new detectionmethods which are resilient to this hidden prototype. To help solve this detection challenge, wehave analyzed Windows’ memory content using a new method of Shannon Entropy calculation;methods of digital photogrammetry; the Zipf–Mandelbrot law, as well as by disassembling thememory content and analyzing the output. Finally, we present an idea and architecture of thesoftware tool, which uses CUDA-enabled GPU hardware, to speed-up memory forensics. All threeideas are currently a work in progress.

Keywords: rootkit detection, anti-forensics, memory analysis, scattered fragments, anticipatoryenhancement, CUDA.

INTRODUCTIONAccording to the major antivirus companies,there is presently a significant rise in cyber-attacks using hidden or rootkit malware(McAfee Labs, 2015a; Wangen, 2015;Symantec, 2015). Three tendencies in malwareevolution have become apparent presentingcorresponding cyber-security challenges. Thefirst one is the custom-made malware attacks.Applying zero-day or unknown malware makesinvestigation of cyber security incidentssignificantly more difficult (Jochheim, 2012).Second, malware uses various anti-forensictechniques, evasion approaches, and rootkitmechanisms, which substantially impair their

detection. Finally, investigating this malwarehas to meet very tight deadlines.

Well-targeted malware attacks. Recentcyber security breaches appear to suggest thata wide range of cyber-attacks are well-targeted.Nowadays cyber intrusions are rising at anunprecedented pace. The modern malware suchas BlackEnergy malware infiltrated thesystems that control critical infrastructure,including oil and gas pipelines, waterdistribution systems, and the power grid. Theeconomic impact of such attacks will becolossal; for example, a cyber-attack on the 50power plants in the USA could cause $1T ineconomic damage (Jeff, 2015). US Nuclear

ADFSL Conference Proceedings 2016 Acceleration of Statistical Detection of Zero-day …

Page 48 © 2016 ADFSL

Regulatory Commission experienced an 18%increase in computer security incidents in theNuclear Power Plants. These incidents includeunauthorized access, malicious code, and otheraccess attempts (Dingbaum, 2016). Thesecyber–attacks are already happening. Israel’sMinister of Infrastructure, Energy and Watersaid that the country’s Public UtilityAuthority had been targeted by malware. Hebelieves that the terrorist organizations such asDaesh, Hezbollah, Hamas, and Al Qaeda haverealized this attack (Ragan, 2016). In addition,the U.K. government believes that ISIS isplanning major cyber-attacks against airlines,hospitals, and nuclear power plants (Gilbert,2015). The recent hackers’ attack onKaspersky Lab, which was the first cyber-attack on Antivirus Company and car cyberhijacking look paltry and unimportant. TheStuxnet-like malware’s tendency was reinforcedby a cyber-attack on the Kaspersky Lab(Kaspersky Lab, 2015). In this case, themalware focused on stealing technologies andsnooping on ongoing investigations. The CEOsaid the following: “the cost of developing andmaintaining such a malicious framework iscolossal. The thinking behind it is a generationahead of anything we’d seen earlier – it uses anumber of tricks that make it really difficult todetect and neutralize. It looks like the peoplebehind Duqu 2.0 were fully confident that itwould be impossible to have their clandestineactivity exposed” (Kaspersky, 2015). Thisvulnerability of a respected antivirus companyreflects a highly sophisticated level of cyber-attacks. It presents a considerable challenge forzero-day detection for both Windows andUnix-based operating systems (Farrukh, &Muddassar, 2012).

Anti-forensic techniques. Malwareapplies a variety of anti-forensic and rootkittechniques to overcome detection, or makes itmuch more difficult. Currently, the abnormalrise of anti-forensic techniques and digital

investigators cannot match this challenge(SANS Institute, 2015a). According to AlissaTorres, founder of Sibertor Forensics andformer member of the Mandiant ComputerIncident Response Team (MCIRT), “Attackersknow how forensics investigators work andthey are becoming increasingly moresophisticated at using methods that leave fewtraces behind – we are in an arms race wherethe key difference is training” (Seals, 2015).This trend has been confirmed by the recentattack on Windows operating system (OS)using malware, which by encrypting itself wasable to evade popular debugging tools (TheRegister, 2015). The authors also underlinethat “the attack is more likely to bypasssecurity checks” and “the source of the attackis not easily identified by forensics analysis”(Nat, & Mehtre, 2014). According to theMcAfee Labs 2016 Threats Predictions, “cyberespionage attacks have become stealthier andthat they have become more impactful thanprior breaches” (McAfee Labs, 2015b). As aresult, it is not enough to create a newdetection tool. We need to take into accountboth anti-forensic techniques: current ones andtheir expected future developments.

Long-term malware infection.Malicious activity of stealth malware can resultin financial, reputational, process, and otherlosses. There are several examples of malwarewhich have been stealing data for years. Spynetwork Red October (Kaspersky Lab's GlobalResearch & Analysis Team, 2013) collecteddata from diplomatic, government, and scienceagencies from the whole world for five years.Another example was the stealthy,sophisticated Regin malware, which has beeninfecting computers since 2008; the recentdetection of dozens of its modules shows thatthis spy network is still active (Weil, 2014;Paganini, 2015). Such a long-term malwareinfection is completely unacceptable for allbusiness.


© 2016 ADFSL 9

Modern antiviruses do not cover thesethree aspects of new malware and have noability to react swiftly against such highlysophisticated malware. Thus actual cybersecurity threats demand a complex review ofall existing hidden malware detection methods.

Aim of this project. There is a need todevelop new methods of detecting hiddenmalware, which will be resilient to existinganti-forensic techniques such as rootkitcountermeasures.

In this paper, we present a research projectwhich seeks to detect zero-day malware in thememory dump under deliberatecountermeasures. By applying the synthesis ofnew methods, we can detect unknown malwarein the memory at a very early stage and thusprevent their negative sequelae.

Motivation. This paper was inspired bythe book ‘The Art of Memory Forensics’ (Ligh,Case, Levy, & Walters, 2014) and thepreliminary version of the book ‘Rootkits andBootkits: Reversing Modern Malware and NextGeneration Threats’ (Matrosov, Rodionov, &Bratus, 2016) and other papers. We were alsoinspired by helpful comments on the rootkitdetection system MASHKA (Korkin, &Nesterov, 2014) from Luka Milkovic, NicolasRuff, Giovanni Vigna, Stefan Vömel andIbrahim (Abe) Baggili.

This paper consists of six sections.Section 2 is devoted to the comparative

analysis of the methods used to detect stealthsoftware. It describes how these methods workand what their vulnerabilities are. Thecombination of existing anti-forensic techniquesshows that hidden malware can overcome allpopular stealth software detection methods.

Section 3 contains the several scenarios offurther improvements of anti-forensic methods.The idea of the most hidden driver or higheststealth malware (HighSteM), which overcomes

all popular detection methods and theirpossible development. HighSteM functionalitywill be given; HighSteM can acquire sensitiveinformation using memory access without anyinteraction with OS functions. The example ofthe keyboard keylogger, which works in thisway, is discussed. As a result, we can simulatethe most difficult case scenario for detection,and this will be used in further research of itsdetection.

In section 4, HighSteM detection methodsare presented. We will present a variety ofideas to solve the detection challenge, usingmethods of digital photogrammetry, the ZipfMandelbrot law, and methods of artificialimmune systems as well as by disassemblingthe memory content and analyzing the output.These methods will be analyzed in terms oftheir vulnerabilities to possible anti-forensictechniques. Developing, testing, and applyingthese new methods require a huge amount ofcomputational resources which are notaccessible to the vast majority of laboratories.To solve this time consuming task, weproposed using modern graphics cards orCUDA-enabled GPU hardware.

Section 5 explores the idea of signaturesearch optimization. As a basis for signaturesearch, the algorithm from the rootkitdetection system MASHKA was chosen. Thesuggestion is to combine the facilities of CPUand GPU so that the part with calculating andlinear search will use the number of cores ofGPU. This helps to significantly acceleratelinear search in the memory dump.

Section 6 contains the main conclusionsand further research directions.


0 © 2016 ADFSL

ANALYSIS OF THEDRIVER DETECTIONAPPROACHES IN THE

MEMORY DUMPThis project focuses on the detection of hiddendrivers, as they have many opportunities toconceal themselves and because of operating ina high privilege mode they can affect the OSand antivirus software. Hidden drivers featuresare commonly used in spyware (Paganini,2015; Musavi, & Kharrazi, 2014) and so thepriority task for cyber-security is the detectionof hidden drivers in the Windows and Unix-based OS. Further analysis will be carried outfor the most popular Windows OS, but allresults can be adopted for Unix-based OS aswell.

This analysis of the more popular methodsfor detecting hidden software and theirresilience to anti-forensic techniques should beof great interest to cyber-security experts. Thisanalysis of detection methods andcorresponding countermeasures will be basedonly on publicly available information sources:books, papers in scientific journals, conferencepresentations, blog posts as well as discussionsin forums.

The explanation will be provided throughthe increasing number of drivers’manipulations for self-concealment. Eachdetection method will include thecorresponding rootkit techniques to hinder themalware or prevent its work. In addition, everyfollowing analyzed method will be resilienttowards countermeasures of the previouslyanalyzed method.

Classification of MethodsUsed to Reveal Drivers

The creation of resilient detection methodsrequires answers to the following questions:

How drivers work in Windows OSand how they can be hidden;

How to detect hidden drivers;

How to predict and face anti-forensic techniques.

To formulate the prerequisites of driverdetection, the following topics will be coveredin the next section:

The virtual memory content after adriver has been loaded;

The details and vulnerabilities of aWindows built-in tool, whichcollects data about installed drivers;

Analysis of the resilience ofalternative approaches to detectdrivers.

In addition, the classification of thedifferent methods used to detect drivers will begiven.

According to Blunden (2012), before akernel mode driver has been started, itsexecutable file is loaded in the memory, andthe driver’s information is added in to severalOS’ linked lists and after that, the DriverEntryfunction is executed.

Consider the situation with three loadeddrivers- A, B, and C. Figure 1 shows thecontent of the virtual memory prior to theloading of these drivers. To simplify the model,on the top of the figure, there are only two OS’linked lists with three drivers’ structures,which correspond to the three loaded drivers.At the bottom there are three executabledriver files. All these objects may be used asfingerprints to detect drivers.

According to Russinovich, Solomon, &Ionescu, (2012) the Windows built-in tool usesone of these lists to receive information aboutloaded drivers, assuming that list #1 is the listutilized by the built-in tool, e.g. called



NtQuerySystemInformation withSystemModuleInformation (11) informationclass. However, as this is a list-basedmechanism, it is vulnerable to anti-forensictechniques. According to Blunden (2012), byunlinking a driver’s structure from this list it ispossible to conceal the driver from the built-intool. This unlinking attack is also known asDirect Kernel Object Manipulation (DKOM)and this technique yields two positive results.The first is that the built-in tool is not able tofind this driver; and second is that WindowsOS and the hidden driver will continue to workcorrectly.

Thus, the hidden driver is one of the maincyber-security threats, and to eliminate it, areliable method of detection is required todetect all hidden drivers. After all the stealthdrivers are detected, the incident response canbe carried out using special pre-filinginvestigations, such as reverse-engineering(Matrosov, Rodionov, & Bratus, 2016),although a review of this topic is beyond thescope of this paper.

The most common technique to discover ahidden driver or any rootkit is to apply thecross-view approach, which checks equalitybetween two drivers’ lists. The first list wascreated by the built-in tool and the second listuses one of the alternative drivers’ detectionapproaches.

Alternative detection approaches can beclassified into two categories according to thesubject of the search: first by using OS driverstructures and second by using the content ofthe driver’s files in the memory. Theirclassification is given in Figure 2. The firstapproach can be further sub-divided into twogroups: based on the links between structuresand a signature based search of driversstructures.

The second approach can also be furtherpartitioned into two subsets: signatures and astatistically-based approach to detect thedriver’s files in the memory. Each of thesemethods will be analyzed. The new detectionapproach proposed at the end of this paper isbased on the statistically-based approach.

Figure 1. Fingerprints of kernel-mode drivers in a memory dump: loaded drivers and their metadata

System List #1 of Drivers Structures

Struct ofDriver A

System List #2 of Drivers Structures

Struct ofDriver B

Struct ofDriver C

Struct ofDriver A

Tag Tag Tag Tag

Struct ofDriver C

Tag

Struct ofDriver B

Tag

Loaded executablefile of Driver A

(PE .sys file)

Loaded executablefile of Driver B

(PE .sys file)

Loaded executablefile of Driver C

(PE .sys file)



ApproachesBased on theLinks between Structures

These methods receive the list of drivers bywalking through the various linked lists ofdriver structures in the memory.

We will be focusing on the most popularOS’ linked lists, which are used to detectdrivers (Vomel, & Lenz, 2013):

List of drivers’ modules, also calledPsLoadedModuleList;

List of kernel mode threads from‘System’ process;

Drivers’ objects list from the objectdirectory also calledObjectDirectory;

List of recently unloaded drivers;

Service record lists in the memoryalso called ServiceDatabase;

Database of installed services in thesystem registry.

We will shortly discuss each of these listsand techniques used to hide data from each ofthem.



PsLoadedModuleList. The first and themost famous list is PsLoadedModuleList,which is used by ZwQuerySystemInformationfunction or, in other words, by the Windowsbuilt-in tool. This is double linked to the list ofKLDR_DATA_TABLE_ENTRY structures,which contains the data about each kernelmodule. The Volatility’s modules plugin usesthis list. It is possible to hide a driver structurefrom this list by using DKOM unlinking. Thedetails of this anti-forensic technique are given

in Hoglund, & Butler (2005) and also in Tsaur,& Wu (2014a) and realized in theDhpHideModule function of Dementia, theproof of the concept memory anti-forensictoolkit by Milkovic (2012).

Kernel-mode threads. According to thebook (Ligh, Case, Levy, & Walters, 2014a) theprocess ‘System’ with PID 4 includes the list ofkernel mode threads. This list contains theETHREAD structures. This idea is also usedin the Volatility’s orphan plugin; however, an

Figure 2. Classification of methods to detect drivers



intruder is able to prevent detection using thislist by rewriting sensitive information from thecorresponding ETHREAD structure, e.g. fieldStartAddress. As a result, the modifiedstructure will be of no use for detection. Thisanti-forensic technique will be referred to asDKOM patching.

DKOM patching is a widely-usedtechnique. Here is an idea of how to hideEPROCESS structure – “instead of removingthe process from the linked list, replace itscontent and technically the process should be‘hidden,’ meaning it will still show up ontaskmanager etc but when you try to close ordump it, it will close/dump the dummyprocess instead” (Ch40zz, 2015).

ObjectDirectory. The third list is theWindows Object Directory list or the objecttree, which contains structures of differentobjects. In this paper, we are focusing onDRIVER_OBJECT structures. The details ofhow this tree is organized is given inZhanglinfu2000 (2013) and Probert (2004).The documented functionNtQueryDirectoryObject uses this tree to getthe information about the specified directoryobject (MSDN, n.d.-a); however, the driver isable to conceal the correspondingDRIVER_OBJECT structures by DKOMunlinking. The details of this anti forensictechnique are given in (Tsaur, & Yeh, 2015;Jakobsson, & Ramzan, 2008; Tsaur, & Wu,2014a). The attack of hiding a driver from anobject directory is implemented by theStealthInitializeLateMore function in theAntiMida by Pistelli (n.d) and in the Zionopen source rootkit by Chen (2008).

Recently unloaded drivers. This listincludes the names, times, the start and finishaddresses of recently unloaded drivers (Ligh,Case, Levy, & Walters, 2014b). This list ismentioned in the following papers (MJ0011,2009; SANS Institute, 2015b) as well as in the

forum discussion (KernelMode.info, 2012). TheVolatility’s unloadedmodules plugin uses thislist. According to the Windows ResearchKernel (WRK) the variablePUNLOADED_DRIVERSMmUnloadedDrivers stores the address of thetop of this list, and by usingMmLocateUnloadedDriver function, it canlocate the specified virtual address in the list(Microsoft, n.d.-a; Microsoft, n.d.-b). We canalso get this address by callingReadDebuggerData function with parameterDEBUG_DATA_MmUnloadedDriversAddr(MSDN, n.d.-b). However, an attacker canapply DKOM patching and overwrite sensitivefields in the corresponding structure, andtherefore it makes the list unusable fordetection.

ServiceDatabase in the memory.According to Ligh et al (2014c), after theinstallation of a driver using Service ControlManager (SCM), corresponding information isadded to the two lists. The first is the doublelinked list of service record structures inservices.exe also known as ServiceDatabase.The second list is located in the systemregistry. Thus it is possible to get informationabout loaded drivers from ServiceDatabaseusing the EnumServicesStatus function withparameter SERVICE_KERNEL_DRIVER(MSDN, n.d.-c). The detailed analysis of SCMmechanisms is explained is several recent books(Stuttard, Pinto, Ligh, Adair, Hartstein, &Richard, 2014; Ligh, Case, Levy, & Walters,2014d) as well as in the blog of D.Clark (Clark,2014). The ServiceDatabase details and themany ways to conceal the service recordstructure and this is in the context of BlazgelTrojan in the book (Ligh, Adair, Hartstein, &Richard, 2010), which hides services by DKOMunlinking. Further examples of how to unlink astructure of hidden service are given inWineblat (2009); Mask (2011); and Louboutin(2010).



Database of Installed Services in theSystem Registry. As mentioned before, if adriver is loaded using SCM, this informationwill also be duplicated in the system registry.The list of registered kernel mode drivers anduser mode services is located in the followingregistry path:“HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services”(MSDN, n.d.-d;Microsoft, n.d.-c). The detailed description ofthis list can be found on the OSR online site.(OSR Online, 1997). We can get informationfrom this list; it can also be obtained by usingregistry API function RegEnumKeyEx;however, this list is also susceptible to intrudercountermeasures such as deleting thecorresponding registry key, which contains theinformation about a hidden driver. An exampleof removing the driver-related information inthe registry is given in Tsaur, & Wu (2014b;ZCM Services, 2010).

Table 1 summarizes the various analyzedapproaches to detect drivers and theirvulnerabilities. The first column gives the listand the respective structure names. Thesecond column contains the software tools,which apply these lists. The last column showsthe anti-forensic techniques, which can defeator overcome the detection.

As a result, we can conclude that allapproaches based on the links between

structures are susceptible to anti-forensictechniques such as DKOM unlinking, DKOMpatching and removing registry keys. Next, thepaper will review the driver detection methods,which are resilient to these countermeasures,although they may have other weaknesses.

0.1. Signature-Based Search of DriverStructures

When a driver structure is concealed byusing DKOM patching and all informativefields are rewritten, then this structure isuseless for detection, however, if a structure ishidden only by DKOM unlinking it, it can berevealed by a signature-based search.

Signature-based search of driver structuresis based on the fact that driver structures havetypical fragments, or in other words,signatures, which are the same for allstructures from one list. We can reveal alldrivers’ structures by using byte-to-bytesignature search regardless of whether or not astructure is unlinked. Signature based searchcan retrieve data and does not rely on APIcalls that can be subverted. Signature-basedsearch, in some cases, can be sped upsignificantly using the fact that driverstructures, e.g. DRIVER_OBJECT, arelocated closely to each other in the memory(Korkin, & Nesterov, 2014).



Table 1Summary table of the detection approaches based on the links between structures and their vulnerabilities

List and structure names Examples of lists using Examples of AttacksPsLoadedModuleList,

KLDR_DATA_TABLE_ENTRY ZwQuerySystemInformation Volatility’s modules plugin

DKOM unlinkingObjectDirectory, DRIVER_OBJECT ZwQueryDirectoryObjectService Record List,

SERVICE_RECORD EnumServicesStatus

List of kernel mode system threads,ETHREAD Volatility’s orphan plugin

DKOM patchingMmUnloadedDrivers,UNLOADED_DRIVERS

ReadDebuggerData Volatility’s unloadedmodules plugin

Service Record List in registry RegEnumKeyEx Removing registry keys

Two signature types can be distinguished:

Signatures based on short bytesequence, also known as pool-tagscanning;

Signatures based on stand-alonebytes, also known as magicnumbers in the structures.

Pool-tag scanning. This signature isbased on the fact that each structure from onelist contains the same four byte tags. This isone of the most popular ways to findstructures in the memory. This tag could beadded to the structure using two ways: withthe function ExAllocatePoolWithTag ormanual by a programmer. In the first case afour-byte tag value is added automatically atthe beginning of the allocated pool memory.These values are reserved for each systemstructures. The pool tag list of Windowsdrivers is given in Rhee (2009). In the secondcase, such byte signature is added by theprogrammer. For example, while a driver isstarted, SCM creates theSERVICE_RECORD structure and adds thepool-tag value: (*ServiceRecord)->Signature =SERVICE_SIGNATURE, whereSERVICE_SIGNATURE is 0x76724573 or"sErv" in ASCII. The details of thismanipulation are in the source code (Microsoft,

n.d. d). M. Ligh used the pool-tag scanningdetect Windows threads (Ligh, 2011).

Magic numbers in the structures. Thesecond type of signature is based on the factthat structures from one list have somecommon peculiarities. This signature includesonly the bytes whose values are the same forall linked structures on the list. Also, apartfrom the single bytes, we can also use the factthat kernel mode structures include the fields,whose values are linked with other kernel modestructures. Therefore, these values exceed thevalues of 0x8000_0000 (Schuster, 2006). Thispeculiarity was described by Tsaur, & Chen(2010) and Haukli (2014) and after that wasenhanced in Dynamic Bit Signature (DBS) todetect hidden structures (Korkin, & Nesterov,2014).

The summary table of signature-basedsearch methods of driver structures is in

Table 2.As a result, simultaneously applying both

anti forensic techniques: DKOM unlinking andDKOM patching renders drivers’ structuresuseless for detection and significantly hindersfurther analysis. Next, we will cover driverdetection approaches, which do not rely ondriver structures; therefore, these approachesare able to detect the hidden driver, which



uses both the above mentioned countermeasures.

Table 2.Summary table of signature-based search methods of driver structures

List and structure names Signatureexamples Signature using example

PsLoadedModuleList,KLDR_DATA_TABLE_ENTRY

Tag signature“MmLd” Cohen (2014)

Service Record List,SERVICE_RECORD

Tag signature“sErv” or “serH”

Hidden Service Detector (hsd) by EiNSTeiN_Ligh, Case, Levy, & Walters (2014f)

Volatility’s SvcScan plugin byLigh, Case, Levy, & Walters (2014g) and

Vomel, & Lenz (2013)

ObjectTable, DRIVER_OBJECT

Tag signature“Driv”

Volatility’s modscan plugin byLigh, Case, Levy, & Walters (2014h)

Byte signature Tsaur, & Chen (2010) and Haukli (2014)Dynamic bit

signature Korkin, & Nesterov (2014)

Signature-based Detection ofDrivers Files

Signature-based search of drivers’ files usespriority known fragments of drivers’ files assignatures; therefore, these methods are notsusceptible to manipulation with drivers’structures. In comparison with the previoussignature-based methods, these methods use asimilar byte-to-byte search for drivers’ files,but not for drivers’ structures.

There are three types of signatures to finddriver files to be discussed:

ASCII strings;

Magic numbers in the PE-header;

OpCode patterns.

ASCII strings. The first type ofsignatures includes various strings from anexecutable file. The best known example ofASCII strings signatures is “This programcannot be run in DOS mode” from MS-DOSheader (Timzen, 2015; x86Disassembly/Windows Executable Files, n.d.).M. Russinovich used this string while

analyzing Stuxnet (Russinovich, 2011), andalso, import table, in other words, symbolicnames of functions belonging to ASCII stringssignatures. The example of this signature isused to analyze packed PE files, “The Presenceof certain functions in the import” (NTInfo,2014).

How to bypass ASCII stringssignatures? The ASCII strings signatures arenot resilient to the following countermeasures.First, the hidden driver can overwrite its MS-DOS header in the memory; and thismanipulation does not influence its OS work(Qark, n.d.). Moreover, to hinder detection, ahidden driver can use only two importedfunctions LoadLibrary and GetProcAddress. Itis also able to perform the function-resolutiontasks and to call on any other functions (Eagle,2011). As a result, the import table willinclude just only two names, which will not beenough for detection.

Magic numbers in the PE-header. Thesecond type of signature is based on thepeculiarities of the PE-header content (ELF-header in UNIX case) or in the magic numbers.



This signature is a byte template, whichincludes the field values of PE header and theircorresponding offsets from the beginning of thefile (Dorfman, 2014; Choi, Kim, Oh, & Ryou,2009). An example of the application of magicnumbers in the PE-header to detect unknownmalware is presented by Wang, Wu, & Hsieh(2009). An example of adopting this signatureto ELF-header for unknown malware detectionin the OS Linux is given in Farrukh, &Muddassar (2012).

How to bypass magic numbers in thePE-header? The hidden driver can bypassthis type of signature using a similaroverwriting technique. After the driver hasbeen loaded its PE-header integrity is notneeded. Therefore a rootkit can overwrite thecontent of PE-header and bypass signaturesbased on magic numbers. This approach wasalso proposed by Tsaur, & Wu (2014c).

Opcode patterns. The third type ofsignatures is based on the common factors inthe content of the compiled file. Each driver isan executable file, which includes sets ofmachine language instruction or operationcodes, and further opcodes, which are executedby CPU. An Instruction Set Architecture(ISA) includes a specification of the set ofopcodes. Different drivers have similar opcodefragments because they are executed on thesame CPU architecture. The most popularexample of using opcodes as a signature is thesearch of starting and ending of functions. Thecorresponding opcodes are also known as‘functions prolog and epilog’ and they dependon calling convention (Calvet, 2012). There arethree popular calling conventions that are usedwith C/C++ language: stdcall, cdecl andthiscall (Chen, 2004). Opcode based signaturesare used to detect various malware (Santos,Brezo, Nieves, Penya, Sanz, Laorden, &Bringas, 2010; Santos, Sanz, Laorden, Brezo, &Bringas, 2011; Zolotukhin, & Hamalainen,2014). There are numerous examples of using

opcodes for detection (Ghezelbigloo, &VafaeiJahan, 2014; Singla, Gandotra, Bansal,& Sofat, 2015; Yu, Zhou, Liu, Yang, & Luo,2011).

An example of using opcode bytecombination to find hidden service structures isgiven in the information from Ligh, M. (Ligh,M., 2015a, 2015b). Opcode patterns are alsoused in firmware analysis. The patternmatching tool Binwalk detects the potentiallyexecutable data by identifying known functionprolog and epilog patterns (Binwalk, 2015).

Opcode-based signatures could be furtherdeveloped using control flow analysis (Ding,Dai, Yan, & Zhang, 2014) and data miningtechniques (Siddiqui, Wang, & Lee 2008;Santos, Brezo, Ugarte-Pedrero, & Bringas,2013) and also varied classification techniques(Shabtai, Moskovitch, Feher, Dolev, & Elovici,2012).

How to bypass opcode patterns?Several authors have pointed out that applyingprolog and epilog signatures as well as usingother ISA opcode patterns does not make itresilient to anti-forensic techniques. A rootkitcan bypass opcode patterns by obfuscatingprolog and epilog functions. An example ofhiding functions call is given in Emil’s Projects(2010). Also malware can evade the signature-based detection by packing the original codeusing custom packers (Arora, Singh, Pareek, &Edara, 2013).

As a result, we can conclude, that despitethe fact that the signature-based search ofdrivers files is resilient to manipulation withdriver structures, this search is susceptible toother anti-forensic techniques. An intruder cancircumvent signature based search of driversfiles in memory by overwriting sensitive datafor ASCII-based signatures and signaturesbased on PE-header features; as well asencrypting, packaging and obfuscating ofcontent of a driver file (Saleh, Ratazzi, & Xu,



2014; Dang, Gazet, Bachaalany, & Josse, 2014;Aronov, 2015).

Further, we will present an analysis ofdriver-detection approach, which is resilient tocombination of all previous anti-forensictechniques.

Statistical Detection ofDriver Files

Statistical detection of driver files is able toreveal loaded drivers in the memory files,without using any fixed signature. Thisdetection approach is based on the fact thatthe content of driver files is significantlydifferent from the content of other memoryparts.

Statistical detection of driver files includestwo phases. In the first step, we evaluate thememory content by calculating variousstatistics for each memory offset. Thistechnique is also known as the ‘sliding windowsapproach.’ In the second step, we find memoryregions with abnormal values for the calculatedstatistics. These memory regions are very likelyto have a driver code or raw machine code.

An impulse of using the statistical memoryanalysis to find an executable code in thememory is given in Lyda & Hamrock (2007),which specified the Shannon's entropy notionand was the first to apply binary entropy. Theauthors discovered that by comparing entropyvalues, it is possible to separate different datatypes: plain text, native executables, packedexecutables, and encrypted executables(Brown, 2009).

According to the blog post by Suszter(2014), “entropy analysis is very useful tolocate compressed, encrypted, and other wayencoded data; higher entropy can indicateencoding of some kind; lower entropy is likelyto include anything else such as text, code,header and data structures.”

Our analysis of publicly available sourcesshows that there are no facts of using entropyto detect hidden drivers in the memory;however, entropy is applied in various spheresof cyber security (Matveeva, 2014), such asfinding an executable code in the officedocument files (Jochheim, 2012; Pareek,Eswari, Babu, & Bangalore, 2013; Iwamoto, &Wasaki, 2014; Tabish, Shafiq, & Farooq, 2009),in PDF-files (Schmidt, Wahlisch, & Groning,2011; Pareek, Eswari, & Babu, 2013), in thenetwork traffic (Nguyen, Tran, Ma, & Sharma,2014), and in the analysis of unknown binaryfiles (Yurichev, 2015). Entropy analysis is alsoused to find cryptographic keys in the memorydump (Maartmann-Moe, 2008). This successfulexperience can be applied to find hidden drivercontent in the memory and detect rootkits.

Entropy analysis of individual files is themost commonly used method to solve the taskof files classification, for example, to separatepacked and encrypted file from an unprotectedfile. According to Devi, & Nandi (2012), “it isvery important to figure out whether a givenexecutable is packed or non-packed beforedetermining whether it is malicious or benign.”If certain conditions are true, such as the filehas a high entropy value, unknown MD5 hashvalue and also it has no digital signature, it ismost likely that this executable file is malware(SANS Institute, 2014; Nataraja, Jacob, &Manjunatha, 2010). In addition, in thisauthor’s opinion, antiviruses can usually detectweird applications using entropy. To develop a‘well done rootkit’ we need to be creativeabout entropy (Lupi, 2011).

The sliding window approach allows us tocalculate a variety of statistics. Together withthe formula of binary entropy by Lyda andHamrock (2007) there are other ways ofcalculating entropy (Hall, & Davis, 2006). Alsoapart from entropy in the sliding windowapproach, we can use other statistics such asarithmetic mean, Chi square and Hamming



weight (Conti, et al., 2010). Jochheim (2012)finds that the most useful statistics in fileclassification are the following: average,kurtosis, distribution of averages, standarddeviation, and distribution of standarddeviations. One of the prospective methods tomeasure binaries is to apply Kolmogorovcomplexity for detecting malware (Alshahwan,Barr, Clark, & Danezis, 2015).

In the case of memory dump, we do nothave separate files, so we can apply the slidingwindow approach or its various modifications.One such example is given by Matveeva andEpishkina (2015). The authors proposedconstructing a byte value / byte offsetdependency graph. Byte offsets are placed onthe horizontal axis, and byte values are on thevertical axis. After that, the authors calculateand construct a frequency byte distribution forvarious window-form fragments of the firstplot. The authors suggest using the followingfragment sizes: 100x100 and 2000x50.

Another approach is to use the followingconfiguration of sliding window method: eachblock has fixed length 256 bytes, “Each blockhas an overlap of 4 bytes…A short-termFourier analysis is applied to every 4 bytes ofthe entropy stream” (Jochheim, Schmidt, &Wahlisch, 2011).

For further analysis of the memory dumpthese authors suggest the following methods:Short-term Fourier Transform (STFT)(Schmidt, Wahlisch, & Groning, 2011;Iwamoto, & Wasaki, 2014) or Wavelettransform (Matveeva, & Epishkina, 2015).

Other ways of calculating statistics apartfrom binary entropy by are suggested by Lydaand Hamrock (2007), who suggest by using onebyte, we can also calculate entropy using twobytes or using bigram analysis (Nataraja,Jacobb, & Manjunatha, 2010), as well as usingthree bytes or trigrams (Conti, et al., 2010).Along with the analysis of individual values

statistics, we can also evaluate the memorycontent using n-gram analysis (Pareek, Eswari,& Babu, 2013; Nath, & Mehtre, 2014).

It is possible to carry out memory analysisusing both manual and automatic modes. Theidea of automated classification of different filetypes, such as random, text, machine code,bitmap, compressed images, encoded andencrypted data exposed in the paper (Conti, etal., 2010). To solve a classification problem,the authors first calculated threshold values fordifferent data types by using test samples.Their results solved the classification problemwith the appropriate values of false positivesand false negatives. An alternative example ofsolving the classification problem by usingentropy is given in the work by Bat Erdene,Kim, Li, and Lee (2013).

Artificial intelligence methods look verypromising for solving the classificationproblem, but the authors thought that thesemethods are insufficiently precise because ofthe errors of the first and second types(Jochheim, 2012).

To make manual analysis of memory easierand faster we can use various visualizationtechniques. In his paper, Jocheim suggestedusing the following byte blot: each byte in thefile was colored according to this byte hexvalue, e.g. zero bytes and bytes with value0xFF are black and white correspondingly.Using this approach, we can easily locate zeropages in the memory as well as the particularsections of an executable file – .text, .data,.rsrc.

An alternative approach for visualizingdata uses space-filling curves proposed by A.Cortesi. He analyzed various approaches ofhow to visualize the file content, such asZigzag, Z-order, and Hilbert to find encryptedblocks (Cortesi, 2012). As a result of this work,the author developed tools to visualize content



using both web-site (Cortesi, 2015a) and localhost PC (Cortesi, 2015b).

Visualization of files or memory dumps isan up-and-coming direction in cyber-security,which was confirmed by various projects: thusthe cantor.dust project was presented at theREcon'13 conference, Binwalk, binglide,Vix/Biteye, senseye, and many others(Visualizing ELF binaries, 2014).

In addition, it is possible to apply acombination of the approaches mentionedbefore. An example of using signature-basedand statistical approach was presented in theworks by Merkel, Hoppe, Kraetzer, andDittmann (2010).

How to bypass statistical detection?At the same time, the statistical detectionapproach is also vulnerable to anti-forensictechniques. The idea of countermeasures is toapply the manipulations, which decrease theentropy of driver content and as a resultseriously hinder localizing a driver code in thememory areas.

There are only two publicly availablecountermeasures to decrease entropy: the firstis to use Multiple Files and the second is toadd memory blocks with zero entropy.

The first method is used in the Stuxnetand Flame, which deliberately decreased theentropy values using Multiple Files to achieve‘lesser maliciousness entropy’ (Teller, 2013;Schuberth, 2014).

The second one is also known as a meta-obfuscation technique by null contentinsertion. Executable code can also hide itselfby reducing entropy values of its memorycontent with the help of including memoryfragments with low entropy. An example ofsuch manipulation is used in spyware programZeus, and it includes inserting blocks ofsymbols with zero entropy. Moreover,according to the blog post, many packers use

this anti-forensic technique to hide the factthat this file has been encrypted – “some verygood packers and protectors of malware try toreduce entropy by inserting zero bytes in data.The reason is that virus scanners react to fileswith high entropy” (NTInfo, 2014).

To bypass the circumvention, i.e., to detectsuch malware the authors (Pedrero, Santos,Sanz, Laorden, & Bringas, 2012) proposed away to localize and delete such data blocks,and after that, calculate entropy values. Thelatter was made possible by applying bytehistograms to analyze the contents of the file.However, applying byte histograms is alsovulnerable to the corresponding anti-forensictechnique, as discussed below.

ConclusionThe above analysis shows that all popularapproaches to detect drivers are susceptible toanti-forensic techniques: seeTable 3.

By joining the results of this chapter andthe work by Korkin and Nesterov (2014) wecan state that the most popular framework formemory analysis, Volatility, is also vulnerableto anti-forensic technique and moreover, thatmalware can overcome Volatility in bothstages: memory acquisition and memory dumpanalysis.

To sum up, we can conclude that a drivercan be hidden in different ways (Jason, 2012)but the results will always be the same –running uncontrolled code in the privilegememory area and the content of this code willhave a low entropy value.

This work focuses on the anticipatorydevelopment of advanced cyber-securitysolutions. As a result, in this project we willcreate a new hidden-driver detection method,which will be resilient to current drivercountermeasures and their possibledevelopment.



The task to detect a driver comes down tothe recognition task between the executable

driver code and data fragments, which arestored in the memory.

Table 3The list of popular approaches to detect drivers and their vulnerabilities

The ways to detect drivers Anti-forensic technique

Using driverstructures

Using links between structures DKOM unlinkingSignature-based search DKOM patching

Using content ofdriver files

Signature-based detection DKOM patching & PE packingStatistical-based detection Memory patching

THE IDEA OF THEHIGHEST STEALTH

MALWARE(HIGHSTEM)

In this section we will look at a prototype ofthe most hidden driver, or Highest StealthMalware (HighSteM). The goal of this sectionis to create a list of possible anti-forensictechniques, which includes both evasionmechanisms for popular detection approaches,and the present authors’ ideas on how to avoidstatistically-based detection (Pedrero, Santos,Sanz, Laorden, & Bringas, 2012). We aretrying to create anti-forensic measures, whichcan prevent detection even by future detectiontools. As a result, we will formulate the mostdifficult scenario for detection. The nextsection will deal with detection of HighSteM.

Malware can use different ways to start up:using shellcode in PDF-file or by registryfacilities for loading instead of the file system(Santos, 2014; Marcos, 2014), but all in all, themalware executable code will be loaded andreside in the memory.

It is well known that the code, which isrunning in the lowest level and is close tohardware, has the greatest potential for self-concealment. There are various levels of codeexecution: inside OS user mode (ring 3), kernelmode (ring 0) and outside OS VMX root mode

or hypervisor (ring -1), SMM (ring -2), andAMT (ring -3). We chose kernel mode (ring 0),which is the most popular among malware andspyware platforms. HighSteM will be thekernel mode driver for Windows OS or aloadable kernel module (LKM) for UNIX-basedsystems.

As a basis to develop the HighSteMprototype, we will select the FU rootkit(Blunden, 2012) or a stub driver, which isloaded using ATSIV utility by Linchpin Labs(Linchpin Labs, 2010). The results of ourpreliminary research revealed that ATSIV usesan undocumented startup method, whichconceals a driver from the most popular anti-rootkit tools (Korkin, 2012). In addition, it ispossible to use Turla Driver Loader, whichloads a driver without involving Windowsloader (hfiref0x, 2016).

We can load any driver using both built-inWindows tool (eg Service Control Manager)and by third party software (like Atsiv orTurla Driver Loader). In the first case, drivers’information is added in all system lists, whilein the second case just a few lists will beupdated.

The HighSteM prototype will apply avariety of anti-forensic techniques. First of all,HighSteM will include techniques to preventthe detection of existing approaches; thedetails are in Section 2. Then we present some



ideas on how to improve these anti-forensictechniques. HighSteM could improve Zeus’manipulations to hide from entropy-analysis bythe following three steps:

1. Insert blocks of symbols with lownonzero entropy value.

2. Use blocks with different size.3. Significantly increase size and number

of inserted blocks.On one hand, applying these three steps

makes a driver definitively hidden fromPedrero’s methods (Pedrero, Santos, Sanz,Laorden, & Bringas, 2012) and, moreover, theycan help to develop the most complex case fordetection; however, on the other hand, thesesteps will lead to certain negative effects: thesize of the driver will increase and its speed ofoperation will decrease. The reasons for thesedisadvantages are blocks of inserted symbols,so there will be many time-consuming jumpsbetween pieces of the driver code.

We also propose an idea based onHighSteM’s payload and how to realize this ina stealthy way. The main strategy is to elicitsensitive information by reading variousmemory regions without using the functions,which can be hooked by anti-viruses. An ideaof the keylogger, which collects keystrokes bychecking the corresponding memory fragment,was first proposed by Ladakis et al (2013).These authors apply the GPU facilities toaccess physical memory. They also proposed tocheck a memory region by including keystrokeswith 100ms delay. This time is enough tocollect all keystrokes with an average typingspeed and also with optimal system’s overhead,which is less than 0.1%. This paper focusedonly on the Linux OS.

Adapting this idea for Windows OS isgiven by Stewin and Bystrov (2012). Theseauthors describe how to find the OS structurethat contains the most recent keystrokes, butwithout its internal details. To find out these

details, the authors propose using reverse-engineering analysis of the kbdhid.sys file,which may be challenging.

Our preliminary research reveals thatkeystrokes’ buffer is stored in theDEVICE_EXTENSION structure, the sourcecode for a USB keyboard can be found atMicrosoft’s website (n.d.-e) and so can a PC/2keyboard (Microsoft, n.d.-f). This structureincludes the KEYBOARD_ATTRIBUTESstructure, which contains the desired codes ofkeystrokes and other additional flags. Thesimilar structure –KBDHID_DEVICE_EXTENSION is used inReactOS, which is close to Windows OS(ReactOS, n.d.).

This memory-based monitoring techniquelooks promising. On one hand, it acquiressensitive information, and on the other hand,cyber-security tools and well-known eventtracing solutions are not able to controlmemory access. This is the most difficultsituation for detection.

In the next section, we suggest some ideasof how to detect HighSteM-based rootkits.

DETECTION OFHIDDEN SOFTWARE

UNDERCOUNTERMEASURES

To achieve this goal, the following three tasksthat need to be addressed:

1. Research and develop a prototype ofthe hidden driver which can overcomeexisting detection methods.

2. Check the driver prototype usingexisting detection methods and tools.

3. Design new methods to detect hiddendrivers using analysis of Windows OSmemory.

To solve task 1, we are going to use theexample of the keyboard driver filter as the



basis for the prototype of the hidden driver(Blunden, 2009). We are planning to take thefollowing measures to hide this driver. We willload the driver prototype with the help ofpublicly available ATSIV utility by LinchpinLabs (2010). This driver will be concealed fromthe signature search by patching its PE-headerin the memory. To develop HighSteM, we willsolve the optimization problem with thefollowing two variables – the size and numberof inserted blocks of symbols and the followingthree constraints:

The maximum driver size – up to10 megabytes.

The level of decreasing speed ofoperation – no more than twotimes.

The level of entropy decreasing – nofewer than two times.

To speed up the development and testingof this driver, we will use the already preparedmemory analysis system (Korkin, & Nesterov,2014).

To solve task 2, we will use the followingpopular tools to detect a deliberately hiddendriver: Kaspersky TDSSKiller, GMER,RootRepeal, Avast Anti-Rootkit, Dr.WebCureIt!, Sophos Anti-Rootkit, F-SecureBlacklight and the most popular memoryanalysis platform – Volatility Framework(MidnightCowboy, 2015; Ligh, Case, Levy, &Walters, 2014). As a result, we willexperimentally prove that these cyber-securitysolutions are not able to detect this prototypeof the hidden driver.

On stage 3, we are going to apply thesethree ideas to find the executable code in thememory dump:

1. New methods of entropy calculationand data analysis:

a. Use function P*(2-P^2) insteadof P*log(P) to calculate

entropy. Our preliminaryanalysis showed that thisfunction grows faster on theinterval from 0 to 1 than theoriginal entropy and that is whyit looks more appropriate forthe analysis of computermemory.

b. Analyze dependence ofcalculated entropy values fromdifferent lengths of slidingwindows and its further spectraland wavelet analysis.

c. Apply methods of digitalphotogrammetry to find theexecutable code in the graphicaldiagrams of the memorycontent.

d. Use Zipf–Mandelbrot law toanalyze the executable code anddata in the memory content.

2. Disassemble memory content and carryout the thorough analysis of thereceived assembler code, using thefollowing ways:

a. Instruction Frequency Analysis.b. Evaluation of the logic of the

assembler code.c. Design and analysis of the

control flow graph based on thereceived set of the assemblercode.

To implement the first idea, we areplanning to use numerical computingenvironment MATLAB. Applying MATLAB’sbuilt-in functions help us to focus on statisticalideas rather than on their implementation andtesting.

Methods of digital photogrammetry arecommonly used to locate different objects onthe digital images, for example, human faceson photographs. When it comes to hiddendrivers’ detection, we have to face a similarchallenge – to localize memory fragments with



anomalous entropy values, which correspond tothe executable code (Cortesi, 2012; Kohli,Lempitsky, & Barinova, 2015).

The Zipf–Mandelbrot law is used to checkthe self-organization, correctness, andsystematicity of literary works. The executablecode has similar properties, which is why wewill use this law to evaluate the code and datain the memory.

To realize the second idea about applyingdisassembling, we will use the Capstone andBeaEngine, which are the open source librariesto disassembly both 32 and 64 bits code(Nguyen, 2014).

Analysis of frequency of assemblerinstructions includes preliminary and detectionphases. In the preliminary phase, we willcalculate the threshold frequency ofinstructions from memory fragments, whichinclude only the executable code and only thedata. In the detection phase, we will calculatefrequency instructions from each memoryfragment and compare their frequency withthreshold values. Evaluation of logic will bemade by checking that the result of theinstructions execution does not overwrite thepreviously achieved results. The design andanalysis of control flow graph will beperformed using Interactive Disassembler IDA(Blunden, 2012). A similar idea ofdisassembling the part of the code is utilized inVolatility’s driverirp plugin with ‘--verbose’flag to reveal TDL3 infection. TDL3 uses theStealth Hooks technique and Redirector Stubsto hide the fact of hooking functions (Ligh,Case, Levy, & Walters 2014i).

We will consider the following twolimitations of this research:

1. Analysis of the memory content will begiven only for 32-bit and 64-bitWindows 7 OS, as the most popularOS, without analysis of Unix-based OS,such as Mac OS, Linux and mobile OS.

2. We will consider the executablesamples, which do not applyobfuscation and polymorphismtechniques.

However, such analysis requires significantcomputing capabilities from the analysts’workspace, for example, rootkit detectionsystem MASHKA spends about half hour tocheck memory dump, which is far too long andhence not applicable in practice.

To speed-up the analysis, we proposed anidea based on the use of modern video orgraphics cards. To do this we will present anidea of accelerating memory analysis using theCUDA library and NVIDIA graphics card.

GPU ACCELERATEDSIGNATURE-BASEDMEMORY DUMP

ANALYSISNowadays modern workstations, laptops,notebooks, and even tablets are equipped withone or several GPU components. Besidesgaming opportunities, such components offergeneral high-performance parallel computingpossibilities for a long time. For memory dumpanalysis, it is important that such devices cantransfer CPU load to GPU, and also are verysuitable for signature-based and statisticalanalysis. Obtaining memory dump on modernworkstations is a separate CPU-intensive task,thus permanent analysis is barely possible butperiodic continual dumping is a realisticscenario. Such time-based periodic dumpingand analysis can dramatically load CPU andmay be inappropriate during simultaneousregular work.

This paper offers a statistical confidence-estimation of hidden malware and severalalgorithms to form a criterion of significancefor memory dump segments. Most of thementioned algorithms may be efficiently run in



parallel due to inner data parallelism. As aresult, most of the analysis may be effectivelytransferred to GPU, dramatically diminishingthe CPU-load during processing. This sectionalso describes the principles of fine-grainedalgorithm splitting to run memory dumpanalysis effectively on hybrid CPU/GPU awarearchitectures.

The reason we need to develop anappropriate GPU kernel based code for CUDAaware GPUs is the internal highly localizedcohesion between memory dump data segmentsand applicable statistical algorithms. Suchcohesion makes memory dump analysis veryclose to classical box filtering and convolutionfilters run on GPU. Both of them have goodand effective implementations for CUDA awareGPUs and also show very high scalability andperformance. Memory throughput is no longerpossible because of a bottleneck, due toextensive data transfer between host based andGPU-based memories. As a part of the newlyannounced “Boltzmann Initiative,” AMDpresents the Heterogeneous-computer Interfacefor Portability (HIP) tool. New heterogeneoussystem architecture will allow us toautomatically convert CUDA code by HIP andexpand the possible hardware base available torun what was formerly an exclusively CUDA-based application (Silcott, & Swinimer, 2015).So nowadays, CUDA may be the best choice tomeet current and future requirements forconsumer and enterprise-based hardware fromboth vendors.

This approach further involvesdifferentiating memory dump analysisalgorithms based on different memory-accessprofiles during processing. Two main profilesare easily discovered: local signature-baseddetection and memory lookups to resolvevirtual to physical memory layouts (Korkin, &Nesterov, 2014).

Local signature-based detection is the mostappropriate for running on GPU; memory

model and kernel execution principles are bestsuited for running such analysis. CUDA boxfiltering and convolution-based examplesbundled with the CUDA toolkit are optimalstarting points, and such processing iseffectively done to boost filtering and analysisperformance.

To utilize multiple available GPU, thereare two ways to handle them either asindependent devices or alternatively as a singleone through a unified memory model usingmodern CUDA improvements. Starting withCUDA 4 unified virtual addressing issupported, and this provides a single virtualmemory address space for all the memoryavailable in the system. Memory addressingand management enables pointers to beaccessed from the GPU code no matter wherein the system they reside, whether in devicememory (on the same or a different GPU),host memory, or on-chip shared memory.Latter improvements to overcome PCI-Express’s low bandwidth and high latency areavailable since CUDA 6 platform. This bringsout managed memory, which is accessible toboth the CPU and GPU by using a singlepointer. The key of the improvement is thatthe system automatically migrates dataallocated in unified memory between the hostand device so that it looks like CPU memoryto code running on the CPU, and like GPUmemory to code running on the GPU.

Despite the above mentioned advances, itis a complicated task to utilize suchfunctionality when non-uniform GPUs areinstalled and so hand-coded algorithm splittingmust be done to avoid non-local memoryaddressing. To counter this, another approachwas developed with high-grained algorithmsplitting based on memory-access patternsduring signature-based detection.

Hybrid CPU/GPUArchitecture Requirements



Software architecture for signature-baseddetection must allow effective, highly-scalableand accelerated memory dumps analysis.Memory datasets may be accessed throughinterposes- communication with dumpingroutines or inner communication throughshared-thread storage. Another source of bulkdatasets may be from some SOCKET-based

network layer where datasets from differentnodes are aggregated and analyzed. As a partof the research, such a SOCKED-based layerwas developed to further allow research andinvestigation into building trusted networkswith secure runtime memory dump analysisand incident systems.

A signature-based threaded-detectionsystem must:

Effectively run on nodes with singleor multiple GPUs, on multicore andmultiprocessor systems;

Allow different GPU memorylayouts and data handling strategiesto allow benchmarking and work ondifferent GPU architectures;

Meet CPU counterpartimplementations;

Do benchmarking and algorithmvariations for different global,texture, constant, and shared

memory available resources anddata arrangement;

Minimize thread divergence, wherethreads of the same wrap branch todifferent sections of code.

Confirm single instruction multiplethread manner and prevent GPUscheduler from allocating extraexecution slices to possiblebranches;

Ensure coalesced memory access bywrapping branches.

The goal to promote a network-awaresoftware platform to memory dump analysisnaturally leads on to the development of

Figure 3. Architecture of a network-aware software platform for memory dump analysis

replies

RDBMS Cluster

Network client node

Message broker RDBMS Master

Instance

CPU processing units

requests

Monitoring and

logging components

RDBMS Hot Standby

node

GPU Processing units

«flow»

«flow»

Write

channel

Read

channel

PUB/SUB

subscription

«flow»

«flow»

Async

replication



scalable tool and architecture to be able tosimultaneously perform statistical-processingand provide analytics. The main architectureprinciple lies in modular and an extensibleobject-oriented pipelined framework to allowparallel code execution on shared memorymulti-processor platforms. A reliable networkaware software platform consists of a dedicatedmessage broker and dedicated RDBMS clusterto register network connections and analysisrequests, as shown in Figure 3.

Overview ofNetwork-awareArchitecture

A server-side component was also developed,which provides endpoints of communicationusing a socket network programming interface.Server-side components are responsible forhandling connections from the different nodes,which make requests to perform the forensicsanalysis of their memory dumps.

In its turn, an object-oriented pipelinedframework is responsible for promoting eventdemultiplexing and concurrent processing ofthe heterogeneous CPU/GPU architecture.The application starts a stream that presents aset of hierarchically-related analysis andreporting services. Network datademultiplexing and further asynchronousprocessing Reactor (Reactor pattern, n.d.) wasselected as the main programming pattern.This programming pattern makes a unifiedasynchronous event handling which isgenerated by a timer-driven callout queue, I/O

events received on communication ports,events from GPU kernels, and CPU-processingthreads, as shown in Figure 4.

Each processing step in the hierarchically-related analysis and reporting stream presentsa threading pool that makes parallel processingpossible. The thread-pool is configurable andresponsible for spawning, executing,synchronizing, and gracefully terminatingmanaged threads and data flow through theprocessing stream. Initial benchmarking is doneto adjust the different task decompositionpolicies to permit parallel processing on GPUand CPU resources with different computingcapabilities and performances.

Overview of PipelinedProcessing Workflow.Further

DevelopmentNetwork-aware software platforms for memorydump analysis may be an essential componentfor Intrusion Detection Systems (IDS). Suchcomponents may reside on dedicated high-performance hardware or virtualized platforms.High-performance tools that can utilizeavailable multicore CPU and multiple GPUare required. Such tools process highly-sensitive data and further research anddevelopment must be done to assure securityand confidence. Digital signing and correctidentification, authentication and authorizationschemes must be provided, and there is also aneed for mechanisms for integration with thelatest directory services.



CONCLUSIONS &FUTURE WORK

1. Detection of zero-day malware is awell-known and current centralchallenge in cyber-security. Thisanalysis shows that existing detectionapproaches are susceptible to rootkitswhich apply a variety of differentcountermeasures.

2. To create the most difficult casescenario for detection, we propose adriver prototype based on existing anti-

forensic techniques and their possibleupgrades. To find such a driver, wepropose various improvements onstatistically-based detection.

3. We proposed an idea of using thefacilities of both GPU and CPU tospeed up memory analysis.

The Idea of a DynamicMemory Map

Another idea of rootkit detection is theDynamic Memory Map tool. This tool will helpto visualize memory content of virtual or

Figure 4. Architecture of Parallel Processing on GPU and CPU resources

Shared key-value storage

of memory dump statistic

Local memory lookups and

processing on GPU

Nonlocal memory lookups

and algorithms on CPU

GPU Thread

pool

CPU Thread

pool

Task decomposition

Networking layer

Task analytics (data

consolidation and reporting)

«flow»

«use»

«flow»

«use»

«use»

«use»



physical addresses with multicoloredrectangles, corresponding to different driversand kernel services, as well as a user-modeprocess. If we have found a memory fragmentwith an executable code which is not registeredin the OS, it will mean that our OS has beeninfected and this executable code has to besubject to an additional inspection. This toolwill have two modes of operating: as an on-airmap and a logger of all memory accessesto/from the chosen memory scope. Using IntelVT-x with Extended Page Tables (EPT)technology we will be able to achieveportability for all new Intel CPUs, reducesignificant performance losses and make thistool resilient to common OS-based anti-forensictechniques. A collaboration with SatoshiTanda (2015) has suggested a preliminaryimplementation of such a tool and early resultslook promising. These results will be presentedat the REcon conference 2016 in the paper“Monitoring & controlling kernel-mode eventsby HyperPlatform.”

Applying Virtual Reality(VR) Headset to DigitalForensics Applications

Modern technologies present new devices forhead-mounted display (HMD) system: VirtualReality (VR) headset or VR gear, which areextremely popular nowadays. These deviceshave the following advantages:

Comfortable for eyes, “it's likewatching a 130-inch televisionscreen from 10 feet away”;

Cheap, “Google Cardboard headsetsare built out of simple, low-costcomponents”;

VR useful in a wider variety ofroles, not only for gaming.

We propose an idea to use theopportunities of VR headset in an incidentresponse during the analysis of various system

logs and memory dumps. In addition, VRheadsets can be used to analyze the control-flow-graph of disassembled code duringreverse-engineering process. New 3D view fromVR headset, instead of existing 2D picturefrom desktop PC could speed-up analysis andmake it more convincing.

ACKNOWLEDGEMENTSWe would like to thank Andrey Chechulin,Ph.D research fellow of Laboratory ofComputer Security Problems (Scientificadvisor – Prof. Igor Kotenko) of the St.Petersburg Institute for Informatics andAutomation of the Russian Academy ofScience (SPIIRAS) for his insightful commentsand feedback which helped us to substantiallyimprove the quality of the paper.

We would like to thank SamanthaGonzalez from Miami High School, Florida, USand Sarah Wilson teacher of English, Kenosha,Wisconsin, US for their time and effort inchecking a preliminary version of this paper.

We would also like to thank Ben Stein,teacher of English, Kings Education, London,UK for his invaluable corrections of the paper.



REFERENCES

Alshahwan, N., Barr, E.E., Clark, D., &Danezis, D. (2015). Detecting Malwarewith Information Complexity. [arXivpreprint]. Retrieved on December 8, 2015,from http://arxiv.org/pdf/1502.07661.pdf

Aronov, I. (2015). An Example of CommonString and Payload ObfuscationTechniques in Malware. SecurityIntelligence. Retrieved on December 8,2015, fromhttps://securityintelligence.com/an-example-of-common-string-and-payload-obfuscation-techniques-in-malware/

Arora, R., Singh, A., Pareek, H., & Edara,U.R. (2013). A Heuristics-based StaticAnalysis Approach for Detecting PackedPE Binaries. International Journal ofSecurity and Its Applications. 7(5). 257-268. Retrieved on December 8, 2015, fromhttp://www.sersc.org/journals/IJSIA/vol7_no5_2013/24.pdfhttp://dx.doi.org/10.14257/ijsia.2013.7.5.24

Bat-Erdene, M., Kim, T., Li, H., & Lee, H.(2013). Dynamic Classification of PackingAlgorithms for Inspecting Executablesusing Entropy Analysis. Proceedings of the8th International Conference Malicious andUnwanted Software: "The Americas"(MALWARE). Fajardo, PR.http://dx.doi.org/10.1109/MALWARE.2013.6703681

Binwalk. (2015). Firmware Analysis Tool.Retrieved on December 8, 2015, fromhttp://binwalk.org/

Blunden, B. (2009). The Rootkit Arsenal:Escape and Evasion in the Dark Corners of

the System. 1st edition. Jones & BartlettLearning.

Blunden, B. (2012). The Rootkit Arsenal:Escape and Evasion in the Dark Corners ofthe System. 2nd edition. Burlington, MA:Jones & Bartlett Publishers.

Brown, W. (2009). Building and Using anAutomated Malware Analysis PipelineTools, Techniques, and Mindset.Proceedings of the Hack in The BoxSecurity Conference (HITB), Malaysia.Retrieved on December 8, 2015, fromhttp://conference.hitb.org/hitbsecconf2009kl/materials/D2T3%20-%20Wes%20Brown%20-%20Building%20and%20Using%20an%20Automated%20Malware%20Analysis%20Pipeline.pdf

Calvet, J. (2012). Cryptographic FunctionIdentification in Obfuscated BinaryPrograms. Proceedings of the RECon.Montreal, Canada. Retrieved on December8, 2015, fromhttp://recon.cx/2012/schedule/attachments/46_Joan_CryptographicFunctionIdentification.pdf

Chen, L. (2008). Zion system DKOM driverkernel. Microsoft Corporation. Retrieved onDecember 8, 2015, fromhttp://blogs.technet.com/cfs-filesystemfile.ashx/__key/telligent-evolution-components-attachments/01-6336-00-00-03-07-17-55/Zion.zip

Chen, R. (2004). The history of callingconventions, part 3. MSDN. Retrieved onDecember 8, 2015, from



https://blogs.msdn.microsoft.com/oldnewthing/20040108-00/?p=41163/

Choi, Y., Kim, I., Oh, J., & Ryou, J. (2009).Encoded Executable File DetectionTechnique via Executable File HeaderAnalysis. International Journal of HybridInformation Technology. 2(2). Retrieved onDecember 8, 2015, fromhttp://www.sersc.org/journals/IJHIT/vol2_no2_2009/3.pdf

Ch40zz. (2015). PspCidTable and Patchguardon x64. Rohitab. Retrievedfrom http://www.rohitab.com/discuss/topic/41909-pspcidtable-and-patchguard-on-x64/?p=10101659

Clark, B. (2014). Unlinking Windows Servicesfrom the Service Record List. Retrieved onDecember 8, 2015, fromhttp://speakingofcyber.blogspot.ru/2014/08/unlinking-windows-services-from-service.html

Cohen, M. (2014).Pooltags for commonobjects. Rekall Memory ForensicsRetrieved on December 8, 2015, fromhttp://www.rekall-forensic.com/epydocs/rekall-module.html

Conti, G., Bratus, S., Shubina, A., Sangster,B., Ragsdale, R., Supan, M., Lichtenberg,A.. & Perez-Alemany, R. (2010).Automated Mapping of Large BinaryObjects Using Primitive Fragment TypeClassification. The International Journal ofDigital Forensics & Incident Response.Volume 7. Pages S3-S12. Elsevier SciencePublishers. Amsterdam, The Netherlands.

Cortesi, A. (2012) Visualizing Entropy inBinary Files. Retrieved on December 8,2015, fromhttp://corte.si/posts/visualisation/entropy/index.html

Cortesi, A. (2015a). A Browser-based Tool forVisualizing Binary Data. Retrieved on

December 8, 2015, fromhttp://binvis.io/#/

Cortesi, A. (2015b). BinVis tool download.Retrieved on December 8, 2015, fromhttp://www.rumint.org/gregconti/publications/binviz_0.zip

Dang, B., Gazet, A., Bachaalany, E., & Josse,S. (2014). Practical Reverse Engineering:x86, x64, ARM, Windows Kernel,Reversing Tools, and Obfuscation.Indianapolis, IN, USA: John Wiley & Sons,1 edition, 384 p.

Devi, D., & Nandi, S. (2012). PE File Featuresin Detection of Packed Executables.International Journal of Computer Theoryand Engineering. (4)3. Retrieved onDecember 8, 2015, fromhttp://www.ijcte.org/papers/512-S10014.pdf

Ding, Y., Dai, W., Yan, S., & Zhang, Y.(2014). Control Flow-based OpcodeBehavior Analysis for Malware Detection.Computers & Security. Volume 44. 65–74.http://dx.doi.org/10.1016/j.cose.2014.04.003

Dingbaum, S. (2016). Audit Of NRC’SNetwork Security Operations Center.United States Nuclear RegulatoryCommission. Reference # OIG-16-A-07.Retrievedfrom http://pbadupws.nrc.gov/docs/ML1601/ML16011A319.pdf

Dorfman, A. (2014). FRODO: FormatReverser of Data Objects. Proceedings ofthe Hack In The Box Security Conference(HITB), Amsterdam, Netherlands.Retrieved on December 8, 2015, fromhttp://bofh.nikhef.nl/events/HitB/hitb-2014-amsterdam/praatjes/D2T3-Format-Reverser-of-Data-Objects.pdf

Eagle, C. (2011). The IDA Pro Book: TheUnofficial Guide to the World's Most



Popular Disassembler. No Starch Press.2nd Edition. 672p.

Emil's Projects. (2010). Tiny C ScramblingCompiler. OpenHardware & OpenSource.Retrieved on December 8, 2015, fromhttp://uglyduck.ath.cx/ep/archive/2010/04/Tiny_C_Scrambling_Compiler.html

Farrukh, S., & Muddassar, F. (2012). ELF-Miner: Using Structural Knowledge andData Mining Methods To Detect New(Linux) Malicious Executables. Knowledgeand Information Systems. 30 (3), 589-612Springer-Verlag New York, NY, USAhttp://dx.doi.org/10.1007/s10115-011-0393-5

Gilbert, В. (2015). ISIS Planning MajorCyberattacks Against Airlines, HospitalsAnd Nuclear Power Plants. InternationalBusiness Times. Retrievedfrom http://www.ibtimes.com/isis-planning-major-cyberattacks-against-airlines-hospitals-nuclear-power-plants-2187567

Ghezelbigloo, Z., & VafaeiJahan, M. (2014).Role-opcode vs. Opcode: the New methodin Computer Malware Detection.International Congress on Technology,Communication and Knowledge (ICTCK).1-6. Mashhad. Iran.http://dx.doi.org/10.1109/ICTCK.2014.7033534

Hall, G.A., & Davis, W.P. (2006). SlidingWindow Measurement for File TypeIdentification. Technical report, ComputerForensics and Intrusion Analysis Group,ManTech. Security and Mission Assurance,Rexas

Haukli, L. (2014). Exposing Bootkits withBIOS Emulation. Black Hat USA.Retrieved on December 8, 2015, fromhttps://www.blackhat.com/docs/us-

14/materials/us-14-Haukli-Exposing-Bootkits-With-BIOS-Emulation.pdf

hfiref0x. (2016). Driver loader for bypassingWindows x64 Driver SignatureEnforcement. GitHub. Retrievedfrom https://github.com/hfiref0x/TDL

Hoglund, G., & Butler, J. (2005). DirectKernel Object Manipulation. Rootkits:Subverting the Windows Kernel. 169-212.Addison-Wesley Professional.

Iwamoto, K., & Wasaki, K. (2014). A Methodfor Shellcode Extraction from MaliciousDocument Files Using Entropy andEmulation. IACSIT International Journalof Engineering and Technology. (8)2. 101-106. Singapore,http://dx.doi.org/10.7763/IJET.2016.V8.866

Jakobsson, M., & Ramzan, Z. (2008). DirectKernel Object Manipulation. Crimeware:Understanding New Attacks and Defenses.1st edition. 253-254. Addison-WesleyProfessional.

Jason, A. (2012). Ghost in the Shell: ACounter-intelligence Method for Spyingwhile Hiding in (or from) the Kernel withAPCs. Thesis. Queen’s University.Kingston, Ontario, Canada. Retrieved onDecember 8, 2015, fromhttps://qspace.library.queensu.ca/bitstream/1974/7605/1/Alexander_Jason_S_201210_MSC.pdf

Jeff, J. (2015). Cyberattack on US PowerPlants Could Cause $1T in EconomicDamage. Green Technology. Retrievedfrom http://www.greentechmedia.com/articles/read/cyber-attack-on-u.s.-power-plants-could-cause-1t-in-economic-damage

Jochheim, B. (2012). On the AutomaticDetection of Embedded Malicious BinaryCode using Signal Processing Techniques.Project Report. Retrieved on December 8,



2015, from http://inet.cpt.haw-hamburg.de/teaching/ss-2012/master-projects/benjamin_jochheim_pr1.pdf

Jochheim, B. (2012, October 17). On theAutomatic Detection of EmbeddedMalicious Binary Code using SignalProcessing Techniques. Project Report.Retrieved on December 8, 2015, fromhttps://inet.cpt.haw-hamburg.de/teaching/ss-2012/master-projects/benjamin_jochheim_pr1.pdf

Jochheim, B., Schmidt, T.C., & Wahlisch, M.(2011). A Signature-free Approach toMalicious Code Detection by ApplyingEntropy Analysis to Network Streams.Project SKIMS. Retrieved on December 8,2015, fromhttps://tnc2011.terena.org/getfile/489

Kaspersky Lab. (2015, June 11). The Duqu 2.0Technical Details. Retrieved on December8, 2015, fromhttps://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf

Kaspersky Lab's Global Research & AnalysisTeam. (2013, January 14). “Red October”Diplomatic Cyber Attacks Investigation.Retrieved on December 8, 2015, fromhttps://securelist.com/analysis/publications/36740/red-october-diplomatic-cyber-attacks-investigation/

Kaspersky, E. (2015, June 10). Kaspersky Labinvestigates hacker attack on its ownnetwork. Retrieved on December 8, 2015,fromhttps://blog.kaspersky.com/kaspersky-statement-duqu-attack/8997/

KernelMode.info. (2012). [Kernel] Unloadedmodules list. Forum discussion. Retrievedon December 8, 2015, fromhttp://www.kernelmode.info/forum/viewtopic.php?t=1549

Kohli, P., Lempitsky, V., & Barinova. O.(2015). Detecting and Localizing MultipleObjects in Images Using ProbabilisticInference, U.S. Patent No. US8953888 B2.Washington, DC: U.S. Patent andTrademark Office.

Korkin, I., & Nesterov I. (2014, May 28-29).Applying Memory Forensics to RootkitDetection. Paper presented at theProceedings of the 9th annual Conferenceon Digital Forensics, Security and Law(CDFSL), 115-141, Richmond, VA, USA.

Korkin, I. (2012). Windows 8 is Cyber-Battlefield. Retrieved on December 8, 2015,fromhttp://www.igorkorkin.blogspot.ru/2012/09/windows-8-is-cyber-battlefield.html

Ladakis, E., Koromilas, L., Vasiliadis, G.,Polychronakis, M., & Ioannidis, S.(2013).You Can Type, but You Can’t Hide:A Stealthy GPU-based Keylogger.Proceedings of the 6th European Workshopon System Security (EuroSec). Prague,Czech Republic. Retrieved on December 8,2015, fromhttp://www.cs.columbia.edu/~mikepo/papers/gpukeylogger.eurosec13.pdf

Ligh MH., Case, A., Levy, J., & Walters, A.(2014a). Detecting Orphan Threads. TheArt of Memory Forensics: Detectingmalware and threats in Windows, Linux,and Mac memory. 379-380. 1st edition.Wiley. Indianapolis, IN, USA.

Ligh MH., Case, A., Levy, J., & Walters, A.(2014b). Recently Unloaded Modules. TheArt of Memory Forensics: Detectingmalware and threats in Windows, Linux,and Mac Memory. 374-375. 1st edition.Wiley. Indianapolis, IN, USA.

Ligh MH., Case, A., Levy, J., & Walters, A.(2014c). Windows Services. The Art ofMemory Forensics: Detecting malware and



threats in Windows, Linux, and MacMemory. 343-366. 1st edition. Wiley.Indianapolis, IN, USA.

Ligh MH., Case, A., Levy, J., & Walters, A.(2014d). Revealing Hidden Services. TheArt of Memory Forensics: Detectingmalware and threats in Windows, Linux,and Mac Memory. 362-366. 1st edition.Wiley. Indianapolis, IN, USA.

Ligh MH., Case, A., Levy, J., & Walters, A.(2014e). Revealing Hidden Services. TheArt of Memory Forensics: Detectingmalware and threats in Windows, Linux,and Mac memory. 362-366. 1st edition.Wiley. Indianapolis, IN, USA.

Ligh MH., Case, A., Levy, J., & Walters, A.(2014f). Scanning Memory. The Art ofMemory Forensics: Detecting malware andthreats in Windows, Linux, and MacMemory. 351-352. 1st edition. Wiley.Indianapolis, IN, USA.

Ligh MH., Case, A., Levy, J., & Walters, A.(2014g). Volatility’s SvcScan Plugin. TheArt of Memory Forensics: Detectingmalware and threats in Windows, Linux,and Mac Memory. 352-353. 1st edition.Wiley. Indianapolis, IN, USA.

Ligh MH., Case, A., Levy, J., & Walters, A.(2014h). Revealing Hidden Services. TheArt of Memory Forensics: Detectingmalware and threats in Windows, Linux,and Mac Memory. 362-366. 1st edition.Wiley. Indianapolis, IN, USA.

Ligh MH., Case, A., Levy, J., & Walters, A.(2014i). Stealthy Hooks. The Art ofMemory Forensics: Detecting malware andthreats in Windows, Linux, and MacMemory. 384-386. 1st edition. Wiley.Indianapolis, IN, USA.

Ligh, MH. (2015a). PlugX: The MemoryForensics Lifecycle. Retrieved on December8, 2015, from

https://prezi.com/6ruvzpnpp-8y/plugx-the-memory-forensics-lifecycle/

Ligh, MH.. (2015b). ScInitDatabase signature.Retrieved on December 8, 2015, fromhttps://github.com/volatilityfoundation/volatility/blob/master/volatility/plugins/malware/servicediff.py

Ligh, MH.., Adair, S., Hartstein, B., &Richard, M. (2010). The Case of Blazgel.Malware Analyst's Cookbook and DVD:Tools and Techniques for FightingMalicious Code. 664-669. 1st edition.Wiley.

Ligh, MH. (2011). Investigating WindowsThreads with Volatility. MNIN SecurityBlog. Retrieved on December 8, 2015, fromhttp://mnin.blogspot.ru/2011/04/investigating-windows-threads-with.html

Ligh, MH., Case, A., Levy, J., & Walters, A.(2014, July 28). The Art of MemoryForensics: Detecting Malware and Threatsin Windows, Linux, and Mac Memory. 1stedition. 912 pp. Wiley Publishing.

Linchpin Labs (2010). ATSIV utility.Retrieved on December 8, 2015, fromhttp://www.linchpinlabs.com

Louboutin, C. (2010). Service Hiding.Retrieved on December 8, 2015, fromhttp://club.1688.com/article/12193937.htm

Lupi, V. (2011). How to Write a Good Rootkit:a Different Approach. Hakin9 ExtraMagazine, English Edition. 06. 18-21.Retrieved on December 8, 2015, fromhttp://codelaughs.blogspot.it/2011/11/how-to-write-good-rootkit-different.html

Lyda, R., & Hamrock, J. (2007). UsingEntropy Analysis to Find Encrypted andPacked Malware. Journal IEEE Securityand Privacy. 5(2). 40-45. Piscataway, NJ,USA.http://dx.doi.org/10.1109/MSP.2007.48



Maartmann-Moe, C. (2008). Forensic KeyDiscovery and Identification. Master ofScience in Communication Technology.Norwegian University of Science andTechnology. Retrieved on December 8,2015, from http://www.diva-portal.org/smash/get/diva2:347635/FULLTEXT01.pdf

Marcos, M. (2014). Without a Trace: FilelessMalware Spotted in the Wild. TrendMicro. Security Intelligence Blog. Retrievedon December 8, 2015, fromhttp://blog.trendmicro.com/trendlabs-security-intelligence/without-a-trace-fileless-malware-spotted-in-the-wild/

Mask, A. (2011). Service Hiding. Retrieved onDecember 8, 2015, fromhttp://maskattached.blogspot.ru/2011/04/service-hiding.html

Matrosov, A., Rodionov, E., & Bratus, S.(2016). Rootkits and Bootkits. ReversingModern Malware and Next GenerationThreats. ISBN: 978-1-59327-716-1. 304 pp.No Starch Press.

Matveeva, V., & Epishkina, A. (2015).Searching for Random Data in File SystemDuring Forensic Expertise. Biosciences,Biotechnology Research Asia, BBRA.12(1). 745-752.http://dx.doi.org/10.13005/bbra/1720

Matveeva, V. (2014). Information Entropy andIts Application for Information SecurityTasks. Security of InformationTechnologies, Issue #4, ISSN 2074-7128,30-36.

McAfee Labs. (2015a). Threats Report.Retrieved on December 8, 2015, fromhttp://www.mcafee.com/us/resources/reports/rp-quarterly-threat-q1-2015.pdf

McAfee Labs. (2015b). 2016 ThreatsPredictions report. Retrieved on December8, 2015, from

http://www.mcafee.com/us/resources/reports/rp-threats-predictions-2016.pdf

Merkel, R., Hoppe, T., Kraetzer, C., &Dittmann, J. (2010). Statistical Detectionof Malicious PE-Executables for FastOffline Analysis. Proceedings ofCommunications and Multimedia Security.93-105. Linz. Austria.http://dx.doi.org/10.1007/978-3-642-13241-4_10

Microsoft. (n.d.-a). File sysload.c. WindowsResearch Kernel Source Code. Retrieved onDecember 8, 2015, fromhttp://gate.upm.ro/os/LABs/Windows_OS_Internals_Curriculum_Resource_Kit-ACADEMIC/WindowsResearchKernel-WRK/WRK-v1.2/base/ntos/mm/sysload.c

Microsoft. (n.d.-b). File mm.h. WindowsResearch Kernel Source Code. Retrieved onDecember 8, 2015, fromhttp://gate.upm.ro/os/LABs/Windows_OS_Internals_Curriculum_Resource_Kit-ACADEMIC/WindowsResearchKernel-WRK/WRK-v1.2/base/ntos/inc/mm.h

Microsoft. (n.d.-c). CurrentControlSet\ServicesSubkey Entries.https://support.microsoft.com/en-us/kb/103000

Microsoft. (n.d.-d). Filewindows_nt_4_source_code_IK\nt4\private\windows\screg\sc\server\dataman.c.Windows NT 4.0 Full Free Source Code.Retrieved on December 8, 2015, fromhttp://igorkorkin.blogspot.ru/2013/09/windows-nt-40-full-free-source-code-912_16.html

Microsoft. (n.d.-e). Filewindows_nt_4_source_code_IK\nt4\private\ntos\dd\kbdclass\kbdclass.h.Windows NT 4.0 Full Free Source Code.Retrieved on December 8, 2015, fromhttp://igorkorkin.blogspot.ru/2013/09/win



dows-nt-40-full-free-source-code-912_16.html

Microsoft. (n.d.-f). Filewindows_nt_4_source_code_IK\nt4\private\ntos\dd\i8042prt\i8042prt.h. WindowsNT 4.0 Full Free Source Code. Retrievedon December 8, 2015, fromhttp://igorkorkin.blogspot.ru/2013/09/windows-nt-40-full-free-source-code-912_16.html

MidnightCowboy (2015, May 25). Best FreeRootkit Scanner and Remover. Retrievedon December 8, 2015, fromhttp://www.techsupportalert.com/best-free-rootkit-scanner-remover.htm

Milkovic, L. (2012). DriverHider. DementiaProject. Retrieved on December 8, 2015,from http://dementia-forensics.googlecode.com/svn/trunk/DementiaKM/DriverHider.cpp

MJ0011. (2009). Analysis OS and DetectionRootkit Outside the VMWare. Retrievedon December 8, 2015, fromhttp://powerofcommunity.net/poc2009/mj.pdf

MSDN. (n.d.-a). NtQueryDirectoryObjectfunction. Retrieved on December 8, 2015,from https://msdn.microsoft.com/en-us/library/bb470238(v=vs.85).aspx

MSDN. (n.d.-b).IDebugDataSpaces::ReadDebuggerDatamethod. Retrieved on December 8, 2015,from https://msdn.microsoft.com/en-us/library/windows/hardware/ff553536(v=vs.85).aspx

MSDN. (n.d.-c). EnumServicesStatus function.Retrieved on December 8, 2015, fromhttps://msdn.microsoft.com/en-us/library/windows/desktop/ms682637(v=vs.85).aspx

MSDN. (n.d.-d). Introduction to Registry Keysfor Drivers. Retrieved on December 8,2015, from https://msdn.microsoft.com/en-us/library/windows/hardware/ff544262(v=vs.85).aspx

Musavi, S.A., & Kharrazi, M. (2014). Back toStatic Analysis for Kernel-Level RootkitDetection. IEEE Transactions onInformation Forensics and Security. (9)9.1465-1476.http://dx.doi.org/10.1109/TIFS.2014.2337256

Nataraja, L., Jacobb, G., & Manjunatha, B.S.(2010). Detecting Packed Executablesbased on Raw Binary Data. TechnicalReport. Retrieved on December 8, 2015,fromhttps://vision.ece.ucsb.edu/sites/vision.ece.ucsb.edu/files/publications/packed-unpacked-tech-report.pdf

Nath, H.V., & Mehtre, B.M. (2014, March13-14). Static Malware Analysis UsingMachine Learning Methods. Recent Trendsin Computer Networks and DistributedSystems Security. Proceedings of theSecond International Conference, SNDS2014, Trivandrum, India. 440-450.http://dx.doi.org/10.1007/978-3-642-54525-2_39

Nguyen, A. (2014, August 7). Capstone: Next-Gen Disassembly Framework. BlackhatUSA. Retrieved on December 8, 2015, fromhttp://capstone-engine.org/BHUSA2014-capstone.pdf

Nguyen, K., Tran, D., Ma, W., & Sharma, D.(August 19-21, 2014). An Approach toDetect Network Attacks Applied forNetwork Forensics. 11th InternationalConference on Fuzzy Systems andKnowledge Discovery (FSKD). 655-660.Xiamen, China.http://dx.doi.org/10.1109/FSKD.2014.6980912



NTInfo. (2014). Entropy and the distinctivesigns of packed PE files. Retrieved onDecember 8, 2015, fromhttp://n10info.blogspot.ru/2014/06/entropy-and-distinctive-signs-of-packed.html

OSR Online. (1997). Using the NT Registry forDriver Install. Retrieved on December 8,2015, fromhttps://www.osronline.com/article.cfm?id=170

Paganini, P. (2015, August 28). Symantecdiscovered 49 New Modules of the Reginespionage platform. Retrieved on December8, 2015, fromhttp://securityaffairs.co/wordpress/39647/cyber-crime/symantec-49-new-regin-modules.html

Paganini, P. (June 17, 2015). Duqu 2.0: TheMost Sophisticated Malware Ever Seen.Retrieved on December 8, 2015, fromhttp://resources.infosecinstitute.com/duqu-2-0-the-most-sophisticated-malware-ever-seen

Pareek, H., Eswari, P. R. L., & Babu S.C.(2013). Entropy and n-gram Analysis ofMalicious PDF Documents. InternationalJournal of Engineering. 2(2). Retrieved onDecember 8, 2015, fromhttps://www.researchgate.net/publication/235974671_Entropy_and_n-gram_analysis_of_malicious_PDF_documents

Pedrero, X.-U., Santos, I., Sanz. B., Laorden,C., & Bringas P.-G. (2012, January 14-17).Countering Entropy Measure Attacks onPacked Software Detection. Proceedings ofthe 9th IEEE Consumer Communicationsand Networking Conference (CCNC2012),Las Vegas, NV, USA.http://dx.doi.org/10.1109/CCNC.2012.6181079

Pistelli, D. (n.d.). AntiMida 1.0. Retrieved onDecember 8, 2015, fromhttp://www.ntcore.com/files/antimida_1.0.htm

Probert, D. (2004). Windows Kernel InternalsObject Manager & LPC. Retrieved onDecember 8, 2015, from http://i-web.i.u-tokyo.ac.jp/edu/training/ss/msprojects/data/04-ObjectManagerLPC.ppt

Qark. (n.d.). Windows Executable Infection.VX Heaven. Retrieved on December 8,2015, fromhttp://vxheaven.org/lib/static/vdat/tuvd0004.htm

Ragan, S. (2016). Israel's electric grid targetedby malware, energy minister says. CSOOnline. Retrieved fromhttp://www.csoonline.com/article/3026604/security/israels-electric-grid-targeted-by-malware-energy-minister-says.html

Reactor pattern. (n.d.). In Wikipedia.Retrieved on December 8, 2015, fromhttps://en.wikipedia.org/wiki/Reactor_pattern

ReactOS. (n.d.).KBDHID_DEVICE_EXTENSION StructReference. Retrieved on December 8, 2015,fromhttp://doxygen.reactos.org/da/daa/structKBDHID__DEVICE__EXTENSION.html

Rhee, Y. (2009). Pool tag list. TechNet Blogs.Retrieved on December 8, 2015, fromhttp://blogs.technet.com/b/yongrhee/archive/2009/06/24/pool-tag-list.aspx

Russinovich, M., Solomon, D., & Ionescu, A.(2012). Windows Internals, Parts 1 and 2(Developer Reference). 6th edition.Microsoft Press.

Russinovich, M. (2011). Analyzing a StuxnetInfection with the Sysinternals Tools, Part



1. Microsoft TechNet. Retrieved onDecember 8, 2015, fromhttps://blogs.technet.microsoft.com/markrussinovich/2011/03/26/analyzing-a-stuxnet-infection-with-the-sysinternals-tools-part-1/

Saleh, M., Ratazzi E.P., & Xu S, (2014).Instructions-based Detection ofSophisticated Obfuscation and Packing.Proceedings of the 33rd Annual IEEEMilitary Communications Conference,MILCOM, 1-6, Baltimore, MD, USA.dx.doi.org/10.1109/MILCOM.2014.9

SANS Institute (2014). A Case Study of anIncident: A Day in the Life of an IR Team.Retrieved on December 8, 2015, fromhttp://computerforensicsblog.champlain.edu/wp-content/uploads/2014/06/APT-Attacks-Exposed-Network-Host-Memory-and-Malware-Analysis-Lee-Tilbury-Hagen-5-21-2014.pdf

SANS Institute (2015b). How to Parse aMemory Image with the VolatilityFramework. Sans Memory ForensicsPoster. Retrieved on December 8, 2015,from http://digital-forensics.sans.org/media/Poster-2015-Memory-Forensics2.pdf

SANS Institute. (2015a). Rise of anti-forensicstechniques requires response from digitalinvestigators [Press release]. Retrieved onDecember 8, 2015, fromhttps://www.sans.org/press/announcement/2015/09/07/1

Santos, I., Brezo, F., Nieves, J. K., Penya,Y.K., Sanz, B., Laorden, C., & Bringas,P.G. (2010). Idea: Opcode-sequence-basedMalware Detection. In Engineering SecureSoftware and Systems, SecondInternational Symposium, ESSoS, F.Massacci, D. S. Wallach, and N. Zannone,Eds., vol. 5965 of Lecture Notes inComputer Science, Springer, 35-43.

http://dx.doi.org/10.1007/978-3-642-11747-3_3. Retrieved on December 8, 2015, fromhttp://paginaspersonales.deusto.es/ypenya/publi/penya_ESSoS2010_Opcode-sequence-based%20Malware%20Detection.pdf

Santos, I., Brezo, F., Ugarte-Pedrero, X., &Bringas, P.G. (2013). Opcode Sequences asRepresentation of Executables for Data-mining-based Unknown Malware Detection.Information Sciences. 231. 64-82. ElsevierScience. New York, NY, USA.http://dx.doi.org/10.1016/j.ins.2011.08.020

Santos, I., Sanz, B., Laorden, C., Brezo, F., &Bringas, P.G. (2011). Opcode-sequence-based semi-supervised unknown malwaredetection. Proceedings of the 4thInternational Conference on ComputationalIntelligence in Security for InformationSystems, CISIS’11. 50-57. Berlin,Heidelberg. http://dx.doi.org/10.1007/978-3-642-21323-6_7

Santos, R. (2014). Poweliks: Malware Hides inWindows Registry. Trend Micro. SecurityIntelligence Blog. Retrieved on December8, 2015, fromhttp://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/

Schmidt, T., Wahlisch, M., & Groning, M.(2011, June 15-17). Context-adaptiveEntropy Analysis as a LightweightDetector of Zero-day Shellcode Intrusionfor Mobiles. Poster at The ACMConference on Wireless Network Security(WiSec). Hamburg, Germany.

Schuberth, T. (2014). Modern Threats andMalware and IT-Security’s Future.Retrieved on December 8, 2015, fromhttp://www.swisst.net/files/swisstnet/de/dokumente/Communication_Conference_2014/aktuelle_gefahren_und_die_zukunft_der_it_security.pdf



Schuster, A. (2006). Searching for processesand threads in Microsoft Windows memorydumps. Journal Digital Investigation: TheInternational Journal of Digital Forensics& Incident Response. 3, 10-16.http://dx.doi.org/10.1016/j.diin.2006.06.010

Seals, T. (2015, September 8). Anti-ForensicMalware Widens Cyber-Skills Gap.Retrieved on December 8, 2015, fromhttp://www.infosecurity-magazine.com/news/antiforensic-malware-widens

Shabtai, A., Moskovitch, R., Feher, C., Dolev,S., & Elovici, Y. (2012). DetectingUnknown Malicious Code by ApplyingClassification Techniques on OpCodePatterns. Security Informatics. 1(1).Retrieved on December 8, 2015, fromhttp://www.security-informatics.com/content/pdf/2190-8532-1-1.pdf

Siddiqui, M., Wang, M.C., & Lee., J. (2008).Data Mining Methods for MalwareDetection Using Instruction Sequences.Proceedings of the 26th IASTEDInternational Conference on ArtificialIntelligence and Applications, (AIA’08).358-363. Anaheim, CA, USA. ACTA Press.

Silcott, G., & Swinimer, J. (2015). AMDLaunches ‘Boltzmann Initiative’ toDramatically Reduce Barriers to GPUComputing on AMD FirePro Graphics.[Press Releases]. Retrieved on December 8,2015, from http://www.amd.com/en-us/press-releases/Pages/boltzmann-initiative-2015nov16.aspx

Singla, S., Gandotra, E., Bansal, D., & Sofat,S. (2015). A Novel Approach to MalwareDetection using Static Classification.International Journal of Computer Scienceand Information Security (IJCSIS). 13(3).Retrieved on December 8, 2015, from

https://www.academia.edu/11754857/A_Novel_Approach_to_Malware_Detection_using_Static_Classification

Stewin, P., & Bystrov, I. (2012).Understanding DMA Malware. Paperpresented at Proceedings of the 9thConference on Detection of Intrusions andMalware & Vulnerability Assessment.Heraklion, Crete, Greece. Retrieved onDecember 8, 2015, fromhttp://www.stewin.org/papers/dimvap15-stewin.pdf

Stuttard, D., Pinto, M., Ligh, M.H., Adair, S.,Hartstein, B., & Richard, M. (2014,January 28). Attack and Defend ComputerSecurity Set. 1st Edition. Wiley.

Suszter, A. (2014). Examining UnknownBinary Formats Retrieved on December 8,2015, fromhttp://reversingonwindows.blogspot.ru/2014/04/examining-unknown-binary-formats.html

Symantec. (2015, August 27). Regin: Top-tierespionage tool enables stealthy surveillance.Retrieved on December 8, 2015, fromhttp://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/regin-analysis.pdf

Tabish, S.M., Shafiq, M.Z., & Farooq, M.(2009). Malware Detection using StatisticalAnalysis of Byte-Level File Content.Proceedings of the ACM SIGKDDWorkshop on CyberSecurity andIntelligence Informatics (CSI-KDD’09). 23-31.http://dx.doi.org/10.1145/1599272.1599278New York, NY, USA

Tanda, S. (2015). GitHub. Retrieved onDecember 8, 2015, fromhttps://github.com/tandasat

Teller, T. (2013). Detecting the One Percent:Advanced Targeted Malware Detection.



Proceedings of the RSA Conference. SanFrancisco. USA. Retrieved on December 8,2015, fromhttps://www.rsaconference.com/writable/presentations/file_upload/spo2-t19_spo2-t19.pdf

The Register. (2015, October 8). New mysteryWindows-smashing RAT found incorporate network. Retrieved on December8, 2015, fromhttp://www.theregister.co.uk/2015/10/08/monker_rat/

Timzen, T. (2015). Kernel Forensics andRootkits. Course material for ComputerForensics III (Memory Forensics) / CS407.[Lecture notes]. Retrieved on December 8,2015, fromhttps://www.tophertimzen.com/resources/cs407/slides/week06_01-Rootkits.html#slide1

Tsaur, W.J., & Chen, Y.C. (2010). ExploringRootkit Detectors' Vulnerabilities Using aNew Windows Hidden Driver BasedRootkit. Paper presented at The SecondIEEE International Conference on SocialComputing (SocialCom2010), Minneapolis,MN, USA. 842-848.http://dx.doi.org/10.1109/SocialCom.2010.127

Tsaur, W.J., & Wu, J.X. (2014b). Removingthe driver-related information in theregistry. New Windows RootkitTechnologies for Enhancing Digital RightsManagement in Cloud ComputingEnvironments. Proceedings of the 2014International Conference on e-Learning, e-Business, Enterprise Information Systems,and e-Government (EEE’14). Las Vegas,USA. 3-4. Retrieved on December 8, 2015,from http://worldcomp-proceedings.com/proc/p2014/EEE2315.pdf

Tsaur, W.J., & Wu, J.X. (2014c). Removingthe Signature of PE (Portable Executable)

Image. New Windows Rootkit Technologiesfor Enhancing Digital Rights Managementin Cloud Computing Environments. 2-3.Proceedings of the 2014 InternationalConference on e-Learning, e-Business,Enterprise Information Systems, and e-Government (EEE’14). Las Vegas, USA.Retrieved on December 8, 2015, fromhttp://worldcomp-proceedings.com/proc/p2014/EEE2315.pdf

Tsaur, W.J., & Yeh, L.Y. (2015, July 27-30).New Protection of Kernel-level DigitalRights Management in Cloud-basedConsumer Electronics Environments.Proceedings of the 2015 InternationalConference on Grid & Cloud Computingand Applications (GCA’15). Monte CarloResort, Las Vegas, USA. Retrieved onDecember 8, 2015, from http://worldcomp-proceedings.com/proc/p2015/GCA2880.pdf

Tsaur, W.J., & Wu, J.X. (2014a). RemovingDrivers from PsLoadedModuleList. NewWindows Rootkit Technologies forEnhancing Digital Rights Management inCloud Computing Environments.Proceedings of the 2014 InternationalConference on e-Learning, e-Business,Enterprise Information Systems, and e-Government (EEE’14). Las Vegas, USA.Retrieved on December 8, 2015, fromhttp://worldcomp-proceedings.com/proc/p2014/EEE2315.pdf

Visualizing ELF binaries. (2014). ReverseEngineering. Retrieved on December 8,2015, fromhttp://reverseengineering.stackexchange.com/questions/6003/visualizing-elf-binaries

Vomel, S., & Lenz, H. (2013, March 12-14).Visualizing Indicators of Rootkit Infectionsin Memory Forensics, Paper presented at7th International Conference on ITSecurity Incident Management and IT



Forensics (IMF), 122-139, Nuremberg,German.

Wang, T.Y., Wu, C.H., & Hsieh, C.C. (2009).Detecting Unknown Malicious ExecutablesUsing Portable Executable Headers.Proceedings of the 2009 Fifth InternationalJoint Conference on INC, IMS and IDC.278-284. Washington, DC, USA.http://dx.doi.org/10.1109/NCM.2009.385

Wangen, G. (2015, May 18). The Role ofMalware in Reported Cyber Espionage: AReview of the Impact and Mechanism.Information. 6(2). 183-211.http://dx.doi.org/10.3390/info6020183

Weil, N. (2014, November 24). Stealthy,sophisticated 'Regin' malware has beeninfecting computers since 2008. Retrievedon December 8, 2015, fromhttp://www.pcworld.com/article/2851472/symantec-identifies-sophisticated-stealthy-regin-malware.html

Wineblat, E. (2009). Service Hiding. AprioritInc. Retrieved on December 8, 2015, fromhttp://www.codeproject.com/Articles/46670/Service-Hiding

x86 Disassembly/Windows Executable Files.(n.d.). In Wikipedia. Retrieved onDecember 8, 2015, fromhttps://en.wikibooks.org/wiki/X86_Disassembly/Windows_Executable_Files

Yu, S., Zhou, S., Liu, L., Yang, R., & Luo, J.(2011). Detecting Malware Variants byByte Frequency. 2010 Second InternationalConference on Networks Security WirelessCommunications and Trusted Computing(NSWCTC). 32-35. Wuhan, Hubei, China.http://dx.doi.org/10.1109/NSWCTC.2010.145

Yurichev, D. (2015). Analyzing unknownbinary files using information entropy.Retrieved on December 8, 2015, fromhttp://yurichev.com/blog/entropy/

ZCM Services. (2010). Manually Adding orRemoving Services and Devices. Retrievedon December 8, 2015, fromhttp://nt4ref.zcm.com.au/mansd.htm

zhanglinfu2000. (2013). The organization of theWindows object. Retrieved on December 8,2015, fromhttp://www.developermemo.com/3524027/

Zolotukhin, M. & Hamalainen, T. (2014).Detection of Zero-Day Malware Based Onthe Analysis of Opcode Sequences.Proceedings of the 11th ConsumerCommunications and NetworkingConference (CCNC). 386-391. Las Vegas,NV, USA.http://dx.doi.org/10.1109/CCNC.2014.6866599

Acceleration of Statistical Detection of Zero-day Malware ...

Documents

Transcript of Acceleration of Statistical Detection of Zero-day Malware ...