References
- Primiero G, Solheim FJ, Spring JM. On malfunction, mechanisms and malware classification. Philos Technol. 2019;32(2):339–362. doi:10.1007/s13347-018-0334-2
- Firoozjaei MD. A study on privacy-preserving systems for network services [PhD thesis]. Sungkyunkwan University; 2018.
- Castro RL, Schmitt C, Rodosek GD. ARMED: how automatic malware modifications can evade static detection? In: 2019 5th International Conference on Information Management (ICIM), Cambridge, UK; IEEE; 2019. p. 20–27.
- Rauti S, Laurén S, Mäki P, et al. Internal interface diversification as a method against malware. J Cyber Secur. 2021;5(1):15–40. doi:10.1080/23742917.2020.1813397
- Mangione-Smith W, Roychowdhury V, Bridgewater J. Malware mutation detector. US Patent Application 11/537,443; 2007. https://patentimages.storage.googleapis.com/6f/7a/5e/2fcdc70f396f9b/US20070094734A1.pdf
- O'Kane P, Sezer S, McLaughlin K. Obfuscation: the hidden malware. IEEE Secur Privacy. 2011;9(5):41–47. doi:10.1109/MSP.2011.98
- Biondi F, Josse S, Legay A. Bypassing malware obfuscation with dynamic synthesis. ERCIM News, hal-01378662, 2016.
- Tanenbaum AS, Bos H. Modern operating systems. fourth ed. London, UK: Pearson; 2015.
- MITRE ATT&CK. Access token manipulation: create process with token. https://attack.mitre.org/techniques/T1134/002/, 2020.
- Sikorski M, Honig A. Practical malware analysis: the hands-on guide to dissecting malicious software. San Francisco, California, USA: No Starch Press; 2012.
- Firoozjaei MD, Habibi Lashkari A, Ghorbani AA. Memory forensics tools: a comparative analysis. J Cyber Secur Technol. 2022;6(3):1–25.
- Volatility Foundation. Volatility 2.6 (Windows 10/Server 2016). https://www.volatilityfoundation.org/26.
- Johansen G. Digital forensics and incident response. Birmingham, UK: Packt Publishing Ltd; 2017.
- Hartrell GD, Steeves DJ, Hudis E. Malicious code infection cause-and-effect analysis. US Patent 8,117,659; 2012. https://patentimages.storage.googleapis.com/28/2d/57/2ab93c1faaf698/US8117659.pdf
- Firoozjaei MD, Kim M, Song J, et al. O2TR: offline OTR messaging system under network disruption. Computers & Security. 2019;82:227–240. doi:10.1016/j.cose.2018.12.013
- Onashoga AS, Ojo OE, Soyombo OO. Securix: a 3d game-based learning approach for phishing attack awareness. J Cyber Secur Technol. 2019;3(2):108–124. doi:10.1080/23742917.2019.1624011
- MITRE ATT&CK. Matrix for enterprise. https://attack.mitre.org/, 2020.
- Monnappa KA. Blackout – memory analysis of blackenergy big dropper. https://cysinfo.com/blackout-memory-analysis-of-blackenergy-big-dropper/, 2016.
- Firoozjaei MD, Park J, Kim H. Detecting false emergency requests using callers’ reporting behaviors and locations. In: 2016 30th International Conference on Advanced Information Networking and Applications Workshops (WAINA), Crans-Montana, Switzerland; IEEE; 2016. p. 243–247.
- Firoozjaei MD, Kim M, Alhadidi D. Time-series load data analysis for user power profiling. In: 2023 25th International Conference on Advanced Communication Technology (ICACT), PyeongChang, Korea; IEEE; 2023. p. 382–387.
- Nguyen AM, Schear N, Jung H, et al. MAVMM: lightweight and purpose built VMM for malware analysis. In: 2009 Annual Computer Security Applications Conference (ACSAC), Honolulu, Hawaii, USA; IEEE; 2009. p. 441–450.
- Mankin J. Classification of malware persistence mechanisms using low-artifact disk instrumentation [PhD thesis]. Northeastern University; 2013.
- Akbanov M, Vassilakis VG, Logothetis MD. WannaCry ransomware: analysis of infection, persistence, recovery prevention and propagation mechanisms. J Telecommun Inf Technol. 2019;1(2019):113–124. doi:10.26636/jtit.2019.130218
- Microsoft. Run and RunOnce registry keys. https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys?redirectedfrom=MSDN, 2018.
- INFOSEC. Common malware persistence mechanisms. https://resources.infosecinstitute.com/common-malware-persistence-mechanisms/, 2016.
- Tajoddin A, Abadi M. Ramd: registry-based anomaly malware detection using one-class ensemble classifiers. Appl Intell. 2019;49(7):2641–2658. doi:10.1007/s10489-018-01405-0
- Sanmillan I. Ramsay: a cyber-espionage toolkit tailored for air-gapped networks. https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/, 2020.
- Microsoft. Dynamic-link library search order. https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order?redirectedfrom=MSDN, 2020.
- Chakkaravarthy SS, Sangeetha D, Vaidehi V. A survey on malware analysis and mitigation techniques. Comput Sci Rev. 2019;32:1–23. doi:10.1016/j.cosrev.2019.01.002
- Microsoft. Insecure library loading could allow remote code execution. https://docs.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637, 2017.
- Microsoft. Dynamic-link library redirection. https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection?redirectedfrom=MSDN, 2018.
- Botacin MF, de Geus PL, Grégio AA. The other guys: automated analysis of marginalized malware. J Comput Virol Hacking Tech. 2018;14(1):87–98. doi:10.1007/s11416-017-0292-8
- Microsoft. Authentication packages. https://docs.microsoft.com/en-us/windows/win32/secauthn/authentication-packages?redirectedfrom=MSDN, 2018.
- Bencsáth B, Pék G, Buttyán L, et al. Skywiper (aka flame aka flamer): a complex malware for targeted attacks. CrySyS Lab Technical Report, 2012.
- Jones AR. A review of loadable kernel modules. SANS Security Essentials. 2001;1:1–6.
- Remillano A, Urbanec E, Luy W. Skidmap malware uses rootkit to hide mining payload. https://www.trendmicro.com/en_us/research/19/i/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload.html, 2019.
- MITRE ATT&CK. Create or modify system process: Windows service. https://attack.mitre.org/techniques/T1543/003/, 2020.
- AntiyLabs. Antiy released technical analysis of industrial control malware TRISIS. https://www.antiy.net/p/antiy-released-technical-analysis-of-industrial-control-malware-trisis/, 2019.
- Firoozjaei MD, Mahmoudyar N, Baseri Y, et al. An evaluation framework for industrial control system cyber incidents. Int J Crit Infrastruct Prot. 2022;36:100487. doi:10.1016/j.ijcip.2021.100487
- MITRE ATT&CK. Process injection. https://attack.mitre.org/techniques/T1055/, 2017.
- Hosseini A. Ten process injection techniques: a technical survey of common and trending process injection techniques. Endpoint Security Blog. 2017. https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
- hasherezade. A technical look at dyreza. https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/, 2015.
- Trend Micro Cyber Safety Solutions Team. A closer look at DYRE malware, part 1. 2014. https://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-dyre-malware-part-1/
- Ebach L. Analysis results of Zeus.Variant.Panda. G DATA Advanced Analytics. 2017. https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf
- MITRE ATT&CK. Process injection: process doppelgänging. https://attack.mitre.org/techniques/T1055/013/, 2020.
- Galvin PB, Gagne G, Silberschatz A. Operating system concepts. Hoboken, New Jersey, USA: John Wiley & Sons; 2003.
- IEEE and The Open Group. The Open Group base specifications issue 7. 2018. https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap03.html#tag_03_343
- Microsoft. CreateProcessA function (processthreadsapi.h). https://docs.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa?redirectedfrom=MSDN, 2018.
- Stevens D. Quickpost: SelectMyParent or playing with the Windows process tree. https://blog.didierstevens.com/2009/11/22/quickpost-selectmyparent-or-playing-with-the-windows-process-tree/, 2009.
- Stevens D. That is not my child process! https://blog.didierstevens.com/2017/03/20/that-is-not-my-child-process/, 2017.
- MITRE ATT&CK. Access token manipulation: parent PID spoofing. https://attack.mitre.org/techniques/T1134/004/, 2020.
- Hyvarinen N. Detecting parent PID spoofing. https://blog.f-secure.com/detecting-parent-pid-spoofing/, 2018.
- Beek C, Samani R. A case of mistaken identity? The role of blackenergy in Ukrainian power grid disruption. https://www.mcafee.com/blogs/other-blogs/mcafee-labs/blackenergy_ukrainian_power_grid/?hilite=%27orkin%27, 2016.
- Securityinbits. Parent PID spoofing (stage 2) Ataware ransomware – part 0x3. https://www.securityinbits.com/malware-analysis/parent-pid-spoofing-stage-2-ataware-ransomware-part-3/, 2019.
- MITRE ATT&CK. Access token manipulation. https://attack.mitre.org/techniques/T1134/, 2017.
- Borana P, Sihag V, Choudhary G, et al. An assistive tool for fileless malware detection. In: 2021 World Automation Congress (WAC), Taipei, Taiwan; IEEE; 2021. p. 21–25.
- Zeitlin E, Axelrod A, Thomas AF, et al. Protecting user mode processes from improper tampering or termination. US Patent 8,621,628; 2013. https://patentimages.storage.googleapis.com/2d/12/3d/514fcdcc09cb04/US8621628.pdf
- Wilander J, Kamkar M. A comparison of publicly available tools for dynamic buffer overflow prevention. In: Network and Distributed System Security Symposium (NDSS), San Diego, California, USA; 2003. p. 149–162.
- Li D, Zhu H, Chen J, et al. System and method for process state processing. US Patent 10,769,001; 2020. https://patentimages.storage.googleapis.com/d8/32/78/74be5097ccc688/US10769001.pdf
- Schultz JS. Offline forensic analysis of Microsoft Windows XP physical memory. Technical report, Naval Postgraduate School, Monterey, CA, Department of Computer Science; 2006.
- Garfinkel T, Pfaff B, Chow J, et al. Data lifetime is a systems problem. In: Proceedings of the 11th Workshop on ACM SIGOPS European Workshop, Leuven, Belgium; 2004. p. 10–es.
- Schuster A. The impact of Microsoft windows pool allocation strategies on memory forensics. Dig Inv. 2008;5:S58–S64. doi:10.1016/j.diin.2008.05.007
- Michalas A, Murray R. MemTri: a memory forensics triage tool using Bayesian network and Volatility. In: Proceedings of the 2017 International Workshop on Managing Insider Security Threats, Dallas, Texas, USA; 2017. p. 57–66.
- Oracle. VirtualBox. https://www.virtualbox.org/
- AccessData. FTK Imager, evidence acquisition tool. https://accessdata.com/products-services/forensic-toolkit-ftk/ftkimager
- Svensson R. DAS MALWERK//malware samples. https://dasmalwerk.eu/.
- VirusTotal. https://www.virustotal.com/gui/home/upload.
- Zamora W. How to avoid potentially unwanted programs. https://blog.malwarebytes.com/101/2016/02/how-to-avoid-potentially-unwanted-programs/, 2016.
- Rodola G. Psutil documentation. https://psutil.readthedocs.io/en/latest/, 2020.
- ITSafety. TabReports.Exe problem. How to eliminate TabReports.Exe from task manager. https://itsafety.net/report/20190724-4c9be0e97fbb8da12582f3252173f48b-tabreports-exe_general-threat, 2019.
- ITSafety. How to remove TabAllTools.Exe (uninstall guide). https://itsafety.net/report/20200815-5eab5b3004e0fb51ed7e24a4359239b9-taballtools-exe_general-threat, 2020.
- Firoozjaei MD, Yu J, Kim H. Privacy preserving nearest neighbor search based on topologies in cellular networks. In: 2015 IEEE 29th International Conference on Advanced Information Networking and Applications Workshops, Gwangju, South Korea; IEEE; 2015. p. 146–149.
- Eresheim S, Luh R, Schrittwieser S. The evolution of process hiding techniques in malware – current threats and possible countermeasures. J Inf Process. 2017;25:866–874. doi:10.2197/ipsjjip.25.866
- Lookout. Monokle: the mobile surveillance tooling of the special technology center. Secur Res Report. 2019. https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf
- Mohanta A, Saldanha A. Code injection, process hollowing, and api hooking. Malware Analysis Detection Eng. 2020;1:267–329. https://link.springer.com/chapter/10.1007/978-1-4842-6193-4_10#citeas
- Trend Micro. The xcsset malware: Inserts malicious code into xcode projects, performs uxss backdoor planting in safari, and leverages two zeroday exploits. 2020. https://www.trendmicro.com/en_ca/research/20/h/xcsset-mac-malware--infects-xcode-projects--uses-0-days.html.
- Penetration Testing Lab. Token manipulation. https://pentestlab.blog/2017/04/03/token-manipulation/, 2017.
- Dillon K. Feature-level malware obfuscation in deep learning. arXiv. 2002. https://arxiv.org/abs/2002.05517.
- Redondo A, Insua DR. Protecting from malware obfuscation attacks through adversarial risk analysis. Risk Analysis. 2019;40(12):2598–2609. arXiv preprint arXiv:1911.03653. doi:10.1111/risa.13567
- Kalaimannan E, John SK, DuBose T, et al. Influences on ransomware’s evolution and predictions for the future challenges. J Cyber Secur Technol. 2017;1(1):23–31. doi:10.1080/23742917.2016.1252191
- Wampler J, Martiny I, Wustrow E. ExSpectre: hiding malware in speculative execution. In: Network and Distributed Systems Security (NDSS) Symposium, San Diego, CA, USA; 2019.
- Chen X, Li C, Wang D, et al. Android hiv: a study of repackaging malware for evading machine-learning detection. IEEE Trans Inf Forensics Secur. 2019;15:987–1001. doi:10.1109/TIFS.2019.2932228
- Ispoglou KK, Payer M. malWASH: washing malware to evade dynamic analysis. In: 10th USENIX Workshop on Offensive Technologies (WOOT '16), Austin, Texas, USA; 2016.