Papers
Topics
Authors
Recent
Search
2000 character limit reached

Discovering Encrypted Bot and Ransomware Payloads Through Memory Inspection Without A Priori Knowledge

Published 27 Jul 2019 in cs.CR | (1907.11954v1)

Abstract: Malware writers frequently try to hide the activities of their agents within tunnelled traffic. Within the Kill Chain model the infection time is often measured in seconds, and if the infection is not detected and blocked, the malware agent, such as a bot, will often then set up a secret channel to communicate with its controller. In the case of ransomware the communicated payload may include the encryption key used for the infected host to register its infection. As a malware infection can spread across a network in seconds, it is often important to detect its activities on the air, in memory and at-rest. Malware increasingly uses encrypted channels for communicating with their controllers. This paper presents a new approach to discovering the cryptographic artefacts of real malware clients that use cryptographic libraries of the Microsoft Windows operating system. This enables malware secret communications to be discovered without any prior malware knowledge.

Citations (1)

Summary

No one has generated a summary of this paper yet.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Continue Learning

We haven't generated follow-up questions for this paper yet.

Collections

Sign up for free to add this paper to one or more collections.