Detection of Intrusions and Malware, and Vulnerability Assessment


Ulrich Flegel, Evangelos Markatos, William Robertson (Eds.)
LNCS 7591

Detection of Intrusions and Malware, and Vulnerability Assessment
9th International Conference, DIMVA 2012
Heraklion, Crete, Greece, July 26-27, 2012
Revised Selected Papers

Lecture Notes in Computer Science 7591
Commenced Publication in 1973

Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen

Editorial Board
David Hutchison, Lancaster University, UK
Takeo Kanade, Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler, University of Surrey, Guildford, UK
Jon M. Kleinberg, Cornell University, Ithaca, NY, USA
Alfred Kobsa, University of California, Irvine, CA, USA
Friedemann Mattern, ETH Zurich, Switzerland
John C. Mitchell, Stanford University, CA, USA
Moni Naor, Weizmann Institute of Science, Rehovot, Israel
Oscar Nierstrasz, University of Bern, Switzerland
C. Pandu Rangan, Indian Institute of Technology, Madras, India
Bernhard Steffen, TU Dortmund University, Germany
Madhu Sudan, Microsoft Research, Cambridge, MA, USA
Demetri Terzopoulos, University of California, Los Angeles, CA, USA
Doug Tygar, University of California, Berkeley, CA, USA
Gerhard Weikum, Max Planck Institute for Informatics, Saarbruecken, Germany

Volume Editors

Ulrich Flegel
HFT Stuttgart, Department C
Schellingstr. 24, 70174 Stuttgart, Germany
E-mail: ulrich.flegel@hft-stuttgart.de

Evangelos Markatos
Foundation for Research and Technology Hellas (FORTH), Department of Computer Science
100 Plastira Ave, Vassilika Vouton, 70013 Heraklion, Crete, Greece
E-mail: markatos@ics.forth.gr

William Robertson
Northeastern University, College of Computer and Information Science
360 Huntington Ave, Boston, MA 02115, USA
E-mail: wkr@ccs.neu.edu

ISSN 0302-9743
e-ISSN 1611-3349
ISBN 978-3-642-37299-5
e-ISBN 978-3-642-37300-8
DOI 10.1007/978-3-642-37300-8
Springer Heidelberg Dordrecht London New York

Library of Congress Control Number: 2013934265
CR Subject Classification (1998): K.6.5, D.4.6, K.4.4, D.2, C.2, C.5.3
LNCS Sublibrary: SL 4, Security and Cryptology

Springer-Verlag Berlin Heidelberg 2013

This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks. Duplication of this publication or parts thereof is permitted only under the provisions of the German Copyright Law of September 9, 1965, in its current version, and permission for use must always be obtained from Springer. Violations are liable to prosecution under the German Copyright Law.

The use of general descriptive names, registered names, trademarks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

Typesetting: Camera-ready by author, data conversion by Scientific Publishing Services, Chennai, India
Printed on acid-free paper
Springer is part of Springer Science+Business Media (www.springer.com)

Preface

On behalf of the Program Committee, it is our pleasure to present to you the proceedings of the 9th GI International Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA). Each year, DIMVA brings together international experts from academia, industry, and government to present and discuss novel security research. DIMVA is organized by the Special Interest Group Security Intrusion Detection and Response (SIDAR) of the German Informatics Society (GI).

The DIMVA 2012 Program Committee received 44 submissions from a diverse set of countries. All submissions were carefully reviewed by Program Committee members and external experts according to the criteria of scientific novelty, technical quality, and practical impact. The final selection took place at the Program Committee meeting held on April 5, 2012, at the University of Bonn. Ten full papers and four short papers were selected for presentation at the conference and publication in the proceedings. The conference took place July 26-27 at the Astoria Capsis Hotel in Heraklion, Crete. The program featured both theoretical and practical research results grouped into five sessions spanning malware, intrusion detection, mobile security, secure systems, and network design.

We sincerely thank all those who submitted papers as well as the Program Committee members and external reviewers for their valuable contributions to an excellent conference program. For further details about DIMVA 2012, please refer to the conference website at http://www.dimva.org/dimva2012.

July 2012
Ulrich Flegel
Evangelos Markatos
William Robertson

Organization

DIMVA 2012 was organized by the Special Interest Group Security Intrusion Detection and Response (SIDAR) of the German Informatics Society (GI).

Organizing Committee
General Chair: Evangelos Markatos (FORTH)
Program Chair: William Robertson (Northeastern University)
Financial Chair: Ulrich Flegel (HFT Stuttgart)

Program Committee
Davide Balzarotti, Eurécom, France
Erik-Oliver Blass, Northeastern University
Juan Caballero, IMDEA-Software
Lorenzo Cavallaro, Royal Holloway, University of London, UK
Stephen Checkoway, UC San Diego, USA
Mihai Christodorescu, IBM Research
Marco Cova, Birmingham University, UK
Manuel Egele, UC Santa Barbara, USA
Ulrich Flegel, HFT Stuttgart University of Applied Sciences, Germany
Felix Freiling, Friedrich Alexander University, Germany
Chris Grier, ICSI, UC Berkeley, USA
Guofei Gu, Texas A&M
Thorsten Holz, Ruhr University Bochum, Germany
Martin Johns, Universität Passau, Germany
Andrea Lanzi, Eurécom, France
Wenke Lee, Georgia Tech, USA
Corrado Leita, Symantec Research Labs
Ben Livshits, Microsoft Research
Lorenzo Martignoni, Google
Michael Meier, University of Bonn, Germany
Paolo Milani Comparetti, LastLine
Collin Mulliner, TU Berlin, Germany
Roberto Perdisci, University of Georgia, USA
Adrienne Porter Felt, UC Berkeley, USA
Konrad Rieck, University of Göttingen, Germany
Giovanni Vigna, UC Santa Barbara, USA
Heng Yin, Syracuse University, USA

Steering Committee

Chairs
Ulrich Flegel, HFT Stuttgart, Germany
Michael Meier, University of Bonn, Germany

Members
Herbert Bos, VU University Amsterdam, The Netherlands
Danilo M. Bruschi, Università degli Studi di Milano, Italy
Roland Büschkes, RWE AG, Germany
Hervé Debar, Télécom SudParis, France
Bernhard Haemmerli, Acris GmbH & HSLU Lucerne, Switzerland
Marc Heuse, Baseline Security Consulting, Germany
Thorsten Holz, Ruhr-University Bochum, Germany
Marko Jahnke, Fraunhofer FKIE, Germany
Klaus Julisch, Deloitte, Switzerland
Christian Kreibich, International Computer Science Institute, USA
Christopher Kruegel, UC Santa Barbara, USA
Pavel Laskov, University of Tübingen, Germany
Robin Sommer, ICSI/LBNL, USA
Diego Zamboni, CFEngine AS, Norway

Table of Contents

Malware I

Using File Relationships in Malware Classification ... 1
Nikos Karampatziakis, Jack W. Stokes, Anil Thomas, and Mady Marinescu

Understanding DMA Malware ... 21
Patrick Stewin and Iurii Bystrov

Large-Scale Analysis of Malware Downloaders ... 42
Christian Rossow, Christian Dietrich, and Herbert Bos

Mobile Security

Juxtapp: A Scalable System for Detecting Code Reuse among Android Applications ... 62
Steve Hanna, Ling Huang, Edward Wu, Saung Li, Charles Chen, and Dawn Song

ADAM: An Automatic and Extensible Platform to Stress Test Android Anti-virus Systems ... 82
Min Zheng, Patrick P.C. Lee, and John C.S. Lui

Malware II

A Static, Packer-Agnostic Filter to Detect Similar Malware Samples ... 102
Grégoire Jacob, Paolo Milani Comparetti, Matthias Neugschwandtner, Christopher Kruegel, and Giovanni Vigna

Experiments with Malware Visualization (Short Paper) ... 123
Yongzheng Wu and Roland H.C. Yap

Tracking Memory Writes for Malware Classification and Code Reuse Identification (Short Paper) ... 134
André Ricardo Abed Grégio, Paulo Lício de Geus, Christopher Kruegel, and Giovanni Vigna

Secure Design

System-Level Support for Intrusion Recovery ... 144
Andrei Bacs, Remco Vermeulen, Asia Slowinska, and Herbert Bos

NetGator: Malware Detection Using Program Interactive Challenges ... 164
Brian Schulte, Haris Andrianakis, Kun Sun, and Angelos Stavrou

SmartProxy: Secure Smartphone-Assisted Login on Compromised Machines ... 184
Johannes Hoffmann, Sebastian Uellenbeck, and Thorsten Holz

IDS

BISSAM: Automatic Vulnerability Identification of Office Documents (Short Paper) ... 204
Thomas Schreck, Stefan Berger, and Jan Göbel

Self-organized Collaboration of Distributed IDS Sensors ... 214
Karel Bartos, Martin Rehak, and Michal Svoboda

Shedding Light on Log Correlation in Network Forensics Analysis ... 232
Elias Raftopoulos, Matthias Egli, and Xenofontas Dimitropoulos

Author Index ... 243