Embed Size (px)
Citation preview
Discovering Encrypted Bot and RansomwarePayloads Through Memory Inspection Without
A Priori KnowledgePeter McLaren, William J Buchanan, Gordon Russell, Zhiyuan Tan
School of Computing, Edinburgh Napier University, Edinburgh, UK.
Abstract—Malware writers frequently try to hide the activitiesof their agents within tunnelled traffic. Within the Kill Chainmodel the infection time is often measured in seconds, and ifthe infection is not detected and blocked, the malware agent,such as a bot, will often then set up a secret channel tocommunicate with its controller. In the case of ransomware thecommunicated payload may include the encryption key usedfor the infected host to register its infection. As a malwareinfection can spread across a network in seconds, it is oftenimportant to detect its activities on the air, in memory and at-rest.Malware increasingly uses encrypted channels for communicatingwith their controllers. This paper presents a new approach todiscovering the cryptographic artefacts of real malware clientsthat use cryptographic libraries of the Microsoft Windowsoperating system. This enables malware secret communicationsto be discovered without any prior malware knowledge.
Index Terms—network traffic; decryption; memory analysis;Transport Layer Security; bot; ransomware
I. INTRODUCTION
Malicious actors employ secure channels to hide com-munications from detection agents. These channels enableactivities such as the installation of exploit kits, distribution ofmalware and adware, and communicating useful informationto controllers. So, knowledge of channel contents is unknownwhile malicious use of secure channel surges - a cloud vendorblocked 1.7 billion threats using TLS in he second half of 2018[1]. Malware classes that frequently uses TLS secure channelfor communications are bots and ransomware.
The ransomware element of an attack can be defined asthe weaponisation part, where a ransomware element can bepackaged with a defined distribution and infection methods,and then targeted as required. The first phase of ransomware,such as WannaCry, was often fairly scattergun in its targets,but the usage of ransomware in targeted attacks increases. In2019, Symantec found that enterprise-targeting ransomwareshowed a yearly increase of 12% and attacks on mobile devicesrose by 33% [2]. With WannaCry we saw the weaponisationof ransomware, which used the Eternal Blue vulnerability forits infection. The NHS in the UK was but one organizationof many who suffered major outages from the ransomwareinfection [3].
Modern bot malware is generally multi-purpose. Once in-stalled on a client, an external controller determines bot ac-tivities through issued commands. Encrypted controller-to-botchannels prevent defenders from discovering commands. Ran-somware clients are generally single purpose in that users pay
to recover document or device access. Crypto-ransomware,where documents on an infected client are encrypted and apayment is required, typically in Bitcoins, for the decryp-tion key, is a common variant [4]. Communications betweencrypto-ransomware clients and controllers may include usefulinformation such as encryption keys.
Current methods of dealing with malicious use of securechannels have limitations. Whereas in unencrypted channels,payload inspection provides knowledge of malware activity,with encrypted channels, detection methods rely on discover-ing anomalies between benign and malicious activity. Thesemethods assist in the detection and possible prevention of pos-sible malicious activity but cannot provide detailed knowledgeof the malicious activity.
This paper investigates decrypting TLS communications ofreal-world malware. A framework uses a standard approachfor decrypting TLS traffic to analyse and decrypt the securecommunications. For malware, performance challenges canresult from malware use of different cryptographic libraries.So, the framework is extended to accommodate the Windowscryptographic library. Experiments evaluate decrypting realbot and ransomware command and control communicationsusing the extension. The contribution is a novel method todiscovering cryptographic artefacts used by real malware. Asthese are discovered in single memory extracts and decryptedin less than a second, the communicated activities of unknownmalware can be discovered.
The rest of the paper is structured as follows. Related re-search on malware command and control channels is presentedin Section II. Section III discusses sourcing of real-worldmalware samples while Section IV evaluates and discussesthe limitations of decrypting using a standard TLS decryptionmethodology. An new approach for decrypting traffic usingWindows cryptographic libraries is presented in Section V.The results are presented and discussed in Section VI andconclusions drawn in Section VII.
II. RELATED WORK
A number of papers focus on memory inspection to discoverthe malware threat using calls to APIs. Gupta et al [5] analysedAPI calls within Windows and mapped a total of 534 importantAPI calls with 26 categories (A-Z). These were then usedto identify five types of malware (Worm, Trojan-Downloader,Trojan-Spy, Trojan-Dropper and Backdoor). Hampton et al [6]
arX
iv:1
907.
1195
4v1
[cs
.CR
] 2
7 Ju
l 201
9
furthered this work by analysing 14 strains of ransomwareon Windows platforms and created mappings of the API callfrequencies.
Other studies detect the presence of malware command andcontrol channels. Signature-based detection systems that checkfor known byte sequences in packet headers or payloads maybe less successful with new malware variants or encryptedtraffic. So, anomaly detection methods using data miningmethods [7] can distinguish benign from malware traffic.For example, features such as correlations between malwarechannel request and response times [8], short packet sizes [9],TLS header information [10], or a combination of features [11]are possible differentiators. The features facilitate malwaredetection and prevention but the encrypted contents are hidden.
Controller emulation can discover malware client plaintext.Logging client requests may provide useful insights althoughcited challenges may be environment security, scalability forlarge botnets, and transparency, where malware detects thepresence of a test environment and terminates [12]. Althougha controlled environment is advantageous [13] and can beused to detect adversaral activities [14] emulator drawbacksfor decrypting real-world malware communications may benot knowing valid controller responses but, perhaps moreimportantly, the malware must be known a priori to executein the environment.
Patil et al [15] define an investigation framework foranalysing captured memory for the detection of malware usinginformation from processes, running threads, opened registrykeys, and user authentication details. Google, too, focus onmemory inspection for the detection of malware [16] and usea number of virtual machines to detect anomalous behaviour.
Feichtner et al [17] defines a method of detecting crypto-graphic misuse in Apple iOS applications. Their work uses adecompilation method to analyse the code calls to the corecryptographic libraries. In their analysis they found that 82%of the applications sampled had a cryptographic flaw. For thisthey defined six main rules to identify a cryptographic flaw.These included: the usage of the ECB mode for encryption;the usage of a non-random IV for CBC encryption; and theusage of constant encryption keys. Most of flaws found relatedto the usage of a non-random Initialization Vector (IV) and theusage of constant encryption keys. They also found that 27%of the sampled apps used ECB (Electronic Code Book) for thesymmetric key encryption.
A priori malware knowledge may also enable plaintextdiscovery. While virtual machine environments, such asDRAKVUF [18], support malware dynamic analysis, suchsolutions succeed only where actual, or suspected, malwareis obtained. Our approach requires no prior knowledge sodiscovering the plaintext in the encrypted communications ofunknown malware is possible.
Discovery of malware cryptographic artefacts may en-able their communications to be decrypted. For example,researchers have discovered TLS encryption keys in mem-ory [19]. Initialization vectors were not discovered, whichfor commonly-used AES-GCM encryption is necessary, so
plaintext was not derived. Furthermore, whereas keys werediscovered in Linux memory, malware is still predominantlyWindows-focused [10].
III. SOURCING MALWARE SAMPLES
Malware communications analysis ideally executes realmalware samples. Samples of recent provenance are preferableas these may reflect the approaches of modern malwareauthors, Maintained online databases provide guides to currentusage. For SSL traffic, the SSL Blacklist website [20] listsbot and ransomware clients in reverse chronological orderof awareness. From the list, 35 potential malware entitieswere identified. For each, multiple client executable sampleswere downloaded in compressed, password protected from theVirusShare website [21]. The compressed files are securelycopied to the client. on which Windows Defender is disabled,the compressed files uncompressed and executed. As theresponder acting as a malware controller was not configuredto respond appropriately, only three executables successfullyestablished a TLS connection including a data exchange witha server running the OpenSSL server application [22]. Thethree malware executables are listed in Table I followed bypertinent background.
TABLE IMALWARE SAMPLES
Type Class MD5Bot Zbot eeef1e062c8011cabb23b3c833ff766aRansomware Torrentlocker aeb5bb78ab442bc94bb94d968754e523Bot Gozi 67a775879d3664456cb6a5026c518ca0
Zbot, also known as ZeuS or Zeus, is a well-known botmalware instance. Detected in 2006 [23], Zbot is primarilyknown for stealing banking passwords by injecting code into auser browser as illustrated in Figure 1. Other Zbot functionalityincludes extracting information such as browser history andcookies, certificates, and mail account information as wellas perform actions such as manipulate local files, installransomware, log keystrokes, take screenshots, and managea botnet of other infected computers [24] [25]. AlthoughZbot previously used the HTTP protocol for communications,information and commands are now generally concealed withTLS.
Gozi, also known as Ursnif inter alia, is also an information-stealing bot. Detected in 2007 [27], Gozi is commonly usedby malicious actors for stealing and other confidential bankinginformation [28] [29] [30] as shown in 2. Although functionsinclude theft of cookies and email credential, and loggingof keystrokes and browsing activity [31], a key feature isintercepting network traffic to hijack financial transactions. Forexample, when a money transfer is detected, Gozi issues anencrypted message through its command and control serverto prevent the correct transfer and redirect the funds to acontrolled account [32].
TorrentLocker is an instance of crypto-ransomware. Knownsince 2014, sufficiently similar to CryptoLocker to also beknown as Crypt0L0cker, it encrypts user documents including
Fig. 1. Zbot Fake [26]
pictures, advises the user of its action, and demands paymentusing Bitcoins [33] as indicated in Figure 3. Although client-controller communications were previously encrypted usingXOR, TLS is now a common communications mechanism[34]. Information transmitted to the controller includes theransom page, the encryption key which is RSA-encrypted witha TorrentLocker public key, counts of encrypted files, addressbook contacts, email credentials, and logs [33].
IV. APPROACH
The analysis framework executes in a virtualized environ-ment, A hypervisor supports a virtual machine monitor exe-cuting on a privileged virtual machine, a suspect client virtualmachine executing malware samples, and virtual machinesproviding server functionality for client communications. Theframework extracts read/write client virtual machine memory,analyses memory extracts to discover small sets of candidatecryptographic artefacts, and decrypts encrypted network trafficuntil a decrypt is validated. The framework accommodatesSSH and TLS protocols and encryption algorithms such asAES and ChaCha20.
A standard TLS extension searches memory extracts for keyblocks that a pseudo-random number generator (PRNG) createafter the handshake. For AES-GCM, the agreed encryptionalgorithm for each malware sample, key blocks contain clientand server encryption keys, and client and server implicitinitialization vector (IV) segments. MemDecrypt memoryanalysis searches for key blocks following the process illus-trated in 4 where the explicit IV segment in an ApplicationData network packet enables searches for candidate implicitIVs, which enable candidate key block discovery. Candidateimplicit IVs are memory extract segments co-located withexplicit IV segment values. Candidate key blocks are mem-ory extract segments co-located with candidate implicit IVsegments and where the key block client key and server keyexceed a threshold.
A. Test Environment
The Xen Project 4.4.1 hypervisor runs on a Core 2 DuoDell personal computer with 40 GB of disk storage and 3 GBof RAM, It supports a privileged hypervisor console running
Debian release 3.16.0-4-amd64 version and the MemDecryptframework. and three unprivileged virtual machines. Exper-iments execute on a Windows client and a Linux servervirtual machine. The client runs the Windows 10 (10.0.16299)operating system with 2 GB of memory and 40 GB of disk,and the server runs an Ubuntu 14.04 build (“Trusty”) with512 MB of allocated memory and 4 GB of disk storage.
The environment is configured for malware containment.The malware client is prevented from communicating withexternal servers to prevent possible corruption of otherenvironments. So, an additional Linux machine runningUbuntu 14.04 build (“Trusty”) with 512 MB of allocatedmemory and 4 GB of disk storage is established as a DNSserver using the ‘dnsmasq’ package. Responses to benignDNS requests, such as *.microsoft.com, return the DNSserver IP address and to other requests the IP address of thetarget TLS server. For the first experiment, debug mode wasenabled to log keys, IVs and plaintext. The OpenSSL servercommand used was:
openssl s_server -accept 443 -debug -cert crt.pem -keykey.pem -WWW
B. Results
With Zbot, the application of the standard TLS extensionto memory extraction and analysis, the decrypt analysis com-ponent was projected to require approximately 34 hours toidentify correct artefacts. By excluding artefacts less than1000 bytes apart in memory extracts, this reduced to 15minutes so the combined analysis duration was 38 minutes.Although quicker than brute-force, cryptanalytic, and side-channel approaches, the duration may be insufficient for prac-tical application in live scenarios. Furthermore, the duration issubstantially longer than earlier experiments with, for example,the OpenSSL library, warranting further analysis.
Two factors cause this increase. One is the 8-byte explicitIV segment obtained from an Application Data Message. ForZbot, the first explicit IV segment is ’0x0000000000000001’as illustrated in the highlighted section of the Wireshark packetcapture in Figure 5. This byte sequence occurs more frequentlythan randomly generated explicit IVs in memory extracts. So,when the explicit IV is used to discover possible four-byteimplicit IV segments, 578,629 possible instances were found.Entropy measure thresholds reduced the candidate key blocksize to 23,361. By contrast, an experiment with an OpenSSLclient application yielded three candidate implicit IVs and 79candidate keys.
The other factor is masquerading. To evade detection,malware applications may camouflage their activities and onesuch mechanism is masquerading as a benign applicationso the malware may also be known as a ‘trojan’. In theWindows environment, examples of benign applications usedfor masquerading includes the Edge browser and WindowsExplorer. However, when Zbot masquerades as the WindowsExplorer, for example, the data collection component extracts
Fig. 2. Gozi Data Theft [27]
Fig. 3. TorrentLocker/Crypt0L0cker Warning
265 read/write memory files totalling 73.2 MB for each sepa-rate extraction. The combination of these two factors leads tolarge sets of candidate keys and IVs.
V. WINDOWS LIBRARY EXTENSION
Memory extract features suggest a more efficient alternative.Using the session key and IV from OpenSSL server logs,a search of malware client application memory yielded in-teresting facts: the key occurs frequently in different extractfiles, memory extract files sizes containing the key are withinspecific ranges, and two unusual ASCII strings are presentnear encryption key locations in the memory extract files.
The repeated occurrence of the key in memory extracts mayresult from data protection or an absence of data cleansing.After a TLS handshake when client and server keys have beengenerated by a pseudo-random generator, the keys may becopied to record data structures for simplified access by theencryption process. The malware may copy the keys repeatedlyto ensure access. Alternatively, the malware writer may copykeys on different occasions but fail to cleanse the source orcopy. In any case, this feature is not used in the extension.
Sizes of memory extract files containing encryption keysranged between 2 MB and 4 MB. Consistent with prior SSHand TLS investigations, the size probably originates from anapplication memory allocation request (‘malloc’) for a datastructure to hold the encryption, or decryption fields such as
Fig. 4. GCM Memory Analysis Approach
Fig. 5. Gozi Handshake & Application Data message
keys, encrypt/decrypt flags, key length, mode, etc. As illus-trated in Figure 6 which maps the number of segments abovea 4.5 threshold (Y-axis) against the extracted size (X-axis),the distribution of high-entropy counts in malware applicationmemory suggests that prioritizing regions for analysis mayspeed up the IV and key discovery process.
The presence of specific ASCII strings in memory extractscontaining keys is more significant. The strings are ‘3LLS’and ‘KSSM’, or in big-endian format" ’SSL3’ and ‘MSSK’.Researchers identified ‘MSSK’ in the Windows security pol-icy application, Local Security Authority Subsystem Service(LSASS) as a possible acronym for ‘Microsoft SymmetricKey’ or ‘Microsoft Symmetric Key’ [35]. ‘SSL3’ may refer tothe deprecated forerunner of TLS, SSLv3. Kambic identifiedprobable fields in the undocumented LSASS data structureincluding: encryption data structure sizes; TLS version; andthe encryption key. The field identified by Kambic as theprobable IV field is inconsistent with MemDecrypt memoryextracts. The implicit IV is located approximately 20 bytesafter the ‘3LLS’ string, and the key approximately 30 bytesafter the ‘KSSM’ string. Although random occurrences arepossible, the strings provide good indicators for identifyingcandidate memory extracts containing cryptographic artefactswhen Microsoft security libraries are used.
A MemDecrypt extension to decrypt TLS communicationsfrom executables that use Microsoft security librariesaccommodates these features. Microsoft encryption librariesare assumed When TLS Application Data messages containexplicit IV values of ‘x0000000000000001’, Additionaltechniques such as the identification of executable linkedlibraries might validate this assumption. Extract file sizes arebanded to prioritise medium-sized files. The extract files aresearched for the ASCII strings and fields in near locations inthe same extracts and of sufficient entropy to be candidatekeys and IVs are identified. The Microsoft memory analysisalgorithm is shown in Algorithm 1. The banding is wider,and the maximum allowable distances in memory between’3LLS’ and a candidate IV, and ’KSSM’ and a candidatekey exceed the empirically observed values to allow forpotential data structure changes, as may result from operatingsystem upgrades. The entropy thresholds for ’IVsize’ and’keysize’ are set to 1.5 and 4.5 respectively based on previousexperiments with PRNG functions. If the Microsoft libraryextension fails to find cryptographic artefacts, the TLSextension provides a fall-back.
Fig. 6. Windows Explorer High-entropy Regions
Data: Extracts folder, entropy thresholds, keysizeResult: Z = candidate keys, Y = candidate IVsfor file in folder do
if 1 MB < size(file) < 8MB thenBand1 += file;
endif 0 MB < size(file) < 1MB then
Band2 += file;endif 8 MB < size(file) then
Band3 += file;end
endIVsize = 4;for each file in Bands 1-3 do
if ‘KSSM’ in extract thenstart = location (‘3LLS’);for i = start to MaxIVdistance inc by 4 do
s = extract[i:i+4];if entropy(s) > threshold(IVsize) then
Y += send
endStart = location ‘KSSM’;for i = start to MaxKeydistance increment by 4
dos = extract[i:i+keysize];if entropy (s) > threshold(keysize) then
Z += s;end
endend
endAlgorithm 1: Windows Library Memory Analysis
VI. WINDOWS LIBRARY EXTENSION EVALUATION
Experiments were executed to evaluate the Windows libraryextension. Each malware sample was executed on a Windows10 client, memory extracted and Ubuntu OpenSSL serverlogs collected. Analysis decrypts were validated by evaluatingcompliance with HTTP 1.1 and comparison with server logs.An example of Zbot decrypted analysis output is illustrated inFigure 7 and verification provided by the OpenSSL server logshown in Figure 8. Each Zbot, Gozi, and TorrentLocker sam-ples decrypted with 100% success. Decrypt output examplesfor all malware samples are shown in Table II. Host names andGET image names vary for different test runs, and furthermore,Gozi decrypts produce POST as well as GET requests.
Analysis component durations for each malware sampleconfirm the extension’s performance. As illustrated in TableIII the maximum combined duration for memory analysis anddecrypt analysis is below 1 second, a direct consequence ofreduced candidate cryptographic artefact set sizes. With theMicrosoft library extension, the set sizes range between threeand six, and IV set sizes between 79 and 483.
A. Analysis
The small experimental set size might inhibit completeconfidence in the extension’s capacity to decrypt encryptedmalware command and control traffic. When malware writershave developed custom security routines, analysts have brokenthem easily broken so known cryptographic libraries are morecommonly used. Microsoft library presents a good opportu-nity for malware writers being pre-loaded with a Windowsoperating system. Use of libraries such as OpenSSL wouldrequire additional download increasing the risk of detection.It is concluded that payloads of secure TLS communicationsbetween malware clients executing on Windows clients andtheir controllers can be rapidly discovered.
Fig. 7. Zbot Decrypt Log
Fig. 8. Zbot Server Log
Decrypting a single request is not conclusive. This out-come is determined by testbed configuration as the serverresponds with OK to any TLS requests, In the absence of areasonable response, the client may terminate or cease furthercommunications with the controller. Also, decryption may notnecessarily provide useable information, particularly wherethe plaintext includes a secondary encryption layer as withTorrentLocker. However, having discovered the key and IV, acomplete session is decryptable.
VII. CONCLUSIONS
Rapid decryption of live TLS malware traffic offers excitingprospects. For instance, by permitting the client to communi-cate with its controller in a managed environment, knowledgesuch as client-controller interaction details may contribute toenhanced malware defences. Furthermore, decrypting unman-aged communications between malware and controller mayprovide ransomware keys or stolen banking details. Future
work will explore these opportunities as well as expandingthe range of tested malware clients.
REFERENCES
[1] D. Desai, “What’s hiding in encrypted traffic? Millions of advancedthreats,” 2019. [Online]. Available: https://www.zscaler.com/blogs/research/whats-hiding-encrypted-traffic-millions-advanced-threats
[2] Symantec, “Internet Security Threat Report (ISTR) 2019,”https://solutionsreview.com/endpoint-security/by-the-numbers-endpoint-security-vulnerabilities/, 2019, [Online; accessed 20-Mar-2019].
[3] J. Hoeksma, “NHS cyberattack may prove to be a valuable wake upcall,” BMJ: British Medical Journal (Online), vol. 357, 2017.
[4] A. Kharraz, W. Robertson, D. Balzarotti, L. Bilge, and E. Kirda, “Cuttingthe gordian knot: A look under the hood of ransomware attacks,” inInternational Conference on Detection of Intrusions and Malware, andVulnerability Assessment. Springer, 2015, pp. 3–24.
[5] S. Gupta, H. Sharma, and S. Kaur, “Malware characterization usingwindows API call sequences,” in International Conference on Security,Privacy, and Applied Cryptography Engineering. Springer, 2016, pp.271–280.
[6] N. Hampton, Z. Baig, and S. Zeadally, “Ransomware behaviouralanalysis on Windows platforms,” Journal of information security andapplications, vol. 40, pp. 44–51, 2018.
TABLE IIMALWARE DECRYPT ANALYSIS OUTPUT EXAMPLES
Malware Decrypt
Zbot GET /images/iWjLmuDOy7/XYiI3c6Yc19CBsArB/rO6Z4SdMsmUI/_2FtdYcDlyk/LoNJcQlukRof2E/wEtt4hPTStlxvgVkkzKsg/60jtn5ijtM8aubv/YKQoZfCXiA4x01o/rjcmP9NhrPGMZrGeb/mWLp7cs9z/83p8sChdoB_2FBMuejFT/IP3nyBFsFoV/U.jpegHTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0;Windows NT 10.0; Win64; x64)Host: aineiounfafjnafjwnaefoiajwnf.netConnection: Keep-AliveCache-Control: no-cache
TorrentLocker POST /topic.php HTTP/1.1Accept: */*Host: orbfoz.drinkmilks.orgContent-Length: 176Cache-Control: no-cache
Gozi GET/images/SZK2b21jT4lHGlPQ/dzUZdQ7R6GQ9vDq/_2Bubb8ji761TySLT2/0hh3OGhrh/Gp933q_2BuLnl3Zz6zem/PlUvBGkYtrVJ8DUn8vN/LcmmaA101YcrEmAU5RwlEy/zK8Z9xa06n3R/g0EFUOhv/8sDfI2Goa3803Voj6biFmRG/JDejp7Gffn/y7.jpeg HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 8.0;Windows NT 10.0; Win64; x64)Host: wjenqwdqwdwdqwd.comConnection: Keep-AliveCache-Control: no-cache
TABLE IIIMALWARE EXTENSION ANALYSIS TIMES (SECS)
Memory Analysis Decrypt AnalysisMaximum 0.21 0.41Minimum 0.18 0.03Mean 0.17 0.16Standard Deviation 0.03 0.18
[7] A. S. Shekhawat, F. Di Troia, and M. Stamp, “Feature analysis ofencrypted malicious traffic,” Expert Systems with Applications, 2019.
[8] G. Gu, J. Zhang, and W. Lee, “BotSniffer: Detecting botnet commandand control channels in network traffic,” in NDSS ’08 Proceedings ofthe 15th Annual Network and Distributed System Security Symposium,2008.
[9] X. Ma, X. Guan, J. Tao, Q. Zheng, Y. Guo, L. Liu, and S. Zhao, “Anovel IRC botnet detection method based on packet size sequence,” in2010 IEEE International Conference on Communications. IEEE, 2010,pp. 1–5.
[10] B. Anderson, S. Paul, and D. McGrew, “Deciphering malware’s use oftls (without decryption),” Journal of Computer Virology and HackingTechniques, pp. 1–17, 2016.
[11] P. McLaren, G. Russell, and B. Buchanan, “Mining malware commandand control traces,” in 2017 Computing Conference. IEEE, 2017, pp.788–794.
[12] B. Lin, Q. Hao, L. Xiao, L. Ruan, Z. Zhang, and X. Cheng, “Botnetemulation: challenges and techniques,” in Emerging Technologies forInformation Systems, Computing, and Management. Springer, 2013,pp. 897–908.
[13] C. P. Lee, “Framework for botnet emulation and analysis,” Ph.D.dissertation, Georgia Institute of Technology, 2009.
[14] S. Sentanoe, B. Taubmann, and H. P. Reiser, “Virtual machine intro-spection based ssh honeypot,” in Proceedings of the 4th Workshop onSecurity in Highly Connected IT Systems. ACM, 2017, pp. 13–18.
[15] D. N. Patil and B. B. Meshram, “Windows Physical Memory Analysis toDetect the Presence of Malicious Code,” in Recent Findings in IntelligentComputing Techniques. Springer, 2019, pp. 3–13.
[16] E. Thioux, M. Amin, and O. A. Ismael, “System and method for analysisof a memory dump associated with a potentially malicious contentsuspect,” Feb. 5 2019, uS Patent App. 10/198,574.
[17] J. Feichtner, D. Missmann, and R. Spreitzer, “Automated Binary Analy-sis on iOS: A Case Study on Cryptographic Misuse in iOS Applications,”in Proceedings of the 11th ACM Conference on Security & Privacy inWireless and Mobile Networks. ACM, 2018, pp. 236–247.
[18] T. K. Lengyel, S. Maresca, B. D. Payne, G. D. Webster, S. Vogl, andA. Kiayias, “Scalability, Fidelity and Stealth in the DRAKVUF DynamicMalware Analysis System,” in Proceedings of the 30th Annual ComputerSecurity Applications Conference, ser. ACSAC ’14. ACM, 2014, pp.386–395.
[19] B. Taubmann, C. Frädrich, D. Dusold, and H. P. Reiser, “TLSkex:Harnessing virtual machine introspection for decrypting TLS communi-cation,” Digital Investigation, vol. 16, pp. S114–S123, 2016.
[20] “SSL Blacklist,” 2018. [Online]. Available: https://sslbl.abuse.ch[21] “VirusShare.” [Online]. Available: https://virusshare.com/[22] OpenSSL Software Foundation, “OpenSSL: Cryptography and SSL/TLS
toolkit,” https://www.openssl.com/, 2018, [Online; accessed 29-Jan-2019].
[23] Trend Micro, “Trend Micro,” https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/online-banking-trojan-brief-history-of-notable-online-banking-trojans, 2015, [Online;accessed 20-Mar-2019].
[24] “Trojan.Zbot,” 2016. [Online]. Available: https://www.symantec.com/security-center/writeup/2010-011016-3514-99
[25] Panda, “Zeus is Still the Base of Many Current Trojans,” 2017. [Online].Available: https://www.pandasecurity.com/mediacenter/panda-security/zeus-trojan/
[26] R. PP, “Zeus/Zbot Trojan Attacks Credit Cards of Banks,”2016. [Online]. Available: https://techpp.com/2010/07/15/zeuszbot-trojan-attacks-credit-cards-of-banks/
[27] D. Jackson, “Gozi Trojan,” 2007.[28] M. Alvarez, T. Agayev, and T. Darsan, “Q1 2018 Results: Gozi (Ursnif)
Takes Larger Piece of the Pie and Distributes IcedID,” 2018. [Online].Available: https://securityintelligence.com/q1-2018-results-gozi-ursnif-takes-larger-piece-of-the-pie-and-distributes-icedid/
[29] E. Brumaghin, H. Unterbrink, and A. Weller, “Gozi ISFB RemainsActive in 2018, Leverages "Dark Cloud" Botnet For Distribution,”2018. [Online]. Available: https://blogs.cisco.com/security/talos/gozi-isfb-remains-active-in-2018
[30] M. Garnaeva, F. Sinitsyn, Y. Namestnikov, D. Makrushin, and A. Liskin,“Kaspersky Security Bulletin: Overall Statistics for 2016,” p. 31,2016. [Online]. Available: https://kasperskycontenthub.com/securelist/files/2016/12/Kaspersky_Security_Bulletin_2016_Statistics_ENG.pdf
[31] A. Mohanta, A. Saldanha, and P. Kimayong, “The Gozi Sleeper Cell,”2018.
[32] C. Weller, “CyberSecurity in 120 Secs_ The Comeback of GoziMalware,” 2016. [Online]. Available: https://blog.ensilo.com/cyber-security-in-120-secs-the-comeback-of-gozi-malware
[33] M.-E. M. Léveillé, “TorrentLocker,” ESET, Tech. Rep., 2014. [Online].Available: http://www.welivesecurity.com/wp-content/uploads/2014/12/torrent_locker.pdf
[34] M.-E. M.Léveillé, “TorrentLocker: Crypto-ransomware stillactive, using same tactics,” 2016. [Online]. Avail-able: https://www.welivesecurity.com/2016/09/01/torrentlocker-crypto-ransomware-still-active-using-tactics/
[35] J. M. Kambic, “Extracting CNG TLS/SSL Artifacts from LSASSMemory,” 2016.
