M. Zubair Rafique

Homepage: http://zubair.wordpress.com

[NDSS 2016] It’s Free for a Reason: Exploring the Ecosystem of Free Live Streaming Services

Abstract: Recent years have seen extensive growth of services enabling free broadcasts of live streams on the Web. Free live streaming (FLIS) services attract millions of viewers and make heavy use of deceptive advertisements. Despite the immense popularity of these services, little is known about the parties that facilitate them and maintain webpages that index links for free viewership.

Coverage: WashingtonTimes, BBC, Fortune, Wired, ITProPortal, TechWeekEurope, BoxCryptor, Anonymous, Trusted Reviews, Advanced Television, After Dawn, Dream Team FC, Anonymous Headquarter, KU-Leuven

Clarification on media quoting me:

“[To watch the stream] users are typically asked (or lured) to install the browser extensions, and once the user installs the extension, it can potentially change any website inside the computer browser (e.g., through ad injection etc.).

So, if a person installs an extension while watching a stream, and then visits a site like BBC.com (or any other site), these extensions can potentially change the contents of BBC.com *in the user browser* and can include malicious links.”

INVITE of Death and Network Dialog Minimization (New Vulnerability in VoIP Server)

Network dialog minimization is the following problem: given an original dialog that satisfies a goal, produce a minimized dialog comprising the smallest subset of the original dialog that, when replayed, still achieves the same goal. In essence, the minimized dialog provides a shortcut to the goal, removing all connections and messages in the original dialog that are unrelated to it. A minimized dialog makes it possible to understand which parts of a dialog really matter for the goal (e.g., which messages and fields are really required to exploit a network server) without expensive code analysis. We use our dialog minimization technique to replay an INVITE of Death attack on the OpenSBC SIP server. The minimization reveals another, previously unknown, attack on the OpenSBC server, OSVDB 86607. The attack input is shown in the figure below.

Figure 1: New VoIP vulnerability (attack input)

Experiment: To obtain the original dialog we deploy a test OpenSBC server, configured in UDP stateful proxying mode without authentication, and use SIPp to simulate both a SIP user agent client (UAC) and a SIP user agent server (UAS). Then, we run the available attack tool against the test server, producing an attack trace that contains the INVITE of Death packet.

Figure: SIP dialog

New Vulnerability: The 3-level minimization shows that a single 74-byte SIP INVITE request suffices to crash the server (Figure 1). However, the minimized input does not contain the Via header, whose flawed processing created the original vulnerability (a.k.a. the INVITE of Death). Replaying the minimized input against a version of OpenSBC that patches the original vulnerability still crashes the server. We have reported the new vulnerability to the OpenSBC author, who has confirmed that it corresponds to a null-pointer dereference in the parser. Details of the vulnerability can be found here. This example illustrates that dialog minimization is useful for capturing the essential constraints needed to reach and exercise a vulnerability, without expensive code analysis.

Conclusion: Dialog minimization and replay is a useful capability in vulnerability analysis. Minimizing a network attack dialog makes it possible to understand the conditions leading to exploitation without expensive code inspection, and the minimized dialog can be used as an exploit signature. Furthermore, minimization is fundamental for isolating the real attack when the input is a network trace (e.g., captured at an IDS) that contains an attack on a vulnerability together with a lot of other traffic unrelated to the attack. In this case we applied our network dialog minimization technique to minimize an attack on the OpenSBC SIP server. More details on dialog minimization and its different security applications can be found here.
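The minimization procedure described above, as an added Python example that is not the authors' tool: a delta debugging (ddmin) routine is applied at two levels, first to whole messages and then to the individual lines inside each surviving message, with the goal re-checked after every cut. The goal oracle here is a constructed stand-in for "replay the dialog against a test server and observe the outcome"; it reports the goal as reached when an INVITE carrying both To and From headers is present, so everything else in the trace is noise. The SIP-like trace is constructed as well, and the paper's third minimization level (connections) and its real goal (a server crash) are not reproduced.

```python
"""Network dialog minimization with delta debugging (constructed example).

A dialog is a list of messages; each message is a list of lines (request line
followed by header lines). The goal oracle stands in for "replay the dialog
against a test server and check whether the goal was reached".
"""


def split(items, n):
    """Split items into at most n contiguous, non-empty chunks of near-equal size."""
    size, rem = divmod(len(items), n)
    chunks, start = [], 0
    for i in range(n):
        end = start + size + (1 if i < rem else 0)
        if end > start:
            chunks.append(items[start:end])
        start = end
    return chunks


def ddmin(items, goal):
    """Zeller's ddmin: return a 1-minimal subsequence of items that still
    satisfies goal (removing any single remaining element breaks the goal)."""
    if not goal(items):
        raise ValueError("the original input must already reach the goal")
    n = 2
    while len(items) >= 2:
        chunks = split(items, n)
        reduced = False
        for chunk in chunks:                      # try each chunk on its own
            if goal(chunk):
                items, n, reduced = chunk, 2, True
                break
        if not reduced:                           # try removing each chunk
            for k in range(len(chunks)):
                rest = [x for j, c in enumerate(chunks) if j != k for x in c]
                if goal(rest):
                    items, n, reduced = rest, max(n - 1, 2), True
                    break
        if not reduced:
            if n >= len(items):
                break                             # granularity exhausted
            n = min(len(items), 2 * n)
    return items


def minimize_dialog(dialog, goal):
    """Two-level minimization: drop whole messages first, then drop individual
    lines inside each surviving message, re-checking the goal after each cut."""
    messages = ddmin(dialog, goal)
    result = list(messages)
    for i, msg in enumerate(messages):
        def keeps_goal(lines, i=i):
            return goal(result[:i] + [lines] + result[i + 1:])
        result[i] = ddmin(msg, keeps_goal)
    return result


def toy_server_reaches_ringing(dialog):
    """Constructed oracle: the toy 'server' answers 180 Ringing only when it
    sees an INVITE that carries both To and From headers."""
    for msg in dialog:
        if not msg or not msg[0].startswith("INVITE "):
            continue
        names = {line.split(":", 1)[0].strip().lower() for line in msg[1:] if ":" in line}
        if {"to", "from"} <= names:
            return True
    return False


# Constructed SIP-like trace: an OPTIONS probe, a REGISTER, the INVITE, ACK and BYE.
ORIGINAL_DIALOG = [
    ["OPTIONS sip:proxy.example.com SIP/2.0", "Via: SIP/2.0/UDP 10.0.0.1:5060",
     "From: <sip:alice@example.com>", "To: <sip:proxy.example.com>", "Max-Forwards: 70"],
    ["REGISTER sip:example.com SIP/2.0", "Via: SIP/2.0/UDP 10.0.0.1:5060",
     "From: <sip:alice@example.com>", "To: <sip:alice@example.com>",
     "Contact: <sip:alice@10.0.0.1>", "Expires: 3600"],
    ["INVITE sip:bob@example.com SIP/2.0", "Via: SIP/2.0/UDP 10.0.0.1:5060;branch=z9hG4bK776",
     "Max-Forwards: 70", "From: <sip:alice@example.com>;tag=1928301774",
     "To: <sip:bob@example.com>", "Call-ID: a84b4c76e66710", "CSeq: 314159 INVITE",
     "Contact: <sip:alice@10.0.0.1>", "Content-Length: 0"],
    ["ACK sip:bob@example.com SIP/2.0", "Via: SIP/2.0/UDP 10.0.0.1:5060;branch=z9hG4bK777",
     "From: <sip:alice@example.com>;tag=1928301774", "To: <sip:bob@example.com>",
     "Call-ID: a84b4c76e66710", "CSeq: 314159 ACK"],
    ["BYE sip:bob@example.com SIP/2.0", "Via: SIP/2.0/UDP 10.0.0.1:5060;branch=z9hG4bK778",
     "From: <sip:alice@example.com>;tag=1928301774", "To: <sip:bob@example.com>",
     "Call-ID: a84b4c76e66710", "CSeq: 314160 BYE"],
]

if __name__ == "__main__":
    for msg in minimize_dialog(ORIGINAL_DIALOG, toy_server_reaches_ringing):
        print("\n".join(msg))
```

Of the five messages and nine INVITE header lines, only the INVITE request line and its To and From headers survive, which is exactly the kind of "essential constraints" answer the minimization is meant to produce. Each oracle call is one replay, so the number of calls (bounded by ddmin's worst case of O(n^2) tests) is the cost to watch when the oracle is a real server.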

BibTex

@inproceedings{ndm,
author = {M. Zubair Rafique and Juan Caballero and Christophe Huygens and Wouter Joosen},
title = {{Network Dialog Minimization and Network Dialog Diffing: Two Novel Primitives for Network Security Applications}},
booktitle = {Proceedings of the 2014 Annual Computer Security Applications Conference},
address = {New Orleans, LA},
month = {December},
year = {2014},
}

[ACSAC 2014] Network Dialog Minimization and Network Dialog Diffing: Two Novel Primitives for Network Security Applications

In this work, we present two fundamental primitives for network security: network dialog minimization and network dialog diffing. Network dialog minimization (NDM) simplifies an original dialog with respect to a goal, so that the minimized dialog when replayed still achieves the goal, but requires minimal network communication, achieving significant time and bandwidth savings. We present network delta debugging, the first technique to solve NDM. Network dialog diffing compares two dialogs, aligns them, and identifies their common and different parts. We propose a novel dialog diffing technique that aligns two dialogs by finding a mapping that maximizes similarity.
We have applied our techniques to 5 applications. We apply our dialog minimization approach for: building drive-by download milkers for 9 exploit kits, integrating them in an infrastructure that has collected over 14,000 malware samples running from a single machine; efficiently measuring the percentage of popular sites that allow cookie replay, finding that 31% do not destroy the server-side state when a user logs out and that 17% provide cookies that live over a month; simplifying a cumbersome user interface, saving our institution 3 hours of time per employee per year; and finding a new vulnerability in a SIP server. We apply our dialog diffing approach for clustering benign (F-Measure = 100%) and malicious (F-Measure = 87.6%) dialogs.
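Dialog diffing as an added Python example, not the paper's algorithm: two dialogs (lists of messages, each a list of lines) are aligned by a standard dynamic-programming global alignment that maximizes the summed similarity of matched message pairs, and the messages left unmatched on either side are reported as the different parts. The per-message similarity is a constructed choice (zero for different request methods, otherwise the Jaccard index of the header-name sets), as are both sample dialogs and the 0.5 match threshold.

```python
"""Network dialog diffing by alignment (constructed example).

Each dialog is a list of messages; each message is a list of lines (request
line, then header lines). The alignment maximizes total pairwise similarity;
matched pairs are the common parts, unmatched messages the different parts.
"""


def message_similarity(a, b):
    """Constructed per-message similarity: 0 for different methods, otherwise
    the Jaccard index of the two header-name sets (1.0 for identical sets)."""
    if a[0].split(" ", 1)[0] != b[0].split(" ", 1)[0]:
        return 0.0
    names_a = {line.split(":", 1)[0].strip().lower() for line in a[1:] if ":" in line}
    names_b = {line.split(":", 1)[0].strip().lower() for line in b[1:] if ":" in line}
    if not names_a and not names_b:
        return 1.0
    return len(names_a & names_b) / len(names_a | names_b)


def align_dialogs(d1, d2, sim=message_similarity, threshold=0.5):
    """Global alignment (Needleman-Wunsch style, gap score 0) maximizing the
    total similarity of matched pairs; pairs below threshold are never matched.
    Returns (matched, only_in_d1, only_in_d2); matched holds (i, j, similarity)."""
    n, m = len(d1), len(d2)
    gain = [[sim(d1[i], d2[j]) for j in range(m)] for i in range(n)]
    score = [[0.0] * (m + 1) for _ in range(n + 1)]
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            g = gain[i - 1][j - 1]
            s = g if g >= threshold else 0.0
            score[i][j] = max(score[i - 1][j - 1] + s, score[i - 1][j], score[i][j - 1])
    matched, only_a, only_b = [], [], []
    i, j = n, m
    while i > 0 or j > 0:                           # trace the optimal path back
        if (i > 0 and j > 0 and gain[i - 1][j - 1] >= threshold
                and score[i][j] == score[i - 1][j - 1] + gain[i - 1][j - 1]):
            matched.append((i - 1, j - 1, gain[i - 1][j - 1]))
            i, j = i - 1, j - 1
        elif i > 0 and score[i][j] == score[i - 1][j]:
            only_a.append(i - 1)                    # message of d1 with no partner
            i -= 1
        else:
            only_b.append(j - 1)                    # message of d2 with no partner
            j -= 1
    return matched[::-1], only_a[::-1], only_b[::-1]


# Constructed dialogs: same call flow, different setup message and one extra INVITE header.
DIALOG_A = [
    ["REGISTER sip:example.com SIP/2.0", "Via: SIP/2.0/UDP 10.0.0.1:5060",
     "From: <sip:alice@example.com>", "To: <sip:alice@example.com>", "Expires: 3600"],
    ["INVITE sip:bob@example.com SIP/2.0", "Via: SIP/2.0/UDP 10.0.0.1:5060",
     "From: <sip:alice@example.com>", "To: <sip:bob@example.com>",
     "Call-ID: a84b4c76e66710", "CSeq: 1 INVITE", "Contact: <sip:alice@10.0.0.1>"],
    ["ACK sip:bob@example.com SIP/2.0", "Via: SIP/2.0/UDP 10.0.0.1:5060",
     "From: <sip:alice@example.com>", "To: <sip:bob@example.com>", "CSeq: 1 ACK"],
    ["BYE sip:bob@example.com SIP/2.0", "Via: SIP/2.0/UDP 10.0.0.1:5060",
     "From: <sip:alice@example.com>", "To: <sip:bob@example.com>", "CSeq: 2 BYE"],
]
DIALOG_B = [
    ["OPTIONS sip:proxy.example.com SIP/2.0", "Via: SIP/2.0/UDP 10.0.0.2:5060",
     "From: <sip:carol@example.com>", "To: <sip:proxy.example.com>"],
    ["INVITE sip:bob@example.com SIP/2.0", "Via: SIP/2.0/UDP 10.0.0.2:5060",
     "From: <sip:carol@example.com>", "To: <sip:bob@example.com>",
     "Call-ID: 9f0c2d1e3b4a", "CSeq: 1 INVITE"],
    ["ACK sip:bob@example.com SIP/2.0", "Via: SIP/2.0/UDP 10.0.0.2:5060",
     "From: <sip:carol@example.com>", "To: <sip:bob@example.com>", "CSeq: 1 ACK"],
    ["BYE sip:bob@example.com SIP/2.0", "Via: SIP/2.0/UDP 10.0.0.2:5060",
     "From: <sip:carol@example.com>", "To: <sip:bob@example.com>", "CSeq: 2 BYE"],
]

if __name__ == "__main__":
    matched, only_a, only_b = align_dialogs(DIALOG_A, DIALOG_B)
    for i, j, s in matched:
        print(f"A[{i}] ~ B[{j}]  similarity={s:.2f}  ({DIALOG_A[i][0].split()[0]})")
    print("only in A:", [DIALOG_A[i][0] for i in only_a])
    print("only in B:", [DIALOG_B[j][0] for j in only_b])
```

The INVITE/ACK/BYE exchange is recognised as common structure even though header values (addresses, Call-IDs, branches) differ on every line, because the similarity deliberately looks at header names rather than values; the REGISTER and OPTIONS messages are reported as the differing parts. A per-dialog similarity score can then be read off the alignment (for instance the total matched similarity divided by the longer dialog's length) and fed to a clustering step.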

BibTex

@inproceedings{ndm,
author = {M. Zubair Rafique and Juan Caballero and Christophe Huygens and Wouter Joosen},
title = {{Network Dialog Minimization and Network Dialog Diffing: Two Novel Primitives for Network Security Applications}},
booktitle = {Proceedings of the 2014 Annual Computer Security Applications Conference},
address = {New Orleans, LA},
month = {December},
year = {2014},
}

[GECCO 2014] Evolutionary Algorithms for Classification of Malware Families through Different Network Behaviors

[RAID 2013] FIRMA: Malware Clustering and Network Signature Generation with Mixed Network Behaviors.

The ever-increasing number of malware families and polymorphic variants creates a pressing need for automatic tools to cluster the collected malware into families and generate behavioral signatures for their detection. Among these, network traffic is a powerful behavioral signature, and network signatures are widely used by network administrators. In this paper we present FIRMA, a tool that, given a large pool of network traffic obtained by executing unlabeled malware binaries, generates a clustering of the malware binaries into families and a set of network signatures for each family. Compared with prior tools, FIRMA produces network signatures for each of the network behaviors of a family, regardless of the type of traffic the malware uses (e.g., HTTP, IRC, SMTP, TCP, UDP). We have implemented FIRMA and evaluated it on two recent datasets comprising nearly 16,000 unique malware binaries. Our results show that FIRMA’s clustering has very high precision (100% on a labeled dataset) and recall (97.7%). We compare FIRMA’s signatures with manually generated ones, showing that they are as good (often better), while generated in a fraction of the time.

Some Reviews: ICT-Networks
