טכניון מכון טכנולוגי לישראל
הטכניון מכון טכנולוגי לישראל - בית הספר ללימודי מוסמכים  
M.Sc Thesis
M.Sc StudentNachum Shay
SubjectDetection in the Dark-Exploiting XSS Vulnerability in C&C
Panels to Detect Malwares
DepartmentDepartment of Industrial Engineering and Management
Supervisors Professor Assaf Schuster
Dr. Opher Etzion
Full Thesis textFull thesis text - English Version


Abstract

Numerous defense techniques exist for preventing and detecting malware on end stations and servers (endpoints). Although these techniques are widely deployed on enterprise networks, many types of malware manage to stay under the radar, executing their malicious actions time and again. Therefore, a more creative and effective solution is necessary, especially as classic threat detection techniques do not utilize all stages of the attack kill chain and focus on unique attributes or specific behavior in their attempt to detect malicious behavior on endpoints.


In this study, we propose a novel approach for detecting malware. Our approach uses offensive and defensive techniques for detecting active malware attacks by exploiting the vulnerabilities of their command and control panels. Our technique manipulates significant values on endpoints and utilize the trusted communication between the panel and the infected machine in order to attack command and control servers of the attacker.

In contrast to classic detection techniques, our approach focuses on goals and objectives of malware programs, hence it is able to detect unknown live malware. This approach was implemented in a Proof-of-Concept tool (PoC) that was tested on 3 different malwares (MegalodonHTTP, Dexter and DiamondFox) and succeeded in exploiting their vulnerabilities. The results of our experimentation prove that our innovative detection technique can be used to achieve an extra layer of detection in addition to the classic threat detection techniques exist today.