Posts Tagged ‘research’

Open Position – Senior Researcher (Statistics and Algorithms)

Monday, September 6th, 2010

Damballa’s Research team is always on the hunt for the most talented security researchers on the planet. This week we’re looking to recruit a Senior Researcher within the Statistics and Algorithms team. The role is based in sunny Atlanta.

The job specification is as follows…

Internet security is evolving at an increasingly rapid pace. As the thrust and parry of attack vectors and defensive tactics force technologies to advance, the biggest security threat now facing enterprise organizations lies with botnets and targeted attacks. The Damballa Research team spearheads global threat research and targeted threat detection innovation.

Damballa’s dedicated research team is responsible for threat analysis and detection innovation. From our Internet observation portals, and using the latest investigative technologies to intercept and capture samples, the research team studies the techniques employed by criminal botnet operators to command and control their victim hordes – mapping their spread and evolution – and developing new technologies to both detect and thwart the threat.

As a Senior Research Analyst you would be part of the team responsible for masterminding the core technologies of Damballa’s products – working on advanced pattern detection algorithms, massive data collection and analysis solutions, prototyping new detection systems, and advancing large-scale applications that deliver actionable threat intelligence.

The rapid evolution of the threat means that, as a Senior Researcher, you will perform statistical analysis on massive sets of network-derived data and develop efficient algorithms to distinguish between malicious and benign activity. Source data includes Domain Name Service usage, Internet Protocol network flow records and packet payloads, packed and unpacked forms of software, and other data related to Internet usage.
Collaborating with the marketing and engineering teams, the Senior Researcher will typically need to design and construct analysis tools that automate the extraction of threat intelligence and make it available to the company’s other technologies.

Responsibilities:

  • Development of tools to convert unstructured data to partially- or fully-structured representations
  • Development of tools to process massive sets of data (structured or not) and derive statistical information
  • Development of mathematical and statistical models for distinguishing malicious from benign content or usage
  • Construction and execution of experiments to measure the efficacy and accuracy of algorithms
  • Research into new methods for detecting and reporting botnet activities based on *flow and/or DNS
  • Contribution to research and commercial papers describing the evolving botnet threat

Skills & Experience:

  • Statistical analysis of network traffic (*flow and/or DNS)
  • Development and testing of statistical pattern recognition systems
  • Familiar with malware analysis and dissection techniques

Requirements:

  • PhD in Computer Science, Statistics, Mathematics or Physics – or similar academic pedigree
  • Outstanding understanding of Network and System security
  • Proficient with Unix (Linux preferred) development and production environment
  • Excellent formal communication and presentation skills
  • Published in top tier academic security conferences (e.g. IEEE S&P, USENIX Sec, CCS, RAID, NDSS, ACSAC)

Good news everyone!

Monday, September 8th, 2008

According to a report from Websense, “60 percent of the top 100 most popular Web sites have either hosted or been involved in malicious activity in the first half of 2008.” With the explosion of Web 2.0 sites and the clamoring of users eager to be socially networked, the predators are rising to the surface of the watering hole. When MySpace and Excite become conduits for malicious programs, how does the average Web user know if they’re safe? When your Facebook friends are being impersonated to spread a virus, who do you trust? With such fluid dangers, can we ever find sanctuary online?

It is only natural for the wild things to be where the prey romps, so using popular sites for malware propagation is a logical shift. This is by no means a sign of abandonment for the other areas of malware permeation. Don’t think your inbox is going to be spam free anytime soon. The malicious software creators are still tossing out plenty of email chum. With a focus on social engineering, the clicking temptation here is essentially no different, but somehow the same bloody bait seems less suspect in the dumping grounds of user-generated content and masked sources.

People are mostly aware of the general risks they take by getting online, and Internet users in the past few years have become either smart or scared, installing AV software or limiting their explorative curiosity. What do they have in common? Their computers are both laden with malware. Like children at the playground, we start fearless and then we get hurt. Then we’re cautious, and still we get hurt. At this point we can become hermits or weave a delusionary safety net and “keep on truckin.” (1980s mud flaps continue to yield insight and quality advice for every situation. If you don’t think that’s true, “Back off!”) Both the timid and the wise can manage to stay out of trouble in real life, but when online the playing field is leveled. Why is being attacked through a website so blindsiding?

There is an idea of transitive trust mentioned in the Websense report where people believe all the content on a site they trust is also trustworthy. This is possibly why people are lowering their guards. Perhaps people are of the mindset that if the site is not in the Internet alleyways with porn and illegal activity it can’t be dangerous. Maybe there is a sense of safety in numbers and a well known and widely used site must have better protection for its users. Unfortunately, no site is impenetrable and if there is an exploit open, someone is taking advantage of it. The Internet best practices safety manual is slimming. In the near future it may just be a general safety advisory, “stay off the Internet to stay free of infection.” However, in the presence of opportunity, as in other arenas, abstinence is just a theory.

- Matt Sully, Damballa Researcher

Russia-Georgia Cyber War

Monday, August 18th, 2008

The recent war between Russia and Georgia is being fought in cyberspace as well as with more traditional weapons such as bombs and guns. While the Russians have DDoS’ed the websites of the Georgian government, the Georgians themselves have retaliated and attacked South Ossetian news outlets and stopgeorgia.ru, the main site coordinating the Russian DDoS campaign.

The cyber warfare surrounding the recent Russia-Georgia conflict is of particular interest to computer security researchers due to its unique nature. During this conflict, ordinary citizens could download a point-and-click DoS tool from www.stopgeorgia.ru (which interestingly enough is itself a pirated version of a commercial DoS tool. Is there no honor among criminals?) and join the coordinated effort to DoS a continually updated list of Georgian government websites.

These like-minded individuals form what amounts to a volunteer botnet, with potentially considerable bandwidth. Whereas in times past politically motivated attacks were the domain of dedicated hacktivists, the citizen-DDoS-army is a recent phenomenon, but one that has played a large part in recent DDoS attacks. Such attacks include the Chinese DDoS on CNN, the Russian DDoS on Estonian websites, and now the Russia-Georgia conflict.

With few potential repercussions (What government would want to prosecute its most ardent supporters?), the great ease of joining (don’t have to leave your seat), and real effects (the enemy government goes offline) such attacks are very attractive to angry civilians. I expect that future conflicts will continue to have a larger cyber warfare component, with ordinary citizens — and their bandwidth — becoming an increasingly utilized weapon.

- Artem Dinaburg, Damballa Researcher

Racing to Zero

Monday, August 11th, 2008

Last Friday Artem and I competed in Race to Zero at DefCon 16, using a custom packer we designed and developed for the contest. While designing the packer, we discovered that generic detection heuristics in AV tools make it difficult to create effective packers using traditional approaches. As an example, try simply adding an empty section to Microsoft Notepad and submitting the modified executable to VirusTotal – multiple AV tools will erroneously flag it as generic malware.

As an alternative, Artem architected a packer that places obfuscated malware inside a benign executable. The resulting packer – ZeroPack – uses Quickman, an open source fractal visualization tool. During compilation of the modified Quickman, the XOR-obfuscated malware instance and its corresponding one-time pad are inserted as binary resources. When a ZeroPack-obfuscated malware instance is executed, fractals are generated and visualized, then unpacking begins.

During unpacking another Quickman process is created in a suspended state and its in-memory image is overwritten with that of the obfuscated malware. A byte-by-byte deobfuscation is then performed, wherein a byte read from the one-time pad is used to XOR a corresponding location of the obfuscated malware’s in-memory image. When the transformation completes, the second Quickman process (containing the now-deobfuscated malware instance) is unsuspended.

Using ZeroPack, Artem and I completed Race to Zero in 2 hours, 25 minutes. We won the “Dirtiest Hack” category (for launching Office on malicious MS Word documents a modified ZeroPack would spit out) and finished second overall. We have also subsequently tested it with samples from our research malware corpus: any sample we obfuscate with ZeroPack and upload to VirusTotal gets 0/32 detections.

In closing, Danny Quist of OC was right when he called Race to Zero a “Golden Opportunity for the Antivirus Industry.” With the mainstream public starting to learn about the waning efficacy of traditional AV approaches, the time for AV companies to begin moving to the tune of a different drum is now.

- Paul Royal, Damballa Principal Researcher
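The remark in the Race to Zero post that merely appending an empty section to Notepad is enough for several AV generic heuristics to flag it can be reproduced with a few lines of header parsing. The Python below is an added example, not code from the post or from Damballa: it walks a PE file's section table and reports sections that carry neither raw data nor a virtual size, which is one plausible shape for such an "empty section" heuristic (an assumption about the heuristic, not any vendor's actual rule). The PE images it checks are constructed in-script from headers only, so it runs offline; pass a real file's bytes to `empty_sections` to check an actual binary.

```python
"""Minimal PE section-table walker that flags "empty" sections.

Added illustration of the AV heuristic mentioned in the post; the exact
rule (raw size 0 and virtual size 0) is an assumption, not a vendor's rule.
"""
import struct

SECTION_HEADER_SIZE = 40  # sizeof(IMAGE_SECTION_HEADER)
COFF_HEADER_SIZE = 20     # sizeof(IMAGE_FILE_HEADER)


def parse_sections(pe: bytes):
    """Walk the PE section table.

    Returns a list of (name, virtual_size, virtual_address, raw_size,
    raw_pointer, characteristics) tuples, one per section header."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + COFF_HEADER_SIZE + opt_size
    sections = []
    for i in range(nsections):
        off = table + i * SECTION_HEADER_SIZE
        # IMAGE_SECTION_HEADER layout, 40 bytes
        (name, vsize, vaddr, rawsize, rawptr,
         _relocs, _lines, _nrelocs, _nlines, flags) = struct.unpack_from("<8sIIIIIIHHI", pe, off)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         vsize, vaddr, rawsize, rawptr, flags))
    return sections


def empty_sections(pe: bytes):
    """Names of sections with neither raw data nor a virtual footprint.

    One plausible form of the "empty section" heuristic (assumed here)."""
    return [name for name, vsize, _, rawsize, _, _ in parse_sections(pe)
            if rawsize == 0 and vsize == 0]


def build_pe(sections):
    """Construct a header-only PE image for testing (constructed sample).

    Only the fields parse_sections reads are meaningful; there is no
    optional header (SizeOfOptionalHeader = 0) and no section data."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, flags)
        for name, vsize, vaddr, rawsize, rawptr, flags in sections)
    return bytes(dos) + b"PE\0\0" + coff + table


# Constructed samples: a plausible benign layout, and the same layout with
# an appended empty section (the Notepad experiment from the post).
NORMAL = build_pe([
    (b".text", 0x1000, 0x1000, 0x1000, 0x400, 0x60000020),
    (b".data", 0x200, 0x2000, 0x200, 0x1400, 0xC0000040),
])
WITH_EMPTY = build_pe([
    (b".text", 0x1000, 0x1000, 0x1000, 0x400, 0x60000020),
    (b".data", 0x200, 0x2000, 0x200, 0x1400, 0xC0000040),
    (b".junk", 0, 0x3000, 0, 0, 0x40000040),
])

if __name__ == "__main__":
    for label, blob in (("benign layout", NORMAL), ("benign + empty section", WITH_EMPTY)):
        flagged = empty_sections(blob)
        print(f"{label}: empty sections = {flagged or 'none'}")
```

Note that the heuristic fires on the second image even though its code and data sections are identical to the first; that is exactly the false positive the post describes, and it is why a structural oddity alone is weak evidence of maliciousness and needs to be weighed with other signals.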