Carrillo-Mondéjar, Javier; Rodríguez, Ricardo J.
Identifying Runtime Libraries in Statically Linked Linux Binaries (Journal Article)
In: Future Generation Computer Systems, vol. 164, pp. 107602, 2025, ISSN: 0167-739X.
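@article{CarrilloR-FGCS-25,
  author    = {Carrillo-Mondéjar, Javier and Rodríguez, Ricardo J.},
  title     = {Identifying Runtime Libraries in Statically Linked {Linux} Binaries},
  journal   = {Future Generation Computer Systems},
  volume    = {164},
  pages     = {107602},
  year      = {2025},
  issn      = {0167-739X},
  doi       = {10.1016/j.future.2024.107602},
  url       = {http://webdiis.unizar.es/~ricardo/files/papers/CarrilloR-FGCS-25.pdf},
  abstract  = {Vulnerabilities in unpatched applications can originate from third-party dependencies in statically linked applications, as they must be relinked each time to take advantage of libraries that have been updated to fix any vulnerability. Despite this, malware binaries are often statically linked to ensure they run on target platforms and to complicate malware analysis. In this sense, identification of libraries in malware analysis becomes crucial to help filter out those library functions and focus on malware function analysis. In this paper, we introduce MANTILLA, a system for identifying runtime libraries in statically linked Linux-based binaries. Our system is based on radare2 to identify functions and extract their features (independent of the underlying architecture of the binary) through static binary analysis and on the K-nearest neighbors supervised machine learning model and a majority rule to predict final values. MANTILLA is evaluated on a dataset consisting of binaries built for different architectures (MIPSeb, ARMel, Intel x86, and Intel x86-64) and different runtime libraries (uClibc, glibc, and musl), achieving very high accuracy. We also evaluate it in two case studies. First, using a dataset of binary files belonging to the binutils collection and second, using an IoT malware dataset. In both cases, good accuracy results are obtained both in terms of runtime library detection ($94.4\%$ and $95.5\%$, respectively) and architecture identification ($100\%$ and $98.6\%$, respectively).},
  keywords  = {Binary code analysis, IoT, malware, Runtime library identification, Statically linked binaries},
  pubstate  = {published},
  tppubtype = {article},
}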
Martín-Pérez, Miguel; Rodríguez, Ricardo J
Quantifying Paging on Recoverable Data from Windows User-Space Modules (Proceedings Article)
In: Proceedings of the 12th EAI International Conference on Digital Forensics & Cyber Crime, Springer, 2021, (Accepted for publication. To appear).
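@inproceedings{MR-ICDF2C-21,
  author        = {Martín-Pérez, Miguel and Rodríguez, Ricardo J.},
  title         = {Quantifying Paging on Recoverable Data from {Windows} User-Space Modules},
  booktitle     = {Proceedings of the 12th {EAI} International Conference on Digital Forensics \& Cyber Crime},
  publisher     = {Springer},
  year          = {2021},
  note          = {Accepted for publication. To appear},
  url           = {https://webdiis.unizar.es/~ricardo/files/papers/MR-ICDF2C-21.pdf},
  abstract      = {Memory forensic analysis enables a forensic examiner to retrieve evidence of a security incident, such as encryption keys, or analyze malware that resides solely in memory. During this process, the current state of system memory is acquired and saved to a file denoted as memory dump, which is then analyzed with dedicated software for evidence. Although a memory dump contains large amounts of data for analysis, its content can be inaccurate and incomplete due to how an operating system's memory management subsystem works: page swapping, on-demand paging, or page smearing are some of the problems that can affect the data that resides in memory. In this paper, we evaluate how these issues affect user-mode modules by measuring the ratio of modules that reside in memory on a Windows 10 system under different memory workloads. On Windows, a module represents an image (that is, an executable, shared dynamic library, or driver) that was loaded as part of the kernel or a user-mode process. We show that this ratio is particularly low in shared dynamic library modules, as opposed to executable modules. We also discuss the issues of memory forensics that can affect scanning for malicious evidences in particular. Additionally, we have developed a Volatility plugin, dubbed pluginName, which helps forensic analysts obtain paging information from a memory dump for each process running at the time of acquisition, providing them with information on the amount of data that cannot be properly analyzed.},
  keywords      = {digital forensics, malware, memory forensics, paging, Windows modules},
  pubstate      = {published},
  tppubtype     = {inproceedings},
  internal-note = {abstract still contains the unfilled placeholder pluginName, and note (to appear) contradicts pubstate (published); reconcile against the final version, adding pages/doi/series if available},
}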
Selvi, Jose; Rodríguez, Ricardo J; Soria-Olivas, Emilio
Towards Optimal LSTM Neural Networks for Detecting Algorithmically Generated Domain Names (Journal Article)
In: IEEE Access, vol. 9, pp. 126446–126456, 2021.
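@article{SRS-ACCESS-21,
  author    = {Selvi, Jose and Rodríguez, Ricardo J. and Soria-Olivas, Emilio},
  title     = {Towards Optimal {LSTM} Neural Networks for Detecting Algorithmically Generated Domain Names},
  journal   = {IEEE Access},
  volume    = {9},
  pages     = {126446--126456},
  year      = {2021},
  doi       = {10.1109/ACCESS.2021.3111307},
  url       = {http://webdiis.unizar.es/~ricardo/files/papers/SRS-ACCESS-21.pdf},
  urldate   = {2021-01-01},
  abstract  = {Malware detection is a problem that has become particularly challenging over the last decade. A common strategy for detecting malware is to scan network traffic for malicious connections between infected devices and their command and control (C\&C) servers. However, malware developers are aware of this detection method and begin to incorporate new strategies to go unnoticed. In particular, they generate domain names instead of using static Internet Protocol addresses or regular domain names pointing to their C\&C servers. By using a domain generation algorithm, the effectiveness of the blacklisting of domains is reduced, as the large number of domain names that must be blocked greatly increases the size of the blacklist. In this paper, we study different Long Short-Term Memory neural network hyperparameters to find the best network configuration for algorithmically generated domain name detection. In particular, we focus on determining whether the (complex) feature engineering efforts required when using other deep learning techniques, such as Random Forest, can be avoided. In this regard, we have conducted a comparative analysis to study the effect of using different network sizes and configurations on network performance metrics. Our results show an accuracy of 97.62\% and an area under the receiver operating characteristic curve of 0.9956 in the test dataset, indicating that it is possible to obtain good classification results despite avoiding the feature engineering process and additional readjustments required in other machine learning techniques.},
  keywords  = {deep learning, domain generation algorithms, LSTM, malware},
  pubstate  = {published},
  tppubtype = {article},
}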
Selvi, Jose; Rodríguez, Ricardo J; Soria-Olivas, Emilio
Detection of Algorithmically Generated Malicious Domain Names using Masked N-Grams (Journal Article)
In: Expert Systems with Applications, vol. 124, pp. 156–163, 2019, ISSN: 0957-4174.
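@article{SRS-ESWA-19,
  author    = {Selvi, Jose and Rodríguez, Ricardo J. and Soria-Olivas, Emilio},
  title     = {Detection of Algorithmically Generated Malicious Domain Names Using Masked {N-Grams}},
  journal   = {Expert Systems with Applications},
  volume    = {124},
  pages     = {156--163},
  year      = {2019},
  issn      = {0957-4174},
  doi       = {10.1016/j.eswa.2019.01.050},
  url       = {http://webdiis.unizar.es/~ricardo/files/papers/SRS-ESWA-19.pdf},
  abstract  = {Malware detection is a challenge that has increased in complexity in the last few years. A widely adopted strategy is to detect malware by means of analyzing network traffic, capturing the communications with their command and control (C\&C) servers. However, some malware families have shifted to a stealthier communication strategy, since anti-malware companies maintain blacklists of known malicious locations. Instead of using static IP addresses or domain names, they algorithmically generate domain names that may host their C\&C servers. Hence, blacklist approaches become ineffective since the number of domain names to block is large and varies from time to time. In this paper, we introduce a machine learning approach using Random Forest that relies on purely lexical features of the domain names to detect algorithmically generated domains. In particular, we propose using masked N-grams, together with other statistics obtained from the domain name. Furthermore, we provide a dataset built for experimentation that contains regular and algorithmically generated domain names, coming from different malware families. We also classify these families according to their type of domain generation algorithm. Our findings show that masked N-grams provide detection accuracy that is comparable to that of other existing techniques, but with much better performance.},
  keywords  = {Domain-generated algorithms, malware, Random Forest},
  pubstate  = {published},
  tppubtype = {article},
}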
Uroz, Daniel; Rodríguez, Ricardo J
Characteristics and Detectability of Windows Auto-Start Extensibility Points in Memory Forensics (Journal Article)
In: Digital Investigation, vol. 28, pp. S95–S104, 2019, ISSN: 1742-2876.
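@article{UR-DIIN-19,
  author    = {Uroz, Daniel and Rodríguez, Ricardo J.},
  title     = {Characteristics and Detectability of {Windows} {Auto-Start Extensibility Points} in Memory Forensics},
  journal   = {Digital Investigation},
  volume    = {28},
  pages     = {S95--S104},
  year      = {2019},
  issn      = {1742-2876},
  doi       = {10.1016/j.diin.2019.01.026},
  url       = {http://webdiis.unizar.es/~ricardo/files/papers/UR-DIIN-19.pdf},
  abstract  = {Computer forensics is performed during a security incident response process on disk devices or on the memory of the compromised system. The latter case, known as memory forensics, consists in dumping the memory to a file and analyzing it with the appropriate tools. Many security incidents are caused by malware that targets and persists as long as possible in a Windows system within an organization. The persistence is achieved using Auto-Start Extensibility Points (ASEPs), the subset of OS and application extensibility points that allow a program to auto-start without any explicit user invocation. In this paper, we propose a taxonomy of the Windows ASEPs, considering the features that are used or abused by malware to achieve persistence. This taxonomy splits into four categories: system persistence mechanisms, program loader abuse, application abuse, and system behavior abuse. We detail the characteristics of each extensibility point (namely, write permissions, execution privileges, detectability in memory forensics, freshness of system requirements, and execution and configuration scopes). Many of these ASEPs rely on the Windows Registry. We also introduce the tool Winesap, a Volatility plugin that analyzes the registry-based Windows ASEPs in a memory dump. Furthermore, we state the order of execution of some of these registry-based extensibility points and evaluate the effectiveness of our tool in memory dumps taken from a Windows OS where extensibility points were used. Winesap was successful in marking all the registry-based Windows ASEPs as suspicious registry keys.},
  keywords  = {Auto-start extensibility points, malware, memory forensics, System persistence, Volatility, Windows registry},
  pubstate  = {published},
  tppubtype = {article},
}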
Rodríguez, Ricardo J
Evolution and Characterization of Point-of-Sale RAM Scraping Malware (Journal Article)
In: Journal in Computer Virology and Hacking Techniques, vol. 13, no. 3, pp. 179–192, 2017, ISSN: 2263-8733.
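@article{R-CVHT-17,
  author    = {Rodríguez, Ricardo J.},
  title     = {Evolution and Characterization of {Point-of-Sale} {RAM} Scraping Malware},
  journal   = {Journal in Computer Virology and Hacking Techniques},
  volume    = {13},
  number    = {3},
  pages     = {179--192},
  year      = {2017},
  issn      = {2263-8733},
  doi       = {10.1007/s11416-016-0280-4},
  url       = {http://webdiis.unizar.es/~ricardo/files/papers/R-CVHT-17.pdf},
  abstract  = {Credit and debit cards are becoming the primary payment method for purchases. These payments are normally performed in merchant's in-store systems as known as Point-of-Sale (POS) systems. Since these systems handle payment card data while processing the customer transactions, they are becoming a primary target for cybercriminals. These data, when remain at memory, are scraped and exfiltrated by specially crafted malicious software named POS RAM scraping malware. In recent years, large data breaches occurred in well-known US retail companies were caused by this kind of malware. In this paper, we study the features of these malware based on their behavior on different stages: infection and persistence, process and data of interest search, and exfiltration. Then, we classify samples of 22 known POS RAM scraping malware families from 2009 to 2015 according to these features. Our findings show these malware are still immature and use well-defined behavioral patterns for data acquirement and exfiltration, which may make their malicious activity easily detectable by process and network monitoring tools.},
  keywords  = {Evolution, malware, POS RAM scraping, Software security, Taxonomy},
  pubstate  = {published},
  tppubtype = {article},
}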
García, Laura; Rodríguez, Ricardo J
A Peek Under the Hood of iOS Malware (Proceedings Article)
In: Proceedings of the 2016 11th International Conference on Availability, Reliability and Security (ARES), pp. 590–598, 2016.
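@inproceedings{GR-WMA-16,
  author    = {García, Laura and Rodríguez, Ricardo J.},
  title     = {A Peek Under the Hood of {iOS} Malware},
  booktitle = {Proceedings of the 2016 11th International Conference on Availability, Reliability and Security ({ARES})},
  pages     = {590--598},
  year      = {2016},
  month     = aug,
  doi       = {10.1109/ARES.2016.15},
  url       = {http://webdiis.unizar.es/~ricardo/files/papers/GR-WMA-16.pdf},
  abstract  = {Malicious software specially crafted to proliferate in mobile platforms are becoming a serious threat, as reported by numerous software security vendors during last years. Android and iOS are nowadays the leaders of mobile OS market share. While malware targeting Android are largely studied, few attention is paid to iOS malware. In this paper, we fill this gap by studying and characterizing malware targeting iOS devices. To this regard, we study the features of iOS malware and classify samples of 36 iOS malware families discovered between 2009 and 2015. We also show the methodology for iOS malware analysis and provide a detailed analysis of a malware sample. Our findings evidence that most of them are distributed out of official markets, target jailbroken iOS devices, and very few exploit any vulnerability.},
  keywords  = {attacks, classification, iOS, malware, threats},
  pubstate  = {published},
  tppubtype = {inproceedings},
}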