Profile picture
, 6 tweets, 2 min read
My Authors
Read all threads
1\ Surprisingly, you could build a very mediocre PE malware detector with a single PE feature: the PE compile timestamp. In fact, I built a little random forest detector that uses only the timestamp as its feature that gets 62% detection on previously unseen malware at a 1% FPR.
2\ The timestamp field poses a low-key problem for attackers. If they leave the compiler-assigned value they reveal telling details. If they assign a concocted value, their tampering can make them easier to detect. Here's an 'allaple' malware set's random, insane timestamps:
3\ Now let's look at a big malware dataset's compile timestamp behavior. Notice the straight horizontal lines. Those are unique polymorphic hashes reusing the *same* compile timestamp month after month. Also, notice the number of insane back-to-the-future timestamps.
4\ In contrast, benign files' timestamp behavior is far more well behaved. That line at 1993 is a special case: Delphi binaries all have that timestamp field setting, regardless of when they were created.
5\ From an ML and signatures perspective, the detection signal here comes from two places: 1) there are exact-match timestamps that allow us to detect entire toolkits and polymorphic families. 2) Pathological timestamps are far more likely to come from malware.
6\ The timestamp field has a non-linear (to say the least) but high mutual information relationship with the bad/good labels. Decision trees are a natural modeling fit here. Here's the ROC curve we get when we fit a random forest detector on just the timestamp feature.
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with Joshua Saxe

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @joshua_saxe see all

Profile picture
Joshua Saxe
@joshua_saxe
1/ Here's a thread on how to build the kind of security artifact "social network" graph popularized by @virustotal and others, but customized, and on your own private security data. Consider the following graph, where the nodes are malware samples:
2/ What you're seeing are relationships between samples from the old Chinese nation-state APT1 malware set provided by @snowfl0w / @Mandiant (fireeye.com/content/dam/fi…). The clusters are samples that appear to share C2, based on the kinds of relationships shown in the image here:
3/ In graph vocab, the object above is known as a "bipartite graph", which has the following structure: there are two sets of nodes, malware samples and domains, and nodes in either set can only connect directly to the *other* set.
Read 10 tweets
Profile picture
Joshua Saxe
@joshua_saxe
Thread on cognitive biases in cybersecurity I've noticed:

Maginot Line: you got breached by an impersonation attack, so you go buy an anti-impersonation solution and assume you're much safer. Sort of like checking people's shoes at the airport.
Survivorship/reporting bias: You treat statistics on breaches that have been reported publicly as representative of the threat landscape, when the most successful breaches go undetected.
Just-world bias / moral luck bias: you believe org X's security failings are uniquely terrible because they got publicly breached, even while other orgs with similar postures (including yours) haven't been breached, simply due to luck.
Read 9 tweets

Related threads

Profile picture
Chris Ihidero
@Chrisihidero
#Random
General answers to a question I get asked all the time:
How do you write a great film story?

a) Create a constantly fascinating character that has a weakness he/she is unaware of. That's your HERO
b) Create another even more constantly fascinating character with a...
a determined view on how the world should be. This view should be in contrast with how your HERO sees the world. This is your VILLAIN, or OPPONENT, as I prefer to call him/her.
c) Create a support cast of characters, make each one the hero of their story.
d) Place all of them in a unique STORY WORLD. This world must be like no other. Your story must seem like it can only exist in this world.
e) Let all of them fight for their beliefs.
f) Fuck shit up consistently with all of them, but your HERO more than any other character.
Read 7 tweets
Profile picture
Enrico Ferraris
@ebobferraris
⚠️ MALWARE VIA PEC ⚠️

Falso messaggio PEC che simula la trasmissione di una fattura elettronica proveniente da un reale indirizzo certificato @Arubait pec.it con allegato malevolo. Massima attenzione!
#malware #PEC #fatturaelettronica

Dettagli ⤵️ 1/
- Il mittente è un reale indirizzo pec.it: il messaggio arriva senza anomalie e la firma risulta valida;
- l’oggetto e il testo riprendono (quasi) esattamente quelli delle PEC del SDI;
- in allegato viene trasmesso un file .zip contenente un .pdf e un .vbs;
2/
- è presente la dicitura “mail priva di virus - avast.com” con tanto di logo caricato come contenuto remoto dal sito Avast legittimo.
Il messaggio PEC è molto simile a quello con cui vengono effettivamente trasmesse le fatture, salvo alcuni dettagli (v. foto).
3/
Read 8 tweets
Profile picture
Chris Buskirk
@thechrisbuskirk
Fact: There are more privately owned guns in the United States than ever before and the number of murders has been at or near a multigenerational low for several years. More guns, less crime? 1/n
Fact: There were 387 deaths from mass shootings in US in 2018 (defined as 4 or more shot - not killed - at one time). Of those most were regular criminals like gang-related drive-bys & bar fights. About 100 were of the random, psycho-killer variety. 2/n
Fact: There were 660 murdered in Chicago in 2017. That’s nearly twice the number from mass shootings in the whole country and 6x-7x the number murdered by random psychos mass shooters. Chicago has some of the strictest gun control in the country. Maybe it’s not the guns. 3/n
Read 5 tweets
Profile picture
Sotiri Dimpinoudis ❁‏
@sotiridi
#Fact: Did you know that In January, February and March of 2019, 8,493 people were murdered in #Mexico, they say that this is the most violent first quarter on record that is a jump of 9% above the start of 2018, which was a record at the time.
They also say that the City of "Mexico City" experienced a 46% increase in the number of homicide victims compared to the first quarter of 2018 with that of 2019. #Mexico
I also made a news article on the crime increases in Tijuana the border city to the #US! That 14 people got killed in a 24 hour mark in #Tijuana. sotiridi.com/world/14-peopl…
Read 4 tweets
Profile picture
Eric Electron
@ericelectron2
#Fact 1 - The Wage Gap is real. People who says it's not haven't read the data.

However, in places like the USA, the wage gap is *not* mostly due to sexism like many #femnist #WomenInScience are claiming it is today. Disparate outcomes doesn't imply disparate treatment.
Women typically choose fields that are lower paying; even in the #STEM fields. To attribute that to sexism only or even mostly is a very dishonest way of deriving an answer for this complex disparity.

Sources:

cew.georgetown.edu/wp-content/upl…

npr.org/sections/money…
When the US Department of Labor Statistics took into consideration personal choices, non-wage benefits, hours worked, experience, education, and other variables that contributes to the wage gap the percentage of earnings decreases to approximately 3%.

shrm.org/hr-today/publi…
Read 12 tweets

Trending hashtags

#smeard #Quarterbacks #FisaBringsDownTheHouse #SHADOWBAN #impeachment #opensource #EgyptStation #unroll #HUSH #QThreaf #DianeAugat #adware #GOP #phishing #DeepStateInPanic #me #Legendary #broken #OWNED #PeakTV #cunt #Protest #Love #request #WeFightAsOne
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!