An Examination of the Operational Requirements of Weaponised Malware


Malware is often used in cyberconflict scenarios. Both nation-states and non-state threat actor groups use malware to execute cyberattacks. The current study examines the general role of weaponised malware in cyber conflicts and outlines the operational requirements for such weaponisation of malware. Operational needs as well as ethical considerations, including target discrimination, are examined. One goal of this study is to propose a taxonomy for malware that is oriented to the appropriate selection of weaponised malware for cyberwarfare scenarios.

A Preliminary Investigation into Malware Propagation on Australian ISP Networks using the mwcollect Malware Collector Daemon


This paper describes an initial investigation into the propagation, within the Australian ISP address space, of malicious software (malware) that allows remote command and control of Internet-connected Windows machines. The research utilised the mwcollect daemon, a low-interaction honeypot running on Linux, to collect details of the activity. mwcollect works by emulating the vulnerable services of the target platform, in this case Windows-based computers. There were two collectors within the pilot collection system. The machines ran no other Internet services such as HTTP or mail, and were not used by any person; they were simply connected to the Internet. The machines were located on two separate ISP networks, each using a high-speed ADSL connection attached to a different segment of the Australian ISP network.

Malware-based Information Leakage over IPSec Tunnels


IPSec-based protocols are often presented by information security practitioners as an efficient solution to prevent attacks against data exchange. More generally, the use of encryption to protect communication channels or to seclude sensitive networks is seen as the ultimate defence. Unfortunately, this confidence is illusory, since such “armoured” protocols can be manipulated or corrupted by an attacker to leak information whenever access is obtained with ordinary user permissions. In this paper, we present how an attacker and/or a malware can subvert and bypass IPSec-like protocols to leak data from the system under attack. Using a covert channel, we show how to encode the information to be stolen, how to insert it into the legitimate encrypted traffic, and finally how to collect and decode the information on the attacker’s side. We first present how to exploit the covert channel and steal sensitive data without triggering any alert. Subsequently, the detailed results of extensive experiments validating the attack techniques at an operational level are given. Finally, some potential prevention and protection techniques are presented to limit such attacks. However, this analysis demonstrates that residual weaknesses are bound to remain unless the communication protocols involved are significantly modified.
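The abstract above does not say which covert channel the paper uses. The following is an added example, not the paper's own code, of one generic channel that fits its description: ESP encrypts the payload of each packet but only pads it to the cipher block size, so the sizes of the encrypted packets still reveal the plaintext size quantised to that block. A malware-side encoder therefore chooses the length of each otherwise legitimate message, and an attacker who only sees ciphertext lengths recovers the data. The block size, ESP overhead, nibble-per-packet framing and the `defender` heuristic at the end are all assumptions made for the simulation.

```python
"""Added example: length-modulation covert channel through a simulated ESP tunnel.

Assumptions (not from the paper): AES-CBC with a 16-byte block, a fixed ESP
overhead of SPI+sequence (8) + IV (16) + ICV (12) bytes, one nibble of secret
per tunnelled packet, and a one-byte length prefix for framing.
"""
import math
import os

BLOCK = 16                  # assumed cipher block size; ESP pads the inner payload to it
ESP_OVERHEAD = 8 + 16 + 12  # assumed fixed per-packet overhead outside the padded payload
BASE_BLOCKS = 4             # a "legitimate" message occupies at least this many blocks
                            # nibble n is sent as a message of (BASE_BLOCKS + n) blocks


def esp_encapsulate(plaintext: bytes) -> bytes:
    """Simulated ESP: plaintext + 2-byte trailer (pad length, next header), padded to
    BLOCK, plus overhead. Contents are random so the observer learns only the length."""
    inner = len(plaintext) + 2
    padded = (inner + BLOCK - 1) // BLOCK * BLOCK
    return os.urandom(padded + ESP_OVERHEAD)


def encode(secret: bytes) -> list:
    """Malware side: one filler message per nibble; only the message length matters.
    The first byte of the stream is the secret's length (so secrets are <= 255 bytes)."""
    framed = bytes([len(secret)]) + secret
    messages = []
    for byte in framed:
        for nibble in (byte >> 4, byte & 0xF):
            target = (BASE_BLOCKS + nibble) * BLOCK      # desired padded inner length
            messages.append(b"A" * (target - 2))         # trailer fills the block exactly
    return messages


def decode(ciphertexts: list) -> bytes:
    """Attacker side: recover the nibbles from encrypted packet sizes alone."""
    nibbles = []
    for ct in ciphertexts:
        blocks = (len(ct) - ESP_OVERHEAD) // BLOCK
        nibbles.append(blocks - BASE_BLOCKS)
    data = bytes((nibbles[i] << 4) | nibbles[i + 1]
                 for i in range(0, len(nibbles) - 1, 2))
    length = data[0]
    return data[1:1 + length]


def exfiltrate(secret: bytes) -> bytes:
    """End-to-end run: encoder -> tunnel -> size-only observer."""
    return decode([esp_encapsulate(m) for m in encode(secret)])


def size_entropy(ciphertexts: list) -> float:
    """Defender heuristic (assumption): Shannon entropy, in bits, of the packet sizes
    seen in one flow. Padding every packet to a fixed size (traffic-flow
    confidentiality) drives this to 0 and removes the channel; a flow whose sizes
    vary far more than its baseline is worth a closer look."""
    counts = {}
    for ct in ciphertexts:
        counts[len(ct)] = counts.get(len(ct), 0) + 1
    total = len(ciphertexts)
    return -sum(c / total * math.log2(c / total) for c in counts.values())


if __name__ == "__main__":
    # constructed sample secret
    secret = b"db_password=hunter2"
    tunnelled = [esp_encapsulate(m) for m in encode(secret)]
    print("recovered:", decode(tunnelled))
    print("size entropy of covert flow: %.2f bits" % size_entropy(tunnelled))
    print("size entropy of fixed-size flow: %.2f bits"
          % size_entropy([esp_encapsulate(b"x" * 30)] * len(tunnelled)))
```

The point of the simulation is that confidentiality of the tunnel is never broken: the attacker reads lengths, not content. The protection the abstract hints at (modifying the protocol) corresponds here to padding every packet to a constant size, which is exactly what the `size_entropy` heuristic would reward with a zero score.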

Malware Analysis Framework from Static to Dynamic Analysis


Today, malicious software on networks is a major threat to Internet security. Analysis of malicious software is a multi-step process that can provide insight into its structure, functionality and behaviour, which can then be used to create a remedy. This paper focuses on how the analysis of malicious software can be used, and how details of events gathered from an infected system can be used to detect a new infection. This strategy makes it possible to detect an infection on a honeypot that has been deployed to detect zero-day attacks. The paper demonstrates the steps taken in the analysis of malicious software from static to dynamic analysis, then applies the same methodology to an infection on the honeypot. It concludes with an explanation of the difference between the static and dynamic analysis of malicious code.
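As an added example of the static end of the static-to-dynamic workflow described above (this is not the paper's framework, and the sample, the indicator list and the thresholds are constructed for illustration), the block below performs the first-pass triage an analyst does before running anything: hashes for correlation, a PE header check, printable-string extraction, byte entropy as a packing hint, and a scan of the strings for URLs and a small, illustrative list of process-injection APIs. Dynamic analysis, by contrast, would require executing the sample in an instrumented sandbox and is not reproduced here.

```python
"""Added example: static triage of a constructed, harmless PE-shaped sample.

Nothing here is executed; the sample is a byte string built in build_sample().
SUSPICIOUS_APIS is an illustrative assumption, not a complete indicator list.
"""
import hashlib
import math
import re

# Assumed, illustrative subset of Win32 APIs commonly seen in process injection.
SUSPICIOUS_APIS = {b"CreateRemoteThread", b"WriteProcessMemory",
                   b"VirtualAllocEx", b"URLDownloadToFileA"}
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")          # strings of 4+ printable bytes
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")           # stops at NUL/whitespace


def build_sample() -> bytes:
    """Constructed sample: valid DOS/PE magic, a few strings, non-text filler."""
    header = bytearray(0x80)
    header[0:2] = b"MZ"
    header[0x3C:0x40] = (0x80).to_bytes(4, "little")     # e_lfanew -> PE signature
    body = b"PE\0\0" + b"\0" * 20
    body += b"kernel32.dll\0CreateRemoteThread\0WriteProcessMemory\0"
    body += b"http://c2.example.invalid/gate.php\0"
    body += bytes(range(256)) * 2                        # filler with no real meaning
    return bytes(header) + body


def hashes(data: bytes) -> dict:
    """Identifiers for correlating the sample against previous collections."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def is_pe(data: bytes) -> bool:
    """MZ magic plus a PE signature at the offset stored in e_lfanew (offset 0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def printable_strings(data: bytes) -> list:
    """The equivalent of `strings`: runs of printable ASCII."""
    return PRINTABLE_RUN.findall(data)


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; values near 8 suggest packing or encryption."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def static_triage(data: bytes) -> dict:
    """Collect the static indicators an analyst records before dynamic analysis."""
    strings = printable_strings(data)
    report = hashes(data)
    report.update({
        "size": len(data),
        "is_pe": is_pe(data),
        "entropy": round(entropy(data), 3),
        "urls": [u.decode() for u in URL_RE.findall(data)],
        "suspicious_apis": sorted(s.decode() for s in strings if s in SUSPICIOUS_APIS),
        "string_count": len(strings),
    })
    return report


if __name__ == "__main__":
    for key, value in static_triage(build_sample()).items():
        print(f"{key:16} {value}")
```

Everything the report contains is cheap to compute and safe to compute on a live collection host, which is why it comes first; the same hashes are what let an infection observed later on the honeypot be matched back to a sample already analysed.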

Establishment of Trust Factors in Social Networking Sites


While many individuals use social networking sites to connect and maintain contact, attackers may see social networks as a prime target for spreading malware, propaganda, or marketing. Most users, however, are willing to trust these sites without being aware of the potential dangers. This paper investigates the factors that lead users to trust these sites, focusing on Facebook as an illustrative example. Survey data is presented to indicate some of these trust factors and to explore their impact on user behaviour. Finally, indicators of potentially deceptive agents and profiles are presented to help users decide whether, and to what degree, to interact with other users.

Antivirus False-Positive Alerts, Evading Malware Detection, and Cybersecurity Issues


The continuous development of evolving malware types creates a need to study and understand how antivirus products detect threats and alert users. This paper investigates today’s antivirus solutions and how their false-positive alerts affect the software development and distribution process. The authors discuss and demonstrate how antivirus detection deals with bespoke applications, and how this can be reverse engineered and manipulated to evade detection, allowing the same process to be used by malicious software developers. The paper also demonstrates how an undetected piece of malicious software can be developed without using advanced hiding techniques, and how it can also overcome reputation-based detection systems.

PrEP: A Framework for Malware & Cyber Weapons


The contemporary debate over cybersecurity rests on a set of linguistic artifacts that date from the Cold War. Attempting to glean a starting point for debate over use of terms such as ‘cyber attack’ or ‘cyber war’ is difficult, largely because there is little agreement on what constitutes a weapon in cyberspace. This paper proposes a new framework to classify malware and cyber weapons based on the different pieces of malicious code that constitute them, then evaluates competing definitions of cyber weapons, and concludes with implications for this approach.

How IAD Leverages Big Data for Anomaly and Malware Detection (v10.2)


Malware is growing increasingly sophisticated. Threats are becoming more targeted and moving to places where existing defenses have limited visibility. Proactively addressing these threats means leveraging insights gained from Big Data and the fusion of multiple sources of information. Operational Fusion and Analysis (OFA), an organization within the National Security Agency’s Information Assurance Directorate, utilizes Big Data to provide battlespace awareness and critical intelligence on the attack lifecycles of intrusions to decision makers and network defenders. This is accomplished by performing qualitative and quantitative analysis, summarization, fusion, and trending of data across multiple networks, customers, and domains. The more insight OFA gains into a network or series of networks, the more easily abnormal activity can be identified.

Fusion of Malware and Weapons Taxonomies for Analysis


This theoretical research uses forensic practices to support a likely resulting taxonomy for weaponized malware. Current malware taxonomies focus on behaviours, generations, and targets as part of their definitions. Naming and generational coding are often inherent in the taxonomical definition of a malware variant. In considering malware that may be weaponized, two core questions need to be answered: what makes a particular piece of malware a weapon, and is there such a thing? This research answers both questions and attempts to structure a taxonomy. Taxonomies of malware and of weapons are considered for fusion in such a way that the resulting taxonomical derivation allows for the discussion and evaluation of possible malware targets.

Journal of Information Warfare

The definitive publication for the best and latest research and analysis on information warfare, information operations, and cyber crime. Available in traditional hard copy or online.
