I am Ahmad Darki, a 4th-year PhD candidate at the University of California, Riverside. I work under the supervision of Dr. Michalis Faloutsos. My research interests are in systems security, sandboxing, and binary analysis. I received my B.Sc. in Computer Engineering from Amirkabir University of Technology, Tehran, Iran.
Darki, Ahmad, Chun-Yu Chuang, Michalis Faloutsos, Zhiyun Qian, and Heng Yin.
In Proceedings of the Passive and Active Measurement Conference (PAM) 2018, Berlin, Germany.
Darki, Ahmad, Alexander Duff, Zhiyun Qian, Gaurav Naik, Spiros Mancoridis, and Michalis Faloutsos.
In Proceedings of the 2016 ACM Conference on CoNEXT Student Workshop, Irvine, USA.
How can we analyze and profile the behavior of router malware? This is the motivating question behind our work focusing on routers. Router-specific malware has emerged as a new vector for attackers, but has received relatively little attention compared to malware on other devices. A key challenge in analyzing router malware is getting it to activate, which is hampered by the diversity of firmware from various vendors and a plethora of different platforms. We propose RARE, a systematic approach to analyze router malware and profile its behavior, focusing on home-office routers. The key novelty is the intelligent augmented operation of our emulation, which manages to fool malware binaries into activating irrespective of their target platform. This is achieved by leveraging two key capabilities: (a) a static-level analysis that informs the dynamic execution, and (b) an iterative feedback loop across a series of dynamic executions, whose output informs the subsequent executions. From a practical point of view, RARE has the ability to: (a) instantiate an emulated router with or without malware, (b) replay arbitrary network traffic, and (c) monitor and interact with the malware in a semi-automated way. We evaluate our approach using 221 router-specific malware binaries. First, we show that our method works: we get 94% of the binaries to activate, including obfuscated ones, which is a nine-fold increase compared to the 10% success ratio of the baseline method. Second, we show that our method can extract useful information towards understanding and profiling the botnet behavior: (a) we identify 203 unique IP addresses of C&C servers, and (b) we observe an initial spike and an overall 50% increase in the number of system calls on infected routers.
Safeguarding one's router has received very little attention despite the plethora of router-specific malware that has emerged recently. Here, we propose a systematic approach to distinguish a router infected by malware from a healthy router. Our key novelty is that we analyze the behavior of the router, thus not relying on binary signatures (like anti-virus software for computers). Our contribution is twofold. First, we develop a non-trivial emulation capability to observe the behavior of a router. This capability allows us to instantiate a virtual router with or without malware and feed it a pre-recorded data trace. This setup monitors the behavior at multiple layers, including OS system calls, process information, and the network layer. Second, using the emulated environment, we provide initial evidence that a behavior-based method can distinguish between infected and healthy routers. We have collected 820 router-specific malware binaries and an initial set of real data traces. We find that infected routers exhibit: (a) an initial spike and an overall 50% increase in the number of system calls, and (b) an initial spike and a modest increase in the number of active processes. Our preliminary work is a promising step towards understanding and securing routers against malware infections.
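The two abstracts above describe a behavior-based signal (an initial spike, then a sustained roughly 50% increase in system-call counts on an infected router) without giving a decision rule. The following Python is an added illustration, not code from the papers or the RARE project: it applies one plausible rule to per-interval system-call counts collected from an emulated healthy run and from an infected run. The sample counts are constructed for this example, and the spike factor (2x the baseline mean within the first two intervals) and the 50% overall-increase threshold are assumptions chosen to match the figure the abstract reports.

```python
from statistics import mean

# Constructed sample traces (illustrative numbers, not measurements from the
# papers): per-interval counts of OS system calls observed on an emulated
# router, first from a healthy run, then from a run in which a malware binary
# is started at interval 0.
HEALTHY_SYSCALLS = [100, 102, 98, 101, 99, 100, 103, 97, 100, 100]
INFECTED_SYSCALLS = [350, 300, 160, 150, 140, 145, 150, 155, 148, 152]


def initial_spike_ratio(observed, baseline, window=2):
    """Peak of the first `window` intervals relative to the baseline mean.

    The abstracts report an 'initial spike' right after infection; comparing
    the early peak against the healthy mean is one assumed way to quantify it.
    """
    return max(observed[:window]) / mean(baseline)


def overall_increase(observed, baseline):
    """Fractional change of the mean count over the whole run (0.5 == +50%)."""
    return mean(observed) / mean(baseline) - 1.0


def is_infected(observed, baseline, spike_factor=2.0,
                increase_threshold=0.5, window=2):
    """Flag a run when both behavioral signals from the abstracts are present.

    Thresholds are assumptions for this example: a spike of at least
    `spike_factor` times the healthy mean in the first `window` intervals, and
    an overall increase of at least `increase_threshold` (0.5, i.e. the 50%
    figure the abstract reports for infected routers).
    """
    spike = initial_spike_ratio(observed, baseline, window) >= spike_factor
    sustained = overall_increase(observed, baseline) >= increase_threshold
    return spike and sustained


def report(observed, baseline):
    """Human-readable summary of both signals and the resulting verdict."""
    return (
        f"initial spike: {initial_spike_ratio(observed, baseline):.2f}x baseline, "
        f"overall change: {overall_increase(observed, baseline):+.0%}, "
        f"verdict: {'INFECTED' if is_infected(observed, baseline) else 'healthy'}"
    )


if __name__ == "__main__":
    # Comparing the healthy run against itself must not raise an alarm, while
    # the constructed infected run shows both the spike and the +50% increase.
    print("healthy vs. baseline :", report(HEALTHY_SYSCALLS, HEALTHY_SYSCALLS))
    print("infected vs. baseline:", report(INFECTED_SYSCALLS, HEALTHY_SYSCALLS))
```

The baseline run is the "virtual router without malware" the abstract describes, and the observed run is the same router with the binary injected; because both are fed the same pre-recorded trace, the counts are comparable interval by interval. In practice the thresholds would be calibrated on several healthy replays rather than fixed as they are here.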
I love exploring SoCal! Hiking, food, beach, museums, etc.