MAEC 4.1 Proposals - Round 1


MAEC 4.1 Proposals - Round 1

Kirillov, Ivan A.

All,

 

Below are three proposals for additions to MAEC for the upcoming 4.1 minor release. We would greatly welcome your feedback, thoughts and comments on these! We plan on closing comments for these items in a week, on January 31st.

· Add Support for Capturing Malware Configuration Parameters

· Add Support for Labeling Malware Subjects with Common Terms

· Expand MAEC Action Name Vocabularies

 

Regards,

Ivan Kirillov

MITRE


Re: MAEC 4.1 Proposals - Round 1

Terry MacDonald
Hi Ivan,

In the absence of other comments I thought I'd add mine. Please note I haven't spent much time reviewing MAEC (as can be seen in my comments :)). My background is not in reversing malware, so I may not be best placed for expert advice, but I'll give it a go :).

  Add Support for Capturing Malware Configuration Parameters

  1. Does it make sense to add such a capability to MAEC?
    [Terry] - Definitely. As mentioned in the suggestion it is becoming more common for malware to contain a config file. We need a way of showing this.
  2. Do the defined types, their child properties, and their datatypes make sense? Should they be changed in any way?
    [Terry] - Does this structure cope with the possible case that a configuration file is encoded and encrypted multiple times to make it harder to reverse? Maybe 'MalwareConfigurationObfuscationDetailsType' should be 0-N with some kind of ordinal to identify the sequence in which the encryption or encoding has taken place.
  3. Are there any values we should add to the 'MalwareConfigurationParameterEnum-1.0' enumeration?
    [Terry] - No idea, sorry. Not enough experience with configuration parameters to comment.

  Add Support for Labeling Malware Subjects with Common Terms

  1. Would it be useful to label Malware Subjects with common terms in order to associate each with capabilities?
    [Terry] - Yes. I think it's a great idea that could be leveraged in other protocols such as CybOX.
  2. Are there any other labels that we should consider adding to this vocabulary?
    [Terry] - What about Spam generator? War dialler? Premium SMSer? SPITer? Premium phone caller? What about something like the mobile component of Zeus that answers OTP transaction passwords?

  Expand MAEC Action Name Vocabularies

  1. Do the additions to these vocabularies and their descriptions make sense?
    [Terry] - Yep. All look useful. And from reading this a lot of what I talked about in point 2 under "Add Support for Labeling Malware Subjects with Common Terms" is covered by this functionality.
  2. Are there any other Action names that we should consider adding to these or any other MAEC Action name vocabularies?
    [Terry] - None that I can think of.

Cheers

Terry MacDonald


On 25 January 2014 10:28, Kirillov, Ivan A. <[hidden email]> wrote:



Re: MAEC 4.1 Proposals - Round 1

JA
Depending on the level of detail we want, in terms of Configuration
elements, maybe we could evaluate and reuse CCE mechanisms.

For Data Marking, is the term "Label" the most appropriate? Would it
be Tags or controlled category Vocabularies?
Something allowing mapping between different taxonomies would be
interesting (see the concept of Alternate Terms in CAPEC for example).


2014-01-28 Terry MacDonald <[hidden email]>:


RE: MAEC 4.1 Proposals - Round 1

Kirillov, Ivan A.

Good input, Terry. Some replies inline below with [Ivan].

 

Regards,

Ivan Kirillov
MAEC Project

MITRE

 

From: Terry MacDonald [mailto:[hidden email]]
Sent: Tuesday, January 28, 2014 3:11 AM
To: Kirillov, Ivan A.
Cc: maec-discussion-list Malware Attribute Enumeration Discussion
Subject: Re: MAEC 4.1 Proposals - Round 1

 

Hi Ivan,

 

In the absence of other comments I thought I'd add mine. Please note I haven't spent much time reviewing MAEC (as can be seen in my comments :)). My background is not in reversing malware, so I may not be best placed for expert advice, but I'll give it a go :).

 

Add Support for Capturing Malware Configuration Parameters

1.     Does it make sense to add such a capability to MAEC?
[Terry] - Definitely. As mentioned in the suggestion it is becoming more common for malware to contain a config file. We need a way of showing this.

2.     Do the defined types, their child properties, and their datatypes make sense? Should they be changed in any way?
[Terry] - Does this structure cope with the possible case that a configuration file is encoded and encrypted multiple times to make it harder to reverse? Maybe 'MalwareConfigurationObfuscationDetailsType' should be 0-N with some kind of ordinal to identify the sequence in which the encryption or encoding has taken place.

[Ivan] Actually, the Algorithm_Details field in the MalwareConfigurationObfuscationDetailsType has a multiplicity of 0-N to allow for the capture of layered encryption performed on configuration files. I agree that adding some ordinal to explicitly capture the sequence of encryption might be useful though.

3.     Are there any values we should add to the 'MalwareConfigurationParameterEnum-1.0' enumeration?
[Terry] - No idea, sorry. Not enough experience with configuration parameters to comment.

Add Support for Labeling Malware Subjects with Common Terms

1.     Would it be useful to label Malware Subjects with common terms in order to associate each with capabilities?
[Terry] - Yes. I think it's a great idea that could be leveraged in other protocols such as CybOX.

2.     Are there any other labels that we should consider adding to this vocabulary?
[Terry] - What about Spam generator? War dialler? Premium SMSer? SPITer? Premium phone caller? What about something like the mobile component of Zeus that answers OTP transaction passwords?

[Ivan] Yup, there’s probably a whole slew of labels we could add, though part of our intent here was to add those that are fairly prevalent and commonly understood. I think we could definitely add “War Dialer” and “Premium Caller/SMSer”; “spam generator” would be covered by the existing “mass-mailer” label, I think. Would SPITer refer to an IP Telephony Spammer? I think the Zeus OTP could perhaps be characterized as a “password stealer”, which we also already have?

Expand MAEC Action Name Vocabularies

1.     Do the additions to these vocabularies and their descriptions make sense?
[Terry] - Yep. All look useful. And from reading this a lot of what I talked about in point 2 under "Add Support for Labeling Malware Subjects with Common Terms" is covered by this functionality.

2.     Are there any other Action names that we should consider adding to these or any other MAEC Action name vocabularies?
[Terry] - None that I can think of.

 

Cheers


Terry MacDonald

 

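The exchange above between Terry and Ivan turns on one modelling point: a malware configuration may be encoded and then encrypted (or the reverse) several times, so each obfuscation layer needs an explicit ordinal, and an analyst has to strip the layers in the reverse of the order the malware applied them. The following is an added example written for this page; it is not code from the MAEC project, from the MAEC 4.1 schema, or from anyone in the thread. The layer names ("xor", "base64"), the 2-byte key, the "name=value" config format and the sample configuration are all constructed assumptions used only to make the ordering problem concrete.

```python
# Added example (not MAEC project code): layered config obfuscation with an
# explicit ordinal per layer, so that the decoding order is never ambiguous.
# All algorithm names, keys and sample data below are constructed for this demo.
import base64
import binascii
from dataclasses import dataclass


@dataclass(frozen=True)
class ObfuscationLayer:
    """One obfuscation step. ordinal 1 is the layer the malware applied first."""
    ordinal: int
    algorithm: str          # hypothetical names: "xor" or "base64"
    key: bytes = b""        # only used by "xor"


def _xor(data: bytes, key: bytes) -> bytes:
    if not key:
        raise ValueError("xor layer needs a key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def apply_layer(data: bytes, layer: ObfuscationLayer) -> bytes:
    """Forward direction: what the malware does when it protects its config."""
    if layer.algorithm == "xor":
        return _xor(data, layer.key)
    if layer.algorithm == "base64":
        return base64.b64encode(data)
    raise ValueError(f"unknown algorithm {layer.algorithm!r}")


def remove_layer(data: bytes, layer: ObfuscationLayer) -> bytes:
    """Inverse direction: what the analyst does to recover the config."""
    if layer.algorithm == "xor":
        return _xor(data, layer.key)           # XOR is its own inverse
    if layer.algorithm == "base64":
        return base64.b64decode(data, validate=True)
    raise ValueError(f"unknown algorithm {layer.algorithm!r}")


def obfuscate(plain: bytes, layers: list) -> bytes:
    """Apply layers in ascending ordinal order (1, 2, ...), as the malware would."""
    data = plain
    for layer in sorted(layers, key=lambda l: l.ordinal):
        data = apply_layer(data, layer)
    return data


def deobfuscate(blob: bytes, layers: list) -> bytes:
    """Remove layers in descending ordinal order: the last one applied comes off first."""
    data = blob
    for layer in sorted(layers, key=lambda l: l.ordinal, reverse=True):
        data = remove_layer(data, layer)
    return data


def parse_config(text: bytes) -> dict:
    """Parse a recovered 'name=value' config (constructed format) into parameters."""
    params = {}
    for line in text.decode("ascii").splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            params[name.strip()] = value.strip()
    return params


# Constructed sample: XOR with a 2-byte key first (ordinal 1), then base64 (ordinal 2).
# The list is deliberately not in ordinal order; the ordinal, not list position, rules.
SAMPLE_LAYERS = [
    ObfuscationLayer(ordinal=2, algorithm="base64"),
    ObfuscationLayer(ordinal=1, algorithm="xor", key=b"\x5a\x3c"),
]
SAMPLE_CONFIG = b"c2_domain=example.invalid\nbeacon_interval=300\nmutex=demo\n"
SAMPLE_BLOB = obfuscate(SAMPLE_CONFIG, SAMPLE_LAYERS)


def recover_sample() -> dict:
    """Recover the configuration parameters from the constructed blob."""
    return parse_config(deobfuscate(SAMPLE_BLOB, SAMPLE_LAYERS))


def wrong_order_fails() -> bool:
    """Why the ordinal matters: stripping layers in the order they were applied
    (ascending ordinal) either raises on invalid base64 or yields garbage."""
    data = SAMPLE_BLOB
    try:
        for layer in sorted(SAMPLE_LAYERS, key=lambda l: l.ordinal):
            data = remove_layer(data, layer)
    except (binascii.Error, ValueError):
        return True
    return data != SAMPLE_CONFIG


if __name__ == "__main__":
    print(recover_sample())
    print("wrong order fails:", wrong_order_fails())
```

The point of `wrong_order_fails()` is the one Terry raises: when a record lists several algorithms with no ordinal, a consumer has no way to know whether the base64 or the XOR came off first, and the wrong guess does not degrade gracefully, it simply produces nothing usable.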