This paper presents MalMax, a novel system to detect server-side malware that routinely employs sophisticated polymorphic evasive runtime code generation techniques. When MalMax encounters an execution point that presents multiple possible execution paths (e.g., via predicates and/or dynamic code), it explores these paths through counterfactual execution of code sandboxed within an isolated execution environment. Furthermore, a unique feature of MalMax is its cooperative isolated execution model in which unresolved artifacts (e.g., variables, functions, and classes) within one execution context can be concretized using values from other execution contexts. Such cooperation dramatically amplifies the reach of counterfactual execution. As an example, for WordPress, cooperation results in 63% additional code coverage. The combination of counterfactual execution and cooperative isolated execution enables MalMax to accurately and effectively identify malicious behavior. Using a large (1 terabyte) real-world dataset of PHP web applications collected from a commercial web hosting company, we performed an extensive evaluation of MalMax. We evaluated the effectiveness of MalMax by comparing its ability to detect malware against VirusTotal, a malware detector that aggregates many diverse scanners. Our evaluation results show that MalMax is highly effective in exposing malicious behavior in complicated polymorphic malware. MalMax was also able to identify 1,485 malware samples that are not detected by any existing state-of-the-art tool, even after 7 months in the wild.​

Internet connectivity of electronic devices has brought us the ease of centralized management, and these days more and more devices are connected to this globally accessible network. At the same time, this landscape has opened new doors for malicious actors. While internet connectivity is a built-in feature for desktop and mobile devices, Industrial Control Systems (ICS) lag behind. Traditionally, ICS networks have been air-gapped and as a result, many ICS devices are not well-equipped to be connected to the internet. The absence of proper authentication and other security mechanisms is commonly observed on these devices.

​

In response to the new threats of connected ICS systems, various ICS honeypots have been developed during the past decade. These honeypots are used to collect information on the attack landscape of ICS systems. In this research, we show that ICS honeypots should be designed more carefully and existing honeypots can fairly easily be fingerprinted by the attackers.

​

We systematically study the categories of often overlooked behaviors that make ICS honeypots fingerprintable. Moreover, to demonstrate the impact of these flaws, we perform a large-scale analysis over the internet to detect GasPot honeypots that emulate automatic tank gauges (ATG). We were able to find 17 existing honeypot instances which is more than the number of discovered GasPots by Shodan. Finally, we released our ICS honeypot scanner and our ATG honeypot, which provides full protocol support and fixes the existing flaws within GasPot that make it detectable.

​​