{"682009":{"#nid":"682009","#data":{"type":"news","title":"Spy vs. Spy: A New Automated Removal Tool Can Stop Most Remote-Controlled Malware","body":[{"value":"\u003Cp\u003E\u003Ca href=\u0022https:\/\/www.the-independent.com\/tech\/botnet-cyber-attack-fbi-wang-b2553696.html\u0022\u003ECyberattacks\u003C\/a\u003E can snare workflows, put vulnerable client information at risk, and cost corporations and governments millions of dollars. A botnet \u2014 a network infected by malware \u2014 can be particularly catastrophic. A new Georgia Tech tool automates the malware removal process, saving engineers hours of work and companies money.\u0026nbsp;\u003C\/p\u003E\u003Cp\u003EThe tool, ECHO, turns malware against itself by exploiting its built-in update mechanisms and preventing botnets from rebuilding. ECHO is 75% effective at removing botnets. Malware removal used to take days or weeks, but can now be completed in a few minutes. Once a security team realizes its system is compromised, it can deploy ECHO, which works fast enough to prevent the botnet from taking down an entire network.\u003C\/p\u003E\u003Cp\u003E\u201cUnderstanding the behavior of the malware is usually very hard with little reward for the engineer, so we\u2019ve made an automatic solution,\u201d said \u003Ca href=\u0022https:\/\/runzezhang1995.github.io\/\u0022\u003ERunze Zhang\u003C\/a\u003E, a Ph.D. 
student in the \u003Ca href=\u0022https:\/\/scp.cc.gatech.edu\/\u0022\u003ESchool of Cybersecurity and Privacy\u003C\/a\u003E (SCP) and the \u003Ca href=\u0022https:\/\/ece.gatech.edu\/\u0022\u003ESchool of Electrical and Computer Engineering\u003C\/a\u003E.\u0026nbsp;\u003C\/p\u003E\u003Cp\u003EThe researchers presented the paper, \u201c\u003Ca href=\u0022https:\/\/www.ndss-symposium.org\/ndss-paper\/hitchhiking-vaccine-enhancing-botnet-remediation-with-remote-code-deployment-reuse\/\u0022\u003EHitchhiking Vaccine: Enhancing Botnet Remediation With Remote Code Deployment Reuse\u003C\/a\u003E,\u201d at February\u2019s \u003Ca href=\u0022https:\/\/www.ndss-symposium.org\/\u0022\u003ENetwork and Distributed System Security (NDSS) Symposium\u003C\/a\u003E. ECHO\u2019s \u003Ca href=\u0022https:\/\/github.com\/CyFI-Lab-Public\/ECHO\u0022\u003Eopen-source code\u003C\/a\u003E is available online.\u003C\/p\u003E\u003Cp\u003E\u003Cstrong\u003EBotnet Backstory\u003C\/strong\u003E\u003C\/p\u003E\u003Cp\u003EBotnets have been a problem since the 1980s and have grown in potency recently. In 2019, for example, vicious malware called Retadup \u003Ca href=\u0022https:\/\/decoded.avast.io\/janvojtesek\/putting-an-end-to-retadup-a-malicious-worm-that-infected-hundreds-of-thousands\/\u0022\u003Ecompromised\u003C\/a\u003E Windows systems throughout Latin America. A Czech cybersecurity company, Avast, partnered with the French government to take down this bot. They reverse-engineered the malware, effectively creating a \u201cvaccine\u201d for it in the process. As effective as that solution was, it wasn\u2019t easily replicable.\u003C\/p\u003E\u003Cp\u003E\u003Ca href=\u0022https:\/\/saltaformaggio.ece.gatech.edu\/\u0022\u003EBrendan Saltaformaggio\u003C\/a\u003E saw an opportunity, though.\u0026nbsp;\u003C\/p\u003E\u003Cp\u003E\u201cThis is a really good approach, but it was extremely labor-intensive,\u201d said Saltaformaggio, an associate professor in SCP. 
\u201cSo, my group got together and realized we have the research to make this a scientific, systematic, reproducible technique, rather than a one-off, human-driven, miserable effort.\u201d\u003C\/p\u003E\u003Cp\u003E\u003Cstrong\u003EBotnet Breakdown\u003C\/strong\u003E\u003C\/p\u003E\u003Cp\u003EECHO eradicates malware in three stages. First, it determines how the malware deploys its malicious code. Then, ECHO identifies the capabilities of this deployment mechanism and discovers how they can be repurposed for remediation. Next, it builds remediation code that uses these same mechanisms to disable the malware. That code is then tested and eventually pushed out to the system. The team tested ECHO on 702 Android malware samples and successfully stopped malware in 523 of them.\u0026nbsp;\u003C\/p\u003E\u003Cp\u003EThey hope ECHO\u2019s success will halt attackers in their tracks.\u0026nbsp;\u003C\/p\u003E\u003Cp\u003E\u201cA way we approach problems in our lab is to find the tradeoff between the attackers\u2019 effort versus our effort to fight them,\u201d Saltaformaggio said. \u201cWe can never achieve a perfect solution, but we can raise the bar high enough for an attacker that it wouldn\u0027t be worth it for them to use malware this way.\u201d\u003C\/p\u003E\u003Cp\u003EWith tools like ECHO, botnets can be removed before they cause economic and operational damage. Malware is ever-evolving, but Saltaformaggio and his team are improving their methods along with it. 
The next malware attack is imminent \u2014 but so is the solution.\u0026nbsp;\u003C\/p\u003E\u003Cp\u003E\u003Cem\u003EFunding from the Office of Naval Research, the Defense Advanced Research Projects Agency, and the National Science Foundation.\u003C\/em\u003E\u003C\/p\u003E","summary":"","format":"limited_html"}],"field_subtitle":"","field_summary":[{"value":"\u003Cp\u003E\u003Cstrong\u003EThis cybersecurity innovation from Georgia Tech turns malware against itself.\u0026nbsp;\u003C\/strong\u003E\u003C\/p\u003E","format":"limited_html"}],"field_summary_sentence":[{"value":"This cybersecurity innovation from Georgia Tech turns malware against itself. "}],"uid":"34541","created_gmt":"2025-04-24 17:34:13","changed_gmt":"2025-04-24 17:37:17","author":"Tess Malone","boilerplate_text":"","field_publication":"","field_article_url":"","location":"Atlanta, GA","dateline":{"date":"2025-04-24T00:00:00-04:00","iso_date":"2025-04-24T00:00:00-04:00","tz":"America\/New_York"},"extras":[],"hg_media":{"676931":{"id":"676931","type":"image","title":"Runze.jpg","body":"\u003Cp\u003ERunze Zhang presents at NDSS.\u003C\/p\u003E","created":"1745516208","gmt_created":"2025-04-24 17:36:48","changed":"1745516208","gmt_changed":"2025-04-24 17:36:48","alt":"Runze Zhang","file":{"fid":"260782","name":"Runze.jpg","image_path":"\/sites\/default\/files\/2025\/04\/24\/Runze_0.jpg","image_full_path":"http:\/\/hg.gatech.edu\/\/sites\/default\/files\/2025\/04\/24\/Runze_0.jpg","mime":"image\/jpeg","size":139796,"path_740":"http:\/\/hg.gatech.edu\/sites\/default\/files\/styles\/740xx_scale\/public\/2025\/04\/24\/Runze_0.jpg?itok=iAnC-5EF"}}},"media_ids":["676931"],"groups":[{"id":"1214","name":"News Room"},{"id":"1188","name":"Research Horizons"}],"categories":[{"id":"153","name":"Computer Science\/Information Technology and 
Security"}],"keywords":[{"id":"187915","name":"go-researchnews"}],"core_research_areas":[{"id":"145171","name":"Cybersecurity"}],"news_room_topics":[],"event_categories":[],"invited_audience":[],"affiliations":[],"classification":[],"areas_of_expertise":[],"news_and_recent_appearances":[],"phone":[],"contact":[{"value":"\u003Cp\u003ETess Malone, Senior Research Writer\/Editor\u003C\/p\u003E\u003Cp\u003Etess.malone@gatech.edu\u003C\/p\u003E","format":"limited_html"}],"email":[],"slides":[],"orientation":[],"userdata":""}}}