a survey on automated dynamic malware analysis evasion
play

A Survey On Automated Dynamic Malware Analysis Evasion and - PowerPoint PPT Presentation

Oct 28, 2022 •336 likes •684 views

A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web Alexei Bulazel & Blent Yener River Loop Security Rensselaer Polytechnic Institute (RPI) Introduction Automated dynamic malware analysis is

  1. A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web Alexei Bulazel & Bülent Yener River Loop Security Rensselaer Polytechnic Institute (RPI)

  2. Introduction Automated dynamic malware analysis is essential to keep up ● with modern malware (and potentially malicious software) ● Problem: malware can detect and evade analysis ● Solution: detect or mitigate anti-analysis

  3. Scope Survey of ~200 works on evasive malware ● techniques, detection, mitigation, and case studies Mostly academic works, with a few industry ● talks and publications ● In this presentation - focus on PC-based malware experimentation, more discussion than survey

  4. Dynamic Automated Analysis Systems a.k.a: “malware sandboxes” “detonation chambers”

  5. Takeaways Evasive malware and defenders continually evolve to counter ● one another The fight between malware and analysis systems is likely to ● continue long into the future There are immense challenges to experimental evaluation and ● the ability to establish ground truth

  6. Presentation Outline 1. Introduction 2. Offense - Detecting Analysis Systems 3. Defense - Detecting Malware Evasion 4. Defense - Mitigating Malware Evasion 5. Discussion 6. Conclusion

  7. Offense - Detecting Analysis Systems Fingerprint Classes ● bool beingAnalyzed = DetectAnalysis(); ○ Environmental Artifacts if(beingAnalyzed) ○ Timing { CPU Virtualization ○ BehaveBenignly(); Process Introspection ○ } ○ Reverse Turing Tests else ○ Network Artifacts { Mobile Sensors ○ InfectSystem(); } Browser Specific ○

  8. Environmental Artifacts & Timing Unique distinguishing Timing discrepancies in analysis ● ● characteristics of the analysis systems environment itself ● Sources: Usernames Emulation / virtualization overhead ○ ○ ○ System settings ○ Analysis instrumentation overhead Date Overhead of physical hardware ○ ○ ○ Installed software instrumentation (potentially) Files on disk Challenging to mitigate ○ ● ○ Running processes ○ Garfinkle et al: “extreme engineering Number of CPUs ○ hardship and huge runtime ○ Amount of RAM overhead”

  9. CPU Virtualization & Process Introspection CPU “Red Pills” Discrepancies in internal state ● ● ● Discrepancies in CPU behavior ○ Memory or register contents Function hooks ○ introduced by virtualization ○ Injected libraries Erroneously accepted/rejected ○ Page permission eccentricities ○ instructions ● Commonly used in anti-DBI Incorrect exception behavior ○ ○ Flag edge cases MSRs ○ ○ CPUID/SIDT/SGDT/etc discrepancy Particularly applicable for ● emulators

  10. Reverse Turing Tests & Network Artifacts ● Computer decides if it is ● Fixed IP address interacting with computer or Network isolation ● human ● Incorrectly emulated network ● Passive: mouse movement, typing devices or protocols cadence, process churn, scrolling ● Unusually fast internet service Active: user must click a dialogue ● box ● Wear-and-Tear: evidence of human use, copy-paste clipboard, “recently opened” file lists, web history, phone camera photos

  11. Detection - Discussion Variety of sources: underlying technologies facilitating analysis, system ● configuration, analysis instrumentation Easy to use = easy to mitigate ● Difficult to use = difficult to mitigate ● ● Reverse Turing Tests seem to be growing in relevance, and are extremely difficult to mitigate against

  12. Presentation Outline 1. Introduction 2. Offense - Detecting Analysis Systems 3. Defense - Detecting Malware Evasion 4. Defense - Mitigating Malware Evasion 5. Discussion 6. Conclusion

  13. Detecting Malware Evasion Detecting that malware exhibits evasive behavior under dynamic analysis, ● but not mitigating evasion ○ Comparatively fewer works relative to mitigation work ● Early work - detecting known anti-analysis-techniques ○ 2008: Lau et al.’s DSD-Tracer ● Most works use multi-system execution ○ Run malware in multiple systems and compare behavior offline - discrepancies may indicate evasion in one or more of these systems

  14. Multi-System Execution ● Instruction-level (2009: Kang et al.) ○ Too low level, prone to detect spurious differences ● System call-level (2010: Balzarotti et al. / 2015: Kirat & Vigna - MalGene) ○ Higher level than just instructions ○ MalGene uses algorithms taken from bioinformatics work in protein alignment Persistent changes to system state (2011: Lindorfer et al. - Disarm) ● ○ Jaccard distance-based comparisons ● Behavioral profiling (2014: Kirat et al. - BareCloud) ○ What malware did vs. how it did it, “hierarchical similarity” algorithms from computer vision and text similarity research

  15. Evasion Detection - Discussion Multi-system execution is a common solution for evasion detection ● ● Offline algorithms do not detect evasion in real time Evolution over time to increasingly complex algorithmic approaches, ● working over increasingly abstracted execution traces Detection does not solve the main challenge of evasion, so there is less ● work in the field compared to mitigation research

  16. Presentation Outline 1. Introduction 2. Offense - Detecting Analysis Systems 3. Defense - Detecting Malware Evasion 4. Defense - Mitigating Malware Evasion 5. Discussion 6. Conclusion

  17. Defense - Mitigating Evasion Mitigating evasive behavior in malware so that analysis can proceed ● unhindered Early approaches ● ○ Binary Modification ○ Hiding Environment Artifacts ○ State Modification ○ Multi-Platform Record and Replay ● Path Exploration ● Hypervisor-based Analysis ● Bare Metal Analysis & SMM-based Analysis Discussion ●

  18. Early Approaches ● Binary Modification ● State Modification ○ 2006: Vasudevan et al. - Cobra ○ 2009: Kang et al. ○ Emulate code in blocks like QEMU ■ Builds upon detection work “dynamic state modification” (DSM), ■ Remove or rewrite malware ■ modifications to state force instructions that could be used for malware execution down alternative detection paths ● Hiding Environmental Artifacts ● Multi-Platform Record and Replay 2007: Willems et al. - CWSandbox ○ 2012: Yan et al. - V2E ○ ■ In system kernel driver hides ■ Kang et al.’s DSMs are not scalable environmental artifacts for multiple anti-analysis checks ○ Oberheide later demonstrated several ■ Don’t mitigate individual detection techniques against CWSandbox occurrences of evasion, make evasion irrelevant because systems are inherently transparent

  19. Path Exploration 2007: Moser et al. ● ○ Looks broadly at code coverage and analyzing trigger-based malware Track when input is used to make control flow decisions, change it to force execution down ○ different code paths 2008: Brumley et al. - MineSweeper ● ○ Trigger-based malware focused Represents inputs to potential triggers symbolically, while other code is executed concretely ○

  20. Hypervisor-based Analysis 2008: Dinaburg et al. - Ether ● ○ Catch system calls and context switches from Xen Despite extensive efforts to make analysis transparent, Pék et al. created nEther and were ○ able to detect Ether ● 2009: Nguyen et al. - MAVMM ○ AMD SVM with custom hypervisor ○ Thompson et al. subsequently demonstrated timing attacks that can be used to detect MAVMM and other hypervisor based systems ● 2014: Lengyel et al. - DRAKVUF Xen-based, instruments code with injected breakpoints ○

  21. Bare Metal Analysis ● 2011, 2014: Kirat et al. - BareBox & ● SMM-based analysis: all the transparency BareCloud benefits of bare metal, while restoring ○ BareBox - in-system kernel driver introspection BareCloud - post-run disk forensics ○ Full access to system memory, protection ○ from modification, high speed, protection ● 2012: Willems et al. from introspection ○ Hardware-based branch tracing features ● 2013 & 2015: Zhang et al. - Spectre, MalT ○ Analyzed evasive PDFs ○ Spectre: SMM-based analysis, 100x faster than VMM based introspection ● 2016: Spensky et al. - LO-PHI ○ MalT - SMM-based debugging ○ Instrument physical hardware ○ Capture RAM and disk activity at the ● 2016: Leach et al. - Hops hardware level ○ SMM memory snapshotting and PCI-based ○ Scriptable user keyboard/mouse instrumentation interaction with USB-connected Arduinos

  22. Mitigation - Discussion Two broad categories: active and passive mitigation ● ○ Active - detect-then-mitigate Passive - build inherent transparency ○ Passive approaches have been more prevalent ● ○ Hypervisors, bare metal, etc Bare metal is the cutting edge in academic research, but it may not be ● scalable to industry applications ○ Promising, but not a panacea against any class of attacks other than CPU-based

  23. Presentation Outline 1. Introduction 2. Offense - Detecting Analysis Systems 3. Defense - Detecting Malware Evasion 4. Defense - Mitigating Malware Evasion 5. Discussion 6. Conclusion

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal and Wenke Lee College of Computing Georgia Institute of Technology Agenda l Background l Defeating Automated Malware Analysis Host

1.28k views • 28 slides
How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement Yoshihiro Oyama University of Tsukuba 1 Background Many malware programs execute operations for analysis evasion Detection of

346 views • 31 slides
When a Tree Falls: Using Diversity in Ensemble Classifiers to Identify Evasion in Malware

When a Tree Falls: Using Diversity in Ensemble Classifiers to Identify Evasion in Malware

When a Tree Falls: Using Diversity in Ensemble Classifiers to Identify Evasion in Malware Detectors Charles Smutz Angelos Stavrou George Mason University Motivation Machine learning used ubiquitously to improve information security

814 views • 30 slides
GroDDViewer: Dynamic dual view of Android malware Jean-Franois Lalande Mathieu Simon Valrie

GroDDViewer: Dynamic dual view of Android malware Jean-Franois Lalande Mathieu Simon Valrie

Introduction Malware analysis Visualization Conclusion GroDDViewer: Dynamic dual view of Android malware Jean-Franois Lalande Mathieu Simon Valrie Viet Triem Tong GraMSec 2020 CIDRE team June 22th 2020 Introduction Malware analysis

530 views • 28 slides
Toward Automated Forensic Analysis of Obfuscated Malware Ryan J. Farley George Mason University

Toward Automated Forensic Analysis of Obfuscated Malware Ryan J. Farley George Mason University

Toward Automated Forensic Analysis of Obfuscated Malware Ryan J. Farley George Mason University Department of Computer Science Committee: Xinyuan Wang, Hakan Aydin, Songqing Chen, Brian Mark Where Innovation Is Tradition April 24, 2015

611 views • 59 slides
Automated capability analysis in Wordpress plugins Using static and dynamic analysis SNE RP2

Automated capability analysis in Wordpress plugins Using static and dynamic analysis SNE RP2

Automated capability analysis in Wordpress plugins Using static and dynamic analysis SNE RP2 Frank Uijtewaal Collab: DongIT (dongit.nl) Initial project goal Find a new and interesting type of security analysis for web applications

480 views • 35 slides
Malware analysis using visualized images and entropy graphs Kyoung Soo Han Jae Hyun Lim

Malware analysis using visualized images and entropy graphs Kyoung Soo Han Jae Hyun Lim

Malware analysis using visualized images and entropy graphs Kyoung Soo Han Jae Hyun Lim Boojoong Kang Eul Gyu Im Presented by Ruikai Zheng CISC850 Cyber Analytics 1.Introduction Malware variants developed using automated tools

206 views • 20 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
How Current Android Malware Seeks to Evade Automated Code Analysis Siegfried Rasthofer, Irfan

How Current Android Malware Seeks to Evade Automated Code Analysis Siegfried Rasthofer, Irfan

How Current Android Malware Seeks to Evade Automated Code Analysis Siegfried Rasthofer, Irfan Asrar , Stephan Huber, Eric Bodden Technische Universitt Darmstadt, Darmstadt, Germany Fraunhofer SIT, Darmstadt, Germany Appthority, San

344 views • 22 slides
Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

I NTELLI D ROID A Targeted Input Generator for the Dynamic Analysis of Android Malware Michelle Y. Wong and David Lie University of Toronto Department of Electrical and Computer Engineering NDSS Symposium 2016 ! ! ! B ACKGROUND Static vs.

1.02k views • 32 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
From SOC to Analyst: bridging automated and manual analyses Practical Considerations and Issues

From SOC to Analyst: bridging automated and manual analyses Practical Considerations and Issues

From SOC to Analyst: bridging automated and manual analyses Practical Considerations and Issues July, 10th 2017 Raphal Rigo Typical (ideal) workflow of a malware sample reverser binary SOC CERT special malware malware SOC

89 views • 7 slides
Tien Phan Malware Manipulation 2019-08-26 2 Pokemon Fusion Con - Fusion Malicious Malware

Tien Phan Malware Manipulation 2019-08-26 2 Pokemon Fusion Con - Fusion Malicious Malware

Tien Phan Malware Manipulation 2019-08-26 2 Pokemon Fusion Con - Fusion Malicious Malware + = Softicious X Software Tien Phan Malware Manipulation 2019-08-26 3 Reverse Engineering More time consuming Dynamic Analysis

555 views • 22 slides
Towards a syntactically motivated analysis of modifiers in German Ines Rehbein & Hagen

Towards a syntactically motivated analysis of modifiers in German Ines Rehbein & Hagen

Tagset Annotation Experiment Parsing Experiments Towards a syntactically motivated analysis of modifiers in German Ines Rehbein & Hagen Hirschmann KONVENS 2014 October 8, 2014 Tagset Annotation Experiment Parsing Experiments Modifying

592 views • 36 slides
Good Morning and Welcome Back! We trust you have a productive and an enjoyable time here in

Good Morning and Welcome Back! We trust you have a productive and an enjoyable time here in

ITS Research IT Good Morning and Welcome Back! We trust you have a productive and an enjoyable time here in Utrecht! Let's collaborate! Ton Smeele ITS/ResearchIT, Utrecht University ITS Research IT Agenda University Utrecht's use

891 views • 19 slides
A Brief and Friendly Introduction to Computational Psycholinguistics Roger Levy UC San Diego

A Brief and Friendly Introduction to Computational Psycholinguistics Roger Levy UC San Diego

A Brief and Friendly Introduction to Computational Psycholinguistics Roger Levy UC San Diego Department of Linguistics COGS 1 guest lecture February 2, 2010 What is computational psycholinguistics? Inherently, linguistic

826 views • 82 slides
Divided America: Politics and Polarization Direction of Country Right Direction Wrong Track

Divided America: Politics and Polarization Direction of Country Right Direction Wrong Track

Divided America: Politics and Polarization Direction of Country Right Direction Wrong Track 100 90 80 70 60 50 40 30 20 10 0 Washington Post/ABC News polls, 2004-2015 Trust in Our Institutions GREAT DEAL/QUITE A LOT 100 90 74

593 views • 34 slides
Incremental Parsing in Bounded Memory William Schuler Department of Linguistics The Ohio State

Incremental Parsing in Bounded Memory William Schuler Department of Linguistics The Ohio State

Incremental Parsing in Bounded Memory William Schuler Department of Linguistics The Ohio State University September 16, 2010 William Schuler Incremental Parsing in Bounded Memory Motivation Goal: simple processing model, matches observations

1.27k views • 80 slides
Learning Effective and Interpretable Semantic Models using Non-Negative Sparse Embedding (NNSE)

Learning Effective and Interpretable Semantic Models using Non-Negative Sparse Embedding (NNSE)

1 Learning Effective and Interpretable Semantic Models using Non-Negative Sparse Embedding (NNSE) Brian Murphy, Partha Talukdar, Tom Mitchell Machine Learning Department Carnegie Mellon University 2 Distributional Semantic Modeling 2

1.03k views • 86 slides
On the (Im)possibility of Privately Outsourcing Linear Programming 26.10.13 1 / 25 Linear

On the (Im)possibility of Privately Outsourcing Linear Programming 26.10.13 1 / 25 Linear

On the (Im)possibility of Privately Outsourcing Linear Programming 26.10.13 1 / 25 Linear programming Suppose a brewery produces ale and beer . It uses three type of resources: corn , hops , and malt . Each beverage requires

592 views • 44 slides
T H E L LV M PA S S M A N AG E R PA RT 2 F R O M T H E P R E V I O U S TA L K : A pass

T H E L LV M PA S S M A N AG E R PA RT 2 F R O M T H E P R E V I O U S TA L K : A pass

C H A N D L E R CA R R U T H L LV M D E V M TG 2 0 1 4 T H E L LV M PA S S M A N AG E R PA RT 2 F R O M T H E P R E V I O U S TA L K : A pass operates on some unit of IR (Function, Module, ) Generally to transform it

666 views • 52 slides

More recommend