formal avenue for chasing metamorphic malware
play

Formal Avenue for Chasing Metamorphic Malware Mila Dalla Preda - PowerPoint PPT Presentation

Sep 13, 2022 •183 likes •705 views

Formal Avenue for Chasing Metamorphic Malware Mila Dalla Preda University of Verona, Italy Joint work with Roberto Giacobazzi, Saumya Debray, Arun Lakhotia presented by Isabella Mastroeni CREST, May 30th 2013 Dalla Preda (CREST 2013) Chasing

  1. Formal Avenue for Chasing Metamorphic Malware Mila Dalla Preda University of Verona, Italy Joint work with Roberto Giacobazzi, Saumya Debray, Arun Lakhotia presented by Isabella Mastroeni CREST, May 30th 2013 Dalla Preda (CREST 2013) Chasing Metamorphism CREST, May 30th 2013 1 / 25

  2. Introduction Metamorphism M ALWARE DETECTION M ALWARE = M AL icious soft WARE Dalla Preda (CREST 2013) Chasing Metamorphism CREST, May 30th 2013 2 / 25

  3. Introduction Metamorphism M ALWARE DETECTION M ALWARE = M AL icious soft WARE Malware detector Is a program D that determines whether a program P is malicious � true if D determines that P is malicious D ( P ) = false otherwise Dalla Preda (CREST 2013) Chasing Metamorphism CREST, May 30th 2013 2 / 25

  4. Introduction Metamorphism M ALWARE DETECTION M ALWARE = M AL icious soft WARE Malware detector Is a program D that determines whether a program P is malicious � true if D determines that P is malicious D ( P ) = false otherwise An ideal malware detector is sound and complete: S OUND = no false positives (no false alarms) Dalla Preda (CREST 2013) Chasing Metamorphism CREST, May 30th 2013 2 / 25

  5. Introduction Metamorphism M ALWARE DETECTION M ALWARE = M AL icious soft WARE Malware detector Is a program D that determines whether a program P is malicious � true if D determines that P is malicious D ( P ) = false otherwise An ideal malware detector is sound and complete: S OUND = no false positives (no false alarms) C OMPLETE = no false negatives (no missed alarms) Dalla Preda (CREST 2013) Chasing Metamorphism CREST, May 30th 2013 2 / 25

  6. Introduction Metamorphism M ALWARE DETECTION Standard malware detectors: Signature Checking Identify a sequence of instructions which is unique to a malware (virus signature) then scan programs for signatures Dalla Preda (CREST 2013) Chasing Metamorphism CREST, May 30th 2013 3 / 25

  7. Introduction Metamorphism M ALWARE DETECTION Standard malware detectors: Signature Checking Identify a sequence of instructions which is unique to a malware (virus signature) then scan programs for signatures Low false positive rate, easy to use Cumbersome, difficult to extract automatically, easy to foil How can we escape signature checking? Dalla Preda (CREST 2013) Chasing Metamorphism CREST, May 30th 2013 3 / 25

  8. Introduction Metamorphism M ALWARE DETECTION Standard malware detectors: Signature Checking Identify a sequence of instructions which is unique to a malware (virus signature) then scan programs for signatures Low false positive rate, easy to use Cumbersome, difficult to extract automatically, easy to foil How can we escape signature checking? B Y DYNAMICALLY MODIFYING MALWARE STRUCTURE ! Dalla Preda (CREST 2013) Chasing Metamorphism CREST, May 30th 2013 3 / 25

  9. Introduction Metamorphism E SCAPE S IGNATURE C HECKING Polymorphic malware The malware code is encrypted and contains a decryption routine that decrypts the code and then executes it. Dalla Preda (CREST 2013) Chasing Metamorphism CREST, May 30th 2013 4 / 25

  10. Introduction Metamorphism E SCAPE S IGNATURE C HECKING Polymorphic malware The malware code is encrypted and contains a decryption routine that decrypts the code and then executes it. Metamorphic malware The malware applies semantics-preserving transformations (e.g. obfuscations) to mutate its own code as it propagates. Dalla Preda (CREST 2013) Chasing Metamorphism CREST, May 30th 2013 4 / 25

  11. Introduction Metamorphism M ETAMORPHIC C ODE - E XAMPLES E QUIVALENT CODE REPLACEMENT MOV EAX , [ X ] XOR EAX , EAX MOV EBX , [ Y ] ADD EAX , [ X ] ADD EAX , EBX ADD EAX , [ Y ] MOV [ X ], EAX MOV [ X ], EAX Dalla Preda (CREST 2013) Chasing Metamorphism CREST, May 30th 2013 5 / 25

  12. Introduction Metamorphism M ETAMORPHIC C ODE - E XAMPLES E QUIVALENT CODE REPLACEMENT MOV EAX , [ X ] XOR EAX , EAX MOV EBX , [ Y ] ADD EAX , [ X ] ADD EAX , EBX ADD EAX , [ Y ] MOV [ X ], EAX MOV [ X ], EAX R EGISTER RENAMING MOV EAX , [ X ] MOV ECX , [ X ] MOV EBX , [ Y ] MOV EAX , [ Y ] ADD EAX , EBX ADD ECX , EAX MOV [ X ], EAX MOV [ X ], ECX Dalla Preda (CREST 2013) Chasing Metamorphism CREST, May 30th 2013 5 / 25

  13. Introduction Metamorphism M ETAMORPHIC C ODE - E XAMPLES C ODE REORDERING MOV EAX , [ X ] MOV EBX , [ Y ] MOV EBX , [ Y ] MOV EAX , [ X ] ADD EAX , EBX ADD EAX , EBX MOV [ X ], EAX MOV [ X ], EAX Dalla Preda (CREST 2013) Chasing Metamorphism CREST, May 30th 2013 6 / 25

  14. Introduction Metamorphism M ETAMORPHIC C ODE - E XAMPLES C ODE REORDERING MOV EAX , [ X ] MOV EBX , [ Y ] MOV EBX , [ Y ] MOV EAX , [ X ] ADD EAX , EBX ADD EAX , EBX MOV [ X ], EAX MOV [ X ], EAX G ARBAGE INSERTION MOV EAX , [ X ] MOV EAX , [ X ] MOV EBX , [ Y ] MOV EBX , [ Y ] ADD EAX , EBX ADD EAX , EBX MOV [ X ], EAX PUSH , ESI MOV [ X ], EAX POP ESI Dalla Preda (CREST 2013) Chasing Metamorphism CREST, May 30th 2013 6 / 25

  15. Motivation The Problem Dalla Preda (CREST 2013) Chasing Metamorphism CREST, May 30th 2013 7 / 25

  16. Motivation The Problem C HASING M ETAMORPHISM In order to detect metamorphic malware variants malware detector should be based on SEMANTIC program features. Dalla Preda (CREST 2013) Chasing Metamorphism CREST, May 30th 2013 8 / 25

  17. Motivation The Problem C HASING M ETAMORPHISM In order to detect metamorphic malware variants malware detector should be based on SEMANTIC program features. Abstract models of malware that ideally capture the essence of being malicious while abstracting from the details that are modified by metamorphism; system call, symbolic names, automata, cfg, rewriting rules towards normal forms, model checking.... Dalla Preda (CREST 2013) Chasing Metamorphism CREST, May 30th 2013 8 / 25

  18. Motivation The Problem C HASING M ETAMORPHISM In order to detect metamorphic malware variants malware detector should be based on SEMANTIC program features. Abstract models of malware that ideally capture the essence of being malicious while abstracting from the details that are modified by metamorphism; system call, symbolic names, automata, cfg, rewriting rules towards normal forms, model checking.... A PRIORI KNOWLEDGE OF THE METAMORPHIC TRANSFORMATIONS Dalla Preda (CREST 2013) Chasing Metamorphism CREST, May 30th 2013 8 / 25

  19. Motivation The Problem T HE C HALLENGE The malware code contains the metamorphic engine (70%) Dalla Preda (CREST 2013) Chasing Metamorphism CREST, May 30th 2013 9 / 25

  20. Motivation The Problem T HE C HALLENGE The malware code contains the metamorphic engine (70%) Metamorphic signature is a characterization of the set L of the possible code variants generated by a metamorphic malware Dalla Preda (CREST 2013) Chasing Metamorphism CREST, May 30th 2013 9 / 25

  21. Motivation The Problem T HE C HALLENGE The malware code contains the metamorphic engine (70%) Metamorphic signature is a characterization of the set L of the possible code variants generated by a metamorphic malware σ IS A METAMORPHIC VARIANT ⇒ σ ∈ L Dalla Preda (CREST 2013) Chasing Metamorphism CREST, May 30th 2013 9 / 25

  22. Motivation The Problem T HE C HALLENGE The malware code contains the metamorphic engine (70%) Metamorphic signature is a characterization of the set L of the possible code variants generated by a metamorphic malware σ IS A METAMORPHIC VARIANT ⇒ σ ∈ L T HE P ROBLEM Is there a way for systematically extracting a metamorphic signature without a priori knowledge of the metamorphic transformations used? Dalla Preda (CREST 2013) Chasing Metamorphism CREST, May 30th 2013 9 / 25

  23. Motivation The Problem I DEALLY . . . Program Evolution Graph A precise description of the evolution of the code during execution Dalla Preda (CREST 2013) Chasing Metamorphism CREST, May 30th 2013 10 / 25

  24. Motivation The Problem I DEALLY . . . Program Evolution Graph A precise description of the evolution of the code during execution Given a self-modifying program P 0 we would like to generate its program evolution graph (or a sound approximation) Dalla Preda (CREST 2013) Chasing Metamorphism CREST, May 30th 2013 10 / 25

  25. Other State Program Info The Idea T HE I DEA The ME is part of the code of the metamorphic malware Dalla Preda (CREST 2013) Chasing Metamorphism CREST, May 30th 2013 11 / 25

  26. Other State Program Info The Idea T HE I DEA The ME is part of the code of the metamorphic malware ⇒ The description of the metamorphic behaviour – code evolution – is inside the trace semantics of the metamorphic malware Dalla Preda (CREST 2013) Chasing Metamorphism CREST, May 30th 2013 11 / 25

  27. The Idea T HE I DEA The ME is part of the code of the metamorphic malware ⇒ The description of the metamorphic behaviour – code evolution – is inside the trace semantics of the metamorphic malware The state contains a description of the program that is executed Other State Program Info Dalla Preda (CREST 2013) Chasing Metamorphism CREST, May 30th 2013 11 / 25

  28. The Idea T HE I DEA The ME is part of the code of the metamorphic malware ⇒ The description of the metamorphic behaviour – code evolution – is inside the trace semantics of the metamorphic malware The state contains a description of the program that is executed Other State Program Info We use Abstract Interpretation! Dalla Preda (CREST 2013) Chasing Metamorphism CREST, May 30th 2013 11 / 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

New approaches for chasing metamorphic malware Isabella Mastroeni University of Verona, Italy

New approaches for chasing metamorphic malware Isabella Mastroeni University of Verona, Italy

New approaches for chasing metamorphic malware Isabella Mastroeni University of Verona, Italy Joint work with Roberto Giacobazzi, Neil Jones, Mila Dalla Preda 30 May 2013 Mastroeni (CREST 2013) Chasing malware 30 May 2013 1 / 29

690 views • 68 slides
RUXCON Courtesy of google images Metamorphic template with

RUXCON Courtesy of google images Metamorphic template with

Oct, 2016 Senior Malware Scientist ,Trend Micro spark@trendmicro.com RUXCON Courtesy of google images Metamorphic template with parameters #1 Original Code

701 views • 43 slides
Chasing Bottoms Nils Anders Danielsson Patrik Jansson Chalmers Chasing Bottoms p.1/7

Chasing Bottoms Nils Anders Danielsson Patrik Jansson Chalmers Chasing Bottoms p.1/7

Chasing Bottoms Nils Anders Danielsson Patrik Jansson Chalmers Chasing Bottoms p.1/7 Context Cover project. Verification of real Haskell programs. Haskell non-strict partial and infinite values relatively common. Chasing Bottoms

555 views • 7 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

568 views • 22 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Engineering Geology Metamorphic Rocks Hussien Al - deeky 1 Engineering Geology Definition

Engineering Geology Metamorphic Rocks Hussien Al - deeky 1 Engineering Geology Definition

Engineering Geology Metamorphic Rocks Hussien Al - deeky 1 Engineering Geology Definition Metamorphic rock is the result of the transformation of an existing rock type, the protolith ( parent rock ) , in a process called metamorphism, which means

804 views • 23 slides
The Remote Metamorphic Engine Detecting, Evading, Attacking the AI and Reverse Engineering Amro

The Remote Metamorphic Engine Detecting, Evading, Attacking the AI and Reverse Engineering Amro

The Remote Metamorphic Engine Detecting, Evading, Attacking the AI and Reverse Engineering Amro Abdelgawad / REcon 2016 line46_1: mov ecx, [esp] nop nop mov dl, 0xe9 test edx, edx mov byte [ecx], dl The Remote Metamorphic Engine xor eax, 0

683 views • 50 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
Metamorphic Rocks Basement of Parashant Geological Adventures at Parashant Lesson 4

Metamorphic Rocks Basement of Parashant Geological Adventures at Parashant Lesson 4

Metamorphic Rocks Basement of Parashant Geological Adventures at Parashant Lesson 4 Objectives Metamorphism changes one kind of rock into another kind of rock. Several ways that heat and pressure change rocks. Metamorphic

277 views • 16 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Overview Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer immunization Kjell Jrgen Hole Simula@UiB 4. Epidemiological model 5. Malware halting analysis 6. Malware halting method Last updated

672 views • 29 slides
How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement Yoshihiro Oyama University of Tsukuba 1 Background Many malware programs execute operations for analysis evasion Detection of

346 views • 31 slides
Franciss Algorithm as a Core-Chasing Algorithm David S. Watkins Department of Mathematics

Franciss Algorithm as a Core-Chasing Algorithm David S. Watkins Department of Mathematics

Franciss Algorithm as a Core-Chasing Algorithm David S. Watkins Department of Mathematics Washington State University PNWNAS, November 12, 2016 David S. Watkins Core-Chasing Algorithm Todays Topic David S. Watkins Core-Chasing

2.53k views • 189 slides
Key Themes from Supervision Andrew Kermode Colin Manley www.aicp.im Financial Services

Key Themes from Supervision Andrew Kermode Colin Manley www.aicp.im Financial Services

Key Themes from Supervision Andrew Kermode Colin Manley www.aicp.im Financial Services Authority Supervisory Update A n d r e w K e r m o d e & C o l i n M a n l e y Agenda Key Supervisory Observations Risk Management & AML/CFT

557 views • 32 slides
Software Component Protocol Inference Tao Xie General Examination Presentation Dept. of

Software Component Protocol Inference Tao Xie General Examination Presentation Dept. of

Software Component Protocol Inference Tao Xie General Examination Presentation Dept. of Computer Science and Engineering University of Washington 6 June 2003 1 Outline Background Overview of protocol inference Dynamic protocol

810 views • 52 slides
Sustaining Your Research Credit Cost Allocations: Making the Most of What You Have William A.

Sustaining Your Research Credit Cost Allocations: Making the Most of What You Have William A.

Sustaining Your Research Credit Cost Allocations: Making the Most of What You Have William A. Schmalzl, Chicago, IL March 14, 2017 wschmalzl@mayerbrown.com Michael Kaupa, Chicago, IL mkaupa@mayerbrown.com Mayer Brown is a global legal

882 views • 37 slides
Formal Languages Philippe de Groote 2018-2019 Philippe de Groote Formal Languages 2018-2019 1

Formal Languages Philippe de Groote 2018-2019 Philippe de Groote Formal Languages 2018-2019 1

Formal Languages Philippe de Groote 2018-2019 Philippe de Groote Formal Languages 2018-2019 1 / 28 Outline Regular expressions and regular languages 3 Definition Some algebraic properties From regular expressions to FSA From FSA to

1.01k views • 83 slides
Efforts to Secure Efforts to Secure Electronic Financial Transactions Electronic Financial

Efforts to Secure Efforts to Secure Electronic Financial Transactions Electronic Financial

- Case Study - - Case Study - Efforts to Secure Efforts to Secure Electronic Financial Transactions Electronic Financial Transactions in Korea in Korea 2008. 6. 27 2008. 6. 27 20 th FIRST Annual Conference 20 th FIRST Annual Conference

651 views • 27 slides
Extracting semi-Dyck words from fsa using the CYK algorithm Thomas Ruprecht November 30, 2018

Extracting semi-Dyck words from fsa using the CYK algorithm Thomas Ruprecht November 30, 2018

Extracting semi-Dyck words from fsa using the CYK algorithm Thomas Ruprecht November 30, 2018 Outline Motivation Finding appropriate restrictions CYK algorithm for extraction of semi-Dyck words goal: extract semi-Dyck words from reg.

891 views • 48 slides
On the Upward/Downward Closures of Petri Nets Mohammed Faouzi Atig 1 , Roland Meyer 2 , Sebastian

On the Upward/Downward Closures of Petri Nets Mohammed Faouzi Atig 1 , Roland Meyer 2 , Sebastian

Prakash Saivasan 2 August 25, MFCS 2017, Aalborg 1 Uppsala University, Sweden mohamed_faouzi.atig@it.uu.se 2 TU Braunschweig, Germany {roland.meyer, s.muskalla, p.saivasan}@tu-bs.de On the Upward/Downward Closures of Petri Nets Mohammed

1.59k views • 121 slides
recursion, divide & conquer, text processing Yves Lesprance Adapted from Peter

recursion, divide & conquer, text processing Yves Lesprance Adapted from Peter

recursion, divide & conquer, text processing Yves Lesprance Adapted from Peter Roosen-Runge CSE 3401 F 2012 1 finite state automata a finite state automaton ( , S, s 0 , , F) is a representation of a machine as a - finite set

489 views • 20 slides

More recommend