goodware drugs for malware on the fly malware analysis
play

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND - PowerPoint PPT Presentation

May 20, 2023 •117 likes •398 views

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

  1. GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS

  2. AGENDA  Something about malware  Malware internals  Current analysis tools  Our idea: on-the-fly malware analysis  The Avatar architecture  DEMO  Conclusion Damiano Bolzoni 7/19/10

  3. SOMETHING ABOUT MALWARE  In the last half-decade malware has evolved into a business for cyber criminals  it is one of the most pressing security problems on the Internet  Symantec and its friends show impressive statistics of growing rate, mainly due to:  polymorphism  packers Damiano Bolzoni 7/19/10

  4. MALWARE INTERNALS  Malware writers first shipped “monoholitic” executables  difficult to “adapt” to any OS configuration  easier for an AV to spot  ~30% of current malware download additional components once running  a “spore” is responsible for “planting” the malware  downloaded components are used to collect username/ password, infect other EXEs, etc.  BOTnets are a classical example Damiano Bolzoni 7/19/10

  5. CURRENT ANALYSIS/DEFENSIVE TOOLS  Dynamic malware analysis (DMA)  malware samples are executed in a sandbox  every action performed is logged  some tools support clustering  detects a new sample from a known family  Anubis, CWSandbox, Malheur, Malnet  Signature- and “model”-based AVs  DMA analysis reports are used to update signatures/models Damiano Bolzoni 7/19/10

  6. PROBLEMS WITH DMA – 1  Malware writers know about DMA tools, and implement several countermeasures to avoid/slow down analysis  runs only when users are actually logged in  waits for a certain time frame before activating  checks for virtualization  checks for known registry keys  check for known IPs  A DMA tool lacks the execution context Damiano Bolzoni 7/19/10

  7. PROBLEMS WITH DMA – 2  DMA tools perform only post-mortem analysis  users submit their sample(s) and get a report back  limited support to monitor an internal network and protect end hosts  if you submit a sample, you already suspect it is malware…and your AV likely did not detect it (otherwise…why submit it for further analysis?)  No real-time protection, as analysis requires special instrumentation Damiano Bolzoni 7/19/10

  8. GOALS  G1 : Can we use dynamic analysis tools to perform on-the- fly malware analysis and containment at the end host without having to deploy any software component before hand ?  G2 : Can we create a NOC for malware ? We call this architecture Avatar ! Damiano Bolzoni 7/19/10

  9. THE IDEA  As malware downloads additional components, it requires some external “content providers” (usually early compromised web servers)  Because such providers are not always available, malware runs several download attempts  If we can detect one of these attempts, we can feed the malware with a crafted executable (we call it “red pill”) that:  will run some real-time analysis at the end host  on-the-fly malware analysis  can be instructed to terminate its parent process  effective containment Damiano Bolzoni 7/19/10

  10. AVATAR – MAIN COMPONENTS  We need at least 3 logical components  download detection engine (DDE)  detects failed download attempts  red pill generator (RPG)  packs the red pill and sends it back to the target  malware analysis engine (MAE)  receives information from the red pill, once this is executed Damiano Bolzoni 7/19/10

  11. AVATAR – GENERAL ARCHITECTURE Damiano Bolzoni 7/19/10

  12. IMPLEMENTATION – 1  For practical reasons, we have implemented the DDE and the RPG into a single Linux box  An iptables rule transparently re-route outgoing HTTP traffic to an Apache web server, working in proxy transparent mode. We developed an Apache module that:  uses an algorithm based on TWR to detect “too many” failed attempts  checks the requested filename  checks magic numbers in case a file is successfully fetched after several attempts  packs and sends the red pill when # attempts > threshold Damiano Bolzoni 7/19/10

  13. IMPLEMENTATION – 2A  When the red pill is executed on the target machine, it attempts to get control over its parent process by trying several access : 1. PROCESS_ALL_ACCESS  full control 2. TERMINATE_PROCESS | QUERY_INFO | READ 3. QUERY_INFO | READ 4. TERMINATE_PROCESS  least access rights  Depending on the access level, and the OS version (latest 64 bit Windows versions allow fewer interactions), the red pill can:  freeze the process  terminate the process Damiano Bolzoni 7/19/10

  14. IMPLEMENTATION – 2B  The red pill collects then several information about the parent process:  path to the exe  any module that was loaded (full paths to the modules)  window (if any is attached) information: handle, size, caption text  executable size  Collected information are sent back (encrypted) to the MAE, which determines whether to stop the red pill or perform deeper analysis  the red pill can send back to the MAE the original parent executable Damiano Bolzoni 7/19/10

  15. IMPLEMENTATION – 3  The MAE performs a thorough analysis  real box, no virtualization/emulation  avoid malware countermeasures against analysis tools (our goal is not to analyze as many samples as possible)  kernel driver  difficult to detect  can also interact with other dynamic analysis engines (Malheur) Damiano Bolzoni 7/19/10

  16. WORKING MODES – TRANSPARENT MODE 1. The DDE notifies the RPG about the failed attempts 2. ONLY if a file is successfully downloaded, then the red pill is shipped 3. Provided the requested file is an executable, it is “glued” to the red pill so that it is executed once the red pill has finished the analysis 4. The red pill does not freeze or terminate its parent process, runs the preliminary analysis and, based on it, could send back to the MAE a copy of the parent executable Damiano Bolzoni 7/19/10

  17. WORKING MODES – SEMI-TRANSPARENT MODE  The DDE notifies the RPG about the failed attempts  The RPG waits for the requested file to be pulled down, checks whether it is an executable, and ships the red pill with the original file  The red pill freezes its parent process, runs the preliminary analysis and, based on it, could send back to the MAE a copy of the parent executable  When the MAE sets a verdict about the parent process, the red pill releases or terminates it Damiano Bolzoni 7/19/10

  18. WORKING MODES – NON-TRANSPARENT MODE  The DDE notifies the RPG about the failed attempts  Provided the requested filename points to an executable, the RPG sends back a red pill right away  The red pill runs the usual checks, possibly sends the parent executable, and freezes the parent process  When the MAE sets a verdict about the parent process, the red pill releases or terminates it Damiano Bolzoni 7/19/10

  19. LIMITATIONS – 1 THERE ARE SOME LIMITATIONS TO OUR APPROACH  Because we use some statistics-based heuristics to detect failed download attempts, malware could initiate connections at a very low rate  this would slow down the infection though  Malware could apply some verification/encryption mechanisms to the downloaded components  this would make updates more difficult (keys/hashes would have to be known in advance) or could be broken as the malware become known Damiano Bolzoni 7/19/10

  20. LIMITATIONS – 2  Malware writers could use steganography to hide executables into other file formats (e.g., JPEG)  we could add some plug-ins to verify that format matches content  Malware could leverage the CreateThread function to execute its code into another process  this could mislead the information collected by the red pill about the parent executable Damiano Bolzoni 7/19/10

  21. TESTS  The Avatar approach has been tested against real-life malware samples  CWSandbox data set, available at Malheur’s web site  Everyday malware we all receive in our mailbox   Dataset A  ~10 malware families, huge collection (almost) publicly available from the authors of Malheur (2009)  75 samples  Dataset B  Everyday malware we received in our mailboxes during a week time (2010)  30 samples Damiano Bolzoni 7/19/10

  22. TEST RESULTS – DATASET A Damiano Bolzoni 7/19/10

  23. TEST RESULTS – DATASET B Damiano Bolzoni 7/19/10

  24. DISCUSSION  No “sanity| check is basically run on the downloaded file  malware executes it right away  The heuristics are usually enough to determine whether a running program is malware  ~50% of malware detected by the heuristics  Some samples did not execute the red pill  they act as bogus “download service”, leaving the last step of actually launching the malware up to the user Damiano Bolzoni 7/19/10

  25. DEMO  Show time! Damiano Bolzoni 7/19/10

  26. CONCLUSION  Avatar raises the bar of malware analysis  no software is required to run at the end host  Avatar delivers on-the-fly any component needed for analysis  heavy computations are off-loaded  we can stop a malicious process as soon as it is detected (to some extent, depending on the OS)  We know it can be avoided, but this will also make it more difficult for malware writers  no countermeasure has been observed so far in our tests Damiano Bolzoni 7/19/10

  27. QUESTIONS ? Damiano Bolzoni 7/19/10

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal and Wenke Lee College of Computing Georgia Institute of Technology Agenda l Background l Defeating Automated Malware Analysis Host

1.28k views • 28 slides
Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Overview Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer immunization Kjell Jrgen Hole Simula@UiB 4. Epidemiological model 5. Malware halting analysis 6. Malware halting method Last updated

672 views • 29 slides
How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement Yoshihiro Oyama University of Tsukuba 1 Background Many malware programs execute operations for analysis evasion Detection of

346 views • 31 slides
CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane

CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane

CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane kaneca@mail.uc.edu January 24, 2017 Why Classification is Important Malware classification helps us in multiple ways. Here are a couple key ways:

787 views • 16 slides
Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware malware that evades analysis 2 logistics: LEX homework detect push ret pattern using fmex probably easier than TRICKY 3 upcoming exam next Wednesday

496 views • 48 slides
CS7038 - Malware Analysis - Wk07.2 Malware Research Online Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk07.2 Malware Research Online Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk07.2 Malware Research Online Coleman Kane kaneca@mail.uc.edu February 22, 2018 Exploring the Online Ecosystem One nice aspect of malware analysis is that, since much of it originates online and

119 views • 10 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

568 views • 22 slides
Examples of modern malware Malware Analysis Seminar Meeting 7 Cody Cutler, Anton Burtsev

Examples of modern malware Malware Analysis Seminar Meeting 7 Cody Cutler, Anton Burtsev

Examples of modern malware Malware Analysis Seminar Meeting 7 Cody Cutler, Anton Burtsev Stuxnet (2009) Organization Core a large .dll file 2 encrypted configuration files Dropper component Core in a stub section

703 views • 43 slides
MazeWalker Enriching static malware analysis and more Yevgeny Kulakov @p_h_0_e_n_i_x About Me

MazeWalker Enriching static malware analysis and more Yevgeny Kulakov @p_h_0_e_n_i_x About Me

MazeWalker Enriching static malware analysis and more Yevgeny Kulakov @p_h_0_e_n_i_x About Me Malware RE @ Trusteer, IBM, Seculert binary analysis automation sandbox development Now in vEYE Security on software container

591 views • 48 slides
Helping Johnny To Analyze Malware : A Usability-Optimized Decompiler and Malware Analysis User

Helping Johnny To Analyze Malware : A Usability-Optimized Decompiler and Malware Analysis User

Helping Johnny To Analyze Malware : A Usability-Optimized Decompiler and Malware Analysis User Study Khaled Yakdan Sergej Dechand Matthew Smith Elmar Gerhards-Padilla Fraunhofer FKIE University of Bonn University of Bonn University of Bonn

426 views • 19 slides
Malware analysis using visualized images and entropy graphs Kyoung Soo Han Jae Hyun Lim

Malware analysis using visualized images and entropy graphs Kyoung Soo Han Jae Hyun Lim

Malware analysis using visualized images and entropy graphs Kyoung Soo Han Jae Hyun Lim Boojoong Kang Eul Gyu Im Presented by Ruikai Zheng CISC850 Cyber Analytics 1.Introduction Malware variants developed using automated tools

206 views • 20 slides
LBL Pill Box cavity X O Y Mukti R Jana RF Meeting 4 -15 - 2013 2 Spark Distribution r

LBL Pill Box cavity X O Y Mukti R Jana RF Meeting 4 -15 - 2013 2 Spark Distribution r

Spark Damage Distribution on Pill Box Cavity Windows in r - plane Mukti R Jana Acknowledgment Moses Chung APC Fermilab 04-08-2013 LBL Pill Box cavity X O Y Mukti R Jana RF Meeting 4 -15 - 2013 2 Spark Distribution r Mukti R

297 views • 6 slides
The WLRK Proposal for 13(d) Reform: Market Protection or Corporate Entrenchment? Lucian Bebchuk

The WLRK Proposal for 13(d) Reform: Market Protection or Corporate Entrenchment? Lucian Bebchuk

The WLRK Proposal for 13(d) Reform: Market Protection or Corporate Entrenchment? Lucian Bebchuk The Conference Board, November 13, 2012 Debate with Martin Lipton Talk builds on: Bebchuk and Jackson (2012), The Law and Economics of

613 views • 13 slides
PNUTS: Yahoo!s Hosted Data Serving Platform Reading Review by: Alex Degtiar (adegtiar) 15-799

PNUTS: Yahoo!s Hosted Data Serving Platform Reading Review by: Alex Degtiar (adegtiar) 15-799

PNUTS: Yahoo!s Hosted Data Serving Platform Reading Review by: Alex Degtiar (adegtiar) 15-799 9/30/2013 What is PNUTS? Yahoos NoSQL database Motivated by web applications Massively parallel Geographically distributed

277 views • 26 slides
Data-Intensive Distributed Computing CS 431/631 451/651 (Fall 2019) Part 7: Mutable State (1/2)

Data-Intensive Distributed Computing CS 431/631 451/651 (Fall 2019) Part 7: Mutable State (1/2)

Data-Intensive Distributed Computing CS 431/631 451/651 (Fall 2019) Part 7: Mutable State (1/2) November 12, 2019 Ali Abedi These slides are available at https://www.student.cs.uwaterloo.ca/~cs451 This work is licensed under a Creative Commons

746 views • 59 slides
MODULE TWO You are an aspect of the cosmos What you are here to express? Your Intuition

MODULE TWO You are an aspect of the cosmos What you are here to express? Your Intuition

MODULE TWO You are an aspect of the cosmos What you are here to express? Your Intuition provides guidance when to stay and when to move The mind mimics the evolutionary impulse and drives you relentlessly Anxiety is never from the soul

184 views • 15 slides
Self-Encrypting Deception: Weaknesses in the Encryption of Solid State Drives (SSDs) Carlo Meijer

Self-Encrypting Deception: Weaknesses in the Encryption of Solid State Drives (SSDs) Carlo Meijer

Self-Encrypting Deception: Weaknesses in the Encryption of Solid State Drives (SSDs) Carlo Meijer Bernard van Gastel Radboud University Nijmegen Radboud University Nijmegen Midnight Blue Labs Open University of the Netherlands whoami Carlo

1.44k views • 141 slides
IPv4 Comes to an End Cesar Diaz cesar@lacnic.net Addressing in the Internet Devices on

IPv4 Comes to an End Cesar Diaz cesar@lacnic.net Addressing in the Internet Devices on

IPv4 Comes to an End Cesar Diaz cesar@lacnic.net Addressing in the Internet Devices on the Internet need to have unique addresses in order to be reachable from each other We have long put up with NAT, which up to a point subverts

427 views • 30 slides
All Your IFCException Are Belong To Us C t lin Hri cu (joint work with Michael Greenberg,

All Your IFCException Are Belong To Us C t lin Hri cu (joint work with Michael Greenberg,

All Your IFCException Are Belong To Us C t lin Hri cu (joint work with Michael Greenberg, Ben Karel, Benjamin Pierce, Greg Morrisett, and more) 2012-11-05 -- WG 2.8 meeting in Annapolis Information Flow Control [Fenton, 1974] Static

326 views • 18 slides

More recommend