inspector gadget
play

Inspector Gadget Automated Extraction of Proprietary Gadgets from - PowerPoint PPT Presentation

Nov 12, 2023 •214 likes •622 views

Int. Secure Systems Lab Vienna University of Technology Inspector Gadget Automated Extraction of Proprietary Gadgets from Malware Binaries Clemens KOLBITSCH Thorsten HOLZ Engin KIRDA Christopher KRUEGEL ck@iseclab.org Int.

  1. Int. Secure Systems Lab Vienna University of Technology Inspector Gadget Automated Extraction of Proprietary Gadgets from Malware Binaries Clemens KOLBITSCH Thorsten HOLZ Engin KIRDA Christopher KRUEGEL ck@iseclab.org Int. Secure Systems Lab Vienna University of Technology, Institute Eurecom Sophia Antipolis, UC Santa Barbara

  2. Motivation Int. Secure Systems Lab Vienna University of Technology • Analysis of malicious code is challenging Inspector Gadget 2

  3. Motivation Int. Secure Systems Lab Vienna University of Technology • Analysis of malicious code is challenging • Looking at the inner workings of every samples has become infeasible – … due to various obfuscation techniques – … due to analysis resistance (e.g., anti-debugging techniques) – … due to the huge number of malware families / variants Inspector Gadget 3

  4. Motivation Int. Secure Systems Lab Vienna University of Technology • Analysis of malicious code is challenging 76 172 submissions Anubis 58 041 new samples Inspector Gadget 4

  5. Motivation Int. Secure Systems Lab Vienna University of Technology • Analysis of malicious code is challenging • Looking at the inner workings of every samples has become infeasible – … due to various obfuscation techniques – … due to analysis resistance (e.g., anti-debugging techniques) – … due to the huge number of malware families / variants • Results of dynamic analys is cluttered by other behavior sample is capable of Inspector Gadget 5

  6. Motivation Int. Secure Systems Lab Vienna University of Technology • Results of dynamic analys is cluttered by other behavior sample is capable of armzasn.net armzasn.net kevflnwroo.com kevflnwroo.com C & C dzqbpieiy.info C & C dzqbpieiy.info rqkixea.biz binary location binary rqkixea.biz location komug.net update komug.net vhiax.org update vhiax.org C & C C & C component communication component communication installation installation 220 mx.google.com 220 mx.google.com 250-google 250-google target 250-PIPELINING spam target 250-PIPELINING spam 250-SIZE 10240000 selection templating 250-SIZE 10240000 selection 250-VRFY templating 250-VRFY 250-STARTTLS 250-STARTTLS Inspector Gadget 6

  7. Motivation Int. Secure Systems Lab Vienna University of Technology • Results of dynamic analysis cluttered by other behavior sample is capable of • Dynamic analysis is very resource consuming... • … and only provides temporary snapshot – malicious behavior might dependent on • analysis date & time • analysis environment (e.g., username, host OS, …) • availability of remote resources (e.g., C&C hosts) – needs to be repeatedly performed on single sample • at different points in time • preferably on different systems • even more time/resource consuming Inspector Gadget 7

  8. Motivation – Inspector Int. Secure Systems Lab Vienna University of Technology Wouldn't it be cool if we were able to extract a single behavior into a standalone component and use this to re-invoke the behavior? • Removes clutter from analysis results • Independent of other malicious activity – can be executed without virtual environment • Easy to replay in a different situation such as – point in time – operating system Inspector Gadget 8

  9. Motivating Example Int. Secure Systems Lab Vienna University of Technology • Conficker Domain Generation Algorithm (DGA) – decides which remote host to contact for C&C – domain depends on current time – current time is fetched from a remote host (e.g., msn) Inspector Gadget 9

  10. Motivating Example Int. Secure Systems Lab Vienna University of Technology • Conficker Domain Generation Algorithm (DGA) armzasn.net – decides which remote host to contact for C&C armzasn.net armzasn.net armzasn.net kevflnwroo.com kevflnwroo.com kevflnwroo.com – domain depends on current time kevflnwroo.com C & C dzqbpieiy.info dzqbpieiy.info C & C dzqbpieiy.info dzqbpieiy.info rqkixea.biz binary rqkixea.biz location – current time is fetched from a remote host (e.g., msn) rqkixea.biz binary rqkixea.biz location komug.net komug.net update komug.net komug.net vhiax.org update vhiax.org vhiax.org vhiax.org C & C C & C component communication component communication installation installation 220 mx.google.com 220 mx.google.com 250-google 250-google target 250-PIPELINING spam target 250-PIPELINING spam 250-SIZE 10240000 selection templating 250-SIZE 10240000 selection 250-VRFY templating 250-VRFY 250-STARTTLS 250-STARTTLS Inspector Gadget 10

  11. Outline Int. Secure Systems Lab Vienna University of Technology • Motivation – dynamic analysis reveals limited, temporary behavior • Behavior analysis & extraction – storing identified behavior into gadget • Behavior re-invocation – gadget player – gadget inversion • So... again, why...? – benefit recap • Gadget examples Inspector Gadget 11

  12. Int. Secure Systems Lab Vienna University of Technology Behavior Analysis and Extraction Inspector Gadget 12

  13. Extraction Overview Int. Secure Systems Lab Vienna University of Technology 4 step process Inspector Gadget 13

  14. Extraction Overview Int. Secure Systems Lab Vienna University of Technology control flow & Anubis instructions API taint dependencies step 1: memory dynamic accesses analysis Find interesting behavior that Find interesting behavior that is to be extracted. is to be extracted. Example: Hm, to which domain Example: Hm, to which domain am I connecting here?? am I connecting here?? Inspector Gadget 14

  15. Extraction Overview Int. Secure Systems Lab Vienna University of Technology Anubis step 2: behavior identification Map selected behavior to analyzed control flow & process & thread, API accesses and instructions control flow. control flow. outcome: API call / flow position outcome: API call / flow position Inspector Gadget 15

  16. Extraction Overview Int. Secure Systems Lab Vienna University of Technology Anubis step 2.1: identification refinement Find and suggest data manipulating control flow & Find and suggest data manipulating instructions after chosen API call. instructions instructions after chosen API call. Possibly refine chosen position to Possibly refine chosen position to include the data processing. include the data processing. Inspector Gadget 16

  17. Extraction Overview Int. Secure Systems Lab Vienna University of Technology control flow & API taint API taint call func1 call func1 instructions call func1 call func1 dependencies dependencies add %esp add %esp add %esp add %esp memory memory ... ... ... ... accesses accesses call func2 call func2 call func2 call func2 step 3: add %esp add %esp add %esp add %esp backward call func3 call func3 call func3 call func3 program slicing call StartS call StartS call StartS call StartS pop %eax pop %eax pop %eax pop %eax push “abc” push “abc” push “abc” push “abc” call DnsQry call DnsQry call DnsQry call DnsQry StartService StartService DnsQuery_W DnsQuery_W DnsQuery_W StartService StartService DnsQuery_W DnsQuery_W DnsQuery_W Inspector Gadget 17

  18. Extraction Overview Int. Secure Systems Lab Vienna University of Technology control flow & API taint API taint call func1 call func1 instructions call func1 call func1 dependencies dependencies add %esp add %esp ... add %esp add %esp ... memory memory ... ... call connect ... ... call connect accesses accesses call func2 call func2 jmp L_1 call func2 call func2 jmp L_1 step 3: add %esp add %esp L_0: add %esp add %esp L_0: backward call func3 call func3 call recv call func3 call func3 call recv program ... ... L_1: slicing call StartS call StartS L_1: call StartS call StartS test %eax pop %eax pop %eax test %eax pop %eax pop %eax je L_0 WSAStartup push “abc” push “abc” je L_0 WSAStartup push “abc” push “abc” call DnsQry call DnsQry call DnsQry call DnsQry connect connect StartService StartService DnsQuery_W DnsQuery_W DnsQuery_W recv StartService StartService DnsQuery_W DnsQuery_W DnsQuery_W recv Inspector Gadget 18

  19. Extraction Overview Int. Secure Systems Lab Vienna University of Technology step 4: gadget creation Inspector Gadget 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Inspector Gadget: A Framework for Custom Monitoring and Debugging of Distributed Dataflows

Inspector Gadget: A Framework for Custom Monitoring and Debugging of Distributed Dataflows

Inspector Gadget: A Framework for Custom Monitoring and Debugging of Distributed Dataflows Christopher Olston and Benjamin Reed Yahoo! Research Web Scale problems Lots of servers, users, and data Fun to have power at your fingertip

505 views • 33 slides
Kernel USB Gadget Configfs Interface Matt Porter Linaro Overview Prereqs: understand USB

Kernel USB Gadget Configfs Interface Matt Porter Linaro Overview Prereqs: understand USB

Kernel USB Gadget Configfs Interface Matt Porter Linaro Overview Prereqs: understand USB Linux USB Terminology Brief history of USB gadget subsystem Other filesystem-based gadget interfaces Using USB gadget configfs

439 views • 21 slides
Combating Organized Crime Inspector Dieter Boeheim Inspector Mike Slack Inspector Keith Merith

Combating Organized Crime Inspector Dieter Boeheim Inspector Mike Slack Inspector Keith Merith

Combating Organized Crime Inspector Dieter Boeheim Inspector Mike Slack Inspector Keith Merith April 22, 2015 Presentation Overview What is Organized Crime Intelligence Bureau Composition Partnerships Illicit Activities

373 views • 36 slides
Inspektor Gadget and traceloop Tracing containers syscalls using BPF FOSDEM | 1 Feb 2020

Inspektor Gadget and traceloop Tracing containers syscalls using BPF FOSDEM | 1 Feb 2020

Inspektor Gadget and traceloop Tracing containers syscalls using BPF FOSDEM | 1 Feb 2020 https://tinyurl.com/fosdem-gadget Hi, Im Alban Alban Crequy CTO, Kinvolk Github: alban Twitter: albcr Email: alban@kinvolk.io Kinvolk Driving

426 views • 30 slides
Office of the Inspector General Jess Womack Inspector General Budget, Facilities and Audit

Office of the Inspector General Jess Womack Inspector General Budget, Facilities and Audit

Office of the Inspector General Jess Womack Inspector General Budget, Facilities and Audit Committee January 24, 2012 Office of the Inspector General 2 Office of the Inspector General FY 2007/2008 Budget Current Year Budget $11.9

116 views • 7 slides
SPECIAL INSPECTOR GENERAL FOR IRAQ RECONSTRUCTION: J. J. Crowley Deputy Inspector General for

SPECIAL INSPECTOR GENERAL FOR IRAQ RECONSTRUCTION: J. J. Crowley Deputy Inspector General for

SPECIAL INSPECTOR GENERAL FOR IRAQ RECONSTRUCTION: J. J. Crowley Deputy Inspector General for Investigations Office of Inspector General, TX HHSC SPECIAL INSPECTOR GENERAL FOR IRAQ RECONSTRUCTION (SIGIR) History SIGIR Investigative

336 views • 15 slides
Nancy Henry HSENI Inspector Lead Inspector for noise and vibration content What is the

Nancy Henry HSENI Inspector Lead Inspector for noise and vibration content What is the

Nancy Henry HSENI Inspector Lead Inspector for noise and vibration content What is the problem What are the health effects Sources of vibration Legal requirements Sources of information Solutions Questions Whats

666 views • 51 slides
ROP Gadget Prevalence and Survival under Compiler-based Binary Diversification Schemes Joel

ROP Gadget Prevalence and Survival under Compiler-based Binary Diversification Schemes Joel

Background Evaluation Conclusion ROP Gadget Prevalence and Survival under Compiler-based Binary Diversification Schemes Joel Coffman Daniel M. Kelly Christopher C. Wellons Andrew S. Gearhart Johns Hopkins University Applied Physics

1.28k views • 45 slides
Inspector Kevin Swaney Project Griffin Gatwick Airport Inspector Kevin Swinney Project Griffin

Inspector Kevin Swaney Project Griffin Gatwick Airport Inspector Kevin Swinney Project Griffin

Inspector Kevin Swaney Project Griffin Gatwick Airport Inspector Kevin Swinney Project Griffin Started life in 2004 City of London Police JP Morgan ACPO(TAM) International partnership fight against terrorism Benefit for both the business

244 views • 21 slides
Office of Inspector General NSF Grants Conference June 1-2, 2015 William J. Kilgallin Senior

Office of Inspector General NSF Grants Conference June 1-2, 2015 William J. Kilgallin Senior

Office of Inspector General NSF Grants Conference June 1-2, 2015 William J. Kilgallin Senior Advisor, Investigations Office of Inspector General National Science Foundation Who We Are Inspector General Assistant Inspector Assistant

548 views • 13 slides
T.A.A.G Tamper Automated Alert Gadget Final Presentation Group 7 Funding Aiman Salih EE Dr.

T.A.A.G Tamper Automated Alert Gadget Final Presentation Group 7 Funding Aiman Salih EE Dr.

T.A.A.G Tamper Automated Alert Gadget Final Presentation Group 7 Funding Aiman Salih EE Dr. Yuan, Co-Director of MIST Daniel Gibney CpE research center at UCF. Leaphar Castro EE Motivation With the ever expanding use of IoT sensor

740 views • 46 slides
Topics in the Office of Inspector General Office of Inspector General, U.S. Department of

Topics in the Office of Inspector General Office of Inspector General, U.S. Department of

Topics in the Office of Inspector General Office of Inspector General, U.S. Department of Transportation Presented by: Tony Wysocki | Program Director, Surface Transportation Audits Mike Masoudian | Project Manager, Surface Transportation Audits

800 views • 44 slides
Urban Development Office of Inspector General Fort Worth, TX February 15, 2012 Presenters

Urban Development Office of Inspector General Fort Worth, TX February 15, 2012 Presenters

U.S. Department of Housing and Urban Development Office of Inspector General Fort Worth, TX February 15, 2012 Presenters Nikita N. Irons Regional Inspector General for Audit New Orleans, LA Tracey Carney Assistant Regional Inspector

509 views • 36 slides
Forensic Auditing Presented by William J. DiVello Assistant Inspector General for Audit

Forensic Auditing Presented by William J. DiVello Assistant Inspector General for Audit

Association of Inspectors General Certified Inspector General Auditor course Forensic Auditing Presented by William J. DiVello Assistant Inspector General for Audit District of Columbia Office of the Inspector General Governmental Auditing

497 views • 27 slides
October 2018 Adela Padilla RPh State Drug Inspector Kris Mossberg PharmD State Drug Inspector

October 2018 Adela Padilla RPh State Drug Inspector Kris Mossberg PharmD State Drug Inspector

October 2018 Adela Padilla RPh State Drug Inspector Kris Mossberg PharmD State Drug Inspector 1 CURRENT BOARD MEMBERS April 2018 Richard Mazzoni RPh Chairman NE Bill Lord RPh Hospital Neal Dungan RPh SE Joe Anderson RPh

1k views • 66 slides
Size Does Matter Why Using Gadget-Chain Length to Prevent Code-reuse Attacks is Hard Enes

Size Does Matter Why Using Gadget-Chain Length to Prevent Code-reuse Attacks is Hard Enes

Size Does Matter Why Using Gadget-Chain Length to Prevent Code-reuse Attacks is Hard Enes Gkta - Elias Athanasopoulos - Michalis Polychronakis Herbert Bos - Georgios Portokalidis presented by: Flora Karniavoura Katerina Karagiannaki

376 views • 23 slides
Advances in Machine Learning tools in High Energy Physics David Rousseau LAL-Orsay

Advances in Machine Learning tools in High Energy Physics David Rousseau LAL-Orsay

Advances in Machine Learning tools in High Energy Physics David Rousseau LAL-Orsay rousseau@lal.in2p3.fr LPSC Seminar, Tuesday 4th October 2016 Outline q Basics q ML software tools q ML techniques q ML in analysis q ML in

904 views • 73 slides
Killing Bugs in a Black Box with Model-based Mutation Testing Bernhard K. Aichernig Institute of

Killing Bugs in a Black Box with Model-based Mutation Testing Bernhard K. Aichernig Institute of

Institute of Software Technology tugraz Killing Bugs in a Black Box with Model-based Mutation Testing Bernhard K. Aichernig Institute of Software Technology Graz University of Technology, Austria MT CPS Workshop Vienna, 11 Apr 2016 B.K.

1.49k views • 111 slides
Morphosyntactic gambits (or: dont assume syntacticians will do your morphological washing)

Morphosyntactic gambits (or: dont assume syntacticians will do your morphological washing)

Morphosyntactic gambits (or: dont assume syntacticians will do your morphological washing) 1 Greville G. Corbett Surrey Morphology Group g.corbett@surrey.ac.uk Outline of the paper 1 The intellectual landscape 2 The issue 3

262 views • 15 slides
FroCoS13 Business Meeting LORIA & INRIA Nancy Grand Est September 19, 2013

FroCoS13 Business Meeting LORIA & INRIA Nancy Grand Est September 19, 2013

FroCoS13 Business Meeting LORIA & INRIA Nancy Grand Est September 19, 2013 (LORIA-UHP-INRIA) FroCoS13 Business Meeting 1 / 15 Context: Colocation with Tableaux { FroCoS , Tableaux } IJCAR12 FroCoS13?

336 views • 15 slides
Domain-specific front-end for virtual Domain-specific front-end for virtual system modeling

Domain-specific front-end for virtual Domain-specific front-end for virtual system modeling

Domain-specific front-end for virtual Domain-specific front-end for virtual system modeling Workshop on Graphical Modeling Language Development at ECMFA 2012 Janne Vatjus-Anttila, Jari Kreku, Kari Tiensyrj VTT Technical Research Centre of

320 views • 20 slides
Global Illumination CPSC 453 Fall 2018 Sonny Chan Outline for Today (and Thursday)

Global Illumination CPSC 453 Fall 2018 Sonny Chan Outline for Today (and Thursday)

Global Illumination CPSC 453 Fall 2018 Sonny Chan Outline for Today (and Thursday) Motivation Radiometry: foundations of physically-based rendering Surface reflectance The rendering equation Solutions to the rendering

886 views • 86 slides
The Yann Arthus-Bertrand project "Earth seen from the Sky" recorded a huge public

The Yann Arthus-Bertrand project "Earth seen from the Sky" recorded a huge public

The Yann Arthus-Bertrand project "Earth seen from the Sky" recorded a huge public success. Reveals wonderful symmetry and color. Scenes captured by the camera from unusual angles. "Earth seen from the Sky " is currently

668 views • 47 slides
Corruption and Enforcement in Transnational Business: The Legal Framework Lucinda A. Low

Corruption and Enforcement in Transnational Business: The Legal Framework Lucinda A. Low

Corruption and Enforcement in Transnational Business: The Legal Framework Lucinda A. Low Sturm College of Law Webinar Series on Corruption May 27, 2020 1 Presentation Topics Overview of the FCPA and Recent Enforcement Other U.S.

394 views • 25 slides

More recommend