SLIDE 1

Int. Secure Systems Lab
Vienna University of Technology

Inspector Gadget
Automated Extraction of Proprietary Gadgets from Malware Binaries

Clemens KOLBITSCH, Thorsten HOLZ, Engin KIRDA, Christopher KRUEGEL
ck@iseclab.org

Int. Secure Systems Lab, Vienna University of Technology; Institute Eurecom, Sophia Antipolis; UC Santa Barbara

SLIDES 2-5

Motivation

  • Analysis of malicious code is challenging
  • Looking at the inner workings of every sample has become infeasible
    – … due to various obfuscation techniques
    – … due to analysis resistance (e.g., anti-debugging techniques)
    – … due to the huge number of malware families / variants

[Figure: Anubis statistics: 76 172 submissions, 58 041 new samples]

  • Results of dynamic analysis are cluttered by other behavior the sample is capable of

SLIDE 6

Motivation

  • Results of dynamic analysis are cluttered by other behavior the sample is capable of

[Figure: behaviors observed in a single analysis run: binary update, component installation, C & C communication, spam templating, target selection, C & C location. Shown output: an SMTP dialogue "220 mx.google.com 250-google 250-PIPELINING 250-SIZE 10240000 250-VRFY 250-STARTTLS" and the generated domains armzasn.net kevflnwroo.com dzqbpieiy.info rqkixea.biz komug.net vhiax.org]

SLIDE 7

Motivation

  • Results of dynamic analysis are cluttered by other behavior the sample is capable of
  • Dynamic analysis is very resource consuming...
  • … and only provides a temporary snapshot
    – malicious behavior might depend on
      • analysis date & time
      • analysis environment (e.g., username, host OS, …)
      • availability of remote resources (e.g., C&C hosts)
    – needs to be repeatedly performed on a single sample
      • at different points in time
      • preferably on different systems
      • even more time/resource consuming
SLIDE 8

Motivation – Inspector

Wouldn't it be cool if we were able to extract a single behavior into a standalone component and use this to re-invoke the behavior?

  • Removes clutter from analysis results
  • Independent of other malicious activity
    – can be executed without virtual environment
  • Easy to replay in a different situation such as
    – point in time
    – operating system

SLIDES 9-10

Motivating Example

  • Conficker Domain Generation Algorithm (DGA)
    – decides which remote host to contact for C&C
    – domain depends on current time
    – current time is fetched from a remote host (e.g., msn)

[Figure: the same behavior list as on slide 6 (binary update, component installation, C & C communication, spam templating, target selection, C & C location) with the SMTP dialogue and the generated domains armzasn.net kevflnwroo.com dzqbpieiy.info rqkixea.biz komug.net vhiax.org highlighted as the C & C location behavior]

SLIDE 11

Outline

  • Motivation
    – dynamic analysis reveals limited, temporary behavior
  • Behavior analysis & extraction
    – storing identified behavior into gadget
  • Behavior re-invocation
    – gadget player
    – gadget inversion
  • So... again, why...?
    – benefit recap
  • Gadget examples
SLIDE 12

Behavior Analysis and Extraction

SLIDE 13

Extraction Overview

4-step process

SLIDE 14

Extraction Overview

step 1: dynamic analysis

[Figure: Anubis records control flow & instructions, API taint dependencies and memory accesses]

Find interesting behavior that is to be extracted. Example: Hm, to which domain am I connecting here??

SLIDE 15

Extraction Overview

step 2: behavior identification

Map the selected behavior to the analyzed process & thread, API accesses and control flow.

  • Outcome: API call / flow position

SLIDE 16

Extraction Overview

step 2.1: identification refinement

Find and suggest data manipulating instructions after the chosen API call. Possibly refine the chosen position to include the data processing.

SLIDES 17-18

Extraction Overview

step 3: backward program slicing
(inputs: control flow & instructions, API taint dependencies, memory accesses)

[Figure: slicing backwards from the DnsQuery_W call. Code fragments shown on the slides:

    call func1
    add %esp
    ...
    call func2
    add %esp
    call func3

    call StartS
    pop %eax
    push "abc"
    call DnsQry

    ...
    call connect
    jmp L_1
    L_0: call recv
    ...
    L_1: test %eax
    je L_0

API nodes in the dependency graph: StartService and DnsQuery_W (slide 17); connect, recv and WSAStartup are added on slide 18.]

SLIDES 19-21

Extraction Overview

step 4: gadget creation

[Figure: listing at 001E:1000 … 001E:1044 with the functions main, func2 and func3, shown in three stages]

Sliced instructions:
    call <001E:1018>
    add %esp
    call <001E:103C>
    call connect
    call recv
    ...
    test %eax
    je <001E:101C>
    ...
    push "abc"
    call DnsQuery_W

The string operand resolved to its data address:
    push <0018:A704>
    call DnsQuery_W

API calls redirected to environment hooks:
    call @hook-connect
    call @hook-recv
    ...
    test %eax
    je <001E:101C>
    ...
    push <0018:A704>
    call @hook-DnsQuery_W

Extract gadget (standalone DLL) that can be imported into any (binary) application offering environment hooks.
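Steps 3 and 4 carried through on a constructed trace, as an added example: this is not code from the Inspector Gadget project (which slices Anubis traces of real x86 binaries) but a small Python model of the same idea. The trace, its addresses (1000 … 1104), the function names func1/func2/func3, the named memory locations (mem:buf, mem:arg0, …) and the API_DEPS table are assumptions chosen to mirror the slides: the StartService call in func1 has no dependency on the DnsQuery_W call and falls out of the slice, the connect/recv loop is kept together with the test/je it is control dependent on and the WSAStartup prerequisite, and the surviving API calls are rewritten to @hook-* entries that the player supplies.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set

@dataclass(frozen=True)
class Insn:
    addr: str                          # hypothetical address inside the analysed image
    text: str                          # disassembly text
    func: str                          # function this instance executed in
    defs: FrozenSet[str] = frozenset() # registers / memory locations written
    uses: FrozenSet[str] = frozenset() # registers / memory locations read
    api: Optional[str] = None          # imported API name if this is an API call
    enters: Optional[str] = None       # callee if this is a call into the sample's own code
    branch: bool = False               # conditional branch instance
    ctrl: Optional[str] = None         # address of the conditional branch this instance depends on
    glue: bool = False                 # jmp/ret kept whenever its function is kept

def I(addr, text, func, defs=(), uses=(), **kw):
    return Insn(addr, text, func, frozenset(defs), frozenset(uses), **kw)

# Constructed API-level dependencies (the "API taint dependencies" the analysis records):
# the socket calls only work after WSAStartup has run.
API_DEPS = {"connect": {"WSAStartup"}, "recv": {"WSAStartup"}}

# Constructed execution trace: main calls func1 (a service start unrelated to DNS), then
# func2 (connect, loop on recv until data arrives), then func3 (DnsQuery_W on the received
# buffer). Memory locations are named rather than tracked through %esp.
TRACE = [
    I("1000", "call func1", "main", enters="func1"),
    I("1100", "call StartService", "func1", defs={"eax"}, uses={"mem:svc"}, api="StartService"),
    I("1104", "ret", "func1", glue=True),
    I("1008", "call func2", "main", enters="func2"),
    I("1018", "call WSAStartup", "func2", defs={"eax"}, api="WSAStartup"),
    I("101C", "call connect", "func2", defs={"eax"}, uses={"mem:sock", "mem:addr"}, api="connect"),
    I("1020", "jmp L_1", "func2", glue=True),
    I("1028", "L_1: test %eax, %eax", "func2", defs={"flags"}, uses={"eax"}),
    I("102C", "je L_0", "func2", uses={"flags"}, branch=True),                       # taken
    I("1024", "L_0: call recv", "func2", defs={"eax", "mem:buf"}, uses={"mem:sock"}, api="recv", ctrl="102C"),
    I("1028", "L_1: test %eax, %eax", "func2", defs={"flags"}, uses={"eax"}, ctrl="102C"),
    I("102C", "je L_0", "func2", uses={"flags"}, branch=True, ctrl="102C"),          # not taken
    I("1030", "call func3", "func2", enters="func3", ctrl="102C"),
    I("103C", "push $buf", "func3", defs={"mem:arg0"}, uses={"mem:buf"}, ctrl="102C"),
    I("1040", "call DnsQuery_W", "func3", uses={"mem:arg0"}, api="DnsQuery_W", ctrl="102C"),
    I("1044", "ret", "func3", glue=True),
    I("1034", "ret", "func2", glue=True),
    I("100C", "ret", "main", glue=True),
]

def backward_slice(trace: List[Insn], crit: int) -> Set[int]:
    """Dynamic backward slice: walk the trace backwards from the criterion, keeping every
    instance that defines a live location, every branch a kept instance is control
    dependent on, and every API call a kept API call depends on."""
    live = set(trace[crit].uses)
    pending_branch, pending_api, keep = set(), set(), {crit}

    def note(ins):                      # record what the kept instance in turn depends on
        if ins.ctrl:
            pending_branch.add(ins.ctrl)
        if ins.api:
            pending_api.update(API_DEPS.get(ins.api, ()))

    note(trace[crit])
    for i in range(crit - 1, -1, -1):
        ins = trace[i]
        data_dep = bool(ins.defs & live)
        ctrl_dep = ins.branch and ins.addr in pending_branch
        api_dep = ins.api in pending_api
        if not (data_dep or ctrl_dep or api_dep):
            continue
        keep.add(i)
        live = (live - ins.defs) | ins.uses
        pending_branch.discard(ins.addr)
        pending_api.discard(ins.api)
        note(ins)
    return keep

def add_glue(trace: List[Insn], keep: Set[int]) -> Set[int]:
    """Keep the calls into, and the jmp/ret of, every function that contributed to the
    slice, so the gadget stays a well-formed piece of code."""
    funcs = {trace[i].func for i in keep}
    grown = True
    while grown:                        # a caller that now holds a kept call needs its glue too
        grown = False
        for i, ins in enumerate(trace):
            if i in keep:
                continue
            if ins.enters in funcs or (ins.glue and ins.func in funcs):
                keep.add(i)
                grown |= ins.func not in funcs
                funcs.add(ins.func)
    return keep

def build_gadget(trace: List[Insn], keep: Set[int]) -> List[str]:
    """Static listing of the kept instructions; imported API calls are redirected to
    environment hooks (the player provides @hook-<API>), internal calls stay as they are."""
    listing = {}
    for i in sorted(keep):
        ins = trace[i]
        text = ins.text.replace(f"call {ins.api}", f"call @hook-{ins.api}") if ins.api else ins.text
        listing[ins.addr] = text
    return [f"{addr}  {text}" for addr, text in sorted(listing.items())]

def extract_dga_gadget() -> List[str]:
    crit = next(i for i, ins in enumerate(TRACE) if ins.api == "DnsQuery_W")
    return build_gadget(TRACE, add_glue(TRACE, backward_slice(TRACE, crit)))
```

The model leaves out stack-pointer bookkeeping (the add %esp after each call on the slides); a real slicer has to track it separately, since treating %esp as an ordinary data dependency would pull every instruction into the slice.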

SLIDE 22

Gadget Replay

SLIDE 23

Gadget Player

  • As a library, the gadget can be reused in many areas
    – statically linked into the application
    – dynamically loadable
  • … but the application must confine gadget execution
    – handle crashes (e.g., possible invalid memory accesses)
    – one possibility: code emulation
    – here: separate, monitored thread with signal handling
  • … and mediate accesses to the host OS
    – gadgets are guaranteed to contain no direct calls to system or API functionality
    – each access is done through environment hooks

SLIDE 24

Gadget Player

  • Host OS access mediation: environment hooks
    – every system / API call is redirected to the gadget player (using a multiplexor function)
    – the player has the possibility to sanitize and/or manipulate call parameters
    – if the player decides to allow the API invocation, call and parameters are forwarded to the actual implementation (e.g., inside a Windows library)

[Figure: gadget player hosting the gadget thread behind the environment interface, which forwards to AdvAPI32 and User32]

SLIDES 25-27

Gadget Inversion

  • The player can use the gadget as a transformation oracle
    – input is transformed into output, depending on the algorithm implemented by the gadget
    – example: sample reads local data, obfuscates it, and transmits it to a remote host
  • In many scenarios, however, the inverse algorithm would be interesting
    – we capture obfuscated traffic and want the plain-text data that was transmitted
  • In the paper, we present basic inversion capabilities:
    – detect (taint) dependencies between bytes in input and output
    – apply guided brute-force heuristics to invert the algorithm contained in the gadget
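The two inversion steps, as an added example that is not the paper's implementation. Because the gadget is only used as a black box, a constructed toy obfuscation (toy_obfuscate with its KEY) stands in for an extracted gadget; byte_dependencies replaces the player's taint tracking with input perturbation, and invert is the guided brute force that solves one input byte per step, refusing cleanly when an output byte depends on more than one unknown.

```python
from typing import Callable, List, Set

Oracle = Callable[[bytes], bytes]

# Constructed stand-in for an extracted obfuscation gadget: each output byte mixes the
# input byte at the same position with the previous input byte. A real gadget would be the
# sliced malware code run by the player; only its input/output behaviour is used here.
KEY = bytes.fromhex("5ac3971f")

def toy_obfuscate(data: bytes) -> bytes:
    out, prev = bytearray(), 0x5A
    for i, b in enumerate(data):
        out.append(((b ^ KEY[i % len(KEY)]) + prev) & 0xFF)
        prev = b
    return bytes(out)

def byte_dependencies(oracle: Oracle, length: int) -> List[Set[int]]:
    """deps[i] = input positions that influence output byte i, found by perturbing one
    input byte at a time and watching which output bytes change (a black-box stand-in
    for the taint dependencies the player would record)."""
    base = bytes(length)
    ref = oracle(base)
    deps = [set() for _ in range(len(ref))]
    for j in range(length):
        for delta in (0x01, 0x80, 0xFF):       # several probes guard against lucky collisions
            probe = bytearray(base)
            probe[j] ^= delta
            for i, (a, b) in enumerate(zip(ref, oracle(bytes(probe)))):
                if a != b:
                    deps[i].add(j)
    return deps

def _brute_force(oracle: Oracle, captured: bytes, solved: dict, n: int, i: int, j: int) -> int:
    """Try all 256 values of input byte j until output byte i matches the capture;
    already solved bytes are fixed, unknown ones (which cannot affect byte i) stay 0."""
    for v in range(256):
        trial = bytearray(n)
        for k, val in solved.items():
            trial[k] = val
        trial[j] = v
        if oracle(bytes(trial))[i] == captured[i]:
            return v
    raise ValueError(f"no value of input byte {j} reproduces output byte {i}")

def invert(oracle: Oracle, captured: bytes) -> bytes:
    """Guided brute force: repeatedly pick an output byte that depends on exactly one
    still-unknown input byte and solve that byte. Assumes input and output have the
    same length (true for the toy gadget)."""
    n = len(captured)
    deps = byte_dependencies(oracle, n)
    solved, unresolved = {}, set(range(n))
    while unresolved:
        progress = False
        for i in sorted(unresolved):
            unknown = deps[i] - set(solved)
            if len(unknown) > 1:
                continue                        # revisit once more bytes are known
            if unknown:
                j = unknown.pop()
                solved[j] = _brute_force(oracle, captured, solved, n, i, j)
            unresolved.discard(i)
            progress = True
        if not progress:
            raise ValueError("remaining output bytes each depend on several unknown input bytes")
    return bytes(solved[k] for k in range(n))
```

Each recovered byte narrows the next step: output byte 0 depends on input byte 0 alone, output byte 1 on bytes 0 and 1, and so on, so the chain unwinds from the front. An oracle whose every output byte depends on every input byte (a block cipher, say) defeats this heuristic by design, which is what the error path reports.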

SLIDE 28

So … again, why...?

SLIDE 29

Gadget Benefits

  • … so why not simply execute it in a VM (over and over again)?
    – sleep timeouts: can be eliminated during gadget extraction
    – fast & lightweight analysis:
      • no virtual environment, no snapshot restoring
      • we ran our analysis on Linux (under Wine)!
    – precise, uncluttered behavior observation
    – advanced monitoring: the player has access to the gadget's heap and stack regions!
    – environment tampering: all requests go through a single interface: tamper with date or time, registry settings, host OS, remote hosts contacted, ...

[Figure: gadget player hosting the gadget thread behind the environment interface, which forwards to User32]

SLIDE 30

Gadget examples

SLIDE 31

Conficker DGA

  • Conficker generates (pseudo) random domain names upon startup
  • Current time, fetched from a remote site (e.g., msn.com), controls the domain generation randomization seed
  • Randomly selected domain name is used for contacting the C&C host
  • Gadget:
    – start extraction (slicing) from invocation of DnsQuery_W
    – extracts complete Domain Generation Algorithm (DGA)
    – see one domain on query invocation
    – find all domains on gadget heap
  • Possible environment tampering:
    – manipulate remote site's reply to change DGA input (i.e., date for which domains are generated)
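A model of the gadget player from slides 23-24 together with the environment tampering of slides 29 and 31, as an added example. None of it is the project's code: GadgetPlayer, real_implementation, the canned HTTP reply, the host name time-source.example and the sha256-based dga_gadget are all constructed, and the generator is deliberately not Conficker's algorithm. It shows the three things the player does: confine the gadget to a monitored thread, route every API call through one multiplexor that can refuse or forward it, and rewrite the Date header in the recv reply so the same gadget produces the domains for a date the analyst chooses, which the player then reads off the gadget's (simulated) heap.

```python
import hashlib
import re
import threading
from datetime import datetime

# Stand-ins for the real Windows implementations (ws2_32 / dnsapi); constructed and
# fully offline. The canned reply plays the role of the remote time source.
CANNED_HTTP_REPLY = (b"HTTP/1.1 200 OK\r\n"
                     b"Date: Mon, 05 Jul 2010 09:00:00 GMT\r\n"
                     b"Content-Length: 0\r\n\r\n")

def real_implementation(name, *args):
    if name == "connect":
        return 0
    if name == "send":
        return len(args[1])
    if name == "recv":
        return CANNED_HTTP_REPLY
    raise RuntimeError(f"no backend for {name}")

class GadgetPlayer:
    """Hosts one gadget: confines it to a monitored thread and mediates every API call
    through a single multiplexor (env) where calls can be logged, refused or altered."""

    def __init__(self, tamper_date=None, forward=("connect", "send", "recv")):
        self.tamper_date = tamper_date      # analyst-chosen Date header value, or None
        self.forward = set(forward)         # APIs allowed to reach the real implementation
        self.log = []                       # every (api, args) the gadget attempted
        self.heap = []                      # stand-in for the gadget's heap region
        self.fault = None                   # crash or timeout report, if any

    def env(self, name, *args):
        self.log.append((name, args))
        if name not in self.forward:
            return 1                        # refused; constructed non-zero failure code
        result = real_implementation(name, *args)
        if name == "recv" and self.tamper_date:
            result = re.sub(rb"Date: [^\r]*", b"Date: " + self.tamper_date.encode(), result)
        return result

    def run(self, gadget, timeout=2.0):
        def body():
            try:
                gadget(self)
            except Exception as exc:        # a crash inside the gadget stays inside the player
                self.fault = repr(exc)
        worker = threading.Thread(target=body, daemon=True)
        worker.start()
        worker.join(timeout)
        if worker.is_alive():
            self.fault = "timeout"
        return self

TLDS = ("net", "com", "info", "biz", "org")

def dga_gadget(player):
    """Constructed gadget with the shape of the Conficker case: fetch the date from a
    remote host, derive domains from it, resolve one. Every external access goes through
    player.env; the generator is a toy, not Conficker's algorithm."""
    env = player.env
    env("connect", "time-source.example", 80)                 # placeholder host name
    env("send", 0, b"GET / HTTP/1.1\r\nHost: time-source.example\r\n\r\n")
    header = re.search(rb"Date: ([^\r]*)\r\n", env("recv")).group(1).decode()
    day = datetime.strptime(header, "%a, %d %b %Y %H:%M:%S GMT").strftime("%Y%m%d")
    for i in range(5):
        label = hashlib.sha256(f"{day}:{i}".encode()).hexdigest()[:10]
        player.heap.append(f"{label}.{TLDS[i % len(TLDS)]}")  # "all domains on the heap"
    env("DnsQuery_W", player.heap[0])                         # "one domain on query invocation"
```

DnsQuery_W is not in the default forward list, so the name the gadget tries to resolve is recorded in the log but never reaches a resolver; replaying with tamper_date set to another day yields that day's domain list without re-running the sample in a VM. Refusing recv instead (forward=("connect", "send")) makes the gadget fail, and the failure ends up in player.fault rather than taking the host down.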

SLIDE 32

Conficker DGA

  • P. Porras et al., "A Foray into Conficker's Logic and Rendezvous Points"

[Figure: control flow recovered by Inspector Gadget shown next to the gadget's "debug output"]

SLIDE 33

Cutwail Spam Templating

  • Cutwail (mass-mailer) generates spam e-mails from templates downloaded from remote C&C hosts
  • Communication employs a proprietary encryption algorithm
  • Template is not stored on the file system
    – content decrypted and handled solely in memory
  • Gadget:
    – inspect download behavior
    – start extraction after download is complete
    – Inspector suggests automatically refining the extraction starting point to the end of decryption
    – extract complete template download & decryption algorithm

SLIDES 34-35

Cutwail Spam Templating

[Figure: decrypted spam template recovered from the gadget's memory]

    "{_FIRSTNAME} {_LASTNAME}" <{MAIL_FROM}>
    Hello my new friend, I search a good man at other country...\n For me it to communicate for the first time with the person from other country, by Internet.\nAnd it ...
    {nReceived}
    Message-ID: <{DIGIT[10]}.{SYMBOL[8]} {DIGIT[6]} @{nHOST}>
    From: {TAGMAILFROM}
    To: <{MAIL_TO}>
    Subject: {SUBJECT}
    Date: {DATE}
    MIME-Version: 1.0
    Content-Type: multipart/mixed; boundary="----=_NextPart_000_0006_{_nOutlook_Boundary}"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express {_nOutlookExpress_4}

[Figure: configuration, name lists and macros delivered with the template]

    configver 194
    addr 91.206.231.230
    port 25
    knockdelay 60
    mxrecvtimeout 120
    mxconntimeout 120
    maxtrybadfrom 1
    maxtryconn 5

    FIRSTNAME: Christi Lea Staci Jodie Summer Katharine ...
    LASTNAME: Schafer Stacy Grayson Ham Landers Mims Parham Pritchett ...
    name: Lusia R., Texas; Lusia R., New York; Lusia R., Chicago; Lusia R., Colorado; Lusia R., Boston; Lusia R., Washington; Lusia R., Las Vegas; Lusia R., Bellevue WA; Lusia R., San Diego; Amelia B., Chicago; ...

    nHOST      {nChar[5-15]}.{nChar[5-15]}.{LET:ru,org,com,va,net,biz,info,tv,ua,su}
    nReceived  Received: from [{nIP}] (helo={nHOST}) {N[1]}by {BOT_HOST} ...

SLIDE 36

URLZone Config Update

  • URLZone (BHO banking trojan) sniffs and manipulates user interaction with the banking web site
  • Steals credentials and hides previous (malicious) transactions from the user
  • Remote configuration through encrypted configuration files
    – domains to attack
    – URLs to inspect
    – form content to modify
  • Gadget:
    – extract complete template download & decrypt algorithm
    – similar to Cutwail gadget

SLIDE 37

URLZone Config Update

[Figure: decrypted configuration recovered by the gadget]

    ----------------- STATA ------------------
    ITINJHOST=|my.hypovereinsbank.de|End
    ITINJPAGE=|/*?view=/*|End
    ...
    ITINJSTART=|Aktueller Kontosaldo</label>[*] <p class="right">|End
    ITINJEND=|</p>|End
    ITINJCODE=||End
    ITINJPASTE=|%HYPOBAL%+%AMOUNT%-%TRUEAMOUNT%|End
    ITINJPASTEMN=|<span class="negative-balance">%HYPOBAL%+%AMOUNT%- %TRUEAMOUNT%</span><span class="negative-balance">EUR</span>|End
    =======================POST=======================
    [ITBEGINBLOCKHOOK]
    ITHOST=|banking.postbank.de|End
    ITPAGE=|/app/login.d*|End
    ITMETHOD=|2|End
    ITIFINIT=|%DISP%|End
    ITREQMATH=|jsOn=*&accountNumber=*&pinNumber=*|End
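An added parser for the decrypted configuration format shown on this slide (not URLZone's own code nor the project's): it reads the key=|value|End lines and the section and block markers exactly as transcribed from the slide, lists the targeted hosts, groups the inject directives per host and pulls out the %NAME% placeholders the bot substitutes into the page. Only the three line shapes visible on the slide are understood; anything else, such as the "..." elision, is skipped.

```python
import re
from typing import Dict, List, Set, Tuple

# Decrypted URLZone configuration as shown on slide 37, transcribed from the page.
# The "..." is an elision on the slide and is kept as-is.
URLZONE_CONFIG = """\
----------------- STATA ------------------
ITINJHOST=|my.hypovereinsbank.de|End
ITINJPAGE=|/*?view=/*|End
...
ITINJSTART=|Aktueller Kontosaldo</label>[*] <p class="right">|End
ITINJEND=|</p>|End
ITINJCODE=||End
ITINJPASTE=|%HYPOBAL%+%AMOUNT%-%TRUEAMOUNT%|End
ITINJPASTEMN=|<span class="negative-balance">%HYPOBAL%+%AMOUNT%- %TRUEAMOUNT%</span><span class="negative-balance">EUR</span>|End
=======================POST=======================
[ITBEGINBLOCKHOOK]
ITHOST=|banking.postbank.de|End
ITPAGE=|/app/login.d*|End
ITMETHOD=|2|End
ITIFINIT=|%DISP%|End
ITREQMATH=|jsOn=*&accountNumber=*&pinNumber=*|End
"""

SECTION_RE = re.compile(r"^[-=]+\s*([A-Z]+)\s*[-=]+$")   # ---- STATA ---- / ====POST====
BLOCK_RE = re.compile(r"^\[(\w+)\]$")                     # [ITBEGINBLOCKHOOK]
ENTRY_RE = re.compile(r"^(\w+)=\|(.*)\|End$")             # KEY=|value|End

Entry = Tuple[str, str, str, str]                         # (section, block, key, value)

def parse_config(text: str) -> List[Entry]:
    """Turn the config into (section, block, key, value) tuples, in file order.
    Lines matching none of the three shapes (e.g. the "..." elision) are skipped."""
    section, block, entries = "", "", []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SECTION_RE.match(line)):
            section, block = m.group(1), ""
        elif (m := BLOCK_RE.match(line)):
            block = m.group(1)
        elif (m := ENTRY_RE.match(line)):
            entries.append((section, block, m.group(1), m.group(2)))
    return entries

def targeted_hosts(entries: List[Entry]) -> Set[str]:
    """Hosts named by any *HOST key: the sites this configuration goes after."""
    return {value for _, _, key, value in entries if key.endswith("HOST")}

def injects_by_host(entries: List[Entry]) -> Dict[str, Dict[str, str]]:
    """Group the directives that follow each *HOST key under that host."""
    result, current = {}, None
    for _, _, key, value in entries:
        if key.endswith("HOST"):
            current = result.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return result

def placeholders(value: str) -> Set[str]:
    """%NAME% tokens the bot fills in at injection time (e.g. the faked balance)."""
    return set(re.findall(r"%([A-Z]+)%", value))
```

For incident response the host list and the ITINJSTART/ITINJEND anchors are the useful output: they say which pages the sample rewrites and where, so a defender can check whether the web inject still matches the live site and which customers' sessions were in scope.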

SLIDE 38

Summary

  • Dynamic analysis is resource consuming; results are cluttered and limited to temporary snapshots of malicious behavior
  • Inspector automatically extracts behavior into standalone gadgets
  • Gadgets can be reused in many scenarios and
    – enhance information extraction
    – simplify repeated analysis of behavior
  • Evaluation shows that extraction is applicable to real-world malicious programs

SLIDE 39

Thanks for listening!