lines of malicious code
play

Lines of Malicious Code: Insights Into the Malicious Software - PowerPoint PPT Presentation

Sep 29, 2023 •294 likes •566 views

Lines of Malicious Code: Insights Into the Malicious Software Industry Martina Lindorfer Vienna University of Technology Alessandro Di Federico Politecnico di Milano Federico Maggi Politecnico di Milano Paolo Milani Comparetti Vienna

  1. Lines of Malicious Code: 
 Insights Into the Malicious Software Industry � Martina Lindorfer Vienna University of Technology Alessandro Di Federico Politecnico di Milano Federico Maggi Politecnico di Milano Paolo Milani Comparetti Vienna University of Technology, Lastline Inc. Stefano Zanero Politecnico di Milano

  2. Annual Computer Security Applications Conference, December 2012 1

  3. State of Malware � • Underground economy of cybercrime: 
 spam, identity theft, DoS, Fake AV scams, … � • Malicious software industry � • Arms race against security researchers � • Overwhelming amount of samples � - > 70,000/day in 2011 (PandaLabs) � • Need for analysis automation � • Limits of static/dynamic analysis � • Incremental updates of functionality � • Focus manual analysis on novel functionality � Annual Computer Security Applications Conference, December 2012 2

  4. Approach (1/2) � • Identify focus of development effort of malware authors � • Take advantage of auto-update functionality in malware � • Collect subsequent updates of malware variants � • Identify code changes between versions � • Identify evolution of functional components � - e.g. spam, Fake AV � • Estimate development effort � • Highlight significant code changes for further analysis � � Annual Computer Security Applications Conference, December 2012 3 �

  5. Approach (2/2) � • Combination of static and dynamic analysis � • Builds upon R EANIMATOR (Oakland 2010) � - “Identifying Dormant Functionality in Malware Programs” � • Run samples in sandbox � • Let samples connect to the C&C server to update � • Find differences in binary code � • Map differences in binary code to behavior � • B EAGLE � - 16 malware samples from 11 families � - > 1,000 executions, 381 distinct binaries � Annual Computer Security Applications Conference, December 2012 4

  6. Outline � • B EAGLE � - Step 1: Execution Monitoring � - Step 2a: Binary Comparison � - Step 2b: Behavior Extraction � - Step 3: Semantic-Aware Comparison � • Experimental Results � • Conclusion � Annual Computer Security Applications Conference, December 2012 5

  7. B EAGLE � Execution 011 1 Monitoring 0000101 011 Binary Comparison 1000100 0000101 011 1100011 1000100 0000101 1100011 1000100 1100011 Code Changes 2 Unpacked Malware Semantic- Update Variants Evolutionary Aware Server changes 3 Comparison Behaviors x Behavior Extraction System-Level Activity Annual Computer Security Applications Conference, December 2012 6

  8. Step 1: Execution Monitoring � • Based on Anubis sandbox � - Logging of Native + Windows API, dynamic taint tracing � • Stateful analysis: � - Save analysis state (filesystem and registry changes) � - Restore analysis state � - Invoke persistence mechanism � • Logging of call stack for each API call � • Generic unpacker (dump memory) � • Output: � - Unpacked binaries � - System calls and taint dependencies � Annual Computer Security Applications Conference, December 2012 7

  9. Step 2a: Binary Comparison � • Input: � - Unpacked malware variants � • Preprocessing: Code whitelisting � - Generic unpacker dumps all memory � - Includes code injected into benign processes � - Includes DLLs loaded into malware’s address space � - Identify all code (EXE and DLL) from the clean image and ignore it � Annual Computer Security Applications Conference, December 2012 8

  10. Step 2a: Binary Comparison � • Refined techniques of Kruegel et al. (RAID 2005) � - “Polymorphic Worm Detection Using Structural Information of Executables” � • Color nodes in CFG based on classes of instructions � • Shared code = finding isomorphic k-node subgraphs � • Fingerprints = hash of normalized subgraphs � • Match fingerprints between malware versions � • Output: � - Shared/added/removed basic blocks � - Measure of code change (Jaccard Similarity): 
 # of shared BB over the total shared/added/removed BBs � Annual Computer Security Applications Conference, December 2012 9 �

  11. Step 2b: Behavior Extraction � • Input: � - System calls and taint dependencies from dynamic analysis � • Behavior = connected graph of system-level events � - Nodes = system calls � - Edges = data flow dependencies � • Define rules to detect high-level behaviors � - e.g. Download & Execute = data flow from network to a file that is later executed � - Unlabeled: no high-level meaning � - Labeled: behavior matches known patterns � • Output: � - List of behaviors with responsible code � Annual Computer Security Applications Conference, December 2012 10 �

  12. Step 3: Semantic-Aware Comparison � • Input: � - Labeled & unlabeled behaviors � - Shared/added/removed BBs � � • Map behavior to code � - Dynamic analysis at system call level � - Better scaling than instruction-level tracing � - Mapping at function-level granularity � - Locate function boundaries of addresses in call stack � Annual Computer Security Applications Conference, December 2012 11

  13. Step 3: Semantic-Aware Comparison � • Expansion of mapping: � - Statically identify code path between individual system calls � - Use call stack for each system call as landmark � • Dormant functionality: � - Locate fingerprints from active components in other executions � • Output: � - Evolutionary changes in functional components � Annual Computer Security Applications Conference, December 2012 12

  14. Outline � • B EAGLE � - Step 1: Execution Monitoring � - Step 2a: Binary Comparison � - Step 2b: Behavior Extraction � - Step 3: Semantic-Aware Comparison � • Experimental Results � • Conclusion � Annual Computer Security Applications Conference, December 2012 13

  15. Dataset (1/2) � • 16 samples (11 families, 6 ZeuS) � • Sources: � - ZeuS Tracker � - Anubis (download & execute heuristics) � - Top threats from Microsoft Malware Protection Center � � • September 2011 - April 2012 � • 15 minutes each, once a day � • 1,023 executions of 381 distinct binaries � Annual Computer Security Applications Conference, December 2012 14

  16. Dataset (2/2) � 1 ST DAY F AMILY N AME AND L ABEL S OURCE D AYS E XECUTIONS MD5 S Banload TrojanDownloader:Win32/Banload.ADE (1) 2012-01-31 87 78 3 Cycbot Backdoor:Win32/Cycbot.G (1) 2011-09-15 73 73 69 Dapato Worm:Win32/Cridex.B (2) 2012-02-24 65 62 25 Gamarue Worm:Win32/Gamarue.B (2) 2012-02-10 78 77 19 GenericDownloader TrojanDownloader:Win32/Banload.AHC (1) 2012-01-31 82 79 5 GenericTrojan Worm:Win32/Vobfus.gen!S (1) 2012-02-07 76 73 55 Graftor TrojanDownloader:Win32/Grobim.C (1) 2012-02-17 37 39 22 Kelihos TrojanDownloader:Win32/Waledac.C (2) 2012-03-03 56 38 8 Llac Worm:Win32/Vobfus.gen!N (1) 2012-02-07 32 33 82 OnlineGames Worm:Win32/Taterf.D (1) 2011-09-02 87 80 47 ZeuS PWS:Win32/Zbot.gen!AF 1be8884c7210e94fe43edb7edebaf15f (3) 2012-02-09 79 78 6 ZeuS PWS:Win32/Zbot 9926d2c0c44cf0a54b5312638c28dd37 (3) 2012-02-15 74 73 4 ZeuS PWS:Win32/Zbot.gen!AF * c9667edbbcf2c1d23a710bb097cddbcc (3) 2012-02-23 66 63 6 ZeuS PWS:Win32/Zbot.gen!AF * dbedfd28de176cbd95e1cacdc1287ea8 (3) 2012-02-09 79 78 4 ZeuS PWS:Win32/Zbot.gen!AF * e77797372fbe92aa727cca5df414fc27 (3) 2012-02-10 79 77 5 ZeuS PWS:Win32/Zbot.gen!AF * f579baf33f1c5a09db5b7e3244f3d96f (3) 2012-03-03 57 55 11 Annual Computer Security Applications Conference, December 2012 15

  17. Behaviors in Dataset � Annual Computer Security Applications Conference, December 2012 16

  18. Overall Code Changes � 1.0 1.0 0.8 0.8 0.6 0.6 CDF(X) CDF(X) 0.4 0.4 ZeuS (2nd variant) ZeuS (2nd variant) ZeuS (2nd variant) ZeuS (2nd variant) ZeuS (2nd variant) ZeuS (2nd variant) ZeuS (2nd variant) ZeuS (2nd variant) ZeuS (2nd variant) ZeuS (2nd variant) ZeuS (2nd variant) ZeuS (2nd variant) ZeuS (2nd variant) ZeuS (2nd variant) ZeuS (2nd variant) ZeuS (2nd variant) Gamarue Gamarue Gamarue Gamarue Gamarue Gamarue Gamarue Gamarue Gamarue Gamarue Gamarue Gamarue Gamarue Gamarue Gamarue Gamarue 0.2 0.2 0.0 0.0 0.0 0.2 0.4 0.6 0.8 1.0 0.0 0.2 0.4 0.6 0.8 1.0 X = Fraction of added basic blocks X = Fraction of added basic blocks (a) t − 1 vs. t (b) t 0 vs. t Annual Computer Security Applications Conference, December 2012 18

  19. Code Changes: Zeus � 1 Added code Removed code Amount of code, normalized in [0,1] Shared code 0.8 0.6 0.4 0.2 0 Annual Computer Security Applications Conference, December 2012 19

  20. Code Changes: Zeus � 80000 New code 70000 60000 #Basic blocks 50000 40000 30000 20000 10000 0 02/18 02/25 03/03 03/10 03/17 03/24 03/31 04/07 04/14 04/21 04/28 05/05 Annual Computer Security Applications Conference, December 2012 20

  21. 21 Behavior Evolution: Gamarue � 1.0 ● ● ● ● ● ● 0.8 ● ● 0.6 Annual Computer Security Applications Conference, December 2012 0.4 0.2 0.0 ● ● ● ● ● DOWNLOAD_EXECUTE CHANGE_SECURITY_POLICIES UDP_TRAFFIC DISABLE_TASKMGR SPAM HTTP_REQUEST DOWNLOAD_FILE DNS_QUERY HIDE_STARTMENU HIDE_FILES UNPACKER AUTO_START

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 10 March 2005 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

1.16k views • 94 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 23 March 2006 What is Malicious Code? What is Malicious Code? Viruses, worms, trojans, Code that breaks your security policy.

707 views • 69 slides
Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu

Malicious Code Malicious Code for Fun and Profit for Fun and Profit Mihai Christodorescu mihai@cs.wisc.edu 29 March 2007 SYN Cookies (contd) SYN Cookies (contd) SYN cookies are particular choices of initial TCP sequence numbers

868 views • 62 slides
Malicious Code and Access Control in SDN SPRING14 , 31.7. 1.8.2014 Hans Christian Rpke

Malicious Code and Access Control in SDN SPRING14 , 31.7. 1.8.2014 Hans Christian Rpke

Malicious Code and Access Control in SDN SPRING14 , 31.7. 1.8.2014 Hans Christian Rpke Chair for System Security 1 Introduction 2 Malicious Code in SDN 3 Access Control in SDN 4 Conclusions Software-Defined Networks|Horst Grtz

418 views • 19 slides
MALWARE: VIRUSES CMSC 414 FEB 08 2018 MALWARE Malicious code that is stored on and runs

MALWARE: VIRUSES CMSC 414 FEB 08 2018 MALWARE Malicious code that is stored on and runs

MALWARE: VIRUSES CMSC 414 FEB 08 2018 MALWARE Malicious code that is stored on and runs on a victims system How does it get to run? Attacks a user- or network-facing vulnerable service Backdoor: Added by a malicious

1.02k views • 81 slides
Malicious Code Karlstads universitet mCrowds: Anonymity for the mobile Internet Karlstads

Malicious Code Karlstads universitet mCrowds: Anonymity for the mobile Internet Karlstads

2005-10-12 Malicious Code an Increasing Problem Malicious Code Karlstads universitet mCrowds: Anonymity for the mobile Internet Karlstads universitet DAV C19 Applied Security 2 Datavetenskap 2005-10-12 Datavetenskap 2005-10-12 Media

442 views • 7 slides
Untangling the code An overview of techniques to reverse engineer malicious software Prashant

Untangling the code An overview of techniques to reverse engineer malicious software Prashant

Untangling the code An overview of techniques to reverse engineer malicious software Prashant Gupta Security Architect, McAfee Inc. June 3, 2013 McAfee Confidential Internal Use Only Abstract Reverse engineering and analysis of binary code

381 views • 20 slides
Viruses based on slides by Vitaly Shmatikov and Ninghui Li Malware Malicious code often

Viruses based on slides by Vitaly Shmatikov and Ninghui Li Malware Malicious code often

Viruses based on slides by Vitaly Shmatikov and Ninghui Li Malware Malicious code often masquerades as good software or attaches itself to good software Some malicious programs need host programs Trojan horses, logic bombs, viruses

624 views • 40 slides
Vulnerabilities: Malicious Code Class 10 P&P: Ch 3.3, 3.4 1 CIS-5372: 9.Nov.2011

Vulnerabilities: Malicious Code Class 10 P&P: Ch 3.3, 3.4 1 CIS-5372: 9.Nov.2011

Vulnerabilities: Malicious Code Class 10 P&P: Ch 3.3, 3.4 1 CIS-5372: 9.Nov.2011 Announcement Presence sheet Solution to Homework 2 is out Grades will follow 2 CIS-5372: 9.Nov.2011 What Did We Cover Before ?

1.02k views • 71 slides
Functions Functions A set of statements (lines of code) that can be run repeatedly

Functions Functions A set of statements (lines of code) that can be run repeatedly

Functions Functions A set of statements (lines of code) that can be run repeatedly Goals: Learning Python by Lutz and Ascher Code reuse Procedural decomposition Top-Down Design Break problem into subproblems Print HIHO

451 views • 20 slides
CS 356 Lecture 8 Malicious Code Spring 2013 Review Chapter 1: Basic Concepts and

CS 356 Lecture 8 Malicious Code Spring 2013 Review Chapter 1: Basic Concepts and

CS 356 Lecture 8 Malicious Code Spring 2013 Review Chapter 1: Basic Concepts and Terminology Integrity, Confidentiality, Availability, Authentication, and Accountability Types of threats: active vs. passive, insider/outsider

638 views • 16 slides
CS 356 Lecture 9 Malicious Code Spring 2013 Review Chapter 1: Basic Concepts and

CS 356 Lecture 9 Malicious Code Spring 2013 Review Chapter 1: Basic Concepts and

CS 356 Lecture 9 Malicious Code Spring 2013 Review Chapter 1: Basic Concepts and Terminology Integrity, Confidentiality, Availability, Authentication, and Accountability Types of threats: active vs. passive, insider/outsider

347 views • 33 slides
Engineering Challenges in Immunizing Systems Against Malicious Code Craig Chamberlain Principal

Engineering Challenges in Immunizing Systems Against Malicious Code Craig Chamberlain Principal

Engineering Challenges in Immunizing Systems Against Malicious Code Craig Chamberlain Principal Technical Consultant Verdasys, Inc. Background Organizations are confronted with troubling developments the malware problem phenomenon

581 views • 27 slides
Pinkslipbot: A deep look at how malicious code adapts and evolves Guilherme Venere Malware

Pinkslipbot: A deep look at how malicious code adapts and evolves Guilherme Venere Malware

Pinkslipbot: A deep look at how malicious code adapts and evolves Guilherme Venere Malware Researcher Anti Malware Operation Team Know Your Enemy Server-side polymorphic worm. EXE and DLL modules First seen around 2007 Features

662 views • 19 slides
Tomer Teller Why are we here? (one of many reasons) A malicious program: Allocates memory

Tomer Teller Why are we here? (one of many reasons) A malicious program: Allocates memory

Adi Hayon Tomer Teller Why are we here? (one of many reasons) A malicious program: Allocates memory in a remote process (and write to it) Executes the code in that memory region Frees the code Memory dump taken at the end of

373 views • 22 slides
Outline Malicious Code Introduction CS 239 Viruses Trojan horses Security for

Outline Malicious Code Introduction CS 239 Viruses Trojan horses Security for

Outline Malicious Code Introduction CS 239 Viruses Trojan horses Security for Networks and Trap doors System Software Logic bombs May 12, 2002 Worms Examples Lecture 11 Lecture 11 Page 1 Page 2 CS 239,

234 views • 12 slides
Dynamic Time Warping Averaging of Time Series allows Faster and more Accurate Classification F.

Dynamic Time Warping Averaging of Time Series allows Faster and more Accurate Classification F.

Dynamic Time Warping Averaging of Time Series allows Faster and more Accurate Classification F. Petitjean G. Forestier G.I. Webb A.E. Nicholson Y. Chen E. Keogh Compute average The Ubiquity of Time Series Sensors on machines Stock prices Wearables

638 views • 30 slides
GRADUATE NYC! Academy for Leaders in the Field of College Transition Graduate NYC! Academy for

GRADUATE NYC! Academy for Leaders in the Field of College Transition Graduate NYC! Academy for

Graduate NYC! Academy for Leaders in the Field 5/23/2012 of College Transition GRADUATE NYC! Academy for Leaders in the Field of College Transition Graduate NYC! Academy for Leaders in the Field of College Transition 2 COLLECTING PARTICIPANT

664 views • 7 slides
Outcross Bulls & BDGP Overview Q: What is an outcross bull? Ans: A bull with a

Outcross Bulls & BDGP Overview Q: What is an outcross bull? Ans: A bull with a

Outcross Bulls & BDGP Overview Q: What is an outcross bull? Ans: A bull with a bloodline that has never been used here before. My Technical Definition: The AI bulls Sire, Sires Sire and Dams sire do not have AI Codes

441 views • 23 slides
BORN-DIGITAL PRESERVATION BASIC PRINCIPLES AND PRACTICES Classroom Building 215, University of

BORN-DIGITAL PRESERVATION BASIC PRINCIPLES AND PRACTICES Classroom Building 215, University of

BORN-DIGITAL PRESERVATION BASIC PRINCIPLES AND PRACTICES Classroom Building 215, University of Wyoming Tuesday, March 7 3:30 PM ahc.uwyo.edu Tyler G. Cline Digital Archivist and Head of Digital Programs UW American Heritage Center

840 views • 56 slides
SOCIAL DETERMINANTS OF HEALTH Yes, We Have a Role in Our Patients Social Determinants of Health

SOCIAL DETERMINANTS OF HEALTH Yes, We Have a Role in Our Patients Social Determinants of Health

SOCIAL DETERMINANTS OF HEALTH Yes, We Have a Role in Our Patients Social Determinants of Health Social Determinants of Health (SDOH) Social determinants of health are conditions in the environments in which people are born, live, learn,

613 views • 44 slides
How do financial correlations grow? How do financial correlations grow? C. Borghesi Borghesi

How do financial correlations grow? How do financial correlations grow? C. Borghesi Borghesi

How do financial correlations grow? How do financial correlations grow? C. Borghesi Borghesi (Paris), S. (Paris), S. Micciche Micciche (Palermo), MM (Trieste) (Palermo), MM (Trieste) C. Financial correlations Financial

607 views • 33 slides
The package David M. Jones American Mathematical Society Providence, Rhode Island

The package David M. Jones American Mathematical Society Providence, Rhode Island

The package David M. Jones American Mathematical Society Providence, Rhode Island Dedicated to the memory of Michael J. Downes 19582003

711 views • 45 slides
Upcoming GLR Learning Tuesdays Webinars: EMERGING INNOVATIONS SERIES Bridging the Early Years

Upcoming GLR Learning Tuesdays Webinars: EMERGING INNOVATIONS SERIES Bridging the Early Years

Upcoming GLR Learning Tuesdays Webinars: EMERGING INNOVATIONS SERIES Bridging the Early Years With the Early Grades: The Promising First 10 Model Tuesday, Oct. 8, 3 p.m. ET/12 p.m. PT PARENT/TEACHER PARTNERSHIP SERIES The Power of Family-School

678 views • 51 slides

More recommend