Malware Analysis
Arun Lakhotia, University of Louisiana at Lafayette, USA
Presented at ISSISP 2017, CNRS, Gif-sur-Yvette, 7/18/2017
ISSISP 2017 - (C) Lakhotia
Introduction: Professor of Computer Science; Founder, CEO

Geolocation [map slide]

Plan of talk:
- Malware detection in practice
- Binary analysis
- Challenges in binary analysis
Malware detection in practice

What is malware? "Software that steals your data. Software that destroys your data. Software that abuses your machine." (@Pinkflawd)

Types of malware:
- Ransomware
- Botnets
- Password stealers
- Remote-access Trojans (RATs)
- Click-jackers (stealing ad clicks)
- Banking Trojans
- SCADA disruptors

How to determine that something is malware? Run it, and observe whether it steals or destroys your data, or abuses your machine.

Determining malware in practice: individually testing each program on every machine for maliciousness is not feasible. In reality:
1. Someone observes some unexpected activity.
2. The activity is traced to a program.
3. The program is passed on to a security expert.
4. The expert analyzes it to confirm that it is malicious.
5. The expert creates a 'profile' of the program.
6. The 'profile' is used to detect other occurrences of the malware.
Malware detection process (theory) [diagram]: in the AV lab, a suspect file is analyzed and judged malicious yes/no, and a profile is produced; in the wild, a file/message scanner applies the profile to each file or message and judges it malicious yes/no.

Virus (malware) identification [diagram: virus form A, anti-virus signature]: antivirus scanners use extracted patterns, or "signatures", to identify known malware.
Static signature

Hex strings from three virus variants:
67 33 74 20 73 38 6D 35 20 76 37 61
67 36 74 20 73 32 6D 37 20 76 38 61
67 39 74 20 73 37 6D 33 20 76 36 61

Hex string for detecting the virus (?? = one-byte wildcard):
67 ?? 74 20 73 ?? 6D ?? 20 76 ?? 61
Dynamic signature: monitor a running program to detect malicious behavior. Examples: analyze audit trails; look at patterns of system calls. Caveat: a run exercises only the selected test cases, so behavior on paths those inputs never reach is not observed.
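As an added example (not from the slides), here is a toy dynamic signature evaluated over a constructed, strace-style audit trail. The trace lines, process IDs and paths are invented for the example; the signature is the system-call pattern "read file P, write a new file whose name extends P, then unlink or rename P", repeated by one process across several files, which is what a file-encrypting ransomware looks like in a syscall trace. The parser only understands the `pid name(args) = ret` line shape used here.

```python
import re
from collections import defaultdict

# Constructed strace-style audit trail (invented, not real tool output).
# pid 1207 behaves like a file-encrypting ransomware; pid 1300 like a text editor.
TRACE = """\
1207 openat(AT_FDCWD, "/home/u/docs/a.docx", O_RDONLY) = 3
1207 read(3, "...", 65536) = 4120
1207 close(3) = 0
1207 openat(AT_FDCWD, "/home/u/docs/a.docx.locked", O_WRONLY|O_CREAT) = 4
1207 write(4, "...", 4136) = 4136
1207 close(4) = 0
1207 unlink("/home/u/docs/a.docx") = 0
1300 openat(AT_FDCWD, "/home/u/notes.txt", O_RDWR) = 3
1300 read(3, "...", 4096) = 210
1207 openat(AT_FDCWD, "/home/u/docs/b.xlsx", O_RDONLY) = 3
1207 read(3, "...", 65536) = 9000
1207 close(3) = 0
1207 openat(AT_FDCWD, "/home/u/docs/b.xlsx.locked", O_WRONLY|O_CREAT) = 4
1207 write(4, "...", 9016) = 9016
1207 close(4) = 0
1207 rename("/home/u/docs/b.xlsx", "/home/u/docs/.b.xlsx.tmp") = 0
1300 write(3, "...", 215) = 215
1300 close(3) = 0
1207 openat(AT_FDCWD, "/home/u/docs/c.pdf", O_RDONLY) = 3
1207 read(3, "...", 65536) = 30000
1207 close(3) = 0
1207 openat(AT_FDCWD, "/home/u/docs/c.pdf.locked", O_WRONLY|O_CREAT) = 4
1207 write(4, "...", 30016) = 30016
1207 close(4) = 0
1207 unlink("/home/u/docs/c.pdf") = 0
"""

LINE = re.compile(r'^(\d+)\s+(\w+)\((.*)\)\s*=\s*(-?\d+)\s*$')
QUOTED = re.compile(r'"([^"]*)"')


def parse_trace(text):
    """Yield (pid, syscall, quoted string args, raw args, return value) per line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            pid, name, args, ret = m.groups()
            yield int(pid), name, QUOTED.findall(args), args, int(ret)


def scan(trace, min_victims=3):
    """Behavioral signature, tracked per process: the process read file P,
    wrote a different file whose name extends P, then unlinked or renamed P.
    Alert (return the victim list) for processes that did this to at least
    min_victims distinct files."""
    fds = defaultdict(dict)          # pid -> fd -> path (from the open return value)
    read_paths = defaultdict(set)    # pid -> paths it has read
    written = defaultdict(set)       # pid -> paths it has written
    victims = defaultdict(set)       # pid -> originals it destroyed after copying
    for pid, name, strs, args, ret in parse_trace(trace):
        if name in ("open", "openat") and ret >= 0 and strs:
            fds[pid][ret] = strs[-1]                 # last quoted arg is the path
        elif name in ("read", "write"):
            path = fds[pid].get(int(args.split(",")[0]))
            if path is not None:
                (read_paths if name == "read" else written)[pid].add(path)
        elif name == "close":
            fds[pid].pop(int(args.split(",")[0]), None)
        elif name in ("unlink", "rename") and strs:
            victim = strs[0]
            if victim in read_paths[pid] and any(
                    w != victim and w.startswith(victim) for w in written[pid]):
                victims[pid].add(victim)
    return {pid: sorted(v) for pid, v in victims.items() if len(v) >= min_victims}


if __name__ == "__main__":
    for pid, files in scan(TRACE).items():
        print(f"pid {pid}: read-copy-destroy on {len(files)} files: {files}")
```

The editor process never trips the signature because it reads and writes the same path and destroys nothing; a legitimate "save as new file, delete old" workflow would, which is why the threshold and the name-extension check exist and why a dynamic signature is tuned against benign traces as well as malicious ones.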
The malware detection ecosystem has a lot of sharing [diagram]: end customers submit suspect files to their AV vendor; AV vendors exchange samples through malware repositories and VirusTotal; each AV vendor feeds verdicts back to its own end customers.

Suspect files, daily volume [chart]

Multiple-scanner report [screenshot]

Malware detection process (practice) [diagram, same structure as the theory slide]: in the AV lab, a suspect file is judged malicious yes/no and a profile is produced; in the wild, a file/message scanner applies the profile and judges each file or message malicious yes/no.
Malware definition in practice. X is malware:
- if it creates a huge hue and cry;
- if P out of S AV scanners (on VT) say it is malware;
- if some customer reports it as suspect and a security analyst confirms.

How to perform community voting: use Hash(X) instead of X. Hash(X) is malware if P out of S AV scanners (on VT) say it is malware. Community voting is very rigid: a hash identifies one exact file, so it cannot check for unseen malware (a variant that differs by a single byte has a different hash and no verdict).
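The following is an added example (not code from the slides) that ties the static-signature slide and the community-voting slide together: it derives the wildcard signature from the three variant byte strings on the slide, scans with it, and compares that with a hash-based P-out-of-S vote. The multi-scanner report, the engine names, the fourth "unseen" variant and the junk prefix are constructed for the example; SHA-256 stands in for whatever hash a repository keys on.

```python
import hashlib

# Constructed samples: the three variant byte strings from the slide.
VARIANTS = {
    "v1": bytes.fromhex("67 33 74 20 73 38 6D 35 20 76 37 61"),
    "v2": bytes.fromhex("67 36 74 20 73 32 6D 37 20 76 38 61"),
    "v3": bytes.fromhex("67 39 74 20 73 37 6D 33 20 76 36 61"),
}
# A fourth variant nobody has submitted yet, embedded after a few junk bytes (constructed).
UNSEEN = b"\x00\x90\x90\x00" + b"g1t s4m9 v2a"


def derive_signature(samples):
    """Align the samples byte by byte; keep a byte where all agree, else a wildcard (None)."""
    n = min(len(s) for s in samples)
    sig = []
    for i in range(n):
        column = {s[i] for s in samples}
        sig.append(column.pop() if len(column) == 1 else None)
    return sig


def format_signature(sig):
    return " ".join("??" if b is None else f"{b:02X}" for b in sig)


def scan(buf, sig):
    """Offset of the first wildcard match of sig in buf, or -1 (naive O(n*m) scan)."""
    for off in range(len(buf) - len(sig) + 1):
        if all(b is None or buf[off + k] == b for k, b in enumerate(sig)):
            return off
    return -1


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed multi-scanner report keyed by hash, shaped like a VirusTotal-style
# lookup result: engine name -> detection label, or None.  Five engines, so S = 5.
REPORT = {
    sha256(VARIANTS["v1"]): {"A": "Trojan.G3t", "B": None, "C": "W32/G3t", "D": "G3t.gen", "E": None},
    sha256(VARIANTS["v2"]): {"A": None, "B": None, "C": "W32/G3t", "D": None, "E": None},
}


def community_verdict(sample, report, p=2):
    """Hash(X) is malware if at least P of S scanners flag it.
    True/False for a hash the report knows; None if the hash was never seen."""
    verdicts = report.get(sha256(sample))
    if verdicts is None:
        return None
    return sum(1 for label in verdicts.values() if label) >= p


if __name__ == "__main__":
    sig = derive_signature(list(VARIANTS.values()))
    print("derived signature:", format_signature(sig))
    for name, sample in list(VARIANTS.items()) + [("unseen", UNSEEN)]:
        print(f"{name:6s} hash vote: {community_verdict(sample, REPORT)!s:5s} "
              f"signature hit at offset: {scan(sample, sig)}")
```

The hash vote answers only for the two hashes in the report (v3 and the unseen variant get no verdict at all), while the derived signature fires on all four; the price is that a 12-byte pattern with four wildcards is loose enough that a real deployment would validate it against a clean-file corpus before shipping it.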
Other challenges related to malware:
- Determine the objective of a malware
- Determine the actors/creators
- Disrupt botnets

BINARY ANALYSIS

Learn about you (audience poll). Binary analysis: level of knowledge, 1-5 (low to high); how much do you care, 1-5.

Binary analysis - why?
- Debugging and patching
- Legacy migration
- Software protection: protecting IP
- Software cracking
- Malicious detection: a binary with undesired/unknown behavior
Binary analysis tools

Static:
- Hex editor
- PE/ELF editors
- Disassembler
- Decompiler
- Data/control flow analysis
- Abstract interpreter
- Specialized checkers (e.g., buffer overflow)
- Theorem provers

Dynamic:
- Debugger
- Emulator
- Run-time monitors
- Network monitors
- Fuzzers

Mixed (concolic): a combination of dynamic and static analysis
History of analysis tools
- 50+ years of program analysis (PA): compilers, security analysis, ...
- 25+ years of reverse engineering (RE): design recovery, reengineering, evolution, ...
- Fundamental theories, algorithms, methods: program decomposition, abstraction; disassembly, flow graphs; liveness, dependence, dominance, ...; clustering, abstraction, visualization, comparison

Compiler processing: parse -> create control & data flow -> generate object code

Binary analysis, adapted from source analysis: disassemble -> extract procedures -> extract control & data flow -> verify property -> result
Decomposing binaries

High-level program:
main() {
  Max(0xA, 0xB);
  Max(0xC, 0xD);
}
Max(int x, int y) {
  if (x > y) return 1;
  return 0;
}

Disassembled binary:
L01: PUSH 0xA
L02: PUSH 0xB
L03: CALL L08
L04: PUSH 0xC
L05: PUSH 0xD
L06: CALL L08
L07: RET
L08: MOV eax, [esp+4]
L09: MOV ebx, [esp+8]
L10: CMP eax, ebx
L12: JG L15
L13: MOV eax, 0
L14: RET
L15: MOV eax, 1
L16: RET

In the source, procedures are encapsulated. In the binary there is no syntactic boundary for procedures: how do we partition it into procedures?

Analysis of the binary: interprocedural CFG of the disassembled program.
Procedure 1 (main): block [L01 PUSH 0xA; L02 PUSH 0xB; L03 CALL L08] -> block [L04 PUSH 0xC; L05 PUSH 0xD; L06 CALL L08] -> block [L07 RET]; both CALLs have a call edge to L08.
Procedure 2 (Max): block [L08 MOV eax,[esp+4]; L09 MOV ebx,[esp+8]; L10 CMP eax,ebx; L12 JG L15] -> taken: block [L15 MOV eax,1; L16 RET]; not taken: block [L13 MOV eax,0; L14 RET].
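As an added example (not from the slides), the procedure recovery described on the two slides above carried out in code: split the listing into basic blocks at the usual leaders, build intra-procedural (fall-through and branch) edges separately from call edges, then treat every CALL target plus the program entry as a procedure entry and collect what each entry reaches without crossing a call. The listing is the slide's, with the JG aimed at the `MOV eax, 1` block that implements `return 1`; the tiny assembler syntax parser only knows the opcodes that listing uses.

```python
import re
from collections import defaultdict

# The slide's listing (labels are the slide's own; JG targets the `return 1` block).
LISTING = """\
L01: PUSH 0xA
L02: PUSH 0xB
L03: CALL L08
L04: PUSH 0xC
L05: PUSH 0xD
L06: CALL L08
L07: RET
L08: MOV eax, [esp+4]
L09: MOV ebx, [esp+8]
L10: CMP eax, ebx
L12: JG L15
L13: MOV eax, 0
L14: RET
L15: MOV eax, 1
L16: RET
"""

UNCOND = {"JMP"}                  # unconditional jumps
COND = {"JG", "JLE", "JE", "JNE"}  # conditional jumps; only JG occurs above
INSN = re.compile(r"(\w+):\s*(\w+)\s*(.*)")


def parse(listing):
    """-> list of (label, mnemonic, operand string), one per instruction."""
    out = []
    for line in listing.strip().splitlines():
        label, mnem, ops = INSN.match(line).groups()
        out.append((label, mnem.upper(), ops.strip()))
    return out


def build_cfg(insns):
    """Split into basic blocks; return (blocks, flow edges, call edges), each keyed
    by the label of the block's leader.  A CALL's return is modelled as a
    fall-through edge to the next instruction, so flow edges never leave a procedure."""
    index = {label: i for i, (label, _, _) in enumerate(insns)}
    leaders = {0}
    for i, (_, mnem, ops) in enumerate(insns):
        if mnem in UNCOND | COND or mnem == "CALL":
            leaders.add(index[ops])            # a branch/call target starts a block
        if mnem in UNCOND | COND or mnem in ("CALL", "RET"):
            if i + 1 < len(insns):
                leaders.add(i + 1)             # so does the instruction after a transfer
    starts = sorted(leaders)
    blocks, flow, calls = {}, defaultdict(set), defaultdict(set)
    for k, s in enumerate(starts):
        end = starts[k + 1] if k + 1 < len(starts) else len(insns)
        leader = insns[s][0]
        blocks[leader] = insns[s:end]
        _, mnem, ops = insns[end - 1]
        nxt = insns[end][0] if end < len(insns) else None
        if mnem in UNCOND:
            flow[leader].add(ops)
        elif mnem in COND:                     # taken and not-taken successors
            flow[leader].add(ops)
            if nxt:
                flow[leader].add(nxt)
        elif mnem == "CALL":
            calls[leader].add(ops)
            if nxt:
                flow[leader].add(nxt)
        elif mnem != "RET" and nxt:
            flow[leader].add(nxt)
    return blocks, flow, calls


def partition_procedures(blocks, flow, calls, entry):
    """Every CALL target (plus the program entry) is a procedure entry; a procedure
    is the set of blocks its entry reaches over flow edges.  Blocks reached from
    two entries are returned separately: they signal overlapping or shared code."""
    entries = {entry} | {t for targets in calls.values() for t in targets}
    procs, owners = {}, defaultdict(set)
    for e in sorted(entries):
        seen, work = set(), [e]
        while work:
            b = work.pop()
            if b in seen:
                continue
            seen.add(b)
            owners[b].add(e)
            work.extend(flow.get(b, ()))
        procs[e] = sorted(seen)
    shared = sorted(b for b, es in owners.items() if len(es) > 1)
    return procs, shared


if __name__ == "__main__":
    insns = parse(LISTING)
    blocks, flow, calls = build_cfg(insns)
    procs, shared = partition_procedures(blocks, flow, calls, insns[0][0])
    for e, body in procs.items():
        print(f"procedure at {e}: blocks {body}")
    print("blocks shared between procedures:", shared or "none")
```

On a real binary the hard part is the edges this toy takes for granted: indirect calls and jumps (`CALL eax`, jump tables) have no syntactic target, and obfuscated code deliberately shares blocks between "procedures", which is why the `shared` list is worth keeping.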
Binary analysis - challenges

Typical analysis pipeline: virus database -> disassemble -> extract procedures -> extract control & data flow -> verify property -> certify / reject

Problem: the pipeline is not hardened. A silent failure in the disassembler leaves every later stage (procedure extraction, control and data flow, property verification) disabled, yet the pipeline still emits a certify/reject verdict.

Each stage of the typical pipeline (disassemble -> extract procedures -> extract control & data flow -> verify property) can be attacked:
Attack: disassembly (decoding machine instructions from a byte sequence)

Original bytes and the intended assembly:
401063: 5d                     pop  %ebp
401064: c3                     ret
401065: 55                     push %ebp                    <- malicious func (no jump target)
401066: 89 e5                  mov  %esp,%ebp
401068: 83 ec 08               sub  $0x8,%esp
40106b: eb 05                  jmp  0x401072                <- jump over junk
40106d: c7 ee ff ff ff         (junk bytes, never executed)
401072: e8 e9 ff ff ff         call 0x401060
401077: c7 45 fc 00 00 00 00   movl $0x0,0xfffffffc(%ebp)
40107e: 81 7d fc e7 03 00 00   cmpl $0x3e7,0xfffffffc(%ebp)

Bad disassembly (a linear sweep decodes straight through the junk and is out of sync until it resynchronizes at 40107e):
401063: 5d                     pop  %ebp
401064: c3                     ret
401065: 55                     push %ebp
401066: 89 e5                  mov  %esp,%ebp
401068: 83 ec 08               sub  $0x8,%esp
40106b: eb 05                  jmp  0x401072
40106d: c7 ee ff ff ff e8      mov  $0xe8ffffff,%esi
401073: e9 ff ff ff c7         jmp  0xc8401077
401078: 45                     inc  %ebp
401079: fc                     cld
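To make the attack concrete, here is an added example (not from the slides) that runs the two classic disassembly strategies over the bytes on the slide. The byte string is constructed from the slide's listing starting at 0x401063; the decoder is a toy that knows only the opcodes those bytes use and, like the old objdump on the slide, accepts `c7` as `mov` regardless of its ModRM reg field. Linear sweep is derailed by the five junk bytes; recursive traversal follows the `jmp` over them but only if it is given 0x401065 as an entry, since nothing in the buffer jumps there.

```python
from dataclasses import dataclass

# Bytes from the slide, starting at 0x401063 (constructed from its listing).
BASE = 0x401063
CODE = bytes.fromhex(
    "5d c3 55 89 e5 83 ec 08 eb 05 "   # pop; ret; push; mov; sub; jmp 0x401072
    "c7 ee ff ff ff "                  # five junk bytes the jmp skips
    "e8 e9 ff ff ff "                  # call 0x401060
    "c7 45 fc 00 00 00 00 "            # movl $0x0,-0x4(%ebp)
    "81 7d fc e7 03 00 00"             # cmpl $0x3e7,-0x4(%ebp)
)

REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
REGS8 = ["al", "cl", "dl", "bl", "ah", "ch", "dh", "bh"]
GROUP1 = ["add", "or", "adc", "sbb", "and", "sub", "xor", "cmp"]
SIMPLE = {0x55: "push %ebp", 0x5d: "pop %ebp", 0xc3: "ret", 0x45: "inc %ebp", 0xfc: "cld"}


@dataclass
class Insn:
    addr: int
    length: int
    text: str
    flow: str            # "fall", "jump", "call" or "stop"
    target: int = None


def modrm(code, i):
    """Decode the ModRM byte at code[i] -> (reg field, operand text, bytes used).
    Only the forms the sample needs: register, disp8(reg), (reg); no SIB/disp32."""
    b = code[i]
    mod, reg, rm = b >> 6, (b >> 3) & 7, b & 7
    if mod == 3:
        return reg, "%" + REGS[rm], 1
    if mod == 1:
        disp = code[i + 1] - 256 if code[i + 1] > 127 else code[i + 1]
        return reg, f"{disp:#x}(%{REGS[rm]})", 2
    return reg, f"(%{REGS[rm]})", 1


def decode(code, off, base=BASE):
    """Decode one instruction at code[off] (toy x86-32 decoder for this sample)."""
    op, addr = code[off], base + off
    if op in SIMPLE:
        return Insn(addr, 1, SIMPLE[op], "stop" if op == 0xc3 else "fall")
    if op == 0xeb:                                   # jmp rel8
        rel = code[off + 1] - 256 if code[off + 1] > 127 else code[off + 1]
        tgt = (addr + 2 + rel) & 0xffffffff
        return Insn(addr, 2, f"jmp {tgt:#x}", "jump", tgt)
    if op in (0xe8, 0xe9):                           # call rel32 / jmp rel32
        rel = int.from_bytes(code[off + 1:off + 5], "little", signed=True)
        tgt = (addr + 5 + rel) & 0xffffffff
        name, flow = ("call", "call") if op == 0xe8 else ("jmp", "jump")
        return Insn(addr, 5, f"{name} {tgt:#x}", flow, tgt)
    if op in (0x00, 0x89):                           # add r8,r/m8 ; mov r32,r/m32
        reg, rmtext, n = modrm(code, off + 1)
        src = "%" + (REGS8[reg] if op == 0x00 else REGS[reg])
        return Insn(addr, 1 + n, f"{'add' if op == 0x00 else 'mov'} {src},{rmtext}", "fall")
    if op in (0x81, 0x83, 0xc7):                     # group1 imm32 / imm8 ; mov imm32
        reg, rmtext, n = modrm(code, off + 1)
        width = 1 if op == 0x83 else 4
        imm = int.from_bytes(code[off + 1 + n:off + 1 + n + width], "little")
        name = "mov" if op == 0xc7 else GROUP1[reg]   # lenient c7, as on the slide
        return Insn(addr, 1 + n + width, f"{name} ${imm:#x},{rmtext}", "fall")
    return Insn(addr, 1, f".byte {op:#04x}", "fall")


def linear_sweep(code, base=BASE):
    """Decode every byte in order, whatever the control flow says."""
    out, off = [], 0
    while off < len(code):
        insn = decode(code, off, base)
        out.append(insn)
        off += insn.length
    return out


def recursive_traversal(code, base, entries):
    """Decode only what is reachable from the given entry addresses; targets
    outside the buffer (e.g. call 0x401060, before our bytes) are ignored."""
    out, seen, work = [], set(), [e - base for e in entries]
    while work:
        off = work.pop()
        if off in seen or not 0 <= off < len(code):
            continue
        seen.add(off)
        insn = decode(code, off, base)
        out.append(insn)
        if insn.flow in ("fall", "call"):
            work.append(off + insn.length)
        if insn.flow in ("jump", "call"):
            work.append(insn.target - base)
    return sorted(out, key=lambda i: i.addr)


if __name__ == "__main__":
    for title, insns in (("linear sweep", linear_sweep(CODE)),
                         ("recursive from 0x401065", recursive_traversal(CODE, BASE, [0x401065])),
                         ("recursive from 0x401063", recursive_traversal(CODE, BASE, [0x401063]))):
        print(title)
        for i in insns:
            print(f"  {i.addr:x}: {CODE[i.addr-BASE:i.addr-BASE+i.length].hex(' '):22s} {i.text}")
```

Neither strategy is safe on its own: linear sweep has no idea the `jmp` exists, and recursive traversal is blind to code that is reached only through an indirect transfer or a computed address, which is exactly why the `push %ebp` at 0x401065 is annotated "no jump target".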
M/o/Vfuscator (by Chris Domas) [screenshot]
Attack: defeat CFG construction

Transform code to data

Defeat signatures: packer, with encryption

Packer - limitation: the original code is in clear text (in memory) at some point

Protectors - virtual machine: slip a VM under the program
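An added example (not from the slides, and not any real packer's format) of why a packer defeats the static signature and why its limitation holds: the body is XOR-encrypted under a per-build key, so the packed image never contains the signature bytes and every key gives a new hash; but the stub has to decrypt the body before running it, and a scan of what the stub produces (a memory dump after unpacking) matches again. The `PK1` header layout and the keys are assumptions made for the example; the body and signature are the slide's variant-1 bytes and wildcard string.

```python
# The slide's variant-1 bytes stand in for the malicious body; the signature is the slide's.
BODY = bytes.fromhex("67 33 74 20 73 38 6D 35 20 76 37 61")
SIGNATURE = "67 ?? 74 20 73 ?? 6D ?? 20 76 ?? 61"


def matches(buf, signature):
    """True if the wildcard hex signature (?? = any byte) occurs anywhere in buf."""
    sig = [None if t == "??" else int(t, 16) for t in signature.split()]
    return any(all(b is None or buf[o + k] == b for k, b in enumerate(sig))
               for o in range(len(buf) - len(sig) + 1))


def pack(body, key):
    """Toy packer (invented layout, an assumption for this example):
    b'PK1' | 1-byte XOR key | 2-byte little-endian body length | XOR-ed body."""
    cipher = bytes(b ^ key for b in body)
    return b"PK1" + bytes([key]) + len(cipher).to_bytes(2, "little") + cipher


def run_stub(image):
    """What the packer's stub does at run time: decrypt the body into memory.
    The return value is what a memory dump taken after unpacking contains."""
    if image[:3] != b"PK1":
        raise ValueError("not a PK1 image")
    key, n = image[3], int.from_bytes(image[4:6], "little")
    return bytes(b ^ key for b in image[6:6 + n])


def static_verdict(image):
    """Scan the file as it sits on disk."""
    return matches(image, SIGNATURE)


def dynamic_verdict(image):
    """Let the stub run, then scan the unpacked body it produced."""
    return matches(run_stub(image), SIGNATURE)


if __name__ == "__main__":
    for key in (0x5A, 0xA7):
        image = pack(BODY, key)
        print(f"key={key:#x} image={image.hex()} "
              f"static={static_verdict(image)} after-unpack={dynamic_verdict(image)}")
```

Repacking with a fresh key is all a distributor needs to evade both the file hash and the body signature statically, which is why scanners fall back to emulating or executing the stub and scanning memory afterwards; the recognisable part that survives repacking is the stub itself (here the `PK1` header), and a signature on it identifies the packer, not the family.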
Variants vs family (source: Symantec Corp., 2006; counts per half year)

Half year   Total variants   Total families
03-I               994             141
03-II             1702             184
04-I              4496             164
04-II             7360             171
05-I             10866             170
05-II            10992             104
06-I              6784             101