
Malware Analysis, Arun Lakhotia, University of Louisiana at Lafayette - PowerPoint PPT Presentation (slide transcript)



  1. Malware Analysis. Arun Lakhotia, University of Louisiana at Lafayette, USA. Presented at ISSISP 2017, CNRS Gif Sur Yvette. 7/18/2017 ISSISP 2017- (C) Lakhotia 1

  2. Introduction
     - Professor of Computer Science
     - Founder, CEO

  3. Geolocation

  4. Plan of talk
     - Malware detection in practice
     - Binary Analysis
     - Challenges in Binary Analysis

  5. Malware Detection in Practice

  6. What is Malware?
     “Software that steals your data. Software that destroys your data. Software that abuses your machine.” (@Pinkflawd)

  7. Types of malware
     - Ransomware
     - Botnets
     - Password stealers
     - Remote-Access Trojans (RATs)
     - Click-jackers (stealing ad clicks)
     - Banking Trojans
     - SCADA disruptors

  8. How to determine something is malware?
     - Run it
     - Observe whether it steals or destroys your data, or abuses your machine

  9. Determining malware in practice
     - Individually testing each program on every machine for maliciousness is not feasible
     - In reality:
        - Someone observes some unexpected activity
        - Traces the activity to a program
        - Passes it on to a security expert
        - The expert analyzes it to confirm
        - Creates a ‘profile’ of the program
        - Uses the ‘profile’ to detect other occurrences of the malware

  10. Malware Detection Process (Theory)
     Diagram: AV LAB: Suspect -> Malicious: yes/no -> Profile. IN THE WILD: File/Message -> Scanner (loaded with the Profile) -> Malicious: yes/no.

  11. Virus (Malware) Identification
     Antivirus scanners use extracted patterns, or “signatures”, to identify known malware.
     Diagram labels: Virus Form - A; Anti-Virus Signature.

  12. Static Signature
     Hex strings from virus variants:
        67 33 74 20 73 38 6D 35 20 76 37 61
        67 36 74 20 73 32 6D 37 20 76 38 61
        67 39 74 20 73 37 6D 33 20 76 36 61
     Hex string for detecting the virus (?? = wildcard):
        67 ?? 74 20 73 ?? 6D ?? 20 76 ?? 61

  13. Dynamic Signature
     - Monitor a running program to detect malicious behavior
     - Examples: analyze audit trails; look at patterns of system calls
     - Allows examination of only selected test cases

  14. Malware detection ecosystem has a lot of sharing
     Diagram: End customers <-> AV Vendor <-> Malware Repositories / VirusTotal <-> AV Vendor <-> End customers

  15. Suspect files, daily volume

  16. Multiple-Scanner Report

  17. Malware Detection Process (Practice)
     Diagram: AV LAB: Suspect -> Malicious: yes/no -> Profile. IN THE WILD: File/Message -> Scanner (loaded with the Profile) -> Malicious: yes/no.

  18. Malware Definition: In practice
     X is malware:
     - if it creates a huge hue and cry
     - if P out of S AV scanners (on VT) say it is malware
     - if some customer reports it as suspect and a security analyst confirms

  19. How to perform Community Voting
     - Use Hash(X) instead of X.
     - Hash(X) is malware if P out of S AV scanners (on VT) say it is malware
     - Community Voting is very rigid. Cannot check for unseen malware.
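As an added example (not from the slides), the Python below checks the slide-12 hex variants against the wildcard signature and contrasts that with the Hash(X) community vote of slide 19: the vote only works for a hash that has already been submitted, while the wildcard signature also catches the variants nobody has seen yet. The scanner names, vote counts, filler bytes and the P=3 threshold are constructed.

```python
import hashlib
import re
from typing import Dict, List, Optional

# Variant hex strings and the wildcard signature from slide 12.
HEX_VARIANTS = [
    "67 33 74 20 73 38 6D 35 20 76 37 61",
    "67 36 74 20 73 32 6D 37 20 76 38 61",
    "67 39 74 20 73 37 6D 33 20 76 36 61",
]
SIGNATURE = "67 ?? 74 20 73 ?? 6D ?? 20 76 ?? 61"

def compile_signature(hex_pattern: str) -> re.Pattern:
    """Compile a spaced hex pattern into a bytes regex; '??' matches any one byte."""
    parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
             for tok in hex_pattern.split()]
    return re.compile(b"".join(parts), re.DOTALL)

def scan(sig: re.Pattern, data: bytes) -> List[int]:
    """Offsets in data at which the signature matches."""
    return [m.start() for m in sig.finditer(data)]

def make_sample(hex_str: str) -> bytes:
    """Constructed test file: 16 filler bytes, the variant bytes, 8 trailing zeros."""
    return b"\x90" * 16 + bytes.fromhex(hex_str) + b"\x00" * 8

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed scanner verdicts keyed by Hash(X): only variant 0 has ever been submitted.
VOTES: Dict[str, Dict[str, bool]] = {
    sha256(make_sample(HEX_VARIANTS[0])): {
        "scanner1": True, "scanner2": True, "scanner3": False,
        "scanner4": True, "scanner5": True,
    }
}

def community_verdict(data: bytes, votes: Dict[str, Dict[str, bool]], p: int) -> Optional[bool]:
    """P-of-S vote on Hash(X); None when the hash was never seen (the rigidity problem)."""
    tally = votes.get(sha256(data))
    return None if tally is None else sum(tally.values()) >= p

def detect(data: bytes, p: int = 3) -> str:
    """Hash-based community vote first; fall back to the wildcard signature for unseen files."""
    verdict = community_verdict(data, VOTES, p)
    if verdict is not None:
        return "malicious (community vote)" if verdict else "benign (community vote)"
    return "malicious (signature)" if scan(compile_signature(SIGNATURE), data) else "unknown"
```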

  20. Other challenges related to malware
     - Determine the objective of the malware
     - Determine the actors/creators
     - Disrupt botnets

  21. BINARY ANALYSIS

  22. Learn about you
     Binary Analysis:
     - Level of knowledge: 1-5 (low-high)
     - How much do you care? 1-5

  23. Binary Analysis – Why?
     - Debugging and patching
     - Legacy migration
     - Software protection: protecting IP
     - Software cracking
     - Malicious detection: binary with undesired/unknown behavior

  24. Binary Analysis Tools
     STATIC:
     - Hex editor
     - PE/ELF editors
     - Disassembler
     - Decompiler
     - Data/control flow
     - Abstract interpreter
     - Specialized checkers (e.g. buffer overflow)
     - Theorem provers
     DYNAMIC:
     - Debugger
     - Emulator
     - Run-time monitors
     - Network monitors
     - Fuzzers
     MIXED – CONCOLIC:
     - Combination of dynamic and static

  25. History of analysis tools
     - 50+ years of program analysis (PA): compilers, security analysis, …
     - 25+ years of reverse engineering (RE): design recovery, reengineering, evolution, …
     - Fundamental theories, algorithms, methods:
        - program decomposition, abstraction
        - disassembly, flow graphs
        - liveness, dependence, dominance, …
        - clustering, abstraction, visualization, comparison

  26. Compiler processing
     Pipeline: parse -> create control & data flow -> generate object code

  27. Binary analysis, adapted from source
     Pipeline: disassemble -> extract procedures -> extract control & data flow -> verify property -> result

  28. Decomposing binaries
     Disassembled Binary:
        L01: PUSH 0xA
        L02: PUSH 0xB
        L03: CALL L08
        L04: PUSH 0xC
        L05: PUSH 0xD
        L06: CALL L08
        L07: RET
        L08: MOV eax, [esp+4]
        L09: MOV ebx, [esp+8]
        L10: CMP eax, ebx
        L12: JG L15
        L13: MOV eax, 0
        L14: RET
        L15: MOV eax, 1
        L16: RET
     High Level Program:
        main() {
          Max(0xA, 0xB);
          Max(0xC, 0xD);
        }
        Max(int x, int y) {
          if (x > y) return 1;
          return 0;
        }
     - Partition into procedures?
     - In the high-level program procedures are encapsulated; in the binary there is no syntactic boundary for procedures.

  29. Analysis of Binary
     Disassembled Program: the listing from slide 28.
     Interprocedural CFG:
        Procedure 1 (entry L01):
           [PUSH 0xA; PUSH 0xB; CALL L08] -> [PUSH 0xC; PUSH 0xD; CALL L08] -> [RET]
        Procedure 2 (entry L08):
           [MOV eax, [esp+4]; MOV ebx, [esp+8]; CMP eax, ebx; JG] -> fall through: [MOV eax, 0; RET]
                                                                  -> taken:        [MOV eax, 1; RET]
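An added example, not from the talk: a small Python procedure-recovery pass over the slide-28 listing. It builds intra-procedural successors (a CALL falls through to the next instruction, a RET ends the path, jumps follow their targets) and then partitions labels into procedures by reachability from the entry point and from every CALL target, which is how an analysis recovers the boundaries the binary never states. It assumes the conditional jump targets L15, the `return 1` path that the high-level Max() requires.

```python
# Disassembly from slides 28/29 as constructed input. The conditional jump targets L15,
# the "return 1" path that the high-level Max() requires.
LISTING = """L01: PUSH 0xA
L02: PUSH 0xB
L03: CALL L08
L04: PUSH 0xC
L05: PUSH 0xD
L06: CALL L08
L07: RET
L08: MOV eax, [esp+4]
L09: MOV ebx, [esp+8]
L10: CMP eax, ebx
L12: JG L15
L13: MOV eax, 0
L14: RET
L15: MOV eax, 1
L16: RET"""

def parse(listing):
    # Label -> instruction text, in listing order.
    return dict(line.split(": ", 1) for line in listing.splitlines())

def successors(insns):
    """Intra-procedural successors: RET ends, JMP/Jcc follow targets, CALL falls through."""
    labels, succ = list(insns), {}
    for i, lab in enumerate(labels):
        op, *args = insns[lab].replace(",", " ").split()
        nxt = labels[i + 1:i + 2]  # next instruction, if any (a CALL returns here)
        if op == "RET":
            nxt = []
        elif op == "JMP":
            nxt = [args[0]]
        elif op.startswith("J"):
            nxt = nxt + [args[0]]
        succ[lab] = nxt
    return succ

def procedures(insns):
    """Entries: first label plus every CALL target; a procedure is all labels reachable from its entry."""
    succ = successors(insns)
    entries = [next(iter(insns))] + [v.split()[1] for v in insns.values() if v.startswith("CALL")]
    procs = {}
    for entry in dict.fromkeys(entries):  # dedupe, keep order
        seen, work = set(), [entry]
        while work:
            lab = work.pop()
            if lab not in seen:
                seen.add(lab)
                work.extend(succ[lab])
        procs[entry] = sorted(seen)
    return procs
```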

  30. Binary Analysis - Challenges

  31. Typical analysis pipelines
     Pipeline: VIRUS DATABASE -> disassemble -> extract procedures -> extract control & data flow -> verify property -> certify / reject

  32. Problem: Not hardened
     Diagram: the same pipeline (DATABASE -> disassemble -> extract procedures -> extract control & data flow -> verify property -> certify / reject) with stages stamped DISABLED! and the outcome labelled SILENT FAILURE!

  33. Typical analysis pipeline
     Pipeline: DATABASE -> disassemble -> extract procedures -> extract control & data flow -> verify property -> certify / reject

  34. Attack: Disassembly
     Pipeline: disassemble -> extract procedures -> extract control & data flow -> verify property. The attacked stage is disassembly: decoding machine instructions from the byte sequence.
     ORIG BYTES                        ASSEMBLY
        401063: 5d                     pop %ebp                      (no jump target)
        401064: c3                     ret
        401065: 55                     push %ebp                     malicious func
        401066: 89 e5                  mov %esp,%ebp
        401068: 83 ec 08               sub $0x8,%esp
        40106b: eb 05                  jmp 0x401072                  jump over junk
        40106d: c7 ee ff ff ff         (junk, skipped by the jmp)
        401072: e8 e9 ff ff ff         call 0x401060
        401077: c7 45 fc 00 00 00 00   movl $0x0,0xfffffffc(%ebp)
        40107e: 81 7d fc e7 03 00 00   cmpl $0x3e7,0xfffffffc(%ebp)
     Bad disassembly (a linear sweep decodes the junk as code and desynchronizes):
        40106d: c7 ee ff ff ff e8      mov $0xe8ffffff,%esi
        401073: e9 ff ff ff c7         jmp 0xc8401077
        401078: 45                     inc %ebp
        401079: fc                     cld
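Added example (not the speaker's code) that reconstructs the slide-34 bytes and runs two disassembly strategies over them: a linear sweep, which decodes the junk byte at 40106d as code, desynchronizes into the bogus jmp/inc/cld and only resynchronizes at 40107e, and a recursive traversal, which follows the jmp over the junk but, started at 401063, stops at the ret and never sees the function at 401065 because nothing jumps there. The decoder is a toy covering only these opcodes with fixed mnemonic text per opcode; it is not a real x86 decoder.

```python
# Byte stream from slide 34 (constructed from its listing), loaded at 0x401063.
BASE = 0x401063
CODE = bytes.fromhex(
    "5d c3 55 89 e5 83 ec 08 eb 05 c7 ee ff ff ff e8 e9 ff ff ff "
    "c7 45 fc 00 00 00 00 81 7d fc e7 03 00 00")
END = BASE + len(CODE)

# Length and text per opcode for the slide's encodings; only branch targets are decoded.
SIMPLE = {0x5D: (1, "pop %ebp"), 0x55: (1, "push %ebp"), 0x45: (1, "inc %ebp"),
          0xFC: (1, "cld"), 0x89: (2, "mov %esp,%ebp"), 0x83: (3, "sub $imm8,%esp"),
          0x00: (2, "add %al,(%eax)"), 0x81: (7, "cmpl $imm32,disp8(%ebp)")}

def decode(addr):
    """Toy decoder (not real x86): (length, text, successors) or None if unknown."""
    i = addr - BASE
    b = CODE[i]
    if b == 0xC3:
        return 1, "ret", []
    if b in (0xEB, 0xE8, 0xE9):  # jmp rel8, call rel32, jmp rel32
        n = 2 if b == 0xEB else 5
        tgt = (addr + n + int.from_bytes(CODE[i + 1:i + n], "little", signed=True)) & 0xFFFFFFFF
        if b == 0xE8:
            return n, f"call {tgt:#x}", [addr + n, tgt]
        return n, f"jmp {tgt:#x}", [tgt]
    if b == 0xC7:  # mov $imm32: 7 bytes to disp8(%ebp), else 6 bytes to a register (c7 ee = %esi)
        n, text = (7, "movl $imm32,disp8(%ebp)") if CODE[i + 1] == 0x45 else (6, "mov $imm32,%esi")
        return n, text, [addr + n]
    if b in SIMPLE:
        n, text = SIMPLE[b]
        return n, text, [addr + n]
    return None

def linear_sweep(start=BASE):
    """Decode consecutively from start, treating every byte as code."""
    out, addr = [], start
    while addr < END and (d := decode(addr)):
        out.append((addr, d[1]))
        addr += d[0]
    return out

def recursive_traversal(entry):
    """Decode by following control flow from entry; targets outside CODE are ignored."""
    out, work = {}, [entry]
    while work:
        addr = work.pop()
        if addr in out or not BASE <= addr < END or not (d := decode(addr)):
            continue
        out[addr] = d[1]
        work.extend(d[2])
    return sorted(out.items())
```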

  35. M/o/Vfuscator (by Chris Domas)

  36. (image slide, no text)

  37. Attack: Defeat CFG Construction

  38. Transform code to data

  39. Defeat signatures: Packer, with encryption

  40. Packer - Limitation
     - Original code is in clear text at some point

  41. Protectors – Virtual Machine
     - Slip a VM under the program

  42. Variants vs Family (Source: Symantec Corp 2006)
     Half Year        03-I   03-II  04-I   04-II  05-I   05-II  06-I
     Total Variants   994    1702   4496   7360   10866  10992  6784
     Total Family     141    184    164    171    170    104    101
