Impeding Malware Analysis Using Conditional Code Obfuscation. Monirul Sharif (1), Andrea Lanzi (2), Jonathon Giffin (1), Wenke Lee (1). Presentation slides, NDSS 2008.



  1. Impeding Malware Analysis Using Conditional Code Obfuscation
     Monirul Sharif (1), Andrea Lanzi (2), Jonathon Giffin (1), Wenke Lee (1)
     (1) Georgia Institute of Technology; (2) Università degli Studi di Milano
     NDSS 2008

  2. Introduction
     We need to understand malware: rootkits, keyloggers, viruses, exploits, bots, worms, spyware, trojans.
     Reverse engineering and malware analysis reveal system-wide effects, propagation, control and capabilities.
     Hundreds of new malware samples appear almost every day, so automated analysis systems have become very important.
     Obfuscations that are easily applicable to existing code can be a threat.
     We present a simple, automated and transparent obfuscation against state-of-the-art malware analyzers.
     NDSS 2008 Impeding Malware Analysis Using Conditional Code Obfuscation

  3. Malware Analysis and Obfuscations
     Diagram: the defense/offense arms race, defense technique on the left and the offense response on the right.
     Defense: static analysis based approaches
       Offense response: polymorphism, metamorphism, packing, opaque predicates, anti-disassembly
     Defense: dynamic malware analysis
       Offense response: trigger-based behavior (logic bombs, time bombs, anti-debugging, anti-emulation, etc.)
     Defense: dynamic multipath exploration (Moser et al. 2007), Bitscope (Brumley et al. 2007), EXE (Cadar et al. 2006), forced execution (Wilhelm et al. 2007)
       Offense response: ? Conditional Code Obfuscation (this talk)

  4. Rest of the Talk
     o Conditional Code Obfuscation
       o Principles
       o Static analysis based automation
       o Automatic applicability on existing malware without modification
     o Implications
       o Implications on existing analyzers
       o Measuring obfuscation strength
     o Prototype implementation and evaluation
       o Evaluation on malware
     o Weaknesses and defense
       o How analysis can be improved for the defender

  5. Principles of Our Attack
     Diagram: a malware binary takes inputs; a condition on those inputs guards trigger-based behavior that is unknown ("?") to the analyzer. Any static or dynamic analysis approach that does not know the inputs is an input-oblivious analyzer.

  6. Principles of Our Attack
     Diagram: malware binary, unknown trigger-based inputs, condition guarding the trigger-based behavior.
     Original code:
         cmd = get_command(sock);
         if (strcmp(cmd, "logkeys") == 0) {
             LogKeys();
         }
     Condition replaced by a hash comparison:
         cmd = get_command(sock);
         if (Hash(cmd) == H) {
             LogKeys();
         }

  7. Principles of Our Attack
     Diagram: as on slide 6, with the key K drawn inside the malware binary.
     Original code:
         cmd = get_command(sock);
         if (strcmp(cmd, "logkeys") == 0) {
             LogKeys();
         }
     Trigger-based behavior encrypted, key K embedded in the program:
         cmd = get_command(sock);
         if (strcmp(cmd, "logkeys") == 0) {
             decrypt(encr_LogKeys, K);
             encr_LogKeys();
         }
         encr_LogKeys() { /* encrypted body */ }
     The key is inside the program.

  8. Principles of Our Attack
     Diagram: as on slide 6; no key is present in the binary.
     Original code:
         cmd = get_command(sock);
         if (strcmp(cmd, "logkeys") == 0) {
             LogKeys();
         }
     Hash comparison plus decryption keyed by the input itself:
         cmd = get_command(sock);
         if (Hash(cmd) == H) {
             decrypt(encr_LogKeys, cmd);
             encr_LogKeys();
         }
         encr_LogKeys() { /* encrypted body */ }
     The key is no longer inside the code.

  9. General Obfuscation Mechanism
     Original code:
         if (X == c) {
             B
         }
     Obfuscated code, with H_c = Hash(c) and B_E = Encr(B, c):
         if (Hash(X) == H_c) {
             Decr(B_E, X)
             B_E
         }
     o Candidate conditions: conditions with equality
       o The usual '==' operator
       o String equality checks: strcmp, memcmp, strncmp, etc.
       o Conditions with '>', '<', '!=' will not work
     o Conditional code: any code that executes only when the condition is satisfied
     o Hash function properties:
       o Pre-image resistance protects against reversing: hard to find c given H_c
       o Second pre-image resistance preserves program correctness: hard to find another c' where Hash(c') = H_c

  10. Automation Using Static Analysis
      o Identify candidate conditions
        o Identify functions and create a CFG for each function
        o Find blocks containing candidate conditions
      o Conditional code identification
        o Intra-procedural: basic blocks control dependent on the condition with true outcome
        o Inter-procedural: set of all functions only reachable from the selected basic blocks
          o Exclude functions reachable from the default path
          o Conservative conditional code selection for function pointers

  11. Automation Using Static Analysis: Handling Common Conditional Code
      Diagram: block B is reachable from two candidate conditions, if P and if Q; B is duplicated into B_P and B_Q and encrypted as Encr(B, K_P) and Encr(B, K_Q).
      • Two keys are used in two paths; the code is duplicated.
      • If one path is not a candidate condition, there is no use in concealing the trigger code.

  12. Automation Using Static Analysis: Handling Complex Conditions
      Logical "and": the original
          if (X == a && Y == b) {
              Attack();
          }
      becomes nested conditions
          if (X == a) {
              if (Y == b) {
                  Attack();
              }
          }
      Logical "or": the original
          if (X == a || Y == b) {
              Attack();
          }
      becomes
          if (X == a) {
              Attack();
          } else if (Y == b) {
              Attack();
          }

  13. Automation Using Static Analysis: Handling Complex Conditions
      Switch case: the original
          switch (cmd) {
          case 0:
              attack1();
              break;
          case 1:
              recon();
          case 2:
              attack2();
          }
      becomes a sequence of equality conditions (the fall-through from case 1 into case 2 is preserved)
          if (cmd == 0) attack1();
          if (cmd == 1) {
              recon();
              attack2();
          }
          if (cmd == 2) attack2();

  14. Consequences to Existing Analyzers
      • Multi-path exploration (Moser et al., Bitscope)
        o Constraints are built for each path
        o Hash functions are non-linear, so no solution can be found
      • Input discovery (EXE)
        o Solves constraints to get inputs (symbolic execution)
        o Same problem: cannot derive the input
      Diagram: condition Hash(X) == H_c guards the trigger-based behavior B.

  15. Consequences to Existing Analyzers
      • Forced execution
        o Forces execution without solving constraints
        o Without the key, the program crashes
      • Static analysis
        o As with packed code, static analysis of the trigger code is not possible
      Diagram: condition Hash(X) == H_c guards the trigger-based behavior B.

  16. Attacks on the Obfuscation
      o Attacks on Hash(X) = H_c: find a possible X satisfying the above
      o Input domain
        o Domain(X): the set of all possible values X may take
        o With time t for every hash computation, total time = |Domain(X)| * t
        o For an integer I, |Domain(I)| = 2^32
      o Brute force attacks
      o Dictionary attacks

  17. Prototype Implementation
      • Overview
        o Implemented for Linux
        o Takes malware C source code and outputs obfuscated ELF binaries
      • Analysis level: both source code and binary levels are required
        o Source and IR level: type information is essential
        o Binary level: decrypted code must be executable
      Diagram (simplified architectural view of the automated obfuscation system): malware source (C/C++) -> LLVM analysis/instrumentation (find candidate conditions, mark conditional code and keys, perform transformation) -> compiler -> ELF binary (x86) with blocks and keys -> DynInst binary framework (encrypt marked conditional code, remove keys) -> final obfuscated ELF binary (x86)

  18. Analysis and Transformation Phase
      • Candidate code replacement
        o Enc(X)/Dec(X): encryption/decryption with AES and 256-bit keys
        o Hash function Hash(X): SHA-256
        o Different hash functions based on the data type of X
      • Decryption keys and markers
        o Key generation: Key(X) = Hash(X|N), where N is a nonce
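The mechanism of slides 9 and 18 together with the domain-enumeration attack of slide 16, as an added Python illustration that is not the paper's LLVM/DynInst tool: Hash(X) is SHA-256 and the key is Hash(X|N) as on slide 18, while the paper's AES-256 is swapped for a SHA-256 keystream XOR, and the nonce, trigger values and code bytes are constructed.

```python
"""Conditional code obfuscation in miniature (slides 9 and 18) plus the analyst's
brute-force trigger recovery (slide 16). Added illustration, not the paper's tool.
SHA-256 for Hash(X) and Key(X) = Hash(X|N) follow slide 18; the paper's AES-256 is
replaced by a SHA-256 keystream XOR (assumption: keeps this standard-library only)."""
import hashlib
from typing import Iterable, Optional, Tuple

NONCE = b"constructed-nonce"  # N in Key(X) = Hash(X|N); a constructed sample value

def trigger_hash(x: bytes) -> bytes:
    """H_c = Hash(c): the binary stores this digest instead of the constant c."""
    return hashlib.sha256(x).digest()

def derive_key(x: bytes) -> bytes:
    """Key(X) = Hash(X|N): derived from the input at runtime, never stored."""
    return hashlib.sha256(x + NONCE).digest()

def xor_stream(data: bytes, key: bytes) -> bytes:
    """Stand-in for Enc/Dec (slide 18): SHA-256 counter keystream XORed with data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def obfuscate(c: bytes, code_b: bytes) -> Tuple[bytes, bytes]:
    """`if (X == c) { B }` -> `if (Hash(X) == H_c) { Decr(B_E, Key(X)); B_E }`.
    Only H_c and B_E stay in the program; c and the key are removed (slide 9)."""
    return trigger_hash(c), xor_stream(code_b, derive_key(c))

def run_obfuscated(h_c: bytes, b_e: bytes, x: bytes) -> Optional[bytes]:
    """Runtime behaviour of the obfuscated condition for input X."""
    if trigger_hash(x) == h_c:
        return xor_stream(b_e, derive_key(x))  # correct input: B is recovered
    return None  # default path: B stays ciphertext (forced execution would crash)

def recover_trigger(h_c: bytes, domain: Iterable[bytes]) -> Optional[bytes]:
    """Slide 16: enumerate Domain(X) at cost |Domain(X)| * t; feasible for booleans
    and small integers (weak/medium on slide 20), infeasible for string triggers."""
    for candidate in domain:
        if trigger_hash(candidate) == h_c:
            return candidate
    return None

def int_domain(bits: int) -> Iterable[bytes]:
    """Every value of an unsigned `bits`-wide integer, little-endian as in x86 memory."""
    return (i.to_bytes(bits // 8, "little") for i in range(1 << bits))
```

A 16-bit integer trigger falls to `recover_trigger(h_c, int_domain(16))` in a fraction of a second, which is the slide 20 ordering of strength (strings > integers > booleans) made concrete.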

  19. Encryption Phase
      • DynInst based binary transformation tool
        o Finds Decipher(), End_marker() and the key (K_c)
        o Encrypts the binary code with the key
        o Removes the marker and the key from the code

  20. Experimental Results
      • Evaluated by obfuscating malware programs
        o Selected representative malware source programs for Linux with trigger-based behavior
      • Evaluation method
        o Manually identified malicious triggers in the malware
        o Applied the obfuscation and counted how many triggers were completely obfuscated by the automated system
        o Considered three levels of obfuscation strength: strong (strings), medium (integers), weak (booleans and return codes)

  21. Experimental Results
