
1. New approaches for chasing metamorphic malware
   Isabella Mastroeni, University of Verona, Italy
   Joint work with Roberto Giacobazzi, Neil Jones, Mila Dalla Preda
   30 May 2013
   Mastroeni (CREST 2013) Chasing malware 30 May 2013 1 / 29



  2-3. Introduction / Metamorphism / Escape signature checking
   Polymorphic malware: the malware code is encrypted and contains a decryption routine that decrypts the code and then executes it.
   Metamorphic malware: the malware applies semantics-preserving transformations (e.g. obfuscations) to mutate its own code as it propagates.

  4-6. Introduction / Metamorphism / Attacking metamorphism
   Our research directions. Metamorphism is mainly based on obfuscation techniques:
   ➪ We can study obfuscation techniques. Different from reverse engineering: we are not interested in the original code, we look for properties characterizing semantic invariants;
   ➪ We can extract behavioural malware characterizations. We can use higher-order (abstract) non-interference properties for characterizing the interaction of malware with the environment;
   ➪ Further application: we can study how to defeat anti-emulation techniques.

  7-9. Defeating program obfuscation / Program obfuscation / Example
   (Pseudo-)Code:
       mov eax, [edx+0Ch]
       push ebx
       push [eax]
       call ReleaseLock
   Obfuscated code (junk): an inc/dec pair is inserted around an existing instruction, so the value of eax is unchanged where it is used.
       mov eax, [edx+0Ch]
       inc eax
       push ebx
       dec eax
       push [eax]
       call ReleaseLock
   Obfuscated code (junk + reordering): the same instructions, with their order scrambled and the original control flow restored by relative jumps.
       mov eax, [edx+0Ch]
       jmp +3
       push ebx
       dec eax
       jmp +4
       inc eax
       jmp -3
       call ReleaseLock
       jmp +2
       push [eax]
       jmp -2
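To make the point of slides 7-9 concrete, here is a tiny interpreter for the pseudo-assembly, added as an example (it is not code from the talk). It runs the original listing, the junk-inserted one and the junk-plus-reordering one from the same constructed initial state and compares what a behavioural observer sees (the values pushed and the call made) with what a syntactic signature sees (the literal instruction text). Assumptions: the register/memory start state is constructed; `jmp +n` / `jmp -n` is read as "skip n instructions forward / backward", which is the reading under which the reordered listing executes exactly the instructions of the junk version.

```python
"""Interpreter for the slide's (pseudo-)assembly: shows that junk insertion
and reordering change the signature but not the observable behaviour.
Added example, not code from the talk; state and jump convention are assumptions."""

ORIGINAL = [
    "mov eax, [edx+0Ch]",
    "push ebx",
    "push [eax]",
    "call ReleaseLock",
]

JUNK = [  # slide 8: inc/dec pair inserted; eax is unchanged where it is used
    "mov eax, [edx+0Ch]",
    "inc eax",
    "push ebx",
    "dec eax",
    "push [eax]",
    "call ReleaseLock",
]

JUNK_REORDERED = [  # slide 9: same instructions, order scrambled with jumps
    "mov eax, [edx+0Ch]",
    "jmp +3",
    "push ebx",
    "dec eax",
    "jmp +4",
    "inc eax",
    "jmp -3",
    "call ReleaseLock",
    "jmp +2",
    "push [eax]",
    "jmp -2",
]


def initial_state():
    # Constructed sample state: edx points at a structure whose field at +0Ch
    # holds a pointer (0x2000); the word at 0x2000 is the value pushed for the call.
    return {"regs": {"eax": 0, "ebx": 0x1111, "edx": 0x1000},
            "mem": {0x1000 + 0x0C: 0x2000, 0x2000: 0x42}}


def operand(state, text):
    """Resolve a register, an immediate, or a [reg+disp] memory operand."""
    text = text.strip()
    if text.startswith("[") and text.endswith("]"):
        base, _, disp = text[1:-1].partition("+")
        addr = state["regs"][base] + (int(disp.rstrip("h"), 16) if disp else 0)
        return state["mem"][addr]
    if text in state["regs"]:
        return state["regs"][text]
    return int(text, 0)


def run(program, max_steps=100):
    """Execute `program` and return the observable behaviour: pushes, then the call."""
    state = initial_state()
    regs, observed, pc, steps = state["regs"], [], 0, 0
    while pc < len(program):
        steps += 1
        if steps > max_steps:  # a wrong reordering would loop forever
            raise RuntimeError("jump loop: reordering does not terminate")
        mnemonic, _, args = program[pc].partition(" ")
        if mnemonic == "mov":
            dst, src = args.split(",", 1)
            regs[dst.strip()] = operand(state, src)
        elif mnemonic == "inc":
            regs[args] += 1
        elif mnemonic == "dec":
            regs[args] -= 1
        elif mnemonic == "push":
            observed.append(("push", operand(state, args)))
        elif mnemonic == "call":
            observed.append(("call", args))
        elif mnemonic == "jmp":
            n = int(args)                        # "+3" -> 3, "-3" -> -3
            pc += n + 1 if n > 0 else n - 1      # skip |n| instructions (assumed convention)
            continue
        else:
            raise ValueError("unknown instruction: " + program[pc])
        pc += 1
    return observed


def signature(program):
    """What a string/byte signature matcher compares: the literal instruction text."""
    return "; ".join(program)


def same_behaviour(a, b):
    """Behavioural comparison: equal observable traces from the same start state."""
    return run(a) == run(b)


if __name__ == "__main__":
    for name, prog in [("original", ORIGINAL), ("junk", JUNK), ("reordered", JUNK_REORDERED)]:
        print(name, run(prog), "| signature:", signature(prog))
```

All three variants yield the trace `[("push", 0x1111), ("push", 0x42), ("call", "ReleaseLock")]` while their signatures are pairwise different, which is exactly why the slides move from syntactic signature checking to semantic invariants.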

  10. Defeating program obfuscation / Program obfuscation / Protection by obscurity
   O : P → P is a code obfuscator if it is an obfuscating compiler:
   ➪ It is potent: O(P) is more complex (ideally unintelligible) than P;
   ➪ It preserves the observational behaviour of programs: ⟦O(P)⟧ = ⟦P⟧. [C. Collberg et al. '97, '98]
   The limit. Obfuscating programs is (im)possible: even under restrictive hypotheses, a general-purpose obfuscator generating perfectly unintelligible code (virtual black box) does not exist! [Barak et al. '01]
   The challenge. Design obfuscators that work against specific attacks. Extensional properties of programs are undecidable [Rice '53] ... so formal methods and static analysis are born!

  11. Defeating program obfuscation / Program obfuscation / Approximation vs obscurity
   ➪ Because of undecidability we need approximation.
   ➪ Even if decidable, it is typically too complex to trace/analyze/understand (500kC ∼ 600 mY), so we need approximation.
   ➪ Approximation is pervasive in computing and code understanding: there are only approximated interpretations of programs.
   ➪ Making obscure is making the approximated interpreter blind!
   ➪ Potent obscure transformations correspond to hardly improvable approximations.
   How can we formalize all this?

  12. Defeating program obfuscation / Program obfuscation / Why abstract interpretation?
   Abstract Interpretation (1977) is a general model for the (static or dynamic) approximation of the semantics of discrete dynamic systems.
   ➪ Including: static program analysis, dynamic analysis, profiling, debugging, tracing, compilation, de-compilation, type checking and type inference, model checking and predicate abstraction, trajectory evaluation, testing, proof systems, etc.
   [Figure: a lattice of abstractions between ⊤ and ⊥]

  13-14. Defeating program obfuscation / Program obfuscation / Abstract interpretation
   Design approximate semantics of programs [Cousot & Cousot '77, '79].
   [Figure: a concrete element x is mapped by α into the abstract domain and back by γ; γ(α(x)) is the abstract view of x, and γ ∘ α ∈ uco(C)]
   Galois connection: ⟨C, α, γ, A⟩, where A and C are complete lattices.
   Closures: ⟨uco(C), ⊑⟩ is the set of all possible abstract domains, with A1 ⊑ A2 if A1 is more concrete than A2.

  15. Defeating program obfuscation / Program obfuscation / Approximating interpretation: BCA
   G is a sound approximation of F if α ∘ F ∘ γ ⊑ G.

  16. Defeating program obfuscation / Program obfuscation / Soundness and completeness [Cousot & Cousot '79]
   ➪ A program P ∈ P and a domain of computation C;
   ➪ An interpreter ⟦·⟧ : P × C → C;
   ➪ (Approximate) observable properties: ρ = γ ∘ α ∈ uco(C);
   ➪ Derive a sound approximate specification ⟦P⟧♯: ρ(⟦P⟧(x)) ≤ ⟦P⟧♯(x);
   ➪ The limit case, completeness: ρ(⟦P⟧(x)) = ⟦P⟧♯(x) iff ρ(⟦P⟧(x)) = ρ(⟦P⟧(ρ(x))).

  17. Defeating program obfuscation / Program obfuscation / Soundness and completeness (example)
   ➪ WhichChess : Img → ℘(Chess) returns the types of chess pieces on the chessboard.
   ➪ ρ : Img → Img is an abstraction of the image (ρ is shown as a picture on the slide).
   ➪ η : ℘(Chess) → [0, 12] counts the number of different types of chess pieces.
   On the original image η(⟦WhichChess⟧(img)) = 12, while on the abstracted image ρ(img) the count is 7: the abstraction of the input loses precision (the analysis is sound but not complete).

  18-21. Defeating program obfuscation / Program obfuscation / Completeness in abstract interpretation
   ➪ Backward soundness: no information is lost by approximating the input/output: ρ ∘ f ≤ ρ ∘ f ∘ ρ.
   ➪ Backward completeness: no loss of precision is accumulated by approximating the input: ρ ∘ f = ρ ∘ f ∘ ρ.
   ➪ Forward completeness: no information is lost by approximating the output: in general f ∘ ρ ≤ ρ ∘ f ∘ ρ, and completeness is the equality f ∘ ρ = ρ ∘ f ∘ ρ.
   [Figure: commuting diagrams relating f(x), ρ(f(x)), f(ρ(x)), ρ(f(ρ(x))) and the abstract function f♯(ρ(x))]

  22. Defeating program obfuscation / Obscurity as incompleteness
   Failing precision means failing completeness! Obfuscating programs is making abstract interpreters incomplete.
   ➪ Let ρ ∈ uco(Σ), with Σ the semantic objects (data, traces, etc.).
   ➪ A program transformation τ : P → P such that ⟦P⟧ = ⟦τ(P)⟧.
   ➪ ρ is B-complete for ⟦·⟧ if ρ(⟦P⟧) = ⟦P⟧ρ.
   τ obfuscates P if ⟦P⟧ρ ⊏ ⟦τ(P)⟧ρ, and ⟦P⟧ρ ⊏ ⟦τ(P)⟧ρ ⇔ ρ(⟦τ(P)⟧) ⊏ ⟦τ(P)⟧ρ.
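The definitions on slides 16-22 (sound approximation, backward completeness ρ ∘ f = ρ ∘ f ∘ ρ, and obfuscation as strict loss of abstract precision) can be checked mechanically on a small domain. The block below is an added example, not code from the talk: it implements the sign abstraction ρ as subsets of {−1, 0, +1}, interprets a tiny expression language concretely and abstractly, and compares ρ(⟦P⟧) with ⟦P⟧ρ. The expression language, the sample programs P = x·x and τ(P) = (x+1)² − 2x − 1, and the finite positive input set standing in for the concrete inputs are all assumptions of the example.

```python
"""Sign-domain abstract interpretation: soundness, backward completeness and
'obscurity as incompleteness' (slide 22). Added example, not the talk's code;
the expression language, the domain encoding and the programs are assumptions."""
from itertools import product

# Abstract domain: subsets of {-1, 0, +1}. Order is set inclusion (smaller = more precise).
TOP = frozenset({-1, 0, 1})
BOT = frozenset()


def alpha(values):
    """Abstraction map: the set of signs occurring among the given integers."""
    return frozenset((v > 0) - (v < 0) for v in values)


def sign_add(a, b):
    out = set()
    for sa, sb in product(a, b):
        if sa == sb:
            out.add(sa)
        elif sa == 0 or sb == 0:
            out.add(sa or sb)
        else:
            out |= TOP          # opposite signs: the sum may have any sign
    return frozenset(out)


def sign_mul(a, b):
    return frozenset(sa * sb for sa, sb in product(a, b))


def sign_neg(a):
    return frozenset(-s for s in a)


# Expressions: ('var', 'x'), ('const', n), ('add'|'sub'|'mul', e1, e2)
def eval_concrete(expr, x):
    op = expr[0]
    if op == 'var':
        return x
    if op == 'const':
        return expr[1]
    l, r = eval_concrete(expr[1], x), eval_concrete(expr[2], x)
    return {'add': l + r, 'sub': l - r, 'mul': l * r}[op]


def eval_abstract(expr, x_sign):
    """[[P]]^rho: the expression interpreted operator by operator on signs.
    Non-relational, so it cannot see that two occurrences of x are equal."""
    op = expr[0]
    if op == 'var':
        return x_sign
    if op == 'const':
        return alpha({expr[1]})
    l, r = eval_abstract(expr[1], x_sign), eval_abstract(expr[2], x_sign)
    if op == 'add':
        return sign_add(l, r)
    if op == 'sub':
        return sign_add(l, sign_neg(r))
    return sign_mul(l, r)


SAMPLE = range(1, 101)   # constructed finite input set; its abstraction is {+1}


def soundness_gap(expr, inputs=SAMPLE):
    """Return (rho([[P]](inputs)), [[P]]^rho(alpha(inputs))).
    Soundness: first <= second. Backward completeness (slide 19): equality."""
    concrete = alpha({eval_concrete(expr, x) for x in inputs})
    abstract = eval_abstract(expr, alpha(inputs))
    return concrete, abstract


def is_sound(expr):
    conc, abst = soundness_gap(expr)
    return conc <= abst


def is_complete(expr):
    conc, abst = soundness_gap(expr)
    return conc == abst


def obfuscates(original, transformed, inputs=SAMPLE):
    """Slide 22: tau obfuscates P w.r.t. rho iff [[P]] = [[tau(P)]] concretely
    but [[P]]^rho is strictly more precise than [[tau(P)]]^rho."""
    same_semantics = all(eval_concrete(original, x) == eval_concrete(transformed, x)
                         for x in inputs)
    return same_semantics and eval_abstract(original, alpha(inputs)) < eval_abstract(transformed, alpha(inputs))


X = ('var', 'x')


def const(n):
    return ('const', n)


P = ('mul', X, X)                                               # x*x
TAU_P = ('sub', ('sub', ('mul', ('add', X, const(1)), ('add', X, const(1))),
                        ('mul', const(2), X)), const(1))        # (x+1)^2 - 2x - 1 == x*x

if __name__ == "__main__":
    print("P     :", soundness_gap(P), "complete:", is_complete(P))
    print("tau(P):", soundness_gap(TAU_P), "complete:", is_complete(TAU_P))
    print("tau obfuscates P for the sign analysis:", obfuscates(P, TAU_P))
```

For positive inputs the sign analysis of P is complete ({+} on both sides), while τ(P) computes the same function yet the analysis only returns ⊤: ρ(⟦τ(P)⟧) = {+} ⊏ ⟦τ(P)⟧ρ = ⊤, which is exactly the incompleteness the slide identifies with obscurity. The same functions also show plain incompleteness without any transformation: x − 1 is sound but not complete for the sign domain on the same inputs.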
