prevalence and impact of low entropy packing schemes in
play

Prevalence and Impact of Low-Entropy Packing Schemes in the Malware - PowerPoint PPT Presentation

Jan 29, 2024 •434 likes •686 views

Prevalence and Impact of Low-Entropy Packing Schemes in the Malware Ecosystem Alessandro Mantovani (EURECOM), Simone Aonzo (UniGe), Xabier Ugarte Pedrero (CISCO), Alessio Merlo (UniGe), Davide Balzarotti (EURECOM) 1 Packing 2 Scope / Packing

  1. Prevalence and Impact of Low-Entropy Packing Schemes in the Malware Ecosystem Alessandro Mantovani (EURECOM), Simone Aonzo (UniGe), Xabier Ugarte Pedrero (CISCO), Alessio Merlo (UniGe), Davide Balzarotti (EURECOM) 1

  2. Packing 2

  3. Scope / Packing Definition (Our definition of) packing implies ● Original code present, but NOT in an executable form (i.e., it is encrypted/compressed/encoded) ● Real code recovered at run-time We exclude from our study ● JIT compilers ● Droppers ● Emulators (Themida) ● Shellcode 3

  4. Packed or not packed: that is the question ● Fundamental in malware analysis ● Wrong classification ⇒ ○ costly and time-consuming dynamic analysis trying to unpack the sample ○ pollute the datasets used in many malware analysis studies ○ even worse, EVASION ● Our (false) friend: the entropy ○ compressed/encrypted data has high entropy levels Is it still a reliable metric? 4

  5. Our Agenda 1. The propagation of low-entropy packed samples 2. The adopted schemes 3. Current tools/approaches vs. low-entropy packed malware 5

  6. Dataset Do malware authors use low-entropy schemes to evade entropy checks? ● 50.000 Portable Executable files (excluding libraries and .Net applications) ● 2013 - 2019 ● Classified as malicious by more than 20 antivirus engines ● Entropy H < 7.0 ) 1 5 0 ( 2 e . m a s - t i g u n i n r B r o f , y o s x i t n t e S a m p l o t t i , c r o e a t h ○ entire file [1] a l z o f B y o , d r t u r e s e d n a l P d i e - u r t g i t g a n U l o A n : o c t i p e s i n e r k a c p p e e D ○ each section [2] e u l o d m n o t h P y ○ overlay data - - l e e f i p s b l e a u t e c x e P E o r r f z e l y n a a c a t i s t - e - y z a l n M a [1] Lyda and Hamrock. Using entropy analysis to find encrypted and packed malware (2007). 6 [2] Han and Lee. Packed PE file detection for malware forensics (2009).

  7. Packer Detector Two main purposes ● Build a ground truth ● Measure the low-entropy packed malware propagation in wild 7

  8. Packer Detector (1/5) PC ... Lists status 0x00001232 WL = [ ] xor eax, eax WXL = [ ] mov WORD PTR [0x2000], 0x9090 0x00001234 ... 0x00000000 0x00002000 0x00000000 0x00002004 ... 8

  9. Packer Detector (2/5) ... Lists status PC 0x00001232 WL = [ ] xor eax, eax WXL = [ ] mov WORD PTR [0x2000], 0x9090 0x00001234 ... 0x00000000 0x00002000 0x00000000 0x00002004 ... 9

  10. Packer Detector (3/5) ... Lists status 0x00001232 WL = [ xor eax, eax (0x1234,0x2000); (0x1234, 0x2001) mov WORD PTR [0x2000], 0x9090 PC 0x00001234 ] ... WXL = [ ] 0x00000000 0x00002000 0x00000000 0x00002004 ... Memory Write 10

  11. Packer Detector (4/5) ... Lists status 0x00001232 WL = [ xor eax, eax (0x1234,0x2000); (0x1234, 0x2001) mov WORD PTR [0x2000], 0x9090 0x00001234 ] ... WXL = [ ] PC 0x00009090 0x00002000 0x00000000 0x00002004 Not interesting instructions ... 11

  12. Packer Detector (5/5) ... Lists status 0x00001232 WL = [ xor eax, eax (0x1234,0x2000); (0x1234, 0x2001) mov WORD PTR [0x2000], 0x9090 0x00001234 ] ... WXL = [ (0x1234, 0x2000) ] 0x00009090 PC 0x00002000 0x00000000 0x00002004 ... 12

  13. Packer Detector - False Negatives ● False Negatives -- packed samples detected as not packed ○ unexpected crash ○ virtual environment detection ○ missing dependencies ○ incorrect command line arguments We discarded the samples that did not exhibit a sufficient runtime behavior ● ○ did not invoke at least 10 disk or network-related syscalls ○ samples whose executed instructions did not span at least five memory pages ● 50.000 - 3.705 = 46.295 13

  14. Hidden high-entropy data While packed with a high-entropy scheme, these samples are undetected by our set of filters PE header ● Packed data, but the data was Encrypted data ○ not stored in any of the section .text ○ nor in the overlay area Encrypted data ● 11.6% (5.386/46.295) .data ○ dominated by two families: hematite and hworld ● E.g., hematite ○ file infector ○ area created between the PE header and the first section 14

  15. Packer Detector - Results 31.5% (14.583/46.295) ⇒ entropy alone is a very poor metric to select packed samples Packed Not packed Hidden high- entropy data 15

  16. Schemes Taxonomy w.r.t. Entropy 1. Decreasing ○ Byte Padding ○ Encoding 2. Unchanged ○ Transposition ○ Monoalphabetic Substitution 3. Slightly Increasing ○ Polyalphabetic Substitution 16

  17. Scheme Classifier Relies on the output of Packer Detector ⇒ Written and eXecuted List [ WXL ] ● Every packing scheme needs to follow the same steps while unpacking ○ locate and access the source buffer that contains the packed data ○ perform operations on such data ○ write the unpacked data in the destination buffer ● We use PANDA to perform deterministic record and replay of a sample ○ ⟨ PCx , AWy ⟩ ∈ [ WXL ] ○ backward data-flow analysis to locate the source buffer ● Decision making based on the byte distribution of source and destination buffers 17

  18. Scheme Classifier - Results 18

  19. Case Study: Custom Encoding ( Emotet ) Two layers of packing ● The second layer uses a custom high-entropy encryption with an 8-bytes long key ● The first layer reduces the entropy from 7.63 to 6.57 ● Custom encoding + byte padding 19

  20. Signature and Rule-Based Packing Detection ● Detect It Easy (DIE) ○ signatures based on a scripting language ● PEiD ○ signatures only contain low-level byte patterns ● Manalyze ○ signatures ○ PE structure heuristics ■ unusual section names ■ sections WX ■ low number of imported functions ■ resources bigger than the file itself ■ sections with H > 7.0 20

  21. Signature and Rule-Based Packing Detection - Results ● DIE detects no well-known packer in our entire dataset ● PEiD and Manalyze generated a large number of false positives ○ detected the presence of packing more often in unpacked samples than in the packed group ● Manalyze alerts are based on sections names used by some off-the-shelf packers ○ why the malware authors used those names? ○ they could be fake clues used on purpose to deceive automated tools 21

  22. ML Packing Detection ● 15 approaches deal with this problem (SOTA) ● Several features categories ○ PE structure, heuristics, opcodes, n-grams, statistics, entropy ● Features vector ( W ): union of all features from previous studies ̃ ) ! ○ A separate features vector excluding the entropy ( W ● The most popular classifiers: SVM, RF, MLP ● Dataset: low entropy packed + not packed (~40K) 22

  23. ML Packing Detection - Results Considering H Not Considering H NO classifier was able to identify accurately low-entropy packed malware! 23

  24. Conclusions ● Low-entropy packing schemes are a real and widespread problem ● Existing static analysis techniques are unsuccessful against them Entropy ❌ ○ Signature and Rule-Based ❌ ○ Machine Learning ❌ ○ ● There is need for new solutions ● Low-entropy packing schemes must be considered in future experiments -- Thank you for your attention -- 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Prevalence and Impact of Low-Entropy Packing Schemes in the Malware Ecosystem Alessandro

Prevalence and Impact of Low-Entropy Packing Schemes in the Malware Ecosystem Alessandro

Prevalence and Impact of Low-Entropy Packing Schemes in the Malware Ecosystem Alessandro Mantovani (EURECOM), Simone Aonzo (UniGe), Xabier Ugarte Pedrero (CISCO), Alessio Merlo (UniGe), Davide Balzarotti (EURECOM) 1 Packing 2 Scope / Packing

256 views • 23 slides
- - packing p a - packing algo- packing cking rithms algo- a l g o - theorems rithms

- - packing p a - packing algo- packing cking rithms algo- a l g o - theorems rithms

algorithmic composition dForm + IM WS2010 Inst. f. Arch. a. Media packing algorithms packing algorithms packing algorithms p a c k i n g packing algorithms packing algorithms algorithms packing packing algorithm 1 algorithms - -

39 views • 3 slides
Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of

Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of

Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of a discrete random variable. Properties: H(x) &gt;= 0 Entropy Entropy Lesser the probability for an event, larger the entropy.

471 views • 21 slides
ROP Gadget Prevalence and Survival under Compiler-based Binary Diversification Schemes Joel

ROP Gadget Prevalence and Survival under Compiler-based Binary Diversification Schemes Joel

Background Evaluation Conclusion ROP Gadget Prevalence and Survival under Compiler-based Binary Diversification Schemes Joel Coffman Daniel M. Kelly Christopher C. Wellons Andrew S. Gearhart Johns Hopkins University Applied Physics

1.28k views • 45 slides
Entropy stable schemes for hyperbolic conservation laws Praveen Chandrashekar

Entropy stable schemes for hyperbolic conservation laws Praveen Chandrashekar

Entropy stable schemes for hyperbolic conservation laws Praveen Chandrashekar praveen@math.tifrbng.res.in Center for Applicable Mathematics Tata Institute of Fundamental Research Bangalore-560065, India http://cpraveen.github.io GIAN Course

1.25k views • 111 slides
KE and entropy stable schemes for compressible flows Praveen. C praveen@math.tifrbng.res.in

KE and entropy stable schemes for compressible flows Praveen. C praveen@math.tifrbng.res.in

KE and entropy stable schemes for compressible flows Praveen. C praveen@math.tifrbng.res.in Tata Institute of Fundamental Research Center for Applicable Mathematics Bangalore 560065 http://math.tifrbng.res.in/ praveen Indo-German Conference

520 views • 39 slides
Entropy and The Second Law of Thermodynamics Entropy (S)

Entropy and The Second Law of Thermodynamics Entropy (S)

Entropy and The Second Law of Thermodynamics Entropy (S) Entropy is o8en related to disorder but not strictly correct Entropy is a measure

351 views • 8 slides
Formal Modeling in Cognitive Science Lecture 25: Entropy, Joint Entropy, Conditional Entropy 1

Formal Modeling in Cognitive Science Lecture 25: Entropy, Joint Entropy, Conditional Entropy 1

Entropy Entropy Formal Modeling in Cognitive Science Lecture 25: Entropy, Joint Entropy, Conditional Entropy 1 Entropy Entropy and Information Joint Entropy Frank Keller Conditional Entropy School of Informatics University of Edinburgh

81 views • 4 slides
Entropy stable schemes for compressible flows on unstructured meshes Deep Ray Tata Institute of

Entropy stable schemes for compressible flows on unstructured meshes Deep Ray Tata Institute of

Entropy stable schemes for compressible flows on unstructured meshes Deep Ray Tata Institute of Fundamental Research Center for Applicable Mathematics Bangalore deep@math.tifrbng.res.in http://math.tifrbng.res.in/deep SCPDE-2014, Hong Kong

690 views • 52 slides
Screening, Prevalence, and the Impact on Kindergarten Readiness Elizabeth Anthony, PhD, Stephen

Screening, Prevalence, and the Impact on Kindergarten Readiness Elizabeth Anthony, PhD, Stephen

Early Childhood Lead Exposure in Cuyahoga County: Screening, Prevalence, and the Impact on Kindergarten Readiness Elizabeth Anthony, PhD, Stephen Steh, MA, Meghan Salas Atwell, PhD, and Rob Fischer, PhD Center on Urban Poverty and Community

379 views • 22 slides
Entropy Coding Definition of Entropy Three Entropy coding techniques: (taken from the

Entropy Coding Definition of Entropy Three Entropy coding techniques: (taken from the

Outline Entropy Coding Definition of Entropy Three Entropy coding techniques: (taken from the Technion) Huffman coding Arithmetic coding Lempel-Ziv coding 2 Entropy Definitions Alphabet : A finite set containing at least

402 views • 10 slides
Disclosures I have nothing to disclose New ALS diagnostics and Treatment Prevalence and Impact

Disclosures I have nothing to disclose New ALS diagnostics and Treatment Prevalence and Impact

2/13/2020 Disclosures I have nothing to disclose New ALS diagnostics and Treatment Prevalence and Impact on Patients and Caregivers Catherine Lomen-Hoerth, MD, PhD Professor of Clinical Neurology, UCSF Recent Advances in Neurology 2020 1 2

256 views • 8 slides
Packing patterns in restricted permutations Lara Pudwell faculty.valpo.edu/lpudwell Rutgers

Packing patterns in restricted permutations Lara Pudwell faculty.valpo.edu/lpudwell Rutgers

Introduction Packing with Classical Restrictions Packing in Alternating Permutations Wrapping up Packing patterns in restricted permutations Lara Pudwell faculty.valpo.edu/lpudwell Rutgers Experimental Math Seminar March 5, 2020 Packing

986 views • 79 slides
Atlas Refinement with Bounded Packing Efficiency Presented by Jerry Yin Packing efficiency

Atlas Refinement with Bounded Packing Efficiency Presented by Jerry Yin Packing efficiency

ACM Transactions on Graphics 2019 Hao-Yu Liu, Xiao-Ming Fu, Chunyang Ye, Shuangming Chai, Ligang Liu Atlas Refinement with Bounded Packing Efficiency Presented by Jerry Yin Packing efficiency Store high-frequency information in

388 views • 14 slides
Impact of Minihalos on Cosmic Reionization and Numerical Schemes behind It Kyungjin Ahn Chosun

Impact of Minihalos on Cosmic Reionization and Numerical Schemes behind It Kyungjin Ahn Chosun

Impact of Minihalos on Cosmic Reionization and Numerical Schemes behind It Kyungjin Ahn Chosun University Cosmic Radiative Transfer Comparison Project IV, Austin Dec 2012 w/ Paul Shapiro, Ilian Iliev, Garrelt Mellema, Ue-Li Pen, Yi Mao, Jun

442 views • 25 slides
Road detection via entropy By Anna Zaidman 1 1 What is entropy? Entropy is a mathematically

Road detection via entropy By Anna Zaidman 1 1 What is entropy? Entropy is a mathematically

Road detection via entropy By Anna Zaidman 1 1 What is entropy? Entropy is a mathematically - defined thermodynamic quantity that helps to account for the flow of energy through a thermodynamic process. 2 What is

467 views • 13 slides
New Kid on the Web: A Study on the Prevalence of WebAssembly in the Wild Marius Musch TU

New Kid on the Web: A Study on the Prevalence of WebAssembly in the Wild Marius Musch TU

New Kid on the Web: A Study on the Prevalence of WebAssembly in the Wild Marius Musch TU Braunschweig Together with Christian Wressnegger, Martin Johns, and Konrad Rieck The native Web Previous attempts at native performance Adobes

783 views • 18 slides
The Prevalence of COLA Adjustments in Public Sector Retirement Plans SIEPR Working Longer

The Prevalence of COLA Adjustments in Public Sector Retirement Plans SIEPR Working Longer

The Prevalence of COLA Adjustments in Public Sector Retirement Plans SIEPR Working Longer Conference October 2020 Maria D. Fitzpatrick, Cornell University &amp; NBER Gopi Shah Goda, Stanford University &amp; NBER Motivation Approx. 14% of

385 views • 20 slides
Transforming Health Benefits for First Nations in BC September 10, 2019 www.fnha.ca Opening

Transforming Health Benefits for First Nations in BC September 10, 2019 www.fnha.ca Opening

Transforming Health Benefits for First Nations in BC September 10, 2019 www.fnha.ca Opening Prayer &amp; Acknowledgements 2 www.fnha.ca Presenter Disclosure The following presenters have no current or past relationships with commercial

1.07k views • 49 slides
DEPARTMENTAL QUALITY IMPROVEMENT MEETING August 22, 2017 Mod 1 2.0 Page 1 T EAM STEPPS 05.2

DEPARTMENTAL QUALITY IMPROVEMENT MEETING August 22, 2017 Mod 1 2.0 Page 1 T EAM STEPPS 05.2

Introduction DEPARTMENTAL QUALITY IMPROVEMENT MEETING August 22, 2017 Mod 1 2.0 Page 1 T EAM STEPPS 05.2 Introduction DEPARTMENT ACUTE CARE PDSA: Hourly Rounding Aim: Beat our record of 50 days without a patient fall; Reduce call bell

819 views • 32 slides
Discrimination at the Extensive and Intensive Margin Utteeyo Dasgupta, Wagner College Subha

Discrimination at the Extensive and Intensive Margin Utteeyo Dasgupta, Wagner College Subha

Discrimination at the Extensive and Intensive Margin Utteeyo Dasgupta, Wagner College Subha Mani, Fordham University &amp; IZA Joseph Vecci, University of Gothenburg Tomas Zelinsky, Technical University of Kosice NCDE JUNE 2018

409 views • 20 slides
Current FC mCHP Prevalence and Customer Perce cepti tions George Carew-Jones Element Energy

Current FC mCHP Prevalence and Customer Perce cepti tions George Carew-Jones Element Energy

Current FC mCHP Prevalence and Customer Perce cepti tions George Carew-Jones Element Energy PACE project has received funding from the Fuel Cells and Hydrogen 2 Joint Undertaking under grant agreement No 700339. This Joint Undertaking

547 views • 15 slides
Objectives Discuss how to calculate basic infection rates Describe how this information is

Objectives Discuss how to calculate basic infection rates Describe how this information is

Infection Prevention Boot Camp I for the Novice January 16 17, 2020 Infection Preventionist Infection Prevention Data Submission and Analysis Linda R. Greene, RN, MPS,CIC,FAPIC Manager, Infection Prevention UR Highland Hospital Rochester,

425 views • 16 slides
I have no conflicts of interest to disclose Occupations and obesity? Objec Objectiv ives es

I have no conflicts of interest to disclose Occupations and obesity? Objec Objectiv ives es

2/27/2017 The Skinny on Work: obesity on the job Julia Buss I have no conflicts of interest to disclose Occupations and obesity? Objec Objectiv ives es Obesity on the job Identify the occupations with highest prevalence of obesity

441 views • 11 slides

More recommend