usa 2012
play

USA 2012 Scientific but Not Academical Overview of Malware - PowerPoint PPT Presentation

Feb 14, 2023 •246 likes •757 views

USA 2012 Scientific but Not Academical Overview of Malware Anti-Debugging, Anti-Disassembly and Anti-VM Technologies Rodrigo Rubira Branco (@BSDaemon) Rodrigo Rubira Branco (@BSDaemon) Gabriel Negreira Barbosa (@gabrielnb) Gabriel Negr eira

  1. USA 2012 Scientific but Not Academical Overview of Malware Anti-Debugging, Anti-Disassembly and Anti-VM Technologies Rodrigo Rubira Branco (@BSDaemon) Rodrigo Rubira Branco (@BSDaemon) Gabriel Negreira Barbosa (@gabrielnb) Gabriel Negr eira Barbosa (@gabrielnb) Pedr Pedro Drimel Neto (@pdrimel) o Drimel Neto (@pdrimel)

  2. Were we live… 2 � BLACK HAT USA 2012

  3. Nah, we live actually here… BLACK HAT USA 2012

  4. São Paulo BLACK HAT USA 2012

  5. Agenda l Introduction / Motivation l Objectives l Methodology l Dissect || PE Project l Executive Summary l Techniques l Resources l Conclusions 5 � BLACK HAT USA 2012

  6. Introduc)on ¡/ ¡Mo)va)on ¡ l Hundreds of thousands of new samples every week l Still, automation is about single tasks or single analysis l Presentations still pointing tens of thousands in tests (what about the millions of samples?) l Companies promote research which uses words such as ‘many’ instead of X number BLACK HAT USA 2012

  7. Before ¡con)nue, ¡some ¡defini)ons ¡... ¡ l Anti-Debugging Techniques to compromise debuggers and/or the debugging process l l Anti-Disassembly Techniques to compromise disassemblers and/or the disassembling process l l Obfuscation Techniques to make the signatures creation more difficult and the disassembled l code harder to be analyzed by a professional l Anti-VM: Techniques to detect and/or compromise virtual machines l BLACK HAT USA 2012

  8. Objec)ves ¡ l Analyze millions of malware samples l Share the current results related to: Anti-Debugging l Anti-Disassembly l Obfuscation l Anti-VM l l Keep sharing more and better results in our portal (www.dissect.pe): New malware samples are always being analyzed l Detection algorithms are constantly being improved l The system does not analyze only anti-RE things l BLACK HAT USA 2012

  9. Dissect ¡|| ¡PE ¡Project ¡ l Scalable and flexible automated malware analysis system l Receives malware from trusted partners l Portal available for partners, researchers and general media with analysis data BLACK HAT USA 2012

  10. Dissect ¡|| ¡PE ¡– ¡Overview ¡ l Free research malware analysis system for the community Open architecture l Works with plugins l l 10 dedicated machines distributed in 3 sites: 2 sites in Brazil (São Paulo and Bauru cities) l 1 site in Germany l l Some numbers: Receives more than 150 GB of malwares per day l More than 30 million unique samples l BLACK HAT USA 2012

  11. Dissect ¡|| ¡PE ¡– ¡Partners ¡ BLACK HAT USA 2012

  12. Dissect ¡|| ¡PE ¡– ¡Backend ¡ l Each backend downloads samples scheduled for analysis (our scheduler algorithms are documented in a IEEE Malware2011 paper) l Analyze samples Both static and dynamic analysis currently supported l l Analysis results accessible from the portal Sync'ed back from the backend l l Some characteristics: Plugins l Network traffic l Unpacked version of the malware l BLACK HAT USA 2012

  13. Dissect ¡|| ¡PE ¡– ¡Plugins ¡ l Samples are analyzed by independent applications named “plugins” l Easy to add and/or remove plugins Just a matter of copy and remove their files l l Language independent l Easy to write new plugins: Needed information come as arguments l - We usually create handlers so the researcher does not need to change his actual code Simply print the result to stdout l - The backend takes care of parsing it accordingly BLACK HAT USA 2012

  14. Dissect ¡|| ¡PE ¡– ¡Plugin ¡Examples ¡ l Python print “My plugin result.” l C #include <stdio.h> int main(int argc, char **argv) { printf(“My plugin result.\n”); return 1; } BLACK HAT USA 2012

  15. Dissect ¡|| ¡PE ¡– ¡Plugin ¡Types ¡ l Static: Usually executed outside of the VM (we already have an exception for the l unpacking plugin) Failsafe: errors do not compromise the system l Might get executed in one of two different situations depending on where we l copied the plugin: - Before the malware is executed - After the malware was executed l Dynamic: Executed inside a Windows system (for now the only supported OS, soon others) l BLACK HAT USA 2012

  16. Dissect ¡|| ¡PE ¡– ¡Network ¡Traffic ¡ l During dynamic analysis all the network traffic is captured l Pcap available at the portal l Dissectors: Analyze the pcap and print the contents in a user-friendly way l Supporting IRC, P2P, HTTP, DNS and other protocols l SSL inspection (pre-loaded keys) l BLACK HAT USA 2012

  17. Methodology ¡ l Used a total of 72 cores and 100 GB of memory l Analyzed only 32-bit PE samples l Packed samples: Different samples using the same packer were counted as 1 unique l sample - So, each sample was analyzed once Analyzed all packers present among the 4 million samples l l Unpacked samples: Avoided samples bigger than 3,9 MB for performance reasons (with some l exceptions such as the Flame Malware) BLACK HAT USA 2012

  18. Methodology ¡ l Static analysis: Main focus of this presentation l Improves the throughput (with well-written code) l Not detectable by malwares l l Dynamic counter-part: It is not viable to statically detect everything l Already developed and deployed, but is not covered by this presentation l - The related results can be found at https://www.dissect.pe BLACK HAT USA 2012

  19. Methodology ¡ l Malware protection techniques in this work: State-of-the-art papers/journals l Malwares in the wild l Some techniques we documented are not yet covered by our system: l - The system is constantly being updated All techniques were implemented even when there were no public examples of it l (github) l Our testbed comprises 883 samples to: Detect bugs l Performance measurement l Technique coverage l BLACK HAT USA 2012

  20. Methodology ¡ l Possible techniques detection results: Detected: l - Current detection algorithms detected the malware protection technique Not detected: l - Current detection algorithms did not detect the malware protection technique Evidence detected: l - Current detection algorithms could not deterministically detect the protection technique, but some evidences were found BLACK HAT USA 2012

  21. Methodology ¡ l Analysis rely on executable sections and in the entrypoint one Decreases the probability to analyze data as code l Improves even more the analysis time l For now we miss non-executable areas, even if they are referred by analyzed l sections (future work will cover this) l Disassembly-related analysis framework: Facilitates the development of disassembly analysis code l Speeds up the disassembly process for plugins l Calls-back the plugins for specific instruction types l Disassembly once, analyze all l Care must be taken to avoid disassembly attacks l BLACK HAT USA 2012

  22. Execu)ve ¡Summary ¡ BLACK HAT USA 2012

  23. Packed ¡vs ¡Not ¡Packed ¡ BLACK HAT USA 2012

  24. Top ¡Packers ¡ BLACK HAT USA 2012

  25. Malware ¡Targe)ng ¡Brazilian ¡Banks ¡ BLACK HAT USA 2012

  26. Protec)ng ¡Mechanisms ¡of ¡Packers ¡ Paper (yes, we wrote one...) BLACK HAT USA 2012

  27. Protected ¡Samples ¡ BLACK HAT USA 2012

  28. An)-­‑RE ¡Categories ¡ BLACK HAT USA 2012

  29. An)-­‑Disassembly ¡ BLACK HAT USA 2012

  30. An)-­‑Debugging ¡ BLACK HAT USA 2012

  31. Obfusca)on ¡ BLACK HAT USA 2012

  32. An)-­‑VM ¡ BLACK HAT USA 2012

  33. An)-­‑Debugging ¡Techniques ¡ l Studied and documented 33 techniques l Currently scanning samples for 30 techniques Detected: Marked in green l Evidence: Marked in yellow l Not covered: Marked in black l BLACK HAT USA 2012

  34. An)-­‑Debugging ¡Techniques ¡ PEB NtGlobalFlag (Section 3.1) l IsDebuggerPresent (Section 3.2) l CheckRemoteDebuggerPresent (Section 3.3) l Heap flags (Section 3.4) l NtQueryInformationProcess – ProcessDebugPort (Section 3.5) l Debug Objects – ProcessDebugObjectHandle Class (Section 3.6) l Debug Objects – ProcessDebugFlags Class [1] (Section 3.7) l NtQuerySystemInformation – SystemKernelDebuggerInformation (Section 3.8) l OpenProcess – SeDebugPrivilege (Section 3.9) l Alternative Desktop (Section 3.10) l BLACK HAT USA 2012

  35. An)-­‑Debugging ¡Techniques ¡ Self-Debugging (Section 3.11) l RtlQueryProcessDebugInformation (Section 3.12) l Hardware Breakpoints (Section 3.13) l OutputDebugString (Section 3.14) l BlockInput (Section 3.15) l Parent Process (Section 3.16) l Device Names (Section 3.17) l OllyDbg – OutputDebugString (Section 3.18) l FindWindow (Section 3.19) l SuspendThread (Section 3.20) l BLACK HAT USA 2012

  36. An)-­‑Debugging ¡Techniques ¡ SoftICE – Interrupt 1 (Section 3.21) l SS register (Section 3.22) l UnhandledExceptionFilter (Section 3.23) l Guard Pages (Section 3.24) l Execution Timing (Section 3.25) l Software Breakpoint Detection (Section 3.26) l Thread Hiding (Section 3.27) l NtSetDebugFilterState (Section 3.28) l Instruction Counting (Section 3.29) l Header Entrypoint (Section 3.30) l Self-Execution (Section 3.31) l BLACK HAT USA 2012

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

02 11 2012 1 02 11 2012 ** * *** *** *** ** * * ** ** ** * * * 2 02

02 11 2012 1 02 11 2012 ** * *** *** *** ** * * ** ** ** * * * 2 02

02 11 2012 1 02 11 2012 ** * *** *** *** ** * * ** ** ** * * * 2 02 11 2012 Source: Wijewantha (1964); Fox (1977); Basuki (1981); Peries &amp; Liyanage (1983) 3 02 11 2012 Source: Situmorang,

381 views • 13 slides
12/12/2012 1 12/12/2012 2 12/12/2012 Whole grain consumption is also related to other health

12/12/2012 1 12/12/2012 2 12/12/2012 Whole grain consumption is also related to other health

12/12/2012 1 12/12/2012 2 12/12/2012 Whole grain consumption is also related to other health effects (besides those mentioned in this slide) e.g. laxation, gut functioning and other types of cancer. This presentation will focus on healthy

696 views • 30 slides
2012 2012 NAISN W Worksho hop April 22, 22, 2012 2012 Cancun, M , Mex exico CIPM Mission

2012 2012 NAISN W Worksho hop April 22, 22, 2012 2012 Cancun, M , Mex exico CIPM Mission

CENTER FOR I NVASI VE PLANT MANAGEMENT Liz Galli-Noble, CI PM Director 2012 2012 NAISN W Worksho hop April 22, 22, 2012 2012 Cancun, M , Mex exico CIPM Mission To promote ecologically sound management of invasive plants in western North

600 views • 18 slides
Egyptian Civilization 1 2/21/2012 2 2/21/2012 Greeks Romans Persians Egyptians

Egyptian Civilization 1 2/21/2012 2 2/21/2012 Greeks Romans Persians Egyptians

2/21/2012 How Natural Forces Affected Egyptian Civilization 1 2/21/2012 2 2/21/2012 Greeks Romans Persians Egyptians Mesopotamians 3 2/21/2012 Pyramids(118) of Egypt Acropolis, Athens Persepolis, Iran 4 2/21/2012 The roots of

1.05k views • 59 slides
(1) Adjudication! 3 October 2012 (2) Estidama! 4 October 2012 2 October 2012 (3) The

(1) Adjudication! 3 October 2012 (2) Estidama! 4 October 2012 2 October 2012 (3) The

October 2012 Can Adjudication assist Abu Dhabi in achieving its Sustainability (Estidama) goals for the construction industry? Presentation by: Paul Straker FCInstCES, FRICS, FICE, MCIArb October 2012 1 October 2012 Credit to Others

492 views • 36 slides
New Britain Palm Oil Ltd 2012 New Britain Palm Oil Ltd 2012 New Britain Palm Oil Ltd 2012

New Britain Palm Oil Ltd 2012 New Britain Palm Oil Ltd 2012 New Britain Palm Oil Ltd 2012

New Britain Palm Oil Ltd 2012 New Britain Palm Oil Ltd 2012 New Britain Palm Oil Ltd 2012 February 2012 Preliminary Results 2011 1 Recently upgraded facilities on New Britain 2 Introduction New Britain Palm Oil Ltd 2012 Record

686 views • 44 slides
H1 2012 Results Main results Key figures H1 2012 H1 2011 Q2 2012 Q1 2012 Q2 2011 Q1 2011

H1 2012 Results Main results Key figures H1 2012 H1 2011 Q2 2012 Q1 2012 Q2 2011 Q1 2011

Reykjavk, 30 August 2012 H1 2012 Results Main results Key figures H1 2012 H1 2011 Q2 2012 Q1 2012 Q2 2011 Q1 2011 2011 2010 Net interest income 18,573 16,849 10,020 8,553 9,704 7,145 32,649 24,685 Profit after taxes 11,877

419 views • 17 slides
Timeline May 7, 2012 Reviewed Scenarios A and B May 14, 15 &amp; 16, 2012 Held

Timeline May 7, 2012 Reviewed Scenarios A and B May 14, 15 &amp; 16, 2012 Held

10/18/2012 August 15, 2011 Began discussion of the California Voting Rights Act and its impacts on RUSD February 6, 2012 Board of Education adopted legal and local preference demographical criteria to be used in

324 views • 8 slides
2012 Results and Strategy Review 2012 Results - Review Ken Hanna Chairman 3 2012 Results -

2012 Results and Strategy Review 2012 Results - Review Ken Hanna Chairman 3 2012 Results -

2012 Results and Strategy Review 2012 Results - Review Ken Hanna Chairman 3 2012 Results - Review Angus Cockburn Chief Financial Officer 4 2012 Results Pre-Exceptional 2011 2012 Movement m m As reported Underlying Revenue 1,583

442 views • 21 slides
Henkel Q3 2012 Kasper Rorsted Carsten Knobel London Nov 16, 2012 1 November 16, 2012 Q3

Henkel Q3 2012 Kasper Rorsted Carsten Knobel London Nov 16, 2012 1 November 16, 2012 Q3

Henkel Q3 2012 Kasper Rorsted Carsten Knobel London Nov 16, 2012 1 November 16, 2012 Q3 2012 Henkel Analyst &amp; Investor Meeting Disclaimer This information contains forward-looking statements which are based on current estimates

932 views • 33 slides
2012 H1 Performance 2012 H1 Performance l Benot Potier l Chairman and CEO Paris, July 30, 2012

2012 H1 Performance 2012 H1 Performance l Benot Potier l Chairman and CEO Paris, July 30, 2012

2012 H1 Performance 2012 H1 Performance l Benot Potier l Chairman and CEO Paris, July 30, 2012 l Fabienne Lecorvaisier l Chief Financial Officer 2012 H1 Performance Paris, July 30, 2012 Soft growth in Q2 Performance preserved Strong cash

811 views • 52 slides
2012 ELD Standards: Challenges and Promises in Implementation WIDA 2012 ELD Debut Event August

2012 ELD Standards: Challenges and Promises in Implementation WIDA 2012 ELD Debut Event August

10/15/2012 2012 ELD Standards: Challenges and Promises in Implementation WIDA 2012 ELD Debut Event August 9, 2012 | Madison, WI September 20, 2012 | Denver, CO Diep Nguyen, Ph.D. NorthEastern Illinois University n-nguyen8@neiu.edu

555 views • 14 slides
2012 Interim Results 2012 Interim Results Ken Hanna Chairman 2012 Interim Results Financial

2012 Interim Results 2012 Interim Results Ken Hanna Chairman 2012 Interim Results Financial

2012 Interim Results 2012 Interim Results Ken Hanna Chairman 2012 Interim Results Financial Review Angus Cockburn Finance Director 2012 Interim Results 2012 2011 Movement m m As reported Underlying Revenue 734 637 15% 16%

400 views • 23 slides
Cambridge, MA, 3. - 5. 11. 2012 Amsterdam, 6. 7. 10. 2012 Standard therapy with Biological

Cambridge, MA, 3. - 5. 11. 2012 Amsterdam, 6. 7. 10. 2012 Standard therapy with Biological

iGEM 2012 iGEM 2012 Cambridge, MA, 3. - 5. 11. 2012 Amsterdam, 6. 7. 10. 2012 Standard therapy with Biological drugs Advantages Specific Safe OUR SURVEY OF HEPATITIS C PATIENTS Effective None 12% Drawbacks Strong 37%

823 views • 42 slides
Third quarter 2012 results 2012 results 7 November 2012 1 Disclaimer Figures included in this

Third quarter 2012 results 2012 results 7 November 2012 1 Disclaimer Figures included in this

Third quarter 2012 results 2012 results 7 November 2012 1 Disclaimer Figures included in this presentation are unaudited. On 18 April 2012, BNP Paribas issued a restatement of its quarterly results for 2011 reflecting, in particular, an

1.23k views • 73 slides
Second quarter 2012 results 2012 results 2 August 2012 1 Disclaimer Figures included in this

Second quarter 2012 results 2012 results 2 August 2012 1 Disclaimer Figures included in this

Second quarter 2012 results 2012 results 2 August 2012 1 Disclaimer Figures included in this presentation are unaudited. On 18 April 2012, BNP Paribas issued a restatement of its quarterly results for 2011 reflecting, in particular, an

935 views • 77 slides
MCY 66 MCY 70 MCY 76 A TRIBUTE TO LIGHT July 6th - Trieste, Italy VISION IS DIRECTION:

MCY 66 MCY 70 MCY 76 A TRIBUTE TO LIGHT July 6th - Trieste, Italy VISION IS DIRECTION:

MCY 66 MCY 70 MCY 76 A TRIBUTE TO LIGHT July 6th - Trieste, Italy VISION IS DIRECTION: Innovation alongside continuity is how we intend to keep evolving Monte Carlo Yachts' Collection. A VISION THAT VALUES THE UNIQUE RELATIONSHIP BETWEEN

219 views • 9 slides
Young Womens and Young Mens Leadership Academies in GPISD Mission of YWLA and YMLA The

Young Womens and Young Mens Leadership Academies in GPISD Mission of YWLA and YMLA The

Young Womens and Young Mens Leadership Academies in GPISD Mission of YWLA and YMLA The YWLA and YMLA offer 6th-8th grade girls and boys a dynamic learning experience that encourages critical thinking, inspires confidence and nurtures the

421 views • 16 slides
I dentification of protected corals Project: DOC0 9 3 0 5 / I NT2 0 0 8 -0 2 Di Tracey Corals

I dentification of protected corals Project: DOC0 9 3 0 5 / I NT2 0 0 8 -0 2 Di Tracey Corals

I dentification of protected corals Project: DOC0 9 3 0 5 / I NT2 0 0 8 -0 2 Di Tracey Corals - Cnidaria Shallow warm water corals of Kermadec Islands &amp; Great Barrier Reef Deepsea corals in NZ region Corals - Cnidaria

861 views • 37 slides
Background Background Background Background In terms of section 9 of the B-BBEE Act, the

Background Background Background Background In terms of section 9 of the B-BBEE Act, the

10/11/2018 Presentation to the B Presentation to the B Presentation to the B Presentation to the B- - - -BBEE BBEE BBEE BBEE Codes of Good Practice Codes of Good Practice Codes of Good Practice Codes of Good Practice 10 October 2018

206 views • 17 slides
SFUSD, #YesWeCode, and Computer Science/Blended Learning Opportunities Matt Haney 2 San

SFUSD, #YesWeCode, and Computer Science/Blended Learning Opportunities Matt Haney 2 San

SFUSD, #YesWeCode, and Computer Science/Blended Learning Opportunities Matt Haney 2 San Francisco City is booming, and key challenges must be 2 addressed for all residents to thrive Challenges Positive economic trends 4.0% job growth

382 views • 19 slides
The Flag Known as Big Red All of the evidence presented in this report is sourced, proven fact.

The Flag Known as Big Red All of the evidence presented in this report is sourced, proven fact.

The Flag Known as Big Red All of the evidence presented in this report is sourced, proven fact. The issues: 1. Is the Big Red flag in question the same flag that posted on Morris Island on 9 Jan 1861? 2. What is the link between Cpl Bakers

515 views • 22 slides
Santa Monica Santa Monica Housing Authority Housing Authority Code for America Community

Santa Monica Santa Monica Housing Authority Housing Authority Code for America Community

Santa Monica Santa Monica Housing Authority Housing Authority Code for America Community Fellowship June - November 2019 2 TEAM TEAM Marie-Aime Brajeux - Project Manager Maile Malin - UX Designer Barbara Collins -

418 views • 40 slides
PERSI Comm Commitment Code Blue Communication Comp Competenc nce Kelly Cross and Mike

PERSI Comm Commitment Code Blue Communication Comp Competenc nce Kelly Cross and Mike

PERSI Comm Commitment Code Blue Communication Comp Competenc nce Kelly Cross and Mike Hampton Idaho PERSI Character Character NCPERS 2016 Public Safety P&amp;B Conference October 24, 2016 PERSI PERSI About Idaho PERSI $15 Billion DB

566 views • 7 slides

More recommend