Windows API Call Sequences Sanchit Gupta, Sarvjeet Kaur and Harshit - - PowerPoint PPT Presentation



SLIDE 1

Malware Characterization using Windows API Call Sequences

Sanchit Gupta, Sarvjeet Kaur and Harshit Sharma

SPACE - 2016

Scientific Analysis Group DRDO

Metcalfe House, Delhi – 110054

SLIDE 2

AIM

  • Extraction of run-time behaviour of Malware by monitoring system calls
  • Categorize unknown Malware

SCOPE

Operating System : Windows OS
Category of Malware : Five Classes

  • 1. Worm
  • 2. Trojan-Downloader
  • 3. Trojan-Spy
  • 4. Trojan-Dropper
  • 5. Backdoor

SPACE-2016 : Malware Characterization using Windows API Call Sequences

SLIDE 3

Application Execution in Windows OS (diagram)

User Level:   USER APPLICATION -> Windows-API (Kernel32.dll, Advapi32.dll & other Windows DLL) -> Native API (Ntdll.dll)
Kernel Level: Kernel API -> Operating System -> HARDWARE

SLIDE 4

Application Execution in Windows OS (same diagram, with MALWARE in the place of the user application)

User Level:   MALWARE -> Windows-API (Kernel32.dll, Advapi32.dll & other Windows DLL) -> Native API (Ntdll.dll)
Kernel Level: Kernel API -> Operating System -> HARDWARE

SLIDE 5

Application Execution in Windows OS: Create a File (diagram)

User Level:   CreateFile(..) (Kernel32.dll) -> NtCreateFile() (ntdll.dll)
Kernel Level: NtCreateFile (SSDT) -> IRP_MJ_Write Driver -> DISK Write

SLIDE 6

Application Execution in Windows OS: Create a File (same diagram as slide 5, with the hard disk shown and three annotations)

User Level:   CreateFile(..) (Kernel32.dll) -> NtCreateFile() (ntdll.dll)
Kernel Level: NtCreateFile (SSDT) -> IRP_MJ_Write Driver -> HARD DISK

Annotations:
  • Well Documented
  • Version Independent
  • Many Hooking Libraries

SLIDE 7

Some Malicious Win-API Patterns

Malicious Activity : API Pattern

Key Logger : (FindWindowA, ShowWindow, GetAsyncKeyState) (SetWindowsHookEx, RegisterHotKey, GetMessage, UnhookWindowsHookEx)
Screen Capture : (GetDC, GetWindowDC), CreateCompatibleDC, CreateCompatibleBitmap, SelectObject, BitBlt, WriteFile
Antidebugging : (IsDebuggerPresent, CheckRemoteDebuggerPresent, OutputDebugStringA, OutputDebugStringW)
Downloader : URLDownloadToFile, (WinExec, ShellExecute)
DLL Injection : OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread
Dropper : FindResource, LoadResource, SizeOfResource

For each Malicious Activity:

  • 1. Identification of such Win-API Call sequences
  • 2. Extraction of the same
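As an added example for slide 7 and the category mapping of slides 8 to 11 (written for this page, not taken from the authors' APP-MON tool): a small detector that reports which of the slide-7 call patterns occur, in order, in a Win-API call trace, translates the trace into the slide-9 category-letter sequence, and counts exact n-grams over it as AntConc does on slide 11. The trace and the subset of the 534-entry category table are constructed; PATTERNS covers five of the slide-7 rows.

```python
from collections import Counter

# Slide-7 call patterns as ordered sequences; a tuple lists alternative calls for one step.
PATTERNS = {
    "Key Logger (a)": ["FindWindowA", "ShowWindow", "GetAsyncKeyState"],
    "Key Logger (b)": ["SetWindowsHookEx", "RegisterHotKey", "GetMessage", "UnhookWindowsHookEx"],
    "Downloader": ["URLDownloadToFile", ("WinExec", "ShellExecute")],
    "DLL Injection": ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"],
    "Dropper": ["FindResource", "LoadResource", "SizeOfResource"],
}

def find_pattern(trace, pattern):
    """Indices at which `pattern` occurs in `trace` as an in-order subsequence
    (unrelated calls may sit in between), or None if it does not occur."""
    hits, pos = [], 0
    for step in pattern:
        wanted = step if isinstance(step, tuple) else (step,)
        while pos < len(trace) and trace[pos] not in wanted:
            pos += 1
        if pos == len(trace):
            return None
        hits.append(pos)
        pos += 1
    return hits

def detect(trace):
    """Map each slide-7 activity found in the trace to the indices of its calls."""
    found = {name: find_pattern(trace, p) for name, p in PATTERNS.items()}
    return {name: hits for name, hits in found.items() if hits}

# Slide-9 category codes for a handful of APIs (the full table has 534 entries);
# calls outside this constructed subset map to '?'.
CATEGORY = {"CreateFileA": "A", "CreatePipe": "A", "OpenFile": "B", "WriteFile": "C",
            "FindFirstFileA": "D", "ReadFile": "E", "LoadLibraryExW": "G",
            "RegOpenKeyExW": "H", "RegSetValueA": "I", "InternetOpenUrlA": "V",
            "InternetReadFile": "V", "CreateServiceW": "X", "GetSystemTime": "Z"}

def category_sequence(trace):
    """Slide-10 'Higher Level Category Sequence': one code letter per call."""
    return "".join(CATEGORY.get(api, "?") for api in trace)

def ngrams(seq, n):
    """Exact consecutive n-gram counts over a category sequence (slide 11, AntConc style)."""
    return Counter(seq[i:i + n] for i in range(len(seq) - n + 1))

# Constructed trace of a downloader-like run (not captured from a real sample).
TRACE = ["GetSystemTime", "RegOpenKeyExW", "URLDownloadToFile", "CreateFileA",
         "WriteFile", "WriteFile", "WinExec", "RegSetValueA"]
```

Because matching is exact, a single intervening call inside a pattern does not hurt detection here, but a reordered or renamed call does; that is the limitation slide 11 notes for n-gram matching and the reason the deck moves on to fuzzy hashing.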

SLIDE 8

Identification & Categorization of Win-APIs

534 Win-API Calls, numbered 1, 2, 3, 4, …, 533, 534 (OpenFile, WriteFile, Send, GetHostbyName, …, Connect, GetSystemTime)

grouped into 26 Categories, coded A, B, C, D, E, …, Y, Z (I/O Create, I/O Open, I/O Write, I/O Find, I/O Read, …, Win-Service, System Info)

Win-APIs in the 'I/O Create' category are used to create I/O objects like file, folder, Stdin & Stdout.

SLIDE 9

No.  CATEGORY             SOME EXAMPLES                            Code  No. of APIs
1    I/O Create           CreateFileA, CreatePipe                  A     14
2    I/O Open             OpenFile, OpenFileMappingA               B     10
3    I/O Write            WriteFile, WriteConsoleW, WriteFileEx    C     25
4    I/O Find             FindFirstFileA, FindNextFileW            D     13
5    I/O Read             ReadFile, ReadFileEx, ReadConsoleA       E     18
6    I/O Access           SetFileAttributesW, SetConsoleMode       F     19
7    Loading Library      LoadLibraryExW, FreeLibrary              G     7
8    Registry Read        RegOpenKeyExW, RegQueryValueA            H     15
9    Registry Write       RegSetValueA, RegSetValueW               I     13
…    …                    …                                        …     …
22   Internet Open/Read   InternetOpenUrlA, InternetReadFile       V     13
23   Internet Write       InternetWriteFile, TransactNamedPipe     W     2
24   Win-Service Create   CreateServiceW, CreateServiceA           X     2
25   Win-Service Other    StartServiceW, ChangeServiceConfigA      Y     11
26   System Information   GetSystemDirectoryW, GetSystemTime       Z     35

TOTAL: 26 categories, 534 APIs

SLIDE 10

Win-API Call Extraction of Malware

Host Machine : UBUNTU 14.01
Guest Machine : Win-XP SP2

APP-MON -> Execute Malware -> Win-API Call Sequence -> Higher Level Category Sequence

Total Sample: 2,600 (520 for each Malware Class)
Time Taken: 40 days

SLIDE 11

N-gram Analysis of final Call sequence

Tool Used: AntConc

LIMITATION: finds only exactly identical consecutive patterns

SLIDE 12

Analysis of sequence: ssdeep Analysis

ssdeep (Fuzzy Hash): matches inputs that have homologies.

Properties:

  • Non-Propagation
  • Alignment Robustness
  • Signature Matching Criteria

SLIDE 13

Analysis of sequence: ssdeep Analysis (2)

FILE LENGTH : 26 KB

ssdeep Hash: 768:9tshU99FMiEHvIbDtNKm2tWHl5DXhAfQPLJzOmu:9UY+iXnnKqhXEQPl3u

SLIDE 14

Analysis of sequence: ssdeep Analysis (3)

Original ssdeep Hash: 768:9tshU99FMiEHvIbDtNKm2tWHl5DXhAfQPLJzOmu:9UY+iXnnKqhXEQPl3u

CHANGE                                                   SSDEEP HASH                                                     MATCH
Remove 'Annual' from first paragraph                     768:8tshU99FMiEHvIbDtNKm2tWHl5DXhAfQPLJzOmu:8UY+iXnnKqhXEQPl3u   99
Replace 2016 with 2017 (15 replacements)                 768:XtshU9EFMiEHv1bDtNKm2tlfl5DXhAfQPLJzObv:XUh+iinnK3hXEQPlCv   83
Replace cryptography with cryptology (25 replacements)   768:TtshG99FMiEHvcbDtNUq2twHl5DXhA9QVLJzOIu:TUu+ijnnUshXGQVlVu   79
Remove first 500 bytes                                   768:TtshU99FMiEHvIbDtNKm2tWHl5DXhAfQPLJzOmu:TUY+iXnnKqhXEQPl3u   99
Remove first 1500 bytes and place them at the end        768:1tshU99FMiEHvIbDtNKm2tWHl5DXhAfQPLJzOm3:1UY+iXnnKqhXEQPl33   96
Remove first 1500 bytes and place them in the middle     768:1tshU99FMiEHvUbDtNKm2tWHl5DXhAfQPLJzOmu:1UY+i5nnKqhXEQPl3u   96
Remove 2000 bytes from the middle                        768:9tshU99FMA&&vIbDtNKm2tWHl5DXhAfQPLJzOmu:9UY+/&nnKqhXEQPl3u   96
Replace 800 bytes from the middle with a random string   768:9tshU99FM91HvIbDtNKm2tWHl5DXhAfQPLJzOmu:9UY+6n&nKqhXEQPl3u   97

SLIDE 15

Analysis of sequence : ssdeep Analysis (2)

ssdeep matching score used as the malware classification criterion.

SLIDE 16

Classification Results: Best Matching Class

MALWARE CLASS (rows: actual class of the test samples; columns: best matching class; a dash marks a cell left blank on the slide)

                     Worm   Backdoor   Trojan-Dropper   Trojan-Downloader   Trojan-Spy
Worm                 109    1          6                3                   1
Backdoor             1      98         6                5                   10
Trojan-Dropper       6      6          101              4                   3
Trojan-Downloader    3      5          4                108                 -
Trojan-Spy           1      10         3                -                   106

Training Data : 2000 Samples
Testing Data : 120 samples per Malware Class

SLIDE 17

Classification Results Comparison (chart)

Existing (Malware vs Benign) vs. Our Model (One Malware Class vs All)

SLIDE 18

Proposed Malware Classification Framework (diagram)

SLIDE 19

FUTURE DIRECTION

  • More samples
  • More Malware Categories like rootkit, botnet etc.
  • Other Operating Systems like Linux, Android etc.


SLIDE 21

Thank You

SLIDE 22

CTPH: Workflow (diagram)

SLIDE 23

CTPH: Workflow

  • Output of FNV hash -> 6 bits (LSB)
  • BASE64 encoding -> [A..Z][a..z][0..9][+,/]
  • Rather than generating a single hash of the file, hashes of different blocks of variable lengths are recorded.
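As an added illustration of slides 12 to 14 and 22 to 23 (example code written for this page, not the authors' tool and not the real ssdeep library): a toy CTPH in which a spamsum-style rolling hash picks the piece boundaries, each piece's FNV-1 hash contributes its 6 low bits as one base64 character, and two signatures are compared ssdeep-style (a shared 7-character substring is required, then 100 minus the normalised weighted edit distance). ssdeep's automatic block-size selection (the leading 768: on the slides is the block size), its 64-character cap and its second signature at double block size are omitted, so the block size is passed in by the caller; demo() re-runs the slide-14 "remove first 500 bytes" experiment on constructed random data.

```python
import random
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW = 7                                   # rolling-hash window, as in spamsum
FNV_PRIME, FNV_INIT, MASK = 0x01000193, 0x28021967, 0xFFFFFFFF

def rolling_hashes(data):
    """Spamsum-style rolling hash after each byte; it depends only on the last WINDOW bytes."""
    h1, h2, h3, win = 0, 0, 0, [0] * WINDOW
    for i, c in enumerate(data):
        h2 = (h2 - h1 + WINDOW * c) & MASK       # weighted sum over the window
        h1 = (h1 + c - win[i % WINDOW]) & MASK   # plain sum over the window
        win[i % WINDOW] = c
        h3 = ((h3 << 5) ^ c) & MASK              # bytes older than WINDOW shift out of 32 bits
        yield (h1 + h2 + h3) & MASK

def ctph(data, block_size):
    """'block_size:sig'; a piece ends where rolling % block_size == block_size-1 and yields the 6 LSBs of its FNV-1 hash as one base64 char (slide 23)."""
    sig, fnv = [], FNV_INIT
    for c, r in zip(data, rolling_hashes(data)):
        fnv = ((fnv * FNV_PRIME) & MASK) ^ c
        if r % block_size == block_size - 1:
            sig.append(B64[fnv & 0x3F])
            fnv = FNV_INIT
    sig.append(B64[fnv & 0x3F])                  # trailing partial piece
    return f"{block_size}:{''.join(sig)}"

def edit_distance(a, b):
    """Weighted Levenshtein as in ssdeep: insert/delete cost 1, substitute cost 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (0 if ca == cb else 2)))
        prev = cur
    return prev[-1]

def match_score(sig_a, sig_b):
    """ssdeep-style 0..100 score: same block size and a shared 7-char substring are required."""
    (bs_a, a), (bs_b, b) = sig_a.split(":"), sig_b.split(":")
    if bs_a != bs_b or not any(a[i:i + 7] in b for i in range(len(a) - 6)):
        return 0
    return 100 - (100 * edit_distance(a, b)) // (len(a) + len(b))

def demo(block_size=96):
    """Slide-14 style experiment on constructed data: (score after dropping the first 500 bytes, score vs. unrelated data)."""
    rng = random.Random(2016)
    original, unrelated = [bytes(rng.getrandbits(8) for _ in range(40000)) for _ in range(2)]
    return (match_score(ctph(original, block_size), ctph(original[500:], block_size)),
            match_score(ctph(original, block_size), ctph(unrelated, block_size)))
```

Dropping a prefix only disturbs the first piece or two because every later boundary is decided by the same 7-byte window, which is the alignment robustness the slide-14 table shows as scores in the high 90s.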

SLIDE 24

Worm

A worm is a type of malicious program that spreads copies of itself to other devices over a network.

Trojan-Downloader

This type of trojan secretly downloads malicious files from a remote server, then installs and executes the files.

Trojan-Spy

This type of trojan secretly installs spy programs and/or keylogger programs.

Trojan-Dropper

This type of trojan contains one or more malicious programs, which it will secretly install and execute.

Backdoor

A remote administration utility that bypasses normal security mechanisms to secretly control a program, computer or network.