Malware Analysis: A Hybrid Approach

HYBRID ANALYSIS OF MALWARE www.intertel.co.za

Upload: intertelinvestigations

Post on 21-Apr-2017

TRANSCRIPT

Page 1: Malware Analysis: A Hybrid Approach

HYBRID ANALYSIS OF MALWARE

Page 2: Malware Analysis: A Hybrid Approach

OUTLINE

• Introduction
• Technical overview
  • Parsing
  • Dynamic capture
  • Response to overwritten code
  • Signal- and exception-handler analysis
• Experimental results
• Conclusion

Page 3: Malware Analysis: A Hybrid Approach

INTRODUCTION

• Malicious software infects computer systems at an alarming rate, causing economic damage estimated in the billions of dollars per year.

• A primary goal of malware authors is to make analysis of their code as difficult and resource-intensive as possible. This explains why about 90% of malware binaries employ analysis-resistance techniques, the most prevalent of which are run-time modification of existing code and obfuscation of control transfers in the code.

Page 4: Malware Analysis: A Hybrid Approach

• The goal of the research is to simplify malware analysis by enabling a return to the traditional analyze-then-execute model.

• We address this goal by combining static and dynamic techniques to construct and maintain the control- and data-flow analyses that form the interface through which the analyst understands and instruments the code.

Page 5: Malware Analysis: A Hybrid Approach

• The work makes the following contributions:

1. Pre-execution analysis and instrumentation makes it possible for the analyst to control the execution of malicious code.

2. We give the analyst the ability to instrument malware intuitively and efficiently by providing data-flow analysis capabilities and a control flow graph (CFG) as an interface to the code.

3. The structural analysis allows analysts to be selective in the components they monitor, the operations in those components that they select, and the granularity of data they collect.

4. By combining static and dynamic techniques we allow the analyst to find and analyze code that is beyond the reach of either static or dynamic analysis alone.

Page 6: Malware Analysis: A Hybrid Approach

TECHNICAL OVERVIEW

• Parsing
• Dynamic capture
• Response to overwritten code
• Signal- and exception-handler analysis

Page 7: Malware Analysis: A Hybrid Approach

PARSING

Parsing allows us to find and analyze binary code by traversing statically analyzable control flow starting from known entry points into the code. Our initial analysis of the code may be incomplete, but we can fall back on our dynamic capture techniques to find new entry points into the code and use them to reseed our parsing algorithm.

Page 8: Malware Analysis: A Hybrid Approach

• THE PURPOSE OF OUR PARSING ALGORITHM IS TO ACCURATELY IDENTIFY BINARY CODE AND ANALYZE THE PROGRAM’S STRUCTURE PRODUCING AN INTERPROCEDURAL CONTROL FLOW GRAPH OF THE PROGRAM.

• THE COMPLETING GOAL OF GOOD COVERAGE IS RELATIVELY LESS IMPORTANT, BECAUSE OUR DYNAMIC TECHNIQUES COMPENSATE FOR LAPSES IN COVERAGE BY CAPTURING STATICALLY UN-ANALYZABLE CODE AT RUN-TIME AND TRIGGERING ADDITIONAL PARSING.

www.intertel.co.za

Page 9: Malware Analysis: A Hybrid Approach

• Control-flow traversal parsing is the basis for most accurate parsing techniques, but it makes three unsafe assumptions about control flow that can reduce its accuracy:

1. It assumes that function-call sites are always followed by a valid code sequence. (A call to a function that never returns may be followed by data or junk bytes.)

2. It assumes that control flow is only redirected by control transfer instructions. (An instruction that raises a signal or exception also redirects control flow, to a handler the parser cannot see.)

3. It assumes that both targets of a conditional branch instruction can be taken and therefore contain valid code. (A branch whose condition is constant in practice can leave non-code bytes at the never-taken target.)

Page 10: Malware Analysis: A Hybrid Approach

DYNAMIC CAPTURE

Dynamic capture techniques allow us to find and analyze code that is missed by static analysis, either because it is not generated until run-time or because it is not reachable through statically analyzable control flow.

Page 11: Malware Analysis: A Hybrid Approach

• Dynamic capture instruments the points at which analyzed code can transfer control to code the parser has not yet seen:

• Control transfer instructions that use registers or memory values to determine their targets

• Return instructions of possibly non-returning functions

• Control transfer instructions into invalid or uninitialized memory regions

• Instructions that terminate a code sequence by reaching the end of initialized memory

Page 12: Malware Analysis: A Hybrid Approach

RESPONSE TO OVERWRITTEN CODE

Code overwrites invalidate portions of an existing code analysis and introduce new code that has not yet been analyzed. We adapt DIOTA's mechanism for detecting code overwrites by write-protecting memory pages that contain code and handling the signals that result from write attempts.

Page 13: Malware Analysis: A Hybrid Approach

• Code overwrites cause significant problems for binary analysis. Most analysis tools cannot analyze overwritten code because they rely on static CFG representations of the code. Code overwrites cause problems for CFGs by simultaneously invalidating portions of the CFG and introducing new code that has yet to be analyzed. We have developed techniques to address this problem by updating the program's CFG and analyzing overwritten code before it executes.

Page 14: Malware Analysis: A Hybrid Approach

SIGNAL- AND EXCEPTION-HANDLER ANALYSIS

We use dynamic analysis to resolve signal- and exception-based control transfer obfuscations. We detect signal- and exception-raising instructions and find their dynamically registered handlers through standard techniques, then add the handlers to our analysis and instrument them to control their execution.

Page 15: Malware Analysis: A Hybrid Approach

• Analysis-resistant programs are often obfuscated by signal- and exception-based control flow. Static analyses cannot reliably determine which instructions will raise signals or exceptions, and have difficulty finding signal and exception handlers, as they are usually registered at run-time.

• Signal and exception handlers can further obfuscate the program by redirecting control flow. When a signal or exception is raised, the operating system gives the handler context information about the fault, including the program counter value. The handler can modify this saved PC value to cause the OS to resume the program's execution at a different address. A packed program can, for example, have its handler overwrite the saved PC value with the address of the program's original entry point (OEP), causing the OS to resume the program's execution at its OEP rather than at the instruction after the fault.
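The saved-PC redirect described above, as an added example in C that is not from the slides or from the tool they summarize. It assumes Linux with the glibc `ucontext_t` layout on x86-64 or aarch64; on any other platform the handler falls back to `siglongjmp`, which reaches the same place but is not the PC rewrite. The `PROT_NONE` trap page, `register_handler`, `original_entry` and `run_obfuscated` are all constructed for the example. `register_handler` also plays the analyst's part from the previous slide: it is the hook on the run-time registration call that records the handler address as a new entry point to parse and instrument before the fault ever occurs.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* exposes REG_RIP/REG_RSP in <sys/ucontext.h> on glibc */
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>
#include <unistd.h>

#if defined(__x86_64__) && !defined(REG_RIP)
#define REG_RSP 15             /* glibc gregs[] indices, in case the feature macro was missed */
#define REG_RIP 16
#endif

static sigjmp_buf g_env;
static void *g_trap_page;                  /* PROT_NONE page: any access raises SIGSEGV */
static volatile sig_atomic_t g_redirects;  /* how often the handler rewrote the saved PC */

/* Analysis side: a hook on the registration call. The handler address is a new entry
 * point that must be parsed and instrumented before the fault happens. */
static void *g_handler_entries[4];
static int g_n_handlers;
static int register_handler(int sig, void (*fn)(int, siginfo_t *, void *)) {
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = fn;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    if (g_n_handlers < 4) g_handler_entries[g_n_handlers++] = (void *)fn;
    return sigaction(sig, &sa, NULL);
}

/* The "original entry point": control arrives here only through the rewritten PC. */
static void original_entry(void) { siglongjmp(g_env, 42); }

/* Obfuscated handler: it does not repair the fault, it retargets the saved PC. */
static void redirecting_handler(int sig, siginfo_t *si, void *ctx) {
    ucontext_t *uc = (ucontext_t *)ctx;
    (void)sig; (void)si;
    g_redirects++;
#if defined(__x86_64__)
    uc->uc_mcontext.gregs[REG_RSP] -= 8;   /* fake return-address slot: target sees a normal frame */
    uc->uc_mcontext.gregs[REG_RIP] = (greg_t)(uintptr_t)original_entry;
#elif defined(__aarch64__)
    uc->uc_mcontext.pc = (uintptr_t)original_entry;
#else
    (void)uc; siglongjmp(g_env, 42);       /* portable fallback: same effect, no PC rewrite */
#endif
}

/* The packed stub: register a handler at run time, fault deliberately, and rely on the
 * handler to resume execution at original_entry. Returns 42 when the redirect worked. */
int run_obfuscated(void) {
    long pagesz = sysconf(_SC_PAGESIZE);
    g_trap_page = mmap(NULL, (size_t)pagesz, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (g_trap_page == MAP_FAILED) return -1;
    int val = sigsetjmp(g_env, 1);
    if (val == 0) {
        if (register_handler(SIGSEGV, redirecting_handler) != 0) return -1;
        *(volatile int *)g_trap_page = 1;  /* faulting instruction; the static successor is a lie */
        return -2;                         /* decoy fall-through: a static CFG would show this edge */
    }
    signal(SIGSEGV, SIG_DFL);
    munmap(g_trap_page, (size_t)pagesz);
    return val;
}
```

A static CFG of `run_obfuscated` has one successor for the faulting store, the `return -2` line, and no edge to `original_entry`; only the hook on the registration call and instrumentation of the handler itself expose where control really goes.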

Page 16: Malware Analysis: A Hybrid Approach

ALGORITHM FOR BINARY CODE DISCOVERY, ANALYSIS, AND INSTRUMENTATION

1. Load the program into memory, paused at its entry point
2. Remove debugging artifacts
3. Parse from known entry points
4. Instrument newly discovered code
5. Resume execution of the program
6. Handle code discovery event, adding new entry points
7. Go to 3

• The key feature of this algorithm is that it allows all of the program's code to be analyzed and instrumented before it executes.
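The parse-instrument-run-capture-reseed loop of this slide, together with the parsing assumptions of Page 9 and the capture points of Pages 10 and 11, as one added example in C. It is not code from the slides or from the tool they describe. Everything in it is constructed for the example: a 16-byte toy byte-coded ISA standing in for x86, a control-flow-traversal parser that either keeps unsafe assumption 1 (`naive`) or only follows a call's fall-through once the callee is known to return, an interpreter that stops at an instrumented indirect jump whose target the parser has not seen (the code discovery event of step 6), and a driver that reseeds the parser with that target. The sample program is a stub that calls a non-returning function, which jumps through a register to the payload; junk that decodes as plausible instructions follows the call.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Toy byte-coded ISA standing in for x86 (constructed for this example). */
enum { NOP = 0x00, JMP = 0x01, JCC = 0x02, CALL = 0x03, RET = 0x04,
       JMPI = 0x05, SETR = 0x06, HALT = 0x07 };
#define MEM 16
#define STACK 8

typedef struct {
    uint8_t mem[MEM];                     /* program bytes */
    bool code[MEM];                       /* instruction starts found by the parser */
    bool capture[MEM];                    /* instrumented indirect jumps (capture points) */
    bool fn_seen[MEM], fn_returns[MEM];   /* cached "may this function return?" results */
} Image;

static int insn_len(uint8_t op) {
    return (op == JMP || op == JCC || op == CALL || op == SETR) ? 2 : 1;
}

/* Control-flow-traversal parse of one function; returns true if a RET is reachable.
 * naive=true keeps unsafe assumption 1 (every call falls through to valid code);
 * naive=false follows the fall-through only once the callee is known to return and
 * leaves indirect-jump targets for dynamic capture. */
static bool parse_func(Image *im, int entry, bool naive) {
    if (entry < 0 || entry >= MEM) return false;
    if (im->fn_seen[entry]) return im->fn_returns[entry];
    im->fn_seen[entry] = true;
    int work[MEM + 1], n = 0;
    bool returns = false;
    work[n++] = entry;
    while (n > 0) {
        int pc = work[--n];
        while (pc >= 0 && pc < MEM && !im->code[pc]) {
            uint8_t op = im->mem[pc];
            if (op > HALT || pc + insn_len(op) > MEM) break;   /* undecodable: stop here */
            im->code[pc] = true;
            int next = pc + insn_len(op);
            int tgt = insn_len(op) == 2 ? im->mem[pc + 1] : -1;
            if (op == JMP)  { pc = tgt; continue; }
            if (op == JCC)  { work[n++] = tgt; pc = next; continue; }
            if (op == CALL) {
                bool callee_returns = parse_func(im, tgt, naive);
                if (naive || callee_returns) { pc = next; continue; }
                break;   /* non-returning callee: bytes after the call are not code */
            }
            if (op == RET)  { returns = true; break; }
            if (op == JMPI) { im->capture[pc] = true; break; }  /* target known only at run time */
            if (op == HALT) break;
            pc = next;   /* NOP, SETR */
        }
    }
    return im->fn_returns[entry] = returns;
}

typedef struct { int pc, r, sp, stack[STACK]; } Vm;

/* Execute until HALT or junk. When an instrumented JMPI lands on code the parser has
 * not seen, stop and report that address: the code discovery event of step 6. */
static int run_until_capture(const Image *im, Vm *vm) {
    for (int steps = 0; steps < 1000; steps++) {
        int pc = vm->pc;
        if (pc < 0 || pc >= MEM) return -1;
        uint8_t op = im->mem[pc];
        if (op > HALT || pc + insn_len(op) > MEM) return -1;   /* executed junk: stop */
        int next = pc + insn_len(op);
        int tgt = insn_len(op) == 2 ? im->mem[pc + 1] : -1;
        switch (op) {
        case NOP:  vm->pc = next; break;
        case JMP:  vm->pc = tgt; break;
        case JCC:  vm->pc = vm->r ? tgt : next; break;
        case CALL: if (vm->sp >= STACK) return -1;
                   vm->stack[vm->sp++] = next; vm->pc = tgt; break;
        case RET:  if (vm->sp <= 0) return -1;
                   vm->pc = vm->stack[--vm->sp]; break;
        case SETR: vm->r = tgt; vm->pc = next; break;
        case JMPI: vm->pc = vm->r;
                   if (im->capture[pc] && vm->r >= 0 && vm->r < MEM && !im->code[vm->r])
                       return vm->r;                               /* discovery event */
                   break;
        default:   return -1;                                     /* HALT */
        }
    }
    return -1;
}

static int count_code(const Image *im) {
    int n = 0;
    for (int i = 0; i < MEM; i++) n += im->code[i];
    return n;
}

/* Constructed sample: call a function that never returns and jumps through a register
 * to the real payload; the bytes after the call are junk that decodes as instructions. */
static void load_sample(Image *im) {
    static const uint8_t prog[MEM] = {
        SETR, 0x0A,          /* 00: r = 10, the run-time target                */
        CALL, 0x0C,          /* 02: call 12, which never returns                */
        JCC,  0x08,          /* 04: junk that decodes as a conditional branch   */
        NOP,  NOP, HALT,     /* 06..08: more junk                               */
        0xFF,                /* 09: undecodable                                 */
        NOP,  HALT,          /* 10..11: payload, reached only through JMPI      */
        JMPI,                /* 12: jmp r                                       */
        0xFF, 0xFF, 0xFF };
    memset(im, 0, sizeof *im);
    memcpy(im->mem, prog, MEM);
}

/* Steps 3 to 7 of the slide: parse from the seed, run until a capture event, reseed.
 * Returns how many instructions the final analysis knows about. */
int hybrid_analyze(Image *im, int entry, bool naive) {
    Vm vm = { .pc = entry };
    for (int seed = entry; seed >= 0; seed = run_until_capture(im, &vm))
        parse_func(im, seed, naive);
    return count_code(im);
}
```

On the sample, the naive static parse claims 7 instructions, four of them junk after the non-returning call; the careful static parse finds 3 and stops at the indirect jump; the hybrid loop then captures the jump target at run time and ends with the 5 instructions that are actually code. The payload at bytes 10 and 11 is reachable only through the capture event, which is the kind of code the slides' 33% figure refers to.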

Page 17: Malware Analysis: A Hybrid Approach

EXPERIMENTAL RESULTS

Page 18: Malware Analysis: A Hybrid Approach

MALWARE ANALYSIS

• We set up our malware analysis factory on an air-gapped system with a 32-bit Intel x86 processor running Windows XP with Service Pack 2 inside VMware Server. We then analyzed 200 malware samples. Our tool detected code unpacking in 27% of the samples, code overwrites in 16%, and signal-based control flow in 10%. 33% of the malicious code analyzed by our hybrid techniques was not part of the dynamic execution trace and would not have been identified by dynamic analysis alone.

Page 19: Malware Analysis: A Hybrid Approach

CONCLUSION

We created a hybrid analysis algorithm that makes it possible to analyze and control the execution of malicious program binaries in a way that is both more intuitive and more efficient than existing methods.