now you see me, now you don't: chasing evasive malware - giovanni vigna
DESCRIPTION
As sophisticated tools that combine static and dynamic analysis become more ubiquitous, cybercriminals are developing increasingly-evasive malware components that actively counteract analysis and behavior identification. Is this another arms race? Or is it possible to define, quantify, and identify "evasiveness" and use it as a way to detect malicious intent? This talk presents an overview of the problem and how it's been attacked from both industry and academia.
TRANSCRIPT
Now You See Me, Now You Don’t: Chasing Evasive Malware
Giovanni Vigna
CTO @ Lastline, Inc.
and Professor @ Department of Computer Science
University of California Santa Barbara
Who am I?
• Co-founder and CTO at Lastline, Inc.
  – Lastline offers protection against zero-day threats and advanced malware
• Professor of Computer Science at the University of California in Santa Barbara
  – Many system security papers in academic conferences
  – Started malware research around 2004, focusing on evasive malware
  – Built and made available to the public practical systems (Anubis, Wepawet, Revolver, …)
  – Lead Shellphish, the longest-running hacking team at DefCon’s CTF
Malware Evolution
[chart: $$ Damage (Hundreds, Thousands, Hundreds of Thousands, Millions, Billions) over Time, rising from Cybervandalism through Cybercrime to Targeted Attacks and Cyberwarfare]
AV Can’t Keep Up
Arms Race(s)
[diagram, two parallel chains:
Malicious Binary → Signature-based Anti-virus → Obfuscated/Polymorphic Malicious Binary → Behavior-based Anti-malware (sandbox) → Evasive Malicious Binary
Malicious JavaScript → Signature-based Web Gateways → Obfuscated/Polymorphic Malicious JavaScript → Behavior-based Anti-malware (honeyclient) → Evasive Malicious JavaScript]
An Evasion Framework
[diagram: a Producer emits an Artifact together with its Provenance; the artifact passes through an Analysis System, which labels/blocks it by comparing against known malicious and known benign artifacts and provenance, then the Target System, which executes/displays it, and finally the Consumer, who activates it]
An Evasion Framework
                        Analysis System   Target System   Consumer
SPAM                    X                 N/A             N/A
Phishing                X                 N/A             X
Social Engineering      N/A               N/A             X
Malware Installs        N/A (*)           N/A             X
Malicious Documents     X                 X               X
Malicious Web Pages     X                 X               N/A
Malicious Binaries      X                 N/A             N/A
(*) First downloader
Evading Static Analysis
• Static analysis techniques can be evaded by making the (relevant) code unavailable
  – Packing/encrypting
  – Delaying the inclusion of code
• Static analysis techniques can be evaded by exploiting differences in the parsing capabilities of the target system vs. analysis system
  – Parsing the executable (the target is the OS)
  – Parsing the document (the target is the Office application)
• Static analysis techniques can be foiled by making certain operations depend on values known only at run-time
  – Table lookups based on user-provided input
Evading Static Analysis
• The code is stored encoded in the registry and executed using an intricate command line:
rundll32.exe "javascript:\..\mshtml,RunHTMLApplication ;document.write(\74script language=jscript.encode>+(new%20ActiveXObject(WScript.Shell)).RegRead(HKCU\\software\\microsoft\\windows\\currentversion\\run\\)+\74/script>)"
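An added example (not code from the talk) of the check a defender can run over process-creation telemetry to catch this launcher pattern. The command line above hides its intent behind URL escapes (%20) and JScript octal escapes (\74 is "<"), so the check first undoes those layers and only then looks for the traits of the technique: a javascript: URL handed to rundll32, mshtml's RunHTMLApplication as the entry point, an inline script tag, and a RegRead of a Run key. The indicator regexes and the benign sample line are assumptions; the suspicious sample is the command line from the slide.

```python
"""Flag rundll32 command lines that pull script out of the registry.

Added example for process-creation telemetry; it is not code from the talk.
The launcher on the slide hides behind two encodings, URL escapes (%20) and
JScript octal escapes (\\74 is '<'), so the check first undoes those and then
looks for the traits of the technique. The indicator regexes and the benign
sample are assumptions; the suspicious sample is the slide's command line.
"""
import re
from urllib.parse import unquote


def decode_layers(cmdline):
    """Lower-case the command line after URL-decoding it and, when it carries a
    javascript: URL, expanding \\NNN octal escapes the way a JScript string would."""
    s = unquote(cmdline)
    if "javascript:" in s.lower():
        s = re.sub(r"\\([0-7]{1,3})", lambda m: chr(int(m.group(1), 8)), s)
    return s.lower()


# Each indicator is one trait of the technique; all run on the decoded text.
INDICATORS = {
    "javascript_url": re.compile(r'rundll32(?:\.exe)?\s+"?javascript:'),
    "runhtmlapplication": re.compile(r"mshtml\s*,\s*runhtmlapplication"),
    "inline_script_tag": re.compile(r"<script\b"),
    "regread_run_key": re.compile(r"regread\s*\(.*currentversion\\+run"),
}


def suspicious_rundll32(cmdline):
    """Return the indicators that fire, in a fixed order; empty means nothing matched."""
    decoded = decode_layers(cmdline)
    if not re.search(r"(?:^|[\\/ ])rundll32(?:\.exe)?\b", decoded):
        return []
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]


# The command line shown on the slide.
SLIDE_CMDLINE = r'''rundll32.exe "javascript:\..\mshtml,RunHTMLApplication ;document.write(\74script language=jscript.encode>+(new%20ActiveXObject(WScript.Shell)).RegRead(HKCU\\software\\microsoft\\windows\\currentversion\\run\\)+\74/script>)"'''
# Constructed benign use of rundll32 for comparison.
BENIGN_CMDLINE = r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL"

if __name__ == "__main__":
    for line in (SLIDE_CMDLINE, BENIGN_CMDLINE):
        print(suspicious_rundll32(line) or "clean", "<-", line[:60])
```

Decoding before matching is the point: a signature written against the raw command line misses trivially re-encoded variants, while the four traits survive re-encoding because they describe what the launcher has to do, not how it is spelled.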
Evading Dynamic Analysis
• Dynamic analysis techniques can be evaded by fingerprinting the environment (and not executing)
  – Detection of modified environment
    • Instrumented libs
    • Auxiliary processes/services
  – Detection of specific HW/SW configurations
    • Devices
    • Users
    • File names
• Dynamic analysis techniques can be evaded by exploiting differences in the execution capabilities of the target system vs. analysis system
  – Semantics (virtualization/emulation introduces differences)
  – Speed (analysis systems are usually slower)
  – Available resources (analysis has a finite, limited time)
    • Sleeping
    • Stalling loops
• Dynamic analysis can be evaded by checking for the presence of a human (“reverse Turing test”)
  – Keyboard/mouse is attached
  – Mouse moves
• These activities cannot be too obvious or the user will become suspicious
Visibility Matters
[diagram comparing the visibility of Traditional Sandboxes with Full-System Emulation; annotation: important behaviors and evasion happen here]
What Needs to Be Done (Now)
• Use the evasive behavior as a signal for detection
  – Detect fingerprinting
  – Detect failures to execute
• Rely on binary-level program analysis techniques to identify stalling
  – Characterize program evolution
  – Identify loops and push through
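An added example, not code from the talk or from any Lastline product, of turning the evasive behavior itself into the detection signal. It scores a per-process sandbox API trace for the three signals the slides name: fingerprinting of the environment, failure to execute (the sample quits without doing anything observable), and stalling, either by sleeping past the analysis budget or by spinning in a loop of side-effect-free calls. The trace format, the API lists, the thresholds and the traces themselves are constructed for this example.

```python
"""Score a sandbox API trace for evasion signals.

Added example (not from the talk or any Lastline product). Signals:
  * fingerprinting   - probes that reveal an analysis box (assumed API list)
  * failed to execute - no payload-style call before the process ended
  * stalling         - sleeps past the budget, or a short call sequence repeated
                       many times with nothing observable in between
Trace format, API lists, thresholds and traces are assumptions for this example.
"""
from collections import Counter
from dataclasses import dataclass, field

# Assumed probe APIs and argument strings that point at an analysis box.
FINGERPRINT_CALLS = {"IsDebuggerPresent", "GetSystemFirmwareTable", "EnumDisplayDevicesW"}
FINGERPRINT_MARKERS = ("vmware", "vbox", "qemu", "sandbox", "sbiedll")
# Assumed list of calls that mean "the sample actually did something".
PAYLOAD_CALLS = {"CreateFileW", "WriteFile", "CreateProcessW", "RegSetValueExW", "connect", "send"}


@dataclass
class Verdict:
    fingerprinting: list = field(default_factory=list)   # (seq, api) of probes seen
    failed_to_execute: bool = False                       # ended with no payload activity
    stalling: list = field(default_factory=list)          # human-readable reasons

    def score(self):
        """Crude evasiveness score; higher means more evasion signals."""
        return len(self.fingerprinting) + (2 if self.failed_to_execute else 0) + 2 * len(self.stalling)


def parse_trace(text):
    """Parse constructed 'seq Api(arg, ...)' lines into (seq, api, args) tuples."""
    events = []
    for line in text.strip().splitlines():
        seq, _, call = line.strip().partition(" ")
        api, _, rest = call.partition("(")
        args = [a.strip().strip('"') for a in rest.rstrip(")").split(",") if a.strip()]
        events.append((int(seq), api, args))
    return events


def analyze(events, budget_ms=120_000, window=3, min_repeats=50):
    v = Verdict()
    # 1. fingerprinting: a known probe API, or an analysis-revealing string in the arguments
    for seq, api, args in events:
        blob = " ".join(args).lower()
        if api in FINGERPRINT_CALLS or any(m in blob for m in FINGERPRINT_MARKERS):
            v.fingerprinting.append((seq, api))
    # 2. failure to execute: the process never made a payload-style call
    if not any(api in PAYLOAD_CALLS for _, api, _ in events):
        v.failed_to_execute = True
    # 3a. stalling by sleeping: requested sleep time eats the whole analysis budget
    slept = sum(int(args[0]) for _, api, args in events if api == "Sleep" and args)
    if slept >= budget_ms:
        v.stalling.append(f"sleep {slept}ms >= analysis budget {budget_ms}ms")
    # 3b. stalling loop: the same short, side-effect-free call sequence repeated many times
    apis = [api for _, api, _ in events]
    runs = Counter(tuple(apis[i:i + window]) for i in range(len(apis) - window + 1))
    for run, n in runs.items():
        if n >= min_repeats and not set(run) & PAYLOAD_CALLS:
            v.stalling.append(f"loop {' -> '.join(run)} repeated {n}x")
    return v


# Constructed traces.
EVASIVE_TRACE = r"""
1 GetModuleHandleW("kernel32.dll")
2 IsDebuggerPresent()
3 RegOpenKeyExW("HKLM\\SYSTEM\\CurrentControlSet\\Services\\VBoxGuest")
4 Sleep(300000)
5 ExitProcess(0)
"""
BENIGN_TRACE = r"""
1 GetModuleHandleW("kernel32.dll")
2 CreateFileW("C:\\Users\\alice\\report.docx")
3 WriteFile(4096)
4 ExitProcess(0)
"""


def constructed_loop_trace(iterations=60):
    """A process that only reads the clock in a tight loop, then exits."""
    lines, seq = [], 1
    for _ in range(iterations):
        lines.append(f"{seq} GetTickCount()"); seq += 1
        lines.append(f"{seq} QueryPerformanceCounter()"); seq += 1
    lines.append(f"{seq} ExitProcess(0)")
    return "\n".join(lines)


if __name__ == "__main__":
    for name, trace in (("evasive", EVASIVE_TRACE), ("benign", BENIGN_TRACE), ("loop", constructed_loop_trace())):
        print(name, analyze(parse_trace(trace)))
```

The thresholds are where the real engineering goes: a single IsDebuggerPresent is common in legitimate software, so in practice the score is combined with the other signals rather than used alone, and the loop detector is the trace-level cousin of the binary-level stalling-loop identification the slide calls for.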
What’s Next? (Threat-wise)
• As evasion detection improves, cybercriminals will be forced into mimicry
• Mimicry is the process of creating malware that mimics the behavior of benign applications (until the analysis is completed)
What’s Next? (Protection-wise)
• The next approach is eliciting
  – Elicit: verb. Evoke or draw out (a reaction, answer, or fact) from someone. “I tried to elicit a smile from Joanna.” Synonyms: obtain, bring out, draw out, extract, evoke, bring about, bring forth, induce, excite, give rise to, call forth, prompt, generate, engender, spark off, trigger, kindle
• Identify dormant code
• Introduce the honey-user
[diagram with labels: C&C Site, Exploit Site]
Conclusions
• Malware is (and will always be) in continuous evolution
• Evasion is a process, not a phase
• It is important to create countermeasures that require major efforts/resources from the attacker
• Visibility is key
  – Traditional anti-malware is based on simple microscopes
  – We need electronic (malware) microscopes
Questions?
Backup Slides
The Golden Standard: Bare Metal
• Comparison of execution in bare metal with execution on various types of analysis platforms
• BareCloud: Bare-metal Analysis-based Evasive Malware Detection. Dhilung Kirat, Chris Kruegel, and Giovanni Vigna. Proceedings of the USENIX Security Symposium, 2014
BareCloud Results
• Collected 110,005 samples from Anubis that had interesting behavior
  – Samples with little or no activity
  – Samples with different combinations of filesystem and network activity
• Compared profiles using hierarchical similarity
• Identified 5,835 evasive samples
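An added example of the bare-metal comparison idea from the two BareCloud slides; it is not BareCloud's code. A behavioral profile is modeled as a set of (category, operation, target) events recorded during one execution. Profiles from bare metal and from the analysis platforms are compared with a hierarchical similarity, here a weighted Jaccard at category, category-plus-operation and full-event granularity, which is an assumption standing in for BareCloud's own measure, and a sample is flagged when bare metal shows activity none of the sandboxes saw. The profiles, weights and threshold are constructed for this example.

```python
"""Bare-metal vs. sandbox differential detection of evasive samples.

Added example; not BareCloud's code. Profiles are sets of
(category, operation, target) events. The hierarchical similarity below
(weighted Jaccard at three granularities) and the threshold are assumptions;
all profiles are constructed.
"""


def jaccard(a, b):
    """Set similarity; two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def project(profile, depth):
    """Coarsen every event to its first `depth` fields (1 = category only)."""
    return {event[:depth] for event in profile}


def hierarchical_similarity(p, q, weights=(0.5, 0.3, 0.2)):
    """Weighted Jaccard over category, category+operation and full event.
    Coarse levels dominate, so random temp-file names or ports do not make
    two otherwise identical executions look different."""
    return sum(w * jaccard(project(p, d), project(q, d)) for d, w in zip((1, 2, 3), weights))


def is_evasive(bare, sandboxes, threshold=0.8):
    """True if bare metal shows (category, operation) activity that every
    sandbox missed and its profile is dissimilar to every sandbox profile."""
    if not bare:
        return False  # inert everywhere: nothing was hidden
    for sb in sandboxes.values():
        missed = project(bare, 2) - project(sb, 2)
        if not missed or hierarchical_similarity(bare, sb) >= threshold:
            return False
    return True


def find_evasive(samples, threshold=0.8):
    """samples: {sample_id: {"bare": profile, "sandboxes": {name: profile}}} -> sorted ids."""
    return sorted(sid for sid, runs in samples.items()
                  if is_evasive(runs["bare"], runs["sandboxes"], threshold))


# Constructed profiles.
BARE = {
    ("file", "write", r"c:\users\alice\appdata\local\temp\a7f3.tmp"),
    ("file", "write", r"c:\users\alice\appdata\roaming\svc.exe"),
    ("registry", "set", r"hkcu\software\microsoft\windows\currentversion\run\svc"),
    ("network", "dns", "update.example.invalid"),
    ("network", "connect", "203.0.113.7:443"),
    ("process", "exit", "0"),
}
# The same sample in a sandbox it fingerprinted: it dropped a temp file and quit.
SANDBOX_EVASIVE = {
    ("file", "write", r"c:\users\sandbox\appdata\local\temp\b1c2.tmp"),
    ("process", "exit", "0"),
}
# The same sample in a sandbox it did not notice: identical except for the random temp name.
SANDBOX_SAME = {e for e in BARE if not e[2].endswith(".tmp")} | {
    ("file", "write", r"c:\users\bob\appdata\local\temp\c9d0.tmp")}

SAMPLES = {
    "sample-0001": {"bare": BARE, "sandboxes": {"vm-a": SANDBOX_EVASIVE, "vm-b": SANDBOX_EVASIVE}},
    "sample-0002": {"bare": BARE, "sandboxes": {"vm-a": SANDBOX_SAME}},
    "sample-0003": {"bare": set(), "sandboxes": {"vm-a": set()}},
}

if __name__ == "__main__":
    print("plain Jaccard, same run twice:", round(jaccard(BARE, SANDBOX_SAME), 3))
    print("hierarchical, same run twice:", round(hierarchical_similarity(BARE, SANDBOX_SAME), 3))
    print("evasive samples:", find_evasive(SAMPLES))
```

The point of the hierarchy shows in sample-0002: the two executions differ only in a random temp-file name, so plain Jaccard on full events is 5/7 (below the 0.8 threshold) while the hierarchical score stays above it, and the sample is correctly left alone. Requiring that every sandbox miss something also keeps a sample that evaded only one of several platforms from being counted.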
Detecting Evasive Web Malware
• State-of-the-art in honeyclients
  – High-interaction honeyclients visit web pages and record modifications to the underlying system (file system, registry, processes)
  – Unexpected changes are attributed to attacks
• Limitations
  – Defenders need to know in advance the components that will be targeted by attacks
  – Configuration can be complex and incomplete
    • Some of the vulnerable components are incompatible with each other
  – Limited explanatory power
Revolver: Detecting Evasions in Web-based Malware
• Providing an oracle available to the public has drawbacks
  – Malware can be tested before deployment
• Exploitation of discrepancies leads to failed detection
• Can we use this against the bad guys?
  – Revolver: An Automated Approach to the Detection of Evasive Web-based Malware. A. Kapravelos, Y. Shoshitaishvili, M. Cova, C. Kruegel, G. Vigna. In Proceedings of the USENIX Security Symposium, Washington, D.C., August 2013
Evasion: Liberal Configuration
var nop="%uyt9yt2yt9yt2";
var nop=(nop.replace(/yt/g,""));
var sc0="%ud5db%uc9c9%u87cd...";
var sc1="%"+"yutianu"+"ByutianD"+ ...;
var sc1=(sc1.replace(/yutian/g,""));
var sc2="%"+"u"+"54"+"FF"+"%u"+"BE"+...+"A"+"8"+"E"+"E";
var sc2=(sc2.replace(/yutian/g,""));
var sc=unescape(nop+sc0+sc1+sc2);

try { new ActiveXObject("yutian");} catch (e) {
  var nop="%uyt9yt2yt9yt2";
  var nop=(nop.replace(/yt/g,""));
  var sc0="%ud5db%uc9c9%u87cd...";
  var sc1="%"+"yutianu"+"ByutianD"+ ...;
  var sc1=(sc1.replace(/yutian/g,""));
  var sc2="%"+"u"+"54"+"FF"+"%u"+"BE"+...+"A"+"8"+"E"+"E";
  var sc2=(sc2.replace(/yutian/g,""));
  var sc=unescape(nop+sc0+sc1+sc2);
}
Revolver
[pipeline diagram: Web → Pages → ASTs (e.g. IF / VAR <= NUM / …), labeled by an Oracle → Candidate pairs → Similarity computation {bi, mj} → Malicious evolution, Data-dependency, JavaScript infections, Evasions]
Evaluation: Evasion
• Collected 6,468,623 pages, of which 265,692 malicious
• Extracted 20,732,766 benign scripts, and 186,032 malicious scripts
• Derived 705,472 unique ASTs and 55,701 malicious ASTs
• For each benign AST, found ~70 malicious neighbors
• Computed 208K candidate pairs
  – 6,996 Injections (701 classes)
  – 101,039 Data dependencies (475 classes)
  – 4,147 Evasions (155 classes)
  – 2,490 Evolutions (273 classes)
http://revolver.cs.ucsb.edu
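An added example, not Revolver's code, covering the similarity computation on the Revolver slides and the "liberal configuration" evasion shown above. Revolver compares ASTs; this block works on a token stream abstracted the same way (names become VAR, literals become STR, NUM or REGEX, keywords stay), which is a simplification made to keep the example self-contained. A known script and a candidate are aligned; if they are similar enough, the candidate's additions are inspected to explain the relation. The four labels reuse the names from the evaluation slide, but the rules that assign them are assumptions, and every script in the block is constructed (the "%uAAAA"-style strings are placeholders, not shellcode).

```python
"""Revolver-style explanation of why two scripts look alike.

Added example, not Revolver's code. Revolver works on ASTs; this works on an
abstracted token stream (an assumption). The four labels reuse the slide's
names, but the rules below are simplified assumptions, and all scripts are
constructed with placeholder strings.
"""
import re
from difflib import SequenceMatcher

TOKEN_RE = re.compile(
    r'"(?:\\.|[^"\\])*"'               # double-quoted string
    r"|'(?:\\.|[^'\\])*'"              # single-quoted string
    r"|/(?:\\.|[^/\\\n])+/[gimsuy]*"   # regex literal (no division handling; fine here)
    r"|\d+(?:\.\d+)?"                  # number
    r"|[A-Za-z_$][\w$]*"               # identifier or keyword
    r"|\S"                             # any other single character
)
KEYWORDS = {"var", "new", "function", "return", "typeof",
            "try", "catch", "if", "else", "for", "while", "throw"}
CONTROL_FLOW = {"try", "catch", "if", "else", "for", "while", "throw"}


def normalize(script):
    """Abstract a script so the comparison sees structure rather than values."""
    out = []
    for tok in TOKEN_RE.findall(script):
        if tok[0] in "\"'":
            out.append("STR")
        elif tok[0] == "/" and len(tok) > 1:
            out.append("REGEX")
        elif tok[0].isdigit():
            out.append("NUM")
        elif tok in KEYWORDS:
            out.append(tok)
        elif re.match(r"[A-Za-z_$]", tok):
            out.append("VAR")
        else:
            out.append(tok)
    return out


def similarity(a, b):
    """2*M/T over the aligned token lists (difflib's ratio)."""
    return SequenceMatcher(None, a, b, autojunk=False).ratio()


def added_tokens(a, b):
    """Tokens of b that the alignment against a does not account for."""
    sm = SequenceMatcher(None, a, b, autojunk=False)
    return [t for tag, _, _, j1, j2 in sm.get_opcodes()
            if tag in ("insert", "replace") for t in b[j1:j2]]


def contains_run(a, b):
    """True if token list a appears as one contiguous run inside b."""
    n = len(a)
    return n > 0 and any(b[i:i + n] == a for i in range(len(b) - n + 1))


def classify(known, candidate, threshold=0.6):
    a, b = normalize(known), normalize(candidate)
    sim = similarity(a, b)
    if sim < threshold:
        return "unrelated", sim
    if a == b:
        return "data-dependency", sim   # only literals and names changed
    if contains_run(a, b):
        # the known script survives intact inside the candidate: what was put around it?
        if set(added_tokens(a, b)) & CONTROL_FLOW:
            return "evasion", sim       # new control flow decides whether it runs
        return "injection", sim         # dropped into an otherwise unrelated script
    return "evolution", sim             # the known code itself was modified


# Constructed scripts modeled on the slide's example; payload strings are placeholders.
KNOWN = '''
var nop = "%uyt9yt2yt9yt2";
var nop = (nop.replace(/yt/g, ""));
var sc0 = "%uAAAA%uBBBB";
var sc = unescape(nop + sc0);
'''
WRAPPED = '''
try { new ActiveXObject("yutian"); } catch (e) {
  var nop = "%uyt9yt2yt9yt2";
  var nop = (nop.replace(/yt/g, ""));
  var sc0 = "%uAAAA%uBBBB";
  var sc = unescape(nop + sc0);
}
'''
RENAMED = '''
var pad = "%uqq9qq2qq9qq2";
var pad = (pad.replace(/qq/g, ""));
var s0 = "%uCCCC%uDDDD";
var s = unescape(pad + s0);
'''
INJECTED = '''
function showBanner(msg) { document.title = msg; }
showBanner("Welcome");
var nop = "%uyt9yt2yt9yt2";
var nop = (nop.replace(/yt/g, ""));
var sc0 = "%uAAAA%uBBBB";
var sc = unescape(nop + sc0);
'''
EVOLVED = '''
var nop = "%uyt9yt2yt9yt2";
var nop = (nop.replace(/yt/g, ""));
var sc0 = "%uAAAA%uBBBB";
var sc1 = "%uEEEE%uFFFF";
var sc = unescape(nop + sc0 + sc1);
'''

if __name__ == "__main__":
    for name, cand in (("wrapped", WRAPPED), ("renamed", RENAMED), ("injected", INJECTED), ("evolved", EVOLVED)):
        print(name, classify(KNOWN, cand))
```

On the slide's example the wrapper is the whole evasion: an analysis system whose ActiveX emulation is liberal enough to hand back an object for any name never throws inside the try, so the code in the catch is never executed there, while a real browser throws on the unknown name and runs it. The pair is flagged as an evasion precisely because the candidate is the known script plus control flow and nothing else, which is the discrepancy the Revolver slides propose turning back against the attacker.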