ses2017 - malware analysis
TRANSCRIPT
Research Center for Cyber Intelligence and Information Security
CIS Sapienza
Malware Analysis
Systems and Enterprise Security 2017-2018
Dr. Giuseppe Laurenza, Ph.D. Student, [email protected]
Outline
• Introduction
• Lessons from the past
• Malware detection vs analysis
• Malware analysis techniques
• Static approaches
• Dynamic approaches
• Approaches based on download patterns
What is malware?
Software that is intentionally malicious
§ Causes damage to a software system
§ Breaks a software service
§ Steals electronic data
§ Gets access to private systems
§ …
Infection vectors
§ Email attachments (social engineering)
§ Pen drives
§ Websites (drive-by download)
§ …
Some statistics
Total number of malware samples in the last 10 years (source: AV-TEST)
Some statistics
"Cost of Cyber Crime Study: Global", Ponemon, 2015
Cost of data breaches in Italy in 2014 (from a study by Ponemon Institute LLC, sponsored by IBM)
Ponemon Institute © Research Report, "2015 Cost of Data Breach Study: Italy"
• 22 organizations from 12 different sectors involved
• Total cost: 1.98 million € (+2.6% w.r.t. 2013)
• Average cost per compromised record: 105 € (+3.4%)
• Compromised records per data breach
– Average: ~19K
– Minimum: ~4.5K
– Maximum: ~74K
Lessons from the past ("How Malware Works and Why", FireEye 2014)
• The number of new malware and the corresponding economic damage increase year by year
• Understanding how an attacker works is fundamental
– What are her guidelines?
– What are her priorities?
• A critical analysis of past attacks can shed some light…
Lessons from the past
Matt Bishop, "Analysis of the ILOVEYOU Worm", 2000
https://en.wikipedia.org/wiki/ILOVEYOU
• ILOVEYOU - 2000
– Email having subject "ILOVEYOU"
– User tempted to open the attached "love letter"
– Actually it is a Visual Basic script which
• Forwards the same email to all the victim's contacts (on MS Outlook)
• Downloads and installs a trojan to steal passwords
– Effects
• 50 million infections in 10 days
• 5.5-8.7 billion US$ damages
• Estimated removal costs: 15 billion US$
Lessons from the past
• ILOVEYOU - 2000
Beyond the technical details, the most interesting aspect is the way users have been tempted to open the malicious attachment
Lesson #1: Bless the user
Lessons from the past
https://www.sans.org/reading-room/whitepapers/malicious/nimda-worm-different-98
https://en.wikipedia.org/wiki/Nimda
• Nimda - 2001
– It spreads through
• Email: .exe attachment automatically executed when the email is opened (client -> client)
• Shared folders: replication (client -> client)
• Backdoors on IIS/PWS servers: it exploits those created by other worms (e.g., Code Red II, sadmind/IIS), copies itself among the web contents provided by the server (client -> server)
• Compromised servers: malware downloaded via web (server -> client)
Lessons from the past
http://www.computereconomics.com/article.cfm?id=133
• Nimda - 2001
– It enables an attacker to take control of the infected machine
• Creates an administrative share of disk C (enables an administrator user to access it remotely)
• Creates a Guest user and adds it to the Administrator group
– Economic effects: 635 million US$
Lessons from the past
• Nimda - 2001
Proved the feasibility (and convenience) of attacking a server indirectly through its clients
Lesson #2: Don't need to target the server
Lessons from the past
Moore, Paxson, Savage, Shannon, Staniford, Weaver, "Inside the Slammer Worm", IEEE Security and Privacy 1, 4, 2003
https://en.wikipedia.org/wiki/SQL_Slammer
• SQL Slammer - 2003
– It exploits a buffer-overflow vulnerability of MS SQL Server and MSDE (on desktop computers)
– 376 bytes of code in memory
• No malicious content
• It generates random IP addresses and sends itself through UDP on port 1434
– More than 75K machines infected in ten minutes
Lessons from the past
http://www.securityfocus.com/news/2186
http://www.cnet.com/news/counting-the-cost-of-slammer/
• SQL Slammer - 2003
– Generation of very high rate traffic
• Some routers become unresponsive
• The others start communicating to update their routing tables
• This generates further traffic which makes additional routers crash
• Rebooted routers generate even more traffic to update routing tables again…
– Damages related to service interruption
• Washington's 911 service terminals
• Bank of America's ATMs
• Continental Airlines' online ticket selling service
London-based market intelligence firm Mi2g said that the worm caused between $950 million and $1.2 billion in lost productivity in its first five days worldwide
Lessons from the past
• SQL Slammer - 2003
The possibility to exploit desktop machines allows attackers to amplify the effect
Lesson #3: There is always something available on the client
Lessons from the past
https://en.wikipedia.org/wiki/Blaster_(computer_worm)
Bailey, Cooke, Jahanian, Watson, "The Blaster Worm: Then and Now," in Security & Privacy, IEEE, vol. 3, no. 4, 2005
• Blaster - 2003
– July 16: Microsoft bulletin
• Vulnerability of the Windows RPC interface which enables executing arbitrary code
• Corresponding patch released
– July 26: exploit publicly available
– August 11: Blaster begins spreading
– August 15: 423K machines infected
– August 16: SYN flood on port 80 to windowsupdate.com
Lessons from the past
http://cs.stanford.edu/people/eroberts/cs181/projects/2003-04/security/financial_costs.html
• Blaster - 2003
The worm spread even though the patch was already available for almost a month
Lesson #4: Time to market is important
According to the Information Technology Systems and Services (ITSS) department at Stanford, the MSBlaster worm attacks in Summer 2003 cost an estimated $1.5 million measured in time spent in disinfecting computers
Lessons from the past
Laboratory of Cryptography and System Security (CrySyS Lab), Department of Telecommunications of Budapest University of Technology and Economics, "sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware for targeted attacks", technical report 2015
• Flame - 2012
– 20 MB, allows loading additional modules
– Five distinct encryption methods
– SQLite DB to keep structured information
– More than 50 domains for C&C
– Spreading through LAN and pen drives
– Can record audio, keyboard activity, network traffic, Skype calls
– Evidence that it has been developed for espionage
Lessons from the past
http://cs.stanford.edu/people/eroberts/cs181/projects/2003-04/security/financial_costs.html
• Blaster - 2003
Reuse of code of other malware, modular and extensible architecture, general purpose functionalities
Lesson #5: ROI in malware development
Malware detection
Process to decide whether a given sample is malware
In the following we only consider Windows executables as samples
Malware analysis
Study of a given sample to acquire knowledge about its possible malicious nature
Detection vs Analysis
• Malware detection is a specific type of malware analysis
• In general, malware analysis outputs can be used for malware detection
• Malware analysis usually leverages some existing knowledge base
Malware families and variants
V. Ghanaei, C. S. Iliopoulos, R. E. Overill, "A Statistical Approach for Discovering Critical Malicious Patterns in Malware Families", PATTERNS 2015
• A malware X is a variant of another malware Y if X can be obtained from Y by applying some mutations
– Malware X and Y share considerable portions of critical code
– Variants of the same malware belong to the same family
• Clustering malware in families is AV-dependent
Other types of malware analysis
• Variants detection: given a malware M,
– Which malware are variants of M? variant selection
– Which family does M belong to? family selection
• Category detection (trojan horse, worm, virus, …)
• Novelty and similarity detection
– Recognize what is novel to analyze it in more detail
– Recognize what is already known to avoid analyzing it again
Other types of malware analysis
• Development detection
M. Graziano, D. Canali, L. Bilge, A. Lanzi, D. Balzarotti, "Needles in a haystack: Mining information from public dynamic analysis sandboxes for malware intelligence", USENIX Security 15
– Online tools used by malware developers to test new malware
– The analysis of submissions to these tools can allow detecting "works in progress"
• Attribution
– Who developed a given malware?
– Who requested the development of a given malware?
• Triage: give malware a priority
Static approaches
Moser, Kruegel, Kirda, "Limits of Static Analysis for Malware Detection", in Computer Security Applications Conference, 2007
• Don't require malware execution, only its content is analyzed
• Signature-based techniques
– Database of regular expressions specifying the sequences of bytes/instructions considered as malicious
– Not effective against polymorphic malware…
• Polymorphic malware
– Malware appearance is changed by
• Encryption
• Appending/pre-pending data
Static approaches
• Limits of polymorphic malware
– Decrypted code remains the same
– Signature-based techniques on data in memory
• Allow their detection
• Not effective against metamorphic malware…
• Metamorphic malware
– Recodes itself every time it re-propagates
• Adds a variable number of NOPs
• Permutation of used registers
• Insertion of isolated code sections (never executed)
• Shuffling of functions and data structures
Static approaches
Christodorescu, Jha, Seshia, Song, Bryant, "Semantics-aware malware detection," in Security and Privacy 2005
• Limits of metamorphic malware
– Malware semantics remain the same
– Semantics-aware malware detector
• Check if a software is semantically similar to a known malware
• Template: represents a malicious behavior
– Decrypting in polymorphic malware
– Search for email addresses
– …
• Matching of templates to code sections of the sample to analyze
– Based on the effects in memory
Dynamic approaches
M. Egele, T. Scholte, E. Kirda, C. Kruegel, "A survey on automated dynamic malware-analysis techniques and tools", ACM Comput. Surv. 2012
• Require malware execution to analyze its actual behavior
• Several approaches, complementary to each other
– Monitoring of function calls
– Analysis of parameters passed to functions
– Tracing of information flows
– Tracing of executed instructions
– Monitoring of AutoStart Extensibility Points
Dynamic approaches
• Monitoring of function calls
– Allows obtaining a high-level view of the real behavior
– Function calls intercepted through hooking
– Malware executing in kernel mode can bypass hooks
– Analysis of the function call trace
• Represented as a graph
– Nodes are functions
– Edges are function calls
• Matching to known malware based on graph distance
– i.e., edit distance
Dynamic approaches
• Analysis of parameters passed to functions
– Focus on the real values passed when a function is invoked
– Tracing the values of parameters and returned results allows linking distinct function calls
– Example
• open() returns the descriptor of the file just opened
• read() requires a file descriptor as parameter
• If the descriptors are the same, the link is obvious
Dynamic approaches
• Tracing of information flows
– Goal: understanding how data of interest propagate as software computes on them
– Data to be monitored are marked with labels
• These labels propagate together with the marked data and enable tracing
• Trivial example
» X: datum of interest marked with label L1
» Instruction: Y = X
» L1 is propagated to Y
Dynamic approaches
• Tracing of information flows
– Aspects to take into account
• Direct dependencies between data
» A = A + X
» If both A and X are labeled, how to propagate the label?
• Address dependencies
» Read/write addresses derived from labeled data
» A = X[10] where X is labeled
» B = C[Y] where Y is labeled
Dynamic approaches
• Tracing of executed instructions
– Sequence of assembly instructions
– Can include additional useful information
• Example: report on system calls and function calls
• Monitoring of AutoStart Extensibility Points
– ASEP: mechanisms allowing applications to be executed at startup or when another specific application starts
– Often used by malware to become persistent
– Can provide information useful for detection purposes
Approaches based on download patterns
Vadrevu, Rahbarinia, Perdisci, Li, Antonakakis, "Measuring and Detecting Malware Downloads in Live Network Traffic", ESORICS 2013
• Malware are delivered within campaigns
– Users forced/lured to click malevolent links or open malicious attachments
– Attackers use a smart delivery infrastructure
• Domains and IP addresses are changed frequently
• Can avoid detection mechanisms based on blacklists
– e.g., Google Safe Browsing
• Is it possible to characterize the way malware are downloaded so as to identify distinguishing patterns?
Approaches based on download patterns
• AMICO: Accurate Malware Identification via Classification of live network traffic Observations
– Traffic monitoring to extract information on downloaded files
– Machine Learning techniques to classify files as malicious or benign
Approaches based on download patterns
• Types of used features
– Info on past downloads (how many times it has been downloaded, …)
– Info on domains (how many malware downloaded from that domain, …)
– Info on server IP (how many malware downloaded from that IP, …)
– Info on URL structure (how many malware downloaded from similar URLs, …)
– Info on the download (file extension, presence of referer, …)
Approaches based on download patterns
• Classification: given a sample just downloaded, decide whether it is malware by analyzing its provenance
– Compute a boolean function f({feature values})
– Machine Learning to learn to compute such a function having at disposal a training set
• Set of elements [{feature values}, f({feature values})]
• A ground truth is required to create the training set
– AMICO uses VirusTotal (https://www.virustotal.com/)
Approaches based on download patterns
• Experimental results very promising
– 90% true positives
– 0.1% false positives
– Zero-day malware detected!!!
• Very fast classification
– It is not required to analyze sample content or behavior
• Limitation
– Feature computation requires collecting statistics over 2/3 months of downloads
Ø Bootstrap of 2/3 months required!!!