
Malicious Software and its Underground Economy

Two Sides to Every Story

Toward Dynamic Analysis


Lorenzo Cavallaro
Information Security Group Royal Holloway, University of London

Jul 1, 2013, Week 3-1

(Week 3-1) Lorenzo Cavallaro (ISG@RHUL), Malware and its Underground Economy, Jul 1, 2013, Week 3-1, slide 1 / 14

Lecture Outline

Learning Outcomes

Week 1  Introduction
Week 2  Static analysis and its limitations
Week 3  Dynamic analysis and its limitations
    1 Toward dynamic analysis
    2 (a glimpse at) Dynamic analysis (part 1)
    3 (a glimpse at) Dynamic analysis (part 2)
    4 (a glimpse at) Limits of dynamic analysis
    5 AccessMiner: system-centric models
Week 4  Mobile malware
Week 5  Cybercriminal underground economy
Week 6  The cost of cybercrime

Packing

Malicious code hidden by 1+ layers of compression/encryption
Decompression/decryption performed at runtime

[Figure: the malicious code is wrapped in one or more unpacking routines; each unpacking routine, when run, reveals the next layer, down to the malicious code itself]

Algorithmic unpacking

Implement in the AV a routine semantically equivalent to the one included in the malware
Use this routine to recover the original code

The challenge is still open...
80% of the malware are packed
200 families of packers, 2000 variants for each family
Backlog of 90 families
Source: Symantec, 2008

Algorithmic unpacking requires intimate knowledge of the packing algorithms used
Too many families (Symantec: from 6 hours to 6 months per packer)
Multi-layer packing
Need of algorithmic-agnostic unpacking techniques

Toward dynamic analysis...

(Week 3-1) Lorenzo Cavallaro (ISG@RHUL)

Malware and its Underground Economy

Jul 1, 2013Week 3-1

4 / 14

Packing & polymorphism

In case algorithmic unpacking were effective...

[Figure: Mutation #1, Mutation #2, Mutation #3, the same malicious code wrapped in a different packing routine each time]

Alter the packing routine in each malware sample
Preserve the semantics

Metamorphism

Metamorphics are body-polymorphics (Igor Muttik)
The whole payload of each sample differs from the others

[Figure: Mutation #1, Mutation #2, Mutation #3, each with an entirely different body]

How does it work?
1 Analyze its own code
2 Split the code in blocks
3 Mutate each block separately

[Figure: malware code split into block1 ... block8; after mutation the blocks appear as block1, block6, block3, block9, block5, block2, block10, block8]

So, how are we doing? (to be read with Buddy Valastro accent)

How are we doing?

[Figure. Source: IKARUS Security Software GmbH]

Towards Dynamic Analysis Techniques

Unpacking

Algorithmic-agnostic Unpacking

Idea: dynamic analysis
Emulation/tracing of the sample execution until the termination of the packing routine

[Figure: packed code, run under emulation/tracing, yields the unpacked code]

A few names: OmniUnpack, Justin, Renovo, PolyUnpack

Unpacking

OmniUnpack

Execution trace: x(0), w(2), s0, w(1), x(1), s1, x(2), s2, ...
(x(p) = execution of code on page p, w(p) = write to page p, s_i = system call invocation)

[Figure: table of pages 0, 1, 2, ... with their membership in the sets W and WX, updated at each step below]

W = pages written, WX = written-then-executed pages; both start empty.

x(0)  Execution of page 0
w(2)  Writing page 2: W = W ∪ {2}
s0    Exec system call s0 = NtOpenFile (non-dangerous, and WX = ∅)
w(1)  Writing page 1: W = W ∪ {1}
x(1)  Exec page 1: WX = WX ∪ {1} (written-then-executed pages)
s1    Exec system call s1 = NtOpenKey (non-dangerous)
x(2)  Exec page 2: WX = WX ∪ {2}
s2    Exec system call s2 = NtDeleteFile (dangerous): invocation of the malware detector to analyze the pages in W

If it is a benign process, W and WX are reset to ∅ and the execution resumes.

Reference: OmniUnpack: Fast, Generic, and Safe Unpacking of Malware. Lorenzo Martignoni, Mihai Christodorescu, Somesh Jha. In Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC), 2007.

Unpacking

Self-emulating malware

Heuristics to detect the end of the unpacking are based on the execution of previously written code

[Figure: the untransformed program on the left, the VM-based obfuscated program on the right]

Untransformed Program:
    mov %ax, $0xcafe;
    xor %ebx, %ebx;
    inc %ecx;
    int $0x2e;

Obfuscated Program (bytecode executed by a VM):
    inst37 %r6, $0xcafe;
    inst15 %r2, %r2;
    inst24 %r11;
    inst4 $0x2e;

1 The code of the malware is transformed in bytecode
2 Bytecode interpreted at run-time by a VM
3 Bytecode mutated in each sample

Difficult?

[Figure]

It is unsafe to consider as malicious all programs protected with Themida (used also to protect benign programs)
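The OmniUnpack page-tracking rule from the previous slide and the self-emulating case on this one, as an added example that is not part of the original lecture and not the OmniUnpack authors' code. It replays the slide's trace x(0), w(2), s0, w(1), x(1), s1, x(2), s2 through a toy W/WX tracker, then replays a constructed trace of a VM-based sample whose written bytecode is only ever read. The page contents, the marker the detector looks for, the dangerous-syscall set (only NtDeleteFile is named on the slide) and the VM trace are all assumptions; the trigger condition (scan only on a dangerous syscall while WX is non-empty, reset on a benign verdict) follows the slide's steps.

```python
# Added example: toy re-implementation of the OmniUnpack W/WX tracking rule.
# Page contents, MARKER, the detector and the traces below are constructed.
from dataclasses import dataclass, field

# Constructed memory images: page number -> page bytes.  MARKER stands in for
# whatever byte pattern a real signature-based detector would match on.
MARKER = b"CONSTRUCTED_SIGNATURE"
SLIDE_MEMORY = {0: b"unpacking stub", 1: b"<native code> " + MARKER, 2: b"<native code> tail"}
VM_MEMORY = {0: b"vm interpreter loop", 2: b"<bytecode> " + MARKER}
BENIGN_MEMORY = {3: b"legit decompressed code", 4: b"more legit code"}

# The slide's trace: x(p) = execute page p, w(p) = write page p, s = syscall.
SLIDE_TRACE = [
    ("x", 0), ("w", 2), ("s", "NtOpenFile"), ("w", 1),
    ("x", 1), ("s", "NtOpenKey"), ("x", 2), ("s", "NtDeleteFile"),
]
# Constructed self-emulating sample: the VM on page 0 decodes bytecode into
# page 2 but only reads it; no written page is ever executed natively.
VM_TRACE = [("x", 0), ("w", 2), ("x", 0), ("x", 0), ("s", "NtDeleteFile")]
# Constructed benign unpacker: two scans, the second after a reset.
BENIGN_TRACE = [
    ("w", 3), ("x", 3), ("s", "NtDeleteFile"),
    ("w", 4), ("x", 4), ("s", "NtDeleteFile"),
]

# Only NtDeleteFile is named as dangerous on the slide (assumption: whole set).
DANGEROUS_SYSCALLS = {"NtDeleteFile"}


@dataclass
class PageTracker:
    """W: pages written since the last scan; WX: written pages later executed."""
    W: set = field(default_factory=set)
    WX: set = field(default_factory=set)

    def write(self, page):
        self.W.add(page)

    def execute(self, page):
        # A page enters WX only if it was written since the last reset.
        if page in self.W:
            self.WX.add(page)

    def reset(self):
        self.W.clear()
        self.WX.clear()


def signature_detector(memory):
    """Assumed detector: a page set is malicious if any page contains MARKER."""
    def scan(pages):
        return "malicious" if any(MARKER in memory.get(p, b"") for p in pages) else "benign"
    return scan


def run_tracker(trace, memory, dangerous=DANGEROUS_SYSCALLS):
    """Replay a trace and return (scan log, final verdict).

    The detector runs only when a dangerous syscall is invoked while WX is
    non-empty, i.e. freshly written code has actually executed since the
    last scan; on a benign verdict W and WX are reset and execution resumes.
    Each log entry is (syscall, sorted W, sorted WX, verdict).
    """
    tracker = PageTracker()
    detect = signature_detector(memory)
    log = []
    for kind, arg in trace:
        if kind == "w":
            tracker.write(arg)
        elif kind == "x":
            tracker.execute(arg)
        elif kind == "s":
            if arg in dangerous and tracker.WX:
                verdict = detect(sorted(tracker.W))
                log.append((arg, sorted(tracker.W), sorted(tracker.WX), verdict))
                if verdict == "malicious":
                    return log, "malicious"
                tracker.reset()
        else:
            raise ValueError(f"unknown trace event {kind!r}")
    return log, "no detection"


if __name__ == "__main__":
    print("slide trace :", run_tracker(SLIDE_TRACE, SLIDE_MEMORY))
    print("VM sample   :", run_tracker(VM_TRACE, VM_MEMORY))
    print("benign      :", run_tracker(BENIGN_TRACE, BENIGN_MEMORY))
```

On the slide's trace the scan fires at s2 with W = WX = {1, 2} and finds the marker on page 1. On the VM trace the same marker sits in page 2, but page 2 is written and never executed, so WX stays empty and the heuristic never hands anything to the detector; that is the failure mode the slide points at, since the "unpacked" program only ever exists as bytecode consumed by the interpreter. The benign trace shows the reset: the second scan sees W = {4}, not {3, 4}.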

Well, do we really have many variants?

Unpacking

Too many to count

[Figure]

Unpacking

Signature-based detection is not sufficient anymore

Malware are created at the speed of light (25,000 malware samples every day, seven days a week, 2008)
Signature generation takes time and resources
Signature databases are becoming huge and hard to maintain and manage (e.g., the ClamAV database contains 758,655 signatures and must be updated every hour)
Malware protect their code to thwart signature detection
