Lecture Outline
Learning Outcomes
The exploit downloads and installs a malware sample, infecting the victim
Week 1 Introduction
Week 2 Static analysis and its limitations
Week 3 Dynamic analysis and its limitations
  1 Toward dynamic analysis
  2 (a glimpse at) Dynamic analysis (part 1)
  3 (a glimpse at) Dynamic analysis (part 2)
  4 (a glimpse at) Limits of dynamic analysis
  5 AccessMiner: system-centric models
Week 4 Mobile malware
Week 5 Cybercriminal underground economy
Week 6 The cost of cybercrime
(Week 3-1) Lorenzo Cavallaro (ISG@RHUL), Malware and its Underground Economy, Jul 1, 2013
2 / 14
Packing
Malicious code hidden by 1+ layers of compression/encryption
Decompression/decryption performed at runtime
(Figure: the malicious code wrapped in one or more unpacking routines, one layer per packing step)
3 / 14
Algorithmic unpacking
Implement in the AV a routine semantically equivalent to the one included in the malware
Use this routine to recover the original code
The challenge is still open...
  80% of the malware are packed
  200 families of packers, 2000 variants for each family
  Backlog of 90 families
Source: Symantec, 2008
Algorithmic unpacking requires intimate knowledge of the packing algorithms used
  Too many families (Symantec: from 6 hours to 6 months per packer)
  Multi-layer packing
Need of algorithmic-agnostic unpacking techniques
Toward dynamic analysis...
4 / 14
(Figure: Mutation #1, Mutation #2, Mutation #3, three samples of the same malware with different packing routines)
Alter the packing routine in each malware sample
Preserve the semantics
5 / 14
Metamorphism
Metamorphics are body-polymorphics (Igor Muttik)
The whole payload of each sample differs from the others
(Figure: Malware Code split into block1 ... block8, producing Mutation #1, Mutation #2, Mutation #3)
How does it work?
  1 Analyze its own code
  2 Split the code in blocks
  3 Mutate each block separately
So, how are we doing? (to be read with Buddy Valastro accent)
6 / 14
Unpacking
Algorithmic-agnostic Unpacking
Idea
Dynamic analysis: emulation/tracing of the sample execution until the termination of the packing routine
9 / 14
Unpacking
OmniUnpack
Execution trace: x(0), w(2), s0, w(1), x(1), s1, x(2), s2, ...
  x(p) = execution of page p, w(p) = writing of page p, s = system call
  x(0): execution of page 0
  w(2): writing page 2, W = W ∪ {2}
  s0 = NtOpenFile
  w(1): writing page 1, W = W ∪ {1}
  x(1): execution of page 1
  s1 = NtOpenKey
  x(2): execution of page 2
  s2 = NtDeleteFile

Page #   Access
0
1        W, WX
2        W, WX
...

OmniUnpack: Fast, Generic, and Safe Unpacking of Malware. Lorenzo Martignoni, Mihai Christodorescu, Somesh Jha. In Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC), 2007
10 / 14
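A small model of the page-tracking heuristic sketched on the slide, replayed over the slide's own trace (constructed example added here, not OmniUnpack's code; the dangerous-syscall list is taken from the slide and the reset policy after a scan is an assumption):

```python
from dataclasses import dataclass, field

# System calls the slide marks as "dangerous" (s0, s1, s2); assumed list.
DANGEROUS_SYSCALLS = {"NtOpenFile", "NtOpenKey", "NtDeleteFile"}


@dataclass
class UnpackMonitor:
    """Page-granularity tracker in the spirit of OmniUnpack (simplified model)."""
    written: set = field(default_factory=set)   # W: pages written, not yet scanned
    wx: set = field(default_factory=set)        # pages written and then executed
    access: dict = field(default_factory=dict)  # page -> access history, like the slide's table
    scans: list = field(default_factory=list)   # (syscall, pages handed to the scanner)

    def write(self, page):
        # w(p): the sample writes page p, so W = W ∪ {p}
        self.written.add(page)
        self.access.setdefault(page, []).append("W")

    def execute(self, page):
        # x(p): executing a page written earlier means unpacked code is running
        if page in self.written:
            self.wx.add(page)
            self.access[page].append("WX")

    def syscall(self, name):
        # s: scan only at a dangerous call, and only if new code ran since the last scan
        if name in DANGEROUS_SYSCALLS and self.wx:
            self.scans.append((name, sorted(self.wx)))
            self.written -= self.wx  # assumption: scanned pages need no rescan until rewritten
            self.wx.clear()


def run_trace(trace):
    """Replay a list of (event, arg) tuples: ('x', page), ('w', page), ('s', syscall)."""
    monitor = UnpackMonitor()
    for event, arg in trace:
        {"x": monitor.execute, "w": monitor.write, "s": monitor.syscall}[event](arg)
    return monitor


# The trace from the slide: x(0), w(2), s0, w(1), x(1), s1, x(2), s2
SLIDE_TRACE = [("x", 0), ("w", 2), ("s", "NtOpenFile"), ("w", 1), ("x", 1),
               ("s", "NtOpenKey"), ("x", 2), ("s", "NtDeleteFile")]

if __name__ == "__main__":
    m = run_trace(SLIDE_TRACE)
    for page in sorted(m.access):
        print(f"page {page}: {' -> '.join(m.access[page])}")
    print("scanner invoked at:", m.scans)
```

Note that s0 (NtOpenFile) triggers no scan because page 2 had been written but not yet executed; the scanner only runs once written code is actually executed, which is exactly the heuristic the next slide says self-emulating malware is designed to defeat.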
Unpacking
Self-emulating malware
Heuristics to detect the end of the unpacking are based on the execution of previously written code

Untransformed Program          Obfuscated Program (interpreted by the VM)
mov %ax, $0xcafe;              inst37 %r6, $0xcafe;
xor %ebx, %ebx;                inst15 %r2, %r2;
inc %ecx;                      inst24 %r11;
int $0x2e;                     inst4 $0x2e;

  1 The code of the malware is transformed in bytecode
  2 Bytecode interpreted at run-time by a VM
  3 Bytecode mutated in each sample
Difficult?
It is unsafe to consider as malicious all programs protected with Themida (used also to protect benign programs)
11 / 14
Unpacking
Malware is created at the speed of light (25,000 malware samples every day, seven days a week, 2008)
Signature generation takes time and resources
Signature databases are becoming huge and hard to maintain and manage (e.g., the ClamAV database contains 758,655 signatures and must be updated every hour)
Malware protects its code to thwart signature detection
14 / 14