Post on 22-Feb-2016
description
transcript
INSPECTOR GADGET: AUTOMATED EXTRACTION OF
PROPRIETARY GADGETS FROM MALWARE BINARIES
Christopher KruegelUniversity of California
Engin KirdaInstitute Eurecom
Clemens Kolbitsch Thorsten HolzSecure Systems Lab
Vienna University of Technology
31st IEEE Symposium on Security & Privacy, 2010
Outline Introduction System Overview Automated Extraction Gadget Preparation and Replay Gadget Inversion Evaluation
Introduction Malware is the driving force behind
many of the attacks on the Internet today.
It now being increasingly deployed as software that can be remotely controlled.
How to analyze… Static analysis
Obfuscation, etc.
Dynamic analysisIt doesn’t support automatically extracting the
specific functionality from the malware.Ex: domain generation algorithm of samples that
use domain fluxEx: the decoding function
This paper aims… Presenting a novel approach to automatically
extract from a given malware the instructions that are responsible for a certain activity of the sample
First, INSPECTOR performs dynamic program slicing on the malware to extract a slicing with “interesting” behavior.
Second, it generates a stand-alone gadget base on the extracted slice.
Advantages of the extracted gadgets Reduce our exposure to the malicious
code Immediately carry out a certain
operation the malware performs Identify in-memory buffers that hold
decrypted data Some gadgets can be inverted.
System Overview
Automated Extraction Generating Activity Logs
Anubis[web] performs dynamic malware analysis base on a processor emulator(QEMU).○ Recording all executed instructions○ Marking each byte returned by a system call, and
using taint technique○ Record all memory accesses
Once an analyst has spotted an interesting behavior, she can instruct INSPECTOR to extract a gadget.
Automated Extraction (cont.) Selecting and Extracting Algorithms
An analyst has to select the relevant flow manually.○ In the HTTP download, she may select
WriteFile, or CreateFile.
Extract a slice○ Attempts to find all necessary data sources
required to calculate the parameters pass to the function call.
Selecting and Extracting Algorithms Forward Searching and Backward Slicing
The behavior selected by an analyst is not the intended endpoint.
The analyst should specify something as an endpoint where the forward searching stops.
Heuristics for Detecting Endpointstring comparison functions, or execution of code
containing string handling instructionsThe data has been processed by a list of
mathematical instructions.
Selecting and Extracting Algorithms (cont.) Closure Analysis
INSPECTOR can decide to deliberately exclude certain dependencies.○ Conditional jump○ A behavior is only triggered under a certain
condition
Gadget Preparation and Replay Gadget Format and Relocation
Dynamic loadable library (DLL)
All references to absolute code addresses are rewritten to use relative addressing
Extract all static memory areas into a data file
Gadget Preparation and Replay (cont.) Gadget Player
Memory Management○ Preinitialized memory areas
○ Provide the player with a complete view of the memory buffers accessible to the gadget.
Gadget Preparation and Replay (cont.) Execution Containment
Must isolate the gadget from the player’s memory
Some choice○ Emulation
Performance consideration○ Our approach
Memory management rewrites the memory accessesUsing a separate threadRedirect the API or system call to environment interface
○ Other approachSFI, Native Client[web]
Gadget Preparation and Replay (cont.) Environment Interface
During the gadget start-up, it registers a callback function inside the gadget○ Invoked by the gadget each time a system or
Windows API call○ The callback can be changed by the analyst
Gadget Preparation and Replay (cont.) Callback Handling
The gadget player can return fake information to the gadget
Gadget Inversion Main idea
First, extract the gadget that is responsible for stealing and encoding the data
Second, compute the input that leads to the output observed in the network dump
Use brute-force and the data dependencies
Gadget Inversion
oniiio
o
v
DiivvCIiiD
oIiOo
ni
,,| :inputs Candidateion depends o| :bytesinput Dependent
valueexpected theis bytesinput ofset thebe ,
bytesoutput ofset thebe ,
Gadget Inversion Implementation
Using taint tracking to get information Applicability
Base64:
○ 3 byte encode to 4 byte○ Depend on 2 byte
Gadget InversionXOR
○ Using constant key depend on 1 byte○ Using the content as key depend on 2 byte
Strong Encryption○ Ex: RSA○ Depend on all byte○ imposible
Gadget Inversion Possible Extensions
Extract algebraic formulae○ Constraint solver
Input parallelization○ Check multiple input candidates
Evaluation
Evaluation
Evaluation Fetching Binary Updates: Pushdo
Over a period of 16 daysChange IP for 3 C&C servers
Binary Update Decryption: PushdoPushdo client use random key to append on
URL in order to get encrypt file.Invere the program to find the key
Evaluation Binary Update Generation: Pushdo
Inverse the decrypt algorithmRedirect connection to our server140 bytes 44 seconds
Evaluation Template-based Spamming: Cutwail
XOR based encryptStore template in memory