7/29/2019 w3 w3-1 Packing
Malicious Software and its Underground Economy
Two Sides to Every Story

Toward Dynamic Analysis

Lorenzo Cavallaro
Information Security Group, Royal Holloway, University of London
Jul 1, 2013, Week 3-1
(Week 3-1) Lorenzo Cavallaro (ISG@RHUL) Malware and its Underground Economy Jul 1, 2013Week 3-1 1 / 14
Lecture Outline / Learning Outcomes

[Figure residue from the recap diagram: "The exploit downloads and installs a malware sample, infecting the victim"]

Week 1: Introduction
Week 2: Static analysis and its limitations
Week 3: Dynamic analysis and its limitations
  1 Toward dynamic analysis
  2 (a glimpse at) Dynamic analysis (part 1)
  3 (a glimpse at) Dynamic analysis (part 2)
  4 (a glimpse at) Limits of dynamic analysis
  5 AccessMiner: system-centric models
Week 4: Mobile malware
Week 5: Cybercriminal underground economy
Week 6: The cost of cybercrime
Packing

Malicious code hidden by one or more layers of compression/encryption
Decompression/decryption performed at runtime

[Figure: the malicious code wrapped in one or more unpacking-routine layers]
Algorithmic unpacking

Implement in the AV a routine semantically equivalent to the one included in the malware
Use this routine to recover the original code

The challenge is still open...
80% of the malware are packed
200 families of packers, 2000 variants for each family
Backlog of 90 families
(Source: Symantec, 2008)

Algorithmic unpacking requires intimate knowledge of the packing algorithms used
Too many families
Symantec: from 6 hours to 6 months per packer
Multi-layer packing

Need for algorithm-agnostic unpacking techniques
Toward dynamic analysis...
Packing & polymorphism

In case algorithmic unpacking were effective...
[Figure: Mutation #1, Mutation #2, Mutation #3 of the same sample]
Alter the packing routine in each malware sample
Preserve the semantics
Metamorphism

Metamorphics are body-polymorphics (Igor Muttik)
The whole payload of each sample differs from the others
[Figure: Mutation #1, Mutation #2, Mutation #3]

How does it work?
1 Analyze its own code
2 Split the code in blocks
3 Mutate each block separately
[Figure: malware code split into block1 ... block8; after mutation the blocks are reordered and some are replaced, e.g. block1, block6, block3, block9, block5, block2, block10, block8]

So, how are we doing? (to be read with Buddy Valastro accent)
How are we doing?

[Figure: chart, Source: IKARUS Security Software GmbH]
Towards Dynamic Analysis: Techniques

Unpacking
Algorithmic-agnostic Unpacking

Idea: dynamic analysis
Emulation/tracing of the sample execution until the termination of the packing routine
[Figure: Packed code -> Unpacked code]

A few names
OmniUnpack
Justin
Renovo
PolyUnpack
Unpacking: OmniUnpack

Execution trace: x(0), w(2), s0, w(1), x(1), s1, x(2), s2, ...
(x(n) is the execution of page n, w(n) a write to page n, s_i a system call)

Page-access table kept per page (#): W = pages written, WX = pages written and then executed.

Step by step:
Execution of page 0
Writing page 2: W = W ∪ {2}
Exec system call s0 = NtOpenFile (non-dangerous, and WX = ∅)
Writing page 1: W = W ∪ {1}
Exec page 1: WX = WX ∪ {1} (written-then-executed pages)
Exec system call s1 = NtOpenKey (non-dangerous)
Exec page 2: WX = WX ∪ {2}
Exec system call s2 = NtDeleteFile (dangerous): invocation of the malware detector to analyze the pages in W
If it is a benign process, W and WX are reset to ∅ and the execution resumes

Reference: OmniUnpack: Fast, Generic, and Safe Unpacking of Malware. Lorenzo Martignoni, Mihai Christodorescu, Somesh Jha. In Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC), 2007.
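The page-tracking logic of the walkthrough above, as an added example in Python (not the lecture's or the OmniUnpack paper's code): it replays the trace x(0), w(2), s0, w(1), x(1), s1, x(2), s2 and shows when the detector is invoked and when W and WX are reset. The trace is constructed, and every "dangerous" system call other than NtDeleteFile is an assumption.

```python
from dataclasses import dataclass, field

# Constructed label set: the lecture calls NtDeleteFile "dangerous" and
# NtOpenFile / NtOpenKey "non-dangerous"; the other names are assumptions.
DANGEROUS = {"NtDeleteFile", "NtWriteFile", "NtCreateProcess", "NtCreateFile"}


@dataclass
class OmniMonitor:
    W: set = field(default_factory=set)     # pages written since the last reset
    WX: set = field(default_factory=set)    # pages written and later executed
    invocations: list = field(default_factory=list)  # (syscall, pages given to detector)

    def on_exec(self, page):
        # Executing a page that was written earlier means unpacked code is running.
        if page in self.W:
            self.WX.add(page)

    def on_write(self, page):
        self.W.add(page)

    def on_syscall(self, name, verdict):
        # The detector runs only on a dangerous call, and only if some written page
        # has already been executed; otherwise nothing new has been unpacked yet.
        if name in DANGEROUS and self.WX:
            pages = sorted(self.W)
            self.invocations.append((name, pages))
            if verdict(pages) == "benign":
                self.W.clear()      # benign: reset W and WX and let execution resume
                self.WX.clear()
            # a malicious verdict leaves the state in place for the caller to act on


def run_trace(trace, verdict=lambda pages: "benign"):
    """Replay ("x", page), ("w", page) and ("s", syscall) events through the monitor."""
    m = OmniMonitor()
    for kind, arg in trace:
        if kind == "x":
            m.on_exec(arg)
        elif kind == "w":
            m.on_write(arg)
        else:
            m.on_syscall(arg, verdict)
    return m


# Constructed trace mirroring the lecture: x(0), w(2), s0, w(1), x(1), s1, x(2), s2
LECTURE_TRACE = [("x", 0), ("w", 2), ("s", "NtOpenFile"), ("w", 1), ("x", 1),
                 ("s", "NtOpenKey"), ("x", 2), ("s", "NtDeleteFile")]

if __name__ == "__main__":
    print(run_trace(LECTURE_TRACE).invocations)   # [('NtDeleteFile', [1, 2])]
```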
Unpacking: Self-emulating malware

Heuristics to detect the end of the unpacking are based on the execution of previously written code

Untransformed Program:
    mov %ax, $0xcafe;
    xor %ebx, %ebx;
    inc %ecx;
    int $0x2e;

Obfuscated Program (bytecode executed by a VM):
    inst37 %r6, $0xcafe;
    inst15 %r2, %r2;
    inst24 %r11;
    inst4 $0x2e;

1 The code of the malware is transformed in bytecode
2 Bytecode interpreted at run-time by a VM
3 Bytecode mutated in each sample

Since the VM interprets the bytecode instead of writing native code to memory and then executing it, a written-then-executed heuristic never observes the end of the unpacking.

Difficult?
Well, do we really have many variants?
Unpacking: Too many to count

[Figure: charts of the number of variants; not recoverable from the text]
Unpacking: Signature-based detection is not sufficient anymore

Malware are created at the speed of light (25,000 malware samples every day, seven days a week, in 2008)
Signature generation takes time and resources
Signature databases are becoming huge and hard to maintain and manage (e.g., the ClamAV database contains 758,655 signatures and must be updated every hour)
Malware protect their code to thwart signature detection