w3 w3-1 Packing
  • 7/29/2019 w3 w3-1 Packing

    1/45

Malicious Software and its Underground Economy: Two Sides to Every Story

Toward Dynamic Analysis
Lorenzo Cavallaro

Information Security Group, Royal Holloway, University of London

Jul 1, 2013, Week 3-1

    (Week 3-1) Lorenzo Cavallaro (ISG@RHUL) Malware and its Underground Economy Jul 1, 2013Week 3-1 1 / 14


Lecture Outline / Learning Outcomes

The exploit downloads and installs a malware sample, infecting the victim

Week 1 Introduction

Week 2 Static analysis and its limitations

Week 3 Dynamic analysis and its limitations
  1 Toward dynamic analysis
  2 (a glimpse at) Dynamic analysis (part 1)
  3 (a glimpse at) Dynamic analysis (part 2)
  4 (a glimpse at) Limits of dynamic analysis
  5 AccessMiner: system-centric models

Week 4 Mobile malware

Week 5 Cybercriminal underground economy

Week 6 The cost of cybercrime


Packing

Malicious code hidden by 1+ layers of compression/encryption

Decompression/decryption performed at runtime

Figure: the malicious code is wrapped by an unpacking routine; with several layers, each unpacking routine is itself wrapped by another one


Algorithmic unpacking

Implement in the AV a routine semantically equivalent to the one included in the malware

Use this routine to recover the original code

The challenge is still open...

80% of malware is packed

200 families of packers, 2000 variants for each family

Backlog of 90 families

Source: Symantec, 2008

Algorithmic unpacking requires intimate knowledge of the packing algorithms used

Too many families

Symantec: from 6 hours to 6 months per packer

Multi-layer packing

Need for algorithm-agnostic unpacking techniques

Toward dynamic analysis...


Packing & polymorphism

In case algorithmic unpacking were effective...

Figure: Mutation #1, Mutation #2, Mutation #3 of the same packed sample

Alter the packing routine in each malware sample

Preserve the semantics


Metamorphism

Metamorphics are body-polymorphics (Igor Muttik)

The whole payload of each sample differs from the others

How does it work?

1 Analyze its own code

2 Split the code in blocks

3 Mutate each block separately

Figure: the malware code is split into block1, block2, ..., block8; after mutation the blocks are rewritten and reordered (shown as block1, block6, block3, block9, block5, block2, block10, block8) and reassembled into the new sample

So, how are we doing? (to be read with Buddy Valastro accent)


    How are we doing?

    Source: IKARUS Security Software GmbH


    Towards Dynamic Analysis

    Techniques

    Unpacking


Algorithmic-agnostic Unpacking

Idea

Dynamic analysis

Emulation/tracing of the sample execution until the termination of the packing routine

Figure: packed code, run under emulation/tracing, yields the unpacked code

A few names

OmniUnpack

Justin

Renovo

PolyUnpack

OmniUnpack

Execution trace: x(0), w(2), s0, w(1), x(1), s1, x(2), s2, ...
(x(p): execution of page p; w(p): write to page p; si: system call)

Page access is tracked in two sets: W, the pages written since the last check, and WX, the written-then-executed pages.

Step | Event | W | WX
1 | Execution of page 0 | {} | {}
2 | Writing page 2: W = W ∪ {2} | {2} | {}
3 | Exec system call s0 = NtOpenFile (non-dangerous and WX = ∅): execution continues | {2} | {}
4 | Writing page 1: W = W ∪ {1} | {1, 2} | {}
5 | Exec page 1: WX = WX ∪ {1} (written-then-executed pages) | {1, 2} | {1}
6 | Exec system call s1 = NtOpenKey (non-dangerous): execution continues | {1, 2} | {1}
7 | Exec page 2: WX = WX ∪ {2} | {1, 2} | {1, 2}
8 | Exec system call s2 = NtDeleteFile (dangerous): invocation of the malware detector to analyze the pages in W | {1, 2} | {1, 2}

If it is a benign process, W and WX are reset to ∅ and the execution resumes.

OmniUnpack: Fast, Generic, and Safe Unpacking of Malware, Lorenzo Martignoni, Mihai Christodorescu, Somesh Jha. In Proceedings of the 23rd Annual Computer Security Applications Conference (ACSAC), 2007
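The page-tracking heuristic walked through above, as an added example that is neither the lecture's nor OmniUnpack's own code: it replays the slide's trace and reports W and WX after every event. The list of dangerous system calls and the page-level detector are constructed stand-ins, not the policy of the real tool.

```python
# Added example (not the lecture's or OmniUnpack's code): replay of the
# page-tracking heuristic over the execution trace shown on the slide.
# Events: ("x", p) execute page p, ("w", p) write page p, ("s", name) syscall.

# Constructed policy: which syscalls count as dangerous is an assumption here.
DANGEROUS_SYSCALLS = {"NtDeleteFile", "NtWriteFile", "NtCreateProcess"}

# The trace from the slide: x(0), w(2), s0, w(1), x(1), s1, x(2), s2
SLIDE_TRACE = [
    ("x", 0), ("w", 2), ("s", "NtOpenFile"),
    ("w", 1), ("x", 1), ("s", "NtOpenKey"),
    ("x", 2), ("s", "NtDeleteFile"),
]

def omniunpack(trace, detector, dangerous=DANGEROUS_SYSCALLS):
    """Replay the trace. W = pages written since the last check, WX = pages
    written and then executed. Only a dangerous syscall issued after some
    newly written code has run (WX non-empty) triggers a scan of the pages
    in W. `detector(pages)` stands in for the AV engine (True = malicious).
    Returns (rows, flagged): one (label, sorted W, sorted WX, note) per event."""
    W, WX = set(), set()
    rows = []
    for kind, arg in trace:
        note = ""
        if kind == "w":
            W.add(arg)
            label = f"write page {arg}"
        elif kind == "x":
            label = f"exec page {arg}"
            if arg in W:
                WX.add(arg)
                note = "written-then-executed page"
        else:
            label = f"syscall {arg}"
            if arg not in dangerous:
                note = "non-dangerous: continue"
            elif not WX:
                note = "dangerous, but no newly written code has run: continue"
            else:
                scanned = sorted(W)
                if detector(frozenset(W)):
                    rows.append((label, scanned, sorted(WX), f"scanned W={scanned}: MALICIOUS, stop"))
                    return rows, True
                note = f"scanned W={scanned}: benign, reset W and WX, resume"
                W, WX = set(), set()
        rows.append((label, sorted(W), sorted(WX), note))
    return rows, False

def print_table(rows):
    for label, W, WX, note in rows:
        print(f"{label:<22} W={W!s:<8} WX={WX!s:<8} {note}")

if __name__ == "__main__":
    # Benign detector: the scan at s2 is clean, so both sets are reset.
    rows, flagged = omniunpack(SLIDE_TRACE, lambda pages: False)
    print_table(rows)
    print("flagged:", flagged)
```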

Self-emulating malware

Heuristics to detect the end of the unpacking are based on the execution of previously written code

Untransformed Program:
    mov %ax, $0xcafe;
    xor %ebx, %ebx;
    inc %ecx;
    int $0x2e;

Obfuscated Program (bytecode interpreted by a VM):
    inst37 %r6, $0xcafe;
    inst15 %r2, %r2;
    inst24 %r11;
    inst4 $0x2e;

1 The code of the malware is transformed into bytecode

2 Bytecode interpreted at run-time by a VM

3 Bytecode mutated in each sample

Difficult?
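A toy version of the transformation described above, added here as an example and not taken from the lecture: the untransformed program is encoded for a four-instruction VM whose opcode numbers and register names are renumbered per sample (a constructed mutation), and a static byte signature is compared against the semantic trace the VM produces when run. The VM, its encoding and the signature check are all assumptions of this example.

```python
# Added example (not the lecture's code): a toy model of the self-emulating
# program on the slide. Each "sample" encodes the same untransformed program
# for a tiny VM with its own opcode numbering and register renaming (a
# constructed mutation). The bytecodes differ, so a byte signature from one
# sample misses the next, while the semantic trace of running them is identical.

OPS = {"mov": 2, "xor": 2, "inc": 1, "int": 1}   # mnemonic -> operand count
REGS = ["ax", "ebx", "ecx"]                        # host registers in use
# Untransformed program from the slide: mov %ax,$0xcafe; xor %ebx,%ebx; inc %ecx; int $0x2e
PROGRAM = [("mov", "ax", 0xCAFE), ("xor", "ebx", "ebx"), ("inc", "ecx"), ("int", 0x2E)]

def make_sample(seed):
    """Encode PROGRAM for one sample: opcodes rotated by `seed`, registers
    renumbered, so different seeds give different bytecode for the same program.
    Returns (decode tables, bytecode as a list of words)."""
    ops = list(OPS)
    opcode = {m: (i + seed) % len(ops) + 1 for i, m in enumerate(ops)}
    regno = {r: (3 * i + seed) % 16 for i, r in enumerate(REGS)}  # %rN numbers
    code = []
    for mn, *args in PROGRAM:
        code.append(opcode[mn])
        code.extend(regno[a] if isinstance(a, str) else a for a in args)
    return {"opcode": opcode, "regno": regno}, code

def run_vm(tables, code):
    """Interpret bytecode with the sample's own tables; return the semantic
    trace: one (host mnemonic, int vector or None, register snapshot) per step."""
    decode = {v: k for k, v in tables["opcode"].items()}
    host_reg = {v: k for k, v in tables["regno"].items()}
    regs = {r: 0 for r in REGS}
    trace, pc = [], 0
    while pc < len(code):
        mn = decode[code[pc]]
        args = code[pc + 1:pc + 1 + OPS[mn]]
        pc += 1 + OPS[mn]
        if mn == "mov":
            regs[host_reg[args[0]]] = args[1]
        elif mn == "xor":
            regs[host_reg[args[0]]] ^= regs[host_reg[args[1]]]
        elif mn == "inc":
            regs[host_reg[args[0]]] += 1
        # "int" changes no register: it is the system-call gate, the event a
        # dynamic analyser hooks regardless of how the bytecode was numbered.
        trace.append((mn, args[0] if mn == "int" else None, dict(regs)))
    return trace

def signature_match(code, pattern):
    """Static signature: exact word-sequence search in the bytecode."""
    n = len(pattern)
    return any(code[i:i + n] == pattern for i in range(len(code) - n + 1))

def compare_samples(seed_a, seed_b):
    """(same bytecode?, signature taken from A hits B?, same semantic trace?)"""
    ta, ca = make_sample(seed_a)
    tb, cb = make_sample(seed_b)
    return ca == cb, signature_match(cb, ca[:4]), run_vm(ta, ca) == run_vm(tb, cb)
```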

Well, do we really have many variants?

Too many to count

Signature-based detection is not sufficient anymore

Malware is created at the speed of light (25,000 malware samples every day, seven days a week, 2008)

Signature generation takes time and resources

Signature databases are becoming huge and hard to maintain and manage (e.g., the ClamAV database contains 758,655 signatures and must be updated every hour)

Malware protects its code to thwart signature detection
