Roberto Paleari, Universit`a degli Studi di Milano Lorenzo Martignoni, Universit`a degli Studi di UdineEmanuele Passerini, Universit`a degli Studi di MilanoDrew Davidson, University of WisconsinMatt Fredrikson, University of WisconsinJon Giffin, Georgia Institute of TechnologySomesh Jha University of Wisconsin

Automatic Generation of Remediation Procedures for

Malware Infections

2010 USENIX Security Symposium

2

3

4

Outline

IntroductionRelated WorkSystem OverviewSystem DetailsEvaluationDiscussionConclusion

5

Introduction

After infection, Format disk and re-install OS

Data backups Commercial anti-malware software

*TRIES TO* Revert the effects performed by malware Unstable, or even failed

6

Introduction

In this work… Given binary malware Automatically generate remediation procedures Do not require the information relating to the

infection 98% of the harmful effects reverted

http://pages.cs.wisc.edu/~mfredrik/remediate/

7

Related Work

Behavior-based malware analysis Dynamic analysis:

A layered architecture for detecting malicious behaviors, RAID 2008

Panorama: Capturing system-wide information flow for malware detection and analysis, ACM CCS 2007

Behavior-based detection Effective and efficient malware detection at the end host,

USENIX Security Symposium 2009 Clustering

Scalable, behavior-based malware clustering, NDSS 2009

8

Related Work

Execution of Untrusted Applications Back to the future: A framework for automatic

malware removal and system repair, ACSAC 2006 One-way isolation: An effective approach for realizing

safe execution environments, NDSS 2005

9

System Overview

10

System Overview

11

System Overview

High-Level Behavior Extraction Analyze the semantics of a program to produce a

sequence of meaningful behaviors

12

System Overview

Behavior Generalization Attempt to over-approximate existing paths, thus

encompassing future paths Cluster all instances of the same high-level behavior together Analyze each cluster to generalize the arguments

c:\windows\po[[:alpha:]]{3}.exe

13

System Overview

Remediation Procedure Generation Attempt to match each resource (file, process, or

registry key) on the system against the constraints associated with each generalized high-level behavior

c:\windows\po[[:alpha:]]{3}.exe

14

System Details

High-Level Behavior Extraction Use QEMU to monitor a malware for its system call

trace

15

System Details

Behavior Clustering

16

System Details

Comparison isomorphic( )

17

System Details

BehaviorGeneralization

Probabilistic finite-state automaton (PFSA) Simulated beam annealing algorithm

18

System Details

19

System Details

Generating Concrete Remediation Procedures Newly-created resources

DropAndAutostart(file,data,key,value,regdata )

DropAndAutostart(“c : \windows\po[[: alpha :]]{3}.exe”, data, “...Windows\CurrentVersion\Run”,“(vq|qv)”,“po[[:alpha:]]{3}.exe” )

20

System Details

Generating Concrete Remediation Procedures Infected Resources

Deleted Resources Not implemented

21

Evaluation

Over 200 malicious programsExecute a sample 3 times in 5 different

environments to collect trace dataInfect 25 test environments which are all

distinct from those used to collect tracesExecute the generated remediation

procedureCompare the remediated state to the original

state

22

Evaluation

23

Evaluation

False positives One sample: very general regular expression

*.exe Future work

Context-free grammars

24

Discussion

Limitation Finding all high-level malicious behaviors can not be

guaranteed. Specific environment is required Not enough generalizing traces

Evasion techniques

25

Conclusion

Automatically generating malware remediation procedures

Dynamic analysisBehavior generalizationEffectively remediate many possible

executionsGood performanceLow false rate