Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware Binaries
Transcript of Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware Binaries
![Page 1: Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware Binaries](https://reader033.fdocuments.us/reader033/viewer/2022051402/5681619d550346895dd1517b/html5/thumbnails/1.jpg)
INSPECTOR GADGET: AUTOMATED EXTRACTION OF PROPRIETARY GADGETS FROM MALWARE BINARIES
Clemens Kolbitsch, Thorsten Holz (Secure Systems Lab, Vienna University of Technology)
Christopher Kruegel (University of California)
Engin Kirda (Institute Eurecom)
31st IEEE Symposium on Security & Privacy, 2010
Outline
Introduction
System Overview
Automated Extraction
Gadget Preparation and Replay
Gadget Inversion
Evaluation
Introduction
Malware is the driving force behind many of the attacks on the Internet today.
It is now increasingly deployed as software that can be remotely controlled.
How to analyze…
Static analysis: hampered by obfuscation, etc.
Dynamic analysis: does not support automatically extracting a specific piece of functionality from the malware.
○ Ex: the domain generation algorithm of samples that use domain flux
○ Ex: the decoding function
This paper aims…
To present a novel approach that automatically extracts, from a given malware sample, the instructions responsible for a certain activity of the sample.
First, INSPECTOR performs dynamic program slicing on the malware to extract a slice with “interesting” behavior.
Second, it generates a stand-alone gadget based on the extracted slice.
Advantages of the extracted gadgets
Reduce our exposure to the malicious code
Immediately carry out a certain operation the malware performs
Identify in-memory buffers that hold decrypted data
Some gadgets can be inverted.
System Overview (page 7: figure only, no transcribed text)
Automated Extraction: Generating Activity Logs
Anubis[web] performs dynamic malware analysis based on a processor emulator (QEMU):
○ Records all executed instructions
○ Marks each byte returned by a system call and follows it with taint tracking
○ Records all memory accesses
Once an analyst has spotted an interesting behavior, she can instruct INSPECTOR to extract a gadget.
Automated Extraction (cont.): Selecting and Extracting Algorithms
An analyst has to select the relevant flow manually.
○ For an HTTP download, she may select WriteFile or CreateFile.
Extract a slice
○ Attempts to find all the data sources required to compute the parameters passed to the selected function call.
Selecting and Extracting Algorithms: Forward Searching and Backward Slicing
The behavior selected by the analyst is not necessarily the intended endpoint of the gadget.
The analyst should specify an endpoint at which the forward search stops.
Heuristics for detecting an endpoint:
○ string comparison functions, or execution of code containing string handling instructions
○ the data has been processed by a sequence of mathematical instructions
Selecting and Extracting Algorithms (cont.): Closure Analysis
INSPECTOR can decide to deliberately exclude certain dependencies.
○ Conditional jumps
○ A behavior that is only triggered under a certain condition
Gadget Preparation and Replay: Gadget Format and Relocation
Dynamic loadable library (DLL)
All references to absolute code addresses are rewritten to use relative addressing
All static memory areas are extracted into a data file
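The slicing and relocation steps above, as an added worked example that is not code from the paper or the INSPECTOR tool: a dynamic backward slicer over a constructed instruction trace of the kind an Anubis-style activity log would record (executed instructions, the locations each one read and wrote, and which system call tainted which bytes). Every address, register and API name in the trace is invented for illustration. The slicer follows data dependencies only (the closure step for conditional jumps is left out), reports which system call produced the bytes the selected sink consumes, and lists the memory the slice reads that nothing in the trace ever wrote, which is exactly the static data a relocated gadget would need in its data file.

```python
# Added example (not from the paper or INSPECTOR): dynamic backward slicing over
# a constructed instruction trace. All addresses, registers and API names are
# made up for illustration.

def ins(pc, asm, defs=(), uses=(), source=None, sink=None):
    """One trace record: the locations an executed instruction wrote (defs) and
    read (uses). Memory bytes are written as 'm:<addr>', registers by name.
    A real tracer also has to handle sub-register aliasing (al vs. eax), which
    this toy trace avoids by always naming the full register."""
    return dict(pc=pc, asm=asm, defs=set(defs), uses=set(uses),
                source=source, sink=sink)

# Constructed trace: two bytes arrive from the network, are XORed with a key
# that lives in the image's data section, and are written to a file. A timer
# read in the middle is unrelated and must not end up in the slice.
TRACE = [
    ins(0x401000, "call recv",                defs=["m:0x5000", "m:0x5001"], source="recv"),
    ins(0x401005, "mov ecx, [0x404000]",      defs=["ecx"], uses=["m:0x404000"]),
    ins(0x40100b, "call GetTickCount",        defs=["eax"], source="GetTickCount"),
    ins(0x401010, "mov [0x6000], eax",        defs=["m:0x6000"], uses=["eax"]),
    ins(0x401015, "movzx eax, byte [0x5000]", defs=["eax"], uses=["m:0x5000"]),
    ins(0x40101c, "xor eax, ecx",             defs=["eax"], uses=["eax", "ecx"]),
    ins(0x40101e, "mov [0x7000], al",         defs=["m:0x7000"], uses=["eax"]),
    ins(0x401023, "movzx eax, byte [0x5001]", defs=["eax"], uses=["m:0x5001"]),
    ins(0x40102a, "xor eax, ecx",             defs=["eax"], uses=["eax", "ecx"]),
    ins(0x40102c, "mov [0x7001], al",         defs=["m:0x7001"], uses=["eax"]),
    ins(0x401031, "call WriteFile",           uses=["m:0x7000", "m:0x7001"], sink="WriteFile"),
]

def find_sink(trace, name):
    """Index of the API call the analyst selected as the interesting behavior."""
    return next(i for i, r in enumerate(trace) if r["sink"] == name)

def backward_slice(trace, sink_index):
    """Walk the trace backwards from the selected call and keep every
    instruction that (transitively) produced one of its arguments.
    Returns (slice indices, tainting system calls, static memory the slice
    reads but nothing in the trace wrote). Only data dependencies are
    followed; control dependencies are the separate closure-analysis step."""
    wanted = set(trace[sink_index]["uses"])   # locations still unexplained
    kept = [sink_index]
    sources = []
    for idx in range(sink_index - 1, -1, -1):
        rec = trace[idx]
        hit = rec["defs"] & wanted
        if not hit:
            continue                          # did not feed the sink
        kept.append(idx)
        wanted -= hit                         # now explained by this instruction ...
        wanted |= rec["uses"]                 # ... which in turn needs its inputs
        if rec["source"]:                     # a system call wrote them: taint origin
            sources.append((idx, rec["source"], sorted(hit)))
    static = sorted(loc for loc in wanted if loc.startswith("m:"))
    return sorted(kept), sources, static

def slice_for(trace, sink_name):
    """Convenience wrapper returning program counters instead of indices."""
    kept, sources, static = backward_slice(trace, find_sink(trace, sink_name))
    return {"pcs": [trace[i]["pc"] for i in kept], "sources": sources, "static": static}

if __name__ == "__main__":
    kept, sources, static = backward_slice(TRACE, find_sink(TRACE, "WriteFile"))
    for i in kept:
        print(f"{TRACE[i]['pc']:#x}  {TRACE[i]['asm']}")
    print("tainting system calls:", sources)
    print("static memory for the gadget's data file:", static)
```

The slice keeps the receive call, the key load and both decode steps and drops the GetTickCount call and its store, because no location they define is ever consumed on the path to WriteFile. The key at 0x404000 remains unexplained after the walk, which is the signal that it must be extracted as a static memory area alongside the relocated code.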
Gadget Preparation and Replay (cont.): Gadget Player
Memory Management
○ Preinitialized memory areas
○ Provide the player with a complete view of the memory buffers accessible to the gadget.
Gadget Preparation and Replay (cont.): Execution Containment
Must isolate the gadget from the player’s memory
Some choices
○ Emulation: performance considerations
○ Our approach: memory management rewrites the memory accesses; the gadget runs in a separate thread; API and system calls are redirected to the environment interface
○ Other approaches: SFI, Native Client[web]
Gadget Preparation and Replay (cont.): Environment Interface
During gadget start-up, the player registers a callback function inside the gadget
○ Invoked by the gadget each time it makes a system or Windows API call
○ The callback can be changed by the analyst
Gadget Preparation and Replay (cont.): Callback Handling
The gadget player can return fake information to the gadget
Gadget Inversion: Main idea
First, extract the gadget that is responsible for stealing and encoding the data
Second, compute the input that leads to the output observed in the network dump
○ Use brute force guided by the data dependencies
Gadget Inversion
Let $I$ be the set of input bytes and $O$ the set of output bytes; for an output byte $o \in O$, $v_o$ is the expected value (the value observed in the network dump).
Dependent input bytes: $D(o) = \{\, i \in I \mid o \text{ depends on } i \,\}$
Candidate inputs: the assignments to the bytes in $D(o)$ under which the gadget produces $v_o$ for $o$
Gadget Inversion: Implementation
Uses taint tracking to obtain the dependency information
Applicability
Base64:
○ 3 input bytes are encoded to 4 output bytes
○ Each output byte depends on only 2 input bytes
Gadget Inversion: XOR
○ With a constant key, each output byte depends on 1 input byte
○ With the content itself as the key, each output byte depends on 2 input bytes
Strong Encryption
○ Ex: RSA
○ Each output byte depends on all input bytes
○ Inversion is impossible
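The inversion idea from the main-idea slide, the definition of $D(o)$, and the Base64, XOR and strong-encryption cases above, as one added example that is not code from the paper: dependency-guided brute force against small encoders. Plain Python callables stand in for a replayed gadget, and hand-written dependency maps stand in for the per-output-byte dependencies the paper obtains with taint tracking. It goes slightly beyond the slides: besides Base64 and constant-key XOR it inverts a chained XOR in which each output byte depends on the current and the previous input byte, and it rejects a constructed stand-in for strong encryption (every output byte depends on every input byte) by checking the candidate-space size against a budget instead of enumerating $256^n$ inputs.

```python
# Added example (not from the paper or INSPECTOR): dependency-guided inversion.
# The encoders and dependency maps below are constructed for illustration.
import base64
from itertools import product

# --- gadgets: output = f(input); the analyst treats them as black boxes -------
def xor_const(data: bytes, key: int = 0x5A) -> bytes:
    return bytes(b ^ key for b in data)

def xor_chain(data: bytes) -> bytes:
    # each output byte mixes the current and the previous input byte
    return bytes(b ^ (data[i - 1] if i else 0) for i, b in enumerate(data))

def b64(data: bytes) -> bytes:
    return base64.b64encode(data)

def checksum_mix(data: bytes) -> bytes:
    # constructed stand-in for strong encryption: every output byte depends on
    # every input byte, so no per-byte enumeration is possible
    s = sum(data) & 0xFF
    return bytes(b ^ s for b in data)

# --- dependency maps D(o): input positions that output byte o depends on ------
def deps_xor_const(n):  return [(i,) for i in range(n)]
def deps_xor_chain(n):  return [(i,) if i == 0 else (i - 1, i) for i in range(n)]
def deps_checksum(n):   return [tuple(range(n)) for _ in range(n)]
def deps_b64(n):
    # 3 input bytes -> 4 output chars; char r of group g depends on
    #   r=0: byte 3g   r=1: bytes 3g,3g+1   r=2: bytes 3g+1,3g+2   r=3: byte 3g+2
    assert n % 3 == 0, "padding is not modelled in this example"
    out = []
    for g in range(n // 3):
        b = 3 * g
        out += [(b,), (b, b + 1), (b + 1, b + 2), (b + 2,)]
    return out

class Infeasible(Exception):
    pass

def invert(gadget, n_in, deps, expected, budget=1 << 20):
    """Recover the n_in input bytes that make `gadget` emit `expected`.
    For each output byte o only the bytes in D(o) are enumerated, and only over
    values still compatible with the output bytes handled so far; the survivors
    (the candidate inputs for o) narrow the candidate set of each input byte.
    `budget` caps the enumeration so that a gadget whose outputs depend on all
    input bytes is rejected instead of running for 256**n_in steps."""
    cands = [set(range(256)) for _ in range(n_in)]
    for o, v in enumerate(expected):
        d = deps[o]
        size = 1
        for i in d:
            size *= len(cands[i])
        if size > budget:
            raise Infeasible(f"output byte {o} depends on {len(d)} bytes: {size} candidates")
        survivors = set()
        for combo in product(*(sorted(cands[i]) for i in d)):
            trial = bytearray(n_in)           # bytes outside D(o) cannot influence o
            for i, b in zip(d, combo):
                trial[i] = b
            out = gadget(bytes(trial))
            if o < len(out) and out[o] == v:
                survivors.add(combo)
        if not survivors:
            raise Infeasible(f"no input reproduces output byte {o}")
        for pos, i in enumerate(d):
            cands[i] &= {c[pos] for c in survivors}
    if any(len(c) != 1 for c in cands):
        raise Infeasible("input not uniquely determined by the observed output")
    return bytes(next(iter(c)) for c in cands)

def recover_all(secret: bytes = b"secret"):
    """Encode a constructed secret with each invertible gadget, then recover it
    from the encoded bytes alone."""
    n = len(secret)
    return {
        "xor_const": invert(xor_const, n, deps_xor_const(n), xor_const(secret)),
        "xor_chain": invert(xor_chain, n, deps_xor_chain(n), xor_chain(secret)),
        "base64":    invert(b64, n, deps_b64(n), b64(secret)),
    }

if __name__ == "__main__":
    print(recover_all())
    try:
        invert(checksum_mix, 6, deps_checksum(6), checksum_mix(b"secret"))
    except Infeasible as e:
        print("rejected:", e)
```

Processing output bytes in order is what keeps the search small: for Base64 the first character of a group pins all but the low two bits of the first input byte, so the second character, which depends on two bytes, is enumerated over 4 × 256 values rather than 65536. The budget check is where the "depends on all bytes" case ends.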
Gadget Inversion: Possible Extensions
Extract algebraic formulae
○ Constraint solver
Input parallelization
○ Check multiple input candidates
Evaluation (pages 22, 24 and 25: no transcribed text)
Evaluation: Fetching Binary Updates: Pushdo
Over a period of 16 days, the IP addresses of 3 C&C servers changed
Binary Update Decryption: Pushdo
The Pushdo client appends a random key to the URL in order to fetch the encrypted file
Invert the program to find the key
Evaluation: Binary Update Generation: Pushdo
Invert the decryption algorithm
Redirect the connection to our server
140 bytes, 44 seconds
Evaluation: Template-based Spamming: Cutwail
XOR-based encryption
Stores the template in memory