Scalability, Fidelity and Stealth in the DRAKVUF Dynamic ... · System design Mitigate linear...

15
Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System Tamas K. Lengyel @tklengyel [email protected]

Transcript of Scalability, Fidelity and Stealth in the DRAKVUF Dynamic ... · System design Mitigate linear...

Page 1: Scalability, Fidelity and Stealth in the DRAKVUF Dynamic ... · System design Mitigate linear hardware requirements with on-demand resource allocation – Scalability Monitor execution

Scalability, Fidelity and Stealth in the DRAKVUF Dynamic Malware Analysis System

Tamas K. Lengyel@[email protected]

Page 2: Scalability, Fidelity and Stealth in the DRAKVUF Dynamic ... · System design Mitigate linear hardware requirements with on-demand resource allocation – Scalability Monitor execution

Agenda

1. Motivation2. System design

a. Scalabilityb. Fidelityc. Stealth

3. Experimental results4. Conclusion

Page 3: Scalability, Fidelity and Stealth in the DRAKVUF Dynamic ... · System design Mitigate linear hardware requirements with on-demand resource allocation – Scalability Monitor execution

Motivation

● Large and continuously growing set of malware samples day-by-day

● Human analysts are expensive and limited

● Static analysis is thwarted by packers / metamorphic malware

● Malware is trying to stay under the radar

Page 4: Scalability, Fidelity and Stealth in the DRAKVUF Dynamic ... · System design Mitigate linear hardware requirements with on-demand resource allocation – Scalability Monitor execution

Motivation

● Dynamic analysis– Observe the execution of the sample in a sandbox– Collect behavioral characteristcs– Collect artifacts (PCAP, unpacked binaries, etc.)– Analyst can quickly find the outliers

● Linear hardware requirements● Rootkits● Sandbox detection

Page 5: Scalability, Fidelity and Stealth in the DRAKVUF Dynamic ... · System design Mitigate linear hardware requirements with on-demand resource allocation – Scalability Monitor execution

System design

● Mitigate linear hardware requirements with on-demand resource allocation– Scalability

● Monitor execution of both user- and kernel-mode malware without the potential of tampering– Fidelity

● Hide monitoring environment from the executing malware– Stealth

Page 6: Scalability, Fidelity and Stealth in the DRAKVUF Dynamic ... · System design Mitigate linear hardware requirements with on-demand resource allocation – Scalability Monitor execution
Page 7: Scalability, Fidelity and Stealth in the DRAKVUF Dynamic ... · System design Mitigate linear hardware requirements with on-demand resource allocation – Scalability Monitor execution
Page 8: Scalability, Fidelity and Stealth in the DRAKVUF Dynamic ... · System design Mitigate linear hardware requirements with on-demand resource allocation – Scalability Monitor execution

Fidelity

Detect when● New process is scheduled, syscalls executed,

files accessed / created / deleted, etc.

Monitor guest OS execution and memory utilization with hardware virtualization extensions

● Breakpoint injection● Extended Page Tables (EPT) violations● Monitor Trap Flag (MTF) singlestepping● MOV-TO-CR trapping

Page 9: Scalability, Fidelity and Stealth in the DRAKVUF Dynamic ... · System design Mitigate linear hardware requirements with on-demand resource allocation – Scalability Monitor execution

Tamper resistance

Map OS without using heuristics● Use debug data to find internal kernel functions● FS/GS → _KPCR → Kernel!● Syscalls vs. internal functions● Allows monitoring kernel-mode rootkits as well

Monitor kernel heap allocations● Kernel meta-info about processes, files, threads,

mutexes, etc.● Direct state reconstruction without scanning!

Page 10: Scalability, Fidelity and Stealth in the DRAKVUF Dynamic ... · System design Mitigate linear hardware requirements with on-demand resource allocation – Scalability Monitor execution
Page 11: Scalability, Fidelity and Stealth in the DRAKVUF Dynamic ... · System design Mitigate linear hardware requirements with on-demand resource allocation – Scalability Monitor execution
Page 12: Scalability, Fidelity and Stealth in the DRAKVUF Dynamic ... · System design Mitigate linear hardware requirements with on-demand resource allocation – Scalability Monitor execution
Page 13: Scalability, Fidelity and Stealth in the DRAKVUF Dynamic ... · System design Mitigate linear hardware requirements with on-demand resource allocation – Scalability Monitor execution
Page 14: Scalability, Fidelity and Stealth in the DRAKVUF Dynamic ... · System design Mitigate linear hardware requirements with on-demand resource allocation – Scalability Monitor execution

Future work● DRAKVUF specific

– Multi-vCPU support– Linux support

● General dynamic malware analysis problems– Stalling code– Record & Replay– Branch exploration– Timing attacks

Page 15: Scalability, Fidelity and Stealth in the DRAKVUF Dynamic ... · System design Mitigate linear hardware requirements with on-demand resource allocation – Scalability Monitor execution

Conclusion● Dynamic analysis can aid in sorting through

large sets of malware● Existing tools are limited and can be tampered

with● DRAKVUF raises the bar

– Open source (GPLv2)– http://drakvuf.com

● Thanks! Questions?

http://drakvuf.com/

STEALTH TRACKER

STEALTH TRACKER

Analogues Stealth

Analogues Stealth

Stealth Antenna Farm - k5rmg.comk5rmg.com/wp-content/uploads/2015/08/Stealth-Antenna-Farm.pdf · Stealth Antenna Farm T.Apel 1. K5TRA Preliminary Considerations T.Apel 2 •Why stealth

Stealth Antenna Farm - k5rmg.comk5rmg.com/wp-content/uploads/2015/08/Stealth-Antenna-Farm.pdf · Stealth Antenna Farm T.Apel 1. K5TRA Preliminary Considerations T.Apel 2 •Why stealth

Stealth Productsheet

Stealth Productsheet

STEALTH AIRCRAFTS DESIGN ASPECTS AND CONSIDERATIONS · STEALTH AIRCRAFTS DESIGN ASPECTS AND CONSIDERATIONS. ... The Lockheed Martin F-117 stealth fighter ... to an ideal stealth shape.

STEALTH AIRCRAFTS DESIGN ASPECTS AND CONSIDERATIONS · STEALTH AIRCRAFTS DESIGN ASPECTS AND CONSIDERATIONS. ... The Lockheed Martin F-117 stealth fighter ... to an ideal stealth shape.

2020 Reverb Stealth C1 - SRAM · Product Identification - Reverb Stealth C1 Production versions of Reverb Stealth can be identified visually. Your Reverb Stealth C1 can be identified

2020 Reverb Stealth C1 - SRAM · Product Identification - Reverb Stealth C1 Production versions of Reverb Stealth can be identified visually. Your Reverb Stealth C1 can be identified

Stealth Key M500 & Stealth Key M550 Quick Start GuideStealth Key M500 & Stealth Key M550 Quick Start Guide 4 1 Introducing Stealth Key M500 & Stealth Key M550 Stealth™ Key M500 and

Stealth Key M500 & Stealth Key M550 Quick Start GuideStealth Key M500 & Stealth Key M550 Quick Start Guide 4 1 Introducing Stealth Key M500 & Stealth Key M550 Stealth™ Key M500 and

Stealth and Anti Stealth Technology

Stealth and Anti Stealth Technology

Stealth Warplanes

Stealth Warplanes

STEALTH TECHNOLOGY: A REVEALING An investigative study on stealth technology.

STEALTH TECHNOLOGY: A REVEALING An investigative study on stealth technology.

Stealth technology

Stealth technology

JABRA stealth - Sport headphones/media/Product Documentation/Jabra Stealth... · JaBRa stealth CONteNts 1. welCOM ... Say a command Voice on Voice off. 15 ENGLISH JaBRa stealth 7.

JABRA stealth - Sport headphones/media/Product Documentation/Jabra Stealth... · JaBRa stealth CONteNts 1. welCOM ... Say a command Voice on Voice off. 15 ENGLISH JaBRa stealth 7.

Stealth CAT’s

Stealth CAT’s

ReSpace / MAPLD 2011 - Scalability of Sustainable Self-Repair to … - Imran.pdf · Scalability of Sustainable Self-Repair to Mitigate Aging Induced Degradation in SRAM-based FPGA

ReSpace / MAPLD 2011 - Scalability of Sustainable Self-Repair to … - Imran.pdf · Scalability of Sustainable Self-Repair to Mitigate Aging Induced Degradation in SRAM-based FPGA

STEALTH OWNER'S MANUAL - Home - Stealth Trailers of Contents Stealth Enterprises LLC DBA Stealth Trailers Owner’s Manual – 1st Edition September 2010 Table of Contents Introduction

STEALTH OWNER'S MANUAL - Home - Stealth Trailers of Contents Stealth Enterprises LLC DBA Stealth Trailers Owner’s Manual – 1st Edition September 2010 Table of Contents Introduction

Stealth technology

Stealth technology

Stealth Virus

Stealth Virus

Low Observable Principles, Stealth Aircraft and Anti-Stealth ...

Low Observable Principles, Stealth Aircraft and Anti-Stealth ...

Stealth Key M500 & Stealth Key M550 Quick Start Guidemedia.kingston.com/support/ironkey/StealthM500_M550_Quick_Start_… · Stealth Key M500 & Stealth Key M550 Quick Start Guide 6

Stealth Key M500 & Stealth Key M550 Quick Start Guidemedia.kingston.com/support/ironkey/StealthM500_M550_Quick_Start_… · Stealth Key M500 & Stealth Key M550 Quick Start Guide 6

stealth _report

stealth _report