Transcript of w3 w3-4 Limits
7/29/2019 w3 w3-4 Limits
1/13
Malicious Software and its Underground Economy
Two Sides to Every Story
(a glimpse at) Limits of Dynamic Analysis
Lorenzo Cavallaro
Information Security Group
Royal Holloway, University of London
Jul 1, 2013
Week 3-4
(Week 3-4) Lorenzo Cavallaro (ISG@RHUL) Malware and its Underground Economy Jul 1, 2013Week 3-4 1 / 9
Limitations of sandboxes
Only the behaviors associated with the taken paths can be monitored.
Forced multi-path exploration
Assumption: the behavior of the program depends on the output of the syscalls it executes.
Track dependencies between syscall outputs and program variables.
Detect untaken paths and force their execution by computing new program states that satisfy the path conditions.
http://www.ecsl.cs.sunysb.edu/tr/TR238.pdf
http://www.iseclab.org/papers/explore.pdf
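The forced multi-path exploration just outlined, as an added toy illustration (not code from the lecture or from the two cited papers): syscall outputs are wrapped so that every comparison made on them is recorded as a path constraint, each recorded branch is then negated in turn, and a new syscall-output assignment satisfying the resulting path condition is computed by brute force over a small value domain, standing in for a real constraint solver. The sample program, its syscall names (get_day_of_month, recv_command) and its trigger values are constructed for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Constraint:
    """One branch condition seen at run time: `var op const` took direction `outcome`."""
    var: str       # syscall whose output the condition depends on
    op: str        # "==", "<" or ">"
    const: int     # constant the syscall output was compared against
    outcome: bool  # branch direction actually taken on this run

    def negated(self):
        return Constraint(self.var, self.op, self.const, not self.outcome)

    def holds(self, value):
        """Would a syscall returning `value` drive the branch the same way?"""
        actual = {"==": value == self.const, "<": value < self.const,
                  ">": value > self.const}[self.op]
        return actual == self.outcome


class Tainted:
    """Concrete syscall output that remembers its origin and logs every comparison
    made on it: the syscall-output-to-program-variable dependency tracking."""
    def __init__(self, var, value, trace):
        self.var, self.value, self.trace = var, value, trace

    def _cmp(self, op, other):
        result = {"==": self.value == other, "<": self.value < other,
                  ">": self.value > other}[op]
        self.trace.append(Constraint(self.var, op, other, result))
        return result

    def __eq__(self, other): return self._cmp("==", other)
    def __lt__(self, other): return self._cmp("<", other)
    def __gt__(self, other): return self._cmp(">", other)


class Sandbox:
    """One monitored run: syscall outputs come from `env` (default 0) and the
    program's externally visible actions are recorded as its behaviour."""
    def __init__(self, env):
        self.env, self.trace, self.behaviour = env, [], []

    def syscall(self, name):
        return Tainted(name, self.env.get(name, 0), self.trace)

    def observe(self, action):
        self.behaviour.append(action)


def sample_program(sb):
    """Constructed sample: a time bomb and a bot-command check guard behaviour
    that a single run with ordinary syscall outputs never reaches."""
    day = sb.syscall("get_day_of_month")
    if day == 13:
        sb.observe("wipe_files")          # time-bomb payload
    cmd = sb.syscall("recv_command")
    if cmd > 100:
        if cmd == 200:
            sb.observe("start_scan")      # bot command
        else:
            sb.observe("send_ack")
    else:
        sb.observe("sleep")


def solve(constraints, domain=range(256)):
    """Compute syscall outputs satisfying a path condition. Every constraint here
    involves a single syscall output, so a per-variable brute-force search over a
    small domain replaces a real solver."""
    env = {}
    for var in sorted({c.var for c in constraints}):
        ok = [v for v in domain if all(c.holds(v) for c in constraints if c.var == var)]
        if not ok:
            return None          # infeasible path condition
        env[var] = ok[0]
    return env


def explore(program, domain=range(256)):
    """Run once, then for every recorded branch negate its outcome, solve the new
    path condition and re-run with that program state, until no unexplored
    feasible path remains. Returns (syscall outputs, behaviour) per path."""
    worklist, seen, results = [{}], set(), []
    while worklist:
        env = worklist.pop()
        sb = Sandbox(env)
        program(sb)
        results.append((env, tuple(sb.behaviour)))
        trace = sb.trace
        for i in range(len(trace)):
            seen.add(tuple(trace[:i + 1]))                    # prefix actually taken
            flipped = tuple(trace[:i]) + (trace[i].negated(),)
            if flipped not in seen:
                seen.add(flipped)
                new_env = solve(flipped, domain)
                if new_env is not None:
                    worklist.append(new_env)
    return results


if __name__ == "__main__":
    for env, behaviour in explore(sample_program):
        print(env, "->", behaviour)
```

A plain sandbox run (the first result) only ever sees `sleep`; the explorer reaches all six paths, including the `wipe_files` and `start_scan` behaviours that are guarded by the trigger values. The limit the lecture points to is visible in `solve`: once a condition depends on something the solver cannot invert (a hash of the input rather than the input itself), the path stays infeasible for the analyzer.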
Limitations of sandboxes: Conditional Code Obfuscation
Historically, encryption, polymorphism and other obfuscation schemes have been employed primarily to thwart anti-virus tools and static-analysis-based approaches.
Dynamic-analysis-based approaches inherently overcome all anti-static-analysis obfuscations, but they only observe a single execution path.
Malware can exploit this limitation by employing trigger-based behaviors such as time-bombs, logic-bombs, bot-command inputs, and tests for the presence of analyzers, to hide its intended behavior.
Limitations of sandboxes: Conditional Code Obfuscation
Recent analyzers provide a powerful way to discover trigger-based malicious behavior in arbitrary malicious programs.
Exploration of multiple paths during the execution of a malware sample.
Limitations of sandboxes (dynamic analysis): Conditional Code Obfuscation
Figure: General obfuscation mechanism.
Limitations of sandboxes: Conditional Code Obfuscation

Malware                          M. triggers   Strong   Med.   Weak   None
Slapper worm (P2P Engine)                 28        -     28      -      -
Slapper worm (Backdoor)                    1        1      -      -      -
BotNET (An IRC Botnet Server)             52       52      -      -      -
passwd rootkit                             2        2      -      -      -
login rootkit                              3        2      -      -      1
top rootkit                                2        -      -      -      2
chsh rootkit                               4        2      -      2      -

Table: Evaluation of the obfuscation scheme on automatically concealing malicious triggers.
Conditional Code Obfuscation: Analyzer Improvements
First, analyzers may be equipped with a decryptor that reduces the search space of keys by taking the input domain into account.
Another approach is to move further towards input-aware analysis. Rather than capturing binaries only, collection mechanisms should, where possible, also capture the binary's interaction with its environment; in the case of bots, the related network traces.
Existing honeypots already have the capability to capture network activity. Recording system interaction can provide more information about the inputs required by the binary.
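Both improvements above, as one added toy illustration (not code from the lecture or from the NDSS'08 paper): a guarded block is concealed the way the slide's general mechanism describes, with the trigger constant surviving only as a hash and the block encrypted under a key derived from the trigger input, and the analyzer's decryptor then recovers it by trying only the inputs of an assumed domain (the 31 possible days of the month for a time bomb) or the candidate commands harvested from a captured network trace (the input-aware case). The hash/keystream construction, the concealed blocks and the IRC-style capture are all constructed for this example.

```python
import hashlib
import itertools


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keystream(key: bytes, n: int) -> bytes:
    """n bytes of keystream derived from `key` (counter mode over SHA-256)."""
    out = b""
    for ctr in itertools.count():
        if len(out) >= n:
            return out[:n]
        out += digest(key + ctr.to_bytes(4, "big"))


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def conceal(trigger: bytes, block: bytes) -> dict:
    """Constructed stand-in for the obfuscation transformation on the slide: the
    trigger constant is kept only as a hash and the guarded block is encrypted
    under a key derived from the trigger input itself."""
    return {"hash": digest(trigger),
            "cipher": xor(block, keystream(trigger, len(block)))}


def recover(sample: dict, candidates):
    """Analyzer decryptor: instead of searching the whole key space, try only the
    inputs of the assumed domain; returns (trigger, plaintext block) or None."""
    for cand in candidates:
        if digest(cand) == sample["hash"]:
            return cand, xor(sample["cipher"], keystream(cand, len(sample["cipher"])))
    return None


# Input domain for a time-bomb check on the day of the month: 31 candidates.
DAY_DOMAIN = [str(d).encode() for d in range(1, 32)]

# Constructed honeypot capture of IRC-style bot traffic; candidate commands for
# the input-aware case are harvested from it rather than guessed.
CAPTURE = [
    b":controller PRIVMSG #ch :.login s3cret",
    b":controller PRIVMSG #ch :.update http://example.invalid/payload",
    b":controller PRIVMSG #ch :.sleep 3600",
    b":bot PRIVMSG #ch :ack",
]


def commands_from_capture(lines) -> list:
    """Harvest dot-prefixed commands from captured PRIVMSG lines."""
    cmds = set()
    for line in lines:
        if b" PRIVMSG " in line and b" :." in line:
            cmds.add(line.split(b" :", 1)[1].split(b" ")[0])
    return sorted(cmds)


if __name__ == "__main__":
    bomb = conceal(b"13", b"wipe_files()")          # constructed sample, fires on day 13
    print(recover(bomb, DAY_DOMAIN))
    bot = conceal(b".update", b"fetch_and_run()")   # constructed bot-command sample
    print(recover(bot, commands_from_capture(CAPTURE)))
```

Against the full key space the hash gives the analyzer nothing to work with; against 31 days or a handful of commands taken from the honeypot trace the same decryptor succeeds immediately, which is the point of both suggestions on the slide. Trying the wrong domain (days against the bot sample) simply yields None.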
Andreas Moser, Christopher Kruegel, and Engin Kirda, Exploring Multiple Execution Paths for Malware Analysis, Proceedings of the 2007 IEEE Symposium on Security and Privacy, 2007.
Monirul Sharif, Andrea Lanzi, Jonathon Giffin and Wenke Lee, Impeding Malware Analysis Using Conditional Code Obfuscation, Proceedings of the 15th Annual Network and Distributed System Security Symposium (NDSS08), 2008.
Detecting sandboxes
Red-pill
A program capable of detecting if it is executed in an emulator
int main() {
    char *redpill = "\x08\x7c\xe3\x04...";   // instruction sequence whose result differs on an emulated CPU
    if (((int (*)())redpill)()) {
        // Executed on physical CPU
        return CPU;
    } else {
        // Executed on emulated CPU
        return EMU;
    }
}
Some numbers...
[Figure: number of state differences (R, M, E) found per emulator: QEMU, Valgrind, Pin, BOCHS; horizontal axis 50 to 550]
http://www.usenix.org/events/woot09/tech/full_papers/paleari.pdf