Malware Analysis
59 files
-
Malware Analysis Training
By Teddy Rogers
Reverse engineering has evolved from a "dark art" traditionally restricted to the elite few, to a learnable methodology using public and commercial tools. Vulnerability researchers utilize the art to go beyond the reachable depth of traditional fuzzer technology and locate the more obscure finds. Because of advancements in today's malicious code, analysts can no longer rely solely on live-analysis techniques for mapping the internal workings of malware. In general, more and more researchers are finding the need to peek "under the hood". This class is meant to impart cutting-edge understanding of malicious code analysis upon attendees, ultimately taking them to an advanced level of reverse engineering skills applicable to other security domains.
What You Will Learn
This course was designed for students who have an introductory / basic understanding of x86 assembly and reverse engineering as well as more advanced students wishing to refresh their skills and learn new approaches to familiar problems. The course will cover the basics of x86 assembly and pattern recognition, Windows process memory layout, tools of the trade (such as IDA Pro and OllyDbg), the PE file format and basic exploitation methodologies abused by worms to penetrate a target system (stack/heap overflows). As this course is focused on malicious code analysis, students will be given real-world virus samples to reverse engineer. The details of executable packing, obfuscation methods, anti-debugging and anti-disassembling will be revealed and re-enforced with hands-on exercises.
Toward the end of the course more advanced reverse engineering techniques with applications to malicious code analysis will be taught—including:
Various approaches to automation
Malware classification
Applications of binary matching/diffing
406 downloads
0 comments
Submitted
-
Portable Document Format Malware
By Teddy Rogers
Approximately two years ago a vulnerability in Adobe Reader's JavaScript API was discovered, and malware authors continue to produce malicious PDF files that exploit this flaw. This vulnerability has been patched, though a number of other vulnerabilities have been found and used in active exploits before being patched themselves.
There are numerous reasons why malware authors might use vulnerabilities in Adobe Reader and Acrobat as an attack vector. First, the PDF format is widely used throughout the world for sharing documents, and Adobe Reader is the most popular PDF viewer; many OEMs ship PCs with the software preinstalled. Second, the PDF file format specification and the properties of the viewer allow malware authors a significant degree of freedom when designing and developing a threat. Third, the nature of the PDF format provides malware authors with some useful tricks that help to avoid detection by AV scanners, and the support for JavaScript further extends this capability. Obfuscation, encryption, and misdirection are techniques often employed in a similar manner to how they may be seen in HTML and other environments that support JavaScript.
This paper aims to detail the different paths malware authors have taken and point out how attack techniques via PDF have evolved. It is hoped that it will aid AV vendors and PC users alike in better understanding the problems posed by malicious PDFs, as well as the importance of staying up-to-date with patches.
139 downloads
0 comments
Updated
-
Unleashing Mayhem on Binary Code
By Teddy Rogers
In this paper we present MAYHEM, a new system for automatically finding exploitable bugs in binary (i.e., executable) programs. Every bug reported by MAYHEM is accompanied by a working shell-spawning exploit. The working exploits ensure soundness and that each bug report is security critical and actionable. MAYHEM works on raw binary code without debugging information. To make exploit generation possible at the binary-level, MAYHEM addresses two major technical challenges: actively managing execution paths without exhausting memory, and reasoning about symbolic memory indices, where a load or a store address depends on user input. To this end, we propose two novel techniques:
1) hybrid symbolic execution for combining online and offline (concolic) execution to maximize the benefits of both techniques, and
2) index-based memory modeling, a technique that allows MAYHEM to efficiently reason about symbolic memory at the binary level.
We used MAYHEM to find and demonstrate 29 exploitable vulnerabilities in both Linux and Windows programs, 2 of which were previously undocumented.
85 downloads
0 comments
Submitted
-
Trends in Circumventing Web-Malware Detection
By Teddy Rogers
Malicious web sites that compromise vulnerable computers are an ever-present threat on the web. The purveyors of these sites are highly motivated and quickly adapt to technologies that try to protect users from their sites. This paper studies the resulting arms race between detection and evasion from the point of view of Google’s Safe Browsing infrastructure, an operational web-malware detection system that serves hundreds of millions of users. We analyze data collected over a four year period and study the most popular practices that challenge four of the most prevalent web-malware detection systems: Virtual Machine client honeypots, Browser Emulator client honeypots, Classification based on domain reputation, and Anti-Virus engines. Our results show that none of these systems are effective in isolation. In addition to describing specific methods that malicious web sites employ to evade detection, we study trends over time to measure the prevalence of evasion at scale. Our results indicate that exploit delivery mechanisms are becoming increasingly complex and evasive.
82 downloads
0 comments
Submitted
-
The Rise of PDF Malware
By Teddy Rogers
The PDF file format has become a popular file format since its release as an open standard. Its portable nature, extensive feature list, and availability of free tools to read and author them have made it a de-facto standard for printable documents on the Web. As it gained more popularity among general users, malware authors recognized the opportunity to use PDFs for malicious purposes. As with Microsoft Office documents in the past, the PDF file format has become a target for malware authors and is currently being widely exploited as a means to deposit malware onto computers.
In this paper we discuss the current PDF threat landscape, current vulnerabilities being exploited in PDF documents, methods employed by malware authors, trends seen in malicious PDF usage, outline Symantec's detection names and their meaning, and discuss various techniques that are being used by malware authors to make detection more difficult. We will also outline some preventative measures users can take to avoid infection.
110 downloads
0 comments
Submitted
-
The Evolution of TDL Conquering x64
By Teddy Rogers
It has been about two years since the Win32/Olmarik (also known as TDSS, TDL and Alureon) family of malware programs started to evolve. The authors of the rootkit implemented one of the most sophisticated and advanced mechanisms for bypassing various protective measures and security mechanisms embedded into the operating system. The fourth version of the TDL rootkit family is the first reliable and widely spread bootkit targeting x64 operating systems such as Windows Vista and Windows 7. The active spread of TDL4 started in August 2010 and since then several versions of the malware have been released. Comparing it with its predecessors, TDL4 is not just a modification of the previous versions, but new malware. There are several parts that have been changed, but the most radical changes were made to its mechanisms for self-embedding into the system and surviving reboot. One of the most striking features of TDL4 is its ability to load its kernel-mode driver on systems with an enforced kernel-mode code signing policy (64-bit versions of Microsoft Windows Vista and 7) and perform kernel-mode hooks with kernel-mode patch protection policy enabled. This makes TDL4 a powerful weapon in the hands of cybercriminals.
It is the abundance of references to TDL4 combined with an absence of a fully comprehensive source of essential TDL4 implementation detail that motivated us to start this research. In this report, we investigate the implementation details of the malware and the ways in which it is distributed, and consider the cybercriminals' objectives. The report begins with information about the cybercrime group involved in distributing the malware. Afterwards we go deeper into the technical details of the bootkit implementation.
93 downloads
0 comments
Submitted
-
The Conficker Mystery
By Teddy Rogers
Network worms were supposed to be dead. Turns out they aren't.
In 2009 we saw the largest outbreak in years: The Conficker aka Downadup worm, infecting Windows workstations and servers around the world.
This worm infected several million computers worldwide - most of them in corporate networks. Overnight, it became as large an infection as the historical outbreaks of worms such as the Loveletter, Melissa, Blaster or Sasser.
Conficker is clever. In fact, it uses several new techniques that have never been seen before. One of these techniques is using Windows ACLs to make disinfection hard or impossible. Another is infecting USB drives with a technique that works *even* if you have USB Autorun disabled. Yet another is using Windows domain rights to create remote jobs to infect machines over corporate networks.
Possibly the most clever part is the communication structure Conficker uses. It has an algorithm to create a unique list of 250 random domain names every day. By precalculating one of these domain names and registering it, the gang behind Conficker could take over any or all of the millions of computers they had infected.
85 downloads
0 comments
Submitted
-
The Case of Trojan Downloader "TDL3"
By Teddy Rogers
Current trends in the threat landscape dictate that malware functionality grows in number, performs more stealthily and increases in complexity. This continuous evolution is a known fact in the industry as operating systems improve and network security tightens.
Naturally, a malware analyst who regularly encounters a malware family will be able to observe the changes between an old variant and a new one, and so note the increase and changes in behaviors. Commonly observed changes seen in more recent malware are: the addition of code polymorphism; implementation of process hooks and injections; experimentation with new ways to gain privilege escalation; and the use of rootkit functionalities.
There are, however, some malware that go a step further. In early 2008, a first-of-its-kind malware was seen: Mebroot (http://www.f-secure.com/weblog/archives/vb2008_kasslin_florio.pdf), which incorporated some of the most advanced techniques seen in a malware. The aspect with the greatest potential for impacting the threat landscape is the underlying concept the Mebroot malware family represents: a framework or foundation, which we may call a Malware Operating System (in reference to a MaOS text string found in the malware).
TDL3, so named by the malware authors themselves, adopts some characteristics of the Mebroot malware family in terms of disk infection and surviving reboot operations. Although it does not rank as the most complicated malware seen, TDL3's distinctive features - stealthy infection mechanisms and tricky removal - should not be overlooked. Moreover, TDL3 is just a framework for further system compromise.
In a few simple words, TDL3 is a "Means to an End".
100 downloads
0 comments
Submitted
-
System-Centric CUDA Threat Modeling with CUBAR
By Teddy Rogers
Heterogeneous computing has definitely arrived, and graphics processing units (GPUs) in the millions are employed worldwide. History has shown newly programmable domains to be rapidly subjected (and often found vulnerable) to attacks of the past. We enumerate a system-centric threat model using Microsoft's STRIDE process [23]. We then describe an active general purpose programming system, NVIDIA's Compute Unified Device Architecture (CUDA), and explore the threat space. We derive and describe previously-undisclosed memory protection and translation processes in CUDA, successfully mount several attacks on the CUDA system, and identify numerous directions for future work. Our CUBAR suite of tools, especially cudash (the CUDA Shell), forms a solid platform for research to come.
86 downloads
0 comments
Submitted
-
Swimming Into Hostile Code
By Teddy Rogers
Trojan-GameThief.Win32.Magania, according to Kaspersky's naming convention, monitors user activity, trying to obtain valuable information from the affected user, especially gaming login accounts. From a functional point of view you can also check this post:
http://evilcodecave.blogspot.com/2009/08/how-fastly-bypass-hostile-code-for.html
where you can also find the files and registry entries needed to remove Magania.
In this paper we will analyse more deeply the structure of this malware, especially the polymorphic part that represents a typical sample of hostile code.
100 downloads
0 comments
Submitted
-
Return Oriented Programming without Returns
By Teddy Rogers
We show that on the x86 it is possible to mount a return-oriented programming attack without using any return instructions. Our new attack instead makes use of certain instruction sequences that behave like a return; we show that these sequences occur with sufficient frequency in large Linux libraries to allow creation of a Turing-complete gadget set.
Because it does not make use of return instructions, our new attack has negative implications for two recently proposed classes of defense against return-oriented programming: those that detect the too-frequent use of returns in the instruction stream, and those that detect violations of the last-in-first-out invariant that is normally maintained for the return-address stack.
88 downloads
0 comments
Submitted
-
Proactive Detection of Computer Worms Using Model Checking
By Teddy Rogers
Although recent estimates are speaking of 200,000 different viruses, worms, and Trojan horses, the majority of them are variants of previously existing malware. As these variants mostly differ in their binary representation rather than their functionality, they can be recognized by analyzing the program behavior, even though they are not covered by the signature databases of current anti-virus tools. Proactive malware detectors mitigate this risk by detection procedures which use a single signature to detect whole classes of functionally related malware without signature updates. It is evident that the quality of proactive detection procedures depends on their ability to analyze the semantics of the binary.
In this paper, we propose the use of model checking, a well-established software verification technique, for proactive malware detection. We describe a tool which extracts an annotated control flow graph from the binary and automatically verifies it against a formal malware specification. To this end, we introduce the new specification language CTPL, which balances the high expressive power needed for malware signatures with efficient model checking algorithms. Our experiments demonstrate that our technique indeed is able to recognize variants of existing malware with a low risk of false positives.
86 downloads
0 comments
Submitted
-
Remote Buffer OverFlow Exploits
By Teddy Rogers
In this paper I will try to explain the concepts of remote buffer overflow exploits from a practical perspective. This paper does not explain the operating system and processor concepts that are necessary to understand the exploit development process, regardless of whether you are dealing with a complex or a simple application. So it is assumed that readers have some background knowledge about exploits.
90 downloads
0 comments
Submitted
-
Safety Checking of Machine Code
By Teddy Rogers
We show how to determine statically whether it is safe for untrusted machine code to be loaded into a trusted host system.
Our safety-checking technique operates directly on the untrusted machine-code program, requiring only that the initial inputs to the untrusted program be annotated with type-state information. This opens up the possibility of being able to check code produced by any compiler from any source language, which gives the code producers more freedom in choosing the language in which they write their programs. It eliminates the dependence of safety on the correctness of the compiler because the final product of the compiler is checked. It leads to the decoupling of the safety policy from the language in which the untrusted code is written, and consequently makes it possible for safety checking to be performed with respect to an extensible set of safety properties that are specified on the host side.
We have implemented a prototype safety checker for SPARC machine-language programs, and applied the safety checker to several examples. The safety checker was able to either prove that an example met the necessary safety conditions, or identify the places where the safety conditions were violated. The checking times ranged from less than a second to 14 seconds on an UltraSPARC machine.
76 downloads
0 comments
Submitted
-
Securing The Kernel via Static Binary Rewriting and Program Shepherding
By Teddy Rogers
Recent Microsoft security bulletins show that kernel vulnerabilities are becoming more and more important security threats. Despite the fairly extensive security mitigations, many of the kernel vulnerabilities are still exploitable. Successful kernel exploitation typically grants the attacker maximum privilege level and results in total machine compromise.
To protect against kernel exploitation, we have developed a tool which statically rewrites the Microsoft Windows kernel as well as other kernel level modules. Such rewritten binary files allow us to monitor control flow transfers during operating system execution. At this point we are able to detect whether a selected control flow transfer is valid or should be considered an attack attempt.
Our solution is especially directed towards preventing remote kernel exploitation attempts. Additionally, many of the local privilege escalation attacks are also blocked (also due to additional mitigation techniques we have implemented). Our tool was tested with Microsoft Windows XP, Windows Vista and Windows 7 (under both virtual and physical machines) on IA-32 compatible processors. Our apparatus is also completely standalone and does not require any third party software.
76 downloads
0 comments
Submitted
-
SubVirt Implementing Malware with Virtual Machines
By Teddy Rogers
Attackers and defenders of computer systems both strive to gain complete control over the system. To maximize their control, both attackers and defenders have migrated to low-level, operating system code. In this paper, we assume the perspective of the attacker, who is trying to run malicious software and avoid detection. By assuming this perspective, we hope to help defenders understand and defend against the threat posed by a new class of rootkits.
We evaluate a new type of malicious software that gains qualitatively more control over a system. This new type of malware, which we call a virtual-machine based rootkit (VMBR), installs a virtual-machine monitor underneath an existing operating system and hoists the original operating system into a virtual machine.
Virtual-machine based rootkits are hard to detect and remove because their state cannot be accessed by software running in the target system. Further, VMBRs support general-purpose malicious services by allowing such services to run in a separate operating system that is protected from the target system. We evaluate this new threat by implementing two proof-of-concept VMBRs. We use our proof-of-concept VMBRs to subvert Windows XP and Linux target systems, and we implement four example malicious services using the VMBR platform. Last, we use what we learn from our proof-of-concept VMBRs to explore ways to defend against this new threat. We discuss possible ways to detect and prevent VMBRs, and we implement a defense strategy suitable for protecting systems against this threat.
74 downloads
0 comments
Submitted
-
Supervised Learning for Provenance-Similarity of Binaries
By Teddy Rogers
Understanding, measuring, and leveraging the similarity of binaries (executable code) is a foundational challenge in software engineering. We present a notion of similarity based on provenance: two binaries are similar if they are compiled from the same (or very similar) source code with the same (or similar) compilers. Empirical evidence suggests that provenance-similarity accounts for a significant portion of variation in existing binaries, particularly in malware. We propose and evaluate the applicability of classification to detect provenance-similarity. We evaluate a variety of classifiers, and different types of attributes and similarity labeling schemes, on two benchmarks derived from open-source software and malware respectively. We present encouraging results indicating that classification is a viable approach for automated provenance-similarity detection, and as an aid for malware analysts in particular.
73 downloads
0 comments
Submitted
-
On the Semantics of Self-Unpacking Malware Code
By Teddy Rogers
The rapid increase in attacks on software systems via malware such as viruses, worms, trojans, etc., has made it imperative to develop effective techniques for detecting and analyzing malware binaries. Such binaries are usually transmitted in packed or encrypted form, with the executable payload decrypted dynamically and then executed. In order to reason formally about their execution behaviour, therefore, we need semantic descriptions that can capture this self-modifying aspect of their code. However, current approaches to the semantics of programs usually assume that the program code is immutable, which makes them inapplicable to self-unpacking malware code. This paper takes a step towards addressing this problem by describing a formal semantics for self-modifying code. We use our semantics to show how the execution of self-unpacking code can be divided naturally into a sequence of phases, and use this to show how the behaviour of a program can be characterized statically in terms of a program evolution graph. We discuss several applications of our work, including static unpacking and deobfuscation of encrypted malware and static cross-phase code analysis.
90 downloads
0 comments
Submitted
-
On the Analysis of the Zeus Botnet Crimeware Toolkit
By Teddy Rogers
In this paper, we present our reverse engineering results for the Zeus crimeware toolkit, which is one of the recent and powerful crimeware tools that emerged in the Internet underground community to control botnets. Zeus has reportedly infected over 3.6 million computers in the United States. Our analysis aims at uncovering the various obfuscation levels and shedding light on the resulting code. Accordingly, we explain the bot building and installation/infection processes. In addition, we detail a method to extract the encryption key from the malware binary and use that to decrypt the network communications and the botnet configuration information. The reverse engineering insights, together with network traffic analysis, allow for a better understanding of the technologies and behaviors of such modern HTTP botnet crimeware toolkits and open an opportunity to inject falsified information into the botnet communications, which can be used to defame this crimeware toolkit.
82 downloads
0 comments
Submitted
-
Memory Behavior Based Automatic Malware Unpacking in Stealth Debugging Environment
By Teddy Rogers
Malware analysts have to first extract the hidden original code from a packed executable to analyze malware, because most recent malware is obfuscated by a packer in order to disrupt analysis by debuggers and disassemblers. There are several studies on automatic extraction of hidden original code, which execute malware in an isolated environment, monitor write memory accesses and instruction fetches at runtime, determine if the code under execution is newly generated, then dump specific memory areas into a file as candidates for the original code. However, the conventional techniques output many dump files as candidates for the original code when experiments are conducted on malware in the wild. Thus, manual identification of the true original code is needed. In this paper, we present "memory behavior-based unpacking", an algorithm that automatically identifies the true original code from among many candidates depending on the change in the trend of accessed memory addresses before and after the dumping points. To achieve this algorithm, we have implemented Stealth Debugger, a virtual machine monitor for debugging and monitoring all memory accesses of a process without interruption by any anti-debug functions of the malware. We have evaluated our proposed system by using malware obfuscated by various common packers. The results show that our proposed system successfully finds the original entry points and obtains the original code of the malware.
80 downloads
0 comments
Submitted
-
Mass Malware - A Do-It-Yourself Kit
By Teddy Rogers
This paper outlines the relevant steps to build up a customizable automated malware analysis station using only freely available components, with the exception of the target OS (Windows XP) itself. Further, a special focus lies on handling a huge amount of malware samples and on the actual implementation at CERT.at. The primary goal is that the reader of this paper should be able to build up her own specific installation and configuration while being free in her decision which components to use.
The first part of this document will cover all the theoretical, strategic and methodological aspects. The second part focuses on the practical aspects by diving into the CERT.at automated malware analysis station, closing with an easy-to-follow step-by-step tutorial on how to build up the CERT.at implementation for your own use. So feel free to skip parts.
101 downloads
0 comments
Submitted
-
Malicious Code Detection Technologies
By Teddy Rogers
Just like every other type of technology, malicious code has grown increasingly sophisticated and complex. The antivirus industry must try to stay one step ahead, especially since it is often easier to produce malicious code than it is to detect it. This white paper provides an overview of the evolving combat tactics used in the antivirus battle, giving both simplified explanations of technological approaches as well as a broad chronological perspective.
Many of the technologies and principles discussed in the paper are still current today, not only in the antivirus world, but also in the wider context of computer security systems. The early malicious code detection technology was based on signatures: segments of code that act as unique identifiers for individual malicious programs. Using signatures is a relatively primitive and repetitive technology which requires little explanation and is widely understood.
As viruses have evolved, the defence technologies also had to evolve. Now they involve the use of more advanced approaches, such as heuristics and behavior analyzers, that we collectively refer to as "nonsignature" detection methods. This paper focuses primarily on these nonsignature technologies. It will define terms such as heuristic, proactive detection, behavioural detection, and HIPS; it will explain how they are related; and it will identify some of the advantages and disadvantages of each. Some of the technologies currently used by the antivirus industry (such as unpacking packed programs and streaming signature detection) were intentionally not included in this paper to allow for a more in-depth discussion of nonsignature detection methods.
This paper was developed for readers who have a very basic understanding of antivirus technologies, but who are not experts in the field. Its aim is to systematically and objectively examine issues surrounding the use of malicious programs and the defence techniques that are essential for protection from them.
109 downloads
0 comments
Submitted
-
Lessons Learned from an Investigation into the Analysis Avoidance
By Teddy Rogers
This paper outlines a number of key lessons learned from an investigation into the techniques malicious executable software can employ to hinder digital forensic examination. Malware signature detection has been recognised by researchers to be far less than ideal. Thus, the forensic analyst may be required to manually analyse suspicious files. However, in order to hinder the forensic analyst, hide its true intent and avoid detection, modern malware can be wrapped with packers or protectors, and layered with a plethora of anti-analysis techniques. This requires the forensic analyst to develop static and dynamic analysis skills tailored to navigating a hostile environment. To this end, the analyst must understand the anti-analysis techniques that can be employed and how to mitigate them, the limitations of existing tools and how to extend them, and how to employ an appropriate analysis methodology to uncover the intent of the malware.
75 downloads
0 comments
Submitted
-
Inference and Analysis of Formal Models of Botnet Command and Control Protocols
By Teddy Rogers
We propose a novel approach to infer complete protocol state machines in a realistic high-latency network setting, and apply it to the analysis of botnet C&C protocols. Our proposed techniques enable an order of magnitude reduction in the number of queries and the time needed to learn a botnet C&C protocol compared to classic algorithms (from days to hours for inferring the MegaD C&C protocol). We also show that the computed complete protocol state machines enable powerful analysis for botnet defense, including finding the weakest links in a protocol, uncovering protocol design flaws, inferring the existence of unobservable communication back-channels among botnet servers, and finding deviations of protocol implementations which can be used for fingerprinting. Our experimental results on MegaD demonstrate that our technology offers invaluable novel insights into existing problems on botnet C&C and provides a powerful weapon for botnet defense.
66 downloads
0 comments
Submitted
-
Kernel Malware - The Attack from Within
By Teddy Rogers
The Kernel is the heart of modern operating systems. Code executing in kernel mode has full access to all memory including the kernel itself, all CPU instructions, and all hardware. For this obvious reason only the most trusted software should be allowed to run in kernel mode.
Today, we are facing an emerging threat in the form of kernel-mode malware. By kernel-mode malware we mean malicious software that executes as part of the operating system having full access to the computer's resources. To the end-user this means malware that can bypass software firewalls and can be almost impossible to detect or remove even if the best anti-virus solutions are being used.
This paper will examine the most important malware cases utilizing kernel-mode techniques over the last few years. The research will be limited to malware running on Windows NT and later operating system versions. It will look at the possible motives for the malware authors to move their creations to kernel mode. A detailed analysis of the key techniques making their existence possible will be covered.
79 downloads
0 comments
Submitted
-