Tuts 4 You

Malware Analysis

59 files

  1. BerBoToss Analysis

    The threat of malicious software can easily be considered as the greatest threat to Internet security. Earlier, viruses were, more or less, the only form of malware. Nowadays, the threat has grown to include network-aware worms, trojans, DDoS agents, IRC Controlled bots, spyware, and so on. The infection vectors have also changed and grown and malicious agents now use techniques like email harvesting, browser exploits, operating system vulnerabilities, and P2P networks to spread. A relatively large percentage of the software that a normal internet user encounters in his online journeys is or can be malicious in some kind of way. Most of this malware is stopped by antivirus software, spyware removal tools and other similar tools. However, this protection is not always enough and there are times when a small, benign looking binary sneaks through all levels of protection and compromises user data. There may be many reasons for this breach, such as a user irregularly updating his AV signatures, a failure of AV heuristics, the introduction of new or low-profile malware which has not yet been discovered by AV vendors, and custom coded malware which cannot be detected by antivirus software. Though AV software is continually getting better, a small but very significant percentage of malware escapes the automated screening process and manages to enter and wreak havoc on networks. Unfortunately, this percentage is also growing everyday.

    It is essential for users and absolutely essential for administrators to be able to determine if a binary is harmful by examining it manually and without relying on the automated scanning engines. The level of information desired differs according to the user's needs. For instance, a normal user might only want to know if a binary is malicious or not, while an administrator might want to completely reverse engineer the binary for his purposes.

    Traditionally, malware analysis has been considered to be very complicated, and in fact some of the techniques are still very complicated and beyond a normal user's access. Nevertheless, looking at the current scenario, we can see that there is a clear need for people to learn how to analyze malware themselves. But the caveat is that the analysis techniques have to be simplified and the learning curve has to be made smaller for mass consumption among the general public. Unfortunately, there is not much organized information in the public domain dealing with easy to use malware analysis techniques. Besides the uses mentioned above, malware analysis is used for forensics, honeypot research, security vulnerability research, etc.

  2. Boosting Scalability in Anomaly-based Packed Executable Filtering

    During the last years, malware writers have been using several techniques to evade detection. One of the most common techniques employed by the anti-virus industry is signature scanning. This method requires the end-host to compare files against a database that should contain signatures for each malware sample. In order to allow their creations to bypass these protection systems, programmers use software encryption tools and code obfuscation techniques to hide the actual behaviour of their malicious programs. One of these techniques is packing, a method that encrypts the real code of the executable and places it as data in a new executable that contains an unpacking routine. In previous work, we designed and implemented an anomaly detector based on PE structural characteristics and heuristic values, and we were able to decide whether an executable was packed or not. We stated that this detection system could serve as a filtering step for a generic and time consuming unpacking phase. In this paper, we improve that system applying a data reduction algorithm to our representation of normality (i.e., not packed executables), finding similarities among executables and grouping them to form consistent clusters that reduce the amount of comparisons needed. We show that this improvement reduces drastically the processing time, while maintaining detection and false positive rates stable.

  3. Bypass Antivirus Dynamic Analysis

    "Antivirus are easy to bypass." "Antivirus are mandatory in defense in depth." "This Cryptor is FUD." These are some of the sentences you hear when doing some research on antivirus security. I asked myself, hey, is it really that simple to bypass AV? After some research I came (like others) to the conclusion that bypassing antivirus consists of two big steps:

    - Hide the code which may be recognized as malicious. This is generally done using encryption.
    - Code the decryption stub in such a way that it is not detected as a virus nor bypassed by emulation/sandboxing.

    In this paper I will mainly focus on the last one, how to fool antivirus emulation/sandboxing systems.

    I've set myself a challenge to find half a dozen of ways to make a fully undetectable decryption stub (in fact I found way more than that). Here is a collection of methods. Some of those are very complex (and most "FUD cryptor" sellers use one of these). Others are so simple I don't understand why I've never seen these before. I am pretty sure underground and official virus writers are fully aware about these methods so I wanted to share these with the public.

  4. Cold Boot Attacks on Encryption Keys

    Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at room temperature and even if removed from a motherboard. Although DRAMs become less reliable when they are not refreshed, they are not immediately erased, and their contents persist sufficiently for malicious (or forensic) acquisition of usable full-system memory images. We show that this phenomenon limits the ability of an operating system to protect cryptographic key material from an attacker with physical access. We use cold reboots to mount successful attacks on popular disk encryption systems using no special devices or materials. We experimentally characterize the extent and predictability of memory remanence and report that remanence times can be increased dramatically with simple techniques. We offer new algorithms for finding cryptographic keys in memory images and for correcting errors caused by bit decay. Though we discuss several strategies for partially mitigating these risks, we know of no simple remedy that would eliminate them.

  5. A State of Malware - Family Ties

    When we think of families, the concept that comes to mind is that of closeness - a genetic bond through which certain traits are preserved. Those bonds carry information leading to similar body builds, facial features, hereditary diseases and a host of other commonalities. What makes up a family is the likeness, a similarity arising from that genetic connection or bond. A very straightforward analogy can be made in the world of malware.

    Malware has been classified into families for decades. Some malware families, like our early ancestors, have grown to have thousands of members (for instance, there are over six thousand Zbot executables (as detected by Microsoft) and over one thousand Sinowal samples 1). These are said to belong to a given family because of their close resemblance.

    In the case of malware the bond does not come from genes but from the executable make up or range of actions the malware embeds. A lot of research in recent years has gone into automatic classification of malware. The focus of some of this research revolves around taking executables and automatically discovering their family ties and deducting what the common functionality is.

    In this paper we plan to answer a few questions about malware families and malware classification. We want to know what causes malware authors to spin new versions of their binaries. Do they release new variants to evade detection? Is a new release feature related? Or, could it be more bug fix related? We would also like to know of the major malware families that exist - SubSeven, Conficker, TDSS, Peacomm, PoisonIvy, Waledac - what, if any, "incest" there is. Do we see family A sharing functionality or code with family B? If so this could clue us into which authors communicate and talk to other malware authors. We will examine mass-malware and targeted malware, as well as rootkits.

  6. A Symbolic Execution Framework For JavaScript

    As AJAX applications gain popularity, client-side JavaScript code is becoming increasingly complex. However, few automated vulnerability analysis tools for JavaScript exist. In this paper, we describe the first system for exploring the execution space of JavaScript code using symbolic execution. To handle JavaScript code's complex use of string operations, we design a new language of string constraints and implement a solver for it. We build an automatic end-to-end tool, Kudzu, and apply it to the problem of finding client-side code injection vulnerabilities. In experiments on 18 live web applications, Kudzu automatically discovers 2 previously unknown vulnerabilities and 9 more that were previously found only with a manually-constructed test suite.

  7. Abstract Stack Graph as a Representation to Detect Obfuscated Calls in Binaries

    The highly interconnected world of computers ever poses the threat of malicious code. Such code can break into hosts using a variety of methods such as attacking known software flaws and vulnerabilities in regular programs. Hence detecting the presence of such malicious code on a given host is a problem of high concern. Whenever such hostile programs succeed in spreading over the internet, there is a significant loss to businesses. For example, the mi2g website [1] quotes that within one quarter the NetSky worm and all its A-Q variants put together had already caused between $35.8 billion and $43.8 billion of estimated economic damages worldwide. The website also quotes that, in March, the combined loss due to the three worms Beagle, MyDoom, and NetSky crossed the $100 billion mark within a week.

    Programmers obfuscate their code with the intent of making it difficult to discern information from the code. Programs may be obfuscated to protect intellectual property and to increase security of code (by making it difficult for others to identify vulnerabilities) [14], [20], [33]. Programs may also be obfuscated to hide malicious behavior and to evade detection by anti-virus scanners [11], [22], [31]. Most malicious code writers add or rearrange code in malicious programs to make their detection difficult, if not impossible. Recent virus writing trends that employ obfuscating transformations to conceal their behavior are the most difficult to detect. These viruses are called metamorphic viruses.

    The primary goal of obfuscation is to increase the effort involved in manually or automatically analyzing a program. In the context of anti-virus scanning, the context of our study, automated analysis may be performed at the desktop, at quarantine servers in an enterprise, or on back-end machines of an anti-virus company's laboratory [27]. In contrast, manual analysis is performed by engineers in Emergency Response Teams of anti-virus companies and research laboratories. The goal of obfuscation in malicious programs (viruses, worms, Trojans, spyware, backdoors) is to escape detection by automated analysis and significantly delay detection by manual analysis.

    A common obfuscation technique that is found in viruses, henceforth used generically to mean malicious programs, is that they obfuscate call instructions [31]. For instance, the call addr instruction may be replaced by two push instructions and a ret instruction, the first push pushing the address of the instruction after the ret instruction, the second push pushing the address addr. The code may be further obfuscated by spreading the three instructions and by further splitting each instruction into multiple instructions.

    Obfuscation of call instructions breaks most static analysis based methods for detecting a virus since these methods depend on recognizing call instructions to (a) identify the kernel functions used by the program and (b) identify procedures in the code. The obfuscation also takes away important cues that are used during manual analysis. We are then left only with dynamic analysis, i.e., running a suspect program in an emulator and observing the kernel calls it makes. Such analysis can easily be thwarted by what is termed a "picky virus", one that does not always execute its malicious payload. In addition, dynamic analyzers must use some heuristic to determine when to stop analyzing a program, for it may not terminate without user input. Virus writers can bypass stopping heuristics by introducing a delay loop that simply wastes cycles. It is therefore important to detect obfuscated calls both for static and dynamic analysis of viruses.

  8. A Method for Detecting Obfuscated Calls in Malicious Binaries

    Information about calls to the operating system (or kernel libraries) made by a binary executable may be used to determine whether the binary is malicious. Being aware of this approach, malicious programmers hide this information by making such calls without using the call instruction. For instance, the call addr instruction may be replaced by two push instructions and a ret instruction, the first push pushes the address of instruction after the ret instruction, and the second push pushes the address addr. The code may be further obfuscated by spreading the three instructions and by splitting each instruction into multiple instructions. This work presents a method to statically detect obfuscated calls in binary code. The idea is to use abstract interpretation to detect where the normal call-ret convention is violated. These violations can be detected by what is called an abstract stack graph. An abstract stack graph is a concise representation of all potential abstract stacks at every point in a program. An abstract stack is used to associate each element in the stack to the instruction that pushes the element. An algorithm for constructing the abstract stack graph is also presented. Methods for using the abstract stack graph are shown to detect eight different obfuscations. The technique is demonstrated by implementing a prototype tool called DOC (Detector for Obfuscated Calls).

  9. Practical COM Code Reconstruction

    Right after finishing my COM reconstruction helpers, I present you today a movie that aims to be a practical COM code reconstruction tutorial. The analysed function of this malware dumps the Windows Protected Storage to steal account data like member site passwords, Outlook Express accounts, autocomplete fields and so forth. And as it makes heavy use of the COM interface, it was the perfect candidate to show you how this nasty code can be restored to far more readable code. Enjoy!
