Research Center for Cyber Intelligence and Information Security
CIS Sapienza

Overview on malware evolution and feature extraction for malware detection
Seminars in Distributed Systems 2015/2016, April 29th, 2016. Dr. Daniele Ucci, [email protected]

Outline
• Overview on malware evolution
  • Malware definition
  • Dawn of malware
  • MS Windows malware
  • Recent past and present
  • Mobile malware
• Feature extraction for malware detection
  • Recall on detection approaches and their weaknesses
  • Data structures for malware detection
  • Features for malware detection
  • Machine Learning algorithms for malware detection

Malware detection: where we left off?
• Three main types of malware detection approaches:
  • Static analysis
  • Dynamic analysis
  • Hybrid analysis
• Each approach has its own limitations

Outline (current section: Overview on malware evolution)

Overview on malware evolution: Malware (definition)
Malware is malicious software that fulfills the deliberately harmful intent of an attacker*. In general, malware is a term used to refer to a variety of forms of hostile or intrusive software.
[*] Nikola Milosevic. "History of malware". In: CoRR abs/1302.5392 (2013). URL: http://arxiv.org/abs/1302.5392.

Overview on malware evolution: Current AV industry scenario
[Figure: current AV industry scenario. Image copyright: IKARUS Software Security GmbH]

Overview on malware evolution: Dawn of malware
Motivations behind creation:
• proving that personal computers are not secure
• annoying system users or worsening system performance

Overview on malware evolution: Dawn of malware - Famous examples
• Brain.A:
  • worm
  • first malware for PC
  • replicates itself using floppy disks by infecting the floppy disk drive
• Casino:
  • virus
  • detected in the early 90's
  • copies the file allocation table to memory and deletes the original one; then it offers the user a slot game
  • in case the user loses the game, the file allocation table is deleted from memory

Overview on malware evolution: MS Windows malware
Motivations behind creation:
• annoying system users or worsening system performance
• recruiting computers into a botnet in order to attack companies and organizations

Overview on malware evolution: MS Windows malware - Famous examples
• WinVir:
  • first Microsoft Windows virus
  • first to infect PE (Portable Executable) files
  • replicates itself by infecting other PE files
  • deletes itself after replication
• Slammer:
  • detected in 2003
  • takes advantage of vulnerabilities in MS SQL Server and MS Data Engine 2000
  • every application relying on these was attacked
  • in-memory process
  • huge amount of network traffic generated

Overview on malware evolution: 0-day exploits and cross-platform malware
Motivations behind creation:
• virtual espionage
• mass surveillance
• attacking targeted users

Overview on malware evolution: 0-day exploits and cross-platform malware - Famous examples
• Stuxnet:
  • super malware
  • found out in June 2010
  • undetected for about a year
  • designed to slow down the Iranian nuclear program
  • infection: spread over USB sticks
  • uses stealth strategies
  • 4 out of the 5 exploits on which it relied were 0-day

Overview on malware evolution: 0-day exploits and cross-platform malware - Famous examples
• Duqu:
  • super malware
  • similar to Stuxnet
  • spies on infected personal computers
• Flame:
  • super malware
  • detected in 2012
  • most complex malware that has been seen
  • hot plugging of new modules
  • spread over USB ports and network
  • stealth capabilities
  • it is able to record audio, video, Skype calls and network activity, and to steal files from the hard disk
  • self-destructs on detection

Overview on malware evolution: Recent past and present
• Many enterprises are starting to understand the importance of protecting their business from cyber-threats
• In 2013:
  • McAfee reported more than 288,000 new possibly malicious samples to analyse per day*
[*] Cruz Benjamin et al. McAfee Labs Threats Report: Fourth Quarter 2013. Tech. rep. McAfee Labs, McAfee, 2013.

Overview on malware evolution: Recent past and present
• Symantec observed a sudden rise of zero-day vulnerability exploits*:
  - an average of 12 vulnerabilities found out per year in the last seven years
  - 23 zero-day vulnerabilities have been discovered
• Sophos discovered a thousand new Android malware samples per day**
[*] Wood Paul et al. 2014 Internet Security Threat Report, Volume 19. Tech. rep. Symantec Corporation, 2014.
[**] Vanja Svajcer. Sophos Mobile Security Threat Report. 2014. URL: http://i.crn.com/bestoqreed/sophos-mobile-security-threat-report.pdf.

Overview on malware evolution: Mobile malware
[Figure: mobile malware statistics. Image copyright: McAfee Mobile Security Report, February 2014]

Overview on malware evolution: Mobile malware
• Malware behavior is evolving from spyware and rooting exploits towards*:
  • data theft
  • impersonation
  • premium SMS for financial frauds
  • downloaders and installers providing the attacker remote control (botnet)
  • surveillance
• Malvertisement threats**:
  • advertisements embedding malicious content (e.g. trojans) or leading to malicious websites when clicked on
  • affect both Android and iOS device users
[*] Vanja Svajcer. Sophos Mobile Security Threat Report. 2014. URL: http://i.crn.com/bestoqreed/sophos-mobile-security-threat-report.pdf.
[**] Caetano L. Mobile Malware in 2014. 2014. URL: https://blogs.mcafee.com/consumer/mobile-malware-2014.

Overview on malware evolution: Mobile malware - Famous examples
• MasterKey*:
  • vulnerability in Android package signature verification
  • patched in July 2013
  • an attacker could modify an existing system update
  • users would unknowingly be installing executables from the attacker
• DownAPK**:
  • detected in 2014
  • Windows-based malware
  • uses the Android Debug Bridge to install a fake banking app on Android devices connected to the infected PC
[*] McAfee. What MasterKey? Android Signature Bypass Vulnerability. 2013. URL: https://blogs.mcafee.com/consumer/what-master-key-android-signature-bypass-vulnerability.
[**] Vanja Svajcer. Sophos Mobile Security Threat Report. 2014. URL: http://i.crn.com/bestoqreed/sophos-mobile-security-threat-report.pdf.

Outline (current section: Feature extraction for malware detection)

Feature extraction for malware detection: Recall on detection approaches
• Static approaches:
  • statically analyze the sample without executing it
• Dynamic approaches:
  • require the execution of the sample
  • need virtual environments or emulators
• Hybrid approaches:
  • combine the above approaches

Feature extraction for malware detection: Weaknesses in static and dynamic analysis*
• Static analysis:
  • signature computation is error-prone and time-consuming
  • not able to detect tailored malware and variants of the same malicious code
  • non-negligible number of false positives
• Dynamic analysis:
  • virtual environments are too specific
  • sophisticated attacks still go undetected
[*] Manuel Egele et al. "A Survey on Automated Dynamic Malware-analysis Techniques and Tools". In: ACM Comput. Surv. 44.2 (Mar. 2008), 6:1–6:42. ISSN: 0360-0300. DOI: 10.1145/2089125.2089126. URL: http://doi.acm.org/10.1145/2089125.2089126.

Feature extraction for malware detection: Tools proposed in the literature for dynamic analysis*
Anubis, CWSandbox, Ether, Cuckoo, HookFinder, TQana, Panorama, Norman Sandbox, QEMU
[*] Manuel Egele et al. "A Survey on Automated Dynamic Malware-analysis Techniques and Tools". In: ACM Comput. Surv. 44.2 (Mar. 2008), 6:1–6:42. ISSN: 0360-0300. DOI: 10.1145/2089125.2089126. URL: http://doi.acm.org/10.1145/2089125.2089126.

Feature extraction for malware detection: Preliminary notions
• Raw data:
  • samples and metadata
• Feature:
  • measurable property extracted from raw samples and metadata

Feature extraction for malware detection: Preliminary notions
• Classification:
  • process of assigning an observation to a specific class on the basis of a training set
  • Examples:
    - Observation: sample → Class: Benign / Malicious
    - Observation: sample → Class: Worm / Not Worm
    - Observation: malware variant → Class: Family 0 / Family 1 / … / Family k
• Clustering:
  • task of grouping similar observations
  • Examples:
    - Observations: samples → Cluster: Families
    - Observations: samples → Cluster: Similar samples

Feature extraction for malware detection: Data structures
• Detection techniques rely on specific data structures to extract valuable information from raw data
• Data structures can be categorized according to the type of analysis carried out:
  • static
  • dynamic
  • hybrid

Feature extraction for malware detection: Data structures for static analysis
• Raw data:
  • PE header
  • PE payload → disassembly code
  • binary code
• Extracted data structures:
  • n-grams
  • call graphs
  • control flow graphs
  • data flow graphs

Feature extraction for malware detection: Data structures for dynamic analysis
• Raw data:
  • network traces
  • execution traces
    - the majority generated by VMs and sandboxes
  • AV / sandbox reports
• Extracted data structures:
  • control flow graphs
  • API / system call graphs
  • Markov chain graphs
  • network behavior graphs

Feature extraction for malware detection: Data structures for hybrid analysis
• Input:
  • combination of static and dynamic analysis input
• Extracted data structures:
  • combinations of data structures coming from static and dynamic analysis (e.g. control flow graph + Markov chain graph)

Feature extraction for malware detection: Extracted features
• Static analysis:
  • opcodes
  • byte sequences
  • function length frequency
  • …
• Dynamic analysis:
  • network flow features (e.g. source IP)
  • API / system calls
  • behavioral features (e.g. execution profiles)
  • …
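As an added example (not part of the slides), the following code builds two of the structures and features listed above from constructed inputs: n-gram frequency vectors over raw bytes and over a disassembled opcode sequence for the static side, and a first-order Markov chain of API call transitions for the dynamic side. The opcode list, byte string and API trace are made up for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample inputs (not from the slides): a short opcode sequence standing
# in for disassembled PE payload, raw bytes standing in for binary code, and an
# API call trace of the kind a sandbox execution trace would yield.
SAMPLE_OPCODES = ["push", "mov", "call", "push", "mov", "call", "xor", "jmp"]
SAMPLE_BYTES = b"\x00\x01\x00\x01\x00"
SAMPLE_API_TRACE = ["CreateFile", "WriteFile", "WriteFile", "CloseHandle",
                    "CreateFile", "WriteFile", "CloseHandle"]


def ngram_counts(seq, n):
    """Count every length-n sliding window of a sequence (bytes, opcodes, API names)."""
    return Counter(tuple(seq[i:i + n]) for i in range(len(seq) - n + 1))


def ngram_features(seq, n=2):
    """Static feature: relative frequency of each n-gram, keyed by the joined gram.

    Works on opcode lists (key "push mov") and on raw bytes (key "0 1")."""
    counts = ngram_counts(list(seq), n)
    total = sum(counts.values()) or 1          # avoid division by zero on tiny input
    return {" ".join(map(str, g)): c / total for g, c in counts.items()}


def markov_chain(trace):
    """Dynamic feature: first-order transition probabilities of an API call trace.

    Node = API name, edge weight = P(next call | current call)."""
    successors = defaultdict(Counter)
    for current, nxt in zip(trace, trace[1:]):
        successors[current][nxt] += 1
    return {api: {b: c / sum(nxt.values()) for b, c in nxt.items()}
            for api, nxt in successors.items()}


if __name__ == "__main__":
    print(ngram_features(SAMPLE_OPCODES))
    print(ngram_features(SAMPLE_BYTES))
    print(markov_chain(SAMPLE_API_TRACE))
```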

Feature extraction for malware detection: Machine Learning algorithms
• Detection techniques based on Machine Learning algorithms do not depend on the type of analysis carried out
• Some examples:
  • SVM
  • decision trees and variants
  • kNN
  • …
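As an added example (not part of the slides) of the classification step on top of the extracted features, here is a kNN classifier over constructed opcode-bigram frequency vectors, with a leave-one-out check that shows what happens when k is chosen larger than the number of samples per class. The training set and its labels are made up for illustration.

```python
import math
from collections import Counter

# Constructed training set (not from the slides): opcode-bigram frequency vectors,
# i.e. a static-analysis feature, each labelled with its known class.
TRAINING_SET = [
    ({"push mov": 0.4, "mov call": 0.4, "call ret": 0.2}, "benign"),
    ({"push mov": 0.3, "mov call": 0.5, "call ret": 0.2}, "benign"),
    ({"xor xor": 0.5, "jmp xor": 0.3, "call jmp": 0.2}, "malicious"),
    ({"xor xor": 0.4, "jmp xor": 0.4, "push jmp": 0.2}, "malicious"),
]


def cosine(u, v):
    """Cosine similarity of two sparse feature vectors (dicts); 0.0 if either is empty."""
    dot = sum(w * v.get(k, 0.0) for k, w in u.items())
    nu = math.sqrt(sum(w * w for w in u.values()))
    nv = math.sqrt(sum(w * w for w in v.values()))
    return dot / (nu * nv) if nu and nv else 0.0


def knn_classify(sample, training=TRAINING_SET, k=3):
    """Assign sample to the majority class among its k most similar training vectors."""
    ranked = sorted(training, key=lambda item: cosine(sample, item[0]), reverse=True)
    votes = Counter(label for _, label in ranked[:k])
    return votes.most_common(1)[0][0]


def leave_one_out_accuracy(training=TRAINING_SET, k=1):
    """Fraction of training samples classified correctly when each is held out in turn.

    With only two samples per class, k=3 lets the other class outvote the single
    remaining neighbour of the correct class, so accuracy collapses to 0."""
    hits = 0
    for i, (vec, label) in enumerate(training):
        rest = training[:i] + training[i + 1:]
        hits += knn_classify(vec, rest, k) == label
    return hits / len(training)


if __name__ == "__main__":
    print(knn_classify({"xor xor": 0.6, "jmp xor": 0.4}))
    print(leave_one_out_accuracy(k=1), leave_one_out_accuracy(k=3))
```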