SES2017 - Malware Analysismalware-analysis techniques and tools", ACM Comput. Surv. 2012 •Require malware execution to analyze its actual behavior •Several approaches, complementary

Research Center for Cyber Intelligence and information Security

CIS SapienzaResearch Center for Cyber Intelligence

and information Security

CIS Sapienza

MalwareAnalysis

SystemsandEnterpriseSecurity2017-2018Dr.GiuseppeLaurenza,Ph.D.Student,[email protected]


CIS Sapienza

Outline• Introduction• Lessonsfromthepast• Malwaredetectionvsanalysis• Malwareanalysistechniques• Staticapproaches• Dynamicapproaches• Approachesbasedondownloadpatterns


CIS Sapienza

Whatisamalware?Softwareintentionallymalicious§ Causedamagestoasoftwaresystem§ Breaksoftwareservice§ Stealelectronicdata§ Getaccesstoprivatesystems§ …

Infectionvectors§Emailattachments(socialengineering)

§Pendrives§Websites(drive-bydownload)

§…


CIS Sapienza

Somestatistics

Totalnumberofmalwaresamplesinthelast10years(source:AV-TEST)


CIS Sapienza

Somestatistics

“CostofCyberCrimeStudy:Global”,Ponemon,2015


CIS Sapienza

CostofdatabreachesinItalyin2014(fromastudybyPonemon InstituteLLC,sponsoredbyIBM)

Ponemon Institute©ResearchReport,«2015CostofDataBreachStudy:Italy”

• 22organizationsfrom12differentsectorsinvolved• Totalcost:1.98million€(+2.6%wrt 2013)• Averagecostpercompromisedrecord:105€(+3.4%)• Compromisedrecordsperdatabreach– Average:~19K– Minimum:~4.5K– Maximum:~74K


CIS Sapienza



CIS Sapienza

Lessonsfromthepast(«HowMalwareworksandwhy»,FireEye2014)

• Thenumberofnewmalwareandthecorrespondingeconomicdamageincreaseyearbyyear

• Understandinghowanattackerworksiffundamental– Whatareherguidelines?– Whatherpriorities?

• Acriticalanalysisofpastattackscanshedsomelight…


CIS Sapienza

LessonsfromthepastMattBishop,“AnalysisoftheILOVEYOUWorm”,2000

https://en.wikipedia.org/wiki/ILOVEYOU

• ILOVEYOU- 2000– Emailhavingsubject«ILOVEYOU»– Usertemptedtoopentheattached«loveletter»– ActuallyitisaVisualBasicscriptwhich• Forwardsthesameemailtoallvictim’scontacts(onMSOutlook)• Downloadsandinstallsatrojan tostealpasswords

– Effects• 50millioninfectionsin10days• 5.5-8.7billionUS$damages• Estimatedremovalcosts:15billionUS$


CIS Sapienza

Lessonsfromthepast

• ILOVEYOU- 2000

Beyondtechnicaldetails,themostinterestingaspectregardsthewayusershavebeentemptedtoopenthemaliciousattachment

Lesson#1Blesstheuser


CIS Sapienza

Lessonsfromthepasthttps://www.sans.org/reading-room/whitepapers/malicious/nimda-worm-different-98

https://en.wikipedia.org/wiki/Nimda

• Nimda - 2001– Itspreadsthrough• Email:.exeattachmentautomaticallyexecutedwhentheemailisopened(client->client)• Sharedfolders:replication(client->client)• BackdoorsonIIS/PWSservers:itexploitsthosecreatedbyotherworms(e.g.,CodeRedII,sadmind/IIS),copiesitselfamongwebcontentsprovidedbytheserver(client->server)• Compromisedservers:malwaredownloadedviaweb(server->client)


CIS Sapienza

Lessonsfromthepasthttp://www.computereconomics.com/article.cfm?id=133

• Nimda - 2001– Itenablesanattackertotakecontrolofinfectedmachine• CreatesadministrativeshareofdiskC(enablesanadministratorusertoremotelyaccess)

• CreatesaGuestuseradaddsittoAdministratorgroup– Economiceffects:635millionUS$


CIS Sapienza

Lessonsfromthepast

• Nimda - 2001

Provedthefeasibility(andconvenience)ofattackingaserverindirectly

throughitsclients

Lesson#2Don’tneedtotargettheserver


CIS Sapienza

LessonsfromthepastMoore,Paxson,Savage,Shannon,Staniford,Weaver,“InsidetheSlammerWorm”, IEEESecurityandPrivacy 1,42003

https://en.wikipedia.org/wiki/SQL_Slammer

• SQLSlammer- 2003– Itexploitsabuffer-overflowvulnerabilityofMSSQLServerandMSDE(ondesktopcomputers)

– 376bytesofcodeinmemory• Nomaliciouscontent• ItgeneratesrandomIPaddressandsendsitselfthroughUDPonport1434

– Morethan75Kmachinesinfectedintenminutes


CIS Sapienza

Lessonsfromthepasthttp://www.securityfocus.com/news/2186

http://www.cnet.com/news/counting-the-cost-of-slammer/

• SQLSlammer- 2003– Generationofveryhighratetraffic

• Someroutersbecomeunresponsive• Theothersstartcommunicatingtoupdatetheirroutingtables• Thisgeneratesfurthertrafficwhichmakesadditionalrouterscrash• Rebootedroutersgenerateevenmoretraffictoupdateroutingtablesagain…

– Damagesrelatedtoserviceinterruption• Washington’s911serviceterminals• BankofAmerica’sATMs• ContinentalAirlines’onlineticketsellingservice

London-basedmarketintelligencefirmMi2gsaidthatthewormcausedbetween$950millionand$1.2billioninlostproductivityinitsfirstfivedaysworldwide


CIS Sapienza

Lessonsfromthepast

• SQLSlammer- 2003

Thepossibilitytoexploitdesktopmachinesallowsattackerstoamplifytheeffect

Lesson#3ThereisalwayssomethingavailableontheClient


CIS Sapienza

Lessonsfromthepasthttps://en.wikipedia.org/wiki/Blaster_(computer_worm)

Bailey,Cooke,Jahanian,Watson,"TheBlasterWorm:ThenandNow,"in Security&Privacy,IEEE ,vol.3,no.4,2005

• Blaster- 2003– July,16:Microsoftbulletin

• VulnerabilityofWindowsRPCinterfacewhichenablesexecutingarbitrarycode• Correspondingpatchreleased

– July,26:exploitpubliclyavailable– August,11:Blasterbeginsspreading– August,15:423Kmachinesinfected– August,16:SYNfloodonport80towindowsupdate.com


CIS Sapienza

Lessonsfromthepasthttp://cs.stanford.edu/people/eroberts/cs181/projects/2003-04/security/financial_costs.html

• Blaster- 2003

Thewormspreadeventhoughthepatchwasalreadyavailable

foralmostamonth

Lesson#4TimetoMarketisimportant

AccordingtotheInformationTechnologySystemsandServices(ITSS)departmentatStanford,theMSBlasterwormattacksinSummer2003costanestimated $1.5millionmeasuredintimespentindisinfectingcomputers


CIS Sapienza

LessonsfromthepastLaboratoryofCryptographyandSystemSecurity(CrySyS Lab),

DepartmentofTelecommunicationsofBudapestUniversityofTechnologyandEconomics,«sKyWIper (a.k.a.Flamea.k.a.Flamer):Acomplexmalwarefortargetedattacks”,technicalreport2015

• Flame- 2012– 20MB,allowstoloadadditionalmodules– Fivedistinctencryptionmethods– SQLiteDBtokeepstructuredinformation– Morethan50domainsforC&C– SpreadingthroughLANandpendrives– Canrecordaudio,keyboardactivities,networktraffic,Skypecalls

– Evidencesaboutithasbeendevelopedforespionage


CIS Sapienza

Lessonsfromthepasthttp://cs.stanford.edu/people/eroberts/cs181/projects/2003-04/security/financial_costs.html

• Blaster- 2003

Reuseofcodeofothermalware,modularandextensiblearchitecture,

generalpurposefunctionalities

Lesson#5ROIinmalwaredevelopment


CIS Sapienza



CIS Sapienza

Malwaredetection

Processtodecidewhetheragivensampleisamalware

inthefollowingweonlyconsiderWindowsexecutablesassamples


CIS Sapienza

Malwareanalysis

Studyofagivensampletoacquireknowledgeaboutits

possiblemaliciousnature


CIS Sapienza

DetectionvsAnalysis

• Malwaredetectionisaspecifictypeofmalwareanalysis• Ingeneral,malwareanalysisoutputscanbeusedtomalwaredetection• Malwareanalysisusuallyleveragessomeexistingknowledgebase


CIS Sapienza

MalwarefamiliesandvariantsV.Ghanaei,C.S.Iliopoulos,R.E.Overill."AStatisticalApproachforDiscoveringCritical

MaliciousPatternsinMalwareFamilies".PATTERNS2015

•AmalwareXisavariant ofanothermalwareYifXcanbeobtainedfromYbyapplyingsomemutations– MalwareXandYshareconsiderableportionsofcriticalcode

– Variantsofasamemalwarebelongtothesamefamily

• ClusteringmalwareinfamiliesisAV-dependent


CIS Sapienza

Othertypesofmalwareanalysis

• Variantsdetection:givenamalwareM,–WhichmalwarearevariantofM?variantselection–WhichfamilyMbelongsto?familyselection

• Categorydetection (trojan horse,worm,virus,…)• Noveltyandsimilaritydetection– Recognizewhatisnoveltoanalyzeitinmoredetail– Recognizewhatisalreadyknowntoavoidanalyzeitagain


CIS Sapienza

Othertypesofmalwareanalysis

• DevelopmentdetectionM.Graziano,D.Canali,L.Bilge,A.Lanzi,D.Balzarotti.“Needlesinahaystack:Mininginformationfrompublicdynamicanalysissandboxesformalwareintelligence”.USENIXSecurity15

– Onlinetoolsusedbymalwaredeveloperstotestnewmalware– Theanalysisofsubmissionstothesetoolscanallowtodetect

«worksinprogress»• Attribution

– Whodevelopedagivenmalware?– Worequestedthedevelopmentofagivenmalware?

• Triage:givemalwareapriority


CIS Sapienza



CIS Sapienza

StaticapproachesMoser,Kruegel,Kirda,"LimitsofStaticAnalysisforMalwareDetection“,

inComputerSecurityApplicationsConference,2007

• Don’trequiremalwareexecution,onlyitscontentisanalyzed• Signature-basedtechniques– Databaseofregularexpressionsspecifyingthesequencesofbytes/instructionsconsideredasmalicious

– Noteffectiveagainstpolymorphicmalware…• Polymorphicmalware– Malwareappearanceischangedby• Encryption• Appending/pre-pendingdata


CIS Sapienza

Staticapproaches• LimitsofPolymorphicmalware– Decryptedcoderemainsthesame– Signature-basedtechniquesondatainmemory

• Allowtheirdetection• Noteffectiveagainstmetamorphicmalware…

• Metamorphicmalware– Recodeitselfeverytimetheyre-propagates

• AddavariablenumberofNOP• Permutationofusedregisters• Insertionofisolatedcodesections(neverexecuted)• Shufflingoffunctionsanddatastructures


CIS Sapienza

StaticapproachesChristodorescu,Jha,Seshia,Song,Bryant,

"Semantics-awaremalwaredetection,"inSecurityandPrivacy2005

• LimitsofMetamorphicmalware– Malwaresemanticremainsthesame– Semantic-awaremalwaredetector

• Checkifasoftwareissemanticallysimilartoaknownmalware• Template:representsamaliciousbehavior

– Decryptinginpolymorphicmalware– Searchforemailaddresses– …

• Matchingoftemplatestocodesectionsofthesampletoanalyze– Basedontheeffectsinmemory


CIS Sapienza



CIS Sapienza

DynamicapproachesM.Egele,T.Scholte,E.Kirda,C.Kruegel,"Asurveyonautomateddynamic

malware-analysistechniquesandtools",ACMComput.Surv.2012

• Requiremalwareexecutiontoanalyzeitsactualbehavior• Severalapproaches,complementarytoeachother– Monitoringoffunctioncalls– Analysisofparameterspassedtofunctions– Tracingofinformationflows– Tracingofexecutedinstructions– MonitoringofAutoStart ExtensibilityPoints


CIS Sapienza

Dynamicapproaches• Monitoringoffunctioncalls– Allowstoobtainahigh-levelviewoftherealbehavior– Functioncallsinterceptedthroughhooking– Malwareexecutinginkernel-modecanbypasshooks– Analysisoffunctioncallstrace

• Representedasagraph– Nodesarefunctions– Edgesarefunctioncalls

• Matchingtoknownmalwarebasedongraphdistance– i.e.,editdistance


CIS Sapienza

Dynamicapproaches• Analysisofparameterspassedtofunctions– Focusonrealvaluespassedwhenafunctionisinvoked– Tracingthevaluesofparametersandreturnedresultallowstolinkdistinctfunctioncalls

– Example• open() returnsthedescriptorofthefilejustopened• read() requiresfiledescriptorasparameter• Ifdescriptorsarethesame,thelinkisobvious


CIS Sapienza

Dynamicapproaches• Tracingofinformationflows– Goal:understandinghowdataofinterestpropagateassoftwarecomputethem

– Datatobemonitoredaremarkedwithlabels• Theselabelspropagatetogetherwithmarkeddataandenabletracing

• Trivialexample» X:datumofinterestmarkedwithlabelL1» Instruction:Y = X» L1 ispropagatedtoY


CIS Sapienza

Dynamicapproaches• Tracingofinformationflows– Aspectstotakeintoaccount

• Directdependenciesbetweendata» A = A + X» IfbothA andX arelabeled,howtopropagatethelabel?

• Addressdependencies» Read/writeaddressesderivedfromlabeleddata» A = X[10] whereX islabeled» B = C[Y] whereY islabeled


CIS Sapienza

Dynamicapproaches• Tracingofexecutedinstructions– Sequenceofassemblyinstructions– Canincludeadditionalusefulinformation

• Example:reportonsystemcallsandfunctioncalls• MonitoringofAutoStart ExtensibilityPoints– ASEP:mechanismsallowingapplicationstobeexecutedatstartuporwhenanotherspecificapplicationstarts

– Oftenusedbymalwaretobecomepersistent– Canprovideinformationusefulfordetectionpurposes


CIS Sapienza



CIS Sapienza

•Malwarearedeliveredwithincampaigns– Usersforced/luredtoclickmalevolentlinksoropenmaliciousattachments

– Attackersuseasmartdeliveryinfrastructure• DomainsandIPaddressesarechangedfrequently• Canavoiddetectionmechanismsbasedonblacklists

– e.g.,GoogleSafeBrowsing• Isitpossibletocharacterizethewaymalwarearedownloadedsoastoidentifydistinguishingpatterns?

ApproachesbasedondownloadpatternVadrevu,Rahbarinia,Perdisci,Li,Antonakakis,

"MeasuringandDetectingMalwareDownloadsinLiveNetworkTraffic",ESORICS2013


CIS Sapienza

•AMICOAccurateMalwareIdentificationviaClassificationoflivenetworktrafficObservations– Trafficmonitoringtoextractinformationondownloadedfiles– MachineLearningtechniquestoclassifyfilesinmaliciousorbenign




CIS Sapienza

•Typesofusedfeatures– Infoonpastdownloads(howmanytimesithasbeendownloaded,…)

– Infoondomains(howmanymalwaredownloadedfromthatdomain,…)

– InfoonserverIP (howmanymalwaredownloadedfromthatIP,…)

– InfoonURLstructure (howmanymalwaredownloadedfromsimilarURLs,…)

– Infoonthedownload(fileextension,presenceofreferer,…)




CIS Sapienza

•Classification:givenasamplejustdownloaded,decidewhetheritisamalwarebyanalyzingitsprovenance– Computeabooleanfunctionf({feature values})–MachineLearningtolearntocomputesuchafunctionhavingatdisposalatrainingset• Setofelements[{feature values},f({feature values})]• Agroundtruthisrequiredtocreatethetrainingset– AMICOusesVirusTotal (https://www.virustotal.com/)




CIS Sapienza

•Experimentalresultsverypromising– 90%truepositive– 0.1%falsepositive– Zeroday malwaredetected!!!

•Veryfastclassification– Itisnotrequiredtoanalyzesamplecontentorbehavior

•Limitation– Featurecomputationrequirestocollectstatisticsover2/3

monthsofdownloadsØ Bootstrapof2/3monthsrequired!!!



Documents

SES2017 - Malware Analysismalware-analysis techniques and tools", ACM Comput. Surv. 2012 •Require malware execution to analyze its actual behavior •Several approaches, complementary