Malware (presentation transcript)


Slide 1: Malware

Slide 2: Malicious Software
- Malware is not new…
- Fred Cohen's initial virus work in the 1980's
  - Used viruses to break MLS systems
- Types of malware (lots of overlap)
  - Virus: passive propagation
  - Worm: active propagation
  - Trojan horse: unexpected functionality
  - Trapdoor/backdoor: unauthorized access
  - Rabbit: exhaust system resources

Slide 3: Where do Viruses Live?
- Just about anywhere…
- Boot sector
  - Take control before anything else
- Memory resident
  - Stays in memory
- Applications, macros, data, etc.
- Library routines
- Compilers, debuggers, virus checker, etc.
  - These would be particularly nasty!

Slide 4: Malware Timeline
- Preliminary work by Cohen (early 80's)
- Brain virus (1986)
- Morris worm (1988)
- Code Red (2001)
- SQL Slammer (2004)
- Future of malware?

Slide 5: Brain
- First appeared in 1986
- More annoying than harmful
- A prototype for later viruses
- Not much reaction by users
- What it did
  1. Placed itself in boot sector (and other places)
  2. Screened disk calls to avoid detection
  3. On each disk read, checked boot sector to see if it was infected; if not, goto 1
- Brain did nothing malicious

Slide 6: Morris Worm
- First appeared in 1988
- What it tried to do
  - Determine where it could spread
  - Spread its infection
  - Remain undiscovered
- Morris claimed his worm had a bug…
- Morris worm tried to re-infect systems
  - Led to resource exhaustion
  - Adverse effect was like a so-called rabbit

Slide 7: Morris Worm
- How to spread its infection?
- Tried to obtain access to machine by…
  - User account password guessing
  - Exploited buffer overflow in fingerd
  - Exploited trapdoor in sendmail
- Flaws in fingerd and sendmail were well-known at the time, but not widely patched

Slide 8: Morris Worm
- Once access had been obtained to machine…
- "Bootstrap loader" sent to victim
  - Consisted of 99 lines of C code
- Victim machine compiled and executed code
- Bootstrap loader fetched the rest of worm
- Victim even authenticated the sender!
  - Trudy doesn't want user to get a bad worm…

Slide 9: Morris Worm
- How to remain undetected?
- If transmission of the worm was interrupted, all code was deleted
- Code encrypted when downloaded
- Code deleted after decrypting and compiling
- When running, the worm regularly changed its name and process identifier (PID)

Slide 10: Result of Morris Worm
- Shocked the Internet community of 1988
  - Internet of 1988 much different than today
- Internet designed to withstand nuclear war
  - Yet it was brought down by a graduate student!
  - At the time, Morris' father worked at NSA…
  - …which added a conspiratorial overtone
- Could have been much worse: not malicious
- As a result, CERT, more security awareness
  - But limited actions to improve security

Slide 11: Code Red Worm
- Appeared in July 2001
- Infected more than 250,000 systems in about 15 hours
- Eventually infected about 750,000 out of about 6,000,000 susceptible systems
- To gain access, exploited buffer overflow in Microsoft IIS server software
  - Then monitored traffic on port 80, looking for other susceptible servers

Slide 12: Code Red Worm
- What it did
  - Day 1 to 19 of month: tried to spread infection
  - Day 20 to 27: distributed denial of service attack on
- Later versions (several variants)
  - Included trapdoor for remote access
  - Rebooted to flush worm, leaving only trapdoor
- Some claimed Code Red was "beta test for information warfare"

Slide 13: SQL Slammer
- Infected 250,000 systems in 10 minutes!
- Code Red took 15 hours to do what Slammer did in 10 minutes
- At its peak, Slammer infections doubled every 8.5 seconds
- Slammer spread "too fast"…
- …and "burned out" available bandwidth

Slide 14: SQL Slammer
- Why was Slammer so successful?
  - Worm fit in one 376-byte UDP packet
  - Firewalls often let a small packet through, assuming it could do no harm by itself
- Then firewall monitors the "connection"
  - Expectation was that much more data would be required for an attack
  - Slammer defied assumptions of "experts"

Slide 15: Malware Detection
- Three common methods
  - Signature detection
  - Change detection
  - Anomaly detection
- We briefly discuss each of these
  - And consider advantages and disadvantages of each

Slide 16: Signature Detection
- A signature is a string of bits found in software (or could be a hash value)
- Suppose that a virus has signature 0xd7e5ce3d47f2a5d1ded83
  - That is, this string of bits appears in the virus
- We can search for this signature in all files
- If we find the signature, have we found the virus?
  - No, same signature could appear in innocent files
  - But at random, chance is 1/2^128
  - Software is not random, so probability is higher

Slide 17: Signature Detection
- Advantages
  - Effective on "traditional" malware
  - Minimal burden for users/administrators
- Disadvantages
  - Signature file can be large (10,000's of signatures)…
  - …making scanning slow
  - Signature files must be kept up to date
  - Cannot detect unknown viruses
  - Cannot detect some types of malware
- By far the most popular detection method

Slide 18: Change Detection
- Viruses must live somewhere on the system
- If we detect that a file has changed, it may have been infected
- How to detect changes?
  - Hash files and (securely) store hash values
  - Recompute hashes and compare
  - If hash value changes, it might be infected

Slide 19: Change Detection
- Advantages
  - Virtually no false negatives
  - Can even detect previously unknown malware
- Disadvantages
  - Many files change, and often
  - Many false alarms (false positives)
  - Heavy burden on users/administrators
  - If suspicious change detected, then what?
  - Might fall back to signature-based system
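A small Python illustration of the signature and change detection methods of slides 16 to 19, added here and not part of the original slides. The in-memory "file system", the baseline key and the simulated infection are constructed for the example; the signature bytes are the first eight bytes of slide 16's example, and the keyed hash (HMAC) stands in for the slide's "(securely) store hash values".

```python
"""Signature detection and change detection over a constructed set of files.
Added example; not code from the slides."""
import hashlib
import hmac

# Constructed sample files (hypothetical contents, not real programs).
FILES = {
    "bin/ls": b"\x7fELF...list directory...",
    "bin/cat": b"\x7fELF...concatenate files...",
    "doc/notes.txt": b"meeting notes, nothing to see here",
}

# Signature bytes taken from slide 16's example value (first 8 bytes).
VIRUS_SIGNATURE = bytes.fromhex("d7e5ce3d47f2a5d1")


def signature_scan(files, signature):
    """Signature detection: names of files that contain the byte string.
    Finds only malware whose signature is already known; an innocent file
    that happens to contain the same bytes is reported as a false positive."""
    return sorted(name for name, data in files.items() if signature in data)


def make_baseline(files, key):
    """Change detection, step 1: hash every file and keep the hashes.
    The hash is keyed (HMAC-SHA256) so that someone who alters a file cannot
    also forge a matching stored hash without the key; the key itself would
    be kept offline or read-only in practice."""
    return {name: hmac.new(key, data, hashlib.sha256).hexdigest()
            for name, data in files.items()}


def check_changes(files, baseline, key):
    """Change detection, step 2: recompute and compare.
    Returns (changed, added, removed). A changed file *might* be infected:
    virtually no false negatives, but every legitimate edit is flagged too."""
    current = make_baseline(files, key)
    changed = sorted(n for n in baseline if n in current
                     and not hmac.compare_digest(current[n], baseline[n]))
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return changed, added, removed


def demo():
    """Run both methods over a simulated infection plus one legitimate edit.
    Returns (signature hits, files flagged by change detection)."""
    key = b"constructed-baseline-key"
    baseline = make_baseline(FILES, key)          # taken while the system is clean
    later = dict(FILES)
    # Simulated infection: the "virus" appends itself to bin/ls.
    later["bin/ls"] = FILES["bin/ls"] + b"\x90\x90" + VIRUS_SIGNATURE + b"\xcc"
    # Legitimate edit: change detection cannot tell this from an infection.
    later["doc/notes.txt"] = b"meeting notes, updated"
    sig_hits = signature_scan(later, VIRUS_SIGNATURE)
    changed, _added, _removed = check_changes(later, baseline, key)
    return sig_hits, changed


if __name__ == "__main__":
    hits, changed = demo()
    print("signature hits:", hits)        # only the infected file
    print("changed files:", changed)      # infected file AND the edited notes
```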

Slide 20: Anomaly Detection
- Monitor system for anything "unusual" or "virus-like" or potentially malicious or ???
- What is unusual?
  - Files change in some unusual way
  - System misbehaves in some way
  - Unusual network activity
  - Unusual file access, etc., etc., etc.
- But must first define "normal"
  - Normal can (and must) change over time!

Slide 21: Anomaly Detection
- Advantages
  - Chance of detecting unknown malware
- Disadvantages
  - No proven track record
  - Trudy can make abnormal look normal (go slow)
  - Must be combined with another method (usually, signature detection)
- Also popular in intrusion detection (IDS)
- A difficult unsolved (unsolvable?) problem
  - An AI problem?

Slide 22: Future of Malware
- Trends
  - Encrypted, polymorphic, metamorphic malware
  - Fast replication/Warhol worms
  - Flash worms, slow worms, etc.
- Future is bright for malware
  - Good news for the bad guys…
  - …bad news for the good guys
- Future of malware detection?

Slide 23: Encrypted Viruses
- Virus writers know that signature detection is king
- So, how to evade signature detection?
- Encrypting the virus is a good idea
  - Looks like random bits
  - Different key, different "random" bits
  - Different copies have different signatures
- Encryption is often used today in viruses

Slide 24: Encrypted Viruses
- How to detect encrypted viruses?
- Search for the decryptor code
  - Standard signature detection problem
- Why not encrypt the decryptor code?
  - Then encrypt the encryptor of the encryptor code (and so on…)
- Encryption is of limited value
  - Makes signature detection a bit more difficult

Slide 25: Polymorphic Malware
- Polymorphic worm
  - Body of worm is encrypted
  - Decryptor is "mutated"
  - Goal is no common signature
  - Like an encrypted worm on steroids…
- Q: How to detect?
- A: Emulation
  - Slow, but effective

Slide 26: Metamorphic Malware
- A metamorphic worm "mutates" when infecting a new system
  - Sometimes called "body polymorphic"
- Such a worm can, in principle, avoid signature-based detection systems
- Mutated worm must function the same
  - And be "different enough" to avoid detection
- Detection is a current research problem

Slide 27: Metamorphic Malware
- Metamorphic generator
  - Standalone app that generates metamorphic code
  - Source of endless "new" malware
- Metamorphic virus that "carries its own generator"
  - Much more difficult to construct

Slide 28: Metamorphic Worm
- One approach to metamorphic replication…
  - Disassemble the worm
  - Worm stripped to a base form
  - Random variations inserted into code (permute the code, insert dead code, etc., etc.)
  - Assemble the resulting code
- Goal is a worm with the same functionality as the original, but a different signature

Slide 29: Warhol Worm
- "In the future everybody will be world-famous for 15 minutes" (Andy Warhol)
- A Warhol Worm is designed to infect the entire Internet in 15 minutes
- Slammer infected 250,000 in 10 minutes
  - "Burned out" bandwidth
  - Slammer could not have infected all of the Internet in 15 minutes: too bandwidth intensive
- Can a worm do "better" than Slammer?

Slide 30: A Possible Warhol Worm
- Seed worm with an initial hit list containing a set of vulnerable IP addresses
  - List depends on the particular exploit…
  - Tools exist for identifying vulnerable systems
- Each successful initial infection would attack a selected part of the IP address space
- No worm this sophisticated has yet been seen in the wild (as of 2008)
  - Even Slammer generated random IP addresses
- Could infect entire Internet in 15 minutes!

Slide 31: Flash Worm
- Possible to do "better" than a Warhol worm?
- Infect entire Internet in less than 15 minutes?
- Searching for vulnerable IP addresses is the slow part of any worm attack
- Searching might be bandwidth limited
  - Like Slammer
- Flash worm designed to infect entire Internet almost instantly

Slide 32: Flash Worm
- Predetermine all vulnerable IP addresses
  - Depends on details of the particular attack
- Embed all known vulnerable addresses in worm(s)
- Results in huge worm(s) (perhaps 400KB)
- Whenever the worm replicates, it splits
- Virtually no wasted time or bandwidth!
- [Figure: original worm(s), 1st generation, 2nd generation]

Slide 33: Flash Worm
- Estimated that an ideal flash worm could infect the entire Internet in 15 seconds!
- Much faster than humans could respond
- A conjectured defense against flash worms
  - Deploy many "personal IDSs"
  - Master IDS watches over the personal IDSs
  - When master IDS detects unusual activity, lets it proceed on a few nodes, blocks it elsewhere
  - If sacrificial nodes adversely affected, attack is prevented almost everywhere

Slide 34: Botnets
- Today, "botnets" are often portrayed as the biggest malware threat
  - Many compromised machines (zombies) under control of botmaster (bot-herder)
- Why botnets?
  - Spamming
  - Distributed DoS attacks
  - Other "anonymous" malicious attacks

Slide 35: Botnets
- Usually, controlled via IRC
  - But this is a possible weakness
  - Shut down IRC server
- Today, much interest in P2P botnets
  - More robust, harder to shut down
  - But, much harder to design and control
- A good (but difficult) research topic

Slide 36: Whatever Happened to…
- Since Slammer (2004), appears that there are few "fast" worms
- Few new metamorphics since early 2000s
- So, whatever happened to flash worms, metamorphic worms, etc.?
  - Difficult to develop?
  - Better detection?
  - Botnets?
- Maybe just a lull before the storm?

Slide 37: Metamorphic Viruses

Slide 38: Metamorphic Viruses
- Some interesting questions…
- Q: How metamorphic are existing "metamorphic" generators?
- Q: How to detect metamorphic viruses?
- Q: How to build a "better" metamorphic generator?

Slide 39: Hunting for Metamorphic Generators…
- First, how to compare X.exe and Y.exe?
- Disassemble and extract opcodes
  - x_1, x_2, …, x_n from X and y_1, y_2, …, y_m from Y
  - Compare all subsequences of length 3
  - They match if opcodes match (in any order)
  - If (x_i, x_{i+1}, x_{i+2}) matches (y_j, y_{j+1}, y_{j+2}) then plot a point in the x,y-plane at (i, j)
- Reduce "noise" in the resulting picture by requiring 5 consecutive matches

Slide 40: Comparing Executables
- The process…

Slide 41: Comparing Executables
- Compute a score based on the picture as follows
- Increment count for each opcode that is "covered" by a line segment
  - Do this for both x axis and y axis
- Divide total count by (n + m)
  - Identical programs yield a solid line on the diagonal and (symmetric) noise, with a score of 1.0
  - Similar code has line segments parallel to the diagonal and often scores greater than 0.5
  - Unrelated programs have some random matches
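The opcode comparison of slides 39 and 41 in Python, as an added example that is not the authors' code: length-3 windows match in any order, a point survives only on a diagonal run of at least 5 consecutive matches, and the score is the number of opcodes covered on both axes divided by n + m. The opcode sequences are constructed, with the "morphed" copy made by inserting dead code into the original, as slide 28 describes.

```python
"""Opcode-sequence similarity score from slides 39 and 41. Added example."""
from collections import defaultdict


def opcode_matches(x, y, k=3):
    """All points (i, j) where x[i:i+k] and y[j:j+k] hold the same opcodes
    in any order (a sorted tuple is the order-independent key)."""
    index = defaultdict(list)
    for j in range(len(y) - k + 1):
        index[tuple(sorted(y[j:j + k]))].append(j)
    points = set()
    for i in range(len(x) - k + 1):
        for j in index.get(tuple(sorted(x[i:i + k])), ()):
            points.add((i, j))
    return points


def denoise(points, run=5):
    """Keep only points lying on a diagonal run of at least `run`
    consecutive matches (i, j), (i+1, j+1), ...; isolated matches are noise."""
    kept = set()
    for (i, j) in points:
        if (i - 1, j - 1) in points:
            continue              # not the start of a run; handled from its start
        length = 0
        while (i + length, j + length) in points:
            length += 1
        if length >= run:
            kept.update((i + t, j + t) for t in range(length))
    return kept


def similarity_score(x, y, k=3, run=5):
    """Opcodes covered by surviving line segments on both axes, over n + m.
    Identical sequences score 1.0; sequences with no common window score 0.0."""
    points = denoise(opcode_matches(x, y, k), run)
    covered_x = {i + t for (i, _) in points for t in range(k)}
    covered_y = {j + t for (_, j) in points for t in range(k)}
    return (len(covered_x) + len(covered_y)) / (len(x) + len(y))


# Constructed opcode sequences (hypothetical disassembly output).
ORIGINAL = ["push", "mov", "sub", "mov", "call", "test", "jz", "mov",
            "add", "mov", "cmp", "jne", "lea", "call", "xor", "pop", "ret"]
# "Morphed" copy: same code with two dead-code instructions inserted.
MORPHED = ORIGINAL[:8] + ["nop", "nop"] + ORIGINAL[8:]
# Unrelated code sharing no opcodes at all.
UNRELATED = ["inc", "dec", "shl", "shr", "and", "or", "not", "neg"]


def demo():
    """Scores for the three comparisons, in the spirit of slides 42 to 47."""
    return {
        "self": similarity_score(ORIGINAL, ORIGINAL),
        "morphed": similarity_score(ORIGINAL, MORPHED),
        "unrelated": similarity_score(ORIGINAL, UNRELATED),
    }


if __name__ == "__main__":
    for name, score in demo().items():
        print(f"{name:>10}: {score:.3f}")
```

The inserted dead code breaks the diagonal into two segments, so the morphed copy still scores close to 1.0 (34/36) while the unrelated code scores 0.0.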

Slide 42: Comparing Code to Itself
- Note: "noise" not removed from this example
- Here, score is 1.0

Slide 43: Comparing Metamorphic Code
- Two files from "VCL32" generator
- Score 0.60

Slide 44: Comparing Metamorphic Code
- Files from "MPCGEN" generator
- Score 0.57

Slide 45: Comparing Metamorphic Code
- Files from "G2" generator
- Score 0.75

Slide 46: Comparing Metamorphic Code
- Files from "NGVCK" generator
- Score 0.12

Slide 47: Comparing Normal Code
- Randomly selected "normal" files
  - Cygwin utilities
- Score 0.35

Slide 48: Metamorphic Generators
- Metamorphic generators & normal files

Slide 49: Conclusion?
- With 1 exception, the metamorphic generators tested are not good
  - Only NGVCK is better than "normal"
- Q: Why so few good generators?
- A: Generating metamorphic code is a lot harder than it seems…

Slide 50: Detecting Metamorphic
- We use Hidden Markov Models (HMMs)
  - A type of "machine learning"
  - Like neural nets, but not as sexy…
  - …but, arguably, easier and more informative
- Assume there is some Markov process which is hidden
- We are only able to observe some (indirect) effect of the Markov process

Slide 51: HMM
- Markov process "behind the scenes"
  - Here, X_0 → X_1 → X_2 → … (matrix A)
- We only get to see observations, O_i
  - The O_i are related to X_i via matrix B

Slide 52: HMM Example
- Suppose tree growth ring sizes are related to average annual temperature
  - We cannot go back in time and measure temperature
  - But we can measure tree growth rings
- With an HMM, we can obtain info about the (hidden) temperature, based on observed tree ring sizes

Slide 53: HMM Example
- We assume temperature is determined by a (hidden) Markov process…
  - …and we can observe tree growth rings
- Suppose year-to-year temperature (hot or cold) is determined by a transition matrix (given on the slide)
- And temperature is related to growth rings according to an observation matrix (given on the slide)

Slide 54: HMM Example
- Then we can define the HMM as (A, B, π) where
- A is the matrix for the (hidden) Markov process
- B relates hidden state to observations
- π gives initial probabilities

Slide 55: HMM Example
- Suppose for some 4-year period we observe tree ring sizes (S, M, S, L)
  - Where S, M, L are small, medium, large, respectively
- Q: What were the "most likely" temperatures?
- A: Depends on what you mean by "most likely"
- Dynamic programming (DP) finds the best "path"
- HMM maximizes the expected number of correct states (expectation maximization)

Slide 56: HMM Example
- Let's use 0, 1, 2 for S, M, L, respectively
- Then what is the most likely state sequence given observation (0, 1, 0, 2)?
  - Where "most likely" is in the HMM sense
- Notation: A = {a_ij}
- Notation: B = {b_j(k)}

Slide 57: HMM Example
- Let X = (x_0, x_1, x_2, x_3) be a state sequence
  - In our example, each x_i is either H or C
- And, for any such X, the joint probability P(X, O) is given on the slide
- For example, given observation sequence (O_0, O_1, O_2, O_3) = (0, 1, 0, 2), the slide shows the resulting product

Slide 58: HMM Example
- For observation sequence (0, 1, 0, 2) we find the table of probabilities given on the slide
- So, the most likely state sequence is…
- CCCH
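The tree-ring HMM of slides 52 to 58 worked in Python, as an added example rather than the slides' own material; the matrices A, B and π are an assumption taken from the cited "A revealing introduction to HMMs" (the slide images that carry them are not in this transcript). With those values, enumerating all 16 state sequences reproduces the CCCH of slide 58, the forward pass is the scoring later applied to an unknown file on slide 65, and the forward-backward marginals show the HMM sense of "most likely" from slide 55.

```python
"""Tree-ring temperature HMM from the slides, worked by hand in code.
Added example; the matrix values are assumed from Stamp's HMM tutorial."""
from itertools import product

STATES = ("H", "C")            # hidden states: hot, cold
# Observation symbols 0, 1, 2 stand for S, M, L tree rings (slide 56).
A = {"H": {"H": 0.7, "C": 0.3}, "C": {"H": 0.4, "C": 0.6}}   # assumed transition matrix
B = {"H": (0.1, 0.4, 0.5), "C": (0.7, 0.2, 0.1)}              # assumed observation matrix
PI = {"H": 0.6, "C": 0.4}                                      # assumed initial distribution


def joint_probability(X, O):
    """P(X, O) = pi_{x0} b_{x0}(O0) a_{x0 x1} b_{x1}(O1) ... for one state path X."""
    p = PI[X[0]] * B[X[0]][O[0]]
    for t in range(1, len(O)):
        p *= A[X[t - 1]][X[t]] * B[X[t]][O[t]]
    return p


def best_path_by_enumeration(O):
    """Slide 58's table: every state sequence with its P(X, O).
    Returns (best path, its probability, P(O) = sum over all paths)."""
    table = {"".join(X): joint_probability(X, O)
             for X in product(STATES, repeat=len(O))}
    best = max(table, key=table.get)
    return best, table[best], sum(table.values())


def forward_backward(O):
    """Forward pass scores the observation sequence (P(O), HMM problem 1 on
    slide 59); forward times backward gives gamma_t(i) = P(x_t = i | O), and
    picking the most probable state at each position maximizes the expected
    number of correct states, the HMM sense of 'most likely' on slide 55.
    Returns (P(O), gamma, hmm_sense_path)."""
    T = len(O)
    alpha = [{} for _ in range(T)]
    for s in STATES:
        alpha[0][s] = PI[s] * B[s][O[0]]
    for t in range(1, T):
        for s in STATES:
            alpha[t][s] = B[s][O[t]] * sum(alpha[t - 1][r] * A[r][s] for r in STATES)
    beta = [{} for _ in range(T)]
    for s in STATES:
        beta[T - 1][s] = 1.0
    for t in range(T - 2, -1, -1):
        for s in STATES:
            beta[t][s] = sum(A[s][r] * B[r][O[t + 1]] * beta[t + 1][r] for r in STATES)
    prob_O = sum(alpha[T - 1].values())
    gamma = [{s: alpha[t][s] * beta[t][s] / prob_O for s in STATES} for t in range(T)]
    hmm_sense = "".join(max(g, key=g.get) for g in gamma)
    return prob_O, gamma, hmm_sense


if __name__ == "__main__":
    O = (0, 1, 0, 2)                      # observed rings S, M, S, L
    best, p_best, p_obs = best_path_by_enumeration(O)
    print("best single path:", best, round(p_best, 7))
    _, gamma, per_position = forward_backward(O)
    for t, g in enumerate(gamma):
        print(f"t={t}: P(H)={g['H']:.3f} P(C)={g['C']:.3f}")
    print("HMM-sense sequence:", per_position, "  P(O) =", round(p_obs, 7))
```

With the assumed matrices the best single path is CCCH (probability about 0.00282), while the per-position marginals choose CHCH, illustrating why slide 55 says the answer depends on what "most likely" means.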

Slide 59: HMMs
- Real strength of HMMs is due to the existence of efficient algorithms
- Efficient HMM algorithms exist for
  1. Given a model, score an observation sequence
  2. Find "most likely" hidden states
  3. Generate a model from "training" data
- Note: generating a model (number 3) is the sense in which an HMM is "machine learning"
  - Only specify N, the number of hidden states

Slide 60: Uses for HMMs
- Speech recognition
  - Train a model based on features (observations) extracted from speech
  - When someone speaks, extract the same observations and score against the model
  - If the score is high, it's probably the original speaker
- DNA sequencing/protein modeling
- Martian studying English text
- Metamorphic virus detection…

Slide 61: Martians and English Text?
- Martian knows nothing about English…
- …but gets a lot of English text
- Of course, decides to use HMMs to analyze the text
  - Remove all punctuation, make letters lower-case
  - Then 27 different symbols can be observed
  - Start with 2 hidden states…

Slide 62: HMM and English Text
- Choose N = 2
- Then A matrix is 2 x 2
- And B matrix is 2 x 27
- Training on about 50,000 letters of text gives the B matrix on the next slide…
- What happens for N = 3, N = 4, …?

Slide 63: [B matrix for N = 2, trained on English text]

Slide 64: For More Info on HMMs
- A revealing introduction to HMMs, Stamp
  - Of course, this is the best source…
- A tutorial on HMMs and selected applications in speech recognition, Rabiner
  - The standard reference

Slide 65: HMM-Based Detection
- Assuming we have many metamorphic viruses from the same generator
- Extract opcodes and append
  - Yields one long opcode sequence
- Train HMM model using the opcode sequence
- Then given an unknown file…
  - Extract its opcode sequence
  - Score its opcode sequence against the model
  - High score, then likely a virus from the same "family"

Slide 66: Training, Testing, Scoring
- With 200 NGVCK files…

Slide 67: Detection Results
- NGVCK vs normal files

Slide 68: More Detection Results
- NGVCK, normal, and VCL32

Slide 69: HMM-Based Detection
- Highly effective
  - And the HMM only requires 2 or 3 hidden states
- In fact, so effective, it should be patented
  - But it's not (long story…)
- Did I mention that it's effective?
- However, this method is not (yet) practical
  - Need to extract opcodes from "scanned" files
- Ongoing student project will change that…

Slide 70: More Info
- For more info on HMM-based detection of metamorphic malware: Hunting for metamorphic engines, Wing Wong and Mark Stamp, Journal in Computer Virology, December 2006
  - Complete, thorough, readable, etc.

Slide 71: Profile HMM
- "Profile" HMMs are widely used in bioinformatics
- Standard HMM does not take into account positional information
  - Markov process does not "know" (or care) where it is within the observation sequence
- In bioinformatics, position within the sequence is often critical
  - Profile HMMs were developed for such problems

Slide 72: PHMMs
- "Usual" picture of a PHMM
- Includes "insert" and "delete" states
  - To allow for gaps and incorrect symbols

Slide 73: PHMM vs Standard HMM
- For PHMMs…
- Different B matrix for each step, that is, positional dependence
  - New B for each step: B_t
- Insertions and deletions allowed
- Algorithms much more complex
- Initial "alignment" of sequences is a separate problem from PHMM training

Slide 74: PHMMs for Metamorphic Detection?
- Might a PHMM be better than an HMM?
  - Possibly, a stronger model if positional info is taken into account
  - Analogy to biology: metamorphics "mutate"
- Might a PHMM be worse than an HMM?
  - More complex
  - Positional info not useful

Slide 75: PHMM-Based Detection
- Two students worked on this problem
  - One developed initial alignments
  - The other developed the PHMM for this problem
- Both did excellent work
  - PHMM had the bigger "wow" factor
  - Student who did initial alignment caught some undeserved grief

Slide 76: PHMM Detection Results
- VCL32
- Good results

Slide 77: PHMM Detection Results
- NGVCK
- Good, but not as impressive as HMM

Slide 78: PHMM Bottom Line
- Interesting idea…
- Very effective on certain types of metamorphism…
- …not so effective against others
  - What morphing is hard for a PHMM?
- Overall, not as effective as HMM

Slide 79: More Info
- Standard reference on PHMMs
  - Biological Sequence Analysis: Probabilistic Models of Proteins and Nucleic Acids, Durbin et al.
- Paper on PHMM-based detection
  - Profile hidden Markov models and metamorphic virus detection, Attaluri, McGhee, Stamp, Journal in Computer Virology, May 2009

Slide 80: Undetectable Metamorphic?
- Goal is to create a metamorphic generator that will
  - Evade signature detection
  - And evade HMM-based detection
- How to accomplish this?
  - Code must be highly metamorphic (to evade signature detection)
  - Code must look "normal" (to evade HMM/statistical/heuristic-based detection)

Slide 81: Metamorphic Generator I
- First attempt…
- Generator is only moderately metamorphic
- So, we iterated it several times
  - After 9 iterations, code is very metamorphic
  - But, code grows a lot due to junk insertion
- What about detection?
- See next slides…

Slide 82: Metamorphic Generator I
- Trained HMM on 9th generation files
- Scores vs normal files

Slide 83: Metamorphic Generator I
- Graph of 9th gen. scores vs normal files

Slide 84: Metamorphic Generator II
- Second attempt…
- Appears to be much more successful
- Better metamorphic generator
- Junk code is taken from normal files
  - Entire subroutine
  - Or a few lines of code with jumps
- See next slide…

Slide 85: Metamorphic Generator II
- Not sure which generator…

Slide 86: More Info
- Coming soon…

Slide 87: Ongoing Related Projects
- Use HMM to detect "provably undetectable" viruses
- Practical HMM-based detection
  - "Approximate disassembly"
- Virus with built-in buffer overflow
  - Sneaky way to reach "dead" code

Slide 88: Backdoor.Hacarmy.D
- Analysis of botnet code

The remaining slides are screenshots; the transcript carries only their titles (and placeholder text), listed here in order:

Slides 89-92: Unpacking
Slides 93-96: Dumpbin
Slide 97: Initial Impressions
Slides 98-103: Installation
Slide 104: Initializing Communication
Slide 105: Network Connection
Slides 106-110: Connect to Server
Slides 111-112: Joining the Channel
Slide 113: Communicate with Backdoor
Slides 114-118: Communication
Slide 119: Running SOCKS4 Server
Slides 120-121: Clearing Crime Scene
Slides 122-124: Hacarmy Commands
Slide 125: Conclusions