Software Analysis & Deobfuscation Engine
Page 2 Project Name: SADE Project Members: Faiza Khalid, Komal Babar and Abdul Wahab Project Supervisor –Internal: Aisha Khalid –External: Dr. Fauzan Mirza Project Scope
Page 3 Scope Statement Development of a software analysis toolkit for windows executables that will bypass obfuscations to make actual code available for further analysis. The toolkit will be for security analysts and novice users with a little training.
Page 4 Obfuscation Problem Malware analysis is necessary for information security: – Creating signatures – Understanding attacks Malware authors use code obfuscation techniques to hide their malicious code The time of security analysts is expensive. Individual samples can take hours to analyze. Obfuscation costs reverse-engineers time: –Complicates instruction sequences –Disrupts control flow –Makes algorithms difficult to understand Manual obfuscation removal is a tedious and error-prone process Need to automate the process of analysis to keep up.
Page 5 Deobfuscation Deobfuscated!
Page 6 The packing obfuscation is the process of compressing and/or encrypting a program and adding a runtime decryption routine to it, such that the behavior of the original program is preserved. Tools that perform packing are called packers. Packing is applied on legitimate software to reduce the size of executable files and to protect the intellectual property that is distributed with the code. Malware authors use packing to by-pass detection and thwart analysis –Packing hides the original malicious code –Packing hinders code analysis –Obfuscation hinders automation –Automation is key to rapid analysis Packing Obfuscation
Page 7 A Packed Malware Binary Address Space.loop lea eax, 0x4a0000 lea ebx, 0x load ecx, ptr [r1] xor ecx, 0xffffff store ptr[ecx], r2... jnz.x call ptr[edi].x add eax, 4 add ebx, 4 cmp eax, 0x4a1f88 jnz.loop jmp 0x Address Space Entry Point 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e c0 73 1c a d8 6a d0 56 4b fe af 40 0c b6 f f5 07 b c 85 a5 94 2b 20 fd 5b 95 e7 c a d9 83 a1 37 1b 2f b c 22 8e Unpacking Loop JUMP Original BinaryPacked Binary Payload program is mostly unchanged Anti-Debugger Code Timing checks of various granularities Control flow obfuscation Code created in unpacking phase Control transfer to unpacked code Unpacking loop Packed code initially compressed or encrypted A binary is packed if some portion of its code is not present until runtime
Page 8 Anti-virus Tool Evasion 8 of 19 Unpack loop 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e c0 Unpack loop 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e c0 Signature Anti-Virus Tool Anti-virus tools recognize and unpack payloads of common packer tools Existing packers are modified to evade anti- virus tools at the rate of per month [1] 80% of malware in the world is packed [2][3] Unpack loop 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e c0 Unpack loop 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e c0 Signature [1] Virus Bulletin p , A. Stepan, 2006 [2] Press Release, McAfee Avert Labs, Nov [3] Malware Formation Stats, Panda Research, 2007 Unpack loop 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e c0 Signature Unpack loop 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e c0 Signature Common Attacker Tactic: Take a known malware binary and pack it with 10 layers of potentially different or proprietary packers. Symantec knows about 1145 families of packers, each of which can have multiple versions and they claim they can recognize/unpack about 100 of them. Malware signature size keeps growing with no end in sight.
Page 9 Relevant Literature “Renovo: A Hidden Code Extractor for Packed Executables”, presented at 5th ACM Workshop on Recurring Malcode (WORM 2007) “Generic Unpacking How to handle modified or unknown PE Compression Engines” presented at Virus. Bulletin Conference “OmniUnpack: Fast, Generic, and Safe Unpacking of Malware”, presented at 23rd ACSAC (Annual Computer Security Applications Conference) in Miami Beach FL USA (2007) “PolyUnpack: Automating the Hidden-Code Extraction of Unpack- Executing Malware”, presented at 22nd ACSAC (2006)
Page 10 Justification for project The problem to generically unpack malware executables has been solved commercially but the competitive nature of the anti-virus software industry refrains them from publishing a solution. Lack of a publicly available generic unpackers that can handle obfuscated binaries without knowing the exact packer used to pack it. The growing epidemic of malware and the need to have more freely available tools to help in analyzing malware.
Page 11 Objectives Design and implementation of a technique to detect obfuscated windows executables and to dump their code without running the executable. –Objective measurable by testing the implemented technique on sample packed exes and comparing results with published statistics of existing unpackers. Design and develop a user-friendly interface to analyze the recovered executable code, the whole of the code might not be recovered and the recovered code might not necessarily be executable. –Objective measurable by feedback of toolkit from beta testers. Contribute to research in the domain of code obfuscation and malware analysis. –Objective measurable by publication of research.
Page 12 Scope of Project – Inclusions & Exclusions We will not be developing an entire disassembler or a debugger but only a technique that can either attach itself to an already memory mapped process to uncover any hidden code or to load a process in memory and bypass any obfuscations to get to the hidden code once it is unpacked in memory. The scope of the project only and only covers extracting the hidden code, any further analysis of the malware is future work left to security analysts. This program can not in any way be deemed an equivalent of a debugger which has many complex functionalities, we need to perform only a small sub-task that debuggers performs i.e. to load executables and extract any hidden code, we won’t provide an environment to run or single step into the executable, just make the hidden code section available for analysis. We intend to get the help of simple debugging tools and already published research in the field of obfuscated binaries and take a lead from already done work.
Page 13 A: Studying PE (Portable Executable file format) F: Algorithm design B: Implementing PE identifier (i.e. portable executable analyzer) G: implement modules C: Research already implemented generic Unpacking Techniques H: Test modules D: Manually unpack executables obfuscated with different packers I: Integrate modules E: Identify general trends in unpacking J: User manual Project Schedule – Gantt Chat
Page 14 Software Analysis toolkit: SADE Documentation –Project Scope Statement –Requirements Model, Analysis Model and Design Model –WBS, project schedule, software development plan, software Implementation plan, software test plan –Software Implementation description –Final Project Report –User Manual Deliverables
Page 15 THANK YOU! Any questions