Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware Binaries. Clemens Kolbitsch and Thorsten Holz (Secure Systems Lab, Vienna University of Technology), Christopher Kruegel (University of California), Engin Kirda (Institute Eurecom). 31st IEEE Symposium on Security & Privacy, 2010.
Outline
- Introduction
- System Overview
- Automated Extraction
- Gadget Preparation and Replay
- Gadget Inversion
- Evaluation

Introduction
- Malware is the driving force behind many of the attacks on the Internet today.
- It is now increasingly deployed as software that can be remotely controlled by its operator (bots).

How to analyze malware?
- Static analysis: hindered by obfuscation, packing, etc.
- Dynamic analysis: shows what the sample does, but does not support automatically extracting a specific functionality out of the malware. Examples of functionality one would like to extract:
  - the domain generation algorithm of samples that use domain flux
  - the function that encodes or decodes the data the sample exchanges with its C&C server

This paper aims to...
- Present a novel approach to automatically extract from a given malware binary the instructions that are responsible for a certain activity of the sample.
- First, INSPECTOR performs dynamic program slicing on the malware to extract a slice that implements the "interesting" behavior.
- Second, it generates a stand-alone gadget based on the extracted slice.

Advantages of the extracted gadgets
- Reduce our exposure to the malicious code: only the extracted instructions are executed, not the whole sample.
- Immediately carry out a certain operation the malware performs, without running the rest of the sample.
- Identify in-memory buffers that hold decrypted data.
- Some gadgets can be inverted, i.e., run backwards from observed output to the input that produced it.

System Overview

Automated Extraction
- Generating activity logs: Anubis performs dynamic malware analysis based on a processor emulator (QEMU). The log records
  - all executed instructions
  - each byte returned by a system call, marked with a taint label that is propagated through the execution
  - all memory accesses
- Once an analyst has spotted an interesting behavior in the log, she can instruct INSPECTOR to extract a gadget for it.

Automated Extraction (cont.)
- Selecting and extracting algorithms: the analyst has to select the relevant output flow manually.
  - For an HTTP download, she may select the WriteFile or CreateFile call that stores the fetched data.
- Extracting a slice: INSPECTOR attempts to find all data sources required to compute the parameters passed to the selected function call.

Selecting and Extracting Algorithms
- Forward searching and backward slicing: the behavior selected by the analyst is not necessarily the intended endpoint of the algorithm (the data may be processed further after the selected call). INSPECTOR therefore searches forward from the selected point for an endpoint, and the analyst may specify where the forward search stops; the backward slice is then computed from that endpoint.
- Heuristics for detecting an endpoint:
  - string comparison functions, or execution of code containing string-handling instructions
  - the data has been processed by a sequence of arithmetic instructions

Selecting and Extracting Algorithms (cont.)
- Closure analysis: INSPECTOR can decide to deliberately exclude certain dependencies from the slice.
  - conditional jumps (control dependencies)
  - a behavior that is only triggered under a certain condition
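To make the slicing step concrete, here is an added example (not code from the paper or from INSPECTOR) of a dynamic backward slice over an instruction log. The log is constructed by hand: each entry names the registers and memory locations an instruction read and wrote, which is the information the Anubis log provides per byte. Addresses and location names such as "mem:in" and "stack:arg0" are hypothetical. The slice starts at the selected endpoint (the WriteFile call), includes every earlier instruction that defines a location the slice still needs, and reports the locations that were never defined inside the log as the gadget's external inputs. Control dependencies are ignored here on purpose; that is the decision the closure analysis makes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class TraceEntry:
    """One executed instruction from a constructed activity log.

    reads/writes name the registers and memory locations the instruction
    touched. A real log records these per byte; symbolic names are used
    here for readability.
    """
    addr: int
    text: str
    reads: frozenset
    writes: frozenset


def entry(addr, text, reads=(), writes=()):
    return TraceEntry(addr, text, frozenset(reads), frozenset(writes))


# Constructed trace of a toy single-byte XOR decoder that hands its result
# to WriteFile. "inc ecx" is unrelated bookkeeping that must NOT end up in
# the slice; all addresses and location names are hypothetical.
TRACE = [
    entry(0x401000, "mov eax, [mem:in]",  reads={"mem:in"},     writes={"eax"}),
    entry(0x401005, "mov ebx, 0x37",                            writes={"ebx"}),
    entry(0x40100a, "mov ecx, [mem:ctr]", reads={"mem:ctr"},    writes={"ecx"}),
    entry(0x40100f, "xor eax, ebx",       reads={"eax", "ebx"}, writes={"eax"}),
    entry(0x401011, "inc ecx",            reads={"ecx"},        writes={"ecx"}),
    entry(0x401013, "mov [mem:out], eax", reads={"eax"},        writes={"mem:out"}),
    entry(0x401018, "push [mem:out]",     reads={"mem:out"},    writes={"stack:arg0"}),
    entry(0x40101e, "call WriteFile",     reads={"stack:arg0"}),
]


def backward_slice(trace, endpoint):
    """Dynamic backward slice from trace[endpoint] over data dependencies.

    Walks the log backwards keeping the set of locations still "needed".
    An instruction joins the slice iff it defines a needed location; its
    own operands then become needed. Whatever is still needed at the start
    of the log was never produced inside the trace: those are the external
    data sources the gadget must be fed at replay time.

    Returns (trace indices in the slice, in execution order; frozenset of
    external inputs).
    """
    needed = set(trace[endpoint].reads)
    members = [endpoint]
    for i in range(endpoint - 1, -1, -1):
        e = trace[i]
        if e.writes & needed:
            members.append(i)
            needed -= e.writes   # definitions satisfied by this instruction
            needed |= e.reads    # which in turn depend on its operands
    members.reverse()
    return members, frozenset(needed)


def gadget_listing(trace, endpoint):
    """Instruction listing of the slice plus its sorted external inputs."""
    members, inputs = backward_slice(trace, endpoint)
    lines = [f"{trace[i].addr:#x}  {trace[i].text}" for i in members]
    return lines, sorted(inputs)


if __name__ == "__main__":
    lines, inputs = gadget_listing(TRACE, len(TRACE) - 1)
    print("\n".join(lines))
    print("external inputs:", inputs)
```

On this trace the slice keeps the load, the key constant, the XOR, the store, the push and the call, drops the counter instructions, and reports "mem:in" as the one buffer the player has to provide.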

Gadget Preparation and Replay
- Gadget format and relocation:
  - the gadget is emitted as a dynamic loadable library (DLL)
  - all references to absolute code addresses are rewritten to use relative addressing
  - all static memory areas the slice accesses are extracted into a data file

Gadget Preparation and Replay (cont.)
- Gadget player, memory management:
  - preinitialized memory areas, restored from the extracted data file
  - provide the player with a complete view of the memory buffers accessible to the gadget

Gadget Preparation and Replay (cont.)
- Execution containment: the gadget must be isolated from the player's own memory.
  - One option is emulation, but it is too slow for this purpose.
  - The paper's approach: the memory management rewrites the gadget's memory accesses, the gadget runs in a separate thread, and every API or system call is redirected to the environment interface.
  - Other approaches: SFI, Native Client.

Gadget Preparation and Replay (cont.)
- Environment interface: during gadget start-up, the player registers a callback function inside the gadget.
  - the gadget invokes it each time it makes a system call or Windows API call
  - the callback can be changed by the analyst

Gadget Preparation and Replay (cont.)
- Callback handling: the gadget player can return fake information to the gadget, e.g., answer a network or file request without touching the real resource.

Gadget Inversion
- Main idea:
  - first, extract the gadget that is responsible for stealing and encoding the data
  - second, compute the input that leads to the output observed in the network dump
- Use brute force, guided by the data dependencies between input and output bytes.

Gadget Inversion (cont.)
- Implementation: use taint tracking to learn which input bytes each output byte depends on.
- Applicability, Base64:
  - 3 input bytes are encoded into 4 output bytes
  - each output byte depends on at most 2 input bytes

Gadget Inversion (cont.)
- XOR:
  - with a constant key: each output byte depends on 1 input byte
  - with the content itself as key: each output byte depends on 2 input bytes
- Strong encryption (e.g., RSA):
  - each output byte depends on all input bytes
  - inversion by brute force is impossible

Gadget Inversion: possible extensions
- Extract algebraic formulae from the gadget and hand them to a constraint solver
- Input parallelization: check multiple input candidates at once
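The three applicability cases above (Base64, XOR with a constant or content key, strong encryption) can be tried out with the following added example, which is not code from the paper or from INSPECTOR. The encoder stands in for the extracted gadget, and the dependency sets, which the paper learns by taint tracking, are written down by hand to match what taint tracking would report. The inversion is a depth-first brute force over input bytes that checks an output byte as soon as all of the input bytes it depends on have been guessed; the bound `max_joint` on how many bytes must be guessed jointly before the first check is an assumption of this example, not a value from the paper. The `xor_chain` encoder and `strong_encode` stand-in are constructed for the demonstration.

```python
import base64
import hashlib


def base64_deps(n_in):
    """Input positions each Base64 output character depends on: 3 input bytes
    give 4 output characters, each depending on at most 2 input bytes.
    n_in must be a multiple of 3 so no padding characters appear."""
    deps = []
    for g in range(n_in // 3):
        b = 3 * g
        deps += [{b}, {b, b + 1}, {b + 1, b + 2}, {b + 2}]
    return deps


def xor_chain(data, key=0x5A):
    """Constructed 'content as key' encoder: byte i is XORed with plaintext
    byte i-1 (a constant for byte 0), so each output byte depends on at
    most 2 input bytes."""
    out, prev = bytearray(), key
    for b in data:
        out.append(b ^ prev)
        prev = b
    return bytes(out)


def xor_chain_deps(n_in):
    return [{0}] + [{i - 1, i} for i in range(1, n_in)]


def strong_encode(data):
    """Stand-in for strong encryption: every output byte depends on every
    input byte (SHA-256 truncated to the input length)."""
    return hashlib.sha256(data).digest()[:len(data)]


def check_points(deps):
    """Map input position p -> output indices fully determined by inputs 0..p."""
    points = {}
    for j, d in enumerate(deps):
        points.setdefault(max(d), []).append(j)
    return points


def joint_bytes_before_first_check(deps):
    """Input bytes that must be guessed jointly (256**k candidates) before
    the first output byte can be verified."""
    return min(check_points(deps)) + 1


def feasible(deps, max_joint=2):
    return joint_bytes_before_first_check(deps) <= max_joint


def invert(encode, deps, observed, n_in, max_joint=2):
    """Recover the input that produced `observed` by depth-first brute force
    over input bytes, pruning with every output byte whose dependencies are
    already assigned. Returns None if no input matches."""
    if len(deps) != len(observed):
        raise ValueError("one dependency set per output byte expected")
    if not feasible(deps, max_joint):
        k = joint_bytes_before_first_check(deps)
        raise ValueError(f"256**{k} joint guesses before any pruning: infeasible")
    points = check_points(deps)
    cand = bytearray(n_in)

    def consistent(pos):
        # Outputs listed at `pos` depend only on cand[0..pos]; the still
        # unassigned trailing bytes cannot influence them.
        if pos not in points:
            return True
        out = encode(bytes(cand))
        return all(out[j] == observed[j] for j in points[pos])

    def dfs(pos):
        if pos == n_in:
            return encode(bytes(cand)) == observed
        for v in range(256):
            cand[pos] = v
            if consistent(pos) and dfs(pos + 1):
                return True
        return False

    return bytes(cand) if dfs(0) else None


if __name__ == "__main__":
    print(invert(base64.b64encode, base64_deps(6), base64.b64encode(b"Gadget"), 6))
    print(invert(xor_chain, xor_chain_deps(8), xor_chain(b"secret!!"), 8))
    print("strong encoding feasible:", feasible([set(range(8))] * 8))
```

Because Base64 and the XOR variants let an output byte be checked after one or two guessed input bytes, the search stays small (a few thousand encoder calls per Base64 group). With every output byte depending on all inputs there is no early check, the search would be 256 to the power of the input length, and `invert` refuses before starting; that is the "impossible" case on the slide.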

Evaluation
- Domain flux: Conficker. The extracted gadget reproduces the sample's domain generation algorithm.

Evaluation (cont.)
- Fetching binary updates: Pushdo. Over a period of 16 days the gadget kept fetching updates while the botnet changed the IP addresses of its 3 C&C servers.
- Binary update decryption: Pushdo. The client appends a random key to the download URL in order to obtain an encrypted file; inverting the program recovers the key.

Evaluation (cont.)
- Binary update generation: Pushdo. Invert the decryption algorithm, redirect the client's connection to our own server, and serve it an update of our choosing. Producing 140 bytes of encrypted update took 44 seconds.

Evaluation (cont.)
- Template-based spamming: Cutwail. The spam templates are XOR-encrypted; the gadget stores the decrypted template in memory, where it can be read out.