Normalizing Metamorphic Malware Using Term Rewriting. A. Walenstein, R. Mathur, M. R. Chouchane, and A. Lakhotia, Software Research Laboratory, The University of Louisiana at Lafayette.

Slide 1: Normalizing Metamorphic Malware Using Term Rewriting
A. Walenstein, R. Mathur, M. R. Chouchane, and A. Lakhotia
Software Research Laboratory, The University of Louisiana at Lafayette
Sixth IEEE International Workshop on Source Code Analysis and Manipulation (SCAM'06), 27th-29th September 2006, Philadelphia, PA, USA

Slide 2 (SCAM'06, 9/28/2006): About this Work
The core of the paper's work formed the Master's thesis of Rachit Mathur. He has since graduated and is now working at McAfee.

Slide 3: Malware Identification
Malware are malicious programs such as viruses, worms, and Trojans. Antivirus scanners use extracted patterns, or "signatures", to identify known malware.
(Figure: an anti-virus signature is matched against Virus Form A.)

Slide 4: Metamorphic Malware
Metamorphic malware change as they propagate: they create multiple variants of themselves.
(Figure: Virus Form A is rewritten by the metamorphic engine M into Form B and Form C.)

Slide 5: Metamorphic Malware Challenge
Too many signatures challenge the AV scanner; using a different signature for most variants cannot scale.
(Figure: Virus Forms A, B and C, produced by the metamorphic engine M, each need their own anti-virus signature.)

Slide 6: Proposed approach: normalizer
Normalizer construction problem: reduce the number of signatures needed to detect all variants.
(Figure: Virus Forms A, B and C, produced by the metamorphic engine M, are each reduced by the normalizer N to one normal form, against which a single anti-virus signature is matched.)

Slide 7: Inspiration: "undo" transformations
(Figure: one store instruction and several metamorphic rewritings of it; a normalizer would "undo" such transformations.)

  mov [ebp - 3], eax

  push ecx
  mov ecx, ebp
  add ecx, 33
  push esi
  mov esi, ecx
  sub esi, 34
  mov [esi-2], eax
  pop esi
  pop ecx

  push ecx
  mov ecx, ebp
  push eax
  mov eax, 33
  add ecx, eax
  pop eax
  push esi
  mov esi, ecx
  push edx
  mov edx, 34
  sub esi, edx
  pop edx
  mov [esi - 2], eax
  pop esi
  pop ecx

  push ecx
  mov ecx, [ebp + 10]
  mov ecx, ebp
  push eax
  add eax, 2342
  mov eax, 33
  add ecx, eax
  pop eax
  mov eax, esi
  push eax
  mov esi, ecx
  push edx
  xor edx, 778f
  mov edx, 34
  sub esi, edx
  pop edx
  mov [esi-2], eax
  pop esi
  pop ecx

  push ecx
  mov ecx, ebp
  add ecx, 33
  mov [ecx-36], eax
  pop ecx

Slide 8: Problem 1: "naïve" undo is naïve
Transformation rules shown (original form -> transformed form):
  1. mov edi, 0x04  ->  push ecx; mov ecx, 0x04; mov edi, ecx; pop ecx
  2. push eax       ->  push eax; mov eax, 0x04
  3. push 0x04      ->  mov eax, 0x04; push eax
(Figure: the sequences "mov eax, 0x04; push eax; mov eax, 0x04", "mov eax, 0x04; push eax", "push 0x04; mov eax, 0x04", "push 0x04" and "mov edi, 0x04", showing that naively reversed rules can rewrite one sequence in more than one way.)

Slide 9: Problem 2: conditional transformations
The same rules with the condition under which the engine may apply them:
  1. mov edi, 0x04  ->  push ecx; mov ecx, 0x04; mov edi, ecx; pop ecx   (unconditional)
  2. push eax       ->  push eax; mov eax, 0x04                          (eax not live)
  3. push 0x04      ->  mov eax, 0x04; push eax                          (eax not live)
Q: how to reorient rules while guaranteeing termination?

Slide 10: Term rewriting approach
Adopted term-rewriting framework:
- Model the metamorphic engine as a TRS (term rewriting system)
- Modify it to create a normalizing rule set and engine: apply a completion procedure, which reorients rules
- Can guarantee the needed properties (termination, confluence)

Slide 11: Completion procedure sketch: critical pairs
(Figure: the sequence "mov eax, 0x04; push eax; mov eax, 0x04" rewrites both to "mov eax, 0x04; push eax" and to "push 0x04; mov eax, 0x04"; the former rewrites further to "push 0x04", so the two results form a critical pair.)

Slide 12: Completion procedure sketch: reorient
(Figure: the same critical pair as on slide 11; the two divergent results, "push 0x04; mov eax, 0x04" and "push 0x04", are reoriented into a new rule.)

Slide 13: What to do when the completion procedure fails?
Successful completion guarantees a unique normal form for all variants: the "perfect" normalizer. But:
- The completion procedure may not terminate
- The number of rules in the normalizer may be too high to be practical
- It does not take conditions into account
- Need an alternative scheme

Slide 14: Priority Scheme
Partition N into N_U (unconditional rules) and N_C (conditional rules).
(Flowchart: Input program -> Normalize w.r.t. N_U -> Still reducible? If yes, apply a rule from N_C if possible and return to normalizing w.r.t. N_U; if no, HALT.)
1. Simple
2. No need for costly/imprecise condition evaluation
3. Improved through ad-hoc completion

Slide 15: Question: is condition checking required?
Conditional rules require checking of conditions:
- Can be expensive, or impossible
- What is the practical penalty of incorrectly checking conditions, e.g., ignoring conditions completely?
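The following is an added example, not code from the slides or the authors' TXL normalizer. It replays the three rules of slides 8 and 9 as a toy term-rewriting normalizer over straight-line instruction lists and shows, in one place, the non-confluence of naive undo (slide 8), the critical pair and its reoriented rule (slides 11 and 12), the N_U/N_C priority loop (slide 14), and what ignoring the "eax not live" condition does to a block where eax is live (slide 15). The register read/write model, the `eax_not_live` check, the orientation chosen for the completed rule and the sample programs are all constructed assumptions for this example.

```python
"""Toy term-rewriting normalizer replaying the slides' W32.Evol-style rules (constructed example)."""
from typing import Callable, Set, Tuple

Program = Tuple[str, ...]               # straight-line code, one instruction per string
Cond = Callable[[Program, int], bool]   # cond(program, index just after the matched span)
Rule = Tuple[Program, Program, Cond]    # (lhs, rhs, condition)

REGS = ("eax", "ebx", "ecx", "edx", "esi", "edi", "ebp")


def regs_in(text: str) -> Set[str]:
    return {r for r in REGS if r in text}


def reads_writes(instr: str) -> Tuple[Set[str], Set[str]]:
    """Registers read / written by one instruction (mov, push, pop, add, sub, xor); assumed model."""
    mnemonic, _, rest = instr.partition(" ")
    ops = [o.strip() for o in rest.split(",")]
    if mnemonic == "push":
        return regs_in(ops[0]), set()
    if mnemonic == "pop":
        return set(), regs_in(ops[0])
    dst, src = ops
    if dst.startswith("["):                      # store: address registers are read, none written
        return regs_in(dst) | regs_in(src), set()
    read = regs_in(src) | (regs_in(dst) if mnemonic != "mov" else set())
    return read, regs_in(dst)


def eax_not_live(prog: Program, at: int) -> bool:
    """Side condition of slide 9: eax is overwritten before it is read in prog[at:]
    (the end of the block is treated as a point where eax is dead)."""
    for instr in prog[at:]:
        read, written = reads_writes(instr)
        if "eax" in read:
            return False
        if "eax" in written:
            return True
    return True


def always(prog: Program, at: int) -> bool:
    return True


# Normalizer rules: the engine's rules of slide 9 read right-to-left.
N_U = [  # unconditional
    (("push ecx", "mov ecx, 0x04", "mov edi, ecx", "pop ecx"), ("mov edi, 0x04",), always),
]
N_C = [  # only valid when eax is not live after the rewritten span
    (("push eax", "mov eax, 0x04"), ("push eax",), eax_not_live),
    (("mov eax, 0x04", "push eax"), ("push 0x04",), eax_not_live),
]
# Rule obtained by reorienting the critical pair of slides 11-12 (orientation assumed here).
N_COMPLETED: Rule = (("push 0x04", "mov eax, 0x04"), ("push 0x04",), eax_not_live)


def rewrite_once(prog, rules, check_conditions=True):
    """Apply the first rule that matches at the leftmost position; None if irreducible."""
    for i in range(len(prog)):
        for lhs, rhs, cond in rules:
            if prog[i:i + len(lhs)] == lhs and (not check_conditions or cond(prog, i + len(lhs))):
                return prog[:i] + rhs + prog[i + len(lhs):]
    return None


def normalize(prog, rules, check_conditions=True):
    """Rewrite to a fixpoint (every rule above shortens the program, so this terminates)."""
    nxt = rewrite_once(prog, rules, check_conditions)
    while nxt is not None:
        prog, nxt = nxt, rewrite_once(nxt, rules, check_conditions)
    return prog


def all_normal_forms(prog, rules):
    """Follow every rule/position choice; more than one result means the rules are not confluent."""
    forms, stack, seen = set(), [prog], set()
    while stack:
        p = stack.pop()
        if p in seen:
            continue
        seen.add(p)
        succ = [p[:i] + rhs + p[i + len(lhs):]
                for i in range(len(p)) for lhs, rhs, cond in rules
                if p[i:i + len(lhs)] == lhs and cond(p, i + len(lhs))]
        if succ:
            stack.extend(succ)
        else:
            forms.add(p)
    return forms


def priority_normalize(prog, n_u, n_c, check_conditions=True):
    """Slide 14: normalize w.r.t. N_U; if an N_C rule still applies, apply one and repeat; else halt."""
    while True:
        prog = normalize(prog, n_u)
        nxt = rewrite_once(prog, n_c, check_conditions)
        if nxt is None:
            return prog
        prog = nxt


# Constructed inputs: the term of slide 8, two metamorphic forms of "mov edi, 0x04; push 0x04",
# and a block in which eax is still live after the push.
NAIVE_TERM = ("mov eax, 0x04", "push eax", "mov eax, 0x04")
VARIANT_1 = ("push ecx", "mov ecx, 0x04", "mov edi, ecx", "pop ecx", "mov eax, 0x04", "push eax")
VARIANT_2 = VARIANT_1 + ("mov eax, 0x04",)
EAX_LIVE = ("mov eax, 0x04", "push eax", "mov [ebx], eax")

if __name__ == "__main__":
    print("naive undo, two normal forms:", all_normal_forms(NAIVE_TERM, N_C))
    print("after completion:", all_normal_forms(NAIVE_TERM, N_C + [N_COMPLETED]))
    for v in (VARIANT_1, VARIANT_2):
        print("priority scheme:", priority_normalize(v, N_U, N_C + [N_COMPLETED]))
    print("conditions checked:", priority_normalize(EAX_LIVE, N_U, N_C + [N_COMPLETED]))
    print("conditions ignored:", priority_normalize(EAX_LIVE, N_U, N_C + [N_COMPLETED], False))
```

Without the completed rule, `NAIVE_TERM` has two normal forms ("push 0x04; mov eax, 0x04" and "push 0x04"), which is exactly the non-confluence of slide 8; adding `N_COMPLETED` collapses them to one. With the priority loop, both variants of "mov edi, 0x04; push 0x04" reach the same normal form, and `VARIANT_2` only does so because the completed rule is in N_C. For `EAX_LIVE`, checking the condition leaves the block alone, while ignoring it (`check_conditions=False`) rewrites "mov eax, 0x04; push eax" to "push 0x04" and silently drops the value the later store depends on, which is the kind of semantic damage slide 15 asks about.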

Slide 16: Case Study: W32.Evol
- The virus can generate a huge number of variants
- Tested the normalization schemes on 26 variants over 6 generations
- Manually extracted the rules used by W32.Evol: 55 rules, 84 overlaps
- TXL implementations: ordinary and priority-based evaluation

Slide 17: Results
(Table: rows per normalizer, columns per generation: Eve, 2, 3, 4, 5, 6. Rows: Avg. size of original; Convergent: Avg. size of normal form (2173); Priority AC: Avg. size of normal form (2166); Priority WC: Avg. size of normal form, Lines not in common, % in common. The remaining cell values were not recovered in this transcript.)

Slide 18: Contributions
Applications for assisting malware scanners:
- Initial exploration of the possibility of "perfect" normalization
- Indications of the usefulness of heuristic alternatives (priority scheme and ignoring conditions)

Slide 19: Future Work
Expanded scope and empirical study:
- Extensions for semantics-non-preserving metamorphic engines?
- Localized normalization using term rewriting: M. Chouchane and A. Lakhotia, "Using Engine Signature to Detect Metamorphic Malware", Workshop on Rapid Malcode, Fairfax, VA, Nov (to appear)
More at

Slide 20: Software Research Lab, Center for Advanced Computer Studies, University of Louisiana at Lafayette
- Arun Lakhotia, Director
- Andrew Walenstein, Research Scientist
- Michael Venable, Software Engineer and Alumnus
- Ph.D. Students: Mohamed R. Chouchane, Md Enamul Karim
- M.S. Students: Christopher Thompson, Matthew Hayes
- Alumni: Nitin Jyoti (Avertlabs), Aditya Kapoor (McAfee), Erik Uday Kumar (Authentium), Rachit Mathur (McAfee), Moinuddin Mohammed (Microsoft), Prashant Pathak (Symantec), Prabhat Singh (Symantec)
Funded by: Louisiana Governor's IT Initiative