Eureka: A Framework for Enabling Static Malware Analysis (13th European Symposium on Research in Computer Security, ESORICS 2008). Presenter: WANG Zhi.

Outline
1. Overview of Generic Unpacker
2. System Call Level Heuristic
3. Statistics-Based Unpacking
4. Evaluation Metrics

Overview of Unpacker
- Static analyses: decompile and analyze the logical structure, flow, and data stored within the binary itself.
- Dynamic analyses: monitor the behavior of the malware binary at runtime.
  - Fine-grained monitor (instruction-level)
  - Coarse-grained monitor (page-level)

Generic Automatic Unpackers

  Unpacker     Granularity          Trigger                            Speed
  PolyUnpack   instruction-level    model-based trigger                slow
  Renovo       instruction-level    heuristic trigger                  |
  OmniUnpack   page-level           heuristic trigger                  v
  Eureka       system call level    heuristic and statistical trigger  fast

- The variability in unpacking strategies comes from the granularity at which unpacking behavior is tracked.

Eureka architecture (figure): coarse-grained execution tracing, triggered by NtTerminateProcess or NtCreateProcess, combined with statistical bigram analysis.

Coarse-grained Execution Tracing
- Eureka uses the event of program exit as a trigger.
- NtTerminateProcess implies that the unpacked malicious payload has been successfully decrypted.
- A large fraction of current malware uses a new process (NtCreateProcess) to execute the unpacked malicious payload.

Problems
- Not all malware exits; some keep an executing version resident in memory.
- Packers can generate spurious process-creation events.
- Malware authors can simply avoid exiting the malware process.
- The above two simple heuristics may work for a large fraction of malware today (as much as 80%), but it may not be the same for future malware.

Evaluation

Statistical bigram analysis
- Mining statistical patterns in x86 code.
- Use simple n-gram analysis.
- Use IDA Pro to extract the regions of an executable that were marked as functions.
- Look for the most common bigrams (opcode pairs or 2-byte opcodes) and spaced bigrams (byte pairs separated by one or more bytes).
- Found that FF 15 (call), FF 75 (push), and the spaced bigrams E8---FF and E8---00 (call) are prevalent in x86 code.

Occurrence summary of bigrams (table; counts omitted): rows FF 15 (call), FF 75 (push), E8---FF (call), E8---00 (call); columns calc, explorer, notepad, ping, shutdown.

Bigram Counts (figure): bigram counts during execution of a goat file packed with Aspack.

Bigram Counts (figure): bigram counts during execution of a goat file packed with MoleBox.

Bigram Counts (figure): bigram counts during execution of a goat file packed with Armadillo.

Bigram Counts
- There are consistent and significant shifts in the bigram counts once the payload is unpacked.
- The simple bigram counting approach had over a 95% success rate in distinguishing between packed and unpacked malware instances.
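Added example (not code from the Eureka project or from these slides): a small Python model of the two triggers described above, the NtTerminateProcess/NtCreateProcess heuristic from the "Coarse-grained Execution Tracing" slide and the bigram statistic from the slides just before this one, run over constructed system-call traces. The trace format, the "hits per KiB" normalisation, the thresholds, and the way the two triggers are combined (a syscall trigger is accepted only once the snapshot already looks like code, and a sustained bigram density dumps a sample that never exits) are this example's own assumptions; the synthetic code block and the pseudo-random "packed" image are constructed inputs.

```python
"""Eureka-style unpack-point detection over constructed system-call traces.

Added example; not code from the Eureka project or the slides. Trace format,
density normalisation, thresholds and trigger combination are assumptions."""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Bigrams the slides report as prevalent in compiled x86 code.
PLAIN_BIGRAMS = {"FF 15 (call)": b"\xff\x15", "FF 75 (push)": b"\xff\x75"}
# Spaced bigrams: E8 (call rel32), a three-byte gap, then the displacement's high byte.
SPACED_BIGRAMS = {"E8---FF (call)": 0xFF, "E8---00 (call)": 0x00}
# The two system calls the slides use as heuristic unpack triggers.
EXIT_EVENTS = {"NtTerminateProcess", "NtCreateProcess"}


def count_bigrams(snapshot: bytes) -> Dict[str, int]:
    """Count the slides' plain and spaced bigrams in one memory snapshot."""
    counts = {name: 0 for name in (*PLAIN_BIGRAMS, *SPACED_BIGRAMS)}
    for i in range(len(snapshot) - 1):
        pair = snapshot[i:i + 2]
        for name, pattern in PLAIN_BIGRAMS.items():
            if pair == pattern:
                counts[name] += 1
        if snapshot[i] == 0xE8 and i + 4 < len(snapshot):
            for name, high_byte in SPACED_BIGRAMS.items():
                if snapshot[i + 4] == high_byte:
                    counts[name] += 1
    return counts


def bigram_density(snapshot: bytes) -> float:
    """Bigram hits per KiB (assumed normalisation; the slides show raw counts)."""
    if not snapshot:
        return 0.0
    return sum(count_bigrams(snapshot).values()) * 1024 / len(snapshot)


@dataclass
class TraceEvent:
    tick: int
    syscall: Optional[str]   # system call observed at this tick, None for a periodic sample
    snapshot: bytes          # image of the executable region at that tick


def find_unpack_point(trace: List[TraceEvent], code_density: float = 20.0,
                      stable_ticks: int = 2) -> Optional[Tuple[int, str]]:
    """Return (tick, reason) of the first snapshot worth dumping, or None.

    Heuristic trigger: one of EXIT_EVENTS, accepted only if the snapshot already looks
    like code (a spurious NtCreateProcess from a still-packed image is ignored).
    Statistical trigger: density above code_density for stable_ticks consecutive samples,
    which covers malware that never exits. Combining them this way is an assumption."""
    high_streak = 0
    for ev in trace:
        looks_like_code = bigram_density(ev.snapshot) >= code_density
        high_streak = high_streak + 1 if looks_like_code else 0
        if ev.syscall in EXIT_EVENTS and looks_like_code:
            return ev.tick, f"heuristic:{ev.syscall}"
        if high_streak >= stable_ticks:
            return ev.tick, "statistical:bigram"
    return None


def synthetic_code(n_blocks: int) -> bytes:
    """Constructed stand-in for unpacked x86: prologue, stack push, indirect call, near call."""
    block = (b"\x55\x8b\xec"                 # push ebp; mov ebp, esp
             + b"\xff\x75\x08"               # push dword [ebp+8]        -> FF 75
             + b"\xff\x15\x10\x20\x40\x00"   # call dword [0x402010]     -> FF 15
             + b"\xe8\x10\xff\xff\xff"       # call rel32, backward      -> E8---FF
             + b"\x5d\xc3")                  # pop ebp; ret
    return block * n_blocks


def packed_image(n: int, seed: int = 7) -> bytes:
    """Constructed stand-in for a packed (compressed/encrypted) region: pseudo-random bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def scenarios() -> Dict[str, List[TraceEvent]]:
    packed, code = packed_image(4096), synthetic_code(200)
    return {
        # Ordinary sample: unpacks, then exits.
        "exits": [TraceEvent(1, None, packed), TraceEvent(2, None, packed),
                  TraceEvent(3, "NtTerminateProcess", code)],
        # Never exits (stays resident): only the statistical trigger can fire.
        "resident": [TraceEvent(1, None, packed), TraceEvent(2, None, packed),
                     TraceEvent(3, None, code), TraceEvent(4, None, code),
                     TraceEvent(5, None, code)],
        # Spurious NtCreateProcess while still packed; the real unpack comes later.
        "spurious_create": [TraceEvent(1, None, packed),
                            TraceEvent(2, "NtCreateProcess", packed),
                            TraceEvent(3, None, packed),
                            TraceEvent(4, "NtTerminateProcess", code)],
    }


def run_all() -> Dict[str, Optional[Tuple[int, str]]]:
    return {name: find_unpack_point(trace) for name, trace in scenarios().items()}


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name:16s} -> {result}")
```

The three constructed traces cover the three cases the "Problems" slide raises: a sample that exits normally is dumped at the syscall, a resident sample is dumped once the bigram density has stayed high for two consecutive samples, and a spurious NtCreateProcess on a still-packed image is skipped because its snapshot shows no x86 bigram signal.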

Evaluation Metrics: code-to-data ratio
- An observable difference between packed and unpacked code is the amount of identifiable code and data found in the binary.
- Use IDA Pro to identify valid code sequences.
- In IDA Pro, data are represented by db, dw or dd.
- In packed executables, the ratio is below 3%.
- In unpacked executables, the ratio is above 50%.
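Added example (not Eureka's code): computing the code-to-data ratio from an IDA Pro style text listing and applying the 3%/50% thresholds above. The listing format (a constructed approximation of an IDA export with the opcode-bytes column enabled, uppercase hex bytes and lowercase mnemonics and directives) and the definition of the ratio as the fraction of listed bytes that are code are this example's assumptions; both listings are constructed.

```python
"""Code-to-data ratio from an IDA Pro style listing, with the slides' 3%/50% thresholds.

Added example, not Eureka's code. The listing format (uppercase opcode-byte column,
lowercase mnemonics/directives) and the ratio definition are assumptions."""
import random
import re
from typing import List, Tuple

DATA_DIRECTIVES = {"db", "dw", "dd"}     # how IDA Pro renders data items (from the slides)
PACKED_MAX, UNPACKED_MIN = 0.03, 0.50    # thresholds quoted on the slides

# segment:address  <uppercase opcode bytes>  mnemonic-or-directive operands
LINE_RE = re.compile(r"^(?P<seg>\.\w+):(?P<addr>[0-9A-F]+)\s+"
                     r"(?P<bytes>(?:[0-9A-F]{2}\s+)+)(?P<text>[a-z].*)$")

Item = Tuple[str, int, int, bool]   # (segment, address, size in bytes, is_code)


def parse_listing(listing: str) -> List[Item]:
    """Extract one item per listed line; lines without an opcode-byte column are skipped."""
    items: List[Item] = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = len(m.group("bytes").split())                       # one token per byte
        tokens = m.group("text").lower().replace(",", " ").split()
        is_code = not any(tok in DATA_DIRECTIVES for tok in tokens)
        items.append((m.group("seg"), int(m.group("addr"), 16), size, is_code))
    return items


def code_to_data_ratio(items: List[Item]) -> float:
    """Fraction of listed bytes that IDA identified as code (assumed definition)."""
    code = sum(size for _, _, size, is_code in items if is_code)
    total = sum(size for _, _, size, _ in items)
    return code / total if total else 0.0


def classify(ratio: float) -> str:
    if ratio < PACKED_MAX:
        return "packed"
    if ratio > UNPACKED_MIN:
        return "unpacked"
    return "indeterminate"


def assess(listing: str) -> Tuple[float, str]:
    ratio = code_to_data_ratio(parse_listing(listing))
    return ratio, classify(ratio)


def data_lines(seg: str, base: int, blob: bytes, width: int = 8) -> str:
    """Render a blob the way IDA lists undefined bytes: `width` db items per line."""
    lines = []
    for off in range(0, len(blob), width):
        chunk = blob[off:off + width]
        col = " ".join(f"{b:02X}" for b in chunk)
        ops = ", ".join(f"{b:02X}h" for b in chunk)
        lines.append(f"{seg}:{base + off:08X} {col:<24} db {ops}")
    return "\n".join(lines)


# Constructed listings. The "packed" one is a short stub followed by a 640-byte
# pseudo-random (compressed-looking) region; the "unpacked" one is ordinary code.
_rng = random.Random(3)
PACKED_LISTING = "\n".join([
    ".text:00401000 55                       push    ebp",
    ".text:00401001 8B EC                    mov     ebp, esp",
    ".text:00401003 BE 00 20 40 00           mov     esi, offset unk_402000",
    ".text:00401008 BF 00 30 40 00           mov     edi, offset unk_403000",
    ".text:0040100D C3                       retn",
    data_lines(".data", 0x402000, bytes(_rng.getrandbits(8) for _ in range(640))),
])
UNPACKED_LISTING = "\n".join([
    ".text:00401000 55                       push    ebp",
    ".text:00401001 8B EC                    mov     ebp, esp",
    ".text:00401003 FF 75 08                 push    [ebp+8]",
    ".text:00401006 FF 15 10 20 40 00        call    ds:dword_402010",
    ".text:0040100C 85 C0                    test    eax, eax",
    ".text:0040100E 74 05                    jz      short loc_401015",
    ".text:00401010 E8 0B 00 00 00           call    sub_401020",
    ".text:00401015 5D                       pop     ebp",
    ".text:00401016 C3                       retn",
    ".data:00402010 00 00 00 00              dd 0",
    ".data:00402014 48 65 6C 6C 6F 00        db 'Hello',0",
])

if __name__ == "__main__":
    for name, listing in (("packed", PACKED_LISTING), ("unpacked", UNPACKED_LISTING)):
        ratio, verdict = assess(listing)
        print(f"{name:9s} code-to-data ratio {ratio:.3f} -> {verdict}")
```

The packed listing has 14 bytes of stub code against 640 bytes of data, so its ratio falls well under 3%; the unpacked listing has 23 code bytes against 10 data bytes, about 70%. Anything between the two thresholds is reported as indeterminate rather than forced into one class.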

Code-to-data ratio (figure): packed vs. unpacked.

Code-to-data ratio (figure): grey areas stand for data, blue areas for code; packed notepad.exe memory space vs. original notepad.exe memory space.