PolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware. Royal, P.; Halpin, M.; Dagon, D.; Edmonds, R.; Wenke Lee; Computer Security Applications Conference.

Presentation transcript:

PolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware. Royal, P.; Halpin, M.; Dagon, D.; Edmonds, R.; Wenke Lee. Computer Security Applications Conference, ACSAC '06, 22nd Annual, Dec. Page(s):
Presented by Kiet Vo

PolyUnpack Summary
- "Modern malware often hides the malicious portion of their program code by making it appear as data at compile time and transforming it back into executable code at run time."
- In this paper the authors discuss a technique for automating the process of extracting the hidden code of this type of malware.
- A tool called PolyUnpack can deobfuscate/decrypt the hidden code for later analysis.

PolyUnpack Appreciative Comments
- The authors have convincingly shown that PolyUnpack can detect more unpack-executing malware than other disassemblers like PEiD, and that it performs hidden-code extraction efficiently.
- One shortcoming in evaluating how well PolyUnpack assists malware reverse engineering and analysis is that the experiment had no knowledge of the inner workings of AV tools, so it could not show how much it helps those tools. The authors even planned to learn the inner workings of several AV company labs, but because of trade secrets this was not possible. So the experiment was carefully planned and well thought out.

Critical Comments
- The paper does not say how analysts manually unpack a given malware instance.
- No comparisons were made with other popular AV tools like Norton Antivirus, which affect more users.

PolyUnpack How efficient is the tool?
- I like this new feature of detecting multiple unpacking:
- Some instances of unpack-executing malware complicate the process of extracting their hidden code by having the unpacked code perform additional unpacking.
- Think of it as an executable file inside another executable file, which can itself be inside another executable file.
- When executed, the 'outer' executable will unpack the contents of the inner executable into memory and execute it.
- PolyUnpack is used to acquire the innermost body of unpacked code, iterating until the extracted code produces no further unpacked code:
  1. The hidden code is extracted into an executable version.
  2. The new binary is then tested for unpack-execute behaviour.
  These two steps are repeated until the innermost hidden code is extracted.
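To make the multi-layer extraction loop concrete, here is an added simulation (my own code, not PolyUnpack's) over a constructed toy instruction set. It assumes the simplified rule that a sample is unpack-executing when it executes bytes that differ from its static image, dumps the memory at that point as a new executable, and re-tests that executable until no further hidden code appears. The key-0 case shows that a sample is flagged by what it executes, not by merely containing a decoder stub.

```python
from typing import List, Optional

# Toy instruction set for the simulation (constructed, not a real ISA).
NOP, XORDEC, RET = 0x90, 0x31, 0xC3   # XORDEC <key> <n>: XOR-decode the next n bytes in place

def pack(inner: bytes, key: int) -> bytes:
    """Constructed toy packer: a decoder stub followed by the XOR-encoded inner image."""
    return bytes([XORDEC, key, len(inner)]) + bytes(b ^ key for b in inner)

def emulate(image: bytes) -> Optional[bytes]:
    """Execute the image and stop at the first instruction whose bytes are not in the
    static image (i.e. code produced at run time). Returns the memory from that point
    on as the dumped hidden code, or None if every executed byte was statically visible."""
    mem, pc = bytearray(image), 0
    while pc < len(mem):
        if mem[pc] != image[pc]:
            return bytes(mem[pc:])          # execution entered run-time generated code
        op = mem[pc]
        if op == NOP:
            pc += 1
        elif op == RET:
            return None
        elif op == XORDEC:
            key, n, start = mem[pc + 1], mem[pc + 2], pc + 3
            for i in range(start, min(start + n, len(mem))):
                mem[i] ^= key               # "unpack" the payload in memory
            pc = start                      # fall through into the decoded bytes
        else:
            raise ValueError(f"unknown opcode {op:#x} at offset {pc}")
    return None

def is_unpack_executing(image: bytes) -> bool:
    return emulate(image) is not None

def extract_layers(image: bytes, max_layers: int = 16) -> List[bytes]:
    """The loop from the slide: dump the hidden code as a new executable, test that
    executable for unpack-execute behaviour, and repeat until nothing new appears."""
    layers: List[bytes] = []
    current = image
    while len(layers) < max_layers:
        dumped = emulate(current)
        if dumped is None:
            break
        layers.append(dumped)
        current = dumped
    return layers

if __name__ == "__main__":
    inner = bytes([NOP, NOP, RET])                 # constructed "real" payload
    sample = pack(pack(inner, 0x55), 0xAA)         # two nested packing layers
    print([layer.hex() for layer in extract_layers(sample)])  # two layers, innermost last
```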

PolyUnpack How accurate is the tool?
- PolyUnpack is evaluated using more than 3400 known malware binaries.
- PolyUnpack identifies more unpack-executing programs than PEiD (a popular tool for detecting unpack-executing programs).
- PolyUnpack found 1754 samples to be unpack-executing and extracted their hidden code.
- PEiD identified only 1482 samples.
- Extraction works without knowledge of how the run-time code is generated.
- Efficiency: manual extraction of hidden code takes more time:
  - Manually unpacking a given malware instance takes between 15 and 60 minutes.
  - The average time PolyUnpack takes for each malware instance is less than 20 minutes; over 60% took less than 5 minutes.

PolyUnpack Questions
- Given the current increase in new unpack-executing malware, do you think PolyUnpack would help other antivirus software reduce false negatives or detect all unpack-executing malware?