Slide 1: Analysis of Mixed-mode Malware
Christoph Csallner, University of Texas at Arlington. Joint work with Shabnam Aboughadareh.
This material is based upon work supported by the National Science Foundation under Grants No. , , and . Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.
Slide 2: Well-known malware analysis tool: TEMU
Diagram: the guest VM has a user level and a kernel level; a TEMU VMI driver sits inside the guest kernel and sends OS state to the TEMU analysis component running on the host.
Slide 3: Question: What if malware attacks the analysis tool, e.g., TEMU?
Diagram: same layout as before, but the malware in the guest attacks the TEMU VMI driver in the guest kernel, the component that sends OS state to the TEMU analysis component on the host.
Slide 4: Mixed-mode malware
Phase 1: Modify OS kernel code/data.
Phase 2: Payload uses the phase-1 modifications in its attack.
- The malware's semantics are determined by whether phase 1 succeeds.
- Malware analysis can only observe phase 2 if phase 1 succeeds.
- But phase 1 may corrupt the malware analysis itself.
Slide 5: Example with a TEMU-style in-guest analysis tool (VMI = Virtual Machine Introspection)
Diagram (user/kernel split; labels as on the slide):
Step 1 (Drop): Dropper.exe is dropped. The VMI driver receives its VMI notification through a function modifier placed in kernel function Mm1; the syscall table entry still holds the pointer to Zw1.
Step 2: Dropper.exe 2.1 hooks the syscall table so the entry now holds a pointer to Zw1’, and 2.2 unpatches the VMI function modifier in Mm1.
Step 3: Mal.exe 3.1 creates a new process and 3.2 calls Zw1. The hook Zw1’’ calls Zw1 and hides Mal.exe: when the current process is Mal.exe the VMI driver receives a false view (False VMI); when the current process is not Mal.exe, service A runs as usual.
Preventing Dropper from running would prevent the analyst from observing Mal.exe’s malicious behavior.
Slide 6: Malware Analysis: State of the Art
Table: tools classified by What they analyze (rows) and Where they run (columns: some components inside the malware domain / fully outside the malware domain).
- Both user and kernel: TEMU [UC Berkeley] (some components inside the malware domain)
- User-only: Ether [Georgia Tech], Anubis (TTAnalyze) [UC SB et al.]
- Kernel-only: d-Anubis [TU Vienna]
Slide 7: Example with a malware analysis tool that does not analyze the entire system
Diagram (user/kernel split; execution path for service A, a kernel-mode component):
1. Mal.exe drops a rootkit into the kernel.
2. Mal.exe calls system service A.
3. The rootkit intercepts the execution of system call A in the kernel.
4. The rootkit invokes system service B.
Slide 8: Concrete example: Ether
As before: preventing Dropper from running would prevent the analyst from observing Mal.exe’s malicious behavior.
Diagram: 1. Mal.exe drops a rootkit; 2. Mal.exe calls service A and Ether logs A; what actually executes is service A's kernel-mode path diverted by the rootkit, which 4. invokes system service B.
Slide 9: Malware Analysis
Table: same classification as slide 6 (What: rows; Where: some components inside the malware domain / fully outside the malware domain), now including SEMU.
- Both user and kernel: TEMU [UC Berkeley] (some components inside the malware domain); SEMU [UT Arlington] (fully outside the malware domain)
- User-only: Anubis (TTAnalyze) [UC SB et al.], Ether [Georgia Tech]
- Kernel-only: d-Anubis [TU Vienna]
Slide 10: SEMU: Completely outside the guest
Diagram, before malware execution: the guest (user and kernel levels) runs inside a QEMU VM; on the host, the SEMU VMI component reverse-engineers guest kernel data and code into a shadow memory that records data as (name, addr, value) and code as (name, addr).
Slide 11: SEMU: Completely outside the guest
Diagram, after malware execution: the SEMU VMI component on the host traces the guest against the shadow memory (reverse engineering plus tracing) and writes a trace log; the SEMU analysis component's trace analyzer turns that log into the analysis report.
Slide 12: Evaluation: SEMU is the only tool we tested that can fully analyze these mixed-mode malware samples:
(n/a = cell not recoverable from the slide; under LOC, a single number is the one value the slide gives)
Description             Affected object           OS fct   LOC (kernel / user)   Slowdown
Modify sys calls        KTHREAD                   No       370 / 1,684           35.3
Modify sys calls (MDL)  SSDT                      Yes      417                   38.7
DKOM object hiding      EPROCESS, DRIVER_OBJECT   n/a      96 / 451              28.2
DKSM renaming           n/a                       n/a      111                   20.6
Privilege escalation    n/a                       n/a      149                   25.2
User-mode unhook        n/a                       n/a      710                   29.1
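A toy model of the before/after comparison described on the two SEMU slides, applied to two of the sample classes in the table above (syscall table modification and DKOM object hiding). This is an added example, not SEMU's code; every address, process id and function name in it is constructed, and the guest is a flat dict of words rather than real memory.

```python
# Toy SEMU-style analysis: shadow memory (name, addr, value) taken before the run, compared after.
SSDT_BASE = 0x80500000       # constructed addresses, not real Windows values
PS_ACTIVE_HEAD = 0x80600000  # head of the circular EPROCESS list (Flink at offset 0)
PID_OFF = 4                  # UniqueProcessId stored at EPROCESS+4 in this model
CODE = {"NtCreateFile": 0x80501000, "NtQuerySystemInformation": 0x80502000,
        "NtOpenProcess": 0x80503000}          # known kernel code: (name, addr)

def clean_guest():
    """Constructed guest memory (addr -> word) as it looks before malware runs."""
    mem = {SSDT_BASE + 4 * i: a for i, a in enumerate(CODE.values())}   # SSDT
    procs = {0x81000000: 4, 0x81000100: 620, 0x81000200: 1337}          # EPROCESS -> pid
    order = [PS_ACTIVE_HEAD] + list(procs)
    for cur, nxt in zip(order, order[1:] + order[:1]):                  # link the ring
        mem[cur] = nxt
    for addr, pid in procs.items():
        mem[addr + PID_OFF] = pid
    return mem

def walk_list(mem):
    """Follow Flink pointers from the list head until the ring closes."""
    seen, cur = [], mem[PS_ACTIVE_HEAD]
    while cur != PS_ACTIVE_HEAD and cur not in seen:
        seen.append(cur)
        cur = mem[cur]
    return seen

def take_shadow(mem):
    """SEMU VMI component: snapshot names, addresses and values before execution."""
    data = [(f"SSDT[{i}]", SSDT_BASE + 4 * i, mem[SSDT_BASE + 4 * i]) for i in range(len(CODE))]
    data += [(f"EPROCESS pid={mem[a + PID_OFF]}", a, mem[a + PID_OFF]) for a in walk_list(mem)]
    return {"data": data, "code": list(CODE.items())}

def after_run_guest(mem):
    """Constructed post-run state: one SSDT entry re-pointed, one EPROCESS unlinked."""
    mem[SSDT_BASE + 4 * 1] = 0x8A000000   # now points outside the known kernel code
    mem[0x81000100] = mem[0x81000200]     # predecessor's Flink skips the pid-1337 object
    return mem

def analyze(shadow, mem):
    """Trace-analyzer step: cross-check the guest against the shadow copy."""
    findings, code_addrs = [], {a for _, a in shadow["code"]}
    listed = set(walk_list(mem))
    for name, addr, value in shadow["data"]:
        if name.startswith("SSDT") and mem.get(addr) != value:
            where = "known kernel code" if mem[addr] in code_addrs else "unknown code"
            findings.append(f"syscall table modified: {name} -> {mem[addr]:#x} ({where})")
        # object still carries its pid yet is no longer reachable from the list head
        if name.startswith("EPROCESS") and mem.get(addr + PID_OFF) == value and addr not in listed:
            findings.append(f"DKOM hiding: {name} unlinked from active process list")
    return findings
```

Because the shadow copy lives on the host, neither change inside the guest can alter what the analyzer compares against, which is the property the slides claim for SEMU.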
Slide 13: Execution time -- Fine-grained VMI: Instruction tracing
(n/a = cell not recoverable from the slide)
Subject    w/o VMI [s]        Fine VMI [s]        Slowdown
           Ether    SEMU      Ether    SEMU       Ether   SEMU
Esinfo     0.63     2.42      20.54    21.39      32      8
Timezone   0.05     0.79      4.41     13.03      87      16
Whoami     0.03     0.72      4.49     19.83      149     27
UPX        0.32     9.00      45.58    322.60     141     35
RAR a      0.15     3.07      45.16    302.93     n/a     98
Slide 14: Inside-the-guest VMI in TEMU vs. Outside-the-guest VMI in SEMU
(n/a = cell not recoverable from the slide)
Subject    w/o VMI [s]        Coarse VMI [s]      Slowdown
           TEMU     SEMU      TEMU     SEMU       TEMU    SEMU
PsGetsid   1.68     0.56      3.44     1.09       105     95
Pslist -t  3.19     1.03      4.69     1.31       47      27
Psinfo -s  5.76     2.88      9.79     4.78       70      66
Coreinfo   1.70     0.65      3.75     1.07       121     63
ListDLLs   3.20     2.58      5.01     n/a        57      45