Presentation is loading. Please wait.

Presentation is loading. Please wait.

Malware Repository Update David Dagon Georgia Institute of Technology

Published byGerard Wilkins Modified over 10 years ago

Similar presentations

Presentation on theme: "Malware Repository Update David Dagon Georgia Institute of Technology"— Presentation transcript:

1 Malware Repository Update David Dagon Georgia Institute of Technology dagon@cc.gatech.edu

2 Context OARC is contemplating the operation of a malware repository I report on the implementation of this repository –Design rationale –Demo –Other developments that I trust may be received as good news These slides expand on a previous talk w/ Paul Vixie at Defcon –Errors in both are my own

3 Overview How malware is collected and shared now Malfease’s service-oriented repository –Automated unpacking –Header analysis Demonstration Policy considerations for OARCs operation

4 Current Practices Numerous private, semi-public malware collections –Need trust to join (for some value of “trust”) –“Too much sharing” often seen as competitive disadvantage –Quotas often used Incomplete collections: reflect sensor bias –Darknet-based collection –IRC surveillance –Honeypot-based collection

5 Shortcomings Malware authors know and exploit weaknesses in data collection Illuminating sensors –“Mapping Internet Sensors with Probe Response Attacks”, Bethencourt, et al., Usenix 2005 Automated victims updates –“Queen-bot” programs keep drones in 0-day window

6 Queen-Bot Programs Malware authors use packers –Encrypted/obfuscated payloads –Small stub programs to inflate the payload Queen bots –Automate the creation of new keys, binaries –Each new packed program is different But the same semantic program –Compiler tricks used Dead code injected, idempotent statements introduced, register shuffling, etc.

7 Queen-Bot Programs

8 Queen bots therefore an instance of generative programming What are their uses? –Automated updating –Evasion of AV signatures How do they evade AV? –We need a rough conceptual model of malware lifecycle …

9 Queen-Bot Programs: Indirect Evidence

10 Malware Life Cycle A-day0-day D-dayR-day Four conceptual phases of malware life cycle: A-day: malware authored 0-day: release D-day: first opportunity for detection R-day: response (e.g., virus signature update)

11 Malware Life Cycle A-day0-day D-dayR-day Recent AV goal: reduce response time AV update cycles previously measured weeks/days Now measured in hours/minutes (or should be)

12 Malware Life Cycle A-day0-day D-dayR-day How to improve detection time... Given that... Malware authors avoid known sensors Repositories don’t share

13 Sensor Illumination Technique –Malware authors compile single, unique virus; –Send to suspected sensor –Wait and watch for updates

14 Sensor Illumination Virus

15 Malware Life Cycle A-day0-day D-dayR-day Because of illumination and limited sharing, distance (0day, detection) is days, while distance (detection, response) is (ideally) hours. Minutes*Days* * Average order of time; anecdotes will vary

16 Malware Life Cycle A-day0-day D-dayR-day MinutesDays A-day0-day D-dayR-day Bot runs for ~1/2 day, and updates to new, evasive binary UPDATE!

17 Malware Life Cycle A-day0-day D-dayR-day MinutesDays A-day0-day D-dayR-day A-day0-day D-dayR-day UPDATE! UPDATE!

18 Malware Life Cycle A-day0-day D-dayR-day MinutesDays A-day0-day D-dayR-day A-day0-day D-dayR-day PerpetualZero-daywindow UPDATE! UPDATE!

19 Example from virustotal.com

20 Solution: Service-Oriented Repository Malfease uses hub-and-spoke model –Hub is central collection of malware –Spokes are analysis partners Hub: –Malware, indexing, search –Static analysis: header extraction, icons, libraries –Metainfo: longitudinal AV scan results Spoke: –E.g., dynamic analysis, unpacking

21 Malware Repo Requirements Malware repos should not: –Help illuminate sensors –Serve as a malware distribution site Malware repo should: –Help automate analysis of malware flood –Coordinate different analysts (RE gurus, MX gurus, Snort rule writers, etc.)

22 Approach: Service-Oriented Repository Repository allows upload of samples –Downloads restricted to classes of users Repository provides binaries and analysis –Automated unpacking –Win32 PE Header analysis –Longitudinal detection data What did the AV tool know, and when did it know it? –Soon: Malware similarity analysis, family tree

23 Overview

24 Repository User Classes Unknown users –Scripts, random users, even bots Humans –CAPTCHA-verified Authenticated Users –Known trusted contributors

25 Repository Access Goals Unknown users –Upload; view aggregate statistics Humans –Upload; download analysis of their samples Authenticated Users –Upload; download all; access analysis

26 Basic User View

27 Analysis Page for Sample

28 Static Analysis Example

29 Note search ability

30 Example: Search on icons All samples with matching icons

31 Dynamic Analysis Unpacked binary Available for Download, Along with asm version

32 Binary Analysis (Spoke) Example Motivation: find “key” information in malware Previously, binaries trivially yielded relevant information: strings samples/*.exe | grep -i \ gmail 0edcxzse @ gmail.com d4rkhdeflood @ gmail.com...

33 Binary Analysis (Spoke) Example Now, however, malware is packed –E.g., of 409 samples, 11% were trivially unpackable. Indicates high degree of packing For 81 non-packed samples, only 7 contained strings recognizable as mail addrs. Why such a low result for all samples? –Implies runtime data transformations

34 Binary Analysis (Spoke) Example Address for WS2_32.dll:Send (and data for email address) are constructed dynamically

35 Spoke Example trace_irc=> select distinct email from abusive_email where email ilike '%gmail.com'; email ----------------------- 0edcxzse@gmail.com 0paparazzo@gmail.com 100money@gmail.com 1977.24@gmail.com 1r4d3x@gmail.com 2006.infos@gmail.com... etc. etc. etc. Thus, malfease's collection is transformed to operationally relelvant feeds

36 Policy Considerations Who gets access? –Anonymous upload: limited analysis –Registered upload: collection management –Trusted researcher: full search/full analysis –Does this approach meet OARC's approval? Branding (Spoke) opportunities –Analysis partners may offer/demo analysis services

37 Policy Consideration Resources –All front-end code BSD licensed Spoke analysis tools may sport any license –Hardware and development courtesy of Damballa Coordination with other malware repos? –MIRT/PIRT –APWG

38 OARC Resources So far, no cost to OARC –Hardware, dev work courtesy of Damballa We have until January 2007 to finish major work Needed OARC resources: –Blessing/acceptance A review/edit of policies –Mailing lists (one for dev, one for users) –Possible mirror –Feedback from members –Malware (send samples!)

39 Conclusion Service-oriented repository See malfease.oarci.net for details Questions?

Download ppt "Malware Repository Update David Dagon Georgia Institute of Technology"

Similar presentations

Configuration management

Configuration management
Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
Malware Repository Overview Wenke Lee David Dagon Georgia Institute of Technology.

Malware Repository Overview Wenke Lee David Dagon Georgia Institute of Technology.
An Overview. BizLink BizLink is a Social Networking platform for business. It allows colleagues to come together, ask questions, share resources, form.

An Overview. BizLink BizLink is a Social Networking platform for business. It allows colleagues to come together, ask questions, share resources, form.
Xyleme A Dynamic Warehouse for XML Data of the Web.

Xyleme A Dynamic Warehouse for XML Data of the Web.
Computer Security and Penetration Testing

Computer Security and Penetration Testing
Internet Relay Chat Chandrea Dungy Derek Garrett #29.

Internet Relay Chat Chandrea Dungy Derek Garrett #29.
1 © 2006 Cisco Systems, Inc. All rights reserved. Session Number Presentation_ID Using the Cisco Technical Support & Documentation Website for Security.

1 © 2006 Cisco Systems, Inc. All rights reserved. Session Number Presentation_ID Using the Cisco Technical Support & Documentation Website for Security.
Automated Tracking of Online Service Policies J. Trent Adams 1 Kevin Bauer 2 Asa Hardcastle 3 Dirk Grunwald 2 Douglas Sicker 2 1 The Internet Society 2.

Automated Tracking of Online Service Policies J. Trent Adams 1 Kevin Bauer 2 Asa Hardcastle 3 Dirk Grunwald 2 Douglas Sicker 2 1 The Internet Society 2.
© 2006 Jupitermedia Corporation Webcast TitleSuccessful Rollout Planning 1 January 19, 2006 2:00pm EST, 11:00am PST George Spafford, President Spafford.

© 2006 Jupitermedia Corporation Webcast TitleSuccessful Rollout Planning 1 January 19, :00pm EST, 11:00am PST George Spafford, President Spafford.
This chapter is extracted from Sommerville’s slides. Text book chapter 29 1 1.

This chapter is extracted from Sommerville’s slides. Text book chapter
Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology USENIX Security '08 Presented by Lei Wu.

Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee College of Computing, Georgia Institute of Technology USENIX Security '08 Presented by Lei Wu.
Information Security Introduction to Information Security Michael Whitman and Herbert Mattord 14-1.

Information Security Introduction to Information Security Michael Whitman and Herbert Mattord 14-1.
Silvio Cesare Ph.D. Candidate, Deakin University.

Silvio Cesare Ph.D. Candidate, Deakin University.
Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)

Lucent Technologies – Proprietary Use pursuant to company instruction Learning Sequential Models for Detecting Anomalous Protocol Usage (work in progress)
Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.

Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.
Software Analysis & Deobfuscation Engine. Page  2  Project Name: SADE  Project Members: Faiza Khalid, Komal Babar and Abdul Wahab  Project Supervisor.

Software Analysis & Deobfuscation Engine. Page  2  Project Name: SADE  Project Members: Faiza Khalid, Komal Babar and Abdul Wahab  Project Supervisor.
DroidKungFu and AnserverBot

DroidKungFu and AnserverBot
WARNINGBIRD: A Near Real-time Detection System for Suspicious URLs in Twitter Stream.

WARNINGBIRD: A Near Real-time Detection System for Suspicious URLs in Twitter Stream.

Similar presentations

Ads by Google