Presentation is loading. Please wait.

Presentation is loading. Please wait.

Eureka: A Framework for Enabling Static Malware Analysis the 13 th European Symposium on Research in Computer Security (ESORICS) conference 2008 WANG Zhi.

Published byJoseph Darcy James Modified over 9 years ago

Similar presentations

Presentation on theme: "Eureka: A Framework for Enabling Static Malware Analysis the 13 th European Symposium on Research in Computer Security (ESORICS) conference 2008 WANG Zhi."— Presentation transcript:

1 Eureka: A Framework for Enabling Static Malware Analysis the 13 th European Symposium on Research in Computer Security (ESORICS) conference 2008 WANG Zhi

2 Outline Overview of Generic Unpacker 1 System Call Level Heuristic 2 Statistics-Based Unpacking 3 Evaluation Metrics 4

3 Overview of Unpacker  Static analyses: decompile and analyze the logical structure, flow, and data stored within the binary itself.  Dynamic analyses: monitor the behavior of the malware binary at runtime.  Fine-grained monitor (Instruction-level)  Coarse-grained monitor (page-level)

4 Generic Automatic Unpackers PolyUnpackRenovoOmniUnpack Eureka Instruction-level Page-levelSystem call level Model-base trigger Heuristic trigger Heuristic and Statistical trigger slow fast  The variability in unpacking strategies come from the granularity of tracking unpacking behavior.

5 Eureka Coarse-grained execution tracing NtTerminateProcess NtCreateProcess Eureka Statistical bigram analysis bigram.

6 Coarse-grained Execution Tracing  Eureka uses the event of program exit as a trigger.  NtTerminateProcess implies that the unpacked malicious payload has been successfully decrypted.  A large fraction of current malware use a new process (NtCreateProcess) to execute the unpacked malicious payload.

7 Problems  Not all malware exit and keep an executing version resident in memory  Packers can make spurious event of creating new process.  Malware authors can simply avoid exiting the malware process.  The above two simple heuristics may work for a large fraction of malware today( as much as 80%), it may not be the same for future malware.

8 Evaluation

9 Statistical bigram analysis  Mining statistical patterns in x86 code  Use simple n-gram analysis  Use the IDA Pro to extract regions from executable that were marked as functions.  Looking for the most common bigrams ( opcode pairs or 2-byte opcodes) and space bigrams( byte pairs separated by 1 or more bytes)  Found FF 15(call), FF 75(push), E8---00 and E8---FF are prevalent in x86 code.

10 Occurrence summary of bigrams calcexplorernotepadpingshutdown FF 15(call)246304541558132 FF 75(push)23524942454185 E8---FF(call)158322011808749 E8---00(call)74610911085766

11 Bigram Counts  Bigram counts during execution of goat file packed with Aspack

12 Bigram Counts  Bigram counts during execution of goat file packed with Molbox

13 Bigram Counts  Bigram counts during execution of goat file packed with Armadillo

14 Bigram Counts  There are consistent and significant shifts in the bigram counts.  The simple bigram counting approach had over a 95% success rate in distinguishing between packed and unpacked malware instance.

15 Evaluation Metrics  Code-to-data ratio  An observable difference between packed code and unpacked code is the amount of identifiable code and data found in the binary  Use IDA Pro to identify valid code sequences.  In IDA Pro, data are represented by db, dw or dd.  In packed executables, the ratio is below 3%.  In unpacked executables, the ratio is above 50%.

16 Code-to-data ratio Packed Unpacked

17 Code-to-data ratio Grey area stand for data Blue area stand for code Packed notepad.exe memory space Original notepad.exe memory space

18

Download ppt "Eureka: A Framework for Enabling Static Malware Analysis the 13 th European Symposium on Research in Computer Security (ESORICS) conference 2008 WANG Zhi."

Similar presentations

Saumya Debray The University of Arizona Tucson, AZ 85721.

Saumya Debray The University of Arizona Tucson, AZ
1 3 Computing System Fundamentals 3.5 Data Representation.

1 3 Computing System Fundamentals 3.5 Data Representation.
Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
KLIMAX: Profiling Memory Write Patterns to Detect Keystroke-Harvesting Malware Stefano Ortolani 1, Cristiano Giuffrida 1, and Bruno Crispo 2 1 Vrije Universiteit.

KLIMAX: Profiling Memory Write Patterns to Detect Keystroke-Harvesting Malware Stefano Ortolani 1, Cristiano Giuffrida 1, and Bruno Crispo 2 1 Vrije Universiteit.
Program Slicing Mark Weiser and Precise Dynamic Slicing Algorithms Xiangyu Zhang, Rajiv Gupta & Youtao Zhang Presented by Harini Ramaprasad.

Program Slicing Mark Weiser and Precise Dynamic Slicing Algorithms Xiangyu Zhang, Rajiv Gupta & Youtao Zhang Presented by Harini Ramaprasad.
Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.

Linear Obfuscation to Combat Symbolic Execution Zhi Wang 1, Jiang Ming 2, Chunfu Jia 1 and Debin Gao 3 1 Nankai University 2 Pennsylvania State University.
B. Childers, M. L. Soffa, J. Beaver, L. Ber, K. Cammarata, J. Litman, J. Misurda Presented by: Priyanka Puri 1000676053 SOFTTEST: A FRAMEWORK FOR SOFTWARE.

B. Childers, M. L. Soffa, J. Beaver, L. Ber, K. Cammarata, J. Litman, J. Misurda Presented by: Priyanka Puri SOFTTEST: A FRAMEWORK FOR SOFTWARE.
Malicious Logic What is malicious logic Types of malicious logic Defenses Computer Security: Art and Science ©2002-2004 Matt Bishop.

Malicious Logic What is malicious logic Types of malicious logic Defenses Computer Security: Art and Science © Matt Bishop.
Impeding Malware Analysis Using Conditional Code Obfuscation Paper by: Monirul Sharif, Andrea Lanzi, Jonathon Giffin, and Wenke Lee Conference: Network.

Impeding Malware Analysis Using Conditional Code Obfuscation Paper by: Monirul Sharif, Andrea Lanzi, Jonathon Giffin, and Wenke Lee Conference: Network.
Effective and Efficient Malware Detection at the End Host Clemens Kolbitsch, Paolo Milani TU Vienna Christopher UCSB Engin Kirda.

Effective and Efficient Malware Detection at the End Host Clemens Kolbitsch, Paolo Milani TU Vienna Christopher UCSB Engin Kirda.
Binary Obfuscation Using Signals Igor V. Popov ( University of Arizona)‏ Saumya K. Debray (University of Arizona)‏ Gregory R. Andrews (University of Arizona)

Binary Obfuscation Using Signals Igor V. Popov ( University of Arizona)‏ Saumya K. Debray (University of Arizona)‏ Gregory R. Andrews (University of Arizona)
Anomaly Detection Using Call Stack Information Security Reading Group July 2, 2004 Henry Feng, Oleg Kolesnikov, Prahlad Fogla, Wenke Lee, Weibo Gong Presenter:

Anomaly Detection Using Call Stack Information Security Reading Group July 2, 2004 Henry Feng, Oleg Kolesnikov, Prahlad Fogla, Wenke Lee, Weibo Gong Presenter:
LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.

LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan.
Catriel Beeri Pls/Winter 2004/5 environment1 1 The Environment Model  Introduction and overview  A look at the execution model  Dynamic scoping  Static.

Catriel Beeri Pls/Winter 2004/5 environment1 1 The Environment Model  Introduction and overview  A look at the execution model  Dynamic scoping  Static.
@ NCSU Zhi NCSU Xuxian Microsoft Research Weidong Microsoft NCSU Peng NCSU ACM CCS’09.

@ NCSU Zhi NCSU Xuxian Microsoft Research Weidong Microsoft NCSU Peng NCSU ACM CCS’09.
1 Memory Model of A Program, Methods Overview l Memory Model of JVM »Method Area »Heap »Stack.

1 Memory Model of A Program, Methods Overview l Memory Model of JVM »Method Area »Heap »Stack.
Module 8: Monitoring SQL Server for Performance. Overview Why to Monitor SQL Server Performance Monitoring and Tuning Tools for Monitoring SQL Server.

Module 8: Monitoring SQL Server for Performance. Overview Why to Monitor SQL Server Performance Monitoring and Tuning Tools for Monitoring SQL Server.
Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.

Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.
Automated malware classification based on network behavior

Automated malware classification based on network behavior
MutantX-S: Scalable Malware Clustering Based on Static Features Xin Hu, IBM T.J. Watson Research Center; Sandeep Bhatkar and Kent Griffin, Symantec Research.

MutantX-S: Scalable Malware Clustering Based on Static Features Xin Hu, IBM T.J. Watson Research Center; Sandeep Bhatkar and Kent Griffin, Symantec Research.

Similar presentations

Ads by Google