a survey on automated dynamic malware analysis evasion
play

A Survey On Automated Dynamic Malware Analysis Evasion and - PowerPoint PPT Presentation

Oct 28, 2022 •336 likes •684 views

A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web Alexei Bulazel & Blent Yener River Loop Security Rensselaer Polytechnic Institute (RPI) Introduction Automated dynamic malware analysis is

  1. A Survey On Automated Dynamic Malware Analysis Evasion and Counter-Evasion: PC, Mobile, and Web Alexei Bulazel & Bülent Yener River Loop Security Rensselaer Polytechnic Institute (RPI)

  2. Introduction Automated dynamic malware analysis is essential to keep up ● with modern malware (and potentially malicious software) ● Problem: malware can detect and evade analysis ● Solution: detect or mitigate anti-analysis

  3. Scope Survey of ~200 works on evasive malware ● techniques, detection, mitigation, and case studies Mostly academic works, with a few industry ● talks and publications ● In this presentation - focus on PC-based malware experimentation, more discussion than survey

  4. Dynamic Automated Analysis Systems a.k.a: “malware sandboxes” “detonation chambers”

  5. Takeaways Evasive malware and defenders continually evolve to counter ● one another The fight between malware and analysis systems is likely to ● continue long into the future There are immense challenges to experimental evaluation and ● the ability to establish ground truth

  6. Presentation Outline 1. Introduction 2. Offense - Detecting Analysis Systems 3. Defense - Detecting Malware Evasion 4. Defense - Mitigating Malware Evasion 5. Discussion 6. Conclusion

  7. Offense - Detecting Analysis Systems Fingerprint Classes ● bool beingAnalyzed = DetectAnalysis(); ○ Environmental Artifacts if(beingAnalyzed) ○ Timing { CPU Virtualization ○ BehaveBenignly(); Process Introspection ○ } ○ Reverse Turing Tests else ○ Network Artifacts { Mobile Sensors ○ InfectSystem(); } Browser Specific ○

  8. Environmental Artifacts & Timing Unique distinguishing Timing discrepancies in analysis ● ● characteristics of the analysis systems environment itself ● Sources: Usernames Emulation / virtualization overhead ○ ○ ○ System settings ○ Analysis instrumentation overhead Date Overhead of physical hardware ○ ○ ○ Installed software instrumentation (potentially) Files on disk Challenging to mitigate ○ ● ○ Running processes ○ Garfinkle et al: “extreme engineering Number of CPUs ○ hardship and huge runtime ○ Amount of RAM overhead”

  9. CPU Virtualization & Process Introspection CPU “Red Pills” Discrepancies in internal state ● ● ● Discrepancies in CPU behavior ○ Memory or register contents Function hooks ○ introduced by virtualization ○ Injected libraries Erroneously accepted/rejected ○ Page permission eccentricities ○ instructions ● Commonly used in anti-DBI Incorrect exception behavior ○ ○ Flag edge cases MSRs ○ ○ CPUID/SIDT/SGDT/etc discrepancy Particularly applicable for ● emulators

  10. Reverse Turing Tests & Network Artifacts ● Computer decides if it is ● Fixed IP address interacting with computer or Network isolation ● human ● Incorrectly emulated network ● Passive: mouse movement, typing devices or protocols cadence, process churn, scrolling ● Unusually fast internet service Active: user must click a dialogue ● box ● Wear-and-Tear: evidence of human use, copy-paste clipboard, “recently opened” file lists, web history, phone camera photos

  11. Detection - Discussion Variety of sources: underlying technologies facilitating analysis, system ● configuration, analysis instrumentation Easy to use = easy to mitigate ● Difficult to use = difficult to mitigate ● ● Reverse Turing Tests seem to be growing in relevance, and are extremely difficult to mitigate against

  12. Presentation Outline 1. Introduction 2. Offense - Detecting Analysis Systems 3. Defense - Detecting Malware Evasion 4. Defense - Mitigating Malware Evasion 5. Discussion 6. Conclusion

  13. Detecting Malware Evasion Detecting that malware exhibits evasive behavior under dynamic analysis, ● but not mitigating evasion ○ Comparatively fewer works relative to mitigation work ● Early work - detecting known anti-analysis-techniques ○ 2008: Lau et al.’s DSD-Tracer ● Most works use multi-system execution ○ Run malware in multiple systems and compare behavior offline - discrepancies may indicate evasion in one or more of these systems

  14. Multi-System Execution ● Instruction-level (2009: Kang et al.) ○ Too low level, prone to detect spurious differences ● System call-level (2010: Balzarotti et al. / 2015: Kirat & Vigna - MalGene) ○ Higher level than just instructions ○ MalGene uses algorithms taken from bioinformatics work in protein alignment Persistent changes to system state (2011: Lindorfer et al. - Disarm) ● ○ Jaccard distance-based comparisons ● Behavioral profiling (2014: Kirat et al. - BareCloud) ○ What malware did vs. how it did it, “hierarchical similarity” algorithms from computer vision and text similarity research

  15. Evasion Detection - Discussion Multi-system execution is a common solution for evasion detection ● ● Offline algorithms do not detect evasion in real time Evolution over time to increasingly complex algorithmic approaches, ● working over increasingly abstracted execution traces Detection does not solve the main challenge of evasion, so there is less ● work in the field compared to mitigation research

  16. Presentation Outline 1. Introduction 2. Offense - Detecting Analysis Systems 3. Defense - Detecting Malware Evasion 4. Defense - Mitigating Malware Evasion 5. Discussion 6. Conclusion

  17. Defense - Mitigating Evasion Mitigating evasive behavior in malware so that analysis can proceed ● unhindered Early approaches ● ○ Binary Modification ○ Hiding Environment Artifacts ○ State Modification ○ Multi-Platform Record and Replay ● Path Exploration ● Hypervisor-based Analysis ● Bare Metal Analysis & SMM-based Analysis Discussion ●

  18. Early Approaches ● Binary Modification ● State Modification ○ 2006: Vasudevan et al. - Cobra ○ 2009: Kang et al. ○ Emulate code in blocks like QEMU ■ Builds upon detection work “dynamic state modification” (DSM), ■ Remove or rewrite malware ■ modifications to state force instructions that could be used for malware execution down alternative detection paths ● Hiding Environmental Artifacts ● Multi-Platform Record and Replay 2007: Willems et al. - CWSandbox ○ 2012: Yan et al. - V2E ○ ■ In system kernel driver hides ■ Kang et al.’s DSMs are not scalable environmental artifacts for multiple anti-analysis checks ○ Oberheide later demonstrated several ■ Don’t mitigate individual detection techniques against CWSandbox occurrences of evasion, make evasion irrelevant because systems are inherently transparent

  19. Path Exploration 2007: Moser et al. ● ○ Looks broadly at code coverage and analyzing trigger-based malware Track when input is used to make control flow decisions, change it to force execution down ○ different code paths 2008: Brumley et al. - MineSweeper ● ○ Trigger-based malware focused Represents inputs to potential triggers symbolically, while other code is executed concretely ○

  20. Hypervisor-based Analysis 2008: Dinaburg et al. - Ether ● ○ Catch system calls and context switches from Xen Despite extensive efforts to make analysis transparent, Pék et al. created nEther and were ○ able to detect Ether ● 2009: Nguyen et al. - MAVMM ○ AMD SVM with custom hypervisor ○ Thompson et al. subsequently demonstrated timing attacks that can be used to detect MAVMM and other hypervisor based systems ● 2014: Lengyel et al. - DRAKVUF Xen-based, instruments code with injected breakpoints ○

  21. Bare Metal Analysis ● 2011, 2014: Kirat et al. - BareBox & ● SMM-based analysis: all the transparency BareCloud benefits of bare metal, while restoring ○ BareBox - in-system kernel driver introspection BareCloud - post-run disk forensics ○ Full access to system memory, protection ○ from modification, high speed, protection ● 2012: Willems et al. from introspection ○ Hardware-based branch tracing features ● 2013 & 2015: Zhang et al. - Spectre, MalT ○ Analyzed evasive PDFs ○ Spectre: SMM-based analysis, 100x faster than VMM based introspection ● 2016: Spensky et al. - LO-PHI ○ MalT - SMM-based debugging ○ Instrument physical hardware ○ Capture RAM and disk activity at the ● 2016: Leach et al. - Hops hardware level ○ SMM memory snapshotting and PCI-based ○ Scriptable user keyboard/mouse instrumentation interaction with USB-connected Arduinos

  22. Mitigation - Discussion Two broad categories: active and passive mitigation ● ○ Active - detect-then-mitigate Passive - build inherent transparency ○ Passive approaches have been more prevalent ● ○ Hypervisors, bare metal, etc Bare metal is the cutting edge in academic research, but it may not be ● scalable to industry applications ○ Promising, but not a panacea against any class of attacks other than CPU-based

  23. Presentation Outline 1. Introduction 2. Offense - Detecting Analysis Systems 3. Defense - Detecting Malware Evasion 4. Defense - Mitigating Malware Evasion 5. Discussion 6. Conclusion

Recommend

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal and Wenke Lee College of Computing Georgia Institute of Technology Agenda l Background l Defeating Automated Malware Analysis Host

1.28k views • 28 slides
How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement Yoshihiro Oyama University of Tsukuba 1 Background Many malware programs execute operations for analysis evasion Detection of

346 views • 31 slides
When a Tree Falls: Using Diversity in Ensemble Classifiers to Identify Evasion in Malware

When a Tree Falls: Using Diversity in Ensemble Classifiers to Identify Evasion in Malware

When a Tree Falls: Using Diversity in Ensemble Classifiers to Identify Evasion in Malware Detectors Charles Smutz Angelos Stavrou George Mason University Motivation Machine learning used ubiquitously to improve information security

814 views • 30 slides
GroDDViewer: Dynamic dual view of Android malware Jean-Franois Lalande Mathieu Simon Valrie

GroDDViewer: Dynamic dual view of Android malware Jean-Franois Lalande Mathieu Simon Valrie

Introduction Malware analysis Visualization Conclusion GroDDViewer: Dynamic dual view of Android malware Jean-Franois Lalande Mathieu Simon Valrie Viet Triem Tong GraMSec 2020 CIDRE team June 22th 2020 Introduction Malware analysis

530 views • 28 slides
Toward Automated Forensic Analysis of Obfuscated Malware Ryan J. Farley George Mason University

Toward Automated Forensic Analysis of Obfuscated Malware Ryan J. Farley George Mason University

Toward Automated Forensic Analysis of Obfuscated Malware Ryan J. Farley George Mason University Department of Computer Science Committee: Xinyuan Wang, Hakan Aydin, Songqing Chen, Brian Mark Where Innovation Is Tradition April 24, 2015

611 views • 59 slides
Automated capability analysis in Wordpress plugins Using static and dynamic analysis SNE RP2

Automated capability analysis in Wordpress plugins Using static and dynamic analysis SNE RP2

Automated capability analysis in Wordpress plugins Using static and dynamic analysis SNE RP2 Frank Uijtewaal Collab: DongIT (dongit.nl) Initial project goal Find a new and interesting type of security analysis for web applications

480 views • 35 slides
Malware analysis using visualized images and entropy graphs Kyoung Soo Han Jae Hyun Lim

Malware analysis using visualized images and entropy graphs Kyoung Soo Han Jae Hyun Lim

Malware analysis using visualized images and entropy graphs Kyoung Soo Han Jae Hyun Lim Boojoong Kang Eul Gyu Im Presented by Ruikai Zheng CISC850 Cyber Analytics 1.Introduction Malware variants developed using automated tools

206 views • 20 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
How Current Android Malware Seeks to Evade Automated Code Analysis Siegfried Rasthofer, Irfan

How Current Android Malware Seeks to Evade Automated Code Analysis Siegfried Rasthofer, Irfan

How Current Android Malware Seeks to Evade Automated Code Analysis Siegfried Rasthofer, Irfan Asrar , Stephan Huber, Eric Bodden Technische Universitt Darmstadt, Darmstadt, Germany Fraunhofer SIT, Darmstadt, Germany Appthority, San

344 views • 22 slides
Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

Static vs. Dynamic Analysis Static analysis: analyze source code or byte code Imprecise

I NTELLI D ROID A Targeted Input Generator for the Dynamic Analysis of Android Malware Michelle Y. Wong and David Lie University of Toronto Department of Electrical and Computer Engineering NDSS Symposium 2016 ! ! ! B ACKGROUND Static vs.

1.02k views • 32 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
From SOC to Analyst: bridging automated and manual analyses Practical Considerations and Issues

From SOC to Analyst: bridging automated and manual analyses Practical Considerations and Issues

From SOC to Analyst: bridging automated and manual analyses Practical Considerations and Issues July, 10th 2017 Raphal Rigo Typical (ideal) workflow of a malware sample reverser binary SOC CERT special malware malware SOC

89 views • 7 slides
Tien Phan Malware Manipulation 2019-08-26 2 Pokemon Fusion Con - Fusion Malicious Malware

Tien Phan Malware Manipulation 2019-08-26 2 Pokemon Fusion Con - Fusion Malicious Malware

Tien Phan Malware Manipulation 2019-08-26 2 Pokemon Fusion Con - Fusion Malicious Malware + = Softicious X Software Tien Phan Malware Manipulation 2019-08-26 3 Reverse Engineering More time consuming Dynamic Analysis

555 views • 22 slides
CS7038 - Malware Analysis - Wk07.2 Malware Research Online Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk07.2 Malware Research Online Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk07.2 Malware Research Online Coleman Kane kaneca@mail.uc.edu February 22, 2018 Exploring the Online Ecosystem One nice aspect of malware analysis is that, since much of it originates online and

119 views • 10 slides
Towards Automated Dynamic Analysis for Linux-based Embedded Firmware Dominic Chen 1 , Manuel Egele

Towards Automated Dynamic Analysis for Linux-based Embedded Firmware Dominic Chen 1 , Manuel Egele

Towards Automated Dynamic Analysis for Linux-based Embedded Firmware Dominic Chen 1 , Manuel Egele 2 , Maverick Woo 1 , David Brumley 1 1 Carnegie Mellon University, 2 Boston University {ddchen, pooh, dbrumley}@cmu.edu, megele@bu.edu 2 FIRMADYNE

404 views • 22 slides
CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane

CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane

CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane kaneca@mail.uc.edu January 24, 2017 Why Classification is Important Malware classification helps us in multiple ways. Here are a couple key ways:

787 views • 16 slides
Malware Analysis at AIRBUS Practical Considerations and Issues July, 12th 2017 Xavier

Malware Analysis at AIRBUS Practical Considerations and Issues July, 12th 2017 Xavier

Malware Analysis at AIRBUS Practical Considerations and Issues July, 12th 2017 Xavier Mehrenberger, Raphal Rigo, Sarah Zennou Plan Introduction Automated analysis Machine learning experiments 2 M. Mehrenberger, R. Rigo, S. Zennou ::

637 views • 12 slides
Ubiquitous and Mobile Computing CS 528: A Survey of Mobile Malware in the Wild Alex Fortier

Ubiquitous and Mobile Computing CS 528: A Survey of Mobile Malware in the Wild Alex Fortier

Ubiquitous and Mobile Computing CS 528: A Survey of Mobile Malware in the Wild Alex Fortier Computer Science Dept. Worcester Polytechnic Institute (WPI) What is mobile malware? Targeted at Android, iOS, Symbian (discontinued), Windows Phone

507 views • 17 slides
Mobile and Ubiquitous Computing CS 525M: A Survey of Mobile Malware in the Wild Hiromu Enoki

Mobile and Ubiquitous Computing CS 525M: A Survey of Mobile Malware in the Wild Hiromu Enoki

Mobile and Ubiquitous Computing CS 525M: A Survey of Mobile Malware in the Wild Hiromu Enoki Computer Science Dept. Worcester Polytechnic Institute (WPI) 1 Introduction Mobile Malware is fairly recent July 2004 Cabir virus came out on

487 views • 24 slides
MazeWalker Enriching static malware analysis and more Yevgeny Kulakov @p_h_0_e_n_i_x About Me

MazeWalker Enriching static malware analysis and more Yevgeny Kulakov @p_h_0_e_n_i_x About Me

MazeWalker Enriching static malware analysis and more Yevgeny Kulakov @p_h_0_e_n_i_x About Me Malware RE @ Trusteer, IBM, Seculert binary analysis automation sandbox development Now in vEYE Security on software container

591 views • 48 slides
Inspector Gadget Automated Extraction of Proprietary Gadgets from Malware Binaries Clemens

Inspector Gadget Automated Extraction of Proprietary Gadgets from Malware Binaries Clemens

Int. Secure Systems Lab Vienna University of Technology Inspector Gadget Automated Extraction of Proprietary Gadgets from Malware Binaries Clemens KOLBITSCH Thorsten HOLZ Engin KIRDA Christopher KRUEGEL ck@iseclab.org Int.

622 views • 39 slides

More recommend