detecting environment sensitive malware
play

Detecting Environment-Sensitive Malware Martina Lindorfer Vienna - PowerPoint PPT Presentation

Oct 16, 2023 •123 likes •381 views

Int. Secure Systems Lab Vienna University of Technology Detecting Environment-Sensitive Malware Martina Lindorfer Vienna University of Technology Clemens Kolbitsch Paolo Milani Comparetti 1 Motivation Int. Secure Systems Lab Vienna

  1. Int. Secure Systems Lab Vienna University of Technology Detecting Environment-Sensitive Malware Martina Lindorfer Vienna University of Technology Clemens Kolbitsch Paolo Milani Comparetti 1

  2. Motivation Int. Secure Systems Lab Vienna University of Technology • Sandboxes widely used to observe malicious behavior • Anubis: Dynamic malware analysis sandbox - Online since February 2007 - Over 2,000 distinct users - Over 10,000,000 samples analyzed • Malware tries to differentiate sandbox from real system • No malicious activity in sandbox à analysis evasion • Attackers can use samples to perform reconnaissance 2 Martina Lindorfer, RAID 2011

  3. Motivation Int. Secure Systems Lab Vienna University of Technology ***** ***** ***** 3 Martina Lindorfer, RAID 2011

  4. Evasion Techniques Int. Secure Systems Lab Vienna University of Technology • “Environment-sensitive” malware checks for - Characteristics of the analysis environment - Characteristics of the Windows environment • Emulation/Virtualization detection • Timing • Unique identifiers • Running processes • Restricted network access • Public IP addresses 4 Martina Lindorfer, RAID 2011

  5. Evasion Countermeasures Int. Secure Systems Lab Vienna University of Technology • Transparent Monitoring Platform (e.g. Ether) - “undetectable” - Vulnerable to timing attacks - Vulnerable to detection of the specific Windows environment • Evasion Detection - Execute malware in multiple environments - Detect deviations in behavior and identify root cause - Modify analysis sandboxes to thwart evasion techniques 5 Martina Lindorfer, RAID 2011

  6. Our Approach Int. Secure Systems Lab Vienna University of Technology • D ISARM “DetectIng Sandbox-AwaRe Malware” - Agnostic to root cause of divergence in behavior - Agnostic to employed monitoring technologies • Automatically screen samples for evasive behavior • Collect execution traces in different environments • Eliminate spurious differences in behavior caused by different environments • Compare normalized behavior and detect deviations • Use findings to make sandbox resistant against evasion 6 Martina Lindorfer, RAID 2011

  7. Outline Int. Secure Systems Lab Vienna University of Technology • D ISARM • Evaluation • Conclusion 7 Martina Lindorfer, RAID 2011

  8. D ISARM Int. Secure Systems Lab Vienna University of Technology z z z • Execution monitoring - Execute malware in multiple sandboxes - Different monitoring technologies & Windows installations • Behavior comparison - Normalize behavior from different environments - Measure distance of behavior and calculate evasion score 8 Martina Lindorfer, RAID 2011

  9. Execution Monitoring Int. Secure Systems Lab Vienna University of Technology • Out-of-the-box monitoring • Anubis • modified version of Qemu emulator • Heavy-weight monitoring • In-the-box monitoring • Light-weight monitoring à portable to any host • Windows kernel driver • Intercept system calls by SSDT hooking • Multiple executions in each sandbox to compensate for randomness in behavior 9 Martina Lindorfer, RAID 2011

  10. Behavior Normalization Int. Secure Systems Lab Vienna University of Technology • Eliminate differences not caused by malware behavior - Differences in hardware, software, username, language, … 1. Remove noise 2. Generalize user-specific artifacts 3. Generalize environment 4. Randomization detection 5. Repetition detection 6. File system & registry generalization 10 Martina Lindorfer, RAID 2011

  11. Example Repetition Detection Int. Secure Systems Lab Vienna University of Technology File system Sandbox A File system Sandbox B ... ... C:\WINDOWS\system32\w32tm.exe C:\WINDOWS\system32\w32tm.exe C:\WINDOWS\system32\ C:\WINDOWS\system32\wdfmgr.exe wdfmgr.exe C:\WINDOWS\system32\wextract.exe C:\WINDOWS\system32\wextract.exe C:\WINDOWS\system32\wiaacmgr.exe C:\WINDOWS\system32\wiaacmgr.exe C:\WINDOWS\system32\winchat.exe C:\WINDOWS\system32\winchat.exe C:\WINDOWS\system32\winhlp32.exe C:\WINDOWS\system32\ C:\WINDOWS\system32\WinFXDocObj.exe WinFXDocObj.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\winhlp32.exe C:\WINDOWS\system32\winmine.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\winmsd.exe C:\WINDOWS\system32\winmine.exe C:\WINDOWS\system32\winspool.exe C:\WINDOWS\system32\winmsd.exe C:\WINDOWS\system32\winver.exe C:\WINDOWS\system32\*.exe C:\WINDOWS\system32\winspool.exe C:\WINDOWS\system32\ C:\WINDOWS\system32\wmpstub.exe wmpstub.exe C:\WINDOWS\system32\winver.exe C:\WINDOWS\system32\wowdeb.exe C:\WINDOWS\system32\wowdeb.exe C:\WINDOWS\system32\wowexec.exe C:\WINDOWS\system32\wowexec.exe C:\WINDOWS\system32\wpabaln.exe C:\WINDOWS\system32\wpabaln.exe C:\WINDOWS\system32\wpnpinst.exe C:\WINDOWS\system32\wpdshextautoplay.exe C:\WINDOWS\system32\ wpdshextautoplay.exe C:\WINDOWS\system32\write.exe C:\WINDOWS\system32\wpnpinst.exe ... C:\WINDOWS\system32\write.exe ... 11 Martina Lindorfer, RAID 2011

  12. Behavior Comparison Int. Secure Systems Lab Vienna University of Technology • Behavioral Profiles file|C:\foo.exe|write:1 process|C:\Windows\foo.exe|create:0 network|tcp_conn_attempt_to_host|www.foobar.com - Set of actions on operating system resources • Only persistent state changes - file/registry writes, network actions, process creations • Distance between two profiles: Jaccard Distance 12 Martina Lindorfer, RAID 2011

  13. Evasion Score Int. Secure Systems Lab Vienna University of Technology • Evasion Score calculated in two steps: Max Diameter Max Distance 1. Intra-sandbox distance ( diameter ) between executions in the same sandbox 2. Inter-sandbox distance ( distanc e) between executions in different sandboxes • If E ≥ threshold à classify as different behavior 13 Martina Lindorfer, RAID 2011

  14. Int. Secure Systems Lab Vienna University of Technology Evaluation 14 Martina Lindorfer, RAID 2011

  15. Setup Int. Secure Systems Lab Vienna University of Technology • 2 different monitoring technologies • 3 different Windows images • Driver inside Qemu to facilitate deployment Image Characteristics Monitoring Sandbox Technology Software Username Language 1 Anubis Windows XP SP3, IE6 Administrator English 2 Driver Same as Anubis Windows XP SP3, IE7, 3 Driver User English JRE, .NET, Office Windows XP SP2, IE6, 4 Driver Administrator German JRE 15 Martina Lindorfer, RAID 2011

  16. Training Dataset Int. Secure Systems Lab Vienna University of Technology • 185 malware samples - Randomly selected from submissions to Anubis - Only one sample per malware family • Optimize normalization and scoring • Manual classification Anubis Evasion % 2 . 76.8 % 9 Same Behavior 3.2 % Driver Evasion 2.2 % German Incompatibility 5 . 4 % .NET Required 3.2 % Other Reasons 16 Martina Lindorfer, RAID 2011

  17. Threshold Selection Int. Secure Systems Lab Vienna University of Technology 17 Martina Lindorfer, RAID 2011

  18. Result Accuracy Int. Secure Systems Lab Vienna University of Technology • Proportion of correctly classified samples • Each normalization improves results • Accuracy > 90% for thresholds 0.3 – 0.6 • Max. accuracy 99.5 % for threshold 0.4 18 Martina Lindorfer, RAID 2011

  19. Test Dataset Int. Secure Systems Lab Vienna University of Technology • 1,686 malware samples - Selected from submissions to Anubis Dec 2010 – March 2011 - Max. 5 samples per malware family • Used threshold of 0.4 selected from training dataset • 25.65 % of samples above threshold • Manual examination of randomly selected samples - Discovered evasion techniques against Anubis - Discovered ways to improve the software configuration 19 Martina Lindorfer, RAID 2011

  20. Qualitative Results Int. Secure Systems Lab Vienna University of Technology Anubis Evasion • Timing (Anubis 10x slower than driver in Qemu) • Check for parent process • Incomplete randomization of Anubis characteristics - Computer name - Machine GUID - Hard disk information Driver Evasion • Some samples restored SSDT addresses - Restrict access to kernel memory 20 Martina Lindorfer, RAID 2011

  21. Qualitative Results Int. Secure Systems Lab Vienna University of Technology Environment Sensitivity • Configuration flaws in Anubis image - .NET environment - Microsoft Office - Java Runtime Environment (samples infect Java Update Scheduler) False Positives • Sality family creates registry keys and values dependent on username 21 Martina Lindorfer, RAID 2011

  22. Limitations Int. Secure Systems Lab Vienna University of Technology • Samples can evade D ISARM by evading ALL sandboxes à eliminate shared sandbox characteristics - All sandboxes inside Qemu for our evaluation - Network configuration (restricted network access, public IPs) • No automatic detection of root cause for evasion à use in combination with other tools: - Balzarotti et al.: Efficient Detection of Split Personalities in Malware (NDSS 2010) - Johnson et al.: Differential Slicing: Identifying Causal Execution Differences for Security Applications (Oakland 2011) 22 Martina Lindorfer, RAID 2011

Recommend

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal and Wenke Lee College of Computing Georgia Institute of Technology Agenda l Background l Defeating Automated Malware Analysis Host

1.28k views • 28 slides
StormDroid: A streaminglized Machine Learning-Based System for Detecting Android Malware Sen

StormDroid: A streaminglized Machine Learning-Based System for Detecting Android Malware Sen

StormDroid: A streaminglized Machine Learning-Based System for Detecting Android Malware Sen Chen, Minhui Xue, Zhushou Tang, Lihua Xu, Haojin Zhu Malware Detection in Android 1.6 million apps in Google Play Store in July 2015

441 views • 22 slides
Procopiou Anna 931769 Professor: Dr. Athanasopoulos Elias 1 Articles 1. Detecting Malware

Procopiou Anna 931769 Professor: Dr. Athanasopoulos Elias 1 Articles 1. Detecting Malware

Procopiou Anna 931769 Professor: Dr. Athanasopoulos Elias 1 Articles 1. Detecting Malware Domains at the Upper DNS Hierarchy -M.Antonakakis et. al 2. ZMap: Fast Internet-wide Scanning and Its Security Applications -Z. Durumeric et. al 2

1.17k views • 89 slides
Detecting the behavioral relationships of malware connections (slides) Conference Paper August

Detecting the behavioral relationships of malware connections (slides) Conference Paper August

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/307638742 Detecting the behavioral relationships of malware connections (slides) Conference Paper August 2016 CITATIONS READS 0

380 views • 17 slides
MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models Enrico

MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models Enrico

MaMaDroid: Detecting Android Malware by Building Markov Chains of Behavioral Models Enrico Mariconti , Lucky Onwuzurike, Panagiotis Andriotis, Emiliano De Cristofaro, Gordon Ross, Gianluca Stringhini. NDSS 2017, 28-02-2017 Motivation: Android

1.21k views • 37 slides
Detecting Self-Mutating Malware Using Control-Flow Graph Matching Danilo Bruschi Lorenzo

Detecting Self-Mutating Malware Using Control-Flow Graph Matching Danilo Bruschi Lorenzo

Detecting Self-Mutating Malware Using Control-Flow Graph Matching Danilo Bruschi Lorenzo Martignoni Mattia Monga Dipartimento di Informatica e Comunicazione Universit` a degli Studi di Milano { bruschi,martign,monga } @dico.unimi.it

356 views • 23 slides
WEBCOP: LOCATING NEIGHBORHOODS OF MALWARE ON THE WEB Reid Andersen Jay Stokes

WEBCOP: LOCATING NEIGHBORHOODS OF MALWARE ON THE WEB Reid Andersen Jay Stokes

WEBCOP: LOCATING NEIGHBORHOODS OF MALWARE ON THE WEB Reid Andersen Jay Stokes Christian Seifert Microsoft Research Kumar Chellapilla Microsoft Search Detecting Malicious Web Pages Detecting Malicious Web Pages Production

427 views • 23 slides
Malware Collusions Karim O. Elish, Danfeng (Daphne) Yao, and Barbara G. Ryder Department of

Malware Collusions Karim O. Elish, Danfeng (Daphne) Yao, and Barbara G. Ryder Department of

On the Need of Precise Inter-App ICC Classification for Detecting Android Malware Collusions Karim O. Elish, Danfeng (Daphne) Yao, and Barbara G. Ryder Department of Computer Science Virginia Tech May 21, 2015 Problem and Motivation Malware

139 views • 13 slides
Detecting DGA malware using NetFlow Martin Grill , Ivan Nikolaev , Veronica Valeros

Detecting DGA malware using NetFlow Martin Grill , Ivan Nikolaev , Veronica Valeros

Detecting DGA malware using NetFlow Martin Grill , Ivan Nikolaev , Veronica Valeros , Martin Rehak Cisco Systems, Inc. magrill@cisco.com, inikolae@cisco.com, vvaleros@cisco.com, marrehak@cisco.com Faculty of

606 views • 6 slides
x86 ASM (1) 1 last time: VMs confjgurablity consistent environment isolation run malware in

x86 ASM (1) 1 last time: VMs confjgurablity consistent environment isolation run malware in

x86 ASM (1) 1 last time: VMs confjgurablity consistent environment isolation run malware in safe environment key mechanism: hardware support hardware gives VM monitor control when needed backup mechanism: emulation, binary translation 2

1.34k views • 118 slides
Mining malware specifications through static reachability analysis Hugo Daniel Macedo 1 Tayssir

Mining malware specifications through static reachability analysis Hugo Daniel Macedo 1 Tayssir

Introduction Mining specifications Detecting malware Results References Mining malware specifications through static reachability analysis Hugo Daniel Macedo 1 Tayssir Touili 2 1 INRIA Rocqencourt 2 LIAFA Univ. Paris 7 November 4, 2013

870 views • 45 slides
Data Races are Bad Race: two threads access memory without synchronization and at least one is a

Data Races are Bad Race: two threads access memory without synchronization and at least one is a

C ONTEXT - SENSITIVE C ORRELATION A NALYSIS FOR D ETECTING R ACES Polyvios Pratikakis Jeff Foster Michael Hicks University of Maryland, College Park Context-sensitive Correlation Analysis for Detecting Races p.1/ ?? Data Races are Bad

1.28k views • 76 slides
1 Panda Endpoint Protection Suites Index: A New Endpoint Environment A New Endpoint

1 Panda Endpoint Protection Suites Index: A New Endpoint Environment A New Endpoint

1 Panda Endpoint Protection Suites Index: A New Endpoint Environment A New Endpoint Solution t A New Endpoint Environment i i t E E d A N The New Endpoint Reality Increasing Malware Risk 2M malware signatures identified

515 views • 14 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

570 views • 22 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic

12/6/2013 Detecting Fakes Image Forensics: Detecting Forged Photos 1.Detecting photorealistic graphics 2.Detecting manipulated images Photo manipulation is the application of image editing techniques to photographs in order to create an

306 views • 13 slides
A6: Sensitive Data Exposure A6 Sensitive Data Exposure Sensitive data stored or transmitted

A6: Sensitive Data Exposure A6 Sensitive Data Exposure Sensitive data stored or transmitted

A6: Sensitive Data Exposure A6 Sensitive Data Exposure Sensitive data stored or transmitted insecurely Failure to protect all sensitive data Usernames, passwords, password hashes, credit-card information, identity info Session

416 views • 17 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Overview Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer immunization Kjell Jrgen Hole Simula@UiB 4. Epidemiological model 5. Malware halting analysis 6. Malware halting method Last updated

672 views • 29 slides
Hunting and detecting APTs using Sysmon and PowerShell logging TOM UELTSCHI BOTCONF 2018 C:>

Hunting and detecting APTs using Sysmon and PowerShell logging TOM UELTSCHI BOTCONF 2018 C:>

Hunting and detecting APTs using Sysmon and PowerShell logging TOM UELTSCHI BOTCONF 2018 C:> whoami /all Tom Ueltschi Swiss Post CERT / SOC / CSIRT since 2007 (over 11 years!) Focus & Interests: Malware Analysis, Threat Intel,

1.45k views • 115 slides

More recommend