
  1. Formal Avenue for Chasing Metamorphic Malware
     Mila Dalla Preda, University of Verona, Italy
     Joint work with Roberto Giacobazzi, Saumya Debray, Arun Lakhotia
     Presented by Isabella Mastroeni, CREST, May 30th 2013
     Dalla Preda (CREST 2013) Chasing Metamorphism CREST, May 30th 2013 1 / 25

  2-5. Introduction / Metamorphism: MALWARE DETECTION
     MALWARE = MALicious softWARE
     Malware detector: a program D that determines whether a program P is malicious
        D(P) = true   if D determines that P is malicious
               false  otherwise
     An ideal malware detector is sound and complete:
        SOUND    = no false positives (no false alarms)
        COMPLETE = no false negatives (no missed alarms)

  6-8. Introduction / Metamorphism: MALWARE DETECTION
     Standard malware detectors: Signature Checking
     Identify a sequence of instructions which is unique to a malware (virus signature), then scan programs for signatures.
     Low false positive rate, easy to use
     Cumbersome, difficult to extract automatically, easy to foil
     How can we escape signature checking?
     BY DYNAMICALLY MODIFYING MALWARE STRUCTURE!

  9-10. Introduction / Metamorphism: ESCAPE SIGNATURE CHECKING
     Polymorphic malware: the malware code is encrypted and contains a decryption routine that decrypts the code and then executes it.
     Metamorphic malware: the malware applies semantics-preserving transformations (e.g. obfuscations) to mutate its own code as it propagates.

  11-12. Introduction / Metamorphism: METAMORPHIC CODE - EXAMPLES
     EQUIVALENT CODE REPLACEMENT
        original              variant
        MOV EAX, [X]          XOR EAX, EAX
        MOV EBX, [Y]          ADD EAX, [X]
        ADD EAX, EBX          ADD EAX, [Y]
        MOV [X], EAX          MOV [X], EAX
     REGISTER RENAMING
        original              variant
        MOV EAX, [X]          MOV ECX, [X]
        MOV EBX, [Y]          MOV EAX, [Y]
        ADD EAX, EBX          ADD ECX, EAX
        MOV [X], EAX          MOV [X], ECX

  13-14. Introduction / Metamorphism: METAMORPHIC CODE - EXAMPLES
     CODE REORDERING
        original              variant
        MOV EAX, [X]          MOV EBX, [Y]
        MOV EBX, [Y]          MOV EAX, [X]
        ADD EAX, EBX          ADD EAX, EBX
        MOV [X], EAX          MOV [X], EAX
     GARBAGE INSERTION
        original              variant
        MOV EAX, [X]          MOV EAX, [X]
        MOV EBX, [Y]          MOV EBX, [Y]
        ADD EAX, EBX          ADD EAX, EBX
        MOV [X], EAX          PUSH ESI
                              MOV [X], EAX
                              POP ESI
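Slides 6-8 describe signature checking and slides 11-14 show four transformations that defeat it. The following example is added here and is not code from the talk: it encodes the original snippet and its four variants, runs a plain syntactic signature match and a semantic comparison over them, and shows that only the semantic check recognises every variant. The small x86-subset interpreter, the test inputs and the test-based `semantic_fingerprint` approximation are all constructed for this example; the talk's own approach (slides 16 onward) is an abstract semantic model, not a test battery.

```python
"""Syntactic signature matching versus a semantic check on the metamorphic
variants of slides 11-14.  Added example; the interpreter, the test inputs
and the fingerprint are constructed for illustration."""

# The snippets from the slides.  All of them compute X := X + Y.
ORIGINAL = """
MOV EAX, [X]
MOV EBX, [Y]
ADD EAX, EBX
MOV [X], EAX
"""
VARIANTS = {
    "equivalent code replacement": "XOR EAX, EAX\nADD EAX, [X]\nADD EAX, [Y]\nMOV [X], EAX",
    "register renaming":           "MOV ECX, [X]\nMOV EAX, [Y]\nADD ECX, EAX\nMOV [X], ECX",
    "code reordering":             "MOV EBX, [Y]\nMOV EAX, [X]\nADD EAX, EBX\nMOV [X], EAX",
    "garbage insertion":           "MOV EAX, [X]\nMOV EBX, [Y]\nADD EAX, EBX\n"
                                   "PUSH ESI\nMOV [X], EAX\nPOP ESI",
}

def parse(text):
    """Turn assembly text into a list of (mnemonic, operand, ...) tuples."""
    prog = []
    for line in text.strip().splitlines():
        mnem, _, rest = line.strip().partition(" ")
        ops = [o.strip() for o in rest.split(",")] if rest else []
        prog.append((mnem, *ops))
    return prog

def signature_match(signature, program):
    """Classic signature checking: is the signature a contiguous, textually
    identical sub-sequence of the program's instructions?"""
    n = len(signature)
    return any(program[i:i + n] == signature for i in range(len(program) - n + 1))

def execute(program, mem):
    """Interpret the x86 subset used on the slides (constructed interpreter).
    Registers start at 0; `mem` maps variable names to 32-bit values."""
    regs = {r: 0 for r in ("EAX", "EBX", "ECX", "ESI")}
    stack = []

    def read(op):
        return mem[op[1:-1]] if op.startswith("[") else regs[op]

    def write(op, val):
        val &= 0xFFFFFFFF                      # 32-bit wrap-around
        if op.startswith("["):
            mem[op[1:-1]] = val
        else:
            regs[op] = val

    for mnem, *ops in program:
        if mnem == "MOV":
            write(ops[0], read(ops[1]))
        elif mnem == "ADD":
            write(ops[0], read(ops[0]) + read(ops[1]))
        elif mnem == "XOR":
            write(ops[0], read(ops[0]) ^ read(ops[1]))
        elif mnem == "PUSH":
            stack.append(read(ops[0]))
        elif mnem == "POP":
            write(ops[0], stack.pop())
        else:
            raise ValueError(f"unsupported instruction {mnem}")
    return mem

# Constructed (X, Y) inputs, including one that wraps around 2^32.
TEST_INPUTS = [(0, 0), (1, 2), (7, 1000), (0xFFFFFFFF, 1)]

def semantic_fingerprint(program):
    """A semantic feature: the memory state produced on each test input.
    Purely syntactic mutations leave this fingerprint unchanged."""
    return tuple(tuple(sorted(execute(program, {"X": x, "Y": y}).items()))
                 for x, y in TEST_INPUTS)

def compare_detectors():
    """For each variant: (matched by the syntactic signature?,
    matched by the semantic fingerprint of the original?)."""
    sig = parse(ORIGINAL)
    fp = semantic_fingerprint(sig)
    return {name: (signature_match(sig, parse(text)),
                   semantic_fingerprint(parse(text)) == fp)
            for name, text in VARIANTS.items()}

if __name__ == "__main__":
    for name, (syntactic, semantic) in compare_detectors().items():
        print(f"{name:30s} signature={syntactic!s:5s} semantic={semantic}")
```

Every variant evades the signature (the garbage-insertion one breaks contiguity even though the original four instructions are all still present) while sharing the original's semantic fingerprint. Equality of outputs on a handful of inputs is only evidence of equivalence, not proof; the slides' point is to replace the test battery by an abstraction that soundly characterises the behaviour.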

  15. Motivation / The Problem

  16-18. Motivation / The Problem: CHASING METAMORPHISM
     In order to detect metamorphic malware variants, a malware detector should be based on SEMANTIC program features.
     Abstract models of malware that ideally capture the essence of being malicious while abstracting from the details that are modified by metamorphism: system calls, symbolic names, automata, CFG, rewriting rules towards normal forms, model checking, ...
     These rely on A PRIORI KNOWLEDGE OF THE METAMORPHIC TRANSFORMATIONS

  19-22. Motivation / The Problem: THE CHALLENGE
     The malware code contains the metamorphic engine (70%)
     Metamorphic signature: a characterization of the set L of the possible code variants generated by a metamorphic malware
        σ IS A METAMORPHIC VARIANT ⇒ σ ∈ L
     THE PROBLEM: Is there a way for systematically extracting a metamorphic signature without a priori knowledge of the metamorphic transformations used?

  23-24. Motivation / The Problem: IDEALLY...
     Program Evolution Graph: a precise description of the evolution of the code during execution
     Given a self-modifying program P0, we would like to generate its program evolution graph (or a sound approximation)

  25-28. The Idea: THE IDEA
     The ME (metamorphic engine) is part of the code of the metamorphic malware
     ⇒ The description of the metamorphic behaviour (code evolution) is inside the trace semantics of the metamorphic malware
     The state contains a description of the program that is executed
        [figure: a program state split into "Other State" and "Program Info"]
     We use Abstract Interpretation!
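Slides 23-28 say that, because the metamorphic engine is part of the program, the code evolution is already present in the trace semantics once the state carries the program being executed, and that the program evolution graph is an abstraction of that trace. The following example is added here and is not code from the talk: it builds a toy self-modifying program whose state is (pc, registers, code), computes its concrete trace semantics, and extracts the program evolution graph by abstracting every state to its code component. The machine, the `EQUIV` rewrite table that stands in for the metamorphic engine, and the sample program are constructed; the extraction step looks only at the observed states and never consults `EQUIV`, which is what "without a priori knowledge of the transformations" amounts to here. On a real sample the trace is unbounded, which is why the talk turns to abstract interpretation for a sound approximation rather than enumerating concrete states as this example does.

```python
"""Program evolution graph extracted from the trace semantics of a toy
self-modifying program.  Added example with a constructed machine: a state is
(pc, regs, code), where `code` is the "program info" part of the state and
pc/regs are the "other state"."""

# The engine's rewrite table (constructed): each payload form is mapped to a
# semantically equivalent one.   r1 += 2   <->   r1 -= -2
EQUIV = {("ADD", 1, 2): ("SUB", 1, -2), ("SUB", 1, -2): ("ADD", 1, 2)}

SAMPLE = (
    ("SET", 0, 3),     # r0 := 3 generations to run
    ("ADD", 1, 2),     # payload slot: r1 += 2 (the instruction the engine rewrites)
    ("MUTATE", 1),     # engine: replace code[1] by an equivalent form
    ("SUB", 0, 1),     # r0 -= 1
    ("JNZ", 0, 1),     # loop back to the payload while r0 != 0
    ("HALT",),
)

def step(state):
    """One transition of the toy machine; None when the program halts."""
    pc, regs, code = state
    instr = code[pc]
    op = instr[0]
    r = list(regs)
    if op == "SET":
        r[instr[1]] = instr[2]
    elif op == "ADD":
        r[instr[1]] += instr[2]
    elif op == "SUB":
        r[instr[1]] -= instr[2]
    elif op == "JNZ":
        if r[instr[1]] != 0:
            return instr[2], regs, code
    elif op == "MUTATE":                      # self-modification: code changes
        i = instr[1]
        code = code[:i] + (EQUIV[code[i]],) + code[i + 1:]
    elif op == "HALT":
        return None
    else:
        raise ValueError(op)
    return pc + 1, tuple(r), code

def trace(code, max_steps=1000):
    """Concrete trace semantics: the sequence of states reached from the
    initial state.  `max_steps` guards against non-terminating samples."""
    states = [(0, (0, 0), code)]
    for _ in range(max_steps):
        nxt = step(states[-1])
        if nxt is None:
            return states
        states.append(nxt)
    raise RuntimeError("trace did not terminate within max_steps")

def evolution_graph(states):
    """Abstract each state to its code component.  Nodes are the distinct
    code snapshots seen in the trace (the variant set L observed so far),
    edges record every observed code change."""
    codes = [st[2] for st in states]
    nodes = []
    for c in codes:
        if c not in nodes:
            nodes.append(c)
    edges = {(a, b) for a, b in zip(codes, codes[1:]) if a != b}
    return nodes, edges

if __name__ == "__main__":
    nodes, edges = evolution_graph(trace(SAMPLE))
    for i, code in enumerate(nodes):
        print(f"variant {i}: payload slot = {code[1]}")
    print("edges:", sorted((nodes.index(a), nodes.index(b)) for a, b in edges))
```

The trace visits two code snapshots that alternate (payload `ADD 1, 2` and `SUB 1, -2`), so the evolution graph is a two-node cycle: the metamorphic signature for this sample is the set of those two programs, recovered from the states alone.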
