Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware Binaries
Clemens Kolbitsch, Thorsten Holz, Engin Kirda, Christopher Kruegel (ck@iseclab.org)
Int. Secure Systems Lab, Vienna University of Technology; Institute Eurecom, Sophia Antipolis; UC Santa Barbara
Motivation
• Analysis of malicious code is challenging
  – Anubis: 76 172 submissions, 58 041 new samples
• Looking at the inner workings of every sample has become infeasible
  – … due to various obfuscation techniques
  – … due to analysis resistance (e.g., anti-debugging techniques)
  – … due to the huge number of malware families / variants
• Results of dynamic analysis are cluttered by other behavior the sample is capable of
Motivation
• Results of dynamic analysis are cluttered by other behavior the sample is capable of
  (figure: behavior graph of one sample, with panels for C&C communication, binary location / update, component installation, and spam target selection / templating)
• Dynamic analysis is very resource consuming…
• … and only provides a temporary snapshot
  – malicious behavior might depend on
    • analysis date & time
    • analysis environment (e.g., username, host OS, …)
    • availability of remote resources (e.g., C&C hosts)
  – needs to be repeatedly performed on a single sample
    • at different points in time
    • preferably on different systems
    • even more time/resource consuming
Motivation – Inspector Gadget
Wouldn't it be cool if we were able to extract a single behavior into a standalone component and use this to re-invoke the behavior?
• Removes clutter from analysis results
• Independent of other malicious activity
  – can be executed without a virtual environment
• Easy to replay in a different situation such as
  – point in time
  – operating system
Motivating Example
• Conficker Domain Generation Algorithm (DGA)
  – decides which remote host to contact for C&C
  – domain depends on current time
  – current time is fetched from a remote host (e.g., msn)
  (figure: the same behavior graph as before, with the C&C domain part highlighted)
Outline
• Motivation
  – dynamic analysis reveals limited, temporary behavior
• Behavior analysis & extraction
  – storing identified behavior into a gadget
• Behavior re-invocation
  – gadget player
  – gadget inversion
• So… again, why…?
  – benefit recap
• Gadget examples
Behavior Analysis and Extraction
Extraction Overview
A 4-step process. Its input is an Anubis dynamic analysis run that records control flow & instructions, API calls, taint dependencies and memory accesses.

step 1: dynamic analysis
  Find interesting behavior that is to be extracted.
  Example: Hm, to which domain am I connecting here??

step 2: behavior identification
  Map the selected behavior to the analyzed process & thread, API calls and control flow.
  outcome: API call / flow position

step 2.1: identification refinement
  Find and suggest data manipulating instructions after the chosen API call.
  Possibly refine the chosen position to include the data processing.
step 3: backward program slicing
  Inputs: control flow & instructions, API calls, taint dependencies, memory accesses.
  (figure: instruction trace call func1 / add %esp / … / call func2 / add %esp / call func3 / call StartS / pop %eax / push "abc" / call DnsQry, annotated with the API calls StartService and DnsQuery_W; the second build of the slide adds a WSAStartup / connect / recv loop: call connect / jmp L_1 / L_0: call recv / L_1: test %eax / je L_0)
step 4: gadget creation
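Step 3 above, as an added worked example (not the paper's tool): a dynamic backward slice that turns the slide's instruction trace into the gadget's instructions. The trace, its def/use sets and the "mem:" cell names are constructed; it models data flow only, not the control dependencies of the recv loop.

```python
# Dynamic backward slice over a constructed instruction trace (data flow only).
# Constructed example, not the Inspector Gadget implementation: every trace entry
# is (text, defs, uses), where defs/uses are the registers or memory cells the
# instruction writes/reads, standing in for the taint dependencies and memory
# accesses Anubis logs. %esp is left out of the sets on purpose, so that the
# 'add %esp' bookkeeping does not drag every instruction into the slice.

def insn(text, defs=(), uses=()):
    return (text, frozenset(defs), frozenset(uses))


# Constructed trace modelled on the slide: func1 fetches a seed into eax,
# func2 turns it into a domain string, and the string goes to DnsQuery_W.
TRACE = [
    insn("call func1", defs=["eax"]),                                   # 0
    insn("add %esp"),                                                   # 1
    insn("mov [buf], %eax", defs=["mem:buf"], uses=["eax"]),            # 2
    insn("call func2", defs=["mem:domain", "eax"], uses=["mem:buf"]),   # 3
    insn("add %esp"),                                                   # 4
    insn("call func3", defs=["eax"]),                                   # 5
    insn("call StartService", defs=["eax"], uses=["eax"]),              # 6
    insn("pop %eax", defs=["eax"], uses=["mem:stack1"]),                # 7
    # the pushed pointer counts as a use of the string it points to
    insn('push "abc"', defs=["mem:stack0"], uses=["mem:domain"]),       # 8
    insn("call DnsQuery_W", defs=["eax"], uses=["mem:stack0"]),         # 9
]


def backward_slice(trace, sink):
    """Indices of the instructions whose results reach the sink's inputs.

    Walk backwards from the sink with a live set of locations: an instruction
    joins the slice when it defines a live location; its defs are then killed
    and its uses become live. Control dependencies (the je L_0 loop on the
    second slide) are not modelled."""
    live = set(trace[sink][2])
    picked = {sink}
    for i in range(sink - 1, -1, -1):
        _, defs, uses = trace[i]
        if defs & live:
            picked.add(i)
            live -= defs
            live |= uses
    return sorted(picked)


def extract_gadget(trace, sink):
    """Instruction texts making up the gadget, in trace order."""
    return [trace[i][0] for i in backward_slice(trace, sink)]
```

Slicing from the DnsQuery_W call keeps func1, the store, func2 and the push, and drops func3, StartService and the unrelated pop, which is the clutter the gadget is meant to leave behind.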