Malware Analysis at AIRBUS: Practical Considerations and Issues
July 12th, 2017
Xavier Mehrenberger, Raphaël Rigo, Sarah Zennou
Plan
• Introduction
• Automated analysis
• Machine learning experiments
M. Mehrenberger, R. Rigo, S. Zennou :: Malware Analysis at AIRBUS
Context
• high number of received binary samples
• analyst time is in limited supply
• ⇒ need automated analysis and triage
Typical workflow of a malware sample
Figure (workflow diagram, labels only): binary → SOC (Security Operations Center): malicious? new? → exotic malware → reverser
Our tools
• tools for automated malware analysis and triage, for the SOC (Security Operations Center)
• tools for manual analysis by a reverser, including our own, BinCAT
Section: Automated analysis
SOC Tasks
Incoming binaries processing:
• distinguish malicious from benign files;
• determine what a malware sample does;
• learn to recognize future similar samples (identify artifacts);
• distinguish targeted malware from opportunistic malware (phishing, etc.);
• prioritize the suspicious samples that have to be inspected by a reverser.
Observation: targeted malware is much rarer than opportunistic malware.
Infrastructure
REbus: communication bus (developed in-house, open source)
• goal: make analysis tools cooperate!
• exchange of typed messages (e.g. /binary/pe/%abc123...def)
• independent programs may choose to process each message, based on its type
• decentralized processing & workflow
• facilitates experimentation
• scalable
Analysis agents
• wrappers for existing tools
• implementations of published techniques
Open source! https://github.com/airbus-seclab/rebus (agents will be published soon)
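The bus idea on this slide (typed messages, independent agents that pick what to process by type, content-addressed deduplication) as an added, runnable illustration. This is not REbus code and does not reproduce its API; the real project is at the URL above. The message key shape /<domain>/<type>/%<sha256> is modelled on the slide's /binary/pe/%abc123...def example, and the agent names, the fake PE and fake ELF bytes are constructed for this example.

```python
import fnmatch
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Descriptor:
    """A typed message: a /<domain>/<type> selector plus the payload it describes."""
    selector: str
    value: bytes
    producer: str = "inject"

    @property
    def key(self) -> str:
        # Content-addressed key, shaped like the slide's /binary/pe/%abc123...def example.
        return f"{self.selector}/%{hashlib.sha256(self.value).hexdigest()}"


class Agent:
    """An independent processor; `pattern` is a glob over the selectors it is interested in."""
    name = "agent"
    pattern = "/*"

    def wants(self, desc: Descriptor) -> bool:
        return fnmatch.fnmatchcase(desc.selector, self.pattern)

    def process(self, desc: Descriptor):
        raise NotImplementedError


class FileType(Agent):
    """Re-types incoming /binary/unknown messages from their magic bytes (hypothetical agent)."""
    name, pattern = "filetype", "/binary/unknown"
    MAGIC = {b"MZ": "pe", b"\x7fELF": "elf", b"%PDF": "pdf"}

    def process(self, desc):
        kind = next((k for magic, k in self.MAGIC.items() if desc.value.startswith(magic)), "data")
        yield Descriptor(f"/binary/{kind}", desc.value, self.name)


class PeHeader(Agent):
    """Only interested in PE files: reads e_lfanew from the DOS header (hypothetical agent)."""
    name, pattern = "peheader", "/binary/pe"

    def process(self, desc):
        e_lfanew = int.from_bytes(desc.value[0x3C:0x40], "little")
        yield Descriptor("/analysis/pe_header", f"e_lfanew=0x{e_lfanew:x}".encode(), self.name)


class Hasher(Agent):
    """Interested in every /binary/* message, the untyped copy included (hypothetical agent)."""
    name, pattern = "hasher", "/binary/*"

    def process(self, desc):
        yield Descriptor("/analysis/sha256", hashlib.sha256(desc.value).hexdigest().encode(), self.name)


class Bus:
    """Every new message is offered to every agent; each agent decides by selector."""
    def __init__(self, agents):
        self.agents = agents
        self.store = {}   # key -> Descriptor; the key dedups same type + same content
        self.log = []     # (agent name, key): trace of who processed what

    def inject(self, desc: Descriptor) -> None:
        if desc.key in self.store:
            return        # already known: re-submitted samples and duplicate outputs stop here
        self.store[desc.key] = desc
        for agent in self.agents:
            if agent.wants(desc):
                self.log.append((agent.name, desc.key))
                for out in agent.process(desc):
                    self.inject(out)

    def by_selector(self, pattern: str):
        return [d for d in self.store.values() if fnmatch.fnmatchcase(d.selector, pattern)]


def run_demo() -> Bus:
    """Constructed inputs: a minimal fake PE (MZ + e_lfanew=0x80) and a fake ELF; the PE is injected twice."""
    fake_pe = b"MZ" + b"\x00" * 0x3A + (0x80).to_bytes(4, "little") + b"\x00" * 0x40
    fake_elf = b"\x7fELF" + b"\x00" * 60
    bus = Bus([FileType(), PeHeader(), Hasher()])
    for sample in (fake_pe, fake_elf, fake_pe):
        bus.inject(Descriptor("/binary/unknown", sample))
    return bus
```

Two things worth noticing when running it: the second injection of the same PE is dropped at the door because its key already exists, and the Hasher, which runs on both the untyped and the re-typed copy of each sample, produces the same /analysis/sha256 message twice but only one copy is stored. Adding a new analysis is a matter of adding an agent with its own selector pattern; nothing else on the bus changes.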
Automated analysis (I)
Analysis automation
• extract e-mails, archives
• extract JavaScript from PDFs
• extract macros from documents
Identification
• sha256, . . .
• EXIF data
• document rendering
• visual rendering (packer?)
Static metadata extraction
• list imports
• extract suspicious strings
Automated analysis (II)
Signature matching
• apply YARA rules
• antiviruses (IRMA)
• signature-based identification techniques (PEiD, signsrch, . . . )
• query public databases (NSRL, VirusTotal)
• common RAT configuration extraction tools
Dynamic analysis
• run sample through several sandboxes
  • several OS images
  • collect and consolidate results
• dubious behaviour detected by the sandbox
  • accessed files
  • resources: registry keys, mutexes, pipes, . . .
  • network operations
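The "extract suspicious strings" step of the static metadata extraction slide, as an added example that is not Airbus code. Malware on Windows frequently keeps paths, registry keys and command lines as UTF-16LE, which a plain ASCII `strings` pass misses, so the extractor below handles both encodings and then tags strings that match a handful of triage-grade indicators (C2 URLs, IPv4 literals, autorun registry keys, injection and anti-debug API names, script hosts). The indicator list and the sample blob are constructed for this example; a real deployment would feed the same strings to YARA rules as on the slide.

```python
import re
from typing import Dict, List, Tuple

# Indicators a triage pass would flag (constructed list for this example, not exhaustive).
INDICATORS = {
    "url": re.compile(r"""\bhttps?://[^\s"'<>]+""", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "autorun_key": re.compile(r"CurrentVersion\\Run(?:Once)?\b", re.I),
    "injection_api": re.compile(
        r"\b(?:VirtualAlloc(?:Ex)?|WriteProcessMemory|CreateRemoteThread|NtUnmapViewOfSection)\b"),
    "anti_debug_api": re.compile(
        r"\b(?:IsDebuggerPresent|CheckRemoteDebuggerPresent|NtQueryInformationProcess)\b"),
    "script_host": re.compile(r"\b(?:powershell|cmd\.exe|wscript|cscript|mshta|regsvr32)\b", re.I),
}


def extract_strings(data: bytes, min_len: int = 5) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for printable ASCII and UTF-16LE runs of at least min_len chars."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE of a printable ASCII char is <char>\x00; a run of those is a wide string.
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf16le", m.group().decode("utf-16le")) for m in utf16_re.finditer(data)]
    return sorted(found)


def triage_strings(data: bytes) -> Dict[str, List[Tuple[int, str, str]]]:
    """Group extracted strings by the indicator(s) they match; unmatched strings are dropped."""
    hits: Dict[str, List[Tuple[int, str, str]]] = {}
    for off, enc, text in extract_strings(data):
        for tag, rx in INDICATORS.items():
            if rx.search(text):
                hits.setdefault(tag, []).append((off, enc, text))
    return hits


# Constructed blob standing in for a dropper: DOS stub text, API names as they would sit in an
# import table or a decrypted string pool, a UTF-16 autorun key, a C2 URL and a UTF-16 command line.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff"
    + b"This program cannot be run in DOS mode.\r\n$\x00\x00"
    + b"VirtualAlloc\x00WriteProcessMemory\x00IsDebuggerPresent\x00\x00"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le") + b"\x00\x00"
    + b"http://198.51.100.23/update/payload.bin\x00\x00"
    + "powershell -nop -w hidden -enc".encode("utf-16le") + b"\x00\x00"
    + b"\x55\x8b\xec\x83\xec\x40"
)


if __name__ == "__main__":
    for tag, matches in triage_strings(SAMPLE).items():
        for off, enc, text in matches:
            print(f"{tag:15s} @0x{off:04x} ({enc}) {text}")
```

The registry key and the PowerShell command line are only found because of the UTF-16 pass; the URL is reported twice (as a URL and as an IPv4 literal), which is the intended behaviour for a triage view where every indicator type is a separate column.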
Section: Machine learning experiments
ML experiments
Pipeline: feature extraction → hashing (minhash) → distance computation → classification
Goal: identify similar malware, classify into families
Features
• opcodes (using several disassemblers: IDA, objdump, Jakstab, amoco)
• strings
• imports, . . .
Combined feature extraction & distance computation algorithms
• ssdeep
• sdhash
• simhash
• BinDiff, . . .
ML Issues
• feature choice
• a representative initial corpus is needed to train the classifier
• new samples may be completely different from what you already know (not a physical process)
• new samples have to be compared to every known sample: Θ(n²)
• typical databases are not well labelled (VirusTotal)
• use analyst feedback in the ML algorithms
Application: identify near-identical new samples ⇒ reduce manual analysis
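The minhash step of the pipeline on the previous slide, together with a way around the Θ(n²) comparison cost listed above, as an added example that is not Airbus code and not the exact pipeline of these slides. Each sample becomes a set of features of the kinds the slides list (opcode n-grams, strings, imports); a MinHash signature estimates the Jaccard similarity between two sets from a fixed number of slots, and a banded locality-sensitive hash index means a new sample is compared only with the known samples that share a band, not with all of them. The opcode sequences, strings and imports are constructed; the variant differs from the base sample by one opcode name (jz vs je, the kind of difference two disassemblers produce) and one string.

```python
import hashlib
import random
from collections import defaultdict
from typing import Dict, Iterable, List, Sequence, Set, Tuple

MERSENNE = (1 << 61) - 1  # modulus for the universal hash family


def feature_set(opcodes: Sequence[str], strings: Iterable[str] = (),
                imports: Iterable[str] = (), n: int = 3) -> Set[str]:
    """Opcode n-grams plus strings and imports, prefixed by kind so they never collide."""
    feats = {"op:" + " ".join(opcodes[i:i + n]) for i in range(len(opcodes) - n + 1)}
    feats |= {"str:" + s for s in strings}
    feats |= {"imp:" + s for s in imports}
    return feats


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Exact set similarity; the thing MinHash estimates without touching the sets."""
    return len(a & b) / len(a | b) if a or b else 1.0


class MinHash:
    """num_perm universal hash functions; each signature slot keeps the minimum over the set."""
    def __init__(self, num_perm: int = 128, seed: int = 1):
        rnd = random.Random(seed)
        self.params = [(rnd.randrange(1, MERSENNE), rnd.randrange(0, MERSENNE)) for _ in range(num_perm)]

    def signature(self, feats: Set[str]) -> Tuple[int, ...]:
        hashed = [int.from_bytes(hashlib.sha1(f.encode()).digest()[:8], "big") for f in feats]
        if not hashed:
            return (MERSENNE,) * len(self.params)
        return tuple(min((a * h + b) % MERSENNE for h in hashed) for a, b in self.params)


def estimate(sig1: Sequence[int], sig2: Sequence[int]) -> float:
    """Fraction of equal slots, an unbiased estimate of the Jaccard similarity."""
    return sum(x == y for x, y in zip(sig1, sig2)) / len(sig1)


class LSHIndex:
    """Signatures split into bands; samples sharing at least one band are candidates."""
    def __init__(self, num_perm: int = 128, bands: int = 32):
        assert num_perm % bands == 0
        self.rows, self.bands = num_perm // bands, bands
        self.tables: List[Dict[tuple, List[str]]] = [defaultdict(list) for _ in range(bands)]
        self.sigs: Dict[str, tuple] = {}

    def _bands(self, sig):
        return (tuple(sig[i * self.rows:(i + 1) * self.rows]) for i in range(self.bands))

    def add(self, name: str, sig: Tuple[int, ...]) -> None:
        self.sigs[name] = sig
        for table, band in zip(self.tables, self._bands(sig)):
            table[band].append(name)

    def candidates(self, sig: Tuple[int, ...]) -> Set[str]:
        # Only these are compared: the Θ(n²) all-pairs scan becomes a few dictionary lookups.
        return {n for table, band in zip(self.tables, self._bands(sig)) for n in table.get(band, ())}

    def query(self, sig: Tuple[int, ...], threshold: float = 0.5) -> List[Tuple[str, float]]:
        scored = [(n, estimate(sig, self.sigs[n])) for n in self.candidates(sig)]
        return sorted(((n, s) for n, s in scored if s >= threshold), key=lambda x: -x[1])


# Constructed corpus: a "family A" loader, a near-identical variant, and an unrelated "family B".
A_OPS = ("push", "mov", "sub", "mov", "lea", "call", "test", "jz", "mov", "xor",
         "call", "cmp", "jne", "lea", "push", "call", "add", "mov", "cmp", "jl",
         "mov", "push", "call", "test", "jnz", "lea", "mov", "call", "pop", "ret")
A_STRS = ("Software\\Microsoft\\Windows\\CurrentVersion\\Run", "update.exe", "/gate.php", "Mozilla/5.0")
A_IMPS = ("kernel32!VirtualAlloc", "kernel32!CreateThread", "wininet!InternetOpenA",
          "wininet!HttpSendRequestA", "advapi32!RegSetValueExA")
A2_OPS = list(A_OPS)
A2_OPS[7] = "je"                          # same instruction, other disassembler's mnemonic
A2_STRS = A_STRS[:-1] + ("Mozilla/4.0",)
B_OPS = ("enter", "movzx", "shl", "or", "movzx", "shl", "or", "loop", "rol", "xor",
         "stosb", "dec", "jnz", "leave", "ret", "int3", "nop", "nop", "nop", "nop")
B_IMPS = ("kernel32!VirtualAlloc", "ntdll!RtlDecompressBuffer", "user32!MessageBoxA")

SAMPLES = {
    "loaderA_v1": feature_set(A_OPS, A_STRS, A_IMPS),
    "loaderA_v2": feature_set(A2_OPS, A2_STRS, A_IMPS),
    "unrelatedB": feature_set(B_OPS, ("decompressing...",), B_IMPS),
}


def build_index(samples=SAMPLES, num_perm: int = 128, bands: int = 32):
    mh, idx = MinHash(num_perm), LSHIndex(num_perm, bands)
    for name, feats in samples.items():
        idx.add(name, mh.signature(feats))
    return mh, idx


if __name__ == "__main__":
    mh, idx = build_index()
    for name, feats in SAMPLES.items():
        print(name, idx.query(mh.signature(feats)))
```

With 32 bands of 4 slots, a pair at true similarity 0.8 shares at least one band with probability 1 - (1 - 0.8^4)^32, effectively 1, while a pair at similarity 0.02 practically never does, so the index returns the variant and ignores the unrelated family without scanning it. The "completely different new sample" case from the slide shows up as a query that returns only the sample itself; that is the signal to route it to a reverser rather than to a family label.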