malware obfuscation techniques packing
play

Malware Obfuscation Techniques: Packing November 18, 2014 Malware - PowerPoint PPT Presentation

Nov 25, 2022 •458 likes •985 views

Malware Obfuscation Techniques: Packing November 18, 2014 Malware and packing Not packed (20%) 80% of new malware are packed with various packers Malware Obfuscation Techniques: Packing 2 Malware and packing Not packed (20%) 80%

  1. Malware Obfuscation Techniques: Packing November 18, 2014

  2. Malware and packing Not packed (20%) • 80% of new malware are packed with various packers Malware Obfuscation Techniques: Packing 2

  3. Malware and packing Not packed (20%) • 80% of new malware are packed with various packers 50% of new malware samples are simply repacked versions of existing malware Malware Obfuscation Techniques: Packing 2

  4. Code packing ◮ A technique to hide the real code of a program through one or more layers of compression/encryption ◮ At run-time the unpacking routine restores the original code in memory and then executes it Malware Obfuscation Techniques: Packing 3

  5. Code packing ◮ A technique to hide the real code of a program through one or more layers of compression/encryption ◮ At run-time the unpacking routine restores the original code in memory and then executes it Malicious code Malware Obfuscation Techniques: Packing 3

  6. Code packing ◮ A technique to hide the real code of a program through one or more layers of compression/encryption ◮ At run-time the unpacking routine restores the original code in memory and then executes it Unpacking Malicious routine code Malware Obfuscation Techniques: Packing 3

  7. Code packing ◮ A technique to hide the real code of a program through one or more layers of compression/encryption ◮ At run-time the unpacking routine restores the original code in memory and then executes it Unpacking Unpacking Malicious routine routine code Malware Obfuscation Techniques: Packing 3

  8. Code packing ◮ A technique to hide the real code of a program through one or more layers of compression/encryption ◮ At run-time the unpacking routine restores the original code in memory and then executes it Unpacking Unpacking Malicious routine routine code The effectiveness of malware detectors depends on the ability to recover the “real” malicious code, but recovery often fails! Malware Obfuscation Techniques: Packing 3

  9. Traditional approaches to deal with packed code Algorithmic unpacking Use of specific unpacking routines to recover the original code (i.e., one routine per packing algorithm) Malware Obfuscation Techniques: Packing 4

  10. Traditional approaches to deal with packed code Algorithmic unpacking Use of specific unpacking routines to recover the original code (i.e., one routine per packing algorithm) Malware detector Malicious program Malware Obfuscation Techniques: Packing 4

  11. Traditional approaches to deal with packed code Algorithmic unpacking Use of specific unpacking routines to recover the original code (i.e., one routine per packing algorithm) Malware detector Malicious program ???? Malware Obfuscation Techniques: Packing 4

  12. Traditional approaches to deal with packed code Algorithmic unpacking Use of specific unpacking routines to recover the original code (i.e., one routine per packing algorithm) Malware detector Malicious program ???? ???? Malware Obfuscation Techniques: Packing 4

  13. Traditional approaches to deal with packed code Algorithmic unpacking Use of specific unpacking routines to recover the original code (i.e., one routine per packing algorithm) Malware detector Malicious program ???? ???? Malicious Malware Obfuscation Techniques: Packing 4

  14. Traditional approaches to deal with packed code Algorithmic unpacking Use of specific unpacking routines to recover the original code (i.e., one routine per packing algorithm) Malware detector Malicious program ???? ???? Malicious Generic unpacking Emulation/tracing of the execution until the unpacking routine terminates (e.g., PolyUnpack [ACSAC 06] and Renovo [WORM 07] ) Malware Obfuscation Techniques: Packing 4

  15. Traditional approaches to deal with packed code Algorithmic unpacking Use of specific unpacking routines to recover the original code (i.e., one routine per packing algorithm) Malware detector Malicious program ???? ???? Malicious Generic unpacking Emulation/tracing of the execution until the unpacking routine terminates (e.g., PolyUnpack [ACSAC 06] and Renovo [WORM 07] ) Packed code Malware Obfuscation Techniques: Packing 4

  16. Traditional approaches to deal with packed code Algorithmic unpacking Use of specific unpacking routines to recover the original code (i.e., one routine per packing algorithm) Malware detector Malicious program ???? ???? Malicious Generic unpacking Emulation/tracing of the execution until the unpacking routine terminates (e.g., PolyUnpack [ACSAC 06] and Renovo [WORM 07] ) Packed code Malware Obfuscation Techniques: Packing 4

  17. Traditional approaches to deal with packed code Algorithmic unpacking Use of specific unpacking routines to recover the original code (i.e., one routine per packing algorithm) Malware detector Malicious program ???? ???? Malicious Generic unpacking Emulation/tracing of the execution until the unpacking routine terminates (e.g., PolyUnpack [ACSAC 06] and Renovo [WORM 07] ) Packed code Malware Obfuscation Techniques: Packing 4

  18. Traditional approaches to deal with packed code Algorithmic unpacking Use of specific unpacking routines to recover the original code (i.e., one routine per packing algorithm) Malware detector Malicious program ???? ???? Malicious Generic unpacking Emulation/tracing of the execution until the unpacking routine terminates (e.g., PolyUnpack [ACSAC 06] and Renovo [WORM 07] ) Unpacked code Packed code Malware Obfuscation Techniques: Packing 4

  19. A simple generic unpacker ◮ Track all memory writes and the program counter ◮ The execution of a previously written memory location denotes the end of an unpacking stage ◮ All written-then-executed memory locations should then be analyzed by a malware detector Malware Obfuscation Techniques: Packing 5

  20. A simple generic unpacker ◮ Track all memory writes and the program counter ◮ The execution of a previously written memory location denotes the end of an unpacking stage ◮ All written-then-executed memory locations should then be analyzed by a malware detector Extend this idea to design an iterative unpacking algorithm that achieves low overhead yet does not compromise the security of the system Malware Obfuscation Techniques: Packing 5

  21. Goals of Real-Time Unpackers ◮ Generic unpacking with low-overhead by using existing hardware mechanisms ◮ Precise unpacking by running the program on the native OS ◮ A new malware detection strategy, independent of packing, where the malware detector analyzes new pieces of code before they are executed. Malware Obfuscation Techniques: Packing 6

  22. Efficient tracking of memory accesses Coarse-grained memory access tracking (at page level), through the use of hardware mechanisms Malware Obfuscation Techniques: Packing 7

  23. Efficient tracking of memory accesses Coarse-grained memory access tracking (at page level), through the use of hardware mechanisms Executed page Memory Written page Executed memory location Written memory location Malware Obfuscation Techniques: Packing 7

  24. Efficient tracking of memory accesses Coarse-grained memory access tracking (at page level), through the use of hardware mechanisms Executed page Memory Written page Executed memory location Written memory location Malware Obfuscation Techniques: Packing 7

  25. Efficient tracking of memory accesses Coarse-grained memory access tracking (at page level), through the use of hardware mechanisms Executed page Memory Written page Executed memory location Written memory location Malware Obfuscation Techniques: Packing 7

  26. Efficient tracking of memory accesses Coarse-grained memory access tracking (at page level), through the use of hardware mechanisms Executed page Memory Written page Executed memory location Malicious code Written memory location Malware Obfuscation Techniques: Packing 7

  27. Efficient tracking of memory accesses Coarse-grained memory access tracking (at page level), through the use of hardware mechanisms Executed page Memory Written page Executed memory location Written memory location Unfortunately... ◮ Written-then-executed locations are indicative of unpacking but not indicative of the end of unpacking ◮ Coarse-grained memory accesses tracking further increases the chances to detect spurious unpacking stages (up to hundreds of thousands stages) Malware Obfuscation Techniques: Packing 7

  28. Efficient tracking of memory accesses Coarse-grained memory access tracking (at page level), through the use of hardware mechanisms Executed page Memory Written page Executed memory location Malicious code Written memory location Unfortunately... ◮ Written-then-executed locations are indicative of unpacking but not indicative of the end of unpacking ◮ Coarse-grained memory accesses tracking further increases the chances to detect spurious unpacking stages (up to hundreds of thousands stages) Malware Obfuscation Techniques: Packing 7

Recommend

) UNION SELECT `This_Talk` AS ('New Optimization and Obfuscation Optimization and Obfuscation

) UNION SELECT `This_Talk` AS ('New Optimization and Obfuscation Optimization and Obfuscation

) UNION SELECT `This_Talk` AS ('New Optimization and Obfuscation Optimization and Obfuscation Techniques)%00 Techniques)%00 Roberto Salgado Co-founder of Websec Provide information security solutions Pen-testing, training

1.11k views • 93 slides
Prevalence and Impact of Low-Entropy Packing Schemes in the Malware Ecosystem Alessandro

Prevalence and Impact of Low-Entropy Packing Schemes in the Malware Ecosystem Alessandro

Prevalence and Impact of Low-Entropy Packing Schemes in the Malware Ecosystem Alessandro Mantovani (EURECOM), Simone Aonzo (UniGe), Xabier Ugarte Pedrero (CISCO), Alessio Merlo (UniGe), Davide Balzarotti (EURECOM) 1 Packing 2 Scope / Packing

256 views • 23 slides
Prevalence and Impact of Low-Entropy Packing Schemes in the Malware Ecosystem Alessandro

Prevalence and Impact of Low-Entropy Packing Schemes in the Malware Ecosystem Alessandro

Prevalence and Impact of Low-Entropy Packing Schemes in the Malware Ecosystem Alessandro Mantovani (EURECOM), Simone Aonzo (UniGe), Xabier Ugarte Pedrero (CISCO), Alessio Merlo (UniGe), Davide Balzarotti (EURECOM) 1 Packing 2 Scope / Packing

686 views • 24 slides
Netgator: Malware Detection Using Program Interactive Challenges Brian Schulte, Haris

Netgator: Malware Detection Using Program Interactive Challenges Brian Schulte, Haris

Netgator: Malware Detection Using Program Interactive Challenges Brian Schulte, Haris Andrianakis, Kun Sun, and Angelos Stavrou Intro Increase of stealthy malware in enterprises Obfuscation, polymorphic techniques Often uses

766 views • 25 slides
Alpha Presentation Defeating Malware Payload Obfuscation The Capstone Experience Team Proofpoint

Alpha Presentation Defeating Malware Payload Obfuscation The Capstone Experience Team Proofpoint

Alpha Presentation Defeating Malware Payload Obfuscation The Capstone Experience Team Proofpoint Adam Johanknecht Nick Lojewski Vivian Qian Derek Renusch Dan Somary Department of Computer Science and Engineering Michigan State University

140 views • 9 slides
- - packing p a - packing algo- packing cking rithms algo- a l g o - theorems rithms

- - packing p a - packing algo- packing cking rithms algo- a l g o - theorems rithms

algorithmic composition dForm + IM WS2010 Inst. f. Arch. a. Media packing algorithms packing algorithms packing algorithms p a c k i n g packing algorithms packing algorithms algorithms packing packing algorithm 1 algorithms - -

39 views • 3 slides
Project Plan Defeating Malware Payload Obfuscation The Capstone Experience Team Proofpoint Nick

Project Plan Defeating Malware Payload Obfuscation The Capstone Experience Team Proofpoint Nick

Project Plan Defeating Malware Payload Obfuscation The Capstone Experience Team Proofpoint Nick Lojewski Adam Johanknecht Dan Somary Vivian Qian Derek Renusch Department of Computer Science and Engineering Michigan State University Spring

134 views • 12 slides
HOST Circuit Obfuscation I ECE 525 Hardware Obfuscation (Drawn from "Hardware Protection

HOST Circuit Obfuscation I ECE 525 Hardware Obfuscation (Drawn from "Hardware Protection

HOST Circuit Obfuscation I ECE 525 Hardware Obfuscation (Drawn from "Hardware Protection thr Obfuscation) Circuit modification techniques designed to conceal or lock the functionality and/or circuit structure The modifications are designed

157 views • 11 slides
) UNION SELECT `This_Talk` AS ('New Optimization and Obfuscation Techniques)%00 Roberto

) UNION SELECT `This_Talk` AS ('New Optimization and Obfuscation Techniques)%00 Roberto

) UNION SELECT `This_Talk` AS ('New Optimization and Obfuscation Techniques)%00 Roberto Salgado Co-founder of Websec Provide informa4on security solu4ons Pen-tes4ng, training and

1.27k views • 109 slides
Obfuscation: Positive Results and Techniques Benjamin Lynn Manoj Prabhakaran Amit Sahai

Obfuscation: Positive Results and Techniques Benjamin Lynn Manoj Prabhakaran Amit Sahai

Obfuscation: Positive Results and Techniques Benjamin Lynn Manoj Prabhakaran Amit Sahai Stanford University Princeton University Princeton University EUROCRYPT '04 Obfuscation Hide the internals of

721 views • 28 slides
PV204 Security technologies In-Memory Malware Analysis Vclav Lorenc Senior Security Analyst,

PV204 Security technologies In-Memory Malware Analysis Vclav Lorenc Senior Security Analyst,

PV204 Security technologies In-Memory Malware Analysis Vclav Lorenc Senior Security Analyst, Oracle + NetSuite Agenda Basic intro No assembly required No malware (de)obfuscation magic How does the OS look inside?

847 views • 57 slides
Obfuscation Lecture 26 Different Flavours VBB Obfuscation Note: Considers only corrupt

Obfuscation Lecture 26 Different Flavours VBB Obfuscation Note: Considers only corrupt

Obfuscation Lecture 26 Different Flavours VBB Obfuscation Note: Considers only corrupt receiver x 1 Virtual f O(f) F B f(x 1) Black-Box x 2 (VBB) f(x 2) Obfuscation : A Secure (and f Family f Family b b single

466 views • 18 slides
FIT5124 Advanced Topics in Security Lecture 9: Malware Functionality and Analysis Techniques

FIT5124 Advanced Topics in Security Lecture 9: Malware Functionality and Analysis Techniques

FIT5124 Advanced Topics in Security Lecture 9: Malware Functionality and Analysis Techniques Ron Steinfeld Clayton School of IT Monash University April 2015 Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 9: Malware

450 views • 29 slides
Lattice-Based SNARGs and Their Application to More Efficient Obfuscation Dan Boneh, Yuval Ishai,

Lattice-Based SNARGs and Their Application to More Efficient Obfuscation Dan Boneh, Yuval Ishai,

Lattice-Based SNARGs and Their Application to More Efficient Obfuscation Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu Program Obfuscation [BGIRSVY01, GGHRSW13] Indistinguishability obfuscation ( ) has emerged as a central hub

648 views • 36 slides
Limits on the Power of Indistinguishability Obfuscation and Functional Encryption Gilad Asharov

Limits on the Power of Indistinguishability Obfuscation and Functional Encryption Gilad Asharov

Limits on the Power of Indistinguishability Obfuscation and Functional Encryption Gilad Asharov Gil Segev Hebrew University This Talk A framework for proving impossibility results for commonly-used non-black-box techniques Limits on

596 views • 22 slides
Virus Infection Techniques: Boot Record Viruses Bill Harrison CS4440/7440 Malware Analysis and

Virus Infection Techniques: Boot Record Viruses Bill Harrison CS4440/7440 Malware Analysis and

Virus Infection Techniques: Boot Record Viruses Bill Harrison CS4440/7440 Malware Analysis and Defense Reading } Start reading Chapter 4 of Szor 2 Virus Infection Techniques } We will survey common locations of virus infections: MBR (Master

727 views • 49 slides
Obfuscation: know your enemy Ninon EYROLLES neyrolles@quarkslab.com Serge GUELTON

Obfuscation: know your enemy Ninon EYROLLES neyrolles@quarkslab.com Serge GUELTON

Obfuscation: know your enemy Ninon EYROLLES neyrolles@quarkslab.com Serge GUELTON sguelton@quarkslab.com Introduction Control flow obfuscation Data flow obfuscation Python obfuscation Prelude Introduction Control flow obfuscation Data

1.23k views • 76 slides
OBFUSCURO : : A Commodity Obfuscation Engine for Intel SGX Adil Ahmad *, Byunggill Joe*, Yuan

OBFUSCURO : : A Commodity Obfuscation Engine for Intel SGX Adil Ahmad *, Byunggill Joe*, Yuan

OBFUSCURO : : A Commodity Obfuscation Engine for Intel SGX Adil Ahmad *, Byunggill Joe*, Yuan Xiao Yinqian Zhang, Insik Shin, Byoungyoung Lee (* denotes equal contribution) Program Obfuscation Program Obfuscation Trusted Untrusted (except

1.34k views • 116 slides
Outline Malware and the network, contd Denial of service and the network CSci 5271

Outline Malware and the network, contd Denial of service and the network CSci 5271

Outline Malware and the network, contd Denial of service and the network CSci 5271 Introduction to Computer Security Announcements intermission Malware and anonymity combined lecture Anonymous communications techniques Stephen McCamant

665 views • 10 slides
Obfuscation from LWE? proofs, attacks, candidates Hoeteck Wee CNRS & ENS . . . . . .

Obfuscation from LWE? proofs, attacks, candidates Hoeteck Wee CNRS & ENS . . . . . .

Obfuscation from LWE? proofs, attacks, candidates Hoeteck Wee CNRS & ENS . . . . . . . . C x C x C x C C c obfuscation [ BGIRSVY01, H00, GR07, GGHRSW13 ] . . . . . . . . C x C x C x C C c obfuscation [

1.03k views • 92 slides
Authorship Obfuscation Using Heuristic Search Masters Thesis Defence by Janek Bevendorff on 20

Authorship Obfuscation Using Heuristic Search Masters Thesis Defence by Janek Bevendorff on 20

Authorship Obfuscation Using Heuristic Search Masters Thesis Defence by Janek Bevendorff on 20 June 2018 Supervisors: Prof. Dr. Benno Stein, PD Dr. Andreas Jakoby Unmasking for short texts Obfuscation against unmasking Obfuscation

1.38k views • 95 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

570 views • 22 slides
Engineering Code Obfuscation ISSISP 2017 - Obfuscation I Christian Collberg Department of

Engineering Code Obfuscation ISSISP 2017 - Obfuscation I Christian Collberg Department of

Engineering Code Obfuscation ISSISP 2017 - Obfuscation I Christian Collberg Department of Computer Science University of Arizona http://collberg.cs.arizona.edu collberg@gmail.com Supported by NSF grants 1525820 and 1318955 and by the

924 views • 69 slides

More recommend