malware packers for dummies
play

Malware Packers For Dummies Joan Calvet j04n.calvet@gmail.com - PowerPoint PPT Presentation

Jun 29, 2023 •5 likes •435 views

Tripoux: Reverse-Engineering Of Malware Packers For Dummies Joan Calvet j04n.calvet@gmail.com Deepsec 2010 The Context (1) A lot of malware families use home-made packers to protect their binaries, following a standard model: EP OEP

  1. Tripoux: Reverse-Engineering Of Malware Packers For Dummies Joan Calvet – j04n.calvet@gmail.com Deepsec 2010

  2. The Context (1) • A lot of malware families use home-made packers to protect their binaries, following a standard model: EP OEP Original Unpacking code binary • The unpacking code is automatically modified for each new distributed binary. Tripoux: Reverse-engineering of malware packers for dummies - DeepSec 2010 2

  3. The Context (2) • Usually people are only interested into the original binary : 1. It’s where the “real” malware behaviour is. 2. It’s hard to understand packers. Tripoux: Reverse-engineering of malware packers for dummies - DeepSec 2010 3

  4. The Context (3) • But developing an understanding of the unpacking code helps to: – Get an easy access to the original binary (sometimes “generic unpacking algorithm” fails..!) – Build signatures (malware writers are lazy and there are often common algorithms into the different packer’s instances) – Find interesting pieces of code: checks against the environment, obfuscation techniques,... Tripoux: Reverse-engineering of malware packers for dummies - DeepSec 2010 4

  5. The Question Why the human analysis of such packers is difficult, especially for beginners ? Tripoux: Reverse-engineering of malware packers for dummies - DeepSec 2010 5

  6. When trying to understand a packer, we can not just sit and observe the API calls made by the binary: • This is only a small part of the packer code • There can be useless API calls (to trick emulators,sandboxes...) We have to dig into the assembly code, that brings the first problem... Tripoux: Reverse-engineering of malware packers for dummies - DeepSec 2010 6

  7. Problem 1: x86 Semantic • The x86 assembly language is pretty hard to learn and manipulate. • Mainly because of inexplicit side-effects and different operation semantics depending on the machine state (operands, flags): MOVSB Read ESI, Read EDI, Read [ESI], Write [EDI] If the DF flag is 0 , the ESI and EDI register are incremented If the DF flag is 1 , the ESI and EDI register are decremented Tripoux: Reverse-engineering of malware packers for dummies - DeepSec 2010 7

  8. Problem 1: x86 Semantic • When playing with standard code coming from a compiler, you only have to be familiar with a small subset of the x86 instruction set. • But we are in a different world... Tripoux: Reverse-engineering of malware packers for dummies - DeepSec 2010 8

  9. Problem 1: x86 Semantic Example : Win32.Waledac’s packer Tripoux: Reverse-engineering of malware packers for dummies - DeepSec 2010 9

  10. Problem 2: Amount Of Information • Common packed binaries have several million instructions executed into the protection layers. • Unlike standard code, we can not say that each of these line has a purpose. • It’s often very hard to choose the right abstraction level when looking at the packed binary: “Should I really understand all these lines of code ?” Tripoux: Reverse-engineering of malware packers for dummies - DeepSec 2010 10

  11. Problem 2: Amount Of Information Example : Win32.Swizzor’s packer Tripoux: Reverse-engineering of malware packers for dummies - DeepSec 2010 11

  12. Problem 3: Absence Of (easily seen) High-Level Abstractions • We like to “divide and conquer” complicated problems. • In a standard binary: ... This is a function! We can thus consider the code inside it as a “block” that shares a common purpose Tripoux: Reverse-engineering of malware packers for dummies - DeepSec 2010 12

  13. Problem 3: Absence Of (easily seen) High-Level Abstractions • But in our world, we can have: Win32.Swizzor’s packer Tripoux: Reverse-engineering of malware packers for dummies - DeepSec 2010 13

  14. Problem 3: Absence Of (easily seen) High-Level Abstractions • No easy way left to detect functions and thus divide our analysis in sub-parts. • Also true for data: no more high-level structures , only a big array called memory. Tripoux: Reverse-engineering of malware packers for dummies - DeepSec 2010 14

  15. The Good News • Most of the time there is only one “interesting” path inside the protection layers (the one that actually unpacks the original binary). • It’s pretty easy to detect that we have taken the “good” path : suspicious behaviour (network packets, registry modifications...) that indicate a successful unpacking. Tripoux: Reverse-engineering of malware packers for dummies - DeepSec 2010 15

  16. Proposed Solution • Let’s use this fact and adopt a pure dynamic analysis approach : – Trace the packed binary and collect the x86 side- effects (address problem 1) – Define an intermediate representation with some high level abstractions (address problem 3) – Build some visualization tools to easily navigate through the collected information (address problem 2) Tripoux: Reverse-engineering of malware packers for dummies - DeepSec 2010 16

  17. Project Architecture Static instructions High level Timeline view Dynamic instructions TRACER CORE ENGINE Execution details IDA Pro Program environment Tripoux: Reverse-engineering of malware packers for dummies - DeepSec 2010 17

  18. How to collect a maximum of information about the malware execution ? STEP 1: THE TRACER 18

  19. Tracing Engine (1) • Pin : dynamic binary instrumentation framework: – Insert arbitrary code (C++) in the executable (JIT compiler) – Rich library to manipulate assembly instructions, basic blocks, library functions … – Deals with self-modifying code • Check it at http://www.pintool.org/ • But what information do we want to gather at run- time ? Tripoux: Reverse-engineering of malware packers for dummies - DeepSec 2010 19

  20. Tracing Engine (2) 1. Detailed description of the executed x86 instructions – Binary code, address, size – Instruction “type”: • (Un)Conditional branch • (In)Direct branch • Stack related Make post-analysis easier • Throws an exception • API call • ... – Data-flow information : • Memory access (@ + size) • Register access Make side-effects explicit (Problem 1!) – Flags access: read and possibly modified 20

  21. Tracing Engine (3) 2. Interactions with the operating system: – The “official” way: API function calls • We only trace the malware code thanks to API calls detection (dynamically and statically linked libraries). • We dump the IN and OUT arguments of each API call , plus the return value, thanks to the knowledge of the API functions prototypes. – The “unofficial” way: direct access to user land Windows structures like the PEB and the TEB : • We gather their base address at runtime (randomization!) 21

  22. Tracing Engine (4) 3. Output: 1: Dynamic instructions file Time Address Hash Effects RR_ebx_eax 1 0x40100a 0x397cb40 WR_ebx RM_419c51_1 2 0x40100b 0x455e010 RR_ebx ... 2: Static instructions file Binary Hash Length Type W Flags R Flags code 0x397cb40 1 0 0 8D4 43 0x455e010 1 60 0 0 5E ... Tripoux: Reverse-engineering of malware packers for dummies - DeepSec 2010 22

  23. Tracing Engine (5) 3. Output: 3: Program environment Type Module name Address DOSH ADVAPI32.DLL 77da0000 PE32H ADVAPI32.DLL 77da00f0 PE32H msvcrt.dll 77be00e8 DOSH DNSAPI.dll 76ed0000 PEB 0 7ffdc000 TEB 0 7ffdf000 ... Tripoux: Reverse-engineering of malware packers for dummies - DeepSec 2010 23

  24. STEP 2: THE CORE ENGINE 24

  25. The Core Engine (1) • Translate the tracer output into something usable. • Set up some high-level abstractions onto the trace (Problem 3): – Waves – Loops 25

  26. The Core Engine (2) 1. Waves: • Represent a subset of the trace where there is no self-modification code : Two instructions i and j are in the same wave if i doesn’t modify j and j doesn’t modify i . • Easy to detect in the trace: – Store the written memory by each instruction. – If we execute a written instruction: end of the current wave and start of a new wave. 26

  27. The Core Engine (3) 2. Loops: • Instructions inside a loop have a common goal : memory decryption, research of some specific information, anti-emulation... • Thus they are good candidate for abstraction! • But how to detect loops ? 27

  28. The Core Engine (4) 2. Loops: TRACE POINT OF VIEW (SIMPLIFIED) STATIC POINT OF VIEW EXECUTED TIME INSTRUCTION1 1 INSTRUCTION2 2 INSTRUCTION3 3 INSTRUCTION1 4 INSTRUCTION2 5 … … When tracing a binary, can we just define a loop as the repetition of an instruction ? 28

  29. The Core Engine (5) 2. Loops: TRACE POINT OF VIEW (SIMPLIFIED) STATIC POINT OF VIEW EXECUTED TIME INSTRUCTION1 1 INSTRUCTION5 2 INSTRUCTION6 3 INSTRUCTION2 4 … … INSTRUCTION3 5 INSTRUCTION5 6 INSTRUCTION6 7 This is not a loop ! So what’s a loop ? 29

  30. The Core Engine (6) 2. Loops: (SIMPLIFIED) STATIC POINT OF VIEW TRACE POINT OF VIEW EXECUTED TIME INSTRUCTION1 1 INSTRUCTION2 2 INSTRUCTION3 3 INSTRUCTION1 4 INSTRUCTION2 5 INSTRUCTION3 6 INSTRUCTION1 7 … … What actually define the loop, is the back edge between instructions 3 and 1. 30

Recommend

Malware Obfuscation Techniques: Packing November 18, 2014 Malware and packing Not packed (20%)

Malware Obfuscation Techniques: Packing November 18, 2014 Malware and packing Not packed (20%)

Malware Obfuscation Techniques: Packing November 18, 2014 Malware and packing Not packed (20%) 80% of new malware are packed with various packers Malware Obfuscation Techniques: Packing 2 Malware and packing Not packed (20%) 80%

985 views • 51 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

570 views • 22 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
Do dummies pay off? Limits of dummy traffic protection in anonymous communication systems Simon

Do dummies pay off? Limits of dummy traffic protection in anonymous communication systems Simon

Do dummies pay off? Limits of dummy traffic protection in anonymous communication systems Simon Oya , Carmela Troncoso and Fernando Prez-Gonzlez Introduction Anonymous channels hide correspondences (input/output). Dummies are a common

402 views • 18 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
Qualitative and Quantitative Evaluation of Software Packers Mar a Baz guez , Jos us,

Qualitative and Quantitative Evaluation of Software Packers Mar a Baz guez , Jos us,

Qualitative and Quantitative Evaluation of Software Packers Mar a Baz guez , Jos us, Ricardo J. Rodr e Merseguer All wrongs reversed rjrodriguez@unizar.es @RicardoJRdez www.ricardojrodriguez.es Department of Computer

505 views • 47 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Overview Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer immunization Kjell Jrgen Hole Simula@UiB 4. Epidemiological model 5. Malware halting analysis 6. Malware halting method Last updated

672 views • 29 slides
How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement Yoshihiro Oyama University of Tsukuba 1 Background Many malware programs execute operations for analysis evasion Detection of

346 views • 31 slides
aka Der Hacker und die 7 Geilein 27/03/2018 // Exploit Development for Dummies

aka Der Hacker und die 7 Geilein 27/03/2018 // Exploit Development for Dummies

Ein Blick in die Hexenkche der Exploit Entwickler aka Der Hacker und die 7 Geilein 27/03/2018 // Exploit Development for Dummies https://www.bee-itsecurity.at // Page 2 27/03/2018 // Exploit Development for Dummies

613 views • 48 slides
Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware malware that evades analysis 2 logistics: LEX homework detect push ret pattern using fmex probably easier than TRICKY 3 upcoming exam next Wednesday

496 views • 48 slides
Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware

DeepSec IDSC Android Malware Adventures Mert Can Cokuner Krat Ouzhan Aknc Android Malware Adventures Agenda INTRODUCTION ANDROID MALWARE COMMAND & CONTROL QUESTIONS & ANSWERS 2 1 2 3 4 Android Malware

1.01k views • 64 slides
Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of

Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of

Malware Defense I TDDD17 Information Security, Second Course Ulf Kargn Department of Computer and Information Science Linkping University Malware Defense Agenda 2 Two lectures Lecture I : Malware basics, malware on the PC,

621 views • 40 slides
FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for

FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for

FIGHTING MALWARE WITH MACHINE LEARNING Edward Raff Jared Sylvester Mark McLean Need ML for Malware Amount of malware is growing exponentially Anti-virus and signature based approaches are reactionary, dont work for novel malware

127 views • 11 slides
CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits Malware: Different Types 2 Spyware is

CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits Malware: Different Types 2 Spyware is

CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits Malware: Different Types 2 Spyware is software that aids in gathering A virus is a computer program that is information about a person or organization capable of making copies of itself

716 views • 56 slides
CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane

CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane

CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane kaneca@mail.uc.edu January 24, 2017 Why Classification is Important Malware classification helps us in multiple ways. Here are a couple key ways:

787 views • 16 slides
On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware

On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware

On Static Malware Detection Tayssir Touili LIPN, CNRS & Univ. Paris 13 Motivation: Malware Detection The number of new malware exceeds 75 million by the end of 2011, and is still increasing. The number of malware that produced

1.34k views • 91 slides
Introduction to Security Malware Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Learning

Introduction to Security Malware Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Learning

Introduction to Security Malware Ming Chow (mchow@cs.tufts.edu) Twitter: @0xmchow Learning Objectives By the end of this week, you will be able to: Describe types of malware See certain malware behaviors Scan and analyze malware

883 views • 25 slides
National Honey Packers and Dealers Association N i l H P k d D l A i i Galveston Texas

National Honey Packers and Dealers Association N i l H P k d D l A i i Galveston Texas

True Source Certified TM National Honey Packers and Dealers Association N i l H P k d D l A i i Galveston Texas January 6, 2011 Elise Gagnon President, Odem International/Vice Chair, True Source Honey Lauren Brink Food Services

342 views • 13 slides
Lecture 12 Malware Defenses Stephen Checkoway University of Illinois at Chicago CS 487

Lecture 12 Malware Defenses Stephen Checkoway University of Illinois at Chicago CS 487

Lecture 12 Malware Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Baileys ECE 422 Malware review How does the malware start running? Logic bomb? Trojan horse? Virus?

470 views • 27 slides
Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal and Wenke Lee College of Computing Georgia Institute of Technology Agenda l Background l Defeating Automated Malware Analysis Host

1.28k views • 28 slides

More recommend