prevalence and impact of low entropy packing schemes in
play

Prevalence and Impact of Low-Entropy Packing Schemes in the Malware - PowerPoint PPT Presentation

Jan 29, 2024 •434 likes •686 views

Prevalence and Impact of Low-Entropy Packing Schemes in the Malware Ecosystem Alessandro Mantovani (EURECOM), Simone Aonzo (UniGe), Xabier Ugarte Pedrero (CISCO), Alessio Merlo (UniGe), Davide Balzarotti (EURECOM) 1 Packing 2 Scope / Packing

  1. Prevalence and Impact of Low-Entropy Packing Schemes in the Malware Ecosystem Alessandro Mantovani (EURECOM), Simone Aonzo (UniGe), Xabier Ugarte Pedrero (CISCO), Alessio Merlo (UniGe), Davide Balzarotti (EURECOM) 1

  2. Packing 2

  3. Scope / Packing Definition (Our definition of) packing implies ● Original code present, but NOT in an executable form (i.e., it is encrypted/compressed/encoded) ● Real code recovered at run-time We exclude from our study ● JIT compilers ● Droppers ● Emulators (Themida) ● Shellcode 3

  4. Packed or not packed: that is the question ● Fundamental in malware analysis ● Wrong classification ⇒ ○ costly and time-consuming dynamic analysis trying to unpack the sample ○ pollute the datasets used in many malware analysis studies ○ even worse, EVASION ● Our (false) friend: the entropy ○ compressed/encrypted data has high entropy levels Is it still a reliable metric? 4

  5. Our Agenda 1. The propagation of low-entropy packed samples 2. The adopted schemes 3. Current tools/approaches vs. low-entropy packed malware 5

  6. Dataset Do malware authors use low-entropy schemes to evade entropy checks? ● 50.000 Portable Executable files (excluding libraries and .Net applications) ● 2013 - 2019 ● Classified as malicious by more than 20 antivirus engines ● Entropy H < 7.0 ) 1 5 0 ( 2 e . m a s - t i g u n i n r B r o f , y o s x i t n t e S a m p l o t t i , c r o e a t h ○ entire file [1] a l z o f B y o , d r t u r e s e d n a l P d i e - u r t g i t g a n U l o A n : o c t i p e s i n e r k a c p p e e D ○ each section [2] e u l o d m n o t h P y ○ overlay data - - l e e f i p s b l e a u t e c x e P E o r r f z e l y n a a c a t i s t - e - y z a l n M a [1] Lyda and Hamrock. Using entropy analysis to find encrypted and packed malware (2007). 6 [2] Han and Lee. Packed PE file detection for malware forensics (2009).

  7. Packer Detector Two main purposes ● Build a ground truth ● Measure the low-entropy packed malware propagation in wild 7

  8. Packer Detector (1/5) PC ... Lists status 0x00001232 WL = [ ] xor eax, eax WXL = [ ] mov WORD PTR [0x2000], 0x9090 0x00001234 ... 0x00000000 0x00002000 0x00000000 0x00002004 ... 8

  9. Packer Detector (2/5) ... Lists status PC 0x00001232 WL = [ ] xor eax, eax WXL = [ ] mov WORD PTR [0x2000], 0x9090 0x00001234 ... 0x00000000 0x00002000 0x00000000 0x00002004 ... 9

  10. Packer Detector (3/5) ... Lists status 0x00001232 WL = [ xor eax, eax (0x1234,0x2000); (0x1234, 0x2001) mov WORD PTR [0x2000], 0x9090 PC 0x00001234 ] ... WXL = [ ] 0x00000000 0x00002000 0x00000000 0x00002004 ... Memory Write 10

  11. Packer Detector (4/5) ... Lists status 0x00001232 WL = [ xor eax, eax (0x1234,0x2000); (0x1234, 0x2001) mov WORD PTR [0x2000], 0x9090 0x00001234 ] ... WXL = [ ] PC 0x00009090 0x00002000 0x00000000 0x00002004 Not interesting instructions ... 11

  12. Packer Detector (5/5) ... Lists status 0x00001232 WL = [ xor eax, eax (0x1234,0x2000); (0x1234, 0x2001) mov WORD PTR [0x2000], 0x9090 0x00001234 ] ... WXL = [ (0x1234, 0x2000) ] 0x00009090 PC 0x00002000 0x00000000 0x00002004 ... 12

  13. Packer Detector - False Negatives ● False Negatives -- packed samples detected as not packed ○ unexpected crash ○ virtual environment detection ○ missing dependencies ○ incorrect command line arguments We discarded the samples that did not exhibit a sufficient runtime behavior ● ○ did not invoke at least 10 disk or network-related syscalls ○ samples whose executed instructions did not span at least five memory pages ● 50.000 - 3.705 = 46.295 13

  14. Hidden high-entropy data While packed with a high-entropy scheme, these samples are undetected by our set of filters PE header ● Packed data, but the data was Encrypted data ○ not stored in any of the section .text ○ nor in the overlay area Encrypted data ● 11.6% (5.386/46.295) .data ○ dominated by two families: hematite and hworld ● E.g., hematite ○ file infector ○ area created between the PE header and the first section 14

  15. Packer Detector - Results 31.5% (14.583/46.295) ⇒ entropy alone is a very poor metric to select packed samples Packed Not packed Hidden high- entropy data 15

  16. Schemes Taxonomy w.r.t. Entropy 1. Decreasing ○ Byte Padding ○ Encoding 2. Unchanged ○ Transposition ○ Monoalphabetic Substitution 3. Slightly Increasing ○ Polyalphabetic Substitution 16

  17. Scheme Classifier Relies on the output of Packer Detector ⇒ Written and eXecuted List [ WXL ] ● Every packing scheme needs to follow the same steps while unpacking ○ locate and access the source buffer that contains the packed data ○ perform operations on such data ○ write the unpacked data in the destination buffer ● We use PANDA to perform deterministic record and replay of a sample ○ ⟨ PCx , AWy ⟩ ∈ [ WXL ] ○ backward data-flow analysis to locate the source buffer ● Decision making based on the byte distribution of source and destination buffers 17

  18. Scheme Classifier - Results 18

  19. Case Study: Custom Encoding ( Emotet ) Two layers of packing ● The second layer uses a custom high-entropy encryption with an 8-bytes long key ● The first layer reduces the entropy from 7.63 to 6.57 ● Custom encoding + byte padding 19

  20. Signature and Rule-Based Packing Detection ● Detect It Easy (DIE) ○ signatures based on a scripting language ● PEiD ○ signatures only contain low-level byte patterns ● Manalyze ○ signatures ○ PE structure heuristics ■ unusual section names ■ sections WX ■ low number of imported functions ■ resources bigger than the file itself ■ sections with H > 7.0 20

  21. Signature and Rule-Based Packing Detection - Results ● DIE detects no well-known packer in our entire dataset ● PEiD and Manalyze generated a large number of false positives ○ detected the presence of packing more often in unpacked samples than in the packed group ● Manalyze alerts are based on sections names used by some off-the-shelf packers ○ why the malware authors used those names? ○ they could be fake clues used on purpose to deceive automated tools 21

  22. ML Packing Detection ● 15 approaches deal with this problem (SOTA) ● Several features categories ○ PE structure, heuristics, opcodes, n-grams, statistics, entropy ● Features vector ( W ): union of all features from previous studies ̃ ) ! ○ A separate features vector excluding the entropy ( W ● The most popular classifiers: SVM, RF, MLP ● Dataset: low entropy packed + not packed (~40K) 22

  23. ML Packing Detection - Results Considering H Not Considering H NO classifier was able to identify accurately low-entropy packed malware! 23

  24. Conclusions ● Low-entropy packing schemes are a real and widespread problem ● Existing static analysis techniques are unsuccessful against them Entropy ❌ ○ Signature and Rule-Based ❌ ○ Machine Learning ❌ ○ ● There is need for new solutions ● Low-entropy packing schemes must be considered in future experiments -- Thank you for your attention -- 24

Recommend

Prevalence and Impact of Low-Entropy Packing Schemes in the Malware Ecosystem Alessandro

Prevalence and Impact of Low-Entropy Packing Schemes in the Malware Ecosystem Alessandro

Prevalence and Impact of Low-Entropy Packing Schemes in the Malware Ecosystem Alessandro Mantovani (EURECOM), Simone Aonzo (UniGe), Xabier Ugarte Pedrero (CISCO), Alessio Merlo (UniGe), Davide Balzarotti (EURECOM) 1 Packing 2 Scope / Packing

256 views • 23 slides
- - packing p a - packing algo- packing cking rithms algo- a l g o - theorems rithms

- - packing p a - packing algo- packing cking rithms algo- a l g o - theorems rithms

algorithmic composition dForm + IM WS2010 Inst. f. Arch. a. Media packing algorithms packing algorithms packing algorithms p a c k i n g packing algorithms packing algorithms algorithms packing packing algorithm 1 algorithms - -

39 views • 3 slides
Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of

Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of

Entropy, Relative Entropy, Cross Entropy Entropy Entropy, H(x) is a measure of the uncertainty of a discrete random variable. Properties: H(x) &gt;= 0 Entropy Entropy Lesser the probability for an event, larger the entropy.

471 views • 21 slides
ROP Gadget Prevalence and Survival under Compiler-based Binary Diversification Schemes Joel

ROP Gadget Prevalence and Survival under Compiler-based Binary Diversification Schemes Joel

Background Evaluation Conclusion ROP Gadget Prevalence and Survival under Compiler-based Binary Diversification Schemes Joel Coffman Daniel M. Kelly Christopher C. Wellons Andrew S. Gearhart Johns Hopkins University Applied Physics

1.28k views • 45 slides
Entropy stable schemes for hyperbolic conservation laws Praveen Chandrashekar

Entropy stable schemes for hyperbolic conservation laws Praveen Chandrashekar

Entropy stable schemes for hyperbolic conservation laws Praveen Chandrashekar praveen@math.tifrbng.res.in Center for Applicable Mathematics Tata Institute of Fundamental Research Bangalore-560065, India http://cpraveen.github.io GIAN Course

1.25k views • 111 slides
KE and entropy stable schemes for compressible flows Praveen. C praveen@math.tifrbng.res.in

KE and entropy stable schemes for compressible flows Praveen. C praveen@math.tifrbng.res.in

KE and entropy stable schemes for compressible flows Praveen. C praveen@math.tifrbng.res.in Tata Institute of Fundamental Research Center for Applicable Mathematics Bangalore 560065 http://math.tifrbng.res.in/ praveen Indo-German Conference

520 views • 39 slides
Entropy and The Second Law of Thermodynamics Entropy (S)

Entropy and The Second Law of Thermodynamics Entropy (S)

Entropy and The Second Law of Thermodynamics Entropy (S) Entropy is o8en related to disorder but not strictly correct Entropy is a measure

351 views • 8 slides
Formal Modeling in Cognitive Science Lecture 25: Entropy, Joint Entropy, Conditional Entropy 1

Formal Modeling in Cognitive Science Lecture 25: Entropy, Joint Entropy, Conditional Entropy 1

Entropy Entropy Formal Modeling in Cognitive Science Lecture 25: Entropy, Joint Entropy, Conditional Entropy 1 Entropy Entropy and Information Joint Entropy Frank Keller Conditional Entropy School of Informatics University of Edinburgh

81 views • 4 slides
Entropy stable schemes for compressible flows on unstructured meshes Deep Ray Tata Institute of

Entropy stable schemes for compressible flows on unstructured meshes Deep Ray Tata Institute of

Entropy stable schemes for compressible flows on unstructured meshes Deep Ray Tata Institute of Fundamental Research Center for Applicable Mathematics Bangalore deep@math.tifrbng.res.in http://math.tifrbng.res.in/deep SCPDE-2014, Hong Kong

690 views • 52 slides
Screening, Prevalence, and the Impact on Kindergarten Readiness Elizabeth Anthony, PhD, Stephen

Screening, Prevalence, and the Impact on Kindergarten Readiness Elizabeth Anthony, PhD, Stephen

Early Childhood Lead Exposure in Cuyahoga County: Screening, Prevalence, and the Impact on Kindergarten Readiness Elizabeth Anthony, PhD, Stephen Steh, MA, Meghan Salas Atwell, PhD, and Rob Fischer, PhD Center on Urban Poverty and Community

379 views • 22 slides
Entropy Coding Definition of Entropy Three Entropy coding techniques: (taken from the

Entropy Coding Definition of Entropy Three Entropy coding techniques: (taken from the

Outline Entropy Coding Definition of Entropy Three Entropy coding techniques: (taken from the Technion) Huffman coding Arithmetic coding Lempel-Ziv coding 2 Entropy Definitions Alphabet : A finite set containing at least

402 views • 10 slides
Disclosures I have nothing to disclose New ALS diagnostics and Treatment Prevalence and Impact

Disclosures I have nothing to disclose New ALS diagnostics and Treatment Prevalence and Impact

2/13/2020 Disclosures I have nothing to disclose New ALS diagnostics and Treatment Prevalence and Impact on Patients and Caregivers Catherine Lomen-Hoerth, MD, PhD Professor of Clinical Neurology, UCSF Recent Advances in Neurology 2020 1 2

256 views • 8 slides
Packing patterns in restricted permutations Lara Pudwell faculty.valpo.edu/lpudwell Rutgers

Packing patterns in restricted permutations Lara Pudwell faculty.valpo.edu/lpudwell Rutgers

Introduction Packing with Classical Restrictions Packing in Alternating Permutations Wrapping up Packing patterns in restricted permutations Lara Pudwell faculty.valpo.edu/lpudwell Rutgers Experimental Math Seminar March 5, 2020 Packing

986 views • 79 slides
Atlas Refinement with Bounded Packing Efficiency Presented by Jerry Yin Packing efficiency

Atlas Refinement with Bounded Packing Efficiency Presented by Jerry Yin Packing efficiency

ACM Transactions on Graphics 2019 Hao-Yu Liu, Xiao-Ming Fu, Chunyang Ye, Shuangming Chai, Ligang Liu Atlas Refinement with Bounded Packing Efficiency Presented by Jerry Yin Packing efficiency Store high-frequency information in

388 views • 14 slides
Impact of Minihalos on Cosmic Reionization and Numerical Schemes behind It Kyungjin Ahn Chosun

Impact of Minihalos on Cosmic Reionization and Numerical Schemes behind It Kyungjin Ahn Chosun

Impact of Minihalos on Cosmic Reionization and Numerical Schemes behind It Kyungjin Ahn Chosun University Cosmic Radiative Transfer Comparison Project IV, Austin Dec 2012 w/ Paul Shapiro, Ilian Iliev, Garrelt Mellema, Ue-Li Pen, Yi Mao, Jun

442 views • 25 slides
Road detection via entropy By Anna Zaidman 1 1 What is entropy? Entropy is a mathematically

Road detection via entropy By Anna Zaidman 1 1 What is entropy? Entropy is a mathematically

Road detection via entropy By Anna Zaidman 1 1 What is entropy? Entropy is a mathematically - defined thermodynamic quantity that helps to account for the flow of energy through a thermodynamic process. 2 What is

467 views • 13 slides
Sphere packing, lattice packing, and related problems Abhinav Kumar Stony Brook April 25, 2018

Sphere packing, lattice packing, and related problems Abhinav Kumar Stony Brook April 25, 2018

Sphere packing, lattice packing, and related problems Abhinav Kumar Stony Brook April 25, 2018 Sphere packings Definition A sphere packing in R n is a collection of spheres/balls of equal size which do not overlap (except for touching). The

1.6k views • 134 slides
Algorithms Theory 13 Bin Packing Prof. Dr. S. Albers Winter term 07/08 Bin packing 1.

Algorithms Theory 13 Bin Packing Prof. Dr. S. Albers Winter term 07/08 Bin packing 1.

Algorithms Theory 13 Bin Packing Prof. Dr. S. Albers Winter term 07/08 Bin packing 1. Problem definition and general observations 2. Approximation algorithms for the online bin packing problem 3. Approximation algorithms for the offline

420 views • 25 slides
Reduce Tax Impact on Employee Compensation Through Retirement Benefit Schemes Presentation to

Reduce Tax Impact on Employee Compensation Through Retirement Benefit Schemes Presentation to

Reduce Tax Impact on Employee Compensation Through Retirement Benefit Schemes Presentation to Pakistan Society of Human Resource Management Omer Morshed 5 July 2013 Composition of Employee Compensation Amounts Paid in Cash (including

582 views • 20 slides
30/10/2017 History Prevalence/Impact Stigma 1 30/10/2017 Yearly Number of Opioid

30/10/2017 History Prevalence/Impact Stigma 1 30/10/2017 Yearly Number of Opioid

30/10/2017 History Prevalence/Impact Stigma 1 30/10/2017 Yearly Number of Opioid Toxicity Deaths in Ontario by Drug , 2002 - 2014 550 500 450 400 Number of Deaths 350 Codeine Fentanyl 300 Heroin 250 Hydromorpho ne

440 views • 15 slides
WHY IMPORTANT Treatment approach PREVALENCE alone will &amp; not reduce IMPACT burden

WHY IMPORTANT Treatment approach PREVALENCE alone will &amp; not reduce IMPACT burden

WHY IMPORTANT Treatment approach PREVALENCE alone will &amp; not reduce IMPACT burden Benefits of MENTAL good mental HEALTH AN health and IMPORTANT wellbeing and reduced mental END IN ITSELF illness It is possible EVIDENCE FOR

364 views • 33 slides
The Kepler Conjecture Adrian Rauchhaus 21. Juni 2018 The Theorem There is no packing of equally

The Kepler Conjecture Adrian Rauchhaus 21. Juni 2018 The Theorem There is no packing of equally

The Kepler Conjecture Adrian Rauchhaus 21. Juni 2018 The Theorem There is no packing of equally sized spheres in the Euclidean three-space with a higher average density than that of the cubic close packing and the hexagonal close packing

1.06k views • 90 slides
Extremal Hypergraphs for Packing and Covering Penny Haxell University of Waterloo Joint work

Extremal Hypergraphs for Packing and Covering Penny Haxell University of Waterloo Joint work

Extremal Hypergraphs for Packing and Covering Penny Haxell University of Waterloo Joint work with L. Narins and T. Szab o 1 Packing Let H be a hypergraph. A packing or matching of H is a set of pairwise disjoint edges of H . The parameter

519 views • 22 slides
E N T R O P Y S T R U C T U R E Entropy versus resolution Tomasz Downarowicz MOTIVATION

E N T R O P Y S T R U C T U R E Entropy versus resolution Tomasz Downarowicz MOTIVATION

E N T R O P Y S T R U C T U R E Entropy versus resolution Tomasz Downarowicz MOTIVATION Entropy measures exponential complexity in a topological dynamical system: topological entropy very crude, entropy function on invariant

556 views • 23 slides

More recommend