usa 2012
play

USA 2012 Scientific but Not Academical Overview of Malware - PowerPoint PPT Presentation

Feb 14, 2023 •246 likes •757 views

USA 2012 Scientific but Not Academical Overview of Malware Anti-Debugging, Anti-Disassembly and Anti-VM Technologies Rodrigo Rubira Branco (@BSDaemon) Rodrigo Rubira Branco (@BSDaemon) Gabriel Negreira Barbosa (@gabrielnb) Gabriel Negr eira

  1. USA 2012 Scientific but Not Academical Overview of Malware Anti-Debugging, Anti-Disassembly and Anti-VM Technologies Rodrigo Rubira Branco (@BSDaemon) Rodrigo Rubira Branco (@BSDaemon) Gabriel Negreira Barbosa (@gabrielnb) Gabriel Negr eira Barbosa (@gabrielnb) Pedr Pedro Drimel Neto (@pdrimel) o Drimel Neto (@pdrimel)

  2. Were we live… 2 � BLACK HAT USA 2012

  3. Nah, we live actually here… BLACK HAT USA 2012

  4. São Paulo BLACK HAT USA 2012

  5. Agenda l Introduction / Motivation l Objectives l Methodology l Dissect || PE Project l Executive Summary l Techniques l Resources l Conclusions 5 � BLACK HAT USA 2012

  6. Introduc)on ¡/ ¡Mo)va)on ¡ l Hundreds of thousands of new samples every week l Still, automation is about single tasks or single analysis l Presentations still pointing tens of thousands in tests (what about the millions of samples?) l Companies promote research which uses words such as ‘many’ instead of X number BLACK HAT USA 2012

  7. Before ¡con)nue, ¡some ¡defini)ons ¡... ¡ l Anti-Debugging Techniques to compromise debuggers and/or the debugging process l l Anti-Disassembly Techniques to compromise disassemblers and/or the disassembling process l l Obfuscation Techniques to make the signatures creation more difficult and the disassembled l code harder to be analyzed by a professional l Anti-VM: Techniques to detect and/or compromise virtual machines l BLACK HAT USA 2012

  8. Objec)ves ¡ l Analyze millions of malware samples l Share the current results related to: Anti-Debugging l Anti-Disassembly l Obfuscation l Anti-VM l l Keep sharing more and better results in our portal (www.dissect.pe): New malware samples are always being analyzed l Detection algorithms are constantly being improved l The system does not analyze only anti-RE things l BLACK HAT USA 2012

  9. Dissect ¡|| ¡PE ¡Project ¡ l Scalable and flexible automated malware analysis system l Receives malware from trusted partners l Portal available for partners, researchers and general media with analysis data BLACK HAT USA 2012

  10. Dissect ¡|| ¡PE ¡– ¡Overview ¡ l Free research malware analysis system for the community Open architecture l Works with plugins l l 10 dedicated machines distributed in 3 sites: 2 sites in Brazil (São Paulo and Bauru cities) l 1 site in Germany l l Some numbers: Receives more than 150 GB of malwares per day l More than 30 million unique samples l BLACK HAT USA 2012

  11. Dissect ¡|| ¡PE ¡– ¡Partners ¡ BLACK HAT USA 2012

  12. Dissect ¡|| ¡PE ¡– ¡Backend ¡ l Each backend downloads samples scheduled for analysis (our scheduler algorithms are documented in a IEEE Malware2011 paper) l Analyze samples Both static and dynamic analysis currently supported l l Analysis results accessible from the portal Sync'ed back from the backend l l Some characteristics: Plugins l Network traffic l Unpacked version of the malware l BLACK HAT USA 2012

  13. Dissect ¡|| ¡PE ¡– ¡Plugins ¡ l Samples are analyzed by independent applications named “plugins” l Easy to add and/or remove plugins Just a matter of copy and remove their files l l Language independent l Easy to write new plugins: Needed information come as arguments l - We usually create handlers so the researcher does not need to change his actual code Simply print the result to stdout l - The backend takes care of parsing it accordingly BLACK HAT USA 2012

  14. Dissect ¡|| ¡PE ¡– ¡Plugin ¡Examples ¡ l Python print “My plugin result.” l C #include <stdio.h> int main(int argc, char **argv) { printf(“My plugin result.\n”); return 1; } BLACK HAT USA 2012

  15. Dissect ¡|| ¡PE ¡– ¡Plugin ¡Types ¡ l Static: Usually executed outside of the VM (we already have an exception for the l unpacking plugin) Failsafe: errors do not compromise the system l Might get executed in one of two different situations depending on where we l copied the plugin: - Before the malware is executed - After the malware was executed l Dynamic: Executed inside a Windows system (for now the only supported OS, soon others) l BLACK HAT USA 2012

  16. Dissect ¡|| ¡PE ¡– ¡Network ¡Traffic ¡ l During dynamic analysis all the network traffic is captured l Pcap available at the portal l Dissectors: Analyze the pcap and print the contents in a user-friendly way l Supporting IRC, P2P, HTTP, DNS and other protocols l SSL inspection (pre-loaded keys) l BLACK HAT USA 2012

  17. Methodology ¡ l Used a total of 72 cores and 100 GB of memory l Analyzed only 32-bit PE samples l Packed samples: Different samples using the same packer were counted as 1 unique l sample - So, each sample was analyzed once Analyzed all packers present among the 4 million samples l l Unpacked samples: Avoided samples bigger than 3,9 MB for performance reasons (with some l exceptions such as the Flame Malware) BLACK HAT USA 2012

  18. Methodology ¡ l Static analysis: Main focus of this presentation l Improves the throughput (with well-written code) l Not detectable by malwares l l Dynamic counter-part: It is not viable to statically detect everything l Already developed and deployed, but is not covered by this presentation l - The related results can be found at https://www.dissect.pe BLACK HAT USA 2012

  19. Methodology ¡ l Malware protection techniques in this work: State-of-the-art papers/journals l Malwares in the wild l Some techniques we documented are not yet covered by our system: l - The system is constantly being updated All techniques were implemented even when there were no public examples of it l (github) l Our testbed comprises 883 samples to: Detect bugs l Performance measurement l Technique coverage l BLACK HAT USA 2012

  20. Methodology ¡ l Possible techniques detection results: Detected: l - Current detection algorithms detected the malware protection technique Not detected: l - Current detection algorithms did not detect the malware protection technique Evidence detected: l - Current detection algorithms could not deterministically detect the protection technique, but some evidences were found BLACK HAT USA 2012

  21. Methodology ¡ l Analysis rely on executable sections and in the entrypoint one Decreases the probability to analyze data as code l Improves even more the analysis time l For now we miss non-executable areas, even if they are referred by analyzed l sections (future work will cover this) l Disassembly-related analysis framework: Facilitates the development of disassembly analysis code l Speeds up the disassembly process for plugins l Calls-back the plugins for specific instruction types l Disassembly once, analyze all l Care must be taken to avoid disassembly attacks l BLACK HAT USA 2012

  22. Execu)ve ¡Summary ¡ BLACK HAT USA 2012

  23. Packed ¡vs ¡Not ¡Packed ¡ BLACK HAT USA 2012

  24. Top ¡Packers ¡ BLACK HAT USA 2012

  25. Malware ¡Targe)ng ¡Brazilian ¡Banks ¡ BLACK HAT USA 2012

  26. Protec)ng ¡Mechanisms ¡of ¡Packers ¡ Paper (yes, we wrote one...) BLACK HAT USA 2012

  27. Protected ¡Samples ¡ BLACK HAT USA 2012

  28. An)-­‑RE ¡Categories ¡ BLACK HAT USA 2012

  29. An)-­‑Disassembly ¡ BLACK HAT USA 2012

  30. An)-­‑Debugging ¡ BLACK HAT USA 2012

  31. Obfusca)on ¡ BLACK HAT USA 2012

  32. An)-­‑VM ¡ BLACK HAT USA 2012

  33. An)-­‑Debugging ¡Techniques ¡ l Studied and documented 33 techniques l Currently scanning samples for 30 techniques Detected: Marked in green l Evidence: Marked in yellow l Not covered: Marked in black l BLACK HAT USA 2012

  34. An)-­‑Debugging ¡Techniques ¡ PEB NtGlobalFlag (Section 3.1) l IsDebuggerPresent (Section 3.2) l CheckRemoteDebuggerPresent (Section 3.3) l Heap flags (Section 3.4) l NtQueryInformationProcess – ProcessDebugPort (Section 3.5) l Debug Objects – ProcessDebugObjectHandle Class (Section 3.6) l Debug Objects – ProcessDebugFlags Class [1] (Section 3.7) l NtQuerySystemInformation – SystemKernelDebuggerInformation (Section 3.8) l OpenProcess – SeDebugPrivilege (Section 3.9) l Alternative Desktop (Section 3.10) l BLACK HAT USA 2012

  35. An)-­‑Debugging ¡Techniques ¡ Self-Debugging (Section 3.11) l RtlQueryProcessDebugInformation (Section 3.12) l Hardware Breakpoints (Section 3.13) l OutputDebugString (Section 3.14) l BlockInput (Section 3.15) l Parent Process (Section 3.16) l Device Names (Section 3.17) l OllyDbg – OutputDebugString (Section 3.18) l FindWindow (Section 3.19) l SuspendThread (Section 3.20) l BLACK HAT USA 2012

  36. An)-­‑Debugging ¡Techniques ¡ SoftICE – Interrupt 1 (Section 3.21) l SS register (Section 3.22) l UnhandledExceptionFilter (Section 3.23) l Guard Pages (Section 3.24) l Execution Timing (Section 3.25) l Software Breakpoint Detection (Section 3.26) l Thread Hiding (Section 3.27) l NtSetDebugFilterState (Section 3.28) l Instruction Counting (Section 3.29) l Header Entrypoint (Section 3.30) l Self-Execution (Section 3.31) l BLACK HAT USA 2012

Recommend

02 11 2012 1 02 11 2012 ** * *** *** *** ** * * ** ** ** * * * 2 02

02 11 2012 1 02 11 2012 ** * *** *** *** ** * * ** ** ** * * * 2 02

02 11 2012 1 02 11 2012 ** * *** *** *** ** * * ** ** ** * * * 2 02 11 2012 Source: Wijewantha (1964); Fox (1977); Basuki (1981); Peries &amp; Liyanage (1983) 3 02 11 2012 Source: Situmorang,

381 views • 13 slides
12/12/2012 1 12/12/2012 2 12/12/2012 Whole grain consumption is also related to other health

12/12/2012 1 12/12/2012 2 12/12/2012 Whole grain consumption is also related to other health

12/12/2012 1 12/12/2012 2 12/12/2012 Whole grain consumption is also related to other health effects (besides those mentioned in this slide) e.g. laxation, gut functioning and other types of cancer. This presentation will focus on healthy

696 views • 30 slides
2012 2012 NAISN W Worksho hop April 22, 22, 2012 2012 Cancun, M , Mex exico CIPM Mission

2012 2012 NAISN W Worksho hop April 22, 22, 2012 2012 Cancun, M , Mex exico CIPM Mission

CENTER FOR I NVASI VE PLANT MANAGEMENT Liz Galli-Noble, CI PM Director 2012 2012 NAISN W Worksho hop April 22, 22, 2012 2012 Cancun, M , Mex exico CIPM Mission To promote ecologically sound management of invasive plants in western North

600 views • 18 slides
Egyptian Civilization 1 2/21/2012 2 2/21/2012 Greeks Romans Persians Egyptians

Egyptian Civilization 1 2/21/2012 2 2/21/2012 Greeks Romans Persians Egyptians

2/21/2012 How Natural Forces Affected Egyptian Civilization 1 2/21/2012 2 2/21/2012 Greeks Romans Persians Egyptians Mesopotamians 3 2/21/2012 Pyramids(118) of Egypt Acropolis, Athens Persepolis, Iran 4 2/21/2012 The roots of

1.05k views • 59 slides
(1) Adjudication! 3 October 2012 (2) Estidama! 4 October 2012 2 October 2012 (3) The

(1) Adjudication! 3 October 2012 (2) Estidama! 4 October 2012 2 October 2012 (3) The

October 2012 Can Adjudication assist Abu Dhabi in achieving its Sustainability (Estidama) goals for the construction industry? Presentation by: Paul Straker FCInstCES, FRICS, FICE, MCIArb October 2012 1 October 2012 Credit to Others

492 views • 36 slides
New Britain Palm Oil Ltd 2012 New Britain Palm Oil Ltd 2012 New Britain Palm Oil Ltd 2012

New Britain Palm Oil Ltd 2012 New Britain Palm Oil Ltd 2012 New Britain Palm Oil Ltd 2012

New Britain Palm Oil Ltd 2012 New Britain Palm Oil Ltd 2012 New Britain Palm Oil Ltd 2012 February 2012 Preliminary Results 2011 1 Recently upgraded facilities on New Britain 2 Introduction New Britain Palm Oil Ltd 2012 Record

686 views • 44 slides
H1 2012 Results Main results Key figures H1 2012 H1 2011 Q2 2012 Q1 2012 Q2 2011 Q1 2011

H1 2012 Results Main results Key figures H1 2012 H1 2011 Q2 2012 Q1 2012 Q2 2011 Q1 2011

Reykjavk, 30 August 2012 H1 2012 Results Main results Key figures H1 2012 H1 2011 Q2 2012 Q1 2012 Q2 2011 Q1 2011 2011 2010 Net interest income 18,573 16,849 10,020 8,553 9,704 7,145 32,649 24,685 Profit after taxes 11,877

419 views • 17 slides
Timeline May 7, 2012 Reviewed Scenarios A and B May 14, 15 &amp; 16, 2012 Held

Timeline May 7, 2012 Reviewed Scenarios A and B May 14, 15 &amp; 16, 2012 Held

10/18/2012 August 15, 2011 Began discussion of the California Voting Rights Act and its impacts on RUSD February 6, 2012 Board of Education adopted legal and local preference demographical criteria to be used in

324 views • 8 slides
2012 Results and Strategy Review 2012 Results - Review Ken Hanna Chairman 3 2012 Results -

2012 Results and Strategy Review 2012 Results - Review Ken Hanna Chairman 3 2012 Results -

2012 Results and Strategy Review 2012 Results - Review Ken Hanna Chairman 3 2012 Results - Review Angus Cockburn Chief Financial Officer 4 2012 Results Pre-Exceptional 2011 2012 Movement m m As reported Underlying Revenue 1,583

442 views • 21 slides
Henkel Q3 2012 Kasper Rorsted Carsten Knobel London Nov 16, 2012 1 November 16, 2012 Q3

Henkel Q3 2012 Kasper Rorsted Carsten Knobel London Nov 16, 2012 1 November 16, 2012 Q3

Henkel Q3 2012 Kasper Rorsted Carsten Knobel London Nov 16, 2012 1 November 16, 2012 Q3 2012 Henkel Analyst &amp; Investor Meeting Disclaimer This information contains forward-looking statements which are based on current estimates

932 views • 33 slides
2012 H1 Performance 2012 H1 Performance l Benot Potier l Chairman and CEO Paris, July 30, 2012

2012 H1 Performance 2012 H1 Performance l Benot Potier l Chairman and CEO Paris, July 30, 2012

2012 H1 Performance 2012 H1 Performance l Benot Potier l Chairman and CEO Paris, July 30, 2012 l Fabienne Lecorvaisier l Chief Financial Officer 2012 H1 Performance Paris, July 30, 2012 Soft growth in Q2 Performance preserved Strong cash

811 views • 52 slides
2012 ELD Standards: Challenges and Promises in Implementation WIDA 2012 ELD Debut Event August

2012 ELD Standards: Challenges and Promises in Implementation WIDA 2012 ELD Debut Event August

10/15/2012 2012 ELD Standards: Challenges and Promises in Implementation WIDA 2012 ELD Debut Event August 9, 2012 | Madison, WI September 20, 2012 | Denver, CO Diep Nguyen, Ph.D. NorthEastern Illinois University n-nguyen8@neiu.edu

555 views • 14 slides
2012 Interim Results 2012 Interim Results Ken Hanna Chairman 2012 Interim Results Financial

2012 Interim Results 2012 Interim Results Ken Hanna Chairman 2012 Interim Results Financial

2012 Interim Results 2012 Interim Results Ken Hanna Chairman 2012 Interim Results Financial Review Angus Cockburn Finance Director 2012 Interim Results 2012 2011 Movement m m As reported Underlying Revenue 734 637 15% 16%

400 views • 23 slides
Cambridge, MA, 3. - 5. 11. 2012 Amsterdam, 6. 7. 10. 2012 Standard therapy with Biological

Cambridge, MA, 3. - 5. 11. 2012 Amsterdam, 6. 7. 10. 2012 Standard therapy with Biological

iGEM 2012 iGEM 2012 Cambridge, MA, 3. - 5. 11. 2012 Amsterdam, 6. 7. 10. 2012 Standard therapy with Biological drugs Advantages Specific Safe OUR SURVEY OF HEPATITIS C PATIENTS Effective None 12% Drawbacks Strong 37%

823 views • 42 slides
Third quarter 2012 results 2012 results 7 November 2012 1 Disclaimer Figures included in this

Third quarter 2012 results 2012 results 7 November 2012 1 Disclaimer Figures included in this

Third quarter 2012 results 2012 results 7 November 2012 1 Disclaimer Figures included in this presentation are unaudited. On 18 April 2012, BNP Paribas issued a restatement of its quarterly results for 2011 reflecting, in particular, an

1.23k views • 73 slides
Second quarter 2012 results 2012 results 2 August 2012 1 Disclaimer Figures included in this

Second quarter 2012 results 2012 results 2 August 2012 1 Disclaimer Figures included in this

Second quarter 2012 results 2012 results 2 August 2012 1 Disclaimer Figures included in this presentation are unaudited. On 18 April 2012, BNP Paribas issued a restatement of its quarterly results for 2011 reflecting, in particular, an

935 views • 77 slides
enersis 9M 2012 results Enersis consolidated results 9M 2012 Highlights in 9M 2012 Distribution:

enersis 9M 2012 results Enersis consolidated results 9M 2012 Highlights in 9M 2012 Distribution:

07 | 11 | 2012 enersis 9M 2012 results Enersis consolidated results 9M 2012 Highlights in 9M 2012 Distribution: an increase in 2,373 GWh in physical sales and close to 380 thousand new customers were added in the period Generation: despite the

725 views • 30 slides
endesa chile 9M 2012 results Endesa Chile consolidated results 9M 2012 Highlights of 9M 2012

endesa chile 9M 2012 results Endesa Chile consolidated results 9M 2012 Highlights of 9M 2012

07 | 11 | 2012 endesa chile 9M 2012 results Endesa Chile consolidated results 9M 2012 Highlights of 9M 2012 Growth of 2.5% in electricity demand in the region Lower Revenues due to an increase in Operating Costs, related with higher fuel and

241 views • 21 slides
2012 LEVY HEARING December 18, 2012 Meeting of the Board 2012 Levy Calendar Discussion

2012 LEVY HEARING December 18, 2012 Meeting of the Board 2012 Levy Calendar Discussion

12/11/12 2012 LEVY HEARING December 18, 2012 Meeting of the Board 2012 Levy Calendar Discussion Preliminary Discussion October 9, 2012 of Proposed 2012 Levy Tentative Levy Approval November 20, 2012 Levy Request Published December

292 views • 10 slides
Full year ended 30 June 2012 12 September 2012 Full Year 2012 2 Bob Lawson Chairman

Full year ended 30 June 2012 12 September 2012 Full Year 2012 2 Bob Lawson Chairman

Full Year 2012 1 Results presentation Full year ended 30 June 2012 12 September 2012 Full Year 2012 2 Bob Lawson Chairman Nightingale Woods,Wendover Full Year 2012 3 Mark Clare Group Chief Executive Newberry Corner, Churchinford Full

928 views • 60 slides
enersis 1H 2012 results Enersis consolidated results 1H 2012 Highlights in 1H 2012 Distribution:

enersis 1H 2012 results Enersis consolidated results 1H 2012 Highlights in 1H 2012 Distribution:

26 | 07 | 2012 enersis 1H 2012 results Enersis consolidated results 1H 2012 Highlights in 1H 2012 Distribution: an increase in 1,582 GWh in physical sales and close to 377,000 new customers were added in the period Generation: despite the

669 views • 29 slides
P P O O H H S S K K R R O O W W 2012 2012 24 25 October

P P O O H H S S K K R R O O W W 2012 2012 24 25 October

Special program P P O O H H S S K K R R O O W W 2012 2012 24 25 October www.people.marcegaglia.com WED n o i s i 24 v i d p i r t s a l i g a g e c r a M i g , a i B o z n e r o L New steel

364 views • 24 slides
Staff Meeting November 6, 2012 1 00 1:00 p.m. 2:00 p.m. 2 00 SEB 2099 November 6, 2012 1

Staff Meeting November 6, 2012 1 00 1:00 p.m. 2:00 p.m. 2 00 SEB 2099 November 6, 2012 1

11/7/2012 Staff Meeting November 6, 2012 1 00 1:00 p.m. 2:00 p.m. 2 00 SEB 2099 November 6, 2012 1 11/7/2012 Todays Agenda 1. Opening Remarks and Welcome 2. Approval of Agenda 3. Approval of Minutes April 27, 2012 4. Faculty

638 views • 21 slides
P P O O H H S S K K R R O O W W 2012 2012 24 25 October

P P O O H H S S K K R R O O W W 2012 2012 24 25 October

Special program P P O O H H S S K K R R O O W W 2012 2012 24 25 October www.people.marcegaglia.com THU Marcegaglia sheet &amp; heavy plate division 25 Nazzareno Rubino, The flat universe: Marcegaglia expertise 0 0 . 4

600 views • 36 slides

More recommend