SPACE-2016
Malware Characterization using Windows API Call Sequences
Sanchit Gupta, Sarvjeet Kaur and Harshit Sharma
Scientific Analysis Group, DRDO, Metcalfe House, Delhi – 110054
AIM
• Extraction of the run-time behaviour of malware by monitoring system calls
• Categorisation of unknown malware

SCOPE
Operating system: Windows
Malware categories: five classes
1. Worm
2. Trojan-Downloader
3. Trojan-Spy
4. Trojan-Dropper
5. Backdoor
Application Execution in Windows OS (layer diagram)
User level: user application, or malware in its place (slide 4 shows the same stack with MALWARE at the top) -> Windows API (Kernel32.dll, Advapi32.dll and other Windows DLLs) -> Native API (Ntdll.dll)
Kernel level (operating system): kernel API
Hardware
Application Execution in Windows OS: creating a file
User level: CreateFile(..) (Kernel32.dll) -> NtCreateFile() (ntdll.dll)
Kernel level: NtCreateFile, reached through the SSDT -> I/O request packet to the driver (the slide labels it IRP_MJ_Write; a create request is dispatched to the file-system driver as IRP_MJ_CREATE, and IRP_MJ_WRITE is issued only for a later WriteFile) -> driver -> hard disk
Why the Windows-API layer (Kernel32.dll and the other user-level DLLs) is chosen as the monitoring point: it is well documented, it is version independent, and many hooking libraries exist for it.
Some Malicious Win-API Patterns
Malicious activity | API pattern
Key Logger | (FindWindowA, ShowWindow, GetAsyncKeyState); (SetWindowsHookEx, RegisterHotKey, GetMessage, UnhookWindowsHookEx)
Screen Capture | (GetDC, GetWindowDC), CreateCompatibleDC, CreateCompatibleBitmap, SelectObject, BitBlt, WriteFile
Antidebugging | (IsDebuggerPresent, CheckRemoteDebuggerPresent, OutputDebugStringA, OutputDebugStringW)
Downloader | URLDownloadToFile, (WinExec, ShellExecute)
DLL Injection | OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread
Dropper | FindResource, LoadResource, SizeOfResource
For each malicious activity: 1. identification of such Win-API call sequences; 2. extraction of the same.
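The following is an added example, not code from the SPACE-2016 slides or from the authors' tool: it checks a recorded Win-API call trace for the patterns in the table above. Each pattern is a list of steps in call order, and a step with several names means "any one of these". The steps may be separated by other calls (a gapped subsequence match), which is exactly what a contiguous n-gram search cannot tolerate. The reading of the slide's parentheses as alternatives, the split of Key Logger into a polling and a hook variant, the `max_span` window and the sample trace are this example's assumptions.

```python
# Added example (not code from the SPACE-2016 slides): check a recorded Win-API
# call trace for the malicious patterns of slide 7. A pattern is a list of
# steps in call order; a step with several names means "any one of these".
# Steps may be separated by other calls (gapped subsequence), which a
# contiguous n-gram search cannot tolerate. The reading of the slide's
# parentheses as alternatives, the two Key Logger variants and max_span are
# this example's assumptions.
from collections import Counter
from typing import Dict, List, Optional, Sequence, Tuple

Step = Tuple[str, ...]       # alternative API names for one position
Variant = List[Step]         # ordered steps of one realisation of an activity

PATTERNS: Dict[str, List[Variant]] = {
    "Key Logger": [
        [("FindWindowA",), ("ShowWindow",), ("GetAsyncKeyState",)],
        [("SetWindowsHookEx", "RegisterHotKey"), ("GetMessage",),
         ("UnhookWindowsHookEx",)],
    ],
    "Screen Capture": [[("GetDC", "GetWindowDC"), ("CreateCompatibleDC",),
                        ("CreateCompatibleBitmap",), ("SelectObject",),
                        ("BitBlt",), ("WriteFile",)]],
    "Antidebugging": [[("IsDebuggerPresent", "CheckRemoteDebuggerPresent",
                        "OutputDebugStringA", "OutputDebugStringW")]],
    "Downloader": [[("URLDownloadToFile",), ("WinExec", "ShellExecute")]],
    "DLL Injection": [[("OpenProcess",), ("VirtualAllocEx",),
                       ("WriteProcessMemory",), ("CreateRemoteThread",)]],
    "Dropper": [[("FindResource",), ("LoadResource",), ("SizeOfResource",)]],
}


def find_variant(trace: Sequence[str], variant: Variant,
                 max_span: int = 200) -> Optional[Tuple[int, int]]:
    """First occurrence of `variant` as an in-order, possibly interleaved
    subsequence of `trace` whose steps all fall within `max_span` calls of
    the first one. Returns (start, end) indices or None. The span limit keeps
    an OpenProcess at the start of a long trace from pairing with an
    unrelated CreateRemoteThread thousands of calls later."""
    for start, call in enumerate(trace):
        if call not in variant[0]:
            continue
        step, end = 1, start
        for pos in range(start + 1, min(len(trace), start + max_span)):
            if step == len(variant):
                break
            if trace[pos] in variant[step]:
                step, end = step + 1, pos
        if step == len(variant):
            return start, end
    return None


def detect(trace: Sequence[str], patterns: Dict[str, List[Variant]] = PATTERNS,
           max_span: int = 200) -> Dict[str, Tuple[int, int, int]]:
    """Activity name -> (variant index, start, end) for each activity whose
    pattern occurs in `trace`; the first matching variant wins."""
    hits: Dict[str, Tuple[int, int, int]] = {}
    for name, variants in patterns.items():
        for index, variant in enumerate(variants):
            found = find_variant(trace, variant, max_span)
            if found is not None:
                hits[name] = (index, found[0], found[1])
                break
    return hits


def ngrams(trace: Sequence[str], n: int) -> Counter:
    """Counts of contiguous n-grams, i.e. what an exact n-gram tool reports."""
    return Counter(tuple(trace[i:i + n]) for i in range(len(trace) - n + 1))


# Constructed trace (hypothetical, not a real capture). GetLastError and Sleep
# are interleaved with the injection sequence on purpose.
SAMPLE_TRACE = [
    "GetModuleHandleA", "GetProcAddress", "IsDebuggerPresent", "Sleep",
    "URLDownloadToFile", "GetLastError", "CreateFileA", "WriteFile",
    "CloseHandle", "OpenProcess", "GetLastError", "VirtualAllocEx", "Sleep",
    "WriteProcessMemory", "CreateRemoteThread", "CloseHandle", "ShellExecute",
    "ExitProcess",
]

if __name__ == "__main__":
    for activity, (variant, start, end) in detect(SAMPLE_TRACE).items():
        print(f"{activity}: variant {variant}, calls {start}..{end}")
    injection = ("OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
                 "CreateRemoteThread")
    print("contiguous 4-gram count:", ngrams(SAMPLE_TRACE, 4)[injection])
```

On the constructed trace the gapped matcher reports Antidebugging, Downloader and DLL Injection, while the contiguous 4-gram `OpenProcess, VirtualAllocEx, WriteProcessMemory, CreateRemoteThread` is counted zero times because of the interleaved `GetLastError` and `Sleep`. Tightening `max_span` is the knob that trades recall for precision on long traces.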
Identification & Categorization of Win-APIs
The 534 Win-API calls (examples: OpenFile, WriteFile, Send, GetHostbyName, Connect, GetSystemTime) are grouped into 26 categories, each coded by one letter A–Z (I/O Create, I/O Open, I/O Write, I/O Find, I/O Read, ..., Win-Service, System Info). For example, the Win-APIs in the 'I/O Create' category create I/O objects such as files, folders, stdin and stdout.

No. | Category | Some examples | Code | No. of APIs
1 | I/O Create | CreateFileA, CreatePipe | A | 14
2 | I/O Open | OpenFile, OpenFileMappingA | B | 10
3 | I/O Write | WriteFile, WriteConsoleW, WriteFileEx | C | 25
4 | I/O Find | FindFirstFileA, FindNextFileW | D | 13
5 | I/O Read | ReadFile, ReadFileEx, ReadConsoleA | E | 18
6 | I/O Access | SetFileAttributesW, SetConsoleMode | F | 19
7 | Loading Library | LoadLibraryExW, FreeLibrary | G | 7
8 | Registry Read | RegOpenKeyExW, RegQueryValueA | H | 15
9 | Registry Write | RegSetValueA, RegSetValueW | I | 13
... | ... | ... | ... | ...
22 | Internet Open/Read | InternetOpenUrlA, InternetReadFile | V | 13
23 | Internet Write | InternetWriteFile, TransactNamedPipe | W | 2
24 | Win-Service Create | CreateServiceW, CreateServiceA | X | 2
25 | Win-Service Other | StartServiceW, ChangeServiceConfigA | Y | 11
26 | System Information | GetSystemDirectoryW, GetSystemTime | Z | 35
Total | 26 categories | | | 534 APIs
Win-API Call Extraction of Malware
Host machine: Ubuntu 14.01; guest machine: Windows XP SP2; monitoring tool: APP-MON.
Each sample is executed in the guest, its Win-API call sequence is recorded, and the sequence is then mapped to the higher-level category sequence (one letter per call).
Samples: 520 per malware class, 2,600 in total; time taken: 40 days.
N-gram Analysis of the final call sequence
Tool used: AntConc
Limitation: it finds only exactly identical consecutive patterns; a pattern whose calls are separated by other calls is not matched.
Analysis of sequence: ssdeep Analysis
ssdeep (fuzzy hash) matches inputs that have homologies. Properties:
• Non-propagation
• Alignment robustness
• Signature matching criteria
Analysis of sequence: ssdeep Analysis (2)
Sample input: a text file of 26 KB
ssdeep hash: 768:9tshU99FMiEHvIbDtNKm2tWHl5DXhAfQPLJzOmu:9UY+iXnnKqhXEQPl3u

Analysis of sequence: ssdeep Analysis (3)
Change applied to the file | ssdeep hash | Match score
'Annual' removed from the first paragraph | 768:8tshU99FMiEHvIbDtNKm2tWHl5DXhAfQPLJzOmu:8UY+iXnnKqhXEQPl3u | 99
Replace 2016 with 2017 (15 replacements) | 768:XtshU9EFMiEHv1bDtNKm2tlfl5DXhAfQPLJzObv:XUh+iinnK3hXEQPlCv | 83
Replace cryptography with cryptology (25 replacements) | 768:TtshG99FMiEHvcbDtNUq2twHl5DXhA9QVLJzOIu:TUu+ijnnUshXGQVlVu | 79
Remove the first 500 bytes | 768:TtshU99FMiEHvIbDtNKm2tWHl5DXhAfQPLJzOmu:TUY+iXnnKqhXEQPl3u | 99
Remove the first 1500 bytes and place them at the end | 768:1tshU99FMiEHvIbDtNKm2tWHl5DXhAfQPLJzOm3:1UY+iXnnKqhXEQPl33 | 96
Remove the first 1500 bytes and place them in the middle | 768:1tshU99FMiEHvUbDtNKm2tWHl5DXhAfQPLJzOmu:1UY+i5nnKqhXEQPl3u | 96
Remove 2000 bytes from the middle | 768:9tshU99FMA&&vIbDtNKm2tWHl5DXhAfQPLJzOmu:9UY+/&nnKqhXEQPl3u | 96
Replace 800 bytes in the middle with a random string | 768:9tshU99FM91HvIbDtNKm2tWHl5DXhAfQPLJzOmu:9UY+6n&nKqhXEQPl3u | 97
Reading the table: a single localised edit or a moved block changes only the signature characters near the edit point, so the score stays at 96–99 (non-propagation and alignment robustness); the scores drop furthest (83 and 79) for the many small replacements spread through the whole file, because each one perturbs a different piece of the signature.
Analysis of sequence: ssdeep Analysis, conclusion
The ssdeep matching score between category sequences is used as the malware classification criterion: an unknown sample is assigned to the class of its best-matching known sample.
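The pipeline of the preceding slides (API calls to one-letter category codes, fuzzy hash of the category string, score-based best-matching class), as an added example that is neither code from the slides nor the authors' APP-MON tool. The fuzzy hash is a simplified context-triggered piecewise hash built the way ssdeep builds its signature (rolling hash over a 7-byte window to choose piece boundaries, a per-piece FNV hash, one base64 character per piece, edit-distance scoring), but it is not a byte-exact ssdeep reimplementation: the second signature at double block size, the 64-character cap and the 7-character common-substring precondition are left out, and the scoring weights are an assumption. Only the example APIs printed in the category table are in `API_CATEGORY`; the dropping of unlisted calls, the block size of 32 and the LCG-generated traces are constructed for the example.

```python
# Added example (not from the SPACE-2016 slides or the authors' tool): map a
# Win-API trace to slide-9 category letters, fuzzy-hash the category string with
# a simplified context-triggered piecewise hash (the idea behind ssdeep), score
# two hashes 0..100 and label an unknown trace by its best-matching class.
from typing import Dict, Iterable, List, Sequence, Tuple

API_CATEGORY: Dict[str, str] = {   # only the examples printed on slide 9
    "CreateFileA": "A", "CreatePipe": "A", "OpenFile": "B",
    "OpenFileMappingA": "B", "WriteFile": "C", "WriteConsoleW": "C",
    "WriteFileEx": "C", "FindFirstFileA": "D", "FindNextFileW": "D",
    "ReadFile": "E", "ReadFileEx": "E", "ReadConsoleA": "E",
    "SetFileAttributesW": "F", "SetConsoleMode": "F", "LoadLibraryExW": "G",
    "FreeLibrary": "G", "RegOpenKeyExW": "H", "RegQueryValueA": "H",
    "RegSetValueA": "I", "RegSetValueW": "I", "InternetOpenUrlA": "V",
    "InternetReadFile": "V", "InternetWriteFile": "W",
    "TransactNamedPipe": "W", "CreateServiceW": "X", "CreateServiceA": "X",
    "StartServiceW": "Y", "ChangeServiceConfigA": "Y",
    "GetSystemDirectoryW": "Z", "GetSystemTime": "Z",
}
WINDOW = 7                                # rolling-hash window, as in ssdeep
FNV_INIT, FNV_PRIME = 0x811C9DC5, 0x01000193
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def to_category_sequence(trace: Iterable[str]) -> str:
    """Category letters of a trace; unlisted calls are dropped (assumption)."""
    return "".join(API_CATEGORY[c] for c in trace if c in API_CATEGORY)

def rolling_hash(data: bytes) -> Iterable[Tuple[int, int]]:
    """ssdeep-style rolling hash yielding (byte, hash). It depends on the last
    WINDOW bytes only, so an edit moves piece boundaries only nearby: the
    source of non-propagation and alignment robustness."""
    h1 = h2 = h3 = 0
    win = [0] * WINDOW
    for i, c in enumerate(data):
        h2 = h2 - h1 + WINDOW * c
        h1 = h1 + c - win[i % WINDOW]
        win[i % WINDOW] = c
        h3 = ((h3 << 5) ^ c) & 0xFFFFFFFF
        yield c, h1 + h2 + h3

def ctph(data: bytes, block_size: int) -> str:
    """Simplified CTPH: end a piece when rolling_hash % block_size == block_size-1,
    FNV-1 hash each piece, emit one base64 char per piece. (ssdeep additionally
    emits a second signature at 2*block_size and caps each at 64 chars.)"""
    sig: List[str] = []
    piece = FNV_INIT
    for c, rh in rolling_hash(data):
        piece = ((piece * FNV_PRIME) ^ c) & 0xFFFFFFFF
        if rh % block_size == block_size - 1:
            sig.append(B64[piece & 63])
            piece = FNV_INIT
    if piece != FNV_INIT:                  # trailing partial piece
        sig.append(B64[piece & 63])
    return f"{block_size}:{''.join(sig)}"

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with insert/delete cost 1 and substitution cost 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (0 if ca == cb else 2)))
        prev = cur
    return prev[-1]

def compare(sig_a: str, sig_b: str) -> int:
    """0..100 similarity of two same-block-size signatures: 100 minus the edit
    distance as a share of both lengths (ssdeep's scoring shape, without its
    7-char common-substring precondition)."""
    bs_a, a = sig_a.split(":", 1)
    bs_b, b = sig_b.split(":", 1)
    if bs_a != bs_b:
        return 0
    if not a and not b:
        return 100
    return 100 - (100 * edit_distance(a, b)) // (len(a) + len(b))

def best_matching_class(unknown: str,
                        labelled: Sequence[Tuple[str, str]]) -> Tuple[str, int]:
    """(class, score) of the highest-scoring training signature: the
    best-matching-class rule of slides 15 and 16."""
    return max(((label, compare(unknown, sig)) for label, sig in labelled),
               key=lambda item: item[1])

def fake_category_trace(seed: int, length: int) -> bytes:
    """Constructed test data, not a real trace: an LCG picks letters A-Z."""
    out, x = bytearray(), seed
    for _ in range(length):
        x = (1103515245 * x + 12345) & 0x7FFFFFFF
        out.append(65 + (x >> 16) % 26)
    return bytes(out)

if __name__ == "__main__":
    worm, backdoor = fake_category_trace(1, 1500), fake_category_trace(7, 1500)
    training = [("Worm", ctph(worm, 32)), ("Backdoor", ctph(backdoor, 32))]
    # 64 extra calls in front and 20 changed in the middle: still nearest Worm
    unknown = fake_category_trace(5, 64) + worm[:700] + fake_category_trace(9, 20) + worm[720:]
    print(best_matching_class(ctph(unknown, 32), training))
```

Because the rolling hash sees only the last seven bytes, a change in the middle of a category string alters at most the one or two signature characters whose pieces overlap the edit, and a prefix insertion only adds characters at the front; an unrelated trace of the same length shares almost no characters and scores low. That is the behaviour the ssdeep table above shows on a text file, reproduced on category strings, and it is why a nearest-signature rule can classify a trace that has been padded or locally perturbed.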
Classification Results: Best Matching Class
Training data: 2,000 samples; testing data: 120 samples per malware class (600 in total).
Confusion matrix over the 600 test samples (the matrix is symmetric, so the true/predicted orientation does not change the reading):
Class | Worm | Backdoor | Trojan-Dropper | Trojan-Downloader | Trojan-Spy
Worm | 109 | 1 | 6 | 3 | 1
Backdoor | 1 | 98 | 6 | 5 | 10
Trojan-Dropper | 6 | 6 | 101 | 4 | 3
Trojan-Downloader | 3 | 5 | 4 | 108 | 0
Trojan-Spy | 1 | 10 | 3 | 0 | 106
The diagonal sums to 522 of 600 test samples, i.e. 87.0% overall accuracy; the largest confusion is between Backdoor and Trojan-Spy (10 samples each way).
Classification Results Comparison (chart; only the series labels survive extraction)
Existing approaches: Malware vs Benign
Our model: One Malware Class vs All
Proposed Malware Classification Framework (figure; only the title survives extraction)
FUTURE DIRECTION
• More samples
• More malware categories, such as rootkit and botnet
• Other operating systems, such as Linux and Android