8 research outputs found
On the Dissection of Evasive Malware
Complex malware samples feature measures to impede automatic and manual analyses, making their investigation cumbersome. While automatic characterization of malware benefits from recently proposed designs for passive monitoring, the subsequent dissection process still sees human analysts struggling with adversarial behaviors, many of which also closely resemble those studied for automatic systems. This gap affects the day-to-day analysis of complex samples and researchers have not yet attempted to bridge it. We make a first step down this road by proposing a design that can reconcile transparency requirements with manipulation capabilities required for dissection. Our open-source prototype BluePill (i) offers a customizable execution environment that remains stealthy when analysts intervene to alter instructions and data or run third-party tools, (ii) is extensible to counteract newly encountered anti-analysis measures using insights from the dissection, and (iii) can accommodate program analyses that aid analysts, as we explore for taint analysis. On a set of highly evasive samples BluePill resulted as stealthy as commercial sandboxes while offering new intervention and customization capabilities for dissection
Resurrecting anti-virtualization and anti-debugging: Unhooking your hooks
Dynamic malware analysis involves the debugging of the associated binary files and the monitoring of changes in sandboxed environments. This allows the investigator to manipulate the code execution path and environment to develop an understanding of the malware’s internal workings, aims and modus operandi. However, the latest state of the art malware may incor- porate anti-virtual environment (VM) and anti-debugging countermeasures (i.e. to determine whether the malware is being executed in a VM or us- ing a debugger prior to payload execution). We argue that for the malware to be effective, it will need to support an array of anti-detection and eva- sion mechanisms. In essence, from the malware’s perspective, it needs to adopt a “defence in depth” paradigm to achieve its underlying business logic functionality. Beyond the malicious uses, software vendors to preserve the intellectual property rights of their products often resort to similar methods to deter competitors from gaining intelligence from the binaries or prevent customers from using their products in unauthorised hardware. In this work, we illustrate how Windows architecture impedes the work of debuggers when they analyse with armoured binaries. The debugger and the malware have the same privileges, so the attacker may manipulate theaddress space that the debugger operates and, e.g. bypass detection. We showcase this by presenting a new framework (ANTI), which automates the procedure of integrating anti-debugging and anti-VM in the binary. Specifi- cally, ANTI introduces an anti-hooking method targeting Windows binaries, where hooks applied by state of the art debuggers are removed and injects its code in other processes. This significantly compounds the challenge of binary analysis. Our extensive evaluation also demonstrates that ANTI successfully circumvents detection from state-of-the-art detection methods. Therefore, ANTI illustrates that current tools for dynamic analysis have serious implementation gaps that allow for binaries to bypass them. More alarmingly, ANTI shows how one can use well-known methods to “resurrect” old attacks
HyperDbg: Reinventing Hardware-Assisted Debugging (Extended Version)
Software analysis, debugging, and reverse engineering have a crucial impact
in today's software industry. Efficient and stealthy debuggers are especially
relevant for malware analysis. However, existing debugging platforms fail to
address a transparent, effective, and high-performance low-level debugger due
to their detectable fingerprints, complexity, and implementation restrictions.
In this paper, we present HyperDbg, a new hypervisor-assisted debugger for
high-performance and stealthy debugging of user and kernel applications. To
accomplish this, HyperDbg relies on state-of-the-art hardware features
available in today's CPUs, such as VT-x and extended page tables. In contrast
to other widely used existing debuggers, we design HyperDbg using a custom
hypervisor, making it independent of OS functionality or API. We propose
hardware-based instruction-level emulation and OS-level API hooking via
extended page tables to increase the stealthiness. Our results of the dynamic
analysis of 10,853 malware samples show that HyperDbg's stealthiness allows
debugging on average 22% and 26% more samples than WinDbg and x64dbg,
respectively. Moreover, in contrast to existing debuggers, HyperDbg is not
detected by any of the 13 tested packers and protectors. We improve the
performance over other debuggers by deploying a VMX-compatible script engine,
eliminating unnecessary context switches. Our experiment on three concrete
debugging scenarios shows that compared to WinDbg as the only kernel debugger,
HyperDbg performs step-in, conditional breaks, and syscall recording, 2.98x,
1319x, and 2018x faster, respectively. We finally show real-world applications,
such as a 0-day analysis, structure reconstruction for reverse engineering,
software performance analysis, and code-coverage analysis
HyperDbg: Reinventing Hardware-Assisted Debugging
Software analysis, debugging, and reverse engineering have a crucial impact in today's software industry. Efficient and stealthy debuggers are especially relevant for malware analysis. However, existing debugging platforms fail to address a transparent, effective, and high-performance low-level debugger due to their detectable fingerprints, complexity, and implementation restrictions.
In this paper, we present StealthDbg, a new hypervisor-assisted debugger for high-performance and stealthy debugging of user and kernel applications. To accomplish this, StealthDbg relies on state-of-the-art hardware features available in today's CPUs, such as VT-x and extended page tables. In contrast to other widely used existing debuggers, we design StealthDbg using a custom hypervisor, making it independent of OS functionality or API. We propose hardware-based instruction-level emulation and OS-level API hooking via extended page tables to increase the stealthiness. Our results of the dynamic analysis of 10,853 malware samples show that StealthDbg's stealthiness allows debugging on average 22% and 26% more samples than WinDbg and x64dbg, respectively. Moreover, in contrast to existing debuggers, StealthDbg is not detected by any of the 13 tested packers and protectors. We improve the performance over other debuggers by deploying a VMX-compatible script engine, eliminating unnecessary context switches. Our experiment on three concrete debugging scenarios shows that compared to WinDbg as the only kernel debugger, StealthDbg performs step-in, conditional breaks, and syscall recording, 2.98x, 1319x, and 2018x faster, respectively. We finally show real-world applications, such as a 0-day analysis, structure reconstruction for reverse engineering, software performance analysis, and code-coverage analysis
Dissection of Modern Malicious Software
The exponential growth of the number of malicious software samples, known by malware in
the specialized literature, constitutes nowadays one of the major concerns of cyber-security
professionals. The objectives of the creators of this type of malware are varied, and the means
used to achieve them are getting increasingly sophisticated. The increase of the computation
and storage resources, as well as the globalization have been contributing to this growth, and
fueling an entire industry dedicated to developing, selling and improving systems or solutions for
securing, recovering, mitigating and preventing malware related incidents. The success of these
systems typically depends of detailed analysis, often performed by humans, of malware samples
captured in the wild. This analysis includes the search for patterns or anomalous behaviors that
may be used as signatures to identify or counter-attack these threats.
This Master of Science (Ms.C.) dissertation addresses problems related with dissecting and analyzing
malware. The main objectives of the underlying work were to study and understand the
techniques used by this type of software nowadays, as well as the methods that are used by
specialists on that analysis, so as to conduct a detailed investigation and produce structured
documentation for at least one modern malware sample. The work was mostly focused in malware
developed for the Operating Systems (OSs) of the Microsoft Windows family for desktops.
After a brief study of the state of the art, the dissertation presents the classifications applied to
malware, which can be found in the technical literature on the area, elaborated mainly by an
industry community or seller of a security product. The structuring of the categories is nonetheless
the result of an effort to unify or complete different classifications. The families of some of
the most popular or detected malware samples are also presented herein, initially in a tabular
form and, subsequently, via a genealogical tree, with some of the variants of each previously
described family. This tree provides an interesting perspective over malware and is one of the
contributions of this programme.
Within the context of the description of functionalities and behavior of malware, some advanced
techniques, with which modern specimens of this type of software are equipped to ease their
propagation and execution, while hindering their detection, are then discussed with more detail.
The discussion evolves to the presentation of the concepts related to the detection and defense
against modern malware, along with a small introduction to the main subject of this work. The
analysis and dissection of two samples of malware is then the subject of the final chapters of the
dissertation. A basic static analysis is performed to the malware known as Stuxnet, while the
Trojan Banker known as Tinba/zuzy is subdued to both basic and advanced dynamic analysis.
The results of this part of the work emphasize difficulties associated with these tasks and the
sophistication and dangerous level of samples under investigation.O crescimento exponencial do número de amostras de software malicioso, conhecido na gíria
informática como malware, constitui atualmente uma das maiores preocupações dos profissionais
de cibersegurança. São vários os objetivos dos criadores deste tipo de software e a forma
cada vez mais sofisticada como os mesmos são alcançados. O aumento da computação e capacidade
de armazenamento, bem como a globalização, têm contribuído para este crescimento, e
têm alimentado toda uma indústria dedicada ao desenvolvimento, venda e melhoramento de
sistemas ou soluções de segurança, recuperação, mitigação e prevenção de incidentes relacionados
com malware. O sucesso destes sistemas depende normalmente da análise detalhada, feita
muitas vezes por humanos, de peças de malware capturadas no seu ambiente de atuação. Esta
análise compreende a procura de padrões ou de comportamentos anómalos que possam servir
de assinatura para identificar ou contra-atacar essas ameaças.
Esta dissertação aborda a problemática da análise e dissecação de malware. O trabalho que
lhe está subjacente tinha como objetivos estudar e compreender as técnicas utilizadas por este
tipo de software hoje em dia, bem como as que são utilizadas por especialistas nessa análise,
de forma a conduzir uma investigação detalhada e a produzir documentação estruturada sobre
pelo menos uma amostra de malware moderna. O trabalho focou-se, sobretudo, em malware
desenvolvido para os sistemas operativos da família Microsoft Windows para computadores de
secretária. Após um breve estudo ao estado da arte, a dissertação apresenta as classificações
de malware encontradas na literatura técnica da especialidade, principalmente usada pela indústria,
resultante de um esforço de unificação das mesmas. São também apresentadas algumas
das famílias de malware mais detetadas da atualidade, inicialmente através de uma tabela e,
posteriormente, através de uma árvore geneológica, com algumas das variantes de cada uma das
famílias descritas previamente. Esta árvore fornece uma perspetiva interessante sobre malware
e constitui uma das contribuições deste programa de mestrado.
Ainda no âmbito da descrição de funcionalidades e comportamentos do malware, são expostas,
com algum detalhe, algumas técnicas avançadas com as quais os programas maliciosos mais
modernos são por vezes munidos com o intuito a facilitar a sua propagação e execução, dificultando
a sua deteção. A descrição evolui para a apresentação dos conceitos adjacentes à deteção
e combate ao malware moderno, assim como para uma pequena introdução ao tema principal
deste trabalho. A análise e dissecação de duas amostras de malware moderno surgem nos capítulos
finais da dissertação. Ao malware conhecido por Stuxnet é feita a análise básica estática,
enquanto que ao Trojan Banker Tinba/zusy é feita e demonstrada a análise dinâmica básica e
avançada. Os resultados desta parte são demonstrativos do grau de sofisticação e perigosidade
destas amostras e das dificuldades associadas a estas tarefas
A Survey and Evaluation of Android-Based Malware Evasion Techniques and Detection Frameworks
Android platform security is an active area of research where malware detection techniques continuously evolve to identify novel malware and improve the timely and accurate detection of existing malware. Adversaries are constantly in charge of employing innovative techniques to avoid or prolong malware detection effectively. Past studies have shown that malware detection systems are susceptible to evasion attacks where adversaries can successfully bypass the existing security defenses and deliver the malware to the target system without being detected. The evolution of escape-resistant systems is an open research problem. This paper presents a detailed taxonomy and evaluation of Android-based malware evasion techniques deployed to circumvent malware detection. The study characterizes such evasion techniques into two broad categories, polymorphism and metamorphism, and analyses techniques used for stealth malware detection based on the malware’s unique characteristics. Furthermore, the article also presents a qualitative and systematic comparison of evasion detection frameworks and their detection methodologies for Android-based malware. Finally, the survey discusses open-ended questions and potential future directions for continued research in mobile malware detection
Технології протидії виявленню віртуалізації шкідливим ПЗ
Завданням роботи є аналіз технік ухилення від виявлення віртуалізації,
вивчення методів продії ним, розробка класифікації та проведення
статистичного дослідження технік ухилення, які використовують ШПЗ, та
зведення результатів роботи у таблиці у форматі “техніка – протидія техніці” за
кожною окремою категорією.
Метою роботи є створення методики щодо протидії виявленню
шкідливим програмним забезпеченням, чутливим до середовища виконання,
віртуальних машин на базі десктопної версії ОС Windows.
Предметом дослідження є: технології виявлення та протидії виявленню
віртуалізації. Об’єктом дослідження є: шкідливе програмне забезпечення,
чутливе до середовища виконання.The task of the work is to analyze the techniques of virtualization evasion, to
study the methods of its implementation, to develop a classification and statistical
research on evasion techniques, that are used by malware, and to summarize the
results in a table in the format " technique - its countermeasure" for each category.
The aim of the work is to create a methodology for counteracting the detection
of virtual machines based on the desktop version of Windows by context-aware
malware.
The subject of research are: virtualization detection technologies and their
counteractions. The object of research is: context-aware malware