On the Reverse Engineering of the Citadel Botnet

Citadel is an advanced information-stealing malware which targets financial information. This malware poses a real threat against the confidentiality and integrity of personal and business data. A joint operation was recently conducted by the FBI and the Microsoft Digital Crimes Unit in order to take down Citadel command-and-control servers. The operation caused some disruption in the botnet but has not stopped it completely. Due to the complex structure and advanced anti-reverse engineering techniques, the Citadel malware analysis process is both challenging and time-consuming. This allows cyber criminals to carry on with their attacks while the analysis is still in progress. In this paper, we present the results of the Citadel reverse engineering and provide additional insight into the functionality, inner workings, and open source components of the malware. In order to accelerate the reverse engineering process, we propose a clone-based analysis methodology. Citadel is an offspring of a previously analyzed malware called Zeus; thus, using the former as a reference, we can measure and quantify the similarities and differences of the new variant. Two types of code analysis techniques are provided in the methodology, namely assembly to source code matching and binary clone detection. The methodology can help reduce the number of functions requiring manual analysis. The analysis results prove that the approach is promising in Citadel malware analysis. Furthermore, the same approach is applicable to similar malware analysis scenarios.Comment: 10 pages, 17 figures. This is an updated / edited version of a paper appeared in FPS 201

Ingeniería de software: estrategias de desarrollo, mantenimiento y migración de sistemas en la nube

Los avances de las tecnologías de la información y de la comunicación requieren que las organizaciones se adapten al contexto. Esta tarea implica la construcción de nuevos sistemas y el ajuste de otros preexistentes para que los procesos se lleven a cabo de manera eficiente y confiable. La primer tarea se debe llevar a cabo siguiendo pasos bien definidos con el propósito de desarrollar software de calidad y seguro. La segunda implica la utilización de métodos y técnicas de mantenimiento y migración sofisticadas que permitan transformar un sistema que utiliza tecnología antigua en otro que usa tecnología de punta y que a su vez mantenga / mejore los requisitos de calidad y seguridad. Dicha tarea es extremadamente complicada porque no solo necesita de un conocimiento acabado de estrategias de mantenimiento, de conceptos de calidad y de seguridad sino que también exige entrelazar creativamente los saberes para elaborar estrategias eficientes y robustas de forma tal que las organizaciones puedan utilizar sus sistemas lo antes posible. En este artículo se describe un proyecto de investigación de reciente creación cuyo principal objetivo es el desarrollo de estrategias de mantenimiento y migración de sistemas de software que transformen sistemas que usan tecnología obsoleta en otros que empelan tecnología de punta y hacen uso de la nube preservando / mejorando las características de calidad y seguridad.Eje: Ingeniería de Software.Red de Universidades con Carreras en Informátic

Uso de ingeniería inversa para hacer frente al malware

Este artículo es producto del proyecto de investigación “Cyber Security Architecture for Incident Management” desarrollado en la Escuela Colombiana de Ingeniería Julio Garavito en el año 2018.Introducción: La ingeniería inversa permite deconstruir y extraer conocimiento de objetos. El uso de la inge-niería inversa en el análisis de malware es extremadamente útil para comprender las funcionalidades y los propósitos de una muestra sospechosa.Métodos: Este artículo utiliza Radare, la cual es una de las herramientas de código abierto más populares para ingeniería inversa con el objetivo de hacer frente a las amenazas de malware.Resultados: Se presenta un caso de uso relacionado al análisis de malware anti-sandbox, de forma que sea posible analizar el comportamiento de la muestra utilizando una sandbox. Además, se presenta otro caso de uso en el que se desarrolla un análisis en profundidad de una aplicación maliciosa de Android dirigida a la audiencia de un evento popular (Copa Mundial de la FIFA 2018), que permite demostrar la relevancia de las técnicas de ingeniería inversa en las estrategias de protección al usuario final.Conclusiones: Este artículo muestra cómo los resultados de un proceso de ingeniería inversa se pueden inte-grar con reglas Yara, lo que permite detectar malware, y también muestra una alternativa para generar auto-máticamente reglas Yara a través del generador yarGen.Originalidad: El uso de soluciones de ingeniería inversa de código abierto por parte de las agencias de seguri-dad del estado no ha sido discutido anteriormente, lo que hace de este artículo un elemento notable de apoyo hacia la modernización de las fuerzas militares.Limitación: Se comparten diferentes enfoques y perspectivas sobre las limitaciones en el uso de ingeniería inversa por parte de las agencias de seguridad del estado.This paper is a product of the research Project “Cyber Security Architecture for Incident Management” develo-ped in the Colombian School of Engineering Julio Garavito in the year 2018.Introduction: Reverse engineering involves deconstructing and extracting knowledge about objects. The use of reverse engineering in malware analysis is extremely useful in understanding the functionalities and purposes of a suspicious sample.Methods: This paper makes use of Radare which is one of the most popular open source tools for reverse engineering, with the aim of dealing with malware. Results: A use case related to hacking of anti-sandbox malware is presented, in such a way that it is possible to analyze the behavior of the sample using a sandbox. Additionally, another use case is presented, where an in-depth analysis of a malicious Android application aimed to the audience of a popular event (FIFA World Cup 2018) is developed, making it possible to demonstrate the relevance of reverse engineering techniques in end-user protection strategies. Conclusions: This paper shows how the results of a reverse engineering process can be integrated with Yara rules, allowing for the detection of malware on the fly, and it also shows an alternative to automatically gene-rating Yara rules through the yarGen generator. Originality: Use of Open Source reversing solutions by Colombian Law Enforcement Agencies has not been discussed previously, making this paper a notable element toward the modernization of the military forces.Limitation: Different approaches and perspectives about the limitations in the use of reverse engineering by Law Enforcement Agencies are also shared.Este artigo é produto do projeto de pesquisa “Cyber Security Architecture for Incident Management” desenvol-vido na Escuela Colombiana de Ingeniería Julio Garavito em 2018.Introdução: a engenharia reversa permite desconstruir e extrair conhecimento de objetos. O uso da engenharia reversa na análise de malware é extremamente útil para compreender as funcionalidades e os propósitos de uma amostra suspeita.Métodos: para isso, utiliza-se Radare, que é uma das ferramentas de código aberto mais populares para en-genharia reversa com o objetivo de enfrentar as ameaças de malware.Resultados: apresenta-se um caso de uso relacionado à análise de malware anti-sandbox, de forma que seja possível analisar o comportamento da amostra utilizando uma sandbox. Além disso, apresenta-se outro caso de uso em que se desenvolve uma análise em profundidade de uma aplicação maliciosa de Android dirigida à audiência de um evento popular (Copa do Mundo da FIFA 2018), que permite demonstrar a relevância das técnicas de engenharia reversa nas estratégias de proteção do usuário final.Conclusões: este artigo mostra como os resultados de um processo de engenharia reversa podem ser integra-dos com regras Yara, o que permite detectar malware, e também mostra uma alternativa para gerar automati-camente regras Yara por meio do gerador yarGen.Originalidade: o uso de soluções de engenharia reversa de código aberto por parte das agências de segurança do Estado não tem sido discutido anteriormente, o que torna este estudo um elemento notável de apoio à modernização das forças militares.Limitação: compartilham-se diferentes abordagens e perspectivas sobre as limitações no uso de engenharia reversa por parte das agências de segurança do Estad

APPROXIMATE DISASSEMBLY

For the past two decades, computer viruses have been a constant security threat. A computer virus is a type of malware that may damage computer systems by destroying data, crashing the system, or through other malicious activity. Among the different types of viruses, metamorphic viruses are one of the most difficult to detect since such viruses change their internal structures with each mutation, making signature-based detection infeasible. Many construction kits are available that can be used to easily generate metamorphic strains of any given virus. Previous work has shown that metamorphic viruses are detectable using Hidden Markov Models (HMM). In such an HMM-based approach, instruction opcodes are observed and a model is trained to detect a given virus family. These instruction opcodes are obtained by disassembling the binary executable file. However, the disassembling process is time-consuming, making the process impractical. In this project, we develop and demonstrate a technique to derive an approximate opcode sequence directly from the executable file, which, in general, reduces the time required as compared to a standard disassembly process

Structural Entropy and Metamorphic Malware

Metamorphic malware is capable of changing its internal structure without al- tering its functionality. A common signature is nonexistent in highly metamorphic malware. Consequently, such malware may remain undetected even under emulation and signature scanning combined. In this project, we use the concept of structural entropy to analyze variations in the complexity of data within a file. The process consists of two stages, namely, file segmentation and sequence comparison. In the file segmentation stage, we use entropy measurements and wavelet analysis to segment a file. The second stage measures the similarity of files by computing the edit distance between sequence segments. We apply this technique to the metamorphic detection problem and show that we can obtain strong results in certain challenging cases

Shellzer: a tool for the dynamic analysis of malicious shellcode

Abstract. Shellcode is malicious binary code whose execution is triggered after the exploitation of a vulnerability. The automated analysis of malicious shellcode is a challenging task, since encryption and evasion techniques are often used. This paper introduces Shellzer, a novel dynamic shellcode analyzer that generates a complete list of the API functions called by the shellcode, and, in addition, returns the binaries retrieved at run-time by the shellcode. The tool is able to modify on-thefly the arguments and the return values of certain API functions in order to simulate specific execution contexts and the availability of the external resources needed by the shellcode. This tool has been tested with over 24,000 real-world samples, extracted from both web-based driveby-download attacks and malicious PDF documents. The results of the analysis show that Shellzer is able to successfully analyze 98 % of the shellcode samples

Optimization of code caves in malware binaries to evade machine learning detectors

Machine Learning (ML) techniques, especially Artificial Neural Networks, have been widely adopted as a tool for malware detection due to their high accuracy when classifying programs as benign or malicious. However, these techniques are vulnerable to Adversarial Examples (AEs), i.e., carefully crafted samples designed by an attacker to be misclassified by the target model. In this work, we propose a general method to produce AEs from existing malware, which is useful to increase the robustness of ML-based models. Our method dynamically introduces unused blocks (caves) in malware binaries, preserving their original functionality. Then, by using optimization techniques based on Genetic Algorithms, we determine the most adequate content to place in such code caves to achieve misclassification. We evaluate our model in a black-box setting with a well-known state-of-the-art architecture (MalConv), resulting in a successful evasion rate of 97.99 % from the 2k tested malware samples. Additionally, we successfully test the transferability of our proposal to commercial AV engines available at VirusTotal, showing a reduction in the detection rate for the crafted AEs. Finally, the obtained AEs are used to retrain the ML-based malware detector previously evaluated, showing an improve on its robustness.This research was supported by the Ministerio de Ciencia, Innovación y Universidades (Grant Refs. PGC2018-095322-B-C22 and PID2019-111429RB-C21), by the Region of Madrid grant CYNAMON- CM (P2018/TCS-4566), co-financed by European Structural Funds ESF and FEDER, and the Excellence Program EPUC3M17

An enhanced performance model for metamorphic computer virus classification and detectioN

Metamorphic computer virus employs various code mutation techniques to change its code to become new generations. These generations have similar behavior and functionality and yet, they could not be detected by most commercial antivirus because their solutions depend on a signature database and make use of string signature-based detection methods. However, the antivirus detection engine can be avoided by metamorphism techniques. The purpose of this study is to develop a performance model based on computer virus classification and detection. The model would also be able to examine portable executable files that would classify and detect metamorphic computer viruses. A Hidden Markov Model implemented on portable executable files was employed to classify and detect the metamorphic viruses. This proposed model that produce common virus statistical patterns was evaluated by comparing the results with previous related works and famous commercial antiviruses. This was done by investigating the metamorphic computer viruses and their features, and the existing classifications and detection methods. Specifically, this model was applied on binary format of portable executable files and it was able to classify if the files belonged to a virus family. Besides that, the performance of the model, practically implemented and tested, was also evaluated based on detection rate and overall accuracy. The findings indicated that the proposed model is able to classify and detect the metamorphic virus variants in portable executable file format with a high average of 99.7% detection rate. The implementation of the model is proven useful and applicable for antivirus programs

Assembly to Open Source Code Matching for Reverse Engineering and Malware Analysis

The process of software reverse engineering and malware analysis often comprise a combination of static and dynamic analyses. The successful outcome of each step is tightly coupled with the functionalities of the tools and skills of the reverse engineer. Even though automated tools are available for dynamic analysis, the static analysis process is a fastidious and time-consuming task as it requires manual work and strong expertise in assembly coding. In order to enhance and accelerate the reverse engineering process, we introduce a new dimension known as clone-based analysis. Recently, binary clone matching has been studied with a focus on detecting assembly (binary) clones. An alternative approach in clone analysis, which is studied in the present research, is concerned with assembly to source code matching. There are two major advantages in considering this extra dimension. The first advantage is to avoid dealing with low-level assembly code in situations where the corresponding high-level code is available. The other advantage is to prevent reverse engineering parts of the software that have been analyzed before. The clone-based analysis can be helpful in significantly reducing the required time and improving the accuracy of static analysis. In this research, we elaborate a framework for assembly to open-source code matching. Two types of analyses are provided by the framework, namely online and offline. The online analysis process triggers queries to online source code repositories based on extracted features from the functions at the assembly level. The result is the matched set of references to the open-source project files with similar features. Moreover, the offline analysis assigns functionality tags and provides in-depth information regarding the potential functionality of a portion of the assembly file. It reports on function stack frames, prototypes, arguments, variables, return values and low-level system calls. Besides, the offline analysis is based on a built-in dictionary of common user-level and kernel-level API functions that are used by malware to interact with the operating system. These functions are called for performing tasks such as file I/O, network communications, registry modification, and service manipulation. The offline analysis process has been expanded through an incremental learning mechanism which results in an improved detection of crypto-related functions in the disassembly. The other developed extension is a customized local code repository which performs automated source code parsing, feature extraction, and dataset generation for code matching. We apply the framework in several reverse engineering and malware analysis scenarios. Also, we show that the underlying tools and techniques are effective in providing additional insights into the functionality, inner workings, and components of the target binaries