• Tidak ada hasil yang ditemukan

A Survey on Automated Dynamic Malware-Analysis Techniques and Tools

N/A
N/A
Info
Unduh - Bebas
Protected

Academic year: 2023

Membagikan "A Survey on Automated Dynamic Malware-Analysis Techniques and Tools"

Copied!
42
0
0

Memuat.... (Lihat teks lengkap sekarang)

Unduh sekarang ( 42 Halaman )

Teks penuh

The collection of machines under the control of the botmaster is called a botnet. This section provides a brief overview of the different classes of malware programs observed in the wild. This section provides an overview of the infection vectors commonly used by malicious software to infect a victim's system.

Such cases do not necessarily make use of the system call interface and may bypass this analysis method. Windows Native API. The Windows Native API [Nebbett 2000] sits between the system call interface and the Windows API. Assignment statements, for example, usually propagate the taint label of the source operand to the target.

Instruction Trace

To trace the flow of information at a binary level, instrumentation is usually done in an environment where there is complete control over the process under analysis. The value and applicability of information flow tracing for malware analysis is discussed by Cavallaro et al. If information flow techniques become widespread in analysis tools, it can be expected that malware authors will come up with mechanisms that attempt to bypass such systems.

The feasibility of systems that perform address or pointer tainting is evaluated in Slowinska and Bos [2009].

Autostart Extensibility Points

Researchers have so far demonstrated systems that perform data, address, and control flow tracing [Kim et al. Some of the tools presented in Section 5 suggest that address staining is viable in an environment that uses this type of information to limit odor propagation to the parts of the system considered relevant to the analysis.

IMPLEMENTATION STRATEGIES

  • Analysis in User/Kernel Space
  • Analysis in an Emulator
  • Analysis in a Virtual Machine
  • Resetting of the Analysis Environment
  • Network Simulation
  • The Malware Analysis Arms Race and Its Consequences

However, the desired information consists of higher-level abstract concepts of the guest operating system (eg, system calls, file handles, etc.). A common requirement for analysis systems that operate through full system emulation is that the analysis be limited to a single process (i.e., the sample under analysis), and therefore not analyze other system components. API monitoring in such a system can be accomplished by comparing the value of the instruction pointer to the entry points of the known function in the dynamic libraries that provide the APIs.

To mitigate the impact of the semantic gap, there are hybrid approaches that perform the analysis in the emulator and gather higher-level information (e.g. the list of loaded modules, etc.) using an additional component running in the guest system [ Bayer et al. As with an emulator, the VMM only has access to the state of the virtual machine. Once the VMM learns the CR3 value of the analyzed process, it sets the trap flag in the CPU's EFLAGS register.

Software solution. The software's direct approach consists of taking an image of the hard drive containing the base image with the analysis environment. Denying the entire network access to the sample under analysis will most likely result in incomplete observations of malware behavior. This rebuild happens only in memory which prevents any unpacked version of the binary from leaking to disk.

Then, it is known when an unmodified version of the original binary is present in the process's address space. Depending on which parts of the system are modified to perform the monitoring, different techniques can be applied to hide the presence of the analysis tool. The page fault handler can be configured to report an unchanged version of the memory page in such cases.

Thus, by repeatedly setting the flag in the corresponding interrupt handler, an instruction trace of the monitored process can easily be produced.

MALWARE ANALYSIS TOOLS

  • Anubis
  • Multiple-Path Exploration
  • CWSandbox
  • Norman Sandbox
  • Joebox
  • Ether: Malware Analysis via Hardware Virtualization Extensions
  • WiLDCAT
  • Hookfinder
  • Dealing with Packed Binaries
  • Spyware Analysis

Automatic dynamic malware analysis tools generate their reports based on a single execution trace of the sample under analysis. To easily access the hook functions, they are compiled into a DLL that is injected into the sample address space at startup. It is thus straightforward to increase the throughput of the entire system by adding more analyzing clients to the system.

Instruction execution monitoring is implemented by setting the trap flag of the CPU when executing code in the guest system. With this information, a human analyst has a very detailed representation of the actions performed by the analyzed system. Queries from the guest system to get or set the trap flag are always evaluated on the shadow return of the flag.

Once the system call is registered, Ether has full access to the memory of the guest operating system, allowing analysis of the parameters. This trace includes all instructions involving tainted data and enables reconstruction of the method used to implant the hook into the system. Justin is based on the idea that after the unpacking routine completes, a copy of the original malware is present in the process's memory.

As mentioned in section 4.2, such systems only have access to the hardware state of the emulated system. To determine whether a function has been called by the BHO, the system maintains the call stack for all function calls. The system uses a modified version of the Qemu full-system emulator to execute the infection.

A taint graph is a representation of the processes and modules that operate on the corrupted data.

MALWARE CLUSTERING—BEYOND PLAIN ANALYSIS

Malware Clustering Based on Anubis

To bridge the semantic gap between the high-level OS view and the hardware state accessible by the emulator, the following techniques are applied. Similar to Renovo (Section 5.9.2), this is accomplished by a kernel-mode component running in the emulated environment that monitors process creation and library loading and communicates this information outside the emulated guest operating system. The link between emulated disk sectors and the abstract notion of a file on the emulated system is accomplished by The Sleuth Kit [Carrier] forensic tool.

With this detailed information, Panorama constructs a color graph during an analysis for the analyzed sample. During the analysis, a set of test cases is executed that introduces sensitive data to the system, and Panorama monitors the behavior of the component being analyzed, as well as the rest of the system, with respect to this data. The authors introduce three policies that are evaluated on the color graph to determine whether the analyzed sample behaves maliciously.

If a malware sample, for example, creates a file whose filename depends on the current system date, this dependency is recognized by the system. Finally, the set of control flow decisions that depend on contaminated data are also recorded. Once the execution traces are created, augmented with the patch information, a behavioral profile is extracted for each trace.

Compared to the sequence of system calls stored in execution traces, this representation is semantically richer, allowing the system to better unify semantically equivalent behavior. During the generation of behavioral profiles, the information recorded by spreading the spots is used to describe whether the objects are dependent on each other, as just described.

Behavioral Classification of Malware

In addition, taint propagation provides the ability to detect characteristics such as reading the executable of a process and its transmission over the network, as commonly exhibited by worms. The profile consists of operating system objects (eg files, processes, etc.) and associated operations (eg read, write, create, etc.). For example, reading 256 bytes from a file at a time is semantically equivalent to reading one byte 256 times.

To demonstrate the scalability of their approach, the authors evaluated their tool on a set of 75,000 malware samples clustered within three hours.

Learning and Classification of Malware Behavior

The system may be confronted with samples that do not belong to any known families or exhibit behavior characteristic of several families. If the sample exhibits behavior from more than one family, or none at all, the sample is classified as unknown, indicating further manual inspection.

CORRELATING TECHNIQUES AND TOOLS

The remainder of this section elaborates on the semantics of the individual functions listed in the table. Analysis implementation. The most characteristic feature of the mentioned tools is at which privilege level the analysis is performed in comparison with the privilege level of the analyzed sample. However, each of these tools must bridge the already mentioned semantic gap between the hardware level of the analyzer and the guest operating system.

CWSandbox is designed to work with any operating system of the Win32 family (Windows 2000, XP and Vista). OS-agnostic approaches like Ether don't latch onto the Windows API because they don't have the necessary information about where—or, more precisely, at what memory addresses—API functions reside. WiLDCAT does not have built-in support for intercepting system calls, but setting a breakpoint at the beginning of the relevant functions allows the analyst to monitor their execution.

Function call parameters. Most of the survey instruments analyze the parameters passed to the monitored functions and correlate that information where appropriate. Anubis, on the other hand, uses these analysis results to perform behavioral clustering on malware samples. Lockout techniques. Systems running at the same privilege level as the analyzed malware apply different levels of cloaking techniques to hide themselves from the sample being analyzed.

WiLDCAT implements a variety of cloaking techniques to cover up the modifications it has made to the system. It stores a shadow copy of the trap flag in the EFLAGS registry, as well as hides its changes in the site's protection settings.

CONCLUSION

InProceedings of the 5th International Conference on Intrusion Detection and Malware and Vulnerability Assessment (DIMVA). InProceedings of the IEEE International Conference on Reliable Systems and Networks with FTCS and DCC (DSN'08). InProceedings of the 6th Joint Meeting of the European Software Engineering Conference and the ACM SIGSOFT International Symposium on Foundations of Software Engineering.

Proceedings of the Annual Joint Conference of the IEEE Computer and Communication Society (INFOCom).

Gambar

Table I. Comparison of General Malware Analysis Tools

Referensi

Unduh sekarang ( PDF - 42 Halaman - 359.88 KB )

Garis besar

CONCLUSION

Dokumen terkait

A THEME ANALYSIS OF PARATACTIC AND HYPOTACTIC CLAUSE COMPLEXES ON LUKE CHAPTER 17 OF THE ENGLISH STANDARD VERSION BIBLE IN THE ESV.org

By analyzing the content, the techniques for data collection are as follows: 1 Observing all versions of Luke 17 in the ESV.org that are very similar to the Indonesian language version