SES2017 - Malware Analysis
TRANSCRIPT
Page 1

Research Center for Cyber Intelligence and Information Security (CIS Sapienza)

Malware Analysis
Systems and Enterprise Security 2017-2018
Dr. Giuseppe Laurenza, Ph.D. Student, [email protected]
Page 2

Outline
• Introduction
• Lessons from the past
• Malware detection vs analysis
• Malware analysis techniques
• Static approaches
• Dynamic approaches
• Approaches based on download patterns
Page 3

What is a malware?
Software that is intentionally malicious
§ Causes damage to a software system
§ Breaks a software service
§ Steals electronic data
§ Gets access to private systems
§ …
Infection vectors
§ Email attachments (social engineering)
§ Pen drives
§ Websites (drive-by download)
§ …
Page 4

Some statistics
Total number of malware samples in the last 10 years (source: AV-TEST)
Page 5

Some statistics
“Cost of Cyber Crime Study: Global”, Ponemon, 2015
Page 6

Cost of data breaches in Italy in 2014 (from a study by Ponemon Institute LLC, sponsored by IBM)
Ponemon Institute© Research Report, “2015 Cost of Data Breach Study: Italy”
• 22 organizations from 12 different sectors involved
• Total cost: 1.98 million € (+2.6% w.r.t. 2013)
• Average cost per compromised record: 105 € (+3.4%)
• Compromised records per data breach
  – Average: ~19K
  – Minimum: ~4.5K
  – Maximum: ~74K
Page 8

Lessons from the past («How Malware works and why», FireEye 2014)
• The number of new malware and the corresponding economic damage increase year by year
• Understanding how an attacker works is fundamental
  – What are her guidelines?
  – What are her priorities?
• A critical analysis of past attacks can shed some light…
Page 9

Lessons from the past
Matt Bishop, “Analysis of the ILOVEYOU Worm”, 2000
https://en.wikipedia.org/wiki/ILOVEYOU
• ILOVEYOU - 2000
  – Email having subject «ILOVEYOU»
  – User tempted to open the attached «love letter» (a .vbs file with a double extension, LOVE-LETTER-FOR-YOU.TXT.vbs, shown as a text file by a mail client that hides known extensions)
  – Actually it is a Visual Basic script which
    • Forwards the same email to all the victim’s contacts (on MS Outlook)
    • Downloads and installs a trojan to steal passwords
  – Effects
    • 50 million infections in 10 days
    • 5.5-8.7 billion US$ damages
    • Estimated removal costs: 15 billion US$
Page 10

Lessons from the past
• ILOVEYOU - 2000
Beyond technical details, the most interesting aspect is the way users were tempted to open the malicious attachment
Lesson #1: Bless the user
Page 11

Lessons from the past
https://www.sans.org/reading-room/whitepapers/malicious/nimda-worm-different-98
https://en.wikipedia.org/wiki/Nimda
• Nimda - 2001
  – It spreads through
    • Email: .exe attachment automatically executed when the email is opened, thanks to an Internet Explorer MIME-type handling flaw (MS01-020) (client -> client)
    • Shared folders: replication (client -> client)
    • Backdoors on IIS/PWS servers: it exploits those created by other worms (e.g., Code Red II, sadmind/IIS) as well as the IIS directory traversal vulnerability (MS00-078), and copies itself among the web contents served by the server (client -> server)
    • Compromised servers: malware downloaded via web (server -> client)
Page 12

Lessons from the past
http://www.computereconomics.com/article.cfm?id=133
• Nimda - 2001
  – It enables an attacker to take control of the infected machine
    • Creates an administrative share of disk C: (C$), enabling an administrator user to access it remotely
    • Enables the Guest account and adds it to the Administrators group
  – Economic effects: 635 million US$
Page 13

Lessons from the past
• Nimda - 2001
Proved the feasibility (and convenience) of attacking a server indirectly through its clients
Lesson #2: Don’t need to target the server
Page 14

Lessons from the past
Moore, Paxson, Savage, Shannon, Staniford, Weaver, “Inside the Slammer Worm”, IEEE Security & Privacy 1(4), 2003
https://en.wikipedia.org/wiki/SQL_Slammer
• SQL Slammer - 2003
  – It exploits a buffer-overflow vulnerability of MS SQL Server and MSDE (on desktop computers); the patch (MS02-039) had been available since July 2002
  – 376 bytes of code in memory: the whole worm fits in a single UDP packet, so no connection handshake is needed and propagation is limited only by bandwidth
    • No malicious payload beyond propagation
    • It generates random IP addresses and sends itself over UDP to port 1434
  – More than 75K machines infected in ten minutes
Page 15

Lessons from the past
http://www.securityfocus.com/news/2186
http://www.cnet.com/news/counting-the-cost-of-slammer/
• SQL Slammer - 2003
  – Generation of very high-rate traffic
    • Some routers become unresponsive
    • The others start communicating to update their routing tables
    • This generates further traffic, which makes additional routers crash
    • Rebooted routers generate even more traffic to update routing tables again…
  – Damages related to service interruption
    • Washington’s 911 service terminals
    • Bank of America’s ATMs
    • Continental Airlines’ online ticket selling service
London-based market intelligence firm Mi2g said that the worm caused between $950 million and $1.2 billion in lost productivity in its first five days worldwide
Page 16

Lessons from the past
• SQL Slammer - 2003
The possibility to exploit desktop machines allows attackers to amplify the effect
Lesson #3: There is always something available on the client
Page 17

Lessons from the past
https://en.wikipedia.org/wiki/Blaster_(computer_worm)
Bailey, Cooke, Jahanian, Watson, "The Blaster Worm: Then and Now", IEEE Security & Privacy, vol. 3, no. 4, 2005
• Blaster - 2003
  – July 16: Microsoft bulletin (MS03-026)
    • Vulnerability of the Windows RPC interface (DCOM RPC, reachable on TCP port 135) which enables executing arbitrary code
    • Corresponding patch released
  – July 26: exploit publicly available
  – August 11: Blaster begins spreading
  – August 15: 423K machines infected
  – August 16: SYN flood on port 80 towards windowsupdate.com
Page 18

Lessons from the past
http://cs.stanford.edu/people/eroberts/cs181/projects/2003-04/security/financial_costs.html
• Blaster - 2003
The worm spread even though the patch had already been available for almost a month
Lesson #4: Time to market is important
According to the Information Technology Systems and Services (ITSS) department at Stanford, the MSBlaster worm attacks in Summer 2003 cost an estimated $1.5 million measured in time spent disinfecting computers
Page 19

Lessons from the past
Laboratory of Cryptography and System Security (CrySyS Lab), Department of Telecommunications of Budapest University of Technology and Economics, «sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware for targeted attacks», technical report, 2012
• Flame - 2012
  – 20 MB, allows loading additional modules
  – Five distinct encryption methods
  – SQLite DB to keep structured information
  – More than 50 domains for C&C
  – Spreading through LAN and pen drives
  – Can record audio, keyboard activity, network traffic, Skype calls
  – Evidence that it was developed for espionage
Page 20

Lessons from the past
• Flame - 2012
Reuse of code from other malware, modular and extensible architecture, general-purpose functionalities
Lesson #5: ROI in malware development
Page 22

Malware detection
Process to decide whether a given sample is a malware
In the following we only consider Windows executables as samples
Page 23

Malware analysis
Study of a given sample to acquire knowledge about its possible malicious nature
Page 24

Detection vs Analysis
• Malware detection is a specific type of malware analysis
• In general, malware analysis outputs can be used for malware detection
• Malware analysis usually leverages some existing knowledge base
Page 25

Malware families and variants
V. Ghanaei, C. S. Iliopoulos, R. E. Overill, "A Statistical Approach for Discovering Critical Malicious Patterns in Malware Families", PATTERNS 2015
• A malware X is a variant of another malware Y if X can be obtained from Y by applying some mutations
  – Malware X and Y share considerable portions of critical code
  – Variants of the same malware belong to the same family
• Clustering malware in families is AV-dependent (different vendors assign different family names and boundaries to the same samples)
Page 26

Other types of malware analysis
• Variant detection: given a malware M,
  – Which malware are variants of M? (variant selection)
  – Which family does M belong to? (family selection)
• Category detection (trojan horse, worm, virus, …)
• Novelty and similarity detection
  – Recognize what is novel, to analyze it in more detail
  – Recognize what is already known, to avoid analyzing it again
Page 27

Other types of malware analysis
• Development detection
  M. Graziano, D. Canali, L. Bilge, A. Lanzi, D. Balzarotti, “Needles in a haystack: Mining information from public dynamic analysis sandboxes for malware intelligence”, USENIX Security 2015
  – Online tools used by malware developers to test new malware
  – The analysis of submissions to these tools can allow detecting «works in progress»
• Attribution
  – Who developed a given malware?
  – Who requested the development of a given malware?
• Triage: give malware a priority
Page 29

Static approaches
Moser, Kruegel, Kirda, "Limits of Static Analysis for Malware Detection", in Computer Security Applications Conference (ACSAC), 2007
• Don’t require malware execution, only its content is analyzed
• Signature-based techniques
  – Database of regular expressions specifying the sequences of bytes/instructions considered malicious
  – Not effective against polymorphic malware…
• Polymorphic malware
  – Malware appearance is changed by
    • Encryption (the body is encrypted with a per-sample key and a small decryptor stub is prepended)
    • Appending/pre-pending data
Page 30

Static approaches
• Limits of polymorphic malware
  – Decrypted code remains the same
  – Signature-based techniques on data in memory (after the decryptor stub has run)
    • Allow their detection
    • Not effective against metamorphic malware…
• Metamorphic malware
  – Recodes itself every time it re-propagates
    • Adds a variable number of NOPs
    • Permutation of used registers
    • Insertion of isolated code sections (never executed)
    • Shuffling of functions and data structures
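To make the polymorphic/metamorphic discussion concrete, here is an added Python example (not code from the slides or from the cited paper): a hypothetical byte signature written as a regular expression, a toy single-byte XOR "packer" standing in for a polymorphic engine, and a hand-made metamorphic variant. The instruction bytes are real x86 encodings, but the "malware" is a constructed three-instruction snippet, and `STUB_MAGIC` stands in for a real decryptor stub.

```python
import re

# Constructed "critical code" of a fictitious malware family (not real malware):
# x86 encodings of   mov eax, 0x1234 ; xor ecx, ecx ; ret
CRITICAL = b"\xb8\x34\x12\x00\x00" + b"\x31\xc9" + b"\xc3"

# Hypothetical AV-style byte signature: "mov eax, <any imm32>" immediately
# followed by "xor ecx, ecx" (31 C9).  DOTALL lets '.' match every byte value.
SIGNATURE = re.compile(rb"\xb8.{4}\x31\xc9", re.DOTALL)

STUB_MAGIC = b"STUB"   # marker standing in for a real decryptor stub


def signature_match(data: bytes) -> bool:
    """Content-only static check: does the byte signature occur in the sample?"""
    return SIGNATURE.search(data) is not None


def xor_crypt(data: bytes, key: int) -> bytes:
    """Single-byte XOR used by the toy polymorphic engine (encrypt == decrypt)."""
    return bytes(b ^ key for b in data)


def make_polymorphic(body: bytes, key: int) -> bytes:
    """Polymorphic variant: the body is encrypted with a per-sample key and a
    decryptor stub is prepended.  The stub is modelled as MAGIC + key byte."""
    return STUB_MAGIC + bytes([key]) + xor_crypt(body, key)


def unpack_in_memory(sample: bytes) -> bytes:
    """What the code looks like once the decryptor has run: an emulator or a
    memory dump recovers the plaintext body, so memory signatures apply again."""
    if not sample.startswith(STUB_MAGIC):
        return sample
    key = sample[len(STUB_MAGIC)]
    return xor_crypt(sample[len(STUB_MAGIC) + 1:], key)


# Metamorphic variant of CRITICAL with the same semantics but different bytes:
# a NOP (90) after each instruction and ecx replaced by edx (xor edx,edx = 31 D2).
METAMORPHIC = b"\xb8\x34\x12\x00\x00" + b"\x90" + b"\x31\xd2" + b"\x90" + b"\xc3"


def scan(sample: bytes) -> dict:
    """Run the signature on the file bytes and on the unpacked (in-memory) image."""
    return {
        "on_disk": signature_match(sample),
        "in_memory": signature_match(unpack_in_memory(sample)),
    }


if __name__ == "__main__":
    print("original   ", scan(CRITICAL))                          # both True
    print("polymorphic", scan(make_polymorphic(CRITICAL, 0x5A)))  # disk False, memory True
    print("metamorphic", scan(METAMORPHIC))                       # both False
```

The three results reproduce the slide's argument: the signature finds the plain sample, misses the encrypted one on disk but finds it again once the body is decrypted in memory, and misses the metamorphic variant in both cases because the bytes themselves changed while the behaviour did not.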
Page 31

Static approaches
Christodorescu, Jha, Seshia, Song, Bryant, "Semantics-aware malware detection", in IEEE Security and Privacy 2005
• Limits of metamorphic malware
  – Malware semantics remain the same
  – Semantics-aware malware detector
    • Checks whether a software is semantically similar to a known malware
    • Template: represents a malicious behavior
      – Decrypting in polymorphic malware
      – Search for email addresses
      – …
    • Matching of templates to code sections of the sample to analyze
      – Based on the effects in memory
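The template idea in a deliberately simplified form, as an added Python example (not the detector from the cited paper): a template for the XOR decryption loop written with register variables, a normalisation step that strips NOPs and labels and abstracts immediates and jump targets, and a unification-based subsequence match, so that register permutation, inserted NOPs and interleaved junk instructions (the metamorphic transformations of the previous slide) do not break the match. The template and the three listings are constructed; the real detector matches on def-use semantics and handles far more than this.

```python
import re

# Behaviour template for the decryption loop of polymorphic malware (constructed
# for this example).  R1, R2 are register variables, IMM any immediate, LBL any
# jump target; the match is on which register plays which role, not on names.
DECRYPT_LOOP = [
    "mov R1, IMM",       # load the key
    "xor [R2], R1",      # decrypt one unit in place
    "inc R2",            # advance the pointer
    "cmp R2, IMM",       # reached the end?
    "jne LBL",           # loop
]

IMM_RE = re.compile(r"\b0x[0-9a-fA-F]+\b|\b\d+\b")
VAR_RE = re.compile(r"R\d+")
JUNK = {"nop"}


def normalize(listing):
    """Strip NOPs and labels, abstract immediates to IMM and jump targets to LBL."""
    out = []
    for line in listing:
        line = line.strip()
        if line.endswith(":"):
            continue                      # label definition
        mnemonic, _, operands = line.partition(" ")
        if mnemonic in JUNK:
            continue
        if mnemonic.startswith("j"):
            operands = "LBL"
        else:
            operands = IMM_RE.sub("IMM", operands)
        out.append((mnemonic, operands))
    return out


def _tokens(operands):
    return [t for t in operands.replace(",", " ").split() if t]


def _unify(tpl_line, norm_line, bindings):
    """Match one template line against one normalised line, extending the
    register-variable bindings consistently; None if they do not match."""
    t_mn, t_ops = tpl_line.partition(" ")[::2]
    mnemonic, operands = norm_line
    if t_mn != mnemonic:
        return None
    t_toks, l_toks = _tokens(t_ops), _tokens(operands)
    if len(t_toks) != len(l_toks):
        return None
    b = dict(bindings)
    for t, l in zip(t_toks, l_toks):
        if t.startswith("[") != l.startswith("["):
            return None                   # memory operand vs register/immediate
        t, l = t.strip("[]"), l.strip("[]")
        if VAR_RE.fullmatch(t):
            if b.setdefault(t, l) != l:
                return None               # same variable bound to two registers
        elif t != l:
            return None
    return b


def match_template(listing, template=DECRYPT_LOOP):
    """Subsequence match (template instructions may be interleaved with junk)
    against the listing; returns the register bindings, or None."""
    bindings, ti = {}, 0
    for line in normalize(listing):
        if ti == len(template):
            break
        b = _unify(template[ti], line, bindings)
        if b is not None:
            bindings, ti = b, ti + 1
    return bindings if ti == len(template) else None


# Constructed listings: the original loop, a metamorphic rewrite (NOPs, a junk
# instruction, permuted registers, new label) and a benign loop of similar shape.
ORIGINAL = ["mov ecx, 0x41", "loop:", "xor [edi], ecx", "inc edi",
            "cmp edi, 0x2000", "jne loop"]
METAMORPHIC = ["mov ebx, 0x7f", "nop", "push eax", "again:", "nop",
               "xor [esi], ebx", "nop", "inc esi", "nop", "cmp esi, 0x1800",
               "jne again"]
BENIGN = ["mov eax, 0x10", "top:", "add [edi], eax", "inc edi",
          "cmp edi, 0x100", "jne top"]
```

`match_template(METAMORPHIC)` returns the bindings `{"R1": "ebx", "R2": "esi"}`, i.e. the same behaviour as `ORIGINAL` with the registers renamed, while the benign loop (an `add` instead of an `xor`) does not match. The limitation is visible in the code: the template is syntactic enough that splitting `inc R2` into `add R2, 1` or reordering independent instructions would need additional rules, which is exactly why the paper matches on memory effects rather than on mnemonics.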
Page 33

Dynamic approaches
M. Egele, T. Scholte, E. Kirda, C. Kruegel, "A survey on automated dynamic malware-analysis techniques and tools", ACM Comput. Surv. 2012
• Require malware execution to analyze its actual behavior
• Several approaches, complementary to each other
  – Monitoring of function calls
  – Analysis of parameters passed to functions
  – Tracing of information flows
  – Tracing of executed instructions
  – Monitoring of AutoStart Extensibility Points
Page 34

Dynamic approaches
• Monitoring of function calls
  – Allows obtaining a high-level view of the real behavior
  – Function calls intercepted through hooking
  – Malware executing in kernel mode can bypass (user-mode) hooks
  – Analysis of function call traces
    • Represented as a graph
      – Nodes are functions
      – Edges are function calls
    • Matching to known malware based on graph distance
      – e.g., edit distance
Page 35

Dynamic approaches
• Analysis of parameters passed to functions
  – Focus on the real values passed when a function is invoked
  – Tracing the values of parameters and returned results allows linking distinct function calls
  – Example
    • open() returns the descriptor of the file just opened
    • read() requires a file descriptor as parameter
    • If the descriptors are the same, the link is obvious
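An added Python example covering the two previous slides together (it is not code from the survey or from any sandbox): it parses a constructed sandbox-style API trace, links calls that share a handle (the `open()`/`read()` descriptor link, here with Windows `CreateFileW`/`ReadFile` and WinINet handles), and compares the sample's call sequence with constructed family profiles by edit distance. The trace format, the values and the profiles are all assumptions made for the example; sequence edit distance is used as a simple stand-in for the graph distance of the slide.

```python
import re

# Constructed sandbox-style API trace of one sample (hypothetical format and
# values): "Function(arg, ...) = return".  Hex return values are handles.
TRACE = r"""
CreateFileW("C:\Users\victim\secret.docx", GENERIC_READ) = 0x1a4
ReadFile(0x1a4, 4096) = 1
InternetOpenA("Mozilla/5.0") = 0xcc0001
InternetConnectA(0xcc0001, "198.51.100.7", 443) = 0xcc0002
HttpSendRequestA(0xcc0002, "POST /upload") = 1
CloseHandle(0x1a4) = 1
"""

CALL_RE = re.compile(r"^(?P<fn>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>\S+)$")
HANDLE_RE = re.compile(r"^0x[0-9a-fA-F]+$")


def parse_trace(text):
    """Turn trace lines into dicts {fn, args, ret}; non-call lines are skipped."""
    calls = []
    for line in text.strip().splitlines():
        m = CALL_RE.match(line.strip())
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            calls.append({"fn": m["fn"], "args": args, "ret": m["ret"]})
    return calls


def link_by_handles(calls):
    """Edges (producer, consumer) whenever a call receives as a parameter a
    handle that an earlier call returned: the open()/read() descriptor link."""
    producer, edges = {}, []
    for i, call in enumerate(calls):
        for arg in call["args"]:
            if arg in producer:
                edges.append((producer[arg], i))
        if HANDLE_RE.match(call["ret"]):
            producer[call["ret"]] = i
    return edges


def edit_distance(a, b):
    """Levenshtein distance between two call-name sequences."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (x != y)))
        prev = cur
    return prev[-1]


# Constructed behaviour profiles of known families (call sequences).
PROFILES = {
    "exfiltrator": ["CreateFileW", "ReadFile", "InternetOpenA",
                    "InternetConnectA", "HttpSendRequestA"],
    "dropper": ["URLDownloadToFileA", "CreateProcessA", "RegSetValueExA"],
}


def nearest_profile(calls, profiles=PROFILES):
    """Family whose profile is closest (by edit distance) to the sample's trace."""
    seq = [c["fn"] for c in calls]
    scores = {name: edit_distance(seq, prof) for name, prof in profiles.items()}
    best = min(scores, key=scores.get)
    return best, scores[best]


if __name__ == "__main__":
    calls = parse_trace(TRACE)
    for p, c in link_by_handles(calls):
        print(f"{calls[p]['fn']} -> {calls[c]['fn']} via {calls[p]['ret']}")
    print(nearest_profile(calls))
```

The handle links turn a flat list of calls into the chain "open the document, read it, open an HTTP session, send", which is the behaviour an analyst wants to see, and the profile comparison reports the sample as closest to the exfiltration profile at distance 1 (the trailing `CloseHandle`). On a real trace the same linking has to cope with reused handle values, so the producer map should be invalidated when `CloseHandle` is seen.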
Page 36

Dynamic approaches
• Tracing of information flows
  – Goal: understanding how data of interest propagate as software computes on them
  – Data to be monitored are marked with labels
    • These labels propagate together with the marked data and enable tracing
    • Trivial example
      » X: datum of interest marked with label L1
      » Instruction: Y = X
      » L1 is propagated to Y
Page 37

Dynamic approaches
• Tracing of information flows
  – Aspects to take into account
    • Direct dependencies between data
      » A = A + X
      » If both A and X are labeled, how to propagate the label? (the usual policy is that A gets the union of both label sets)
    • Address dependencies
      » Read/write addresses derived from labeled data
      » A = X[10] where X is labeled
      » B = C[Y] where Y is labeled: whether B inherits Y's label is a policy choice, and ignoring it misses table-lookup encodings of the tainted value
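The propagation rules of these two slides, as an added Python example (not code from the survey): a tiny interpreter that carries a label set next to every value and applies the union rule for direct dependencies and a switchable policy for address dependencies. Variables, arrays and labels are constructed for the example; real taint trackers work at the instruction or byte level, but the rules are the same.

```python
class TaintVM:
    """Minimal interpreter that propagates taint labels alongside values.
    Every variable and every array element carries a set of labels."""

    def __init__(self, address_deps=True):
        self.val, self.lab = {}, {}            # scalar variables
        self.arr_val, self.arr_lab = {}, {}    # arrays (memory)
        self.address_deps = address_deps       # policy for B = C[Y], Y labeled

    def set_var(self, name, value, labels=()):
        self.val[name], self.lab[name] = value, set(labels)

    def set_array(self, name, values, labels=()):
        self.arr_val[name] = list(values)
        self.arr_lab[name] = [set(labels) for _ in self.arr_val[name]]

    def assign(self, dst, src):
        """Y = X: the label set of X is copied to Y."""
        self.val[dst], self.lab[dst] = self.val[src], set(self.lab[src])

    def add(self, dst, a, b):
        """A = A + X (direct dependency): the result carries the union of
        both operands' labels, so nothing that influenced it is lost."""
        self.val[dst] = self.val[a] + self.val[b]
        self.lab[dst] = self.lab[a] | self.lab[b]

    def load(self, dst, arr, idx):
        """A = X[10] or B = C[Y]: the loaded value inherits the element's
        labels; with address_deps on, also the labels of a tainted index."""
        i = self.val[idx] if isinstance(idx, str) else idx
        labels = set(self.arr_lab[arr][i])
        if self.address_deps and isinstance(idx, str):
            labels |= self.lab[idx]
        self.val[dst], self.lab[dst] = self.arr_val[arr][i], labels

    def store(self, arr, idx, src):
        """C[Y] = X: write-side counterpart; the element gets X's labels and,
        with address_deps on, the index's labels too."""
        i = self.val[idx] if isinstance(idx, str) else idx
        labels = set(self.lab[src])
        if self.address_deps and isinstance(idx, str):
            labels |= self.lab[idx]
        self.arr_val[arr][i], self.arr_lab[arr][i] = self.val[src], labels


def run_example(address_deps=True):
    """Replays the slides' statements; returns the final label set of each
    variable (constructed values, label L1 = the datum of interest)."""
    vm = TaintVM(address_deps)
    vm.set_var("X", 7, {"L1"})                          # X: datum of interest
    vm.set_var("A", 3, {"L2"})                          # A: labeled by another source
    vm.set_array("Xbuf", range(16), {"L1"})             # buffer filled from X's source
    vm.set_array("C", [ord(ch) for ch in "abcdefgh"])   # untainted lookup table
    vm.assign("Y", "X")            # Y = X        -> {L1}
    vm.add("A", "A", "X")          # A = A + X    -> {L1, L2}
    vm.load("D", "Xbuf", 10)       # D = Xbuf[10] -> {L1}
    vm.load("B", "C", "Y")         # B = C[Y]     -> {L1} only via the address dependency
    return {n: vm.lab[n] for n in ("Y", "A", "D", "B")}


if __name__ == "__main__":
    print("with address deps   ", run_example(True))
    print("without address deps", run_example(False))
```

With `address_deps=False` the value `B` looked up through the tainted index comes out unlabeled, which is how a tracker loses sight of data that is run through a translation table; with the policy on, `B` keeps `L1`. The price of the stricter policy is over-tainting, since every table lookup driven by tainted input now spreads the label.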
Page 38

Dynamic approaches
• Tracing of executed instructions
  – Sequence of assembly instructions
  – Can include additional useful information
    • Example: report on system calls and function calls
• Monitoring of AutoStart Extensibility Points
  – ASEP: mechanisms allowing applications to be executed at startup or when another specific application starts (e.g., Run registry keys, services, scheduled tasks, browser helper objects)
  – Often used by malware to become persistent
  – Can provide information useful for detection purposes
Page 40

Approaches based on download patterns
Vadrevu, Rahbarinia, Perdisci, Li, Antonakakis, "Measuring and Detecting Malware Downloads in Live Network Traffic", ESORICS 2013
• Malware are delivered within campaigns
  – Users forced/lured to click malevolent links or open malicious attachments
  – Attackers use a smart delivery infrastructure
    • Domains and IP addresses are changed frequently
    • Can avoid detection mechanisms based on blacklists
      – e.g., Google Safe Browsing
• Is it possible to characterize the way malware are downloaded so as to identify distinguishing patterns?
Page 41

Approaches based on download patterns
• AMICO: Accurate Malware Identification via Classification of live network traffic Observations
  – Traffic monitoring to extract information on downloaded files
  – Machine learning techniques to classify files as malicious or benign
Page 42

Approaches based on download patterns
• Types of features used
  – Info on past downloads (how many times it has been downloaded, …)
  – Info on domains (how many malware downloaded from that domain, …)
  – Info on server IP (how many malware downloaded from that IP, …)
  – Info on URL structure (how many malware downloaded from similar URLs, …)
  – Info on the download (file extension, presence of referer, …)
Page 43

Approaches based on download patterns
• Classification: given a sample just downloaded, decide whether it is a malware by analyzing its provenance
  – Compute a boolean function f({feature values})
  – Machine learning to learn to compute such a function, having at disposal a training set
    • Set of elements [{feature values}, f({feature values})]
    • A ground truth is required to create the training set
      – AMICO uses VirusTotal (https://www.virustotal.com/)
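An added Python example (not AMICO's code) that carries the feature and classification slides through on data: a running history of downloads computes, for each new download, the provenance features listed above (past downloads of the same file, malware share of the domain, of the server IP and of similar URL structures, executable extension, presence of a referer), and a labelled replay of the history trains a classifier that scores the next download from provenance alone, without touching the file. The download records, their labels (which AMICO takes from VirusTotal) and the use of k-nearest-neighbours in place of the paper's own classifier are all assumptions of this example.

```python
import math
import re
from collections import defaultdict
from urllib.parse import urlsplit

EXEC_EXT = (".exe", ".dll", ".scr", ".msi")


def ev(url, server_ip, sha1, referer):
    """One download observed on the wire (constructed record)."""
    return {"url": url, "server_ip": server_ip, "sha1": sha1, "referer": referer}


def url_structure(url):
    """Path+query with digit runs collapsed, so that /get.php?id=9172 and
    /get.php?id=5530 share one structure (the 'similar URLs' feature)."""
    p = urlsplit(url)
    return re.sub(r"\d+", "#", p.path + ("?" + p.query if p.query else ""))


class DownloadHistory:
    """Running statistics over past downloads; features are computed only from
    what was observed before the download being scored."""

    def __init__(self):
        self.hash_count = defaultdict(int)
        # per key: [malicious downloads, total downloads]
        self.stats = {k: defaultdict(lambda: [0, 0]) for k in ("domain", "ip", "struct")}

    @staticmethod
    def _keys(e):
        return {"domain": urlsplit(e["url"]).hostname,
                "ip": e["server_ip"], "struct": url_structure(e["url"])}

    @staticmethod
    def _ratio(c):
        return c[0] / c[1] if c[1] else 0.0

    def features(self, e):
        k = self._keys(e)
        return [
            math.log1p(self.hash_count[e["sha1"]]),          # past downloads of this file
            self._ratio(self.stats["domain"][k["domain"]]),  # malware share of the domain
            self._ratio(self.stats["ip"][k["ip"]]),          # malware share of the server IP
            self._ratio(self.stats["struct"][k["struct"]]),  # malware share of similar URLs
            1.0 if urlsplit(e["url"]).path.lower().endswith(EXEC_EXT) else 0.0,
            1.0 if e["referer"] else 0.0,
        ]

    def update(self, e, label):
        self.hash_count[e["sha1"]] += 1
        for name, key in self._keys(e).items():
            c = self.stats[name][key]
            c[0] += label
            c[1] += 1


def knn_predict(train, x, k=3):
    """Majority vote among the k nearest labelled feature vectors."""
    nearest = sorted(train, key=lambda fx_y: math.dist(x, fx_y[0]))[:k]
    return 1 if sum(y for _, y in nearest) * 2 > k else 0


# Constructed history with ground-truth labels (1 = malicious), in arrival order.
HISTORY = [
    (ev("http://updates.example.com/setup/7.2/installer.exe", "203.0.113.10", "h1", "http://example.com/"), 0),
    (ev("http://updates.example.com/setup/7.2/installer.exe", "203.0.113.10", "h1", "http://example.com/"), 0),
    (ev("http://updates.example.com/setup/7.3/installer.exe", "203.0.113.10", "h2", "http://example.com/"), 0),
    (ev("http://a1b2c3.bad.example.net/get.php?id=9172", "198.51.100.7", "h3", ""), 1),
    (ev("http://a1b2c3.bad.example.net/get.php?id=5530", "198.51.100.7", "h4", ""), 1),
    (ev("http://zz9.bad.example.net/get.php?id=1004", "198.51.100.8", "h5", ""), 1),
    (ev("http://oss.example.org/tools/tool.exe", "192.0.2.20", "h6", "http://oss.example.org/"), 0),
]


def build(history=HISTORY):
    """Replay the labelled history: score each download with the state *before*
    it, then add it.  Early rows have near-empty features: the bootstrap cost."""
    hist, train = DownloadHistory(), []
    for e, label in history:
        train.append((hist.features(e), label))
        hist.update(e, label)
    return hist, train


def classify(e, hist, train):
    return knn_predict(train, hist.features(e))
```

A download of a never-seen file from a never-seen hostname, but from a server IP and with a URL structure already associated with malware, is classified malicious purely on provenance, while a new version of the installer from the known update site is classified benign. The first rows of `train` show the limitation of the last slide: with an empty history every ratio is zero, so the features only become informative after enough traffic has been observed.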
Page 44

Approaches based on download patterns
• Experimental results very promising
  – 90% true positives
  – 0.1% false positives
  – Zero-day malware detected!!!
• Very fast classification
  – It is not required to analyze sample content or behavior
• Limitation
  – Feature computation requires collecting statistics over 2-3 months of downloads
    Ø Bootstrap of 2-3 months required!!!