Visual Analysis of Malware Behavior - VizSec · 2020-06-03
Visual Analysis of Malware Behavior
October 11th, 2009
About Us
• University of Mannheim, Germany
• Laboratory for Dependable Distributed Systems
• Security research:
  • Analysis of malware and spam
  • Honeypots / IT-Forensics
Motivation
• Sandbox Service - CWSandbox.org
• Dynamic malware analysis
• API hooking
• Monitors 121 API calls, grouped into 20 sections
• Detailed behavior report (XML)
• Up to 4000 new samples per day
• Manual processing not possible
Motivation
• What are the main operations?
  • Network activities?
  • Registry access?
  • Filesystem operations?
  • ...
• Which operations do not occur?
• Which samples are of interest?
Visualization
• CWSandbox report is "too" detailed
• Use visualization for abstraction
  • Simple to create
  • Comprehensible
• Treemaps and Threadgraphs
  • Static version (Python, matplotlib)
  • Dynamic version using JavaScript (flot, Jit)
Treemaps
• Quick overview
• Displays the distribution of all operations
• No information about the sequence of operations
• Use case: malware clustering
Threadgraph
• Detailed view of the monitored behavior
• Every monitored operation of all executed threads
• Sequential order preserved
• Truncated reports only (static version)
• Zoom necessary (JavaScript version)
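As an added example (not CWSandbox code and not the authors' plotting scripts), the Python below derives the input data for both views from a constructed XML report in a CWSandbox-like shape: the per-section operation counts and slice-and-dice rectangles a treemap draws, the sections that never occur (the "which operations do not occur?" question), and the per-thread ordered call series a threadgraph plots. The report schema, the seq and thread attributes and the section names are assumptions.

```python
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict
# Constructed sample shaped like a CWSandbox XML behavior report (assumed, not
# the real schema): one element per section, one child per hooked API call
# with a global 'seq' number and the calling 'thread' id.
SAMPLE_REPORT = """<analysis><process pid="1234">
  <filesystem_section>
    <open_file seq="1" thread="1" path="C:\\Windows\\system32\\kernel32.dll"/>
    <create_file seq="3" thread="1" path="C:\\tmp\\a.exe"/>
    <create_file seq="6" thread="2" path="C:\\tmp\\b.dll"/>
  </filesystem_section>
  <registry_section>
    <set_value seq="4" thread="1" key="HKCU\\Software\\Test\\Run"/>
  </registry_section>
  <network_section>
    <connect seq="2" thread="2" host="192.0.2.10" port="80"/>
    <send seq="5" thread="2" size="512"/>
  </network_section>
</process></analysis>"""

def load_operations(xml_text):
    """Flatten the report into (seq, pid, thread, section, api) tuples in
    call order: the report groups calls by section, not by time."""
    ops = []
    for proc in ET.fromstring(xml_text).iter("process"):
        for section in proc:
            for call in section:
                ops.append((int(call.get("seq")), proc.get("pid"),
                            call.get("thread"),
                            section.tag.replace("_section", ""), call.tag))
    return sorted(ops)

def treemap_layout(ops, known_sections, width=100.0, height=100.0):
    """Treemap input: per-section counts, a slice-and-dice layout (one strip
    per section, width proportional to its share) and the absent sections."""
    counts = Counter(sec for _, _, _, sec, _ in ops)
    total, x, rects = sum(counts.values()), 0.0, {}
    for sec, n in counts.most_common():
        w = width * n / total
        rects[sec] = (round(x, 3), 0.0, round(w, 3), height)
        x += w
    return counts, rects, sorted(set(known_sections) - set(counts))

def threadgraph_series(ops):
    """Per (pid, thread): ordered (seq, section) points, so call order is kept."""
    series = defaultdict(list)
    for seq, pid, tid, sec, _ in ops:
        series[(pid, tid)].append((seq, sec))
    return dict(series)
```

The treemap output deliberately discards the seq numbers, which is exactly the information the threadgraph series keeps.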
Analysis of malicious PDFs
• Monitor Adobe Acrobat Reader within CWSandbox
  • Autoupdate disabled
• Short experiment:
  • 200 benign PDFs
  • 17 malicious PDFs
• Two different Treemaps
  • Malicious operations are observable at once
Conclusion
• First attempt at visualization - feedback wanted
• Plots are accessible on CWSandbox.org
  • Static + JavaScript version
• Study on image clustering and classification
• Development of further visualization types
Questions?
http://pi1.informatik.uni-mannheim.de
http://cwsandbox.org