Top

International Journal of Information Security

Published in:

03-03-2021 | regular contribution

[m]allotROPism: a metamorphic engine for malicious software variation development

Authors: Christos Lyvas, Christoforos Ntantogian, Christos Xenakis

Published in: International Journal of Information Security | Issue 1/2022

Activate our intelligent search to find suitable subject content or patents.

search-config

AI-assisted search

Off

Abstract

For decades, code transformations have been a vital open problem in the field of system security, especially for cases like malware mutation engines that generate semantically equivalent forms of given malicious payloads. While there are abundant works on malware and on malware phylogenies classification and detection in general, the fundamental principles about malicious transformations to evade detection have been neglected. In the present work, we introduce a mutation engine, named [m]allotROPism, to generate malicious code deviations with equivalent semantics from a static-analysis point of view. To achieve this, we reduce the problem of generating semantically equivalent solutions of given assembly code into a decision problem, and we solve it with the aid of satisfiability modulo theories. Moreover, we leverage return-oriented programming techniques to alter the traditional execution control flow from text to stack memory segment. We have implemented our proposed mutation engine and evaluated its detection evasion capabilities. Results show that so far, our approach is undetectable against popular free and commercial anti-malware products. We release the implementation of [m]allotROPism as open source. Our intention is to provide a method to generate malware families for experimental purposes and inspire further state-of-the-art research in the field of malware analysis.

previous article Automatic analysis of attack graphs for risk mitigation and prioritization on large-scale and complex networks in Industry 4.0

next article Privacy preserving data sharing and analysis for edge-based architectures

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

inform now

Available only for authorised users

In chemistry, the ability of an element to exist in more than one physical form without change of state is called allotropism.

https://gitlab.ds.unipi.gr/systems-security-laboratory/mallotropism.

https://github.com/RolfRolles/SynesthesiaYS.

https://github.com/RUB-SysSec/syntia.

Introduced initially to execute Unix Shell commands and it is usually written in machine code.

https://gitlab.ds.unipi.gr/systems-security-laboratory/mallotropism.

https://github.com/gpoulios/ROPInjector.

Shacham, H.: The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86). In: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 552–561. ACM, New York (2007)

Bauer, J.M., Van Eeten, M.J., Chattopadhyay, T., Wu, Y.: Itu study on the financial aspects of network security: Malware and spam. ICT Applications and Cybersecurity Division, International Telecommunication Union, Final Report (July 2008)

PandaLabs, 2017 in Figures: The Exponential Growth of Malware (Accessed August 2, 2018). https://www.pandasecurity.com/mediacenter/malware/2017-figures/

Schwartz, E.J., Avgerinos, T., Brumley, D.: Q: exploit hardening made easy. In: USENIX Security Symposium, pp. 25–41 (2011)

Dullien, T., Kornau, T., Weinmann, R.-P.: A framework for automated architecture-independent gadget search. In: 4th USENIX Workshop on Offensive Technologies (WOOT 10) (2010)

Ma, H., Lu, K., Ma, X., Zhang, H., Jia C., Gao, D.: Software watermarking using return-oriented programming. In: Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, ASIA CCS’15. ACM, New York, NY, USA, pp. 369–380 (2015)

Lu, K., Xiong, S., Gao, D.: Ropsteg: program steganography with return oriented programming. In: Proceedings of the 4th ACM Conference on Data and Application Security and Privacy, CODASPY’14. ACM, New York, NY, USA, pp. 265–272 (2014)

Mu, D., Guo, J., Ding, W., Wang, Z., Mao, B., Shi, L.: Ropob: obfuscating binary code via return oriented programming. In: Security and Privacy in Communication Networks. Springer International Publishing, London (2018)

Weidler, N.R., Brown, D., Mitchell, S.A., Anderson, J., Williams, J.R., Costley, A., Kunz, C., Wilkinson, C., Wehbe, R., Gerdes, R.: Return-oriented programming on a resource constrained device. Sustain. Comput. Inf. Syst. 22, 244–256 (2019)

10.

Mohan, V., Hamlen, K.W.: Frankenstein: a tale of horror and logic programming. Book Reviews (02) (2017)

11.

Mohan, V., Hamlen, K.W.: Frankenstein: stitching malware from benign binaries. In: 21s USENIX Workshop on Offensive Technologies (WOOT 12), Austin, TX, pp. 77–84 (2012)

12.

Poulios, G., Ntantogian, C., Xenakis, C.: Ropinjector: using return oriented programming for polymorphism and antivirus evasion, Blackhat USA (2015)

13.

Ming, J., Xu, D., Jiang, Y., Wu, D.: Binsim: trace-based semantic binary diffing via system call sliced segment equivalence checking. In: 26th USENIX Security Symposium (2017)

14.

Jha, S., Gulwani, S., Seshia, S.A., Tiwari, A.: Oracle-guided component-based program synthesis. In: Proceedings of the 32nd ACM/IEEE International Conference on Software Engineering-Volume 1. ACM, New York, pp. 215–224 (2010)

15.

Rolles, R.: Synesthesia: a modern approach to shellcode generation (2016). http://www.msreverseengineering.com/blog/2016/11/8/synesthesia-modern-shellcode-synthesis-ekoparty-2016-talk

16.

Dutertre, B., De Moura, L.: The yices smt solver, Tool paper at SRI. International 2(2), 1–5 (2006)

17.

Blazytko, T., Contag, M., Aschermann, C., Holz, T.: Syntia: synthesizing the semantics of obfuscated code. In: USENIX Security Symposium (2017)

18.

Shacham, H., Page, M., Pfaff, B., Goh, E.-J., Modadugu, N., Boneh, D.: On the effectiveness of address-space randomization. In: Proceedings of the 11th ACM Conference on Computer and Communications Security, pp. 298–307. ACM, New York (2004)

19.

Abadi, M., Budiu, M., Erlingsson, U., Ligatti, J.: Control-flow integrity principles. ACM Trans. Inf. Syst. Secur. 13(1), 4:1-4:40 (2009)CrossRef

20.

Carlini, N., Wagner, D.: \(\{\)ROP\(\}\) is still dangerous: breaking modern defenses. In: 23rd USENIX Security Symposium, pp. 385–399 (2014)

21.

Schaefer, T.J.: The complexity of satisfiability problems. In: Proceedings of the 10th Annual ACM Symposium on Theory of Computing, pp. 216–226. ACM, New York (1978)

22.

De Moura, L., Bjørner, N.: Z3: an efficient SMT solver. In: International Conference on Tools and Algorithms for the Construction and Analysis of Systems, pp. 337–340. Springer, Berlin (2008)

23.

Park, D., Zhang, Y., Saxena, M., Daian, P., Roşu, G.: A formal verification tool for ethereum vm bytecode. In: Proceedings of the 2018 26th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp. 912–915. ACM, New York (2018)

24.

Vanhoef, M., Piessens, F.: Symbolic execution of security protocol implementations: handling cryptographic primitives. In: 12th USENIX Workshop on Offensive Technologies (WOOT 18) (2018)

25.

Vanegue, J., Heelan, S., Rolles, R.: SMT solvers in software security. In: 6th USENIX Workshop on Offensive Technologies (WOOT 12) (2012)

26.

Bornholt, J.: Program synthesis, explained (Accessed February 2, 2018). https://homes.cs.washington.edu/bornholt/post/synthesis-for-architects.html (2018)

27.

Szor, P.: The Art of Computer Virus Research and Defense. Pearson Education, London (2005)

28.

O’Kane, P., Sezer, S., McLaughlin, K.: Obfuscation: the hidden malware. IEEE Secur. Privacy 9(5), 41–47 (2011)CrossRef

29.

Spafford, E.H.: The internet worm program: an analysis. ACM SIGCOMM Comput. Commun. Rev. 19(1), 17–57 (1989)CrossRef

30.

Wartell, R., Mohan, V., Hamlen, K.W., Lin, Z.: Binary stirring: self-randomizing instruction addresses of legacy x86 binary code. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security, pp. 157–168. ACM, New York (2012)

31.

Pappas, V., Polychronakis, M., Keromytis, A.D.: Smashing the gadgets: hindering return-oriented programming using in-place code randomization. In: 2012 IEEE Symposium on Security and Privacy (SP), pp. 601–615. IEEE, New York (2012)

32.

Ispoglou, K.K., Payer, M.: Malwash: washing malware to evade dynamic analysis. In: 10th USENIX Workshop on Offensive Technologies (WOOT 16) (2016)

33.

Ming, J., Xin, Z., Lan, P., Wu, D., Liu, P., Mao, B.: Replacement attacks: automatically impeding behavior-based malware specifications. In: Applied Cryptography and Network Security—13th International Conference, ACNS 2015, pp. 497–517. Springer, Berlin (2015)

34.

Cohen, F.: Computer viruses: theory and experiments. Comput. Secur. 6(1), 22–35 (1987)CrossRef

Title: [m]allotROPism: a metamorphic engine for malicious software variation development
Authors: Christos Lyvas
Christoforos Ntantogian
Christos Xenakis
Publication date: 03-03-2021
Publisher: Springer Berlin Heidelberg
Published in: International Journal of Information Security / Issue 1/2022
Print ISSN: 1615-5262
Electronic ISSN: 1615-5270
DOI: https://doi.org/10.1007/s10207-021-00541-y

Springer Professional

Abstract

Please log in to get access to your license.

Dont have a licence yet? Then find out more about our products and how to get one now:

Springer Professional "Technik"

Springer Professional "Wirtschaft+Technik"

Springer Professional "Wirtschaft"

Other articles of this Issue 1/2022

Privacy preserving data sharing and analysis for edge-based architectures

Track for surveys

Robotics cyber security: vulnerabilities, attacks, countermeasures, and recommendations

A new smart smudge attack using CNN

Public key versus symmetric key cryptography in client–server authentication protocols

DAPP: automatic detection and analysis of prototype pollution vulnerability in Node.js modules

Premium Partner