nach oben

Journal of Computer Virology and Hacking Techniques

Erschienen in:

27.02.2017 | Original Paper

The other guys: automated analysis of marginalized malware

verfasst von: Marcus Felipe Botacin, Paulo Lício de Geus, André Ricardo Abed Grégio

Erschienen in: Journal of Computer Virology and Hacking Techniques | Ausgabe 1/2018

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

In order to thwart dynamic analysis and bypass protection mechanisms, malware have been using several file formats and evasive techniques. While publicly available dynamic malware analysis systems are one of the main sources of information for researchers, security analysts and incident response professionals, they are unable to cope with all types of threats. Therefore, it is difficult to gather information from public systems about CPL, .NET/Mono, 64-bits, reboot-dependent, or malware targeting systems newer than Windows XP, which result in a lack of understanding about how current malware behave during infections on modern operating systems. In this paper, we discuss the challenges and issues faced during the development of this type of analysis system, mainly due to security features available in NT 6.x kernel versions of Windows OS. We also introduce a dynamic analysis system that addresses the aforementioned types of malware as well as present results obtained from their analyses.

Vorheriger Artikel Trends of anti-analysis operations of malwares observed in API call logs

Nächster Artikel Constructing a secure hacking-resistant IoT U-healthcare environment

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

As detailed on Sect. 4.4

We identified as .NET 0.6, 1.1, and 7.6% of all samples from our dataset collected in 2013, 2014, and the first quarter of 2015, respectively.

Solutions like Sandboxie (http://www.sandboxie.com) are not designed for this purpose and can be detected due to their userland modules.

https://www.vmray.com/technology/

http://www.sandboxie.com/index.php?ContributedUtilities#BlockProcessAccess

http://www.sandboxie.com/index.php?ExperimentalProtection

We measure suspended processes to avoid penalties from external factors.

http://anubis.iseclab.org, https://malwr.com, http://www.threatexpert.com, http://camas.comodo.com, http://www.threattracksecurity.com/resources/sandbox-malware-analysis.aspx

https://github.com/a0rtega/pafish

Afonso, V., Filho, D., Gregio, A., de Geus, P., Jino, M.: A hybrid framework to analyze web and os malware. In: 2012 IEEE International Conference on Communications (ICC), pp. 966–970 (2012). doi:10.1109/ICC.2012.6364108

Balzarotti, D., Cova, M., Karlberger, C., Kruegel, C., Kirda, E., Vigna, G.: Efficient detection of split personalities in malware. In: NDSS 2010, 17th Annual Network and Distributed System Security Symposium. San Diego, USA (2010)

Bayer, U., Kruegel, C., Kirda, E.: Ttanalyze: A tool for analyzing malware. In: 15th European Institute for Computer Antivirus Research Annual Conference (2006)

Bellard, F.: Qemu, a fast and portable dynamic translator. In: Proceedings of the Annual Conference on USENIX Annual Technical Conference, ATEC ’05, pp. 41–41. USENIX Association, Berkeley, CA, USA (2005). http://dl.acm.org/citation.cfm?id=1247360.1247401

Blog, S.L.: The inevitable mode—64-bit zeus enhanced with tor (2013). http://securelist.com/blog/events/58184/

Corregedor, M., Von Solms, S.: Windows 8 32 bit—improved security? In: AFRICON. IEEE, pp. 1–5 (2013). doi:10.1109/AFRCON.2013.6757678

Dinaburg, A., Royal, P., Sharif, M., Lee, W.: Ether: malware analysis via hardware virtualization extensions. In: Proceedings of the 15th ACM Conference on Computer and Communications Security, CCS ’08, pp. 51–62. ACM, New York, NY, USA (2008). doi:10.1145/1455770.1455779

Dolan-Gavitt, B., Leek, T., Zhivich, M., Giffin, J., Lee, W.: Virtuoso: narrowing the semantic gap in virtual machine introspection. In: Proceedings of the 2011 IEEE Symposium on Security and Privacy, SP ’11, pp. 297–312. IEEE Computer Society, Washington, DC, USA (2011). doi:10.1109/SP.2011.11

Egele, M., Scholte, T., Kirda, E., Kruegel, C.: A survey on automated dynamic malware-analysis techniques and tools. ACM Comput. Surv. 44(2), 6 (2012)CrossRef

10.

Fattori, A., Paleari, R., Martignoni, L., Monga, M.: Dynamic and transparent analysis of commodity production systems. In: Proceedings of the IEEE/ACM International Conference on Automated Software Engineering, ASE ’10, pp. 417–426. ACM, New York, NY, USA (2010). doi:10.1145/1858996.1859085

11.

Guarnieri, C.: Cuckoo sandbox. http://www.cuckoosandbox.org/ (2013)

12.

Guri, M., Kedma, G., Sela, T., Carmeli, B., Rosner, A., Elovici, Y.: Noninvasive detection of anti-forensic malware. In: 8th International Conference on Malicious and Unwanted Software: “The Americas” (MALWARE), pp. 1–10 (2013). doi:10.1109/MALWARE.2013.6703679

13.

j00ru: Defeating windows driver signature enforcement 3: the ultimate encounter. http://j00ru.vexillium.org/?p=1455

14.

Kaspersky: Equation group: questions and answers. http://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf

15.

Kirat, D., Vigna, G., Kruegel, C.: Barebox: efficient malware analysis on bare-metal. In: Proceedings of the 27th Annual Computer Security Applications Conference, pp. 403–412. ACM (2011)

16.

Kirat, D., Vigna, G., Kruegel, C.: Barecloud: bare-metal analysis-based evasive malware detection. In: 23rd USENIX Security Symposium (USENIX Security 14), pp. 287–301. USENIX Association, San Diego, CA (2014). https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/kirat

17.

Kruegel, C.: Full system emulation: achieving successful automated dynamic analysis of evasive malware. https://www.blackhat.com/docs/us-14/materials/us-14-Kruegel-Full-System-Emulation-Achieving-Successful-Automated-Dynamic-Analysis-Of-Evasive-Malware.pdf (2014)

18.

Lab, K.: The regin platform—nation-state ownage of gsm networks. http://securelist.com/files/2014/11/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf

19.

Lindorfer, M., Di Federico, A., Maggi, F., Comparetti, P.M., Zanero, S.: Lines of malicious code: insights into the malicious software industry. In: Proceedings of the 28th Annual Computer Security Applications Conference. ACSAC ’12, pp. 349–358. ACM, New York, NY, USA (2012)

20.

Lindorfer, M., Kolbitsch, C., Milani Comparetti, P.: Detecting environment-sensitive malware. In: Recent Advances in Intrusion Detection Symposium (2011)

21.

Mercês, F.: Cpl malware—malicious control panel items. http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf

22.

Microsoft: Device input and output control (ioctl). https://msdn.microsoft.com/pt-br/library/windows/desktop/aa363219%28v=vs.85%29.aspx

23.

Microsoft: I/o request packets. https://msdn.microsoft.com/en-us/library/windows/hardware/hh439638%28v=vs.85%29.aspx

24.

Microsoft: Queueuserapc function. [https://msdn.microsoft.com/en-us/library/windows/desktop/ms684954%28v=vs.85%29.aspx

25.

Microsoft: Reg_notify_class enumeration. https://msdn.microsoft.com/pt-br/library/windows/hardware/ff560950%28v=vs.85%29.aspx

26.

Microsoft: Running 32-bit applications. https://msdn.microsoft.com/en-us/library/windows/desktop/aa384249%28v=vs.85%29.aspx

27.

Microsoft: Trojan:win32/jorik.c. http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/Jorik.C

28.

Microsoft: Using cplapplet. https://msdn.microsoft.com/en-us/library/windows/desktop/cc144199%28v=vs.85%29.aspx

29.

Microsoft: Win32/wootbot. http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Win32%2FWootbot

30.

Microsoft: CreateRemoteThread. http://msdn.microsoft.com/en-us/library/windows/desktop/ms682437(v=vs.85).aspx (2013)

31.

Microsoft: CmRegisterCallback. http://msdn.microsoft.com/en-us/library/windows/hardware/ff541918(v=vs.85).aspx (2014)

32.

Microsoft: CmRegisterCallbackEx. http://msdn.microsoft.com/en-us/library/windows/hardware/ff541921(v=vs.85).aspx (2014)

33.

More, A., Tapaswi, S.: Virtual machine introspection: towards bridging the semantic gap. J. Cloud Comput. 3(1), 1–14 (2014). doi:10.1186/s13677-014-0016-2 CrossRef

34.

Petsas, T., Voyatzis, G., Athanasopoulos, E., Polychronakis, M., Ioannidis, S.: Rage against the virtual machine: hindering dynamic analysis of android malware. In: Proceedings of the Seventh European Workshop on System Security, EuroSec ’14, pp. 5:1–5:6. ACM, New York, NY, USA (2014)

35.

Pietrek, M.: Peering inside the pe: a tour of the win32 portable executable file format. https://msdn.microsoft.com/en-us/library/ms809762.aspx

36.

Reloaded, P.: Skywing. http://uninformed.org/?v=8&a=5

37.

Rienhardt, F.: Kernel-basedmonitoringonwindows(32/64bit). http://www.bitnuts.de/KernelBasedMonitoring.pdf (2012)

38.

Rodionov, E., Matrosov, A.: The evolution of tdl: conquering x64. http://www.eset.com/us/resources/white-papers/The_Evolution_of_TDL.pdf

39.

Seifert, C., Steenson, R., Welch, I., Komisarczuk, P., Endicott-Popovsky, B.: Capture—a behavioral analysis tool for applications and documents. Digit. Investig. 4S, 23–30 (2007)CrossRef

40.

Sikorski, M., Honig, A.: Practical Malware Analysis: The Hands-on Guide to Dissecting Malicious Software. No Starch Press, San Francisco (2012)

41.

skape, Skywing: Bypassing patchguard on windows x64. http://uninformed.org/index.cgi?v=3&a=3

42.

Skywing: Subverting patchguard version 2. http://www.uninformed.org/?a=1&t=txt&v=6

43.

Thomas, S., Sherly, K., Dija, S.: Extraction of memory forensic artifacts from windows 7 ram image. In: 2013 IEEE Conference on Information and Communication Technologies (ICT), pp. 937–942. IEEE (2013)

44.

TrendMicro: Darkkomet. http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/DARKCOMET

45.

TrendMicro: Tspy64_zbot.aanp. http://about-threats.trendmicro.com/Malware.aspx?language=au&name=TSPY64_ZBOT.AANP

46.

Willems, C., Holz, T., Freiling, F.: Toward automated dynamic malware analysis using cwsandbox. IEEE Secur. Priv. 5, 32–39 (2007)CrossRef

47.

Willems, C., Hund, R., Holz, T.: Cxpinspector: Hypervisor-based, hardware-assisted system monitoring. Tech. Rep. TR-HGI-2012-002, HGI, Ruhr-Universitat Bochum (2012)

Titel: The other guys: automated analysis of marginalized malware
verfasst von: Marcus Felipe Botacin
Paulo Lício de Geus
André Ricardo Abed Grégio
Publikationsdatum: 27.02.2017
Verlag: Springer Paris
Erschienen in: Journal of Computer Virology and Hacking Techniques / Ausgabe 1/2018
Elektronische ISSN: 2263-8733
DOI: https://doi.org/10.1007/s11416-017-0292-8

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Weitere Artikel der Ausgabe 1/2018

Diagnosing bot infections using Bayesian inference

Trends of anti-analysis operations of malwares observed in API call logs

State of the art of network protocol reverse engineering tools

An investigation of byte n-gram features for malware classification

Image spam analysis and detection

Constructing a secure hacking-resistant IoT U-healthcare environment