an overview of malware packing n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
An Overview of Malware Packing PowerPoint Presentation
Download Presentation
An Overview of Malware Packing

play fullscreen
1 / 88

An Overview of Malware Packing

144 Views Download Presentation
Download Presentation

An Overview of Malware Packing

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. An Overview of Malware Packing Jenna Kallaher Costas Akrivoulis Raul Gonzalez

  2. Packers "Programs that transform an input binary's appearance without affecting its execution semantics" [1]

  3. Packers "Programs that transform an input binary's appearance without affecting its execution semantics" ... For the purposes of [1]

  4. Packers - Motivation • Frustrate reverse engineer! • Increase barrier to entry for analysis • Cost, Technical understanding • Avoid signatures • Avoid classifications/triage

  5. Era 3 Block-based Packing Instruction Virtualization Era 2 Metamorphism Anti-RE Outline Era 1 Encryption Polymorphism

  6. Era 1 Alpha Pack

  7. Encryption Alpha Pack

  8. Encryption - Motivation Goal Evade static signature Idea • Encrypt the binary • Different keys == different signatures

  9. Encryption What one thinks about when they hear "packer" Packer encrypts all of the data and/or text, then decrypts at runtime

  10. Encryption – Key Generation • Embed key • Fetch key • Derive key

  11. Encryption – Embed Key B = Original Binary K = Encryption Key E = Encryption Function Be = Ek(B) D = Decryption Code Malware = Be | K | D

  12. Encryption - Fetch Key Decryptor code "phones home” • Retrieves key from master Master can authenticate malware • Verify environment • Attestation

  13. Encryption - Derive Key No phones • Evade attribution • No network constraints Targeted • Wrong environment == wrong key

  14. Encryption - Limitations Requires decryption before run • Decryptor can be signatured Encrypt the decryptor? • Need decryptor' for the decryptor... Some stub code needs to be "plain text"

  15. Polymorphism Alpha Pack

  16. Polymorphism - Motivation Goal Make every signature unique Idea Mutate the encrypted binary • Re-key • Obfuscate decryptor code

  17. Polymorphism - Techniques • Dead Code Insertion • Variable Renaming • Register Reordering • Code Reordering • Code Transposition • Instruction Substitution • Branch Inversion • ...

  18. Polymorphism - Dead Code pop ebx pop ecx push .haha ret db 0xab db 0xbc db 0xcdff db 0xe8 db 0xa9 .haha: xor eax, eax mov ecx, 1 nop xchg eax, ecx push edx pop edx ret

  19. Polymorphism - Register Reorder

  20. Polymorphism - Limitations Unencrypted binary is constant • Evades static signatures Emulators • Run malware, freeze upon decryption • Memory dump can be signatured Not robust enough

  21. Era 2 Alpha Pack

  22. Metamorphism Alpha Pack

  23. Metamorphism - Motivation Goal Make every signature unique Idea Mutate the plaintext binary • Physically different • Semantically equivalent

  24. Metamorphism - Techniques • Dead Code Insertion • Variable Renaming • Register Reordering • Code Reordering • Code Transposition • Instruction Substitution • Branch Inversion • ...

  25. Metamorphism - Code Reorder

  26. mov $0, %eax test %eax, %eax jz .hello Metamorphism - Substitution • A * 4 == A << 2 • jmp .hello ==

  27. Metamorphism - Branch Inversion if (false) bar() else foo() if (true) == foo() else bar()

  28. Metamorphism - Limitations Hidden Markov Models: System being modeled is assumed to be a Markov Process with hidden states. "State is not directly visible, but output, dependant on the state, is visible.“ [2]

  29. Metamorphism - Limitations Hidden Markov Models: Use output, to reason about the properties of the hidden states in the system. Allows for Statistical Pattern Analysis

  30. Metamorphism - Limitations • Treat variants of a single binary as a family • Train a model, use HMM to represent the statistical properties of that family • Use trained model to decide whether a new variant belongs to the family or not - based on its statistical properties

  31. Metamorphism - Limitations [3]

  32. Metamorphism - Limitations Similarity Index: Pair program P with malware m, of family M Find their similarity index, Spm If somewhat similar, • Compare mwith its variants to find average similarity index, Sm, amongst family M If Sm < Spm, then P is in M

  33. Metamorphism - Limitations Detectable, variants are: • Too similar to each other • Too different from normal programs Good metamorphism requires high degree of: • Metamorphic variant differences • Regular programs similarities Defensive techniques exist (and work)

  34. Anti-Reversing Alpha Pack

  35. Anti-RE - Motivation Enemies of malware: • Virtual Machines • Debuggers • Disassemblers • Emulators • Memory Dumpers Any of the above imply: • “Non-production" settings • Reverse engineering likely occurring

  36. Anti-RE - Motivation Goal Run ONLY on production systems Idea Find metrics for answering: • "Am I in a VM?" • "Am I in a debugger?" • "Am I being disassembled?" • "Am I being emulated?" • "Am I being dumped?"

  37. Anti-RE - in Malware • [4]

  38. Anti-RE - Techniques • [4]

  39. Anti-Disassembly Alpha Pack

  40. Anti-Disassembly - Prevalence • [4]

  41. Anti-Disassembly - Push Ret .code start: pop eax pop ebx pop ecx push .continue ret db 0xab db 0xbc db 0xcd db 0xff db 0xaa db 0x1 db 0x2 db 0xff db 0xef db 0xe9 db 0xab db 0xe8 db 0xa9 .continue: xor eax,eax mov ecx,1 nop xchg eax,ecx push edx pop edx ret .end start • [4]

  42. Anti-Disassembly - Push Pop Math • Push known immediate to stack • Immediately pop to a register • Do some math on the register • Register holds desired value, but that value never appears directly in the code

  43. Anti-Virtualization Alpha Pack

  44. Anti-Virtualization - Techniques Common x86 Instructions for VM Detection • cpuid • sidt (Red Pill) • sldt • sgdt • smsw • str • in System Artifacts Invalid Instructions

  45. Anti-Virtualization - Prevalence • [4]

  46. Anti-Virtualization - in #define VMWARE_HYPERVISOR_MAGIC 0x564D5868 #define VMWARE_HYPERVISOR_PORT 0x5658 #define VMWARE_PORT_CMD_GETVERSION 10 #define VMWARE_PORT(cmd, eax, ebx, ecx, edx) \ __asm__("inl (%%dx)" : \ "=a"(eax), "=c"(ecx), "=d"(edx), "=b"(ebx) : \ "0"(VMWARE_HYPERVISOR_MAGIC), \ "1"(VMWARE_PORT_CMD_##cmd), \ "2"(VMWARE_HYPERVISOR_PORT), "3"(UINT_MAX) : \ "memory"); int hypervisor_port_check(void) { uint32_t eax, ebx, ecx, edx; VMWARE_PORT(GETVERSION, eax, ebx, ecx, edx); int in_hyp = (ebx == VMWARE_HYPERVISOR_MAGIC); printf(“%sVMWare\n”, in_hyp ? “”: “Not ”); return in_hyp; } • [6]

  47. Anti-Virtualization - CPUID mov $0x1, %eax cpuid and $0x80000000, %ecx test %ecx, %ecx jnz virtualized mov $0x0, %eax ret virtualized: mov $0x1, %eax ret

  48. Anti-Virtualization - Artifacts VMWare • VMWare Tools Process • 300+ registry references to VMWare in WinXP • 50+ file system references to VMWare or VMX in WinXP Virtual Hardware • MAC Address • USB Controller Type Anomalies in clock synch between host and guest • [7]

  49. Anti-Debugging Alpha Pack

  50. Anti-Debugging - Techniques • Windows • IsDebuggerPresent • CheckIsRemoteDebuggerPresent • NtQueryProcessInformation • PEB • Linux • Ptrace of Self