Challenging Anti-virus through Evolutionary Malware Obfuscation
Marco Gaudesi, Andrea Marcelli, Ernesto Sanchez, Giovanni Squillero, Alberto Tonda

Goal
Develop a new obfuscation mechanism based on evolutionary algorithms. It can be used by the security industry to stress analysis methodologies and to test the ability to react to malware mutations.

Malware (malicious software)
Behaviour of a sample, as labelled in the poster diagram: it communicates, executes the payload, propagates, and hides as long as possible.

Packer
A packer compresses or encrypts the instructions and data of a program, generating a new executable version. At run time, the new executable decompresses the original program in memory and then jumps into it. Packers were originally designed to save disk space; later they were introduced into the world of malicious software, because the packed code must be decrypted before static analysis can be applied. Moreover, changing the encryption key produces a completely different executable.

The unpacking stub:
1) It decompresses and decrypts the original code.
2) It resolves the imports of the executable: if the import table is packed, the loader cannot resolve the imports and load the corresponding DLLs.
3) It transfers control back to the Original Entry Point (OEP).

Evolution of code obfuscation in malware
Encrypted (1988, Cascade): One of the easiest ways to hide the functionality of the virus code was encryption. The virus starts with a constant decryptor that is followed by the encrypted virus body.
Oligomorphic (1997, Memorial): Oligomorphic viruses do change their decryptors in new generations. Win95/Memorial had the ability to build 96 different decryptor patterns.
Polymorphic (1998, Crypto): Polymorphic viruses can create an endless number of new decryptors that use different encryption methods to encrypt the constant part (except their data areas) of the virus body. Crypto used a random decryption algorithm that implemented a brute force attack against its constant but variably encrypted virus body.
Metamorphic (2002, Zmist): Metamorphic viruses do not have a decryptor, nor a constant virus body. However, they are able to create new generations that look different. Zmist is capable of decompiling Portable Executable files to their smallest elements; it moves code blocks out of the way, inserts itself, regenerates code and data references, including relocation information, and rebuilds the executable.
Evolutionary (???): The idea of genetic selection for behaviours was first seen in 2002 (W32/Smile). Polymorphism using genetic algorithms was first seen in 2005 (W32/Zellome).

Evolutionary packer
The malware uses an evolutionary algorithm to generate completely new obfuscating algorithms. The individuals are a set of working packers and the 'fitness' is how similar the new executable is to the original one.
Generating the code
Randomly-generated, variable-length sequence of x86 assembler instructions:

    pop esi
    push esi
    xor [esi],ebx
    add ebx,eax
    test eax,eax
    jnz 0x5
    ret

Encoded bytes: 5E 56 311E 01C3 85C0 75F7 C3

Stages of the evolutionary packer (diagram labels): Generate an opcode sequence; Test the sequence (is it reversible?); Creation of a new packer variant; Code encryption; Reproduction.
Encoding and decoding routines are applied subsequently to a sequence of bytes. The decoding routine is embedded in the new executable; at run time it will restore the original program in memory.

Fitness evaluation with the Jaccard Index
$J(A, B) = \frac{|A \cap B|}{|A \cup B|}$
It is used to evaluate the similarity between a malware sample and the original one.
[Figures: Jaccard distribution of a sample that maximises the dissimilarity; Jaccard distribution of a sample similar to the original one.]
[Histogram residue from the Experimental Evaluation section: "Original vs Encoded Version", Number of AV (0-20) against Detection Percentage (0%, 12-30%, 50-90%, 100%).]
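The Jaccard fitness above, worked through as an added example that is not the poster's or the authors' code. It assumes that A and B are the sets of distinct byte 4-grams of the two executables (the poster does not say what the set elements are), uses a constructed toy byte string as the "program", and substitutes a single-byte XOR for an evolved encoding routine; the same number is what a byte-level similarity comparison on the analysis side would report for the pair.

```python
from __future__ import annotations

# Added example, not the authors' code. Assumptions (not from the poster): A and B
# are the sets of distinct byte 4-grams of the two executables, the samples are
# constructed toy byte strings, and a single-byte XOR stands in for an evolved
# encoding routine.


def byte_ngrams(data: bytes, n: int = 4) -> set[bytes]:
    """Set of distinct length-n byte windows: the feature set of one sample."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: set[bytes], b: set[bytes]) -> float:
    """J(A, B) = |A ∩ B| / |A ∪ B|, taken as 1.0 when both sets are empty."""
    union = a | b
    return 1.0 if not union else len(a & b) / len(union)


def xor_encode(data: bytes, key: int) -> bytes:
    """Constructed stand-in for an encoding routine (single-byte XOR)."""
    return bytes(x ^ key for x in data)


def fitness(original: bytes, variant: bytes, n: int = 4) -> float:
    """Similarity of a variant to the original sample (1.0 = identical).

    The evolutionary packer drives this value down (it rewards dissimilarity);
    for an analyst a high value means a byte-level comparison still recognises
    the two files as the same program.
    """
    return jaccard(byte_ngrams(original, n), byte_ngrams(variant, n))


# Constructed sample: repeated opcode-like bytes followed by the poster's
# 11-byte decoder sequence (5E 56 31 1E 01 C3 85 C0 75 F7 C3).
ORIGINAL = bytes(range(0x40, 0x60)) * 4 + bytes.fromhex("5e56311e01c385c075f7c3")
ENCODED = xor_encode(ORIGINAL, 0x5A)                       # whole file encoded
PARTIAL = ORIGINAL[:64] + xor_encode(ORIGINAL[64:], 0x5A)  # first 64 bytes left clear


def demo() -> dict[str, float]:
    """Fitness of three variants against the original."""
    return {
        "identical": fitness(ORIGINAL, ORIGINAL),
        "fully_encoded": fitness(ORIGINAL, ENCODED),
        "partially_encoded": fitness(ORIGINAL, PARTIAL),
    }
```

Calling `demo()` shows the two extremes the poster's distributions illustrate: the fully encoded variant shares no 4-gram with the original (J = 0), while the half-encoded one keeps a measurable overlap.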
Experimental Evaluation
8 recent malware samples for Windows 32 bit.
57 AV engines: high initial detection rate + executable behavior susceptible to heuristic evaluation.
44 AV engines: further evaluation with locally installed AVs.
[Histogram "Original vs Encoded Version": Number of AV (y-axis, 0-20) against Detection Percentage (0%, 12-30%, 50-90%, 100%).]

Future Work
IoT Worm: The diffusion of Internet of Things devices, strongly network oriented and often lacking proper security measures, represents the perfect environment where a new evolutionary worm, platform independent, can spread.
Try the Evolutionary Obfuscator against advanced Anti-Virus based on Deep Neural Networks.
Malware Detection Through Machine Learning: With over 1 million malware samples caught every day in honeypots all over the world, new detection approaches are necessary. The research aims at developing a detection mechanism based on multiple classifiers, where each one targets a particular malware family.