EVOLUTIONARY MALWARE CHALLENGING ANTI-VIRUS
Ing. Andrea Marcelli, PhD student, [email protected]

CAD Group

JOINT OPEN LAB

Slide and Test Programs

jimmy-sonny.github.io/EvoMalwareTalk/


Sub7
• Created by Mobman in 1999 (version 2)
• RAT (Remote Administration Tool)
• Made of 3 parts: Client, EditServer, Server
• It is a Trojan; it is difficult to legitimise its usage
• Download: www.aldocardoni.com/hack-soft/sub_seven.htm


Introduction
• People have complete faith in anti-virus (more than 80% * of computer users use it)
• However, protection mechanisms are less effective than we would expect
• Malware analysis is like a cat-and-mouse game
• We studied and developed malware obfuscation mechanisms for evaluating Anti-Virus products.

* Microsoft SIR Volume 18 - December 2014

Index
• Malware Introduction
• Anti-Virus
• Obfuscation Techniques
• What we have Developed & Test Results
• Our vision of Malware Detection
• Hands-on Session

Malware
/ malicious software /
• Trojan, Worms, Rootkits, Viruses…
• From “writing for fun” to “writing for profit”

Malware
/ malicious software /
• Polymorphic and Metamorphic malware
• Talk by Mikko Hypponen at DEFCON 19: https://www.youtube.com/watch?v=qPAUTsUr-Eg

Malware Production Line
• Buy exploits, 0Day, Shellcode: http://0day.today/ claims: “Injector is the ultimate database of exploits and vulnerabilities”
• Create the malware
• Infect devices (botnet)
• Sell infected hosts.

Exploit Payout

https://www.zerodium.com/program.html


Ransomware



Anti-Virus
Detection Ratio vs False Positive Ratio

Anti-Virus detection layers (figure; the byte pattern \x00\x6a illustrates a signature):
• Signature Detection
• Geometric Detection
• Disassembler and State Machine
• Emulator

Example

MOV AX, MZ             66 3D 4D 5A
MOV EDI, 0x5A4D3D66    BF 66 3D 4D 5A

Signature detection fails (the same four bytes appear inside the immediate of the second instruction); a disassembler with a state machine does not.
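Added example, not code from the talk: a first-generation byte-signature scanner beside a scanner that only accepts a match at an instruction boundary. The opcode-length table is a constructed toy subset of x86, just large enough for the two encodings on this slide.

```python
# Added example: byte-signature matching vs. a disassembler-style scan that
# tracks instruction boundaries. The opcode table is a constructed subset
# of x86 covering only the encodings shown on the slide.
SIGNATURE = bytes.fromhex("663D4D5A")        # the slide's 4-byte pattern

# 66 3D 4D 5A    : prefix 66, opcode 3D, 16-bit immediate 'MZ' (4 bytes)
# BF 66 3D 4D 5A : MOV EDI, 0x5A4D3D66 (5 bytes); the signature bytes sit
#                  inside the immediate, not at an instruction start
INSN_SLIDE_1 = bytes.fromhex("663D4D5A")
INSN_SLIDE_2 = bytes.fromhex("BF663D4D5A")


def signature_scan(code, sig=SIGNATURE):
    """Report every byte offset where sig occurs, boundaries ignored."""
    n = len(sig)
    return [i for i in range(len(code) - n + 1) if code[i:i + n] == sig]


def insn_length(code, pos):
    """Length of the instruction at pos (toy table, constructed)."""
    op = code[pos]
    if op == 0x66:                           # operand-size prefix
        nxt = code[pos + 1]
        if nxt == 0x3D or 0xB8 <= nxt <= 0xBF:
            return 4                         # prefix + opcode + imm16
        return 1 + insn_length(code, pos + 1)
    if op == 0x3D or 0xB8 <= op <= 0xBF:     # opcode + imm32
        return 5
    if op in (0x90, 0xC3):                   # NOP, RET
        return 1
    raise ValueError("opcode %#x not in toy table" % op)


def disassembler_scan(code, sig=SIGNATURE):
    """Report sig only where it starts at an instruction boundary."""
    hits, pos = [], 0
    while pos < len(code):
        if code[pos:pos + len(sig)] == sig:
            hits.append(pos)
        pos += insn_length(code, pos)
    return hits


# Constructed code stream: NOP, the MOV EDI, then the 4-byte instruction.
STREAM = b"\x90" + INSN_SLIDE_2 + INSN_SLIDE_1

if __name__ == "__main__":
    print("signature scan   :", signature_scan(STREAM))      # [2, 6]
    print("disassembler scan:", disassembler_scan(STREAM))   # [6]
```

The byte scanner fires twice on the stream, once on the immediate of MOV EDI; the boundary-aware scanner reports only the real instruction.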


Signature Detection, Geometric Detection and the Disassembler with State Machine perform static analysis; the Emulator performs dynamic analysis.

Anti-Virus
• 57 AV engines
• 44 AV engines
• 21 AV engines


Anti AV Techniques
• Obfuscation Techniques
• Anti-Debugger
• Anti-Disassembly
• Anti-Emulation
• Portable Executable malformations
• Packing

GOAL: break static (dynamic) analysis

Hiding Techniques *
• Encrypted
• Oligomorphic
• Polymorphic
• Metamorphic

Timeline from the figure:
1988: Cascade
1997: Memorial
1998: Crypto
2002: Zmist

* Hunting for Metamorphic - Peter Ferrie and Peter Szor; http://z0mbie.daemonlab.org

Portable Executable
• File format for Windows Executables and DLLs
• Introduced in Windows NT 3.1
• It is a data structure that wraps executable code
• Headers: DOS Header, PE Header, Section Table
• Sections: .text, .data, .reloc, .debug, .import, .export
• PE-bear: https://hshrzd.wordpress.com/pe-bear/

Portable Executable

DOS Header: starts with MZ; a real, working DOS program.
PE Header: starts with PE00; File Header, Optional Header.
Section Table: Raw Address, Raw Size, Virtual Address, Virtual Size.
.text: executable code, program entry point, jump table.
.data: global and static variables initialised at compile time.
.reloc: information about address relocation.

Packer (figure): Original PE → encrypt / compress → Packed PE

Original PE: DOS Header, PE Header, Section Table, Code, Import, Data.
Packed PE: DOS Header, PE Header, Section Table, packed sections (the encrypted and compressed original header, code and data), Stub Routine.
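Added example, not code from the talk: it walks the PE layout from the previous slides (DOS Header with MZ, PE Header with PE\0\0, Section Table with raw address and size) and flags sections whose raw bytes have the high entropy typical of the encrypted or compressed payload a packer produces. The two-section sample PE is constructed inline.

```python
# Added example (not from the talk): walk the PE layout on these slides and flag
# sections whose raw bytes have the high entropy of an encrypted/compressed payload.
import math, struct

def parse_pe(data):
    """DOS header -> PE header -> section table; returns one dict per section."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]        # PE header offset
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE\\0\\0 signature")
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table, sections = e_lfanew + 24 + opt_size, []
    for off in range(table, table + 40 * nsec, 40):           # 40-byte section headers
        vsize, vaddr, rsize, raddr = struct.unpack_from("<IIII", data, off + 8)
        sections.append(dict(name=data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace"),
                             virtual_size=vsize, virtual_address=vaddr,
                             raw_size=rsize, raw_address=raddr))
    return sections

def shannon_entropy(buf):
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    counts = [buf.count(b) for b in set(buf)]
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts) if buf else 0.0

def packed_sections(data, threshold=7.0):
    """(name, entropy) of sections whose raw bytes look packed (entropy >= threshold)."""
    out = []
    for s in parse_pe(data):
        ent = shannon_entropy(data[s["raw_address"]:s["raw_address"] + s["raw_size"]])
        if ent >= threshold:
            out.append((s["name"], round(ent, 2)))
    return out

def build_sample_pe():
    """Constructed 1 KiB PE: a NOP-filled .text and a .packed section of uniform bytes."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x0102)
    def section(name, vaddr, raddr, size):                     # 40-byte section header
        return name.ljust(8, b"\x00") + struct.pack("<IIIIIIHHI", size, vaddr, size, raddr, 0, 0, 0, 0, 0x60000020)
    img = bytearray(1024)
    hdr = coff + section(b".text", 0x1000, 0x200, 256) + section(b".packed", 0x2000, 0x300, 256)
    img[:64] = dos
    img[64:64 + len(hdr)] = hdr
    img[0x200:0x300] = b"\x90" * 256                          # code: constant bytes
    img[0x300:0x400] = bytes(range(256))                       # stand-in for packed payload
    return bytes(img)
```

On the sample, packed_sections() reports only .packed; the same entropy check over a real packed PE is the usual first hint that a Stub Routine will decode the real code at run time.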


Windows Loader
• Reads the DOS Header, PE Header and Section Headers
• Creates a Virtual Address Space for the process
• Maps the sections into the address space and sets their attributes
• Performs base relocation (optionally)
• Loads DLLs and fixes the Import Table
• Creates the Stack and Heap
• Creates the initial thread and starts the process.

Shellcode
• Shellcode is a payload of raw executable code
• It has to fulfil special requirements: it has to be relocatable, load the required libraries, and be as short as possible
• The main difference between Windows and Unix shellcode is the way in which system calls are made
• Example: http://0day.today/exploit/20485
• Originally used to obtain interactive shell access on the compromised system

Adding code to PE
• Usually used to inject shellcode
• Adding code to an existing section (cavity viruses)
• Enlarging an existing section (could be tricky)
• Adding an entirely new section.


What we have developed
• Evolutionary Opcode Generator
• Shellcode Injector
• Ad-hoc packer

What we have developed
• Evolutionary Opcode Generator: Malware Obfuscation through Evolutionary Packer, GECCO 2015
• Shellcode Injector: Challenging Anti-Virus through Evolutionary Malware Obfuscation, Evo* 2016
• Ad-hoc packer

Evolutionary Opcode Generator
• Goal: create an encoding and a decoding function using x86 ASM
• Opcode is the binary representation of an assembly instruction
• No assembly and linking phase
• It exploits Evolutionary Algorithms.

What we have developed
• Evolutionary Opcode Generator
• Shellcode Injector
• Ad-hoc Packer: Towards automated Malware Creation: code generation and code integration, ACM Symposium on Applied Computing

Shellcode Injector
• Goal: obfuscate and inject a portion of malicious code
• Used in combination with shellcode
• Shellcode is raw, self-contained and relocatable code
• The encoded shellcode, together with a decoding routine, is injected into the target executable.

Evolutionary Payload Result (detection percentage)

                           Uncoded   Code Evolution 1   Code Evolution 2   Code Evolution 3
Virus Total (57 AVs)         61%            4%                 4%                 2%
Opswat Metascan (44 AVs)     56%            9%                 7%                 2%


Ad-hoc Packer
• Generates a new encoded version of a program, plus an unpacker
• It acts on the whole executable
• Not necessarily malicious
• Tests target the Portable Executable file format.

Tests
• Eight recent virus samples for Windows 32-bit
• All have been successfully packed
• Manually debugged to verify functionality
• Analysed using both online and installed versions of AVs.

Figure: Original Malware. Detection percentage (0 - 100) of the eight original samples (Win32.Bee, Win32.Benny, Win32.Blackcat, Win32.Bolzano, Win32.Crypto, Win32.Driller, Win32.Eva, Win32.Invictus), split into Exact and Heuristic detections.

Figure: Encoded Malware. Detection percentage (0 - 100) of the same eight samples after encoding, split into Exact and Heuristic detections.

Figure: Original vs. Encoded. Number of AVs (0 - 20) per detection-percentage bucket (0%, 12 - 30%, 50 - 90%, 100%), for the original and for the encoded samples.

Figure: Detection worsening. Number of AVs (0 - 20) per detection-percentage bucket (100%, 70 - 90%, 25 - 40%, < 13%, 0%).

Tests Conclusion
• AV is one of the most complicated applications
• Today’s most effective solution is signature detection
• However, AV research must target heuristic detection
• My current research focuses on machine learning for behavioural pattern recognition.


Behavioural Analysis
• Static analysis suffers from obfuscation techniques
• Most newly released malware is a variant of an existing one
• The real behaviour of malware is the one it shows at execution
• Current techniques try to decide whether an executable is benign by analysing its behaviour
• Cloud-based solutions are the future (or the present)

The idea

Classify malware in families through their behaviours.


New approach to malware detection
• Detect if a malware sample has already been analysed
• Analyse malware behaviour within an emulator
• Classify malware in families on the basis of its pattern
• Detect if known programs have been altered
• Zero Day is not our target.

Known problems
• Malware classification requires dealing with thousands of different classifiers (computationally feasible?)
• Behavioural feature filtering
• Code emulation (tens of solutions; which is the best?)

Hands-on


Malware Packing
• Use the packer to pack an executable
• Analyse the differences using PE-bear
• OllyDbg to debug the runtime behaviour.

Our First Malware with Shellter
• Download shellter: https://www.shellterproject.com/download/
• Download putty.exe: http://goo.gl/XbTF
• Execute shellter.exe and target putty.exe
• Select Metasploit payload bind_tcp

Shellcode Emulation with Libemu
• Download libemu: https://github.com/buffer/libemu
• Download Pylibemu: https://github.com/buffer/pylibemu
• python emuprofile.py < shellcode3.bin
• sctest -Sgs 1000000 -v -G test.dot < shellcode3.bin
• dot shellcode.dot -Tpng -o shellcode.png

Malware Reversing
• Olly Debugger to analyse the malicious executable
• Breakpoint on the extended resource section
• Debug the decoding process
• Identify the malicious shellcode

Special Thanks
Peter Ferrie, Principal Anti-virus Researcher
Antonio Forzieri, Cyber Security Practice Lead, EMEA
Gabriele Zanoni, EMEA Principal Solutions Architect

WE WANT YOU: THESIS AVAILABLE. For information: [email protected], [email protected]
