EVOLUTIONARY MALWARE CHALLENGING ANTI-VIRUS
Ing. Andrea Marcelli, PhD student
[email protected]
CAD Group
JOINT OPEN LAB
Slides and Test Programs: jimmy-sonny.github.io/EvoMalwareTalk/
Sub7
• Created by Mobman in 1999 (version 2)
• RAT (Remote Administration Tool)
• Made of 3 parts: Client, EditServer, Server
• It is a Trojan: it is difficult to legitimate its usage
• Download: www.aldocardoni.com/hack-soft/sub_seven.htm
Introduction
• People have complete faith in anti-virus (more than 80% * of computer users use it)
• However, protection mechanisms are less effective than we would expect
• Malware analysis is like a cat-and-mouse game
• We studied and developed malware obfuscation mechanisms for evaluating Anti-Virus products.
* Microsoft SIR Volume 18 - December 2014
Index
• Malware Introduction
• Anti-Virus
• Obfuscation Techniques
• What we have Developed & Test Results
• Our vision of Malware Detection
• Hands-on Session
Malware
/ malicious software /
• Trojan, Worms, Rootkits, Viruses…
• From “writing for fun” to “writing for profit”
Malware
/ malicious software /
• Polymorphic and Metamorphic malware
• TALK from Mikko Hypponen at DEFCON 19: https://www.youtube.com/watch?v=qPAUTsUr-Eg
Malware Production Line
• Buy exploits, 0Day, Shellcode (http://0day.today/ claims: “Injector is the ultimate database of exploits and vulnerabilities”)
• Create the Malware
• Infect Devices (botnet)
• Sell infected hosts.
Exploit Payout
https://www.zerodium.com/program.html
Ransomware
Anti-Virus
Detection Ratio vs. False Positive Ratio
Anti-Virus: detection approaches
• Geometric Detection
• Signature Detection
• Disassembler and State Machine
• Emulator
Example
CMP AX, 'MZ'          ; 66 3D 4D 5A
MOV EDI, 0x5A4D3D66   ; BF 66 3D 4D 5A
The same four bytes 66 3D 4D 5A form the whole first instruction and sit inside the immediate operand of the second. A raw byte signature cannot tell the two apart, so signature detection fails; a disassembler driven by a state machine does not, because it tracks instruction boundaries.
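The point made above, as an added example that is not code from the talk or its test programs: a plain substring scanner matches the four signature bytes in both snippets, while a toy length decoder (a tiny x86 state machine that knows only the opcodes used here, all of it constructed for this illustration) accepts a hit only when it starts on an instruction boundary.

```python
"""Raw byte signature vs. instruction-boundary-aware scan.

Added example, not code from the talk: the byte sequences, the signature and the
toy decoder are constructed for illustration. 66 3D 4D 5A is CMP AX, 0x5A4D
('MZ'); BF 66 3D 4D 5A is MOV EDI, 0x5A4D3D66, whose immediate operand merely
happens to contain the same four bytes.
"""
from typing import Iterator, List, Tuple

CMP_AX_MZ = bytes.fromhex("663D4D5A")       # cmp ax, 'MZ'
MOV_EDI_IMM = bytes.fromhex("BF663D4D5A")   # mov edi, 0x5A4D3D66
SIGNATURE = bytes.fromhex("663D4D5A")       # hypothetical signature for the CMP

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def naive_scan(code: bytes, sig: bytes = SIGNATURE) -> bool:
    """Plain substring search over raw bytes, blind to instruction boundaries."""
    return sig in code


def decode(code: bytes) -> Iterator[Tuple[int, str, int]]:
    """Toy x86 length decoder (a small state machine, not a full disassembler).

    Yields (offset, mnemonic, length) and understands only the 0x66 operand-size
    prefix, CMP eAX,imm (3D), MOV r32,imm32 (B8..BF), NOP (90) and RET (C3).
    Anything else is emitted as a one-byte 'db'.
    """
    i, n = 0, len(code)
    while i < n:
        start = i
        opsize16 = code[i] == 0x66      # operand-size override: 16-bit operands
        if opsize16:
            i += 1
            if i >= n:                  # dangling prefix at end of buffer
                yield start, "db", 1
                return
        op = code[i]
        imm_len = 2 if opsize16 else 4
        if op == 0x3D:
            i = min(n, i + 1 + imm_len)
            yield start, "cmp ax,imm16" if opsize16 else "cmp eax,imm32", i - start
        elif 0xB8 <= op <= 0xBF:
            reg = REG32[op - 0xB8]
            i = min(n, i + 1 + imm_len)
            yield start, f"mov {reg[1:] if opsize16 else reg},imm", i - start
        elif op == 0x90:
            i += 1
            yield start, "nop", 1
        elif op == 0xC3:
            i += 1
            yield start, "ret", 1
        else:
            i += 1
            yield start, "db", 1


def boundary_scan(code: bytes, sig: bytes = SIGNATURE) -> bool:
    """Count a signature hit only if it starts on an instruction boundary."""
    starts = {off for off, _, _ in decode(code)}
    pos = code.find(sig)
    while pos != -1:
        if pos in starts:
            return True
        pos = code.find(sig, pos + 1)
    return False


def listing(code: bytes) -> List[str]:
    """Human-readable view of what the toy decoder sees."""
    return [f"{off:02x}: {code[off:off + ln].hex(' ')}  {mn}" for off, mn, ln in decode(code)]


if __name__ == "__main__":
    for name, blob in (("cmp ax,'MZ'", CMP_AX_MZ), ("mov edi,imm32", MOV_EDI_IMM)):
        print(name, "naive:", naive_scan(blob), "boundary-aware:", boundary_scan(blob))
        print("\n".join(listing(blob)))
```

Running the block prints a naive hit for both snippets but a boundary-aware hit only for the CMP; a real engine replaces the toy decoder with a full-length decoder, but the principle is the same.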
Anti-Virus: detection approaches by kind of analysis
• Static analysis: Geometric Detection, Signature Detection, Disassembler and State Machine
• Dynamic analysis: Emulator
Anti-Virus: online multi-engine scanners compared by size (57 AV engines, 44 AV engines, 21 AV engines)
Anti AV Techniques
• Obfuscation Techniques
• Anti-Debugger
• Anti-Disassembly
• Anti-Emulation
• Portable Executable malformations
• Packing
GOAL: break static (dynamic) analysis
Hiding Techniques (timeline)
• 1988: Encrypted (Cascade)
• 1997: Oligomorphic (Memorial)
• 1998: Polymorphic (Crypto)
• 2002: Metamorphic (Zmist)
* Hunting for Metamorphic - Peter Ferrie and Peter Szor; http://z0mbie.daemonlab.org
Portable Executable
• File format for Windows Executables and DLLs
• Introduced in Windows NT 3.1
• It is a data structure that wraps executable code
• Headers: DOS Header, PE Header, Section Table
• Sections: .text, .data, .reloc, .debug, .import, .export
• PE-bear: https://hshrzd.wordpress.com/pe-bear/
Portable Executable: layout
• DOS Header: starts with MZ; a real, working DOS program
• PE Header: starts with PE00; File Header, Optional Header
• Section Table: Raw Address, Raw Size, Virtual Address, Virtual Size for each section
• .text: executable code, program entry point, jump table
• .data: global and static variables initialised at compile time
• .reloc: information about address relocation
Packer
• Original PE: DOS Header, PE Header, Section Table, Code, Import, Data
• Packed PE: Header, Packed Section, Stub Routine
• The original sections are compressed and encrypted into the packed section; a stub routine is added alongside it
Windows Loader
• Reads DOS Header, PE Header, Section Headers
• Creates a Virtual Address Space for the process
• Maps the sections in the address space and sets their attributes
• Performs base relocation (optionally)
• Loads DLLs and fixes the Import Table
• Creates the Stack and Heap
• Creates the initial thread and starts the process.
Shellcode
• Shellcode is a payload of raw executable code
• Originally used to obtain interactive shell access on the compromised system
• It has to fulfil special requirements: it has to be relocatable, load the libraries it needs, and be as short as possible
• The main difference between Windows and Unix shellcode is the way in which system calls are invoked
• Example: http://0day.today/exploit/20485
Adding code to PE
• Usually used to inject shellcode
• Adding code to an existing section (cavity viruses)
• Enlarge an existing section (could be tricky)
• Add an entirely new section.
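An added example covering the PE layout, the packer and the code-adding slides above (not code from the talk or its test programs): it parses the DOS header, PE header and section table as described, then applies the loader-style checks an analyst would run first on a suspect file. The two PE images are constructed inline with struct and are not loadable programs; the heuristics (writable+executable section, high-entropy section, entry point in an appended last section) and the entropy threshold are assumptions chosen for illustration.

```python
"""Parse the PE layout described above (DOS header, PE header, section table)
and apply a few loader-style sanity checks that packed or code-injected PEs
tend to trip. Added example, not code from the talk: the two PE images are
constructed inline with struct and are not runnable programs; the heuristics
and the entropy threshold are assumptions for illustration.
"""
import math
import struct
from typing import Dict, List

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data: bytes) -> Dict:
    """Return magic, entry point RVA and section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature in DOS header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]       # offset of PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                       # IMAGE_FILE_HEADER
    nsect = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20                                           # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]            # 0x10B PE32 / 0x20B PE32+
    entry = struct.unpack_from("<I", data, opt + 16)[0]       # AddressOfEntryPoint
    sections: List[Dict] = []
    table = opt + opt_size                                    # first IMAGE_SECTION_HEADER
    for k in range(nsect):
        name, vsize, vaddr, rsize, raw, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, table + 40 * k)
        sections.append(dict(name=name.rstrip(b"\0").decode(errors="replace"),
                             vsize=vsize, vaddr=vaddr, rsize=rsize, raw=raw,
                             chars=chars, data=data[raw:raw + rsize]))
    return dict(magic=magic, entry=entry, sections=sections)


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (8.0 = uniformly random, typical of packed data)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in (buf.count(b) for b in set(buf)))


def check_pe(data: bytes) -> List[str]:
    """Heuristic findings (assumed thresholds): RWX sections, high-entropy sections,
    entry point outside every section or inside an appended last section."""
    pe = parse_pe(data)
    findings, ep_section = [], None
    for s in pe["sections"]:
        if s["vaddr"] <= pe["entry"] < s["vaddr"] + max(s["vsize"], s["rsize"]):
            ep_section = s
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"section {s['name']} is writable and executable")
        if entropy(s["data"]) > 7.0:
            findings.append(f"section {s['name']} has high entropy (packed or encrypted?)")
    if ep_section is None:
        findings.append("entry point outside every section")
    elif len(pe["sections"]) > 1 and ep_section is pe["sections"][-1]:
        findings.append(f"entry point in last section {ep_section['name']} (appended code?)")
    return findings


def build_pe(sections, entry_rva: int) -> bytes:
    """Assemble a minimal PE32 image from (name, rva, characteristics, bytes) tuples.
    Constructed test input only: most header fields are zero and it is not loadable."""
    opt_size = 96                                             # PE32 optional header, no data directories
    hdr_len = 64 + 4 + 20 + opt_size + 40 * len(sections)
    raw0 = (hdr_len + 0x1FF) & ~0x1FF                         # file alignment 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva, 0).ljust(opt_size, b"\0")
    table, body = b"", b""
    for name, rva, chars, content in sections:
        rsize = (len(content) + 0x1FF) & ~0x1FF
        table += struct.pack("<8sIIIIIIHHI", name, len(content), rva, rsize,
                             raw0 + len(body), 0, 0, 0, 0, chars)
        body += content.ljust(rsize, b"\0")
    return (dos + b"PE\0\0" + coff + opt + table).ljust(raw0, b"\0") + body


CODE = b"\x55\x8B\xEC\x33\xC0\x5D\xC3"   # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
TEXT = 0x60000020                         # CNT_CODE | MEM_EXECUTE | MEM_READ
DATA = 0xC0000040                         # CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE
RWX = 0xE0000020                          # CNT_CODE | EXECUTE | READ | WRITE

CLEAN_PE = build_pe([(b".text", 0x1000, TEXT, CODE), (b".data", 0x2000, DATA, b"\0" * 16)], 0x1000)
# Same image with a high-entropy RWX section appended and the entry point moved into it
SUSPECT_PE = build_pe([(b".text", 0x1000, TEXT, CODE), (b".data", 0x2000, DATA, b"\0" * 16),
                       (b".pack", 0x3000, RWX, bytes(range(256)) * 4)], 0x3000)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_PE), ("suspect", SUSPECT_PE)):
        print(label, [s["name"] for s in parse_pe(img)["sections"]], check_pe(img))
```

The clean image yields no findings; the image with an appended section trips all three checks. On real files these are triage hints, not verdicts: legitimate packers and some runtimes produce the same signals, which is exactly why the slides pair static parsing with an emulator.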
What we have developed
• Evolutionary Opcode Generator
• Shellcode Injector
• Ad-hoc packer
What we have developed: publications
• Evolutionary Opcode Generator: Malware Obfuscation through Evolutionary Packer, GECCO 2015
• Shellcode Injector: Challenging Anti-Virus through Evolutionary Malware Obfuscation, Evo* 2016
• Ad-hoc packer
Evolutionary Opcode Generator
• Goal: create an encoding and a decoding function using x86 ASM
• An opcode is the binary representation of an assembly instruction
• No assembly and linking phase
• It exploits Evolutionary Algorithms.
What we have developed
• Evolutionary Opcode Generator
• Shellcode Injector
• Ad-hoc Packer: Towards automated Malware Creation: code generation and code integration. ACM Symposium on Applied Computing
Shellcode Injector
• Goal: obfuscate and inject a portion of malicious code
• Used in combination with shellcode
• Shellcode is a raw, self-contained and relocatable code
• The encoded shellcode, together with a decoding routine, is injected in the target executable.
Evolutionary Payload Result (detection rate)
                          Uncoded   Code Evolution 1   Code Evolution 2   Code Evolution 3
Virus Total (57 AVs)      61%       4%                 4%                 2%
Opswat Metascan (44 AVs)  56%       9%                 7%                 2%
Ad-hoc Packer
• Generates a new encoded version of a program, plus an unpacker
• It acts on the whole executable
• Not necessarily malicious
• Tests target the Portable Executable file format.
Tests
• Eight recent virus samples for Windows 32bit
• All have been successfully packed
• Manually debugged to verify functionalities
• Analysed using both Online and Installed versions of AVs.
[Chart] Original Malware: detection percentage (0–100) per sample, exact vs. heuristic detection, for Win32.Bee, Win32.Benny, Win32.Blackcat, Win32.Bolzano, Win32.Crypto, Win32.Driller, Win32.Eva, Win32.Invictus.
[Chart] Encoded Malware: detection percentage (0–100) per sample, exact vs. heuristic detection, for the same eight samples after encoding.
[Chart] Original vs. Encoded: number of AVs (0–20) per detection-percentage bin (0%, 12–30%, 50–90%, 100%), original and encoded side by side.
[Chart] Detection worsening: number of AVs (0–20) per detection-percentage bin (100%, 70–90%, 25–40%, <13%, 0%).
Tests Conclusion
• AV is one of the most complicated applications
• Today’s most effective solution is signature detection
• However, AV research must target heuristic detection
• My current research focuses on machine learning for behavioural pattern recognition.
Behavioural Analysis
• Static analysis suffers from obfuscation techniques
• Most new malware released is a variant of an existing one
• The real malware behaviour is the one shown during execution
• Current techniques try to decide whether an executable is good or bad by analysing its behaviour
• Cloud-based solutions are the future (or the present)
The idea
Classify malware in families through their behaviours.
New approach to malware detection
• Detect if a malware sample has already been analysed
• Analyse malware behaviour within an emulator
• Classify malware in families on the basis of its pattern
• Detect if known programs have been altered
• Zero Day is not our target.
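The family-classification idea above, as an added example (not code from the talk or the author's research): behaviours observed in a sandbox-style trace are reduced to a set of (API, coarse argument class) features, a family profile keeps the features shared by its known samples, and a new sample goes to the nearest profile by Jaccard similarity or is left as "unknown" when nothing is close enough, which matches the stated choice not to target zero-days. The traces, family names, feature encoding and both thresholds are constructed or assumed for illustration.

```python
"""Classify a sample into a malware family from its observed behaviour.

Added example, not code from the talk: the sandbox-style traces, family names,
feature encoding, support and similarity thresholds are all constructed or
assumed for illustration.
"""
from collections import Counter
from typing import Dict, List, Set, Tuple

Feature = Tuple[str, str]   # (API name, coarse argument class)

# Constructed, labelled traces: two known samples per family
TRAINING: Dict[str, List[List[Feature]]] = {
    "FamilyA": [
        [("RegSetValue", "run-key"), ("CreateFile", "appdata"), ("InternetOpen", "http"), ("CreateThread", "remote")],
        [("RegSetValue", "run-key"), ("CreateFile", "appdata"), ("InternetOpen", "http"), ("Sleep", "long")],
    ],
    "FamilyB": [
        [("CryptEncrypt", "user-file"), ("FindFirstFile", "documents"), ("CreateFile", "note")],
        [("CryptEncrypt", "user-file"), ("FindFirstFile", "documents"), ("DeleteFile", "shadow-copy")],
    ],
}


def features(trace: List[Feature]) -> Set[Feature]:
    """Order-insensitive behaviour set; repeated calls count once."""
    return set(trace)


def build_profiles(training: Dict[str, List[List[Feature]]],
                   min_support: float = 0.6) -> Dict[str, Set[Feature]]:
    """A family profile keeps only behaviours seen in at least min_support of the
    family's samples (with two samples per family: seen in both), so one-off calls
    of a single sample do not define the family."""
    profiles = {}
    for family, traces in training.items():
        counts = Counter(f for t in traces for f in features(t))
        profiles[family] = {f for f, c in counts.items() if c / len(traces) >= min_support}
    return profiles


def jaccard(a: Set, b: Set) -> float:
    return len(a & b) / len(a | b) if (a or b) else 0.0


def classify(trace: List[Feature], profiles: Dict[str, Set[Feature]],
             threshold: float = 0.3) -> Tuple[str, float]:
    """Nearest family by Jaccard similarity; below the threshold the sample is
    reported as 'unknown' rather than forced into a family."""
    fs = features(trace)
    family, score = max(((fam, jaccard(fs, p)) for fam, p in profiles.items()),
                        key=lambda x: x[1])
    return (family, score) if score >= threshold else ("unknown", score)


PROFILES = build_profiles(TRAINING)

# Constructed test traces: a FamilyA variant that skips one behaviour and adds a
# benign-looking one, and an unrelated program that shares nothing with either family
VARIANT_A = [("RegSetValue", "run-key"), ("InternetOpen", "http"), ("Sleep", "long")]
UNRELATED = [("MessageBox", "text"), ("CreateFile", "temp")]

if __name__ == "__main__":
    for name, t in (("variant", VARIANT_A), ("unrelated", UNRELATED)):
        print(name, classify(t, PROFILES))
```

The variant lands in FamilyA with similarity 0.5 even though it is not byte-identical to any training sample, which is the property static signatures lack; the unrelated trace scores 0 against both profiles and is reported as unknown instead of being misfiled.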
Known problems
• Malware classification requires dealing with thousands of different classifiers (computationally feasible?)
• Behavioural feature filtering
• Code emulation (tens of solutions; which is the best?)
Hands-on
Malware Packing
• Use the packer to pack an executable
• Analyse the differences using PE-bear
• Use OllyDbg to debug the runtime behaviour.
Our First Malware with Shellter
• Download Shellter: https://www.shellterproject.com/download/
• Download putty.exe: http://goo.gl/XbTF
• Execute shellter.exe and target putty.exe
• Select the Metasploit payload bind_tcp
Shellcode Emulation with Libemu
• Download libemu: https://github.com/buffer/libemu
• Download Pylibemu: https://github.com/buffer/pylibemu
• python emuprofile.py < shellcode3.bin
• sctest -Sgs 1000000 -v -G shellcode.dot < shellcode3.bin
• dot shellcode.dot -Tpng -o shellcode.png
Malware Reversing
• Olly Debugger to analyse the malicious executable
• Breakpoint on the extended resource section
• Debug the decoding process
• Identify the malicious shellcode
Special Thanks
Peter Ferrie, Principal Anti-virus Researcher
Antonio Forzieri, Cyber Security Practice Lead, EMEA
Gabriele Zanoni, EMEA Principal Solutions Architect
WE WANT YOU: THESIS AVAILABLE. For information:
[email protected] [email protected]