CSC 497/583 Advanced Topics in Computer Security: Modern Malware Analysis, Anti-virus Software



Presentation Transcript

  • 1.CSC 497/583 Advanced Topics in Computer Security: Modern Malware Analysis. Anti-virus Software, Dynamic Heuristic Analysis. Si Chen (schen@wcupa.edu), Class 13
  • 2.What we’ve learned so far... Basic analysis: quickly glean information from the sample(s); it helps guide and focus the advanced analysis.
  • 3.What we’ve learned so far... Advanced analysis, static: used to see what is going on, confirm suspicions raised during basic analysis, and identify functionality. Advanced analysis, dynamic: control the program, take new code paths, change data.
  • 4.What we’ve learned so far... Windows API and system internals: How does malware interact with Windows? How does Windows make malware authors’ lives easier? How does it make their lives harder?
  • 5.Anti-virus: how they actually work. Modern AV scans the system in real time. Data is analyzed according to its origin, i.e. the source of the data, and the scanner operates differently depending on that source.
  • 6.Anti-virus working, top-level view: if the data is found to be malicious, it is not copied to the destination location (here the destination is the hard disk).
  • 7.One of two possibilities takes place: when the data is found to be legitimate, the scanner forwards it to the destination location; when a virus is detected, a warning is sent to the UI for the user’s action. The interface varies by product.
  • 8.Process flow of an AV scanner scanning data in real time.
  • 9.AV detection techniques (scan engines). Signature-based detection (sometimes called “string-based” detection): the AV maintains a dictionary of signatures of known viruses, malware, spyware, etc. This dictionary is stored on the client side, usually in a binary format. Next-generation signature-based detection. Disadvantage?
  • 10.AV detection techniques(Scan - Engines) Example: https://www.cs.wcupa.edu/schen/csc497/VirusShare_00001.md5
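The linked VirusShare list is a hash dictionary, one digest per known file. The block below is an added example (not code from the course) that puts such a dictionary beside a byte-pattern signature with wildcards and scans a constructed sample and a one-byte variant of it; the sample bytes, the detection name and the hex signature are all made up for the demonstration. It answers the slide's “Disadvantage?” in code: a hash only ever matches the exact file it was taken from.

```python
"""Added example (not from the course): a hash-signature dictionary like the
VirusShare list beside a wildcard byte-pattern ("string") signature, scanned
over a constructed sample and a one-byte variant of it."""
import hashlib
import re

# Constructed sample: a fake PE-ish blob. The bytes 'E8 xx xx xx xx 5D' are
# the classic call/pop "get EIP" idiom used by position-independent code
# and unpacking stubs, a plausible thing to write a pattern signature on.
SAMPLE = (b"MZ" + b"\x00" * 30
          + b"\xe8\x00\x00\x00\x00\x5d\x81\xed\x10\x20\x40\x00"
          + b"\x00" * 30)

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

# Hash dictionary: one entry per known file, built from the sample here.
# A real engine ships millions of such digests.
HASH_SIGNATURES = {md5_hex(SAMPLE): "Trojan.Constructed.A"}   # assumed name

def compile_hex_sig(hex_sig: str) -> re.Pattern:
    """Turn 'E8 ?? ?? ?? ?? 5D 81 ED' into a compiled bytes regex, where
    '??' matches any single byte (YARA-style hex-string notation)."""
    parts = []
    for tok in hex_sig.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)

# Pattern ("string") signatures: compiled pattern plus detection name.
PATTERN_SIGNATURES = [
    (compile_hex_sig("E8 ?? ?? ?? ?? 5D 81 ED"), "Trojan.Constructed.A"),
]

def scan_by_hash(data: bytes):
    """Exact-file match: hit only if the whole file is already catalogued."""
    return HASH_SIGNATURES.get(md5_hex(data))

def scan_by_pattern(data: bytes):
    """Content match: hit if any signature pattern occurs anywhere."""
    for pat, name in PATTERN_SIGNATURES:
        if pat.search(data):
            return name
    return None

def scan(data: bytes) -> dict:
    return {"hash": scan_by_hash(data), "pattern": scan_by_pattern(data)}

def variant(data: bytes) -> bytes:
    """The attacker's cheapest rebuild: flip one bit of the call
    displacement (a wildcarded byte). The digest changes, the idiom stays."""
    i = data.index(b"\xe8") + 1
    return data[:i] + bytes([data[i] ^ 0x01]) + data[i + 1:]

if __name__ == "__main__":
    print(scan(SAMPLE))            # both engines hit
    print(scan(variant(SAMPLE)))   # hash misses, pattern still hits
```

The hash dictionary is cheap to ship and to query, but every recompile, repack or appended byte produces a digest it has never seen; the wildcard pattern survives the change because it keys on the idiom rather than the file.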
  • 11.Heuristic-based detection: used to detect new, unknown viruses that have not yet been identified. Based on piece-by-piece examination of the code, looking for the sequences of instructions that distinguish a virus from ‘normal programs’. Disadvantage? Example: Lab 1.
  • 12.AV bypassing techniques
  • 13.Packed and Obfuscated Malware. Malware writers often use packing or obfuscation to make their files more difficult to detect or analyze. Obfuscated programs are ones whose execution the malware author has attempted to hide. Packed programs are a subset of obfuscated programs in which the malicious program is compressed (or encrypted) and cannot be analyzed until it has been unpacked. Both techniques severely limit static analysis of the malware.
  • 14.Packers and Crypters
  • 15.Packed and Obfuscated Malware
  • 16.Binders and Packers: Binders
  • 17.Splitting the File and Code Obfuscation. These are programs that split a single file into a number of small files. One changes some code in one small chunk to evade AV detection, joins the chunks again, and scans the result to check whether the AV still flags it as malicious. A trial-and-error method of finding which bytes the signature matches.
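As an added example covering slides 13 to 17 (not the course's code, everything constructed): a toy crypter that stream-XORs a payload so the on-disk bytes no longer contain the signature, the Shannon-entropy heuristic that still flags the result as packed, and the split-and-scan search from slide 17 that locates the exact bytes a string signature reacts to so they can be altered. The payload, the signature string, the scanner and the 7.0 entropy threshold are assumptions for the demonstration.

```python
"""Added example (not from the course slides): a toy crypter, the entropy
heuristic that flags its output, and the split-and-scan method of locating
the bytes a signature keys on. All inputs are constructed."""
import math
import random

# Constructed stand-in for a malicious executable: padding around one
# string a signature would match on.
SIGNATURE = b"cmd.exe /c vssadmin delete shadows"
PAYLOAD = b"MZ" + b"\x00" * 2000 + SIGNATURE + b"\x90" * 2000

def av_scan(data: bytes) -> bool:
    """The 'black box' AV: a single string signature."""
    return SIGNATURE in data

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for constant data, near 8 for random-looking data."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

# --- crypter: XOR the whole payload with a PRNG keystream -----------------
def keystream(seed: int, n: int) -> bytes:
    rng = random.Random(seed)              # deterministic so the demo repeats
    return bytes(rng.getrandbits(8) for _ in range(n))

def pack(payload: bytes, seed: int) -> bytes:
    """Emit [4-byte seed][ciphertext]. A real crypter prepends a stub that
    performs unpack() in memory at run time, so nothing on disk matches."""
    ks = keystream(seed, len(payload))
    return seed.to_bytes(4, "big") + bytes(p ^ k for p, k in zip(payload, ks))

def unpack(packed: bytes) -> bytes:
    seed, body = int.from_bytes(packed[:4], "big"), packed[4:]
    ks = keystream(seed, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))

ENTROPY_THRESHOLD = 7.0   # assumed rule of thumb for "unusual entropy"

def looks_packed(data: bytes) -> bool:
    """The static heuristic: compressed or encrypted bodies look random."""
    return shannon_entropy(data) > ENTROPY_THRESHOLD

# --- split-and-scan: find which bytes the AV is reacting to ---------------
def locate_signature(data: bytes, scan) -> tuple:
    """Binary-search the smallest prefix that still triggers (signature
    end), then the largest suffix start that still triggers (signature
    start). Assumes one contiguous signature, as the slide's method does."""
    lo, hi = 0, len(data)
    while lo < hi:                         # smallest end with scan(data[:end])
        mid = (lo + hi) // 2
        if scan(data[:mid]):
            hi = mid
        else:
            lo = mid + 1
    end = lo
    lo, hi = 0, end
    while lo < hi:                         # largest start with scan(data[start:end])
        mid = (lo + hi + 1) // 2
        if scan(data[mid:end]):
            lo = mid
        else:
            hi = mid - 1
    return lo, end

def patch_out(data: bytes, start: int, end: int) -> bytes:
    """Overwrite the located bytes (here with NOP filler) so the scan misses."""
    return data[:start] + b"\x90" * (end - start) + data[end:]

def demo() -> dict:
    packed = pack(PAYLOAD, 42)
    start, end = locate_signature(PAYLOAD, av_scan)
    return {
        "plain_detected": av_scan(PAYLOAD),
        "packed_detected": av_scan(packed),
        "plain_entropy": round(shannon_entropy(PAYLOAD), 2),
        "packed_entropy": round(shannon_entropy(packed), 2),
        "packed_flagged": looks_packed(packed),
        "roundtrip_ok": unpack(packed) == PAYLOAD,
        "located": PAYLOAD[start:end],
        "patched_detected": av_scan(patch_out(PAYLOAD, start, end)),
    }
```

The two halves of the block are the two sides of the arms race on these slides: packing defeats the string signature outright, but the entropy of the packed body is exactly what the heuristic engine's "unusual entropy" rule (slide 22) keys on, and the split-and-scan search shows how cheaply an author can find and rewrite the bytes a pure string signature depends on.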
  • 18.Behavior-based detection: observes how the program actually executes, rather than merely emulating its execution, and identifies malware by looking for suspicious behavior. Disadvantage?
  • 19.Sandboxing-based detection. What is a “sandbox”? An isolated environment in which the files to be scanned are run while their activity is monitored.
  • 20.Heuristic Engines. Heuristic engines are essentially statistical and rule-based analysis mechanisms. Their main purpose is detecting new-generation (previously unknown) viruses by categorizing code fragments and assigning them threat/risk grades according to predefined criteria. Heuristic engines are the most advanced part of AV products and use a significant number of rules and criteria. Since no anti-virus company releases blueprints or documentation for its heuristic engine, all known criteria of their threat/risk grading policies have been found by trial and error.
  • 21.Dynamic Heuristic Analysis. Run the unknown sample in an instrumented environment (a PE file may touch the C:\, D:\ and E:\ drives, the Windows and System32 folders and system files) and monitor its behavior, logging each function call, its parameters, etc. A malware expert then uses the log file to find the key features and adds them to the malware database.
  • 22.Some of the known rules about threat grading:
    – Decryption loop detected
    – Reads active computer name
    – Reads the cryptographic machine GUID
    – Contacts random domain names
    – Reads the Windows installation date
    – Drops executable files
    – Found potential IP address in binary memory
    – Modifies proxy settings
    – Installs hooks / patches the running process
    – Injects into explorer
    – Injects into remote process
    – Queries process information
    – Sets the process error mode to suppress error box
    – Unusual entropy
    – Possibly checks for the presence of antivirus engine
    – Monitors specific registry key for changes
  • 23.Some of the known rules about threat grading (continued):
    – Contains ability to elevate privileges
    – Modifies software policy settings
    – Reads the system/video BIOS version
    – Entry point in PE header is within an uncommon section
    – Creates guarded memory regions
    – Spawns a lot of processes
    – Tries to sleep for a long time
    – Unusual sections
    – Reads Windows product ID
    – Contains decryption loop
    – Contains ability to start/interact with device drivers
    – Contains ability to block user input
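The following is an added example (not the course's code) of what slides 20 to 23 describe put together: a rule-based grader that reads an API-call log of the kind dynamic heuristic analysis produces and scores it against rules named after the list above. The log format, the trace itself, the weights and the verdict thresholds are assumptions; real engines keep theirs secret, which is why the slide says the rules are known only by trial and error.

```python
"""Added example, not the course's code: a rule-based threat grader over a
constructed API-call trace. Log format, weights and thresholds are assumed;
the rule names mirror the slides' list of known grading rules."""
import re

# Constructed trace, one sample: "<seconds> <API>(<comma-separated args>)".
TRACE = """\
0.001 GetComputerNameW()
0.002 RegOpenKeyExW(HKLM\\SOFTWARE\\Microsoft\\Cryptography)
0.003 RegQueryValueExW(MachineGuid)
0.010 CreateFileW(C:\\Users\\lab\\AppData\\Local\\Temp\\upd.exe, GENERIC_WRITE)
0.011 WriteFile(C:\\Users\\lab\\AppData\\Local\\Temp\\upd.exe, 48128)
0.020 OpenProcess(explorer.exe, PROCESS_ALL_ACCESS)
0.021 VirtualAllocEx(explorer.exe, 4096, PAGE_EXECUTE_READWRITE)
0.022 WriteProcessMemory(explorer.exe, 4096)
0.023 CreateRemoteThread(explorer.exe)
0.030 SetErrorMode(SEM_NOGPFAULTERRORBOX)
0.031 Sleep(600000)
"""

LINE_RE = re.compile(r"^(?P<t>[\d.]+)\s+(?P<api>\w+)\((?P<args>.*)\)$")

def parse(trace: str) -> list:
    """Turn the text log into events: {'t': float, 'api': str, 'args': [str]}."""
    events = []
    for line in trace.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            events.append({"t": float(m["t"]), "api": m["api"], "args": args})
    return events

def _calls(events, api):
    return [e for e in events if e["api"] == api]

# --- one predicate per rule; each looks at the whole event list ------------
def reads_computer_name(ev):
    return bool(_calls(ev, "GetComputerNameW"))

def reads_machine_guid(ev):
    return any("MachineGuid" in a for e in _calls(ev, "RegQueryValueExW") for a in e["args"])

def drops_executable(ev):
    written = {e["args"][0].lower() for e in _calls(ev, "WriteFile") if e["args"]}
    return any(p.endswith((".exe", ".dll")) for p in written)

def injects_into_remote_process(ev):
    # write into another process, then start a thread in it
    targets = {e["args"][0] for e in _calls(ev, "WriteProcessMemory") if e["args"]}
    return any(e["args"] and e["args"][0] in targets for e in _calls(ev, "CreateRemoteThread"))

def injects_into_explorer(ev):
    return any(e["args"] and e["args"][0].lower() == "explorer.exe"
               for e in _calls(ev, "CreateRemoteThread"))

def suppresses_error_box(ev):
    return any("SEM_NOGPFAULTERRORBOX" in a for e in _calls(ev, "SetErrorMode") for a in e["args"])

def sleeps_long(ev, ms=300_000):
    return any(e["args"] and int(e["args"][0]) >= ms for e in _calls(ev, "Sleep"))

def spawns_many_processes(ev, n=10):
    return len(_calls(ev, "CreateProcessW")) >= n

# (rule name from the slides, assumed weight, predicate)
RULES = [
    ("Reads active computer name", 1, reads_computer_name),
    ("Reads the cryptographic machine GUID", 2, reads_machine_guid),
    ("Drops executable files", 3, drops_executable),
    ("Injects into remote process", 4, injects_into_remote_process),
    ("Injects into explorer", 5, injects_into_explorer),
    ("Sets the process error mode to suppress error box", 2, suppresses_error_box),
    ("Tries to sleep for a long time", 2, sleeps_long),
    ("Spawns a lot of processes", 2, spawns_many_processes),
]

def grade(trace: str) -> dict:
    """Sum the weights of every rule that fires and map the total to a verdict."""
    ev = parse(trace)
    hits = [(name, w) for name, w, pred in RULES if pred(ev)]
    score = sum(w for _, w in hits)
    verdict = "malicious" if score >= 10 else "suspicious" if score >= 4 else "clean"
    return {"score": score, "verdict": verdict, "rules": [n for n, _ in hits]}

if __name__ == "__main__":
    print(grade(TRACE))
```

Note how weak the individual rules are on their own: reading the computer name is something every installer does, and the grade only becomes convincing when several independent behaviors co-occur, which is also why an author who knows the weights can stay under the threshold by spreading the behaviors across processes or time.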
  • 25.Experiment. In today’s experiment we monitor the behavior of a ransomware sample, generate a log file, and analyze it.
  • 26.Ransomware. Ransomware is a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid.
  • 27.Experiment. Malware behaviors: find all .docx files in the current folder and rename each one to its CRC32 (hash) value; XOR the first 16 bytes of each file with 0x01 to simulate file encryption; generate a .txt file asking for money (or bitcoin); delete itself, the best way to protect itself.
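As an added example (not the lab's sample), the file behavior slide 27 describes, reproduced only inside a temporary directory the script creates and removes itself, together with the inverse an analyst would write after reading the behavior log. The note filename, the ransom text and the .docx contents are constructed; the self-deletion step is described on the slide and deliberately not reproduced.

```python
"""Added example, not the lab's sample: the .docx behaviour from slide 27
(rename to CRC32, XOR the first 16 bytes with 0x01, drop a note) confined
to a temp directory, plus the decryptor. Note name and contents are assumed."""
import os
import shutil
import tempfile
import zlib

NOTE_NAME = "HOW_TO_RECOVER.txt"   # assumed; the slide only says "a txt file"
NOTE_TEXT = "Your files have been encrypted. Send bitcoin to get them back.\n"

def crc32_name(data: bytes) -> str:
    """CRC32 of the file content as 8 hex digits: the new filename."""
    return "%08x" % (zlib.crc32(data) & 0xFFFFFFFF)

def xor_head(data: bytes, key: int = 0x01, n: int = 16) -> bytes:
    """'Encrypt' by XORing the first n bytes with key. XOR is its own
    inverse, so applying it a second time restores the original."""
    return bytes(b ^ key for b in data[:n]) + data[n:]

def simulate(folder: str) -> dict:
    """Rename every .docx to its CRC32, XOR its head, drop the note.
    Returns {new_name: original_name} so the demo can undo itself."""
    mapping = {}
    for name in sorted(os.listdir(folder)):
        if not name.lower().endswith(".docx"):
            continue
        path = os.path.join(folder, name)
        with open(path, "rb") as f:
            data = f.read()
        new_name = crc32_name(data)        # hash of the original bytes
        with open(os.path.join(folder, new_name), "wb") as f:
            f.write(xor_head(data))
        os.remove(path)
        mapping[new_name] = name
    with open(os.path.join(folder, NOTE_NAME), "w") as f:
        f.write(NOTE_TEXT)
    return mapping

def restore(folder: str, mapping: dict) -> None:
    """The analyst's decryptor for this toy scheme: XOR the head back and
    put the original names back. The CRC32 name cannot be inverted on its
    own, which is why the mapping (or the behavior log) is needed."""
    for new_name, name in mapping.items():
        path = os.path.join(folder, new_name)
        with open(path, "rb") as f:
            data = f.read()
        with open(os.path.join(folder, name), "wb") as f:
            f.write(xor_head(data))
        os.remove(path)
    os.remove(os.path.join(folder, NOTE_NAME))

def demo() -> dict:
    """Create constructed files, run the behavior, capture the directory
    state, restore, and report whether the round trip held."""
    folder = tempfile.mkdtemp(prefix="ransim_")
    try:
        originals = {
            "report.docx": b"PK\x03\x04" + b"quarterly report" * 4,
            "notes.docx": b"PK\x03\x04" + b"meeting notes" * 4,
            "readme.txt": b"not a target",
        }
        for name, data in originals.items():
            with open(os.path.join(folder, name), "wb") as f:
                f.write(data)
        mapping = simulate(folder)
        after = sorted(os.listdir(folder))
        restore(folder, mapping)
        recovered = {}
        for name in originals:
            with open(os.path.join(folder, name), "rb") as f:
                recovered[name] = f.read()
        return {"after": after, "mapping": mapping,
                "recovered_ok": recovered == originals}
    finally:
        shutil.rmtree(folder)

if __name__ == "__main__":
    print(demo())
```

Run under a monitor, this produces exactly the kind of trace the experiment asks for: a directory enumeration, a read and a write per .docx, a delete of the original, and one extra file creation for the note, which is the pattern a behavior rule for ransomware keys on.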
  • 28.Q & A