Now You See Me, Now You Don’t: Chasing Evasive Malware
Giovanni Vigna
CTO @ Lastline, Inc. and Professor @ Department of Computer Science, University of California Santa Barbara
Who am I?
• Co-founder and CTO at Lastline, Inc.
– Lastline offers protection against zero-day threats and advanced malware
• Professor of Computer Science at the University of California in Santa Barbara
– Many system security papers in academic conferences
– Started malware research around 2004, focusing on evasive malware
– Built and made available to the public practical systems (Anubis, Wepawet, Revolver, …)
– Lead Shellphish, the longest-running hacking team at DefCon’s CTF
Malware Evolution
[Chart: $$ damage (hundreds, thousands, hundreds of thousands, millions, billions) against time, rising from cybervandalism through cybercrime to targeted attacks and cyberwarfare]
AV Can’t Keep Up
Arms Race(s)
[Diagram: two parallel arms races. Binaries: malicious binary vs. signature-based anti-virus; obfuscated/polymorphic malicious binary vs. behavior-based anti-malware (sandbox); then evasive malicious binary. JavaScript: malicious JavaScript vs. signature-based web gateways; obfuscated/polymorphic malicious JavaScript vs. behavior-based anti-malware (honeyclient); then evasive malicious JavaScript]
An Evasion Framework
[Diagram: a producer creates an artifact with its provenance; the analysis system labels or blocks it by comparing it against known malicious and known benign artifacts/provenance; the target system executes or displays it; the consumer activates it]
An Evasion Framework
                      Analysis System   Target System   Consumer
SPAM                  X                 N/A             N/A
Phishing              X                 N/A             X
Social Engineering    N/A               N/A             X
Malware Installs      N/A (*)           N/A             X
Malicious Documents   X                 X               X
Malicious Web Pages   X                 X               N/A
Malicious Binaries    X                 N/A             N/A
(*) First downloader
Evading Static Analysis
• Static analysis techniques can be evaded by making the (relevant) code unavailable
– Packing/encrypting
– Delaying the inclusion of code
• Static analysis techniques can be evaded by exploiting differences in the parsing capabilities of the target system vs. analysis system
– Parsing the executable (the target is the OS)
– Parsing the document (the target is the Office application)
• Static analysis techniques can be foiled by making certain operations depend on values known only at run-time
– Table lookups based on user-provided input
Evading Static Analysis 
• The code is stored encoded in the registry and executed using an intricate command line:
rundll32.exe "javascript:..mshtml,RunHTMLApplication 
;document.write(74script 
language=jscript.encode>+(new%20ActiveXObject(WScript.Shell)). 
RegRead(HKCUsoftwaremicrosoftwindowscurrentversionrun 
)+74/script>)"
Evading Dynamic Analysis
• Dynamic analysis techniques can be evaded by fingerprinting the environment (and not executing)
– Detection of modified environment
• Instrumented libs
• Auxiliary processes/services
– Detection of specific HW/SW configurations
• Devices
• Users
• File names
Evading Dynamic Analysis
• Dynamic analysis techniques can be evaded by exploiting differences in the execution capabilities of the target system vs. analysis system
– Semantics (virtualization/emulation introduces differences)
– Speed (analysis systems are usually slower)
– Available resources (analysis has a finite, limited time)
• Sleeping
• Stalling loops
Evading Dynamic Analysis
• Dynamic analysis can be evaded by checking for the presence of a human (“reverse Turing test”)
– Keyboard/mouse is attached
– Mouse moves
• These activities cannot be too obvious or the user will become suspicious
Visibility Matters
[Diagram: traditional sandboxes observe only a narrow slice of execution, while full-system emulation also covers the part where important behaviors and evasion happen]
What Needs to Be Done (Now)
• Use the evasive behavior as a signal for detection
– Detect fingerprinting
– Detect failures to execute
• Rely on binary-level program analysis techniques to identify stalling
– Characterize program evolution
– Identify loops and push through
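As an added example (not from the talk), the evasion techniques of the previous slides turned into the detection signals this slide asks for, run over a sandbox API trace. The trace format, the API groupings and the thresholds are assumptions, and both traces are constructed rather than real captures.

```python
"""Turn the evasive behaviors the talk lists into detection signals over a sandbox API trace.
Example code, not from the talk; trace format, API groupings and thresholds are assumptions."""
from collections import Counter

# Environment-probing APIs grouped by what they fingerprint (assumed grouping).
FINGERPRINT_APIS = {
    "devices": {"SetupDiEnumDeviceInfo", "GetSystemFirmwareTable"},
    "users": {"GetUserNameW", "GetComputerNameW"},
    "files": {"GetFileAttributesW", "FindFirstFileW"},
    "processes": {"EnumProcesses", "CreateToolhelp32Snapshot"},
    "modules": {"GetModuleHandleW"},          # looks for instrumented libs
}
HUMAN_APIS = {"GetCursorPos", "GetAsyncKeyState", "GetLastInputInfo"}   # reverse Turing test
PAYLOAD_APIS = {"WriteFile", "CreateProcessW", "InternetOpenUrlW", "connect", "RegSetValueExW"}

ANALYSIS_BUDGET_MS = 120_000   # assumed sandbox time limit
STALL_GAP_MS = 20_000          # assumed: this long with no API call at all looks like a stalling loop


def score_trace(events):
    """events: list of (time_ms, api_name, args) in execution order. Returns the signals found."""
    signals = {}
    apis = [api for _, api, _ in events]

    # 1. Fingerprinting: which environment-probing families were exercised.
    families = {fam for api in apis for fam, members in FINGERPRINT_APIS.items() if api in members}
    if families:
        signals["fingerprinting"] = sorted(families)

    # 2. Human-presence check: the same input-state API polled repeatedly.
    polls = Counter(api for api in apis if api in HUMAN_APIS)
    if polls and max(polls.values()) >= 3:
        signals["human_check"] = dict(polls)

    # 3. Sleeping: requested sleep time eats a large share of the analysis budget.
    slept = sum(args[0] for _, api, args in events if api == "Sleep")
    if slept >= ANALYSIS_BUDGET_MS // 2:
        signals["sleep_ms"] = slept

    # 4. Stalling loops: a long silent stretch that no Sleep call explains.
    gaps = [nxt[0] - cur[0] for cur, nxt in zip(events, events[1:]) if cur[1] != "Sleep"]
    if gaps and max(gaps) >= STALL_GAP_MS:
        signals["stall_gap_ms"] = max(gaps)

    # 5. Failure to execute: the process exits without ever doing payload-like work.
    if "ExitProcess" in apis and not PAYLOAD_APIS.intersection(apis):
        signals["exit_without_payload"] = True
    return signals


def is_evasive(events):
    return bool(score_trace(events))


# Constructed sample traces (not real captures): (time_ms, api, args).
EVASIVE_TRACE = [
    (0, "GetUserNameW", ()),
    (4, "FindFirstFileW", ("C:\\sample.exe",)),
    (8, "EnumProcesses", ()),
    (12, "GetCursorPos", ()), (1012, "GetCursorPos", ()), (2012, "GetCursorPos", ()),
    (2015, "Sleep", (60_000,)),
    (62_015, "GetTickCount", ()),
    (95_015, "GetTickCount", ()),     # 33 s of pure CPU spinning between two calls
    (95_020, "ExitProcess", (0,)),
]
BENIGN_TRACE = [
    (0, "CreateFileW", ("C:\\out.txt",)),
    (3, "WriteFile", (b"hello",)),
    (7, "CloseHandle", ()),
    (9, "ExitProcess", (0,)),
]

if __name__ == "__main__":
    print(score_trace(EVASIVE_TRACE))
    print(is_evasive(BENIGN_TRACE))
```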
What’s Next? (Threat-wise)
• As evasion detection improves, cybercriminals will be forced into mimicry
• Mimicry is the process of creating malware that mimics the behavior of benign applications (until the analysis is completed)
What’s Next? (Protection-wise)
• The next approach is eliciting
– Elicit (verb): evoke or draw out (a reaction, answer, or fact) from someone. "I tried to elicit a smile from Joanna". Synonyms: obtain, bring out, draw out, extract, evoke, bring about, bring forth, induce, excite, give rise to, call forth, prompt, generate, engender, spark off, trigger, kindle
• Identify dormant code
• Introduce the honey-user
[Diagram with labels: C&C Site, Exploit Site]
Conclusions
• Malware is (and will always be) in continuous evolution
• Evasion is a process, not a phase
• It is important to create countermeasures that require major efforts/resources from the attacker
• Visibility is key
– Traditional anti-malware is based on simple microscopes
– We need electronic (malware) microscopes
Questions? 
Backup Slides
The Golden Standard: Bare Metal
• Comparison of execution in bare metal with execution on various types of analysis platforms
[Diagram: incoming samples pass a pre-filter and a scheduler, are executed in synchronized fashion on bare metal, Ether, Anubis and VirtualBox, and the resulting per-platform profiles go through behavior comparison to produce a behavior deviation score]
• BareCloud: Bare-metal Analysis-based Evasive Malware Detection. Dhilung Kirat, Chris Kruegel, and Giovanni Vigna. Proceedings of the USENIX Security Symposium, 2014
BareCloud Results
• Collected 110,005 samples from Anubis that had interesting behavior
– Samples with little or no activity
– Samples with different combinations of filesystem and network activity
• Compared profiles using hierarchical similarity
• Identified 5,835 evasive samples
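As an added example (not BareCloud's own code) of the profile comparison behind the two slides above: behavior profiles from a bare-metal run and from several analysis platforms are compared with a hierarchical similarity, and the deviation from bare metal flags the sample. The profile format, the three-level weighting and the threshold are simplifying assumptions; the profiles are constructed.

```python
"""BareCloud-style behavior deviation between a bare-metal run and sandbox runs of one sample.
Example code, not the BareCloud implementation: the profile format, the three-level
hierarchical similarity and the threshold are simplifying assumptions."""

# A behavior profile is a set of (category, operation, object) observations (assumed format).
LEVEL_WEIGHTS = (0.2, 0.3, 0.5)   # assumed: agreement on exact objects counts most


def jaccard(a, b):
    """Set overlap; two empty sets count as identical."""
    return 1.0 if not a and not b else len(a & b) / len(a | b)


def project(profile, depth):
    """Truncate each observation to its first `depth` fields (category, operation, object)."""
    return {obs[:depth] for obs in profile}


def hierarchical_similarity(p, q):
    """Weighted Jaccard over category, category+operation and full observations, so that two
    profiles that, say, both write a file but to different paths still score above zero."""
    return sum(w * jaccard(project(p, d), project(q, d)) for d, w in enumerate(LEVEL_WEIGHTS, start=1))


def deviation_scores(profiles, reference="bare-metal"):
    """1 - similarity of every analysis platform's profile to the bare-metal reference."""
    ref = profiles[reference]
    return {name: round(1 - hierarchical_similarity(ref, prof), 3)
            for name, prof in profiles.items() if name != reference}


def is_evasive(profiles, threshold=0.5):
    """Flag the sample if any sandbox saw markedly less or different behavior than bare metal."""
    return any(score >= threshold for score in deviation_scores(profiles).values())


# Constructed profiles for one sample (not real captures): it runs its payload on bare metal
# and under Ether, but only reads itself and exits inside Anubis and VirtualBox.
FULL_RUN = {
    ("file", "write", "C:\\Users\\u\\AppData\\Roaming\\upd.dll"),
    ("registry", "set", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"),
    ("network", "dns", "cnc.example.test"),
    ("network", "tcp", "198.51.100.7:443"),
    ("process", "create", "rundll32.exe"),
}
BAILED_OUT = {("file", "read", "C:\\sample.exe"), ("process", "exit", "0")}
SAMPLE_PROFILES = {
    "bare-metal": FULL_RUN,
    "Ether": set(FULL_RUN),
    "Anubis": BAILED_OUT,
    "VirtualBox": set(BAILED_OUT),
}

if __name__ == "__main__":
    print(deviation_scores(SAMPLE_PROFILES), is_evasive(SAMPLE_PROFILES))
```

The Anubis and VirtualBox profiles still share the "file" and "process" categories with the bare-metal run, which is why their deviation is 0.9 rather than 1.0.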
Detecting Evasive Web Malware
• State-of-the-art in honeyclients
– High-interaction honeyclients visit web pages and record modifications to the underlying system (file system, registry, processes)
– Unexpected changes are attributed to attacks
• Limitations
– Defenders need to know in advance the components that will be targeted by attacks
– Configuration can be complex and incomplete
• Some of the vulnerable components are incompatible with each other
– Limited explanatory power
Revolver: Detecting Evasions in Web-based Malware
• Providing an oracle available to the public has drawbacks
– Malware can be tested before deployment
• Exploitation of discrepancies leads to failed detection
• Can we use this against the bad guys?
– Revolver: An Automated Approach to the Detection of Evasive Web-based Malware. A. Kapravelos, Y. Shoshitaishvili, M. Cova, C. Kruegel, G. Vigna, in Proceedings of the USENIX Security Symposium, Washington, D.C., August 2013
Evasion: Liberal Configuration 
var nop="%uyt9yt2yt9yt2"; 
var nop=(nop.replace(/yt/g,"")); 
var sc0="%ud5db%uc9c9%u87cd..."; 
var sc1="%"+"yutianu"+"ByutianD"+ ...; 
var sc1=(sc1.replace(/yutian/g,"")); 
var sc2="%"+"u"+"54"+"FF"+ 
"%u"+"BE"+...+"A"+"8"+"E"+"E"; 
var sc2=(sc2.replace(/yutian/g,"")); 
var sc=unescape(nop+sc0+sc1+sc2); 
try { 
new ActiveXObject("yutian"); 
} catch (e) { 
var nop="%uyt9yt2yt9yt2"; 
var nop=(nop.replace(/yt/g,"")); 
var sc0="%ud5db%uc9c9%u87cd..."; 
var sc1="%"+"yutianu"+"ByutianD"+ ...; 
var sc1=(sc1.replace(/yutian/g,"")); 
var sc2="%"+"u"+"54"+"FF"+ 
"%u"+"BE"+...+"A"+"8"+"E"+"E"; 
var sc2=(sc2.replace(/yutian/g,"")); 
var sc=unescape(nop+sc0+sc1+sc2); 
}
Revolver
[Diagram: pages are parsed into ASTs (e.g. IF … VAR <= NUM) and classified by the web oracle; similarity computation over candidate pairs {bi, mj} of benign and malicious ASTs sorts them into JavaScript infections, data dependencies, evasions and malicious evolution]
Evaluation: Evasion
• Collected 6,468,623 pages, of which 265,692 malicious
• Extracted 20,732,766 benign scripts, and 186,032 malicious scripts
• Derived 705,472 unique ASTs and 55,701 malicious ASTs
• For each benign AST, found ~70 malicious neighbors
• Computed 208K candidate pairs
– 6,996 Injections (701 classes)
– 101,039 Data dependencies (475 classes)
– 4,147 Evasions (155 classes)
– 2,490 Evolutions (273 classes)
http://revolver.cs.ucsb.edu
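As an added example (not Revolver's own code) of the candidate-pair classification from the Revolver slides, tied to the "liberal configuration" evasion shown above: a script the oracle labelled benign is compared with a similar known-malicious script, and a pair whose only additions are control-flow guards around unchanged malicious code is classed as an evasion. The tuple AST format, the pre-order similarity measure and the pair rules are simplifying assumptions, and the ASTs are constructed.

```python
"""Revolver-style comparison of an AST the web oracle labelled benign with a similar
known-malicious AST. Example code, not Revolver's implementation: the tuple AST format,
the pre-order similarity and the pair classification rules are simplifying assumptions."""
from difflib import SequenceMatcher

# Node kinds that only steer control flow; an evasion adds these around unchanged malicious code.
CONTROL_FLOW = {"If", "Try", "Catch", "While", "Switch"}


def preorder(node):
    """Flatten a nested tuple ('label', child, ...) into its pre-order sequence of labels."""
    label, *children = node
    seq = [label]
    for child in children:
        seq.extend(preorder(child))
    return seq


def similarity(a, b):
    """Normalized longest-common-subsequence ratio over two pre-order label sequences."""
    return SequenceMatcher(None, a, b, autojunk=False).ratio()


def classify_pair(benign_ast, malicious_ast, threshold=0.6):
    """Classify a candidate pair (oracle-benign AST, known-malicious AST)."""
    b, m = preorder(benign_ast), preorder(malicious_ast)
    if similarity(m, b) < threshold:
        return "unrelated"
    ops = SequenceMatcher(None, m, b, autojunk=False).get_opcodes()
    if any(tag in ("delete", "replace") for tag, *_ in ops):
        return "evolution"      # malicious nodes changed or dropped: the malicious code evolved
    added = [label for tag, _, _, j1, j2 in ops if tag == "insert" for label in b[j1:j2]]
    if not added:
        return "identical"
    if any(label in CONTROL_FLOW for label in added):
        return "evasion"        # malicious code intact, now guarded by new control flow
    return "injection"          # malicious code embedded unchanged in otherwise benign code


# Constructed ASTs (not real pages), mirroring the "liberal configuration" slide: the evasive
# version probes ActiveXObject and only builds the shellcode string when the probe throws.
MALICIOUS_AST = ("Block", ("Var nop",), ("Var sc0",), ("Call unescape",))
EVASIVE_AST = ("Block", ("Try", ("New ActiveXObject",),
                         ("Catch", ("Var nop",), ("Var sc0",), ("Call unescape",))))
INJECTED_PAGE_AST = ("Block", ("Var title",), ("Call document.write",),
                     ("Var nop",), ("Var sc0",), ("Call unescape",), ("Call setTimeout",))
EVOLVED_AST = ("Block", ("Var nop",), ("Var sc1",), ("Call unescape",))
UNRELATED_AST = ("Block", ("Var a",), ("Call foo",))

if __name__ == "__main__":
    for name, ast in [("evasive", EVASIVE_AST), ("injected", INJECTED_PAGE_AST),
                      ("evolved", EVOLVED_AST), ("unrelated", UNRELATED_AST)]:
        print(name, "->", classify_pair(ast, MALICIOUS_AST))
```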

Speaker notes

1. On Day 0, only 51% of antivirus scanners detected new malware samples. When none of the antivirus scanners detected a malware sample on the first day, it took an average of two days for at least one antivirus scanner to detect it. After two weeks, there was a notable bump in detection rates (up to 61%), indicating a common lag time for antivirus vendors. Over the course of 365 days, no single antivirus scanner had a perfect day, that is, a day in which it caught every new malware sample. After a year, there are samples that 10% of the scanners still do not detect.