Malware Obfuscation through Evolutionary Packers
Marco Gaudesi, Andrea Marcelli, Ernesto Sanchez, Giovanni Squillero, Alberto Tonda

Goal
Develop a new obfuscation mechanism based on evolutionary algorithms. It can be used by the security industry to stress analysis methodologies and to test the ability to react to malware mutations.

Malware (malicious software)
The poster's life-cycle figure shows four stages: the malware propagates, hides as long as possible, executes the payload, and communicates.

Packer
Packers were originally designed to save disk space. They were then introduced into the world of malicious software: the code must be decrypted before static analysis can be applied. Moreover, changing the encryption key produces a completely different executable.

A packer compresses or encrypts the instructions and data of a program, generating a new executable version. At run time, the new executable decompresses the original program in memory and then jumps into it.

Original PE: PE Header, Optional Header, Section Table, Code, Import, Data.
Packed PE: PE Header, Encrypted Packed Section, Stub Routine.

The unpacking stub:
1) It decompresses and decrypts the original code.
2) It resolves the imports of the executable: if the import table is packed, the loader cannot resolve the imports and load the corresponding DLLs.
3) It transfers control back to the Original Entry Point (OEP).

Timeline of code obfuscation in malware
1988 Cascade (encryption). One of the easiest ways to hide the functionality of the virus code was encryption. The virus starts with a constant decryptor that is followed by the encrypted virus body.
1997 Memorial (oligomorphic). Oligomorphic viruses change their decryptors in new generations. Win95/Memorial had the ability to build 96 different decryptor patterns.
1998 Crypto (polymorphic). Polymorphic viruses can create an endless number of new decryptors that use different encryption methods to encrypt the constant part (except their data areas) of the virus body. Crypto used a random decryption algorithm that implemented a brute-force attack against its constant but variably encrypted virus body.
2002 Zmist (metamorphic). Metamorphic viruses have neither a decryptor nor a constant virus body; however, they are able to create new generations that look different. Zmist is capable of decompiling Portable Executable files into their smallest elements; it moves code blocks out of the way, inserts itself, regenerates code and data references, including relocation information, and rebuilds the executable.
2002 W32/Smile. The idea of genetic selection for behaviours was first seen in 2002.
2005 W32/Zellome. Polymorphism using genetic algorithms was first seen in 2005.
??? Evolutionary.

Evolutionary packer
The malware uses an evolutionary algorithm to generate completely new obfuscating algorithms. The individuals are a set of working packers, and the fitness is how similar the new executable is to the original one.

Generating the code
1. Generate an opcode sequence: a randomly generated, variable-length sequence of x86 assembler instructions.
2. Test the sequence: is it reversible? Code encryption: the encoding and the decoding routines are applied one after the other to the sequence of bytes, and the sequence is kept only if the original bytes come back.
3. Fitness evaluation with the Jaccard Index.
4. Reproduction.
5. Creation of a new packer variant. The decoding routine is embedded in the new executable; at run time it restores the original program in memory.

Jaccard Index
$J(A, B) = \frac{|A \cap B|}{|A \cup B|}$
It is used to evaluate the similarity between a malware sample and the original one.
Figure: Jaccard distribution of a sample similar to the original one.
Figure: Jaccard distribution of a sample that maximises the dissimilarity.
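The five-step loop above, written out as an added Python sketch. This is not the authors' code: real individuals are x86 instruction sequences, whereas here each "instruction" is a byte-wise transform keyed by an immediate, the sets A and B fed to the Jaccard Index are assumed to be the distinct byte bigrams of the original and of the packed bytes (the poster does not say which sets it compares), and the payload is the 24-byte Metasploit signature quoted in the experimental section rather than the full 328-byte shellcode. Two deliberately lossy transforms (shl, and) are in the opcode pool so that the reversibility test of step 2 has something to reject.

```python
import random

# --- reversible byte transforms (stand-ins for one x86 instruction each) ---
# Each opcode maps to (encode, decode). 'shl' and 'and' lose information on
# purpose: they model a generated x86 sequence that cannot be inverted, and
# is_reversible() must discard them.
def _rol(b, n):
    return ((b << n) | (b >> (8 - n))) & 0xFF

def _ror(b, n):
    return ((b >> n) | (b << (8 - n))) & 0xFF

OPS = {
    "add": (lambda b, k: (b + k) & 0xFF, lambda b, k: (b - k) & 0xFF),
    "sub": (lambda b, k: (b - k) & 0xFF, lambda b, k: (b + k) & 0xFF),
    "xor": (lambda b, k: b ^ k,          lambda b, k: b ^ k),
    "not": (lambda b, k: b ^ 0xFF,       lambda b, k: b ^ 0xFF),
    "rol": (lambda b, k: _rol(b, k % 8), lambda b, k: _ror(b, k % 8)),
    "shl": (lambda b, k: (b << (k % 8)) & 0xFF, lambda b, k: b >> (k % 8)),  # lossy
    "and": (lambda b, k: b & k,          lambda b, k: b),                     # lossy
}

def random_sequence(rng, min_len=2, max_len=8):
    """Step 1: random, variable-length sequence of (opcode, immediate) pairs."""
    length = rng.randint(min_len, max_len)
    return [(rng.choice(list(OPS)), rng.randrange(1, 256)) for _ in range(length)]

def encode(seq, data):
    """The encoding routine: every op of the sequence, in order, on every byte."""
    out = bytes(data)
    for op, k in seq:
        out = bytes(OPS[op][0](b, k) for b in out)
    return out

def decode(seq, data):
    """The decoding routine the stub would embed: inverse ops in reverse order."""
    out = bytes(data)
    for op, k in reversed(seq):
        out = bytes(OPS[op][1](b, k) for b in out)
    return out

def is_reversible(seq, probe=bytes(range(256))):
    """Step 2: keep the sequence only if decode(encode(x)) == x for every byte value."""
    return decode(seq, encode(seq, probe)) == probe

def ngrams(data, n=2):
    """Sets A and B for J(A, B): distinct byte bigrams (an assumption, see lead-in)."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}

def jaccard(a, b):
    """J(A, B) = |A intersect B| / |A union B|: 1.0 identical sets, 0.0 disjoint."""
    union = a | b
    return len(a & b) / len(union) if union else 1.0

def fitness(seq, original):
    """Step 3: similarity of the packed bytes to the original; the EA minimises it."""
    return jaccard(ngrams(original), ngrams(encode(seq, original)))

def mutate(rng, seq):
    """Step 4: insert, delete or re-key one instruction of a parent sequence."""
    child = list(seq)
    r = rng.random()
    if r < 0.3 and len(child) < 8:
        child.insert(rng.randrange(len(child) + 1),
                     (rng.choice(list(OPS)), rng.randrange(1, 256)))
    elif r < 0.6 and len(child) > 1:
        del child[rng.randrange(len(child))]
    else:
        i = rng.randrange(len(child))
        child[i] = (child[i][0], rng.randrange(1, 256))
    return child

def evolve(original, generations=30, pop_size=20, seed=1):
    """Run the loop; return the best packer sequence (step 5 input) and its fitness."""
    rng = random.Random(seed)
    pop = []
    while len(pop) < pop_size:                 # initial population of working packers
        cand = random_sequence(rng)
        if is_reversible(cand):
            pop.append(cand)
    for _ in range(generations):
        pop.sort(key=lambda s: fitness(s, original))
        survivors = pop[:pop_size // 2]        # truncation selection
        children = []
        while len(survivors) + len(children) < pop_size:
            cand = mutate(rng, rng.choice(survivors))
            if is_reversible(cand):            # offspring must still be a working packer
                children.append(cand)
        pop = survivors + children
    best = min(pop, key=lambda s: fitness(s, original))
    return best, fitness(best, original)

# The 24 signature bytes of the Metasploit TCP bind shellcode quoted on the poster,
# used here as the payload in place of the full 328-byte sample.
SIGNATURE = bytes.fromhex("fce8820000006089e531c0648b50308b520c8b52148b7228")

if __name__ == "__main__":
    best, sim = evolve(SIGNATURE)
    packed = encode(best, SIGNATURE)
    print("packer:", best)
    print("Jaccard similarity to original: %.3f" % sim)
    print("signature still present in packed bytes:", SIGNATURE in packed)
    print("decoding routine restores the payload:", decode(best, packed) == SIGNATURE)
```

Two caveats a practitioner should keep in mind. A low Jaccard score only says the packed bytes look unlike the original on disk; the decoding routine itself is plain code in the new executable and is just as signaturable as any other stub, and an engine that emulates the sample sees the restored payload in memory, which is exactly the heuristic exposure the experimental section below notes for Evo 1 and Evo 2.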
Experimental Evaluation
Test case: the TCP bind shellcode from Metasploit, 328 bytes long, carrying a well-known AV signature:
\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28
It has a high initial detection rate, and its executable behaviour is susceptible to heuristic evaluation.

Detection results (engines flagging the sample / engines queried):

Sample        VirusTotal   OPSWAT Metascan (44 AV engines)
Non encoded   35/57        25/44
Evo1           2/57         4/44
Evo2           2/57         3/44
Evo3           1/57         1/44

Non encoded: unencoded version of the executable.
Evo 1 uses a quite simple encrypting technique.
Evo 2 implements a sophisticated encoding mechanism with shuffled instructions.
Evo 3 makes use of several operations that aim to confuse heuristic engines.

Future Development
Further evaluation with locally installed AVs.

Evolutionary botnet as a whole prey-predator ecosystem:
- Anti-debugging: evolution of the anti-debugging techniques that are used in an attempt to slow down the analysis as much as possible.
- Anti-disassembly: evolution of anti-disassembly techniques that use specially crafted code or data to cause disassembly tools to produce an incorrect program listing.
- Hiding mechanism: further evolution and mutation of the executable structure, trying to increase the complexity of the analysis.
- C&C communication: in charge of the mutation of redundant Command & Control channels through variable port numbers, improper usage of existing protocols, randomized scanning and encrypted traffic.