Flowers for Automated Malware Analysis


Black Hat via YouTube

Slide 4 of 17:

- Operate through sensitive data structure relocation, binary software translation
- Vulnerable to detection of side effects
- In older versions of VMware, SYSRET treated as NOP when executed in ring 3


Classroom Contents


  1. Intro
  2. The centerpiece of current threats on the Internet: Botnets (spamming, DDoS, etc.), Information Theft, Financial Fraud. Used by real criminals: Criminal Infrastructure, Domain of Organized Crime
  3. There is a pronounced need to understand malware behavior: Threat Discovery and Analysis, Compromise Detection, Forensics and Asset Remediation. Malware authors make analysis challenging - Direct financi…
  4. Operate through sensitive data structure relocation, binary software translation. Vulnerable to detection of side effects. In older versions of VMware, SYSRET treated as NOP when executed in ring 3
  5. Operate through use of hardware virtualization extensions (e.g., Intel VT-x or AMD SVM). Extensions to x86 ISA (new instructions). Certain instructions cause VMExits; must be handled correctly. Older ver…
  6. Transparency Requirements: Higher Privilege, No Non-privileged Side Effects, Same Instruction Execution Semantics, Identical Exception Handling, Identical Notion of Time
  7. Requirements Cont'd. In-guest Tools - No higher privilege, Non-privileged side effects, Exception handling issues. Reduced Privilege Guests (VMware, etc.) - Non-privileged side effects. Emulation (QEMU, Simi…
  8. Inverting Analysis Detection
  9. Nature of the Arms Race: Until recently, malware was "analysis environment aware" (detect analysis environments, execute successfully otherwise). Malware could be "analysis environment oblivious" - Exploit …
  10. Propagated in part by drive-by downloads. Payload is only intermediate agent. Agent gathers hardware UUID, submits request to C&C for full version. Hardware UUID hashed (MD5), hash used as decryption ke…
  11. May not be a good idea: leaves hint for brute-force cracking. Instead, only encrypt critical mechanisms; for example, encrypt C&C domain names
  12. Subset of Process Environment Block: Username, Computer Name, CPU Identifier, MAC Address, GPU Information (GetAdapterIdentifier), User Security Identifier (SID) - randomly generated by the OS, unique across …
  13. Host ID must be determined before malware instance is installed. Use intermediate downloader agent - Intermediate agent could be used by researchers to obtain instance bound to analysis environment. Us…
  14. Advantages: Protections of Modern Cryptography - knowledge of how key is derived does not affect the integrity of the protection. Sample Independence - intelligence collected from one malware instance prov…
  15. Advantages: HIE-protected binary is only an interpreter (contains no malicious functionality). Instance cannot be analyzed offline. Complementary to HIE for tasks served to the interpreter
  16. Protections offered: Granularity of analysis used does not affect protections. Protections can be broken only if the configuration parameters of the original execution environment are matched
  17. Collect and duplicate host and network environment information. Depending on the information, may have privacy and policy problems. Duplicating network identifier requires analysis system deployment on…
