Class Central Classrooms beta
YouTube videos curated by Class Central.
Classroom Contents
Flowers for Automated Malware Analysis
- 1 Intro
- 2 The centerpiece of current threats on the Internet: botnets (spamming, DDoS, etc.), information theft, financial fraud. Used by real criminals; criminal infrastructure; the domain of organized crime.
- 3 There is a pronounced need to understand malware behavior: threat discovery and analysis, compromise detection, forensics and asset remediation. Malware authors make analysis challenging - direct financi…
- 4 Operate through sensitive data structure relocation and binary software translation. Vulnerable to detection of side effects: in older versions of VMware, SYSRET was treated as a NOP when executed in ring 3.
- 5 Operate through use of hardware virtualization extensions (e.g., Intel VT-x or AMD SVM): extensions to the x86 ISA (new instructions). Certain instructions cause VM exits, which must be handled correctly. Older ver…
- 6 Transparency requirements: higher privilege; no non-privileged side effects; same instruction execution semantics; identical exception handling; identical notion of time.
- 7 Requirements cont'd. In-guest tools: no higher privilege, non-privileged side effects, exception handling issues. Reduced-privilege guests (VMware, etc.): non-privileged side effects. Emulation (QEMU, Simi…
- 8 Inverting Analysis Detection
- 9 Nature of the arms race: until recently, malware was "analysis environment aware" (detect analysis environments, execute successfully otherwise). Malware could instead be "analysis environment oblivious": exploit …
- 10 Propagated in part by drive-by downloads. The payload is only an intermediate agent; the agent gathers the hardware UUID and submits a request to the C&C for the full version. Hardware UUID hashed (MD5); hash used as decryption ke…
- 11 May not be a good idea: leaves a hint for brute-force cracking. Instead, only encrypt critical mechanisms; for example, encrypt C&C domain names.
- 12 Subset of the Process Environment Block: username, computer name, CPU identifier, MAC address, GPU information (GetAdapterIdentifier), user Security Identifier (SID), randomly generated by the OS and unique across …
- 13 Host ID must be determined before the malware instance is installed. Use an intermediate downloader agent - the intermediate agent could be used by researchers to obtain an instance bound to the analysis environment. Us…
- 14 Advantages: protections of modern cryptography (knowledge of how the key is derived does not affect the integrity of the protection); sample independence (intelligence collected from one malware instance prov…
- 15 Advantages: the HIE-protected binary is only an interpreter (contains no malicious functionality); the instance cannot be analyzed offline. Complementary to HIE for tasks served to the interpreter.
- 16 Protections offered: the granularity of analysis used does not affect the protections. Protections can be broken only if the configuration parameters of the original execution environment are matched.
- 17 Collect and duplicate host and network environment information. Depending on the information, this may have privacy and policy problems. Duplicating the network identifier requires analysis system deployment on…
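The mechanism behind chapters 10 through 16, as an added worked example written for this page (it is not the talk's code and not any real sample): a key is derived from host identifiers of the kind chapter 12 lists, a payload is bound to that key, and the same ciphertext decrypts to garbage under an analysis VM's profile. It also shows the brute-force "hint" of chapter 11: when the whole binary is encrypted, the PE header is known plaintext, so each candidate host ID can be checked instantly. Assumptions: the host profiles and payload bytes are constructed; the sample in chapter 10 hashed the hardware UUID with MD5, whereas this demo hashes a canonical serialization of several attributes with SHA-256; and the XOR keystream built from HMAC-SHA256 is a stand-in cipher, not whatever a real sample would use.

```python
import hashlib
import hmac

# Constructed host profiles (made-up values of the attribute classes in chapter 12).
VICTIM_HOST = {
    "username": "jsmith",
    "computer_name": "WS-FINANCE-07",
    "cpu_id": "GenuineIntel-06_2A",
    "mac": "00:1c:42:9f:3e:11",
    "gpu": "GeForce GTX 560",
    "sid": "S-1-5-21-1004336348-1177238915-682003330-1001",
    "hardware_uuid": "4C4C4544-0042-3810-8032-C3C04F314E31",
}
# An analysis VM that matches most attributes but not the hardware-bound ones.
ANALYSIS_VM = dict(
    VICTIM_HOST,
    mac="00:0c:29:aa:bb:cc",
    sid="S-1-5-21-2781493216-1983765240-1152845190-1001",
    hardware_uuid="564D0E11-7A3C-2F54-9B0A-6D2C3E9F1A22",
)

# Constructed payloads: a PE-like blob (starts with the MZ header) and a C&C domain.
FULL_BINARY = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00" + b"<constructed body>"
CC_DOMAIN = b"update.cnc-demo.invalid"


def host_key(profile):
    """Derive the decryption key from host identifiers.

    The slides' sample used MD5 of the hardware UUID; this demo hashes a sorted
    key=value serialization of several attributes with SHA-256 (assumption).
    Knowing this derivation does not help without the matching attribute values.
    """
    material = "\n".join(f"{k}={profile[k]}" for k in sorted(profile))
    return hashlib.sha256(material.encode("utf-8")).digest()


def xor_keystream(key, data):
    """Stand-in symmetric cipher: HMAC-SHA256 in counter mode XORed over data.

    Symmetric, so the same call encrypts and decrypts. A real sample would use
    some other cipher; the binding-to-host-key logic is what matters here.
    """
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        stream += hmac.new(key, block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def bind_to_host(plaintext, profile):
    """What the C&C does: encrypt the payload under the submitting host's key."""
    return xor_keystream(host_key(profile), plaintext)


def unbind_on_host(ciphertext, profile):
    """What the interpreter does on the host: decrypt with its own derived key."""
    return xor_keystream(host_key(profile), ciphertext)


def brute_force_uuid(ciphertext, base_profile, candidate_uuids):
    """Chapter 11's hint: with the whole binary encrypted, 'MZ' is known
    plaintext, so a candidate hardware UUID can be confirmed from two bytes."""
    for uuid in candidate_uuids:
        trial = dict(base_profile, hardware_uuid=uuid)
        if unbind_on_host(ciphertext, trial)[:2] == b"MZ":
            return uuid
    return None


if __name__ == "__main__":
    ct = bind_to_host(CC_DOMAIN, VICTIM_HOST)
    print("victim decrypts to:  ", unbind_on_host(ct, VICTIM_HOST))
    print("analysis VM gets:    ", unbind_on_host(ct, ANALYSIS_VM)[:8].hex(), "...")
    ct_bin = bind_to_host(FULL_BINARY, VICTIM_HOST)
    guesses = ["00000000-0000-0000-0000-000000000000", VICTIM_HOST["hardware_uuid"]]
    print("brute-forced UUID:   ", brute_force_uuid(ct_bin, ANALYSIS_VM, guesses))
```

Run as a script it prints the round trip on the victim profile, the garbage the analysis VM obtains from the same ciphertext, and the UUID recovered by the known-header check (the second guess, in the constructed candidate list). Note the brute force only works because the PE header gives an instant oracle and the other attributes were assumed known; encrypting only the C&C domain, as chapter 11 suggests, leaves no such fixed known plaintext in the sample, and the static binary then contains nothing to analyze offline (chapter 15).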