Flowers for Automated Malware Analysis
- 1 Intro
- 2 The centerpiece of current threats on the Internet: Botnets (Spamming, DDoS, etc.); Information Theft; Financial Fraud; Used by real criminals; Criminal Infrastructure; Domain of Organized Crime
- 3 There is a pronounced need to understand malware behavior: Threat Discovery and Analysis; Compromise Detection; Forensics and Asset Remediation. Malware authors make analysis challenging - Direct financi…
- 4 Operate through sensitive data structure relocation, binary software translation; Vulnerable to detection of side effects; In older versions of VMWare, SYSRET treated as NOP when executed in ring 3
- 5 Operate through use of hardware virtualization extensions (e.g., Intel VT-x or AMD SVM); Extensions to x86 ISA (new instructions); Certain instructions cause VMExits, must be handled correctly; Older ver…
- 6 Transparency Requirements: Higher Privilege; No Non-privileged Side Effects; Same Instruction Execution Semantics; Identical Exception Handling; Identical Notion of Time
- 7 Requirements Cont'd: In-guest Tools - No higher privilege, Non-privileged side effects, Exception handling issues; Reduced Privilege Guests (VMware, etc) - Non-privileged side effects; Emulation (QEMU, Simi…
- 8 Inverting Analysis Detection
- 9 Nature of the Arms Race: Until recently, malware was "analysis environment aware" - Detect analysis environments, Execute successfully otherwise; Malware could be "analysis environment oblivious" - Exploit …
- 10 Propagated in part by drive-by downloads; Payload is only intermediate agent; Agent gathers hardware UUID, submits request to C&C for full version; Hardware UUID hashed (MD5), hash used as decryption ke…
- 11 May not be a good idea: Leaves hint for brute-force cracking; Instead, only encrypt critical mechanisms, for example, encrypt C&C domain names
- 12 Subset of Process Environment Block: Username, Computer Name, CPU Identifier; MAC Address; GPU Information (GetAdapterIdentifier); User Security Identifier (SID) - Randomly generated by the OS, Unique across …
- 13 Host ID must be determined before malware instance is installed: Use intermediate downloader agent - Intermediate agent could be used by researchers to obtain instance bound to analysis environment; Us…
- 14 Advantages: Protections of Modern Cryptography - Knowledge of how key is derived does not affect the integrity of the protection; Sample Independence - Intelligence collected from one malware instance prov…
- 15 Advantages: HIE-protected binary is only an interpreter (contains no malicious functionality); Instance cannot be analyzed offline; Complementary to HIE for tasks served to the interpreter
- 16 Protections offered: Granularity of analysis used does not affect protections; Protections can be broken only if the configuration parameters of the original execution environment are matched
- 17 Collect and duplicate host and network environment information; Depending on the information, may have privacy and policy problems; Duplicating network identifier requires analysis system deployment on…