Intro
The centerpiece of current threats on the Internet
- Botnets (spamming, DDoS, etc.)
- Information theft
- Financial fraud
Used by real criminals
- Criminal infrastructure
- Domain of organized crime

There is a pronounced need to understand malware behavior
- Threat discovery and analysis
- Compromise detection
- Forensics and asset remediation
Malware authors make analysis challenging
- Direct financial motivation
Operate through sensitive data structure relocation and binary software translation
- Vulnerable to detection of side effects
- In older versions of VMware, SYSRET treated as NOP when executed in ring 3

Operate through use of hardware virtualization extensions (e.g., Intel VT-x or AMD SVM)
- Extensions to x86 ISA (new instructions)
- Certain instructions cause VMExits
  - Must be handled correctly
- Older versions of KVM terminate with unhandled exit on guest execution of VMREAD
Transparency Requirements
- Higher privilege
- No non-privileged side effects
- Same instruction execution semantics
- Identical exception handling
- Identical notion of time

Requirements Cont'd
- In-guest tools
  - No higher privilege
  - Non-privileged side effects
  - Exception handling issues
- Reduced-privilege guests (VMware, etc.)
  - Non-privileged side effects
- Emulation (QEMU, Simics)
  - No identical instruction execution
Inverting Analysis Detection
Nature of the Arms Race
- Until recently, malware was "analysis environment aware"
  - Detect analysis environments
  - Execute successfully otherwise
- Malware could be "analysis environment oblivious"
  - Exploit observation that malware is overwhelmingly collected in one environment and analyzed in another
  - Bind to and successfully execute only on
- Propagated in part by drive-by downloads
- Payload is only intermediate agent
- Agent gathers hardware UUID, submits request to C&C for full version
- Hardware UUID hashed (MD5), hash used as decryption key to RC4 stream cipher
- Full version will only run on host with same hardware UUID

May not be a good idea
- Leaves hint for brute-force cracking
- Instead, only encrypt critical mechanisms
  - For example, encrypt C&C domain names
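The binding scheme just described, worked from the analyst's side as an added example (not code from the deck or from the sample it discusses): the key is MD5 of the hardware UUID and the full version is RC4-decrypted with it, so an analyst who collected candidate host identifiers from the capture environment can test each one against the known-plaintext hint that a full PE image starts with "MZ". The UUID, payload body and candidate list are constructed fixtures.

```python
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); symmetric, so it both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def host_key(hardware_uuid: str) -> bytes:
    """Key derivation as the slides describe it: MD5 digest of the hardware UUID."""
    return hashlib.md5(hardware_uuid.encode("ascii")).digest()


def recover_payload(ciphertext: bytes, candidate_uuids, known_prefix: bytes = b"MZ"):
    """Analyst side: try every host identifier collected from the capture
    environment and accept the first whose decryption yields the expected
    plaintext prefix. A longer known prefix lowers the false-positive rate.
    Returns (matching_uuid, plaintext) or (None, None)."""
    for cand in candidate_uuids:
        plain = rc4(host_key(cand), ciphertext)
        if plain.startswith(known_prefix):
            return cand, plain
    return None, None


# Constructed fixture: the UUID of the (hypothetical) infected host, a stand-in
# "full version" that begins like a PE image, and the blob the C&C would serve.
REAL_UUID = "4C4C4544-0042-3310-8052-B4C04F4D4E31"
FULL_VERSION = b"MZ\x90\x00" + b"<constructed payload body>"
CIPHERTEXT = rc4(host_key(REAL_UUID), FULL_VERSION)

# Identifiers an analysis system might have recorded; only one is the real host.
CANDIDATES = ["00000000-0000-0000-0000-000000000000", "decoy-uuid", REAL_UUID]
```

Because the hint ("MZ") is fixed and the derivation is known, the protection holds only while the true identifier stays outside the analyst's candidate set, which is exactly why encrypting just the C&C domain names (with no such hint) is the better trade-off.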
- Subset of Process Environment Block
  - Username, computer name, CPU identifier
- MAC address
- GPU information (GetAdapterIdentifier)
- User Security Identifier (SID)
  - Randomly generated by the OS
  - Unique across a Windows domain

- Host ID must be determined before malware instance is installed
- Use intermediate downloader agent
  - Intermediate agent could be used by researchers to obtain instance bound to analysis environment
- Use short-lived, one-time URLs similar to
Advantages
- Protections of modern cryptography
  - Knowledge of how key is derived does not affect the integrity of the protection
- Sample independence
  - Intelligence collected from one malware instance provides no advantage in

Advantages
- HIE-protected binary is only an interpreter (contains no malicious functionality)
- Instance cannot be analyzed offline
- Complementary to HIE for tasks served to the interpreter

protections offered
- Granularity of analysis used does not affect protections
- Protections can be broken only if the configuration parameters of the original execution environment are matched

- Collect and duplicate host and network environment information
  - Depending on the information, may have privacy and policy problems
  - Duplicating network identifier requires analysis system deployment on an unprecedented and globally cooperative scale
Taught by
Black Hat