Dr. XiaoFeng Wang
AGIS: Towards Automatic Generation of Infection Signatures
Zhuowei Li1,3, XiaoFeng Wang1, Zhenkai Liang4 and Mike Reiter2
1 Indiana University at Bloomington
2 University of North Carolina at Chapel Hill
3 Center for Software Excellence, Microsoft
4 Carnegie Mellon University
Exploit signatures vs. infection signatures
Exploit Signature
Infection Signature
How to get infection signatures?
Manually analyze malware infections
Automated analysis
  Invariant extraction from replication code
  Checksum invariance from network traffic
  Cannot handle even the simplest metamorphism
Our solution: AGIS
Automated malware analysis
  Run malware in a sandboxed environment
  Identify mal-behaviors using generalized policies
Automated infection signature generation
  From the code necessary for the infection's mission
  "Vanilla" infections and regular-expression signatures
Certain resilience to obfuscated infections
Differences from prior work
Behavior-based malware detection
  Only analyzes add-on based infections
  No signature generation
Panorama
  Finer-grained analysis, but very slow
  No signature generation
How does AGIS work?
Malicious behavior detection
Create an infection graph
Set detection policies
Detection and behavior extraction
Infection graph and back tracking
[Figure: infection graph. Nodes: downloader.exe, keylogger.exe, keylogger process, registryhook.dll, key.log. Edge labels: 1. download, 2. modify, 3. run, 4. hook, 5. save]
Detection policies
Specifications for malicious behaviors
Keylogger rule: syscall for hooking the keyboard, and output syscalls from the callback function (WriteFile, sendto, …)
Mass-mailing worm rule: loop searching directories to read files, and syscalls to SMTP servers
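The infection graph and the keylogger policy on the two slides above, worked through as an added example (this is not AGIS code). The node names are the ones on the slide; the source/destination of each numbered action, and the target of the "modify" edge, are assumptions made for illustration, and the policy treats the "hook" and "save" actions as stand-ins for the hooking syscall and the callback's output syscall.

```python
"""Infection graph, a keylogger detection policy, and back tracking.

Added example, not code from AGIS. The event list is constructed from the
node and edge labels on the slide; the endpoints of each action are assumed.
"""
from collections import defaultdict, deque

# (source, action, destination). Assumed mapping of the slide's numbered actions.
INFECTION_EVENTS = [
    ("downloader.exe", "download", "keylogger.exe"),
    ("downloader.exe", "download", "registryhook.dll"),
    ("downloader.exe", "modify", "registry key"),        # target assumed
    ("keylogger.exe", "run", "keylogger process"),
    ("keylogger process", "hook", "registryhook.dll"),   # keyboard hook
    ("keylogger process", "save", "key.log"),            # output syscall
]

# Keylogger rule from the slide: a process must both hook the keyboard
# and emit output (WriteFile/sendto); here modelled as two graph actions.
KEYLOGGER_POLICY = {"hook", "save"}


def build_graph(events):
    """Index the events by source (out-edges) and by destination (in-edges)."""
    out_edges = defaultdict(list)
    in_edges = defaultdict(list)
    for src, action, dst in events:
        out_edges[src].append((action, dst))
        in_edges[dst].append((action, src))
    return out_edges, in_edges


def detect(events, policy=KEYLOGGER_POLICY):
    """Return every node whose set of outgoing actions satisfies the policy."""
    out_edges, _ = build_graph(events)
    flagged = [node for node, edges in out_edges.items()
               if policy <= {action for action, _ in edges}]
    return sorted(flagged)


def back_track(events, start):
    """Follow in-edges from a flagged node to every component that led to it,
    up to the root(s) of the infection (the entry point the slide calls
    downloader.exe)."""
    _, in_edges = build_graph(events)
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for _, src in in_edges.get(node, []):
            if src not in seen:
                seen.add(src)
                queue.append(src)
    return seen


def footprint(events, root):
    """Follow out-edges from a root to collect the whole infection's footprint
    (files dropped, processes started, keys modified), which is what a cleanup
    or a signature would need to cover."""
    out_edges, _ = build_graph(events)
    seen, queue = set(), deque([root])
    while queue:
        node = queue.popleft()
        for _, dst in out_edges.get(node, []):
            if dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


if __name__ == "__main__":
    for proc in detect(INFECTION_EVENTS):
        print("policy hit:", proc)
        print("  ancestors:", sorted(back_track(INFECTION_EVENTS, proc)))
    print("footprint of downloader.exe:",
          sorted(footprint(INFECTION_EVENTS, "downloader.exe")))
```

The policy is evaluated per node, so a benign process that only writes files, or one that only installs a hook (an accessibility tool, say), does not trigger it; both actions must originate from the same process. Back tracking from the hit then recovers the dropper and dropped files that the behaviour alone would not name.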
Infection signature extraction
Dynamic analysis and static analysis: get the instructions necessary for the malicious behaviors
Build signatures from the instructions
Analyses
Dynamic analysis
  Find the API calls that realize the malicious behavior (M-calls)
  Identify their call sites through stack walking
Static analysis
  Instructions that prepare the M-calls' parameters (chops)
Obfuscated code
Metamorphism
  Junk-code injection: dealt with by chops
  Code transposition: dealt with by the CFG
  Register reassignment, instruction replacement: left for the scanner
Polymorphism
  Modifies the code signature
Get signatures
Vanilla malware: chop
Regular-expression signature
  Blocks: consecutive instructions on a chop
  Conjunction of blocks
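The signature construction on the slide above, as an added example rather than AGIS's own implementation: consecutive chop instructions become blocks, and the signature is the conjunction of the blocks. The disassembly listing and the chop indices are constructed for illustration (a keyboard-hook call whose parameters the chop feeds); the choice to match blocks in any order, via regex lookaheads, is an assumption about what "conjunction" means here.

```python
"""Regular-expression infection signature from the chop of a vanilla sample.

Added example, not AGIS code. Listing, chop indices and variants are
constructed; instruction text is matched literally, so register
reassignment and instruction replacement are not handled (the slide leaves
those to the scanner).
"""
import re

# Constructed listing of a vanilla sample's hook set-up. The chop holds the
# indices of instructions that prepare the M-call's parameters; instructions
# 0 and 3 are unrelated and therefore not part of the chop.
VANILLA = [
    "mov esi, [ebp+8]",         # 0: not in chop
    "push 0",                   # 1: dwThreadId
    "push ebx",                 # 2: hMod
    "xor eax, eax",             # 3: not in chop
    "push offset cb",           # 4: lpfn (the callback)
    "push 0Dh",                 # 5: idHook = WH_KEYBOARD_LL
    "call SetWindowsHookExA",   # 6: the M-call itself
    "mov [ebp-4], eax",         # 7: not in chop
]
CHOP = [1, 2, 4, 5, 6]


def chop_blocks(listing, chop):
    """Group chop indices into runs of consecutive instructions (blocks)."""
    blocks, current, prev = [], [], None
    for i in sorted(chop):
        if prev is not None and i != prev + 1:
            blocks.append(current)
            current = []
        current.append(listing[i])
        prev = i
    if current:
        blocks.append(current)
    return blocks


def block_pattern(block):
    """One block: its instructions on consecutive lines, nothing in between."""
    return "^" + r"\n".join(re.escape(insn) for insn in block) + "$"


def build_signature(listing, chop):
    """Conjunction of blocks as a single regex: each lookahead requires its
    block to occur somewhere in the listing, in any order (assumed)."""
    blocks = chop_blocks(listing, chop)
    return "(?ms)" + "".join(f"(?=.*{block_pattern(b)})" for b in blocks)


def matches(signature, listing):
    """True if every block of the signature occurs in the listing."""
    return re.search(signature, "\n".join(listing)) is not None


SIGNATURE = build_signature(VANILLA, CHOP)

# Constructed variants: junk inserted in the gaps between blocks (tolerated),
# blocks transposed (tolerated by the conjunction), a benign listing that
# shares only the first block (rejected), and junk inside a block (rejected:
# the slide attributes this case to chops, i.e. junk must be excluded before
# matching, which plain text matching does not do).
JUNK_IN_GAPS = ["nop", "push 0", "push ebx", "mov eax, eax", "nop",
                "push offset cb", "push 0Dh", "call SetWindowsHookExA"]
TRANSPOSED = ["push offset cb", "push 0Dh", "call SetWindowsHookExA",
              "jmp short back", "push 0", "push ebx"]
BENIGN = ["push 0", "push ebx", "call CreateFileA"]
JUNK_IN_BLOCK = ["push 0", "nop", "push ebx",
                 "push offset cb", "push 0Dh", "call SetWindowsHookExA"]

if __name__ == "__main__":
    print("blocks:", chop_blocks(VANILLA, CHOP))
    for name, listing in [("vanilla", VANILLA), ("junk in gaps", JUNK_IN_GAPS),
                          ("transposed", TRANSPOSED), ("benign", BENIGN),
                          ("junk in block", JUNK_IN_BLOCK)]:
        print(f"{name}: {matches(SIGNATURE, listing)}")
```

Because each block is anchored to whole lines, a block can never match in the middle of an instruction, and because the blocks are combined as a conjunction rather than a fixed sequence, code moved around by a jump still matches. The failing "junk in block" case is the reason the slide ties junk-code resistance to the chop rather than to the regex.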