컴퓨터 보안 특론 (Special Topics in Computer Security)
Intro to Malware
조성제 (Cho, Seong-je)
Spring, 2020
Computer Security & OS Lab.
Dankook University
References
A general definition of malware, S. Kramer and J. C. Bradfield, J Comput Virol (2010) 6:105–114
Malware Incident Response - Static Analysis, CIS 6395, Incident Response Technologies, Fall 2016, Dr. Cliff Zou, UCF
Practical Malware Analysis, Kris Kendall and Chad McMillan, Mandiant (Intelligent Information Security), Black Hat
CS155: Computer and Network Security (Stanford Univ.)
Introduction to Malware, Murat Kantarcioglu, UT Dallas
Wikipedia
Many slides come from the references above. Please do not replicate, distribute, upload, or post these lecture notes.
Computer Security & OS Lab, DKU
Malware, Benware, …
Malware (malicious software)
● Software that harmfully attacks other software, where "to harmfully attack" means to cause the actual behavior to differ from the intended behavior.
● Also called malicious code.
Benware (benign software) ≈ Goodware (good software)
● A software system s is benware, by definition, if and only if s is non-damaging or damages only software systems that damage benware.
Source: A general definition of malware, S. Kramer and J. C. Bradfield, J Comput Virol (2010) 6:105–114
Malware
Malware - “malicious software” is software designed to harm or surreptitiously access a computer system without the owner’s informed consent
Types of malware:
◦ Computer viruses - a computer program that can replicate itself and spread from one computer to another through human intervention
◦ Worms - a program that actively transmits itself over a network to infect other computers without human intervention
◦ Trojan horses - malicious programs disguised as something innocuous or desirable
◦ Spyware /keylogger
◦ Dishonest adware
◦ Backdoor
◦ Rootkits - malicious program installed on a system which stays concealed to avoid detection and disinfection
◦ Other malicious or unwanted software or programs
Malware
Generally
● Any code that "performs evil"
Today
● Executable content with unknown functionality that is resident on a system of investigative interest
− Viruses
− Worms
− Intrusion Tools
− Spyware
− Rootkits
− Ransomware
Some History
Malware’s most common pathway from attacker to victim is through the Internet via e-mail and the Web
“Elk Cloner” (1981) is one of the first known microcomputer viruses that spread "in the wild," – outside the computer system or lab in which it was written
● Designed as a boot sector virus that infected Apple II OSes and spread from disk to disk
Fred Cohen from the University of Southern California wrote his paper "Computer Viruses - Theory and Experiments“ in 1984 that was the first paper to explicitly call a self-reproducing program a "virus"
The first mobile phone virus, Cabir, appeared in 2004.
In July 2001, the Code Red worm started a new phase of malware: fast, world-wide, automatic spreading
In 2004, Bagle mass-mailing worm formed Bagle botnet to facilitate spam email proxy/relay
What Malware Infects
Executable
Interpreted file
● Macro, Script, …
Kernel
Service
Master Boot Record (MBR)
Hypervisor
Types of Viruses
Boot sector infectors
Executable infectors
Multipartite virus
● A virus that can infect either boot sectors or executables
TSR ("Terminate and Stay Resident") virus
● A virus that stays active in memory after the application (or bootstrapping, or disk mounting) is completed
Stealth virus
● A virus that conceals infection of files
Encrypted virus
● A virus that is enciphered except for a small deciphering routine
● Code packing
Polymorphic virus
● A virus that changes its deciphering routine, and so its byte pattern, with each infection (detailed on the Polymorphic Viruses slide)
Macro virus
● A virus that is written in a macro language: a programming language embedded inside a software application (e.g., word processors and spreadsheet applications)
How is malware attached to an executable? How (or where) is malware installed?

Overwriting malware
[Figure: Targeted Executable → Malware; the infected host consists only of the malware.] The malware overwrites the beginning of the host program, so the original code is destroyed and the host no longer works as before.

Prepending malware
[Figure: Targeted Executable + Malware → Infected host = Malware | Executable.] The malware is placed in front of the host code; it runs first and then passes control to the original program, which still works.

Appending malware
[Figure: Targeted Executable + Malware → Infected host = Executable | Malware.] The malware is added at the end of the host and the entry point is redirected to it; after running, the malware jumps back to the original entry point.

Cavity malware
[Figure: Targeted Executable → Infected host = Executable with Malware placed in a cavity.] The malware is written into unused space (e.g., alignment padding) inside the host, so the file size does not change.

Multi-Cavity malware
[Figure: Targeted Executable → Infected host = Executable with Malware split across several cavities.] The malware is split into pieces that are written into several cavities of the host.

How is malware installed? Packers
[Figure: Malware = Packer + Payload → Infected host = Executable wrapped by the packer stub, carrying the (compressed or encrypted) payload.]
Encrypted Viruses
● Payload (networking sense): the part of transmitted data that is the actual intended message; headers and metadata are sent only to enable payload delivery.
● Payload (malware sense): the portion of the malware that performs the malicious action.
Packer functionalities
● Compress
● Encrypt
● Randomize (polymorphism)
● Anti-debugging techniques
● Add junk code
● Anti-Virtual Machine (Anti-VM)
− The malware attempts to detect whether it is being run inside a virtual machine.
− If a virtual machine is detected, it can act differently or simply not run.
● Virtualization
− Code virtualization: the protected code is translated into bytecode for a custom virtual machine embedded in the binary, so the original instructions never appear in memory.
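The attachment techniques and packer features above leave static traces in a PE file: an entry point that lands in the last (appended) section, a section whose bytes are near-random because a packer compressed or encrypted them, sections that are both writable and executable, and data past the last section (an overlay). The following Python script is an added example, not code from these slides; it builds two constructed PE32 images in memory (a clean program and an appended-infection lookalike) with a minimal header writer and runs the checks an analyst performs before anything else. The section names, the 7.0 bits/byte entropy threshold and the build timestamp are assumptions for the demo.

```python
import datetime
import math
import struct

# PE section characteristic flags (IMAGE_SCN_*) from the PE/COFF specification.
SCN_CODE, SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20, 0x20000000, 0x40000000, 0x80000000
FILE_ALIGN, SECT_ALIGN = 0x200, 0x1000

def entropy(data):
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c) if n else 0.0

def build_pe(sections, entry_rva, timestamp, overlay=b""):
    """Assemble a minimal PE32 image in memory (a constructed sample for this demo, not a
    real binary). sections: list of (name, raw_bytes, characteristics). Raw data goes on
    FILE_ALIGN boundaries; virtual addresses are handed out SECT_ALIGN apart from 0x1000."""
    hdr_end = -(-(0x40 + 4 + 20 + 224 + 40 * len(sections)) // FILE_ALIGN) * FILE_ALIGN
    headers, bodies, raw_ptr, va = [], [], hdr_end, SECT_ALIGN
    for name, raw, chars in sections:
        raw_size = -(-len(raw) // FILE_ALIGN) * FILE_ALIGN
        headers.append(struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                                   len(raw), va, raw_size, raw_ptr, 0, 0, 0, 0, chars))
        bodies.append(raw.ljust(raw_size, b"\0"))
        raw_ptr += raw_size
        va += max(SECT_ALIGN, -(-len(raw) // SECT_ALIGN) * SECT_ALIGN)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 224, 0x102)
    opt = (struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", entry_rva)).ljust(224, b"\0")
    head = (dos + b"PE\0\0" + coff + opt + b"".join(headers)).ljust(hdr_end, b"\0")
    return head + b"".join(bodies) + overlay

def parse_pe(data):
    """Read just enough of the PE headers to reason about where the code lives."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect, timestamp, opt_size = struct.unpack_from("<HI8xH", data, pe_off + 6)
    entry = struct.unpack_from("<I", data, pe_off + 24 + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsect):
        name, vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, pe_off + 24 + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va,
                         "vsize": vsize, "raw": data[rptr:rptr + rsize],
                         "raw_end": rptr + rsize, "chars": chars})
    return {"entry": entry, "timestamp": timestamp, "sections": sections}

def triage(data, packed_threshold=7.0):
    """The static checks an analyst runs first: where is the entry point, does any
    section look compressed/encrypted, and is there data past the last section?"""
    pe = parse_pe(data)
    sections, findings, ep = pe["sections"], [], pe["entry"]
    ep_sect = next((s for s in sections
                    if s["va"] <= ep < s["va"] + max(s["vsize"], len(s["raw"]))), None)
    for s in sections:
        s["entropy"] = entropy(s["raw"])
        if s["entropy"] >= packed_threshold:
            findings.append(f"{s['name']}: entropy {s['entropy']:.2f}, compressed or encrypted (packer?)")
        if s["chars"] & SCN_WRITE and s["chars"] & SCN_EXECUTE:
            findings.append(f"{s['name']}: writable and executable (unpacking stub or self-modifying code?)")
    if ep_sect is None:
        findings.append(f"entry point {ep:#x} lies outside every section")
    elif ep_sect is sections[-1] and len(sections) > 1:
        findings.append(f"entry point in last section {ep_sect['name']} (appended code?)")
    overlay = len(data) - max(s["raw_end"] for s in sections)
    if overlay > 0:
        findings.append(f"{overlay} bytes of overlay after the last section")
    compiled = datetime.datetime.fromtimestamp(pe["timestamp"], datetime.timezone.utc).isoformat()
    return {"entry_section": ep_sect["name"] if ep_sect else None, "compiled": compiled,
            "overlay_bytes": overlay, "findings": findings}

# Constructed samples. CLEAN: entry point at the start of .text, low-entropy sections, no
# overlay. INFECTED: the same program with an appended high-entropy section, the entry
# point redirected into it, and trailing overlay bytes that the loader never maps.
TEXT = (".text", b"\x90" * 0x400, SCN_CODE | SCN_EXECUTE | SCN_READ)
DATA = (".data", b"\x00" * 0x200, SCN_READ | SCN_WRITE)
BUILT = 1577836800                                   # 2020-01-01T00:00:00Z (assumed build time)
CLEAN = build_pe([TEXT, DATA], entry_rva=0x1000, timestamp=BUILT)
INFECTED = build_pe([TEXT, DATA, (".vir", bytes(range(256)) * 4,
                                  SCN_CODE | SCN_EXECUTE | SCN_READ | SCN_WRITE)],
                    entry_rva=0x3000, timestamp=BUILT, overlay=b"CONFIG" * 8)

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, triage(sample))
```

Running the script prints no findings for CLEAN and four for INFECTED (a full-entropy .vir section, a writable-and-executable section, the entry point in the last section, and 48 bytes of overlay). The same checks answer three of the technical questions asked later in these notes: date of compilation (the COFF timestamp), whether the sample is packed, and where the malware was installed in the host.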
Polymorphic Viruses
A virus that changes its form each time it inserts itself into another code
Idea is to prevent signature detection by changing the “signature” or instructions used for deciphering routine
At instruction level: substitute instructions
At algorithm level: different algorithms to achieve the same purpose
Toolkits to make these exist (Mutation Engine, Trident Polymorphic Engine)
Example: these are different instructions (with different bit patterns) but have the same effect:
● add 0 to register
● subtract 0 from register
● xor 0 with register
● no-op
Polymorphic virus would pick randomly from among these instructions
Signature of Malware
Antivirus databases contain what are commonly called signatures.
A virus signature is a continuous sequence of bytes that is specific to a certain malware sample (or family).
● It’s contained within the malware or the infected file and not in unaffected files.
Nowadays, signatures are far from sufficient to detect malicious files.
● Malware creators obfuscate, using a variety of techniques to cover their tracks.
Source: Antivirus fundamentals: Viruses, signatures, disinfection, https://www.kaspersky.com/blog/signature-virus-disinfection/13233/
Signature of Malware
Source: Evolution of Computer Virus Concealment and Anti-Virus Techniques: A Short Survey
Example of two hash-based signatures: ClamAV signatures for the Kido malware matching (a) the complete file and (b) only a specific PE Section of the malware. Source: Automatically Inferring Malware Signatures for Anti-Virus Assisted Attacks, ASIA CCS 2017.
ClamAV is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats.
Cryptographic hash functions: SHA-256, MD5, … How do they work?
Advanced Malware Detection –Signatures vs. Behavior Analysis
John Cloonan, Apr. 2017
https://www.infosecurity-magazine.com/opinions/malware-detection-signatures/
Signature-based malware detection
Strengths
● identify “known” malware
● Algorithms can quickly and efficiently scan an object to determine its signature.
● It is speedy, simple to run, and widely available.
Weakness
● It can’t recognize new versions of malicious code.
● Signature DB can be huge
− When an object is identified as malicious, its signature is added to a DB.
Don’t wait for signature
Verifying that a new file is malicious can be complex and time consuming, and often the malware has already evolved by then.
● The Cisco 2017 Annual Cybersecurity Report found that 95% of malware files they analyzed weren’t even 24 hours old, indicating a fast “time to evolve”.
● The delay in identifying new forms of malware makes corporations vulnerable to serious damages.
Modern malware often strikes immediately, doing its damage within a short period of time.
● Jigsaw starts deleting files within 24 hours.
● HDDcryptor infected 2000 systems at the San Francisco Municipal Transport Agency before it was detected.
● Therefore, being vulnerable to infection while waiting for a signature is very risky.
Don’t wait for signature
Another problem is that today’s advanced malware can alter its signature to avoid detection;
● signatures are created by examining the internal components of an object and malware authors simply modify these components while preserving the object’s functionality and behavior.
There are multiple transformation techniques, including code permutation, register renaming, expanding and shrinking code, and the insertion of garbage code or other constructs.
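To tie the Polymorphic Viruses slide to the signature material (the ClamAV hash and byte signatures, and the code-transformation list just above), here is an added Python example that is not part of the slides: a constructed x86-32 XOR decryptor stub, a small polymorphic engine that applies the slide's junk instructions (add 0, sub 0, xor 0, nop) plus instruction substitution, a tiny interpreter showing that every variant still decrypts the same payload, and two classic signatures in the style of ClamAV's .hdb (MD5 of the whole object) and .ndb (hex bytes with ?? wildcards) formats. The stub, key and payload are constructed for the demo; the instruction encodings are standard x86.

```python
import hashlib
import random
import struct

# Constructed x86-32 decryptor stub: the small deciphering routine that an encrypted virus
# leaves in clear (encodings per the Intel manual; the stub is exactly these 11 bytes):
#   B9 10 00 00 00   mov  ecx, 0x10          ; 16 payload bytes to decrypt
#   80 36 5A         xor  byte [esi], 0x5A   ; decrypt the byte esi points at
#   46               inc  esi
#   E2 FA            loop -6                 ; back to the xor while --ecx != 0
KEY, PAYLOAD_LEN = 0x5A, 0x10
CANONICAL_STUB = b"\xB9\x10\x00\x00\x00\x80\x36\x5A\x46\xE2\xFA"
PLAINTEXT = b"HELLO FROM VIRUS"          # 16 bytes of constructed "payload" once decrypted

# The slide's semantically neutral instructions: add eax,0 / sub eax,0 / xor eax,0 / nop.
JUNK = [b"\x83\xC0\x00", b"\x83\xE8\x00", b"\x83\xF0\x00", b"\x90"]

def mutate(rng):
    """One polymorphic variant of CANONICAL_STUB: junk insertion (always at least one junk
    instruction after the mov, so no variant equals the original) plus instruction
    substitution (inc esi -> add esi,1 ; loop -> dec ecx ; jnz)."""
    junk = lambda lo: b"".join(rng.choice(JUNK) for _ in range(rng.randint(lo, 2)))
    body = b"\x80\x36" + bytes([KEY]) + junk(0) + rng.choice([b"\x46", b"\x83\xC6\x01"]) + junk(0)
    if rng.random() < 0.5:
        jump = b"\xE2"                                   # loop rel8
    else:
        body, jump = body + b"\x49", b"\x75"             # dec ecx ; jnz rel8 (no junk between them: it would clobber ZF)
    disp = -(len(body) + 2)                              # rel8 target = start of body (the xor)
    return b"\xB9" + struct.pack("<I", PAYLOAD_LEN) + junk(1) + body + jump + struct.pack("<b", disp)

def run(code, payload):
    """Tiny interpreter for exactly the encodings used above; returns the memory esi
    points at after the stub finishes, i.e. the decrypted payload."""
    mem, ip, ecx, esi, eax, zf = bytearray(payload), 0, 0, 0, 0, False
    for _ in range(10_000):                              # hard stop for a runaway variant
        if ip >= len(code):
            return bytes(mem)
        op = code[ip]
        rel8 = lambda: struct.unpack_from("<b", code, ip + 1)[0]
        if op == 0xB9:                                   # mov ecx, imm32
            ecx, ip = struct.unpack_from("<I", code, ip + 1)[0], ip + 5
        elif op == 0x80 and code[ip + 1] == 0x36:        # xor byte [esi], imm8
            mem[esi] ^= code[ip + 2]
            zf, ip = mem[esi] == 0, ip + 3
        elif op == 0x46:                                 # inc esi
            esi, ip = esi + 1, ip + 1
        elif op == 0x83:                                 # 83 /r ib: add/sub/xor r32, imm8
            modrm, imm = code[ip + 1], struct.unpack_from("<b", code, ip + 2)[0]
            if modrm == 0xC6:                            # add esi, imm8
                esi += imm
            else:                                        # eax op 0: eax unchanged, ZF from eax
                zf = eax == 0
            ip += 3
        elif op == 0x90:                                 # nop
            ip += 1
        elif op == 0x49:                                 # dec ecx
            ecx, ip = ecx - 1, ip + 1
            zf = ecx == 0
        elif op == 0xE2:                                 # loop rel8
            ecx -= 1
            ip += 2 + (rel8() if ecx else 0)
        elif op == 0x75:                                 # jnz rel8
            ip += 2 + (0 if zf else rel8())
        else:
            raise ValueError(f"unsupported opcode {op:#x} at offset {ip}")
    raise RuntimeError("stub did not terminate")

def match_hex(sig, data):
    """ClamAV-style body signature: hex byte pairs, '??' matches any one byte.
    Returns the first matching offset or None."""
    toks = [sig[i:i + 2].lower() for i in range(0, len(sig), 2)]
    for off in range(len(data) - len(toks) + 1):
        if all(t == "??" or data[off + i] == int(t, 16) for i, t in enumerate(toks)):
            return off
    return None

HDB_MD5 = hashlib.md5(CANONICAL_STUB).hexdigest()     # whole-object hash (.hdb style)
NDB_HEX = "B9100000008036??46E2FA"                     # byte pattern, key byte wildcarded (.ndb style)

def detect(sample):
    """(hash signature hit, byte signature hit) for one object."""
    return hashlib.md5(sample).hexdigest() == HDB_MD5, match_hex(NDB_HEX, sample) is not None

def demo(seed=7, n=20):
    rng = random.Random(seed)
    encrypted = bytes(b ^ KEY for b in PLAINTEXT)
    variants = [mutate(rng) for _ in range(n)]
    rekeyed = CANONICAL_STUB[:7] + b"\x3C" + CANONICAL_STUB[8:]      # same stub, new key byte
    return {
        "canonical": detect(CANONICAL_STUB),                         # (True, True)
        "rekeyed": detect(rekeyed),                                  # (False, True): hash breaks, pattern survives
        "variants_detected": sum(any(detect(v)) for v in variants),  # 0: neither signature fires
        "variants_decrypt_ok": all(run(v, encrypted) == PLAINTEXT for v in variants),  # True
        "distinct_variants": len(set(variants)),
    }

if __name__ == "__main__":
    print(demo())
```

The three outcomes make the slides' point concrete: changing one key byte already defeats the whole-object hash while the wildcarded byte pattern still matches, and a single junk instruction after the mov breaks even the wildcarded pattern, although every variant decrypts the payload identically. The interpreter is the seed of the alternative: emulate (or otherwise normalize) the code and match on what it does rather than on its bytes.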
Signature-based malware detection
“Signature-based approaches never keep up with the speed at which malware is created and evolved”
Source:
Mihai Christodorescu and Somesh Jha. Static analysis of executables to detect malicious patterns. In Proceedings of the 12th conference on USENIX Security Symposium - Volume 12, SSYM’03, pages 12–12, Berkeley, CA, USA, 2003. USENIX Association.
Behavior-based malware detection
☞ Signature-based detection can’t recognize newly released forms of malware
Behavior-based malware detection evaluates an object based on its intended actions before it can actually execute that behavior.
● An object’s behavior, or in some cases its potential behavior, is analyzed for suspicious activities.
● Attempts to perform actions that are clearly abnormal or unauthorized would indicate the object is malicious, or at least suspicious.
There’s a multitude of behaviors that point to potential danger.
● Some examples include any attempt to discover a sandbox environment, disabling security controls, installing rootkits, and registering for autostart.
Behavior-based malware detection
Evaluating for malicious behavior as it executes is called dynamic analysis.
● Dynamic analysis may introduce latency while the object is exercised
Threat potential or malicious intent can also be assessed by static analysis,
which looks for dangerous capabilities within the object’s code and structure.
● Static analysis can be performed in real-time
While no solution is completely foolproof, behavior-based detection remains the leading technique for uncovering new and unknown threats in near real time.
Behavior-based malware detection
Some examples of where behavior-based technology succeeds when signature-based systems fail are:
● Protecting against new and unimagined types of malware attacks
● Detecting an individual instance of malware targeted at a person or organization
● Identifying what the malware does in a specific environment when files are opened
● Obtaining comprehensive information about the malware
There are a few important limitations to be aware of.
● If malware determines it’s running in a sandbox, it’ll attempt to avoid detection by curtailing malicious activities.
● It’s critical that a sandbox remains undetectable, and most are not.
How behavior-based solutions work
Advanced malware detection solutions observe and evaluate in context every line of code executed by the malware.
● They analyze all requests to access specific files, processes, connections, or services.
● This includes each instruction executed at the OS level or other programs that have been invoked, including low-level code hidden by rootkits.
The technology identifies all malicious, or at least suspicious, activity; taken together, this makes it clear that a file is malicious before it is released onto the network, where it could actually execute its damaging behavior.
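As an added example, not from the slides or from any product, the following Python rule engine evaluates a constructed sandbox trace of Windows API calls against the behaviors listed on the previous slides (sandbox/VM discovery, registering for autostart, disabling security controls, installing a kernel driver) and combines them into a score and verdict. The traces, rule weights and thresholds are assumptions for the demo.

```python
import re

# Constructed sandbox traces (not taken from any real sample): one dict per observed
# Windows API call, in execution order. Keys vary per call; rules match on any field.
MALICIOUS_TRACE = [
    {"api": "RegQueryValueExA", "path": r"HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion"},
    {"api": "GetModuleHandleA", "module": "sbiedll.dll"},                  # Sandboxie probe
    {"api": "CreateFileA", "path": r"\\.\VBoxGuest"},                      # VirtualBox guest device
    {"api": "RegSetValueExA", "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"C:\Users\Public\svch0st.exe"},
    {"api": "ControlService", "service": "WinDefend", "control": "SERVICE_CONTROL_STOP"},
    {"api": "RegSetValueExA", "path": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "data": 1},
    {"api": "CreateServiceA", "service": "hidedrv", "type": "SERVICE_KERNEL_DRIVER",
     "path": r"C:\Windows\Temp\hide.sys"},
    {"api": "NtLoadDriver", "service": "hidedrv"},
]
BENIGN_TRACE = [                                                           # an ordinary installer
    {"api": "CreateFileA", "path": r"C:\Program Files\Acme\acme.exe"},
    {"api": "RegSetValueExA", "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AcmeTray",
     "data": r"C:\Program Files\Acme\tray.exe"},
    {"api": "CreateServiceA", "service": "AcmeUpdate", "type": "SERVICE_WIN32_OWN_PROCESS",
     "start": "SERVICE_AUTO_START"},
]

def text(ev):
    """Flatten one event to a lowercase string so rules can pattern-match any field."""
    return " ".join(str(v) for v in ev.values()).lower()

# Behavior rules: (name, weight, predicate). A rule scores once however often it fires.
RULES = [
    ("discovers sandbox/VM", 2,
     lambda e: bool(re.search(r"vbox|vmware|sbiedll|systembiosversion", text(e)))),
    ("registers for autostart", 2,
     lambda e: bool(re.search(r"\\currentversion\\run(once)?\\", text(e)))
               or e.get("start") == "SERVICE_AUTO_START"),
    ("disables security controls", 3,
     lambda e: (e["api"] == "ControlService" and e.get("control") == "SERVICE_CONTROL_STOP"
                and e.get("service") in ("WinDefend", "MpsSvc", "wscsvc"))
               or bool(re.search(r"disableantispyware|disablerealtimemonitoring", text(e)))),
    ("installs a kernel driver (rootkit)", 4,
     lambda e: e.get("type") == "SERVICE_KERNEL_DRIVER" or e["api"] == "NtLoadDriver"),
    ("injects into another process", 3,
     lambda e: e["api"] in ("WriteProcessMemory", "CreateRemoteThread", "NtMapViewOfSection")),
]

def evaluate(trace, malicious_at=7, suspicious_at=3):
    """Score a trace against RULES; return the verdict and the evidence behind it."""
    hits = {}
    for ev in trace:
        for name, _, pred in RULES:
            if pred(ev):
                hits.setdefault(name, []).append(ev["api"])
    score = sum(w for name, w, _ in RULES if name in hits)
    verdict = ("malicious" if score >= malicious_at
               else "suspicious" if score >= suspicious_at else "benign")
    return {"score": score, "verdict": verdict, "behaviors": sorted(hits)}

if __name__ == "__main__":
    for label, trace in (("malicious", MALICIOUS_TRACE), ("benign", BENIGN_TRACE)):
        print(label, evaluate(trace))
```

Two design points carry over to real systems. Rules are weighted and combined, because a single Run-key write is what every installer does (the benign trace scores 2 and stays benign), while the same action next to a stopped Defender service and a kernel driver loaded from Temp is damning. And the sandbox probes themselves (the BIOS string lookup, sbiedll.dll, \\.\VBoxGuest) score on their own: a sample that checks for a sandbox reveals intent even if it then goes quiet, which is why a rule for evasion attempts pays off even when the sandbox cannot be made perfectly invisible.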
Why analyze Malware?
Malware Detection
Analyzing Malware
Why analyze malware?
● To assess damage
● To discover indicators of compromise
● To determine sophistication level of an intruder
● To identify a vulnerability
● To catch the “bad guy”
● To answer questions …
Why Analyze Malware?
Business Questions
1. What is the purpose of the malware?
2. How did it get here?
3. Who is targeting us, and how skilled are they (the malware writers)?
4. How can I get rid of it?
5. What did they steal?
6. How long has it been here?
7. Does it spread on its own?
8. How can I find it on other machines?
9. How do I prevent this from happening in the future?
Why Analyze Malware?
Technical Questions
1. Network Indicators?
2. Host-based Indicators?
3. Persistence mechanism?
4. Date of compilation?
5. Date of installation?
6. What language was it written in?
7. Is it packed?
8. Was it designed to thwart analysis?
9. Does it have any rootkit functionality?
Indicator: a sign that shows the current state of affairs or a change in circumstances.
Summary
Definition of Malware
Types of Malware
● Malware family
How is malware attached to an executable?
Where is malware installed?
Some ways to bypass anti-malware
Anti-malware evasion techniques
Signature-based malware detection
Behavior-based malware detection