Upload File

challenging anti-virus through evolutionary malware ... · polymorphic metamorphic??? evolutionary...

  • Home
  • Documents
  • Challenging Anti-virus through Evolutionary Malware ... · Polymorphic Metamorphic??? Evolutionary Cascade One of the easiest ways to hide the functionality of the virus code was
1
Challenging Anti-virus through Evolutionary Malware Obfuscation Marco Gaudesi Andrea Marcelli Ernesto Sanchez Giovanni Squillero Alberto Tonda Packer Jaccard Index J (A, B )= |A \ B | |A [ B | Experimental Evaluation 8 recent malware samples for Windows 32 bit A packer compresses or encrypts the instructions and data of a program generating a new executable version. At run time, the new executable decompress the original program in memory, and then jump into it. Packers have been originally designed to save disk space. Then they have been introduced in the word of malicious software: the code must be decrypted before static analysis can be applied. Moreover changing the encryption key produces a completely diffe- rent executable. The unpacking stub: 1) It decompresses and decrypts the original code. 2) It resolves the imports of the executable: if the import table is packed, the loader cannot resolve the imports and load the corre- sponding DLLs. 3) It transfers back the control to the Original Entry Point (OEP). Generating the code 1 3 2 4 5 Test the sequence. Is it reversible? Generate an opcode sequence Fitness evalutation with the Jaccard Index Code encryption Reproduction Goal Develop a new obfuscation mechanism based on evolutionary algorithms. It can be used by security industries to stress the analysis methodologies and to test the ability to react to malware mutations. Malware / malicious software / hides as long as possible communicates executes the payload propagates Encrypted 1988 Oligomorphic 1997 1998 2002 Polymorphic Metamorphic ??? Evolutionary Cascade One of the easiest ways to hide the functionality of the virus code was encryption. The virus starts with a constant decryptor that is fol- lowed by the encrypted virus body. Memorial Oligomorphic viruses do chan- ge their decryptors in new generations. Win95/Memo- rial had the ability to build 96 different decryptor patterns. Crypto Polymorphic viruses can create an endless number of new de- cryptors that use different en- cryption methods to encrypt the constant part (except their data areas) of the virus body. Cryp- to used a random decryption al- gorithm that implemented brute force attack against its constant but variably encrypted virus body. Zmist Metamorphic viruses do not have a decryp- tor, nor a constant virus body. However, they are able to create new generations that look different. Zmist is capable of decom- piling Portable Executable files to its smal- lest elements, it moves code blocks out of the way, inserts itself, regenerates code and data references, including relocation information, and rebuilds the executable. The idea of genetic selection for behaviours was first seen in 2002. W32/Smile Polymorphism using genetic algorithms was first seen in 2005. W32/Zellome 57 AV engines 44 AV engines Further evaluation with locally installed AVs High initial detection rate + Executable behavior susceptible to heuristic evaluation It is used to evaluate the similarity between a Malware sample and the original one. Jaccard Distribution of a sample that maximise the dissimilarity. Jaccard Distribution of a sample similar to the original one. Randomly-generated, variable-length sequence of x86 assembler instructions. Encoding and decoding routines are applied sub- sequently to sequence of bytes. Creation of a new packer variant. The decoding routine is embedded in the new executable. At run time it will restore the original program in memory. The malware uses an evolutionary algorithm to generate completely new obfuscating algorithms. The individuals are a set of working packers and the ‘fitness’ is how similar the new executable is to the original one. 5E 56 311E 01C3 85C0 75F7 C3 pop esi push esi xor [esi],ebx add ebx,eax test eax,eax jnz 0x5 ret Future Work Try the Evolutionary Obfuscator against advanced Anti-Virus based on Deep Neural Network. 0 5 10 15 20 100% 50-90% 12-30% 0% Detection Percentage Number of AV 0 5 10 15 20 100% 50-90% 12-30% 0% Detection Percentage Number of AV Original vs Encoded Version IoT Worm The diffusion of Internet of the Things devices, strongly network oriented, which often lack of proper security measures represents the perfect envi- ronment where a new evolutionary worm, platform indipendent, can spread. Malware Detection Through Machine Learning With over 1 million malware samples caught every day in honeypots all over the world, new detection approaches are necessary. The research aims at developing a detection mechanism based on multiple classifier where each one targets a particular malware family.

Upload: others

Post on 07-Aug-2020

2 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: Challenging Anti-virus through Evolutionary Malware ... · Polymorphic Metamorphic??? Evolutionary Cascade One of the easiest ways to hide the functionality of the virus code was

Challenging Anti-virus through EvolutionaryMalware Obfuscation

Marco Gaudesi Andrea Marcelli Ernesto Sanchez Giovanni Squillero Alberto Tonda

Packer

Jaccard Index J(A,B) =|A \B||A [B|

Experimental Evaluation

8 recent malware samples forWindows 32 bit

A packer compresses or encrypts the instructions and data of a program generating a new executable version. At run time, the new executable decompress the original program in memory, and then jump into it.

Packers have been originally designed to save disk space.Then they have been introduced in the word of malicious software: the code must be decrypted before static analysis can be applied. Moreover changing the encryption key produces a completely diffe-rent executable.

The unpacking stub:1) It decompresses and decrypts the original code.

2) It resolves the imports of the executable: if the import table is packed, the loader cannot resolve the imports and load the corre-sponding DLLs.

3) It transfers back the control to the Original Entry Point (OEP).

Generating the code

1

3

2 4

5

Test the sequence. Is it reversible?

Generate an opcode sequence

Fitness evalutation with the Jaccard Index

Code encryption

Reproduction

GoalDevelop a new obfuscation mechanism based on evolutionary algorithms.

It can be used by security industries to stress the analysis methodologies and to test the ability to react to malware mutations.

Malware/ malicious software /

hides as long as possible

communicates

executes the payload

propagates

Encrypted

1988

Oligomorphic

1997 1998 2002

PolymorphicMetamorphic

???

Evolutionary

CascadeOne of the easiest ways to hide the functionality of the virus code was encryption. The virus starts with a constant decryptor that is fol-lowed by the encrypted virus body.

MemorialOligomorphic viruses do chan-ge their decryptors in new generations. Win95/Memo-rial had the ability to build 96 different decryptor patterns.

CryptoPolymorphic viruses can create an endless number of new de-cryptors that use different en-cryption methods to encrypt the constant part (except their data areas) of the virus body. Cryp-to used a random decryption al-gorithm that implemented brute force attack against its constant but variably encrypted virus body.

ZmistMetamorphic viruses do not have a decryp-tor, nor a constant virus body. However, they are able to create new generations that look different. Zmist is capable of decom-piling Portable Executable files to its smal-lest elements, it moves code blocks out of the way, inserts itself, regenerates code and data references, including relocation information, and rebuilds the executable.

The idea of genetic selection for behaviours was first seen in 2002.W32/Smile

Polymorphism using genetic algorithms was first seen in 2005.W32/Zellome

57 AV engines

44 AV engines

Further evaluation with locally installed AVs

High initial detection rate +

Executable behavior susceptible to heuristic

evaluation

It is used to evaluate the similarity between a Malwaresample and the original one.

Jaccard Distribution of a sample that maximise the dissimilarity.

Jaccard Distribution ofa sample similar to the original one.

Randomly-generated, variable-length sequence of x86 assembler instructions.

Encoding and decoding routines are applied sub-sequently to sequence of bytes.

Creation of a new packer variant.

The decoding routine is embedded in the new executable. At run time it will restore the original program in memory.

The malware uses an evolutionary algorithm to generate completely new obfuscating algorithms.

The individuals are a set of working packers and the ‘fitness’ is how similar the new executable is to the original one.

5E56311E01C385C075F7C3

pop esipush esixor [esi],ebxadd ebx,eaxtest eax,eaxjnz 0x5ret

Future Work Try the Evolutionary Obfuscator against advancedAnti-Virus based on Deep Neural Network.

0

5

10

15

20

100%50-90%12-30%0%

Detection Percentage

Num

ber o

f AV

0

5

10

15

20

100%50-90%12-30%0%

Detection Percentage

Num

ber o

f AV

Original vs Encoded Version

IoT WormThe diffusion of Internet of the Things devices, strongly network oriented, which often lack of proper security measures represents the perfect envi-ronment where a new evolutionary worm, platform indipendent, can spread.

Malware Detection Through Machine LearningWith over 1 million malware samples caught every day in honeypots all over the world, new detection approaches are necessary.The research aims at developing a detection mechanism based on multiple classifier where each one targets a particular malware family.

DEPARTMENT OF COMPUTER SCIENCEcreasing number of polymorphic and metamorphic viruses. A polymorphic virus makes use of a decrypter/encrypter stub, to make the creation of a signature

Evolutionary Enhancement of Zika Virus Infectivity in

Polymorphic and Metamorphic Malware - Black Hat · Metamorphic / Polymorphic Malware Fundamental Principles Malware must be defined semantically as the very same Virus, Worm, Bot,

EVOLUTIONARY BIOLOGY Copyright © 2019 Deep learning on ... · polymorphic mimicry complex of Heliconius erato and Heliconius melpomene. Euclidean phenotypic distances, calculated

Malware: threats and defensesclem.dii.unisi.it/~vipp/website_resources/courses/cyber... · 2020-05-14 · • Metamorphic virus: The difference with respect to polymorphic viruses

Charles Darwin University Crocodilepox virus evolutionary

Polymorphic mapping (Brutos mvc)

Computer Security DD2395 · Polymorphic Virus ! A virus can take things one step further: Rebuild the whole virus at every infection to something functionally identical ! There are

Advanced polymorphic techniques

Genome based Evolutionary study of SARS-CoV-2 towards the ... · virus (Azim et al., 2019b), Nipah virus (Saha et al., 2017), influenza virus (Hasan et al., 2019b) and so on. At present,

Lappeenranta University of Technology 5 April 2006 …index-of.es/Viruses/P/Polymorphic virus detection technology.pdf · Lappeenranta University of Technology 5 April 2006 Department

Epidemic History and Evolutionary Dynamics of Hepatitis B ...stacks.cdc.gov/view/cdc/4287/cdc_4287_DS1.pdf · Epidemic History and Evolutionary Dynamics of Hepatitis B Virus Infection

Android Security: Attack Patterns and Defense Mechanisms · Morphic Virus •Polymorphic virus •It decrypts its code, runs that code, and then when propagating itself encrypts the

Polymorphic P Systems

GNISREVER A POLYMORPHIC FILE-INFECTING RANSOMWARE … 1... · Malware Honeycomb virus POS bot botnet worm ransom ware . 5 trojan script/ macro Virlock virus POS bot botnet worm ransom

Close evolutionary relationship between rice black-streaked dwarf virus … · 2019. 4. 27. · Southern rice black-streaked dwarf virus (SRBSDV) are major viral pathogens in China

Using Molecular Information to Investigate the Evolutionary Origin of the HIV Virus

Evolutionary enhancement of Zika virus infectivity in · PDF fileEvolutionary enhancement of Zika virus infectivity in Aedes aegypti mosquitoes yang Liu 1,2 3*, Jianying Liu 1,3*,

Orthomyxoviridae Influenza Virus. Properties Spherical Virion ( polymorphic) Spherical Virion ( polymorphic) 100 nm Size 100 nm Size Segmented –SS-RNA

Evolutionary Trajectory of White Spot Syndrome Virus ...digital.csic.es/bitstream/10261/47878/1/Plos One 5_10...Evolutionary Trajectory of White Spot Syndrome Virus (WSSV) Genome Shrinkage

Healthspan Intranet - Polymorphic Products

Evolutionary Dynamics and Global Diversity of Influenza A Virus

Controlled chaos of polymorphic mucins in a metazoan ... · major challenge in evolutionary biology. ... systems predicts that an arms race takes place in which both host ... (pH

Virus Encyption CS 450 Joshua Bostic. topics Encryption as a deterent to virus scans. History of polymorphic viruses. Use of encryption by viruses

Polymorphic -Calculuswiki.ifs.hsr.ch/SemProgAnTr/files/mmeili_presentation_first_draft.pdf · Seminar HS2015 Content — Motivation — Parametric Polymorphism — The Polymorphic

Using Molecular Information to Investigate the Evolutionary Origin of the HIV Virus

The best of anti-virus technologies to protect your PCs€¦ · Password stealers Spyware Rootkits Riskware (riskware) Polymorphic viruses Worms Backdoors Jokers Paid dialers Hack

EVASION AND DETECTION OF METAMORPHIC VIRUSES · FIGURE 3 GENERATIONS OF A METAMORPHIC VIRUS ... infect() defines the mechanism of virus replication ... 3.2 Encrypted and Polymorphic

Polymorphic Light Eruption

Polymorphic Switches and PolyJoysticks

Functional and evolutionary impact of polymorphic ... · 1 Functional and evolutionary impact of polymorphic inversions in the human genome Carla Giner-Delgado1,2*, Sergi Villatoro1*,

Polymorphic Blending Attacks

Catecholaminergic Polymorphic Ventricular Tachycardia & RYR2

Maguari Virus Associated with Human Disease · virus (CVV), which does infect humans, ... sequence were aligned using the MUSCLE algorithm, and the evolutionary history for each tree

Fundamentals of the Host-Virus Evolutionary Arms Race Efrem S