OmniUmpack: Fast, Generic, and Safe Unpacking of Malware Authors: Lerenzo Martignoni, Mihai Christodorescu and Somesh Jha Computer Security Applications Conference 2007 (ACSAC’07) Presented by LIU Limin 1 Agenda • • • • • Introduction Design Implementation Evaluation Conclusion 2 Agenda • • • • • Introduction Design Implementation Evaluation Conclusion 3 Packed malware • Term packed refers to malware whose payload is either compressed or encrypted. – E.g. polymorphic malware • An unpacking routine that restores the original code from memory and then executes it during runtime. – Self-decompression or self-decryption – Several layers of unpacking 4 Why malware packed? • Anti-analysis – Reverse engineering – Experts can make the malware hard to analyze • Anti-virus tools evasion – Existing packers are modified to evade anti-virus tools at the rate of 10-15 per month. – 80% new malware are packed with various packers. – 50% new malware samples are repacked versions of existing malware. How to effectively recover the real malicious code? 5 Traditional unpacking approaches • Algorithmic unpacking – Using specific unpacking routines to recover the original program, one routine per packing algorithms. • ClamAV – Limited to a fixed set of known packers. 6 Traditional unpacking approaches (Cont.) • Generic unpacking – Emulation/tracing of the execution until the unpacking routine terminates. • PolyUnpack ([ACSAC 06]), Renovo ([Worm 07]) – Limitations • Unpacking is slow because of instruction-level tracing. • Effectiveness depends on the fidelity of the emulation environment. • The detection of the termination of the unpacking routine is undecidable. 7 Goals of OmniUnpack • Generic unpacking with low-overhead by tracking memory access at the page level. • Precise unpacking by running the program on native OS. • An in-memory malware detection strategy independent of packing and self-modification. 8 Agenda • • • • • Introduction Design Implementation Evaluation Conclusion 9 OmniUnpack: simple strategy • Tracking all memory writes and the program counter. • The execution of a previously written memory locations indicates the end of an unpacking stage. • All written-then-executed (or written and about to be executed) memory locations should then be analyzed by a malware detector. Starting from this strategy, designing an unpacking algorithm that achieves low overhead yet does not compromise the security of the system. 10 Execution traces for a packed executable • Ideally – The detection of the termination of the unpacking routine is undecidable. • Coarse-grained memory access tracking – using hardware mechanism at page level. – Written-then-executed pages are indicative of unpacking but not indicative of the end of unpacking. – Increasing the chance to detect spurious unpacking stages (up to hundreds of thousands stages) . – The overhead introduced by invoking the malware detector 11 every time a written memory page is executed is prohibitive. OmniUnpack-enhanced detection • Heuristic: An unpacking stage is completed when the execution of previous written page is followed by a dangerous system call. • Choice of dangerous system calls – A dangerous system call is a system call whose execution can leave the system in an unsafe state. 12 Continuous monitoring of the execution • OmniUnpack implements a continuous monitoring approach, where the execution is observed in its entirety. – Multiple unpacking stages – Approximation of the end of an unpacking stage • A solution for the undecidability of the problem of detecting the real end of the unpacking stage. • The low overhead of OmniUnpack allows for continuous monitoring in an end-user environment. 13 Algorithm 14 Example • Execution Trace : <x(0), w(1), s1, w(2), x(1), s2, x(2), s3, …> – – – – – – – – x(0): W = Ø, WX = Ø s1 is not dangerous w(1): W= {1}, WX = Ø and WX is empty. s1 (NtOpenFile): W = {1}, WX = Ø w(2): W = {1,2}, WX= Ø x(1): W = {1,2}, WX= {1} s2 is not dangerous. s2 (NtOpenKey): W = {1,2}, WX= {1} x(2): W = {1,2), WX = {1,2} s3 (NtDeleteFile): The system call is dangerous, malware detector is invoked to scan all the memory pages in W. 15 Agenda • • • • • Introduction Design Implementation Evaluation Conclusion 16 Architecture • Kernel driver – Tracking memory access – Detecting when the dangerous system call occurs – Triggering malware detection • User-space Component – Malware detector responsible for ondemand scanning of memory of the suspicious program. 17 Monitoring memory accesses • The W⊕X policy is enforced on the memory pages of the suspicious program. – A memory page can be either writable or executable. • Page-fault exceptions are trapped by OmniUnpack. – When an unpacking routine writes the unpacked code to memory, the destination page is marked writable but not executable. – When an unpacking stage ends, the access to this page for execution will cause a protection exception because of the lack of execution permission. – Intercept and process such exceptions. • Non-executable pages can be emulated via software mechanism with a minimal overhead. – PaX PAGEEXEC 18 Monitoring system calls • Intercepting the system calls of interest (dangerous ones) through interposition on the system-call dispatch table. • If newly generated code is present in the program memory, the code is executed, and the execution is followed by a dangerous system call, then consider the unpacking stage concluded and trigger malware detection. • At the end of scanning, write permissions are revoked from all scanned pages. 19 User-space malware detector • Any malware detection strategy can be used to scan the code generated during the previous stage. • OmniUnpack only provides a detector with data to analyze and then authorizes, or denies, the execution of such data according to the response of the detector. • A bug in the malware detector will not compromise the stability of the whole system since the detector is running in user-space. 20 Agenda • • • • • Introduction Design Implementation Evaluation Conclusion 21 Experimental evaluation • Successfully monitored all the analyzed samples and detected the end of each unpacking stage. • Handled 80% of packed malware, while ClamAV handled only about 15%. • Armadillo and CExe unpack the original payload on disk and then execute this executable. • • N/A: programs that did not execute correctly after packing, with or without OmniUnpack. 22 IMPL: a limitation of the current OmniUnpack implementation. Time to unpack • OmniUnpack was significantly faster than PolyUnpack. (e.g., with UPX OmniUnpack was 20.56 times faster than PolyUnpack.) • In 42% of the cases PolyUnpack timeout (300 secs). • OmniUnpack was within one order of magnitude of ClamAV (e.g., with UPX OmniUnpack was only 5 times slower). • In 75% cases, ClamAV failed to unpack. 23 Overhead for benign programs • About 6% average overhead on non-packed applications. • About 11% average overhead on packed applications (with UPX). 24 Agenda • • • • • Introduction Design Implementation Evaluation Conclusion 25 Conclusion • A new unpacking technique that addresses the shortcomings of previous unpackers. – Generic unpacker • Able to deal with known and unknown unpacking algorithms. • resilient to anti-debugging, anti-VM and anti-emulation techniques. • Integrated with any operating system and any malware detector without trading off efficiency or unpacking capability. – Suitable for use on end-user environment. • Minimizing the overhead by using hardware mechanism and working directly in the OS. – Safe in the presence of multiple unpacking stages. – Improved detection rate. • Any malware detector can delegate to OmniUnpack the recovery of the packed code. 26 Limitations • Imprecision of page-level tracking. – The memory monitoring at page level caused the undecidability of the specific addresses which are really accessed on the page. – The assumption that memory accesses potentially affect all addresses on a page will cause the identification of spurious unpacking stages. • Incomplete extracted instructions. – The content of written-then-executed page is modified before invoking a dangerous system call. 27 Thank you! Questions? 28 PolyUnpack ([ACSAC 06]) • Performing static analysis over malware instance to acquire its static code model. • The statically derived model and malware instance are fed into the dynamic analysis component. • The execution of malware paused after each instruction and its context is compared with the model. • When the first instruction of a sequence not found in the static model is detected, representations of that unknown instructions sequences are written out and the malware’s execution is halted. 29 Renovo ([Worm 07]) • Heuristic: the original program code and data should be present in memory to be executed, and also the instruction point should jump to the OEP of the restored program code which has been written in memory at runtime. • A technique dynamically extract the hidden original code and the OEP from the packed executable by examining whether the current instruction has been generated at run-time, after the program binary was loaded. • Instruction level. 30
© Copyright 2024 Paperzz