Monirul Sharif1, Andrea Lanzi2,
Jonathon Giffin1, Wenke Lee1
1Georgia
Institute of Technology
2Universit`a degli Studi di Milano
NDSS 2008
Introduction
We need to understand malware…
Rootkits
Keyloggers
Viruses
System-wide effects
Malware
Exploits Worms
Spyware
Trojans
Bots
Reverse engineering and Malware Analysis
Capabilities
HundredsPropagation
of new malwareControl
samples appear
almost everyday…
Malware
Malware
Malware
Malware
Malware
Malware
Automated analysis systems have become very important
Obfuscations that are easily applicable on existing code can be a threat
We present a Simple, Automated and Transparent Obfuscation
against state-of-the-art malware analyzers
NDSS 2008
Impeding Malware Analysis Using Conditional Code Obfuscation
2
Malware Analysis and Obfuscations
Defense
Offense
Static Analysis based approaches
Polymorphism, metamorphism,
packing, opaque predicates,
anti-disassembly
nse
respo
Dynamic malware analysis
Trigger-based behavior
(Logic bombs, time bombs,
anti-debugging, anti-emulation, etc.)
nse
respo
Dynamic multipath exploration
(Moser et al. 2007)
Bitscope (Brumley et al. 2007)
EXE (Cadar et al. 2006)
Forced execution (Wilhelm et al. 2007)
NDSS 2008
?
Conditional Code Obfuscation
Impeding Malware Analysis Using Conditional Code Obfuscation
3
Rest of the Talk
o Conditional Code Obfuscation
Principles
o Static analysis based automation
o Automatic applicability on existing malware without modification
o
o Implications
Implications on Existing Analyzers
o Measuring Obfuscation Strength
o
o Prototype Implementation and Evaluation
o
Evaluation on malware
o Weaknesses and Defense
o
How analysis can be improved to defender
NDSS 2008
Impeding Malware Analysis Using Conditional Code Obfuscation
4
Principles of Our Attack
Malware Binary
Inputs
Unknown
?
Condition
Trigger-based
behavior
Any static and
dynamic analysis
approach
Input Oblivious
Analyzer
NDSS 2008
Impeding Malware Analysis Using Conditional Code Obfuscation
5
Principles of Our Attack
Malware Binary
Condition
Unknown
Inputs
cmd = get_command(sock);
if (strcmp(cmd, “logkeys”)==0))
{
LogKeys()
}
Trigger-based
behavior
cmd = get_command(sock);
if (Hash(cmd)== H))
{
LogKeys()
}
NDSS 2008
Impeding Malware Analysis Using Conditional Code Obfuscation
6
Principles of Our Attack
Malware Binary
Condition
Unknown
Inputs
cmd = get_command(sock);
if (strcmp(cmd, “logkeys”)==0))
{
LogKeys()
}
Trigger-based
Trigger-based
behavior (K )
behavior
The key is
inside the
program
NDSS 2008
cmd = get_command(sock);
if (strcmp(cmd, “logkeys”)==0))
{
decrypt(encr_LogKeys, K );
encr_LogKeys()
}
encr_LogKeys(){
}
Impeding Malware Analysis Using Conditional Code Obfuscation
7
Principles of Our Attack
Malware Binary
Condition
Unknown
Inputs
cmd = get_command(sock);
if (strcmp(cmd, “logkeys”)==0))
{
LogKeys()
}
Trigger-based
behavior
cmd = get_command(sock);
if (Hash(cmd)== H))
{
decrypt(encr_LogKeys, cmd);
encr_LogKeys()
}
The key is no
longer inside
the code
NDSS 2008
encr_LogKeys(){
}
Impeding Malware Analysis Using Conditional Code Obfuscation
8
General Obfuscation Mechanism
Original Code
Obfuscated Code
Hash(c)
if ( X == c ) {
B
if ( Hash(X) == Hc ) {
Decr(BE, X)
Encr(B, c)
BE
}
}
o o Candidate
Conditions
- Conditions with equality
Hash function
Properties:
o o The
usual ‘==‘resistance
operator – Protects against reversing
Pre-image
o String equalityHard
checks
– strcmp,
strncmp etc.
to find
c givenmemcmp,
H
c
o
Conditions with ‘>’, ‘<‘, ‘!=‘ will not work
o Conditional
Code
o Second pre-image resistance - Program correctness
o
Any code
that
onlyc’when
Hard
to executes
find another
wherecondition
Hash(c’)is=satisfied
H
c
NDSS 2008
Impeding Malware Analysis Using Conditional Code Obfuscation
9
Automation Using Static Analysis
o Identify Candidate Conditions
Identify functions and create CFG for each function
o Find blocks containing candidate conditions
o
o Conditional code Identification
Intra-procedural - Basic blocks control dependent on condition
with true outcome
o Inter-procedural - Set of all functions only reachable from
selected basic blocks
o
o Exclude functions reachable from default path
o
Conservative conditional code selection for function pointers
NDSS 2008
Impeding Malware Analysis Using Conditional Code Obfuscation
10
Automation Using Static Analysis
Handling Common Conditional Code
if
if
P
Q
P
Q
KP
KQ
KP
KQ
B
BP
Encr(B, KP)
BQ
Encr(B, KQ)
• Two keys are used in two paths. Duplicate code
• If one path is not candidate condition, no use in
concealing the trigger code
NDSS 2008
Impeding Malware Analysis Using Conditional Code Obfuscation
11
Automation Using Static Analysis
Handling Complex Conditions
if ( X==a && Y==b ) {
Attack()
}
if ( X==a ) {
if (Y==b ) {
Attack()
}
}
Logical “and”
if ( X==a || Y==b ) {
Attack()
}
if ( X==a )
Attack()
}
else if (Y==b ) {
Attack()
}
Logical “or”
NDSS 2008
Impeding Malware Analysis Using Conditional Code Obfuscation
12
Automation Using Static Analysis
Handling Complex Conditions
switch (cmd) {
if (cmd==0)
attack1();
case 0:
attack1();
break;
case 1:
recon();
if (cmd==1) {
recon();
attack2();
}
case 2:
attack2();
if (cmd==2)
attack2();
}
Switch Case
NDSS 2008
Impeding Malware Analysis Using Conditional Code Obfuscation
13
Consequences to Existing Analyzers
• Multi-Path Exploration (Moser et al., Bitscope)
Constraints are built for each path
o Hash functions are non-linear, so cannot find solution
o
• Input Discovery (EXE)
Solves constraints to get inputs – symbolic execution
o Same problem, cannot find derive input
o
Hash(X)==H
Condition C
B
Trigger-based
behavior
NDSS 2008
Impeding Malware Analysis Using Conditional Code Obfuscation
14
Consequences to Existing Analyzers
• Forced Execution
Without solving constraints, forces execution
o Without key, program crashes
o
• Static Analysis
o
Same as packed code, static analysis on trigger code is not
possible
Hash(X)==H
Condition C
B
Trigger-based
behavior
NDSS 2008
Impeding Malware Analysis Using Conditional Code Obfuscation
15
Attacks on the Obfuscation
o Attacks on Hash(X)=Hc
o
Find possible X for satisfying the above
o Input domain
Domain(X) – set of all possible values X may take
o With time t for every hash computation,
total time = Domain(X)t
o
o
For an integer I, Domain(I) = 232
o Brute Force attacks
o Dictionary Attacks
NDSS 2008
Impeding Malware Analysis Using Conditional Code Obfuscation
16
Prototype Implementation
• Overview
o
o
Implemented for Linux
Takes malware C source code and outputs obfuscated ELF binaries
• Analysis Level – both source code and binary levels required
o
o
Source and IR level – type information is essential
Binary level – decrypted code must be executable
LLVM
.c
Compiler
Framework
Malware
Source (c/c++)
Find candidate conditions
conditional code and keys.
Perform transformation.
DynInst
.o
ELF Binary
(x86)
Binary
Analysis/
Instrumentation
Encrypt marked
Blocks with keys
remove keys
.o
Final obfuscated
ELF Binary
(x86)
Simplified architectural view of the automated obfuscation system
NDSS 2008
Impeding Malware Analysis Using Conditional Code Obfuscation
17
Analysis and Transformation Phase
• Candidate Code Replacement
o
o
o
Enc(X)/Dec(X) Encryption/Decryption – AES with 256 bit keys
Hash function – Hash(X) - SHA-256
Different hash functions based on data type of X
• Decryption Keys and Markers
o
Key generation – Key(X) = Hash(X|N), N is Nonce
NDSS 2008
Impeding Malware Analysis Using Conditional Code Obfuscation
18
Encryption Phase
• DynInst based binary transformation tool
o
o
o
Finds Decipher(), and End_marker() and key (Kc)
Encrypts binary code with key
Removes marker and key from code
NDSS 2008
Impeding Malware Analysis Using Conditional Code Obfuscation
19
Experimental Results
• Evaluated by Obfuscating Malware Programs
o
Selected representative malware source programs for
Linux with trigger based behavior
• Evaluation Method
o
o
o
Manually identified malicious triggers in malware
Applied obfuscation, counted how many were
completely obfuscated by the automated system
Considered three levels of obfuscation strength –
Strong – strings
Medium – integers
Weak – booleans and return codes
NDSS 2008
Impeding Malware Analysis Using Conditional Code Obfuscation
20
Experimental Results
NDSS 2008
Impeding Malware Analysis Using Conditional Code Obfuscation
21
Analysis of the Technique
(Strengths and Weaknesses)
• Knowledgable attacker can modify program to improve
obfuscation effectiveness
• Increase candidate conditions - replace <, >, !=
operators with ‘==‘
• Increase conditional code – incorporate triggers that
encapsulate more execution behavior
• Increase input domains - Use variables with larger
domains (e.g. strings) or use larger integers
• Weaknesses
• Input domain may be very small in some cases
• Upside on Malware detection – but polymorphic
layers can be added
NDSS 2008
Impeding Malware Analysis Using Conditional Code Obfuscation
22
Defense Approaches
o Incorporating cracking engine
o Equipped with decryptors where various keys are
tried out repeatedly
o Input domain knowledge (for dictionary attacks)
o Determine type information – reduce domain
space
o Syscall return codes
o Input-aware analysis
o Gather I/O traces along with malware binaries
NDSS 2008
Impeding Malware Analysis Using Conditional Code Obfuscation
23
Conclusion
o We presented an obfuscation technique that can be
widely applicable on existing malware
o The obfuscation conceals trigger based behavior from
existing and future analyzers
o We have shown its effectiveness on malware using our
implemented automated prototype
o We presented its weaknesses and possible ways
analyzers can be improved to defeat it
NDSS 2008
Impeding Malware Analysis Using Conditional Code Obfuscation
24
Thank you
Questions?
[email protected]
NDSS 2008
Impeding Malware Analysis Using Conditional Code Obfuscation
25
Experimental Results
NDSS 2008
Impeding Malware Analysis Using Conditional Code Obfuscation
26