Malware Variants Identification in Practice
Abstract
Malware is a persistent threat to computer systems, and analysis procedures allow countermeasures to be developed against it. However, as samples spread at growing rates, malware clustering techniques are required to keep analysis procedures scalable. Current clustering approaches use Call Graphs (CGs) to identify polymorphic samples, but they consider only individual function calls, thus failing to cluster malware variants created by replacing a sample's original functions with semantically equivalent ones. To solve this problem, we propose a behavior-based classification procedure able to group functions into classes, thus reducing analysis costs. We show that classifying samples according to their behaviors (via function call semantics) instead of their raw API invocations is a more effective way to cluster malware variants. We also show that using a containment metric instead of a similarity metric helps to identify malware variants when one sample is embedded in another.
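The two claims in the abstract can be made concrete with a small sketch. The following Python is an added illustration, not the paper's code: the API-to-behavior-class mapping and the three sample call sets are constructed for the example (the paper derives its classes from function call semantics, which this mapping only stands in for). It shows that two variants that swap every API for a semantically equivalent one have zero raw-API overlap but identical behavior classes, and that a sample embedded in a larger dropper scores low under a symmetric similarity metric (Jaccard) while scoring 1.0 under an asymmetric containment metric.

```python
"""Behavior-class clustering: similarity vs. containment metrics.

Added illustration, not code from the paper.  API_TO_BEHAVIOR and the three
sample call sets are constructed for this example; the paper obtains its
behavior classes from function call semantics, which the mapping stands in for.
"""
from __future__ import annotations

# Constructed mapping from Windows API names to coarse behavior classes.
# Semantically equivalent APIs (CreateFileA / CreateFileW / fopen, ...) collapse
# into one class, which is what lets a variant that swapped one call for an
# equivalent one still match the original sample.
API_TO_BEHAVIOR: dict[str, str] = {
    "CreateFileA": "file_open", "CreateFileW": "file_open", "fopen": "file_open",
    "WriteFile": "file_write", "fwrite": "file_write",
    "RegSetValueExA": "registry_write", "RegSetValueExW": "registry_write",
    "InternetOpenUrlA": "network_http", "WinHttpOpenRequest": "network_http",
    "CreateProcessA": "process_create", "ShellExecuteA": "process_create",
}


def behaviors(api_calls: set[str]) -> set[str]:
    """Map a sample's API call set to its set of behavior classes.

    APIs missing from the mapping are kept under their own name so that an
    incomplete mapping never silently shrinks a sample's feature set.
    """
    return {API_TO_BEHAVIOR.get(api, f"unknown:{api}") for api in api_calls}


def jaccard(a: set[str], b: set[str]) -> float:
    """Symmetric similarity |A ∩ B| / |A ∪ B|; penalised when b is much larger than a."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def containment(a: set[str], b: set[str]) -> float:
    """Asymmetric containment of a in b: |A ∩ B| / |A|.

    Reaches 1.0 whenever every feature of a also appears in b, however much
    extra b carries, which is the embedded-sample case the abstract describes.
    """
    if not a:
        return 0.0
    return len(a & b) / len(a)


# Constructed samples.  VARIANT_B is VARIANT_A with every API swapped for a
# semantically equivalent one; DROPPER embeds all of VARIANT_A's calls plus
# injection and timing APIs that are deliberately absent from the mapping.
VARIANT_A = {"CreateFileA", "WriteFile", "RegSetValueExA", "InternetOpenUrlA"}
VARIANT_B = {"fopen", "fwrite", "RegSetValueExW", "WinHttpOpenRequest"}
DROPPER = VARIANT_A | {
    "CreateProcessA", "ShellExecuteA", "VirtualAllocEx",
    "WriteProcessMemory", "CreateRemoteThread", "Sleep",
}


def compare(a: set[str], b: set[str]) -> dict[str, float]:
    """Score one pair of samples under raw-API and behavior-class features,
    with both the symmetric (Jaccard) and the asymmetric (containment) metric."""
    ba, bb = behaviors(a), behaviors(b)
    return {
        "api_jaccard": jaccard(a, b),
        "behavior_jaccard": jaccard(ba, bb),
        "api_containment": containment(a, b),
        "behavior_containment": containment(ba, bb),
    }


if __name__ == "__main__":
    pairs = {"A vs B (equivalent APIs)": (VARIANT_A, VARIANT_B),
             "A in DROPPER (embedded)": (VARIANT_A, DROPPER)}
    for label, (x, y) in pairs.items():
        print(label, {k: round(v, 2) for k, v in compare(x, y).items()})
```

Run as a script, the first pair shows raw-API Jaccard 0.0 against behavior-class Jaccard 1.0, and the second shows Jaccard well below 0.5 under either feature set while containment of the variant in the dropper is 1.0. Containment is directional: `containment(DROPPER, VARIANT_A)` is low, so a clustering pipeline has to evaluate it with the suspected embedded sample as the first argument.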
Published
02/09/2019
How to Cite
BOTACIN, Marcus; GRÉGIO, André; DE GEUS, Paulo. Malware Variants Identification in Practice. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 19., 2019, São Paulo. Proceedings [...]. Porto Alegre: Sociedade Brasileira de Computação, 2019. p. 29-42. DOI: https://doi.org/10.5753/sbseg.2019.13960.