Análise Comportamental de Código Malicioso Através da Monitoração de Chamadas de Sistema e Tráfego de Rede
Resumo
Código malicioso (malware) disseminado através da Internet—vírus, worms, trojans—é a maior ameaça atual à segurança da informação e um negócio lucrativo para criminosos. Há abordagens para analisar malware que monitoram suas ações durante a execução em ambiente controlado, permitindo identificar comportamentos maliciosos. Neste artigo, propõe-se uma ferramenta de análise comportamental de malware não intrusiva, a qual amplia a análise a exemplares que contornam as abordagens atuais e corrige alguns problemas presentes nestas, preenchendo assim uma lacuna na área.
Referências
Balzarotti, D., Cova, M., Karlberger, C., Kruegel, C., Kirda, E. and Vigna, G. (2010) “Efficient detection of split personalities in malware”, 17th Annual Network and Distributed System Security Symposium, February 28th-March 3rd.
Bayer, U., Habibi, I., Balzarotti, D., Kirda, E., and Kruegel, C. (2009), “A View on Current Malware Behaviors”, Usenix Workshop on Large-scale Exploits and Emergent Threats (LEET). USA, April.
Bayer, U., Kruegel, C. and Kirda, E. (2006). “TTanalyze: A Tool for Analyzing Malware”, Proc. 15th Ann. Conf. European Inst. for Computer Antivirus Research (EICAR), 2006, pp. 180–192.
Bellard, F. (2005) “QEMU, a fast and portable dynamic translator”, In Proceedings of the Annual Conference on USENIX Annual Technical Conference, USENIX Association, p. 41-41.
Binsalleeh, H., Ormerod, T., Boukhtouta, A., Sinha, P., Youssef, A., Debbabi, M. and Wang, L. (2010). “On the Analysis of the Zeus Botnet Crimeware Toolkit”. In the Proceedings of the Eighth Annual Conference on Privacy, Security and Trust, PST'2010, Aug 17-19, Ottawa, ON, Canada, IEEE Press.
Blunden, B. (2009), “The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System”, Jones and Bartlett Publishers, Inc, 1th edition.
Choi, Y., Kim, I., Oh, J. and Ryou, J. (2008). “PE File Header Analysis-Based Packed PE File Detection Technique (PHAD)”, Proceedings of the International Symposium on Computer Science and its Applications, p.28-31, October 13-15, 2008.
Dinaburg, A., Royal, P., Sharif, M., and Lee, W. (2008). “Ether: Malware analysis via hardware virtualization extensions”. In In Proceedings of The 15th ACM Conference on Computer and Communications Security (CCS 2008), Alexandria, VA, October 2008.
Father, H. (2004) “Hooking Windows API-Technics of Hooking API Functions on Windows”, CodeBreakers J., vol.1, no.2, [link].
Franklin, J., Paxson, V., Perrig, A. and Savage, S. (2007). “An Inquiry Into the Nature and Causes of the Wealth of Internet Miscreants”. In Conference on Computer and Communications Security (CCS), 2007.
Garfinkel, T. and Rosenblum, M. (2003) “A virtual machine introspection based architecture for intrusion detection”, In Proc. Network and Distributed Systems Security Symposium, p 191-206.
Hoglund, G. and Butler, J. (2005), “Rootkits: Subverting the Windows Kernel”, AddisonWesley Professional, 1th edition. Holz, T., Engelberth, M. and Freiling, F. (2008). “Learning More About the Underground Economy: A Case-Study of Keyloggers and Dropzones”. Reihe Informatik TR-2008-006, University of Mannheim, 2008.
JoeBox. (2010). http://www.joebox.org/, 2010.
Kang, M. G., Poosankam, P., and Yin, H., (2007). “Renovo: A hidden code extractor for packed exe-cutables”. In Proceedings of the 2007 ACM Workshop on Recurring Malcode (WORM 2007).
Kong, J. (2007), “Designing BSD Rootkits”, No Starch Press, 1th edition.
Leder, F. and Werner, T. (2009). “Know your enemy: Containing conficker”. http://www.honeynet.org/papers/. The Honeynet Project & Research Alliance.
Martignoni, L., Christodorescu, M., and Jha, S. (2007). “Omniunpack: Fast, generic, and safe unpack-ing of malware”. In Proceedings of the Annual Computer Security Applications Conference (ACSAC), 2007.
Microsoft PECOFF (2008), “Microsoft Portable Executable and Common Object File Format Specification”, [link], March 2008.
Moser, A., Kruegel, C., and Kirda, E., (2007). “Limits of Static Analysis for Malware Detection”, In ACSAC, pages 421--430. IEEE Computer Society.
SecureList (2007), Net-Worm.Win32.Allaple.a, Kaspersky Labs, http://www.securelist.com/en/descriptions/old145521, August 2007.
SoftPanorama (2009), Network Worm Allaple.B, [link], December 2009.
Song , D., Brumley, D., Yin, H., Caballero, J., Jager, I., Kang, M. G., Liang, Z., Newsome, J., Poosankam, P. and Saxena, P. (2008). “BitBlaze: A New Approach to Computer Security via Binary Analysis”, Proceedings of the 4th International Conference on Information Systems Security, December 16-20, 2008, Hyderabad, India.
Willems, C., Holz, T. and Freiling, F. (2007). "Toward Automated Dynamic Malware Analysis Using CWSandbox," IEEE Security and Privacy, vol. 5, no. 2, pp. 32-39, Mar./Apr. 2007.
Yegneswaran, V., Saidi, H., Porras, P. (2008). “Eureka: A framework for enabling static analysis on malware”. Technical Report SRI-CSL-08-01 Computer Science Laboratory and College of Computing, Georgia Institute of Technology, April 2008.
Bayer, U., Habibi, I., Balzarotti, D., Kirda, E., and Kruegel, C. (2009), “A View on Current Malware Behaviors”, Usenix Workshop on Large-scale Exploits and Emergent Threats (LEET). USA, April.
Bayer, U., Kruegel, C. and Kirda, E. (2006). “TTanalyze: A Tool for Analyzing Malware”, Proc. 15th Ann. Conf. European Inst. for Computer Antivirus Research (EICAR), 2006, pp. 180–192.
Bellard, F. (2005) “QEMU, a fast and portable dynamic translator”, In Proceedings of the Annual Conference on USENIX Annual Technical Conference, USENIX Association, p. 41-41.
Binsalleeh, H., Ormerod, T., Boukhtouta, A., Sinha, P., Youssef, A., Debbabi, M. and Wang, L. (2010). “On the Analysis of the Zeus Botnet Crimeware Toolkit”. In the Proceedings of the Eighth Annual Conference on Privacy, Security and Trust, PST'2010, Aug 17-19, Ottawa, ON, Canada, IEEE Press.
Blunden, B. (2009), “The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System”, Jones and Bartlett Publishers, Inc, 1th edition.
Choi, Y., Kim, I., Oh, J. and Ryou, J. (2008). “PE File Header Analysis-Based Packed PE File Detection Technique (PHAD)”, Proceedings of the International Symposium on Computer Science and its Applications, p.28-31, October 13-15, 2008.
Dinaburg, A., Royal, P., Sharif, M., and Lee, W. (2008). “Ether: Malware analysis via hardware virtualization extensions”. In In Proceedings of The 15th ACM Conference on Computer and Communications Security (CCS 2008), Alexandria, VA, October 2008.
Father, H. (2004) “Hooking Windows API-Technics of Hooking API Functions on Windows”, CodeBreakers J., vol.1, no.2, [link].
Franklin, J., Paxson, V., Perrig, A. and Savage, S. (2007). “An Inquiry Into the Nature and Causes of the Wealth of Internet Miscreants”. In Conference on Computer and Communications Security (CCS), 2007.
Garfinkel, T. and Rosenblum, M. (2003) “A virtual machine introspection based architecture for intrusion detection”, In Proc. Network and Distributed Systems Security Symposium, p 191-206.
Hoglund, G. and Butler, J. (2005), “Rootkits: Subverting the Windows Kernel”, AddisonWesley Professional, 1th edition. Holz, T., Engelberth, M. and Freiling, F. (2008). “Learning More About the Underground Economy: A Case-Study of Keyloggers and Dropzones”. Reihe Informatik TR-2008-006, University of Mannheim, 2008.
JoeBox. (2010). http://www.joebox.org/, 2010.
Kang, M. G., Poosankam, P., and Yin, H., (2007). “Renovo: A hidden code extractor for packed exe-cutables”. In Proceedings of the 2007 ACM Workshop on Recurring Malcode (WORM 2007).
Kong, J. (2007), “Designing BSD Rootkits”, No Starch Press, 1th edition.
Leder, F. and Werner, T. (2009). “Know your enemy: Containing conficker”. http://www.honeynet.org/papers/. The Honeynet Project & Research Alliance.
Martignoni, L., Christodorescu, M., and Jha, S. (2007). “Omniunpack: Fast, generic, and safe unpack-ing of malware”. In Proceedings of the Annual Computer Security Applications Conference (ACSAC), 2007.
Microsoft PECOFF (2008), “Microsoft Portable Executable and Common Object File Format Specification”, [link], March 2008.
Moser, A., Kruegel, C., and Kirda, E., (2007). “Limits of Static Analysis for Malware Detection”, In ACSAC, pages 421--430. IEEE Computer Society.
SecureList (2007), Net-Worm.Win32.Allaple.a, Kaspersky Labs, http://www.securelist.com/en/descriptions/old145521, August 2007.
SoftPanorama (2009), Network Worm Allaple.B, [link], December 2009.
Song , D., Brumley, D., Yin, H., Caballero, J., Jager, I., Kang, M. G., Liang, Z., Newsome, J., Poosankam, P. and Saxena, P. (2008). “BitBlaze: A New Approach to Computer Security via Binary Analysis”, Proceedings of the 4th International Conference on Information Systems Security, December 16-20, 2008, Hyderabad, India.
Willems, C., Holz, T. and Freiling, F. (2007). "Toward Automated Dynamic Malware Analysis Using CWSandbox," IEEE Security and Privacy, vol. 5, no. 2, pp. 32-39, Mar./Apr. 2007.
Yegneswaran, V., Saidi, H., Porras, P. (2008). “Eureka: A framework for enabling static analysis on malware”. Technical Report SRI-CSL-08-01 Computer Science Laboratory and College of Computing, Georgia Institute of Technology, April 2008.
Publicado
11/10/2010
Como Citar
FERNANDES FILHO, Dario S.; GRÉGIO, André R. A.; AFONSO, Vitor M.; SANTOS, Rafael D. C.; JINO, Mário; GEUS, Paulo L. de.
Análise Comportamental de Código Malicioso Através da Monitoração de Chamadas de Sistema e Tráfego de Rede. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 10. , 2010, Fortaleza.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2010
.
p. 311-324.
DOI: https://doi.org/10.5753/sbseg.2010.20596.
