
Malware Packer



Presentation Transcript


  1. Malware Packer Jenna Kallaher Costas Akrivoulis Raul Gonzalez

  2. Project Goal Defeat common off-the-shelf static/dynamic analysis done by unpackers

  3. Project Goal Defeat common off-the-shelf static/dynamic analysis done by unpackers Explore different approaches from prior groups

  4. Previous Work Incremental Unpacking • Unpack/repack encrypted payload • Leave < 256 B of unencrypted payload in memory at any given time

  5. Our Approach Instruction Virtualization + Emulation

  6. Our Approach Malware Binary = Emulator + Payload Bytecode No Encryption, just Obfuscation

  7. Our Approach Malware Binary = Emulator + Payload Bytecode No Encryption, just Obfuscation Although we COULD add an encryption layer …

  8. In a Perfect World • Auto-generate new ISA (target) • Grok relationship (mapping) between ISAs • Lift native binary to an IR • Lower IR to target ISA • Auto-generate emulator for target ISA • Emulates native ISA from target ISA • Package malware as Emulator + Bytecode

  9. Facing Reality Working with binaries is difficult • Lifting native instructions to an IR in order to manipulate them can be hard • Disassembly issues, IR not rich enough to manipulate

  10. Facing Reality Working with binaries is difficult • Lifting native instructions to an IR in order to manipulate them can be hard • Disassembly issues, IR not rich enough to manipulate Instead we are: • Operating at the source level

  11. Facing Reality Generating an arbitrary ISA is difficult • Is it compatible with native (x86) ISA? • How do we know?

  12. Facing Reality Generating an arbitrary ISA is difficult • Is it compatible with native (x86) ISA? • How do we know? Instead we are: • Permuting the x86 ISA* *Harder than you might think

  13. Packer Architecture

  14. Technologies mod_llvm.py translate.py reconfigure_llvm.py qemu_translator.py

  15. Anti-RE Auto inserts Anti-RE protections to malware • Nice … (do not have to be baked into malware)

  16. Anti-RE Current Anti-RE inserted: • Anti-Debugging • Rogue 0xCC • 0xF1 • Anti-Virtualization • CPUID • VMWARE Magic # Detection

  17. Demo Opcode permutation table (one entry per LLVM instruction; the 16- and 32-bit forms of an instruction share one opcode byte and differ only by operand-size prefix):
    {"opcode_index": "0", "target_opcode": "0x40", "instruction": "MOV8ri", "llvm_helper": "MOV8ri:Ii8", "native_opcode": "0xB0"},
    {"opcode_index": "0", "target_opcode": "0xB8", "instruction": "POP32r", "llvm_helper": "POP32r:I", "native_opcode": "0x58"},
    {"opcode_index": "0", "target_opcode": "0xB8", "instruction": "POP16r", "llvm_helper": "POP16r:I", "native_opcode": "0x58"},
    {"opcode_index": "0", "target_opcode": "0x48", "instruction": "MOV32ri", "llvm_helper": "MOV32ri:Ii32", "native_opcode": "0xB8"},
    {"opcode_index": "0", "target_opcode": "0x48", "instruction": "MOV16ri", "llvm_helper": "MOV16ri:Ii16", "native_opcode": "0xB8"},
    {"opcode_index": "0", "target_opcode": "0xB0", "instruction": "DEC32r", "llvm_helper": "DEC32r:I", "native_opcode": "0x48"},
    {"opcode_index": "0", "target_opcode": "0xB0", "instruction": "DEC16r", "llvm_helper": "DEC16r:I", "native_opcode": "0x48"},
    {"opcode_index": "0", "target_opcode": "0x58", "instruction": "INC16r", "llvm_helper": "INC16r:I", "native_opcode": "0x40"},
    {"opcode_index": "0", "target_opcode": "0x58", "instruction": "INC32r", "llvm_helper": "INC32r:I", "native_opcode": "0x40"}

  18. Demo C driver and the hand-written x86-32 routine it calls (AT&T syntax):
    #include <stdio.h>

    extern int boo(void);

    int main(void) {
        printf("Expecting 89\n");
        int ret = boo();
        printf("Returned %d\n", ret);
        return ret;
    }

        .text
        .globl boo
    boo:
        movl $8, %eax
        inc %eax
        push %eax          /* Push 9 on the stack */
        movl $100, %ecx
        dec %ecx
        dec %ecx
        push %ecx          /* Push 98 on the stack */
        pop %ecx
        pop %eax
        sub %eax, %ecx     /* ecx = 98 - 9 */
        xchg %eax, %ecx    /* 98 - 9 = 89 */
        ret
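To make slides 6 through 18 concrete, here is an added toy model; it is not the project's code and is far simpler than its LLVM/QEMU tooling (mod_llvm.py, qemu_translator.py). It loads the slide-17 permutation table, checks that the table really is a permutation of opcode bases (the "harder than you might think" point from slide 12), packs the slide-18 `boo` routine into the permuted ISA, runs the packed bytecode through a small emulator that maps each opcode back to its native meaning before interpreting it, shows that a decoder assuming native x86 derails on the very first instruction (why off-the-shelf static tools see garbage), and shows that an analyst who recovers the table can invert the permutation. The hand-assembled bytes of `boo`, the minimal decoder, and the emulator are all constructed assumptions for this example.

```python
# Toy model of the opcode-permutation packer described in the slides. Added
# illustration, not the project's code. Tables, byte strings and the decoder
# below are constructed for this example and cover only the demo's opcodes.
import json

# Slide 17's table (32-bit rows; the "POP32r" entry's closing quote repaired).
MAPPING_JSON = """[
 {"opcode_index": "0", "target_opcode": "0x40", "instruction": "MOV8ri",  "llvm_helper": "MOV8ri:Ii8",   "native_opcode": "0xB0"},
 {"opcode_index": "0", "target_opcode": "0xB8", "instruction": "POP32r",  "llvm_helper": "POP32r:I",     "native_opcode": "0x58"},
 {"opcode_index": "0", "target_opcode": "0x48", "instruction": "MOV32ri", "llvm_helper": "MOV32ri:Ii32", "native_opcode": "0xB8"},
 {"opcode_index": "0", "target_opcode": "0xB0", "instruction": "DEC32r",  "llvm_helper": "DEC32r:I",     "native_opcode": "0x48"},
 {"opcode_index": "0", "target_opcode": "0x58", "instruction": "INC32r",  "llvm_helper": "INC32r:I",     "native_opcode": "0x40"}
]"""


def load_mapping(text):
    """Return ({native_base: target_base}, inverse). The value set must equal the
    key set: otherwise a remapped opcode would collide with an opcode that is
    left unchanged and the emulator could not decode the result unambiguously."""
    fwd = {int(e["native_opcode"], 16): int(e["target_opcode"], 16) for e in json.loads(text)}
    if set(fwd) != set(fwd.values()):
        raise ValueError("mapping is not a permutation of the opcode bases")
    return fwd, {t: n for n, t in fwd.items()}


def remap(op, table):
    """Swap the opcode base of a reg-in-low-3-bits opcode (0x40+r, 0xB8+r, ...),
    keeping the register bits; opcodes not in the table are left alone."""
    base = op & 0xF8
    return (table[base] | (op & 7)) if base in table else op


def decode(op, code, pc):
    """Decode one native x86-32 instruction whose native opcode byte is `op`;
    operand bytes are read from code[pc+1:]. Returns (name, a, b, length)."""
    base, r = op & 0xF8, op & 7
    one_byte = {0x40: "inc", 0x48: "dec", 0x50: "push", 0x58: "pop", 0x90: "xchg"}
    if base in one_byte:
        return one_byte[base], r, None, 1
    if base == 0xB0:                                  # mov r8, imm8 (low byte only)
        return "mov8", r, code[pc + 1], 2
    if base == 0xB8:                                  # mov r32, imm32
        return "mov32", r, int.from_bytes(code[pc + 1:pc + 5], "little"), 5
    if op == 0x29 and code[pc + 1] >> 6 == 3:         # sub r/m32, r32 (register form)
        return "sub", code[pc + 1] & 7, (code[pc + 1] >> 3) & 7, 2
    if op == 0xC3:
        return "ret", None, None, 1
    raise ValueError(f"cannot decode opcode 0x{op:02X} at offset {pc}")


def _rewrite(code, decode_with, emit_with):
    """Walk `code` instruction by instruction: lengths are found by decoding the
    opcode through `decode_with`, the opcode is emitted through `emit_with`,
    and immediate/ModRM bytes are copied untouched."""
    out, pc = bytearray(), 0
    while pc < len(code):
        n = decode(remap(code[pc], decode_with), code, pc)[3]
        out.append(remap(code[pc], emit_with))
        out += code[pc + 1:pc + n]
        pc += n
    return bytes(out)


def pack(native, fwd):
    """Packer side: native code in, permuted-ISA bytecode out."""
    return _rewrite(native, {}, fwd)


def unpack(packed, inv):
    """Analyst side: once the table is recovered, the permutation inverts."""
    return _rewrite(packed, inv, inv)


def execute(code, to_native):
    """Emulator side: fetch an opcode, map it to its native meaning through
    `to_native`, then interpret. With {} this is a plain native interpreter; with
    the inverse table it runs the packed payload. Returns eax at `ret`."""
    regs, stack, pc = [0] * 8, [], 0
    while True:
        name, a, b, n = decode(remap(code[pc], to_native), code, pc)
        if name == "inc":     regs[a] = (regs[a] + 1) & 0xFFFFFFFF
        elif name == "dec":   regs[a] = (regs[a] - 1) & 0xFFFFFFFF
        elif name == "push":  stack.append(regs[a])
        elif name == "pop":   regs[a] = stack.pop()
        elif name == "xchg":  regs[0], regs[a] = regs[a], regs[0]
        elif name == "mov8":  regs[a] = (regs[a] & ~0xFF) | b
        elif name == "mov32": regs[a] = b
        elif name == "sub":   regs[a] = (regs[a] - regs[b]) & 0xFFFFFFFF
        elif name == "ret":   return regs[0]
        pc += n


# Hand-assembled bytes of slide 18's `boo` (x86-32); returns 89 when run natively.
BOO_NATIVE = bytes([
    0xB8, 0x08, 0x00, 0x00, 0x00,   # movl $8, %eax
    0x40,                           # inc %eax
    0x50,                           # push %eax        (9)
    0xB9, 0x64, 0x00, 0x00, 0x00,   # movl $100, %ecx
    0x49, 0x49,                     # dec %ecx ; dec %ecx
    0x51,                           # push %ecx        (98)
    0x59,                           # pop %ecx
    0x58,                           # pop %eax
    0x29, 0xC1,                     # sub %eax, %ecx   (ecx = 98 - 9)
    0x91,                           # xchg %eax, %ecx
    0xC3,                           # ret
])

if __name__ == "__main__":
    fwd, inv = load_mapping(MAPPING_JSON)
    packed = pack(BOO_NATIVE, fwd)
    print("native :", BOO_NATIVE.hex(" "))
    print("packed :", packed.hex(" "))
    print("native run  :", execute(BOO_NATIVE, {}))
    print("emulated run:", execute(packed, inv))
    print("unpacked == native:", unpack(packed, inv) == BOO_NATIVE)
    try:
        execute(packed, {})         # native decoder reads 0x48 as `dec %eax`, then derails
    except ValueError as err:
        print("native decode of packed bytes fails:", err)
```

Only the opcodes named in the table change (MOV, INC/DEC, POP), which mirrors slide 21: PUSH, SUB, XCHG and RET pass through untouched, so a native disassembler sees a mix of correct and garbled instructions rather than uniform noise. The same walk that packs the code also unpacks it once the inverse table is known, which is why the table inside the emulator, not the permuted bytes themselves, is what an analyst needs to recover.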

  19. GCC: Unmodified Clang: Translated

  20. Demo Jenna Kallaher Costas Akrivoulis Raul Gonzalez

  21. Limitations (of our approach) • Some opcodes will not be changed • There are too many! • Some are too hard! • Exchanged opcodes are usually related • INC/DEC • PUSH/POP

  22. Limitations (of our approach) • No self-modifying code* • It hasn’t been compiled to our new ISA • Emulator can’t “understand” it • No Position Independent Executables (PIEs) • Only emulating .text section • ASLR throws off our compass *Support is possible (for future work)

  23. Future Work (next week) Goals: • Successfully pack common programs • binutils/coreutils (ls + friends) • Collect performance metrics • Allow dynamically linked libraries

  24. Questions?
