wenke lee david dagon georgia institute of technology l.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
Malware Repository Overview PowerPoint Presentation
Download Presentation
Malware Repository Overview

Loading in 2 Seconds...

play fullscreen
1 / 22

Malware Repository Overview - PowerPoint PPT Presentation


  • 327 Views
  • Uploaded on

Wenke Lee David Dagon Georgia Institute of Technology. Malware Repository Overview. Overview. How malware is collected and shared now Malfease’s service-oriented repository

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'Malware Repository Overview' - andrew


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
wenke lee david dagon georgia institute of technology
Wenke Lee

David Dagon

Georgia Institute of Technology

Malware Repository Overview
overview
Overview
  • How malware is collected and shared now
  • Malfease’s service-oriented repository
    • Support for malware analysis, e.g., signature generation, and evaluation of intrusion/anomaly detection/prevention systems, etc.
    • Automated unpacking
current practices
Current Practices
  • Numerous private, semi-public malware collections
    • Need “trust” to join
    • “Too much sharing” often seen as competitive disadvantage
  • Analysis not shared
  • Incomplete collections: reflect sensor bias
    • Darknet-based collection
    • IRC surveillance
    • Honeypot-based collection
shortcomings
Shortcomings
  • Malware authors know and exploit weaknesses in data collection
  • Illuminating sensors
    • “Mapping Internet Sensors with Probe Response Attacks”, Bethencourt, et al., Usenix 2005
  • Automated victims updates
    • E.g., via botnets
solution service oriented repository
Solution:Service-Oriented Repository
  • Malfease uses hub-and-spoke model
    • Hub is central collection of malware
    • Spokes are analysis partners
  • Hub:
    • Malware, indexing, search
    • Static analysis: header extraction, icons, libraries
    • Metainfo: longitudinal AV scan results
  • Spoke:
    • E.g., dynamic analysis, unpacking, signatures, etc.
malware repo requirements
Malware Repo Requirements
  • Malware repos should not:
    • Help illuminate sensors
    • Serve as a malware distribution site
  • Malware repo should:
    • Help automate analysis of malware flood
    • Coordinate different analysts (RE gurus, Snort rule writers, etc.)
approaches
Approaches
  • Repository allows upload of samples
    • Downloads restricted to classes of users
  • Repository provides binaries and analysis
    • Automated unpacking
    • Win32 PE Header analysis
    • Longitudinal detection data
      • What did the AV tool know, and when did it know it?
    • Malware similarity analysis, family tree
    • Etc.
repository user classes
Repository User Classes
  • Unknown users
    • Scripts, random users, even bots
  • Humans
    • CAPTCHA-verified
  • Authenticated Users
    • Known trusted contributors
repository access control
Repository Access Control
  • Unknown users
    • Upload; view aggregate statistics
  • Humans
    • Upload; download analysis of their samples
  • Authenticated Users
    • Upload; download all; access analysis
static analysis example14
Static Analysis Example

Note search

ability

dynamic analysis
Dynamic Analysis

Unpacked binary

Available for Download,

Along with asm version

malware why pack
Malware: Why Pack?
  • Reduced malware size
  • Obfuscation transformation
    • Opaque binaries prevent pattern analysis
    • Invalid PE32 headers complicate RE
  • Increases response time
    • Unpacking often requires specialized skill sets
results
Results
  • Improved AV detection

10-40%

improved

AV detection

on “old” stuff

5.2K Samples

Claimed VX

AV Scan

6K

very old Samples

Unpacking

0.8K

Claimed “OK”

42

are now

claimed VX

AV ReScan

plan for cyber ta
Plan for Cyber-TA
  • Evaluation of various signature generation schemes
    • Development of new schemes
  • Development of signature ensemble scheme - automatically combine the attributes of signatures from different generation schemes
  • Evaluation of intrusion/anomaly detection systems
    • E.g., automatically generating mimicry/blending attacks based on malware
conclusion
Conclusion
  • Service-oriented repository
    • Support research in malware analysis and intrusion/anomaly detection/prevention
  • See malfease.oarci.net for details
  • Credits
    • David Dagon
    • Paul Vixie
    • Paul Royal
    • Mitch Halpin