PE-Probe: Leveraging Packer Detection and Morphological Information to Detect Malicious Portable Executables
M. Zubair Shafiq, S. Momina Tabish, Muddassar Farooq
Next Generation Intelligent Networks Research Center (nexGIN RC), National University of Computer and Emerging Sciences
Islamabad, Pakistan
http://www.nexginrc.org/
Agenda
Projects' Introduction
Motivation & Problem Statement
Proposed Solution
Results
Q/A
It's in your Hands, like it's in your Eyes and Face
It is believed that keystrokes of people are distinct from each other, just like their faces, fingerprints, and eyes
Doesn't require any extra hardware for identification
User Authentication System
IMS Security Challenges
IP Multimedia Subsystem (IMS) & Next Generation Service Delivery Platform
Malware Detection
Taxonomy (as diagrammed on the slide): Signature Based / Non-Signature Based; Non-Signature Based splits into Static and Dynamic; Dynamic splits into After-Execution and In-Execution.
Signature Based:
. Detection on the basis of known byte sequences
. Unable to detect new malware. Regular updates required
Non-Signature Based:
. Detection on the basis of smarter features. Able to detect new malware
. Regular updates may not be necessary
Malware Detection
Static Detection:
. Detection on the basis of the file as residing on secondary storage
. Prone to techniques such as code obfuscation
Dynamic Detection:
. Detection on the basis of run-time behavior (a more direct look)
. Resilient to techniques such as code obfuscation
. High processing overhead
Malware Detection
After-Execution Detection:
. Forensic Analysis
. Lower processing overhead
In-Execution Detection:
. End user tool
. High processing overhead
Motivation
Motivation (2)
In Year 2008 Only [11]
• 5,491 new software vulnerabilities
• 1.6 million new malware signatures
• 245 million new attacks
• 1 Trillion dollar in revenues
Motivation (3)
                Norton AV      Command AV     McAfee AV
Chernobyl-1.4   Not detected   Not detected   Not detected
F0sf0r0         Not detected   Not detected   Not detected
Hare            Not detected   Not detected   Not detected
Z0mbie-6.b      Not detected   Not detected   Not detected
Motivation (4)
Issues with Commercial Anti-virus software
• Cannot detect new malware
• Size of signature database cannot scale
• Signatures are evaded by code obfuscation techniques (such as packing)
Motivation (5)
Packing of Malware [12]
• 50% of new malware are simply re-packed versions of known malware
• 92% of malware use packing techniques
Motivation (6)
Non-signature based Malware Detection Schemes
• Machine-level code
• Disassembled code
• Static calls from disassembled code
• Run-time API calls
Motivation (7)
Issues with Non-signature based Schemes
• High run-time computational complexity
• High false alarm rates
• Low reliability (e.g. crash, halt, evasion)
Problem Statement
Problem Statement
• Non-signature based solution
• Low run-time complexity
• Low false alarms
• Robustness to Packing
• Must not use an unpacker for detection
PE File
MS DOS Stub
PE file Header
Executable section
Read-only section
Writable section
Read/Write section
Existing non-signature based schemes are based on this area of the PE file.
MS DOS stub
PE Signature
COFF file Header
Optional Header: Standard Fields; Windows Specific fields; Data directories
Section Table (RVAs / Pointers to the sections)
Section 1
Section 2
Section 3
...
Section n
List of Features from PE file
PE Miner
Architecture of PE-Probe
Distribution of Number of standard sections
Distribution of Number of entries in Import Address Table
Distribution of Entropy of PE Header
Architecture of PE-Probe
Structural features for non-packed PE files
Distribution plot for “major linker version” feature
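As an added illustration (not code from the PE-Probe or PE-Miner project), the following Python constructs a minimal synthetic PE32 header and extracts three of the structural features whose distributions these slides plot: the number of standard sections, the major linker version and the byte entropy of the header region. The set of spec-reserved section names and the exact header range used for the entropy are assumptions of this example; a real feature extractor would also read the import table for the IAT entry count.

```python
import math
import struct

# Section names reserved by the PE/COFF specification; anything else (e.g. UPX0)
# is counted as non-standard. This set is an assumption of the example.
STANDARD_SECTIONS = {b".text", b".data", b".rdata", b".bss", b".idata",
                     b".edata", b".rsrc", b".reloc", b".tls", b".pdata"}


def build_sample_pe(section_names, major_linker=9):
    """Construct a minimal PE32 header layout (synthetic sample, not a real binary)."""
    e_lfanew = 0x80                                   # offset of the "PE\0\0" signature
    dos = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)       # e_lfanew field sits at 0x3C
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)                              # PE32 optional header is 224 bytes
    struct.pack_into("<HBB", opt, 0, 0x010B, major_linker, 0)  # Magic, Major/MinorLinkerVersion
    struct.pack_into("<I", opt, 92, 16)               # NumberOfRvaAndSizes
    # Section table: 40-byte IMAGE_SECTION_HEADER entries, only the 8-byte name is filled in
    table = b"".join(n.ljust(8, b"\x00") + b"\x00" * 32 for n in section_names)
    return bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + table


def shannon_entropy(data):
    """Byte entropy in bits per byte: 0 for constant data, up to 8 for random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extract_features(pe):
    """Pull a few PE-Miner-style structural features out of the raw headers."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _machine, nsec, _, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, coff_off)
    opt_off = coff_off + 20                           # COFF file header is 20 bytes
    _magic, major_linker, _minor = struct.unpack_from("<HBB", pe, opt_off)
    sec_off = opt_off + opt_size
    names = [pe[sec_off + 40 * i:sec_off + 40 * i + 8].rstrip(b"\x00") for i in range(nsec)]
    header_end = sec_off + 40 * nsec                  # entropy taken over DOS stub..section table
    return {
        "num_sections": nsec,
        "num_standard_sections": sum(1 for n in names if n in STANDARD_SECTIONS),
        "num_nonstandard_sections": sum(1 for n in names if n not in STANDARD_SECTIONS),
        "major_linker_version": major_linker,
        "pe_header_entropy": shannon_entropy(pe[:header_end]),
    }
```

Running `extract_features` on a real file's bytes gives the same dictionary; the two synthetic samples in the test differ only in section naming and linker version, which is exactly the kind of morphological difference the plots above separate.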
Architecture of PE-Probe
KL Divergence of features of packed/non-packed PE files
Structural features for packed PE files
Results
Dataset – Offensive Computing
Classification Metrics
Accuracy of PE-Probe
The processing overheads (in seconds/file)
Columns as labelled on the slide: TRAINING (J48, NB, RIPPER, SMO, IBk) followed by TESTING (J48, NB, RIPPER, SMO, IBk)
PE-Miner (RFR)   - 0.0008 0.001 0.269 0.199 0.032 0.001 0.002 0.002 0.002
PE-Miner (PCA)   - 0.007 0.001 0.264 0.179 0.035 0.001 0.001 0.001 0.002
PE-Miner (HWT)   - 0.007 0.001 0.252 0.147 0.032 0.001 0.002 0.001 0.002
McBoost          - 0.021 0.004 1.305 1.122 0.218 0.010 0.007 0.005 0.022
Strings          - 0.009 0.002 0.799 0.838 0.163 0.003 0.003 0.002 0.003
Forensic Information
PE‐Miner
Conficker Detected as a Backdoor
Evolvable Malware Framework
Conclusion
• PE Structural Information can be leveraged to detect malware
• Packing Robustness
• Machine Learning Classifiers can learn packed and non-packed models
• Robustness and Evasion analysis in accompanying PE-Miner paper in RAID 2009
• Zero day detection of Conficker
ACKNOWLEDGEMENT
• Special thanks to National ICT R&D for funding this project.
QUESTIONS
For further information and research papers, visit http://www.nexginrc.org