Software Analysis & Deobfuscation Engine (SADE)
Page 2
Project Name: SADE
Project Members: Faiza Khalid, Komal Babar and Abdul Wahab
Project Supervisor
– Internal: Aisha Khalid
– External: Dr. Fauzan Mirza
Project Scope
Page 3
Scope Statement
Development of a software analysis toolkit for Windows executables that bypasses obfuscation to make the actual code available for further analysis. The toolkit is intended for security analysts and for novice users with a little training.
Page 4
Obfuscation Problem
Malware analysis is necessary for information security:
– Creating signatures
– Understanding attacks
Malware authors use code obfuscation techniques to hide their malicious code
The time of security analysts is expensive. Individual samples can take hours to analyze. Obfuscation costs reverse-engineers time:
– Complicates instruction sequences
– Disrupts control flow
– Makes algorithms difficult to understand
Manual obfuscation removal is a tedious and error-prone process
Need to automate the process of analysis to keep up.
Page 6
Packing Obfuscation
Packing is the process of compressing and/or encrypting a program and adding a runtime decompression/decryption routine to it, such that the behavior of the original program is preserved. Tools that perform packing are called packers.
Packing is applied to legitimate software to reduce the size of executable files and to protect the intellectual property distributed with the code.
Malware authors use packing to bypass detection and thwart analysis:
– Packing hides the original malicious code
– Packing hinders code analysis
– Obfuscation hinders automation
– Automation is key to rapid analysis
Page 7
A Packed Malware Binary
[Figure: address space of a packed binary. Control enters at the entry point of the unpacking loop, which decodes the packed bytes in place and then jumps to the original program's entry point. The unpacking loop as shown on the slide (pseudo-assembly, not exact x86):]
    .loop:
        lea   eax, 0x4a0000
        lea   ebx, 0x401000
        load  ecx, ptr [r1]
        xor   ecx, 0xffffff
        store ptr [ecx], r2
        ...
        jnz   .x
        call  ptr [edi]
    .x:
        add   eax, 4
        add   ebx, 4
        cmp   eax, 0x4a1f88
        jnz   .loop
        jmp   0x401000
[The packed region appears in the figure as opaque bytes (7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be ...); after the final jump the original binary occupies the address space.]
Callouts on the figure:
• Payload program is mostly unchanged
• Anti-debugger code: timing checks of various granularities, control flow obfuscation
• Code created in unpacking phase
• Control transfer to unpacked code
Packed code initially compressed or encrypted
A binary is packed if some portion of its code is not present until runtime
Page 8
Anti-virus Tool Evasion
8 of 19
[Figure: the same packed binary (unpack loop followed by packed bytes 7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 08 27 c0 ...) repeated several times, each copy with its own signature, being fed to an anti-virus tool.]
• Anti-virus tools recognize and unpack payloads of common packer tools
• Existing packers are modified to evade anti-virus tools at the rate of 10-15 per month [1]
• 80% of malware in the world is packed [2][3]
[1] A. Stepan, Virus Bulletin, 2006, pp. 11-13
[2] Press release, McAfee Avert Labs, Nov. 2006
[3] Malware formation stats, Panda Research, 2007
Common attacker tactic: take a known malware binary and pack it with 10 layers of potentially different or proprietary packers. Symantec knows of about 1145 families of packers, each of which can have multiple versions, and claims to be able to recognize/unpack about 100 of them. Malware signature size keeps growing with no end in sight.
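The unpacking loop of page 7 and the repacking game of page 8, worked through as an added example that is not part of the SADE project or of the cited papers. It models the process with a tiny constructed register machine instead of x86: pack() XOR-encodes a payload behind an unpacking stub of the same shape as the loop on the slide, and run() executes the image while recording every address the stub writes, stopping at the first instruction fetched from one of those addresses. That stop is the write-then-execute rule behind generic unpackers such as Renovo and OmniUnpack: by the slide's own definition, code that was not present until runtime is exactly the code worth dumping. The same block shows why a byte signature taken on the payload misses every repacked copy but matches the dump. All opcodes, addresses, keys and the payload are constructed for the example.

```python
"""Toy packed binary plus a generic write-then-execute unpacker.

Constructed example, not SADE's code: an 8-bit register machine stands in
for the x86 process, pack() XOR-encodes a payload behind an unpacking stub,
run() executes the image under a memory-write monitor.
"""

MEM_SIZE = 0x40       # toy address space (constructed)
PAYLOAD_BASE = 0x20   # where the stub decodes the payload in place

# Opcodes of the toy machine (constructed, not x86).
HALT, MOVI, XORM, INC, CMP, JNE, JMP, OUT = range(8)


def assemble_stub(payload_len, key):
    """The unpacking loop: r0 walks the packed region, r1 holds the key, XORM
    writes each decoded byte back in place, then control jumps to the payload."""
    end = PAYLOAD_BASE + payload_len
    return bytes([
        MOVI, 0, PAYLOAD_BASE,  # 0x00: r0 = start of packed region
        MOVI, 1, key,           # 0x03: r1 = key
        XORM, 0, 1,             # 0x06: mem[r0] ^= r1          (.loop)
        INC, 0,                 # 0x09: r0 += 1
        CMP, 0, end,            # 0x0b: flag = (r0 == end)
        JNE, 0x06,              # 0x0e: if not flag: goto .loop
        JMP, PAYLOAD_BASE,      # 0x10: jump to the now-decoded payload
    ])


def pack(payload, key):
    """Build a packed image: stub, zero padding, XOR-encoded payload."""
    stub = assemble_stub(len(payload), key)
    assert len(stub) <= PAYLOAD_BASE and PAYLOAD_BASE + len(payload) <= MEM_SIZE
    image = bytearray(MEM_SIZE)
    image[:len(stub)] = stub
    image[PAYLOAD_BASE:PAYLOAD_BASE + len(payload)] = bytes(b ^ key for b in payload)
    return bytes(image)


def run(image, stop_at_oep=True, max_steps=10_000):
    """Execute the image under a write monitor. With stop_at_oep=True the first
    fetch from a written address is code that did not exist in the file: that pc
    is the original entry point and the written range is dumped. With
    stop_at_oep=False the image runs to HALT. Returns (oep, dump, output)."""
    mem, regs = bytearray(image), [0, 0, 0, 0]
    pc, flag, written, output = 0, False, set(), bytearray()
    for _ in range(max_steps):
        if stop_at_oep and pc in written:
            lo, hi = min(written), max(written) + 1
            return pc, bytes(mem[lo:hi]), bytes(output)
        op = mem[pc]
        if op == HALT:
            return None, b"", bytes(output)
        if op == MOVI:
            regs[mem[pc + 1]] = mem[pc + 2]; pc += 3
        elif op == XORM:                       # the only instruction that writes memory
            addr = regs[mem[pc + 1]]
            mem[addr] ^= regs[mem[pc + 2]]
            written.add(addr); pc += 3
        elif op == INC:
            regs[mem[pc + 1]] = (regs[mem[pc + 1]] + 1) & 0xFF; pc += 2
        elif op == CMP:
            flag = regs[mem[pc + 1]] == mem[pc + 2]; pc += 3
        elif op == JNE:
            pc = mem[pc + 1] if not flag else pc + 2
        elif op == JMP:
            pc = mem[pc + 1]
        elif op == OUT:
            output.append(mem[pc + 1]); pc += 2
        else:
            raise ValueError(f"bad opcode {op:#x} at {pc:#x}")
    raise RuntimeError("step limit exceeded (unpacking loop did not terminate)")


# Constructed payload: emits "Hi" and halts. Its bytes double as the
# signature an anti-virus tool would match on.
PAYLOAD = bytes([OUT, ord("H"), OUT, ord("i"), HALT])
SIGNATURE = PAYLOAD


def signature_survey(keys=(0x5A, 0x3C)):
    """Repack the same payload with different keys (stand-in for 'modify the
    packer'); report whether the signature hits the packed file and whether it
    hits the generic unpacker's dump."""
    report = {}
    for key in keys:
        packed = pack(PAYLOAD, key)
        oep, dump, _ = run(packed)
        report[key] = {"packed_hit": SIGNATURE in packed,
                       "dump_hit": SIGNATURE in dump, "oep": oep}
    return report


if __name__ == "__main__":
    for key, r in signature_survey().items():
        print(f"key={key:#04x} packed_hit={r['packed_hit']} dump_hit={r['dump_hit']} oep={r['oep']:#04x}")
    print("behaviour preserved:", run(pack(PAYLOAD, 0x5A), stop_at_oep=False)[2])
```

Both repacked copies defeat the signature on disk, and both dumps restore it, with the original entry point recovered at 0x20. Two caveats the slides gloss over: this approach does run the sample, which is why the cited tools execute it inside an emulator or an instrumented, isolated process; and a multi-layer pack (the 10-layer tactic above) needs the monitor to continue after each detected entry point, clearing the written set and dumping once per layer, instead of stopping at the first transfer.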
Page 9
Relevant Literature
“Renovo: A Hidden Code Extractor for Packed Executables”, 5th ACM Workshop on Recurring Malcode (WORM 2007)
“Generic Unpacking: How to Handle Modified or Unknown PE Compression Engines”, Virus Bulletin Conference 2005
“OmniUnpack: Fast, Generic, and Safe Unpacking of Malware”, 23rd Annual Computer Security Applications Conference (ACSAC 2007), Miami Beach, FL, USA
“PolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware”, 22nd ACSAC (2006)
Page 10
Justification for project
The problem of generically unpacking malware executables has been solved commercially, but the competitive nature of the anti-virus industry keeps vendors from publishing their solutions.
There is a lack of publicly available generic unpackers that can handle obfuscated binaries without knowing the exact packer used to pack them.
The growing epidemic of malware creates a need for more freely available tools to help analyze it.
Page 11
Objectives
Design and implement a technique to detect obfuscated Windows executables and to dump their code without running the executable.
– Measurable by testing the implemented technique on sample packed executables and comparing the results with published statistics for existing unpackers.
Design and develop a user-friendly interface to analyze the recovered executable code. The whole of the code might not be recovered, and the recovered code is not necessarily executable.
– Measurable by feedback on the toolkit from beta testers.
Contribute to research in the domain of code obfuscation and malware analysis.
– Measurable by publication of research.
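Objective 1 (detecting obfuscated Windows executables) and the PE identifier of the work breakdown, as an added example that is not SADE's code: a minimal PE header parser together with the static packer heuristics an analyst applies before any unpacking. parse_pe() reads the DOS header, PE signature, COFF header, AddressOfEntryPoint and the section table; packing_indicators() flags an entry point in a writable section or outside the first executable section, a high-entropy entry section, and an executable section with no file data but a large virtual size (room for code to be unpacked into). build_pe() fabricates two PE32 images in memory so the block runs offline; the "packed" sample borrows UPX's UPX0/UPX1 section layout, but its bytes are constructed pseudo-random data, not a real packer's output. The 7.0-bit entropy threshold and the 0x1000 size cut-off are conventional choices, not values from the page.

```python
"""Minimal PE parser plus static packing indicators.

Constructed example, not SADE's code: parse_pe() reads just enough PE/COFF
structure to evaluate common packer heuristics, and build_pe() fabricates
small PE32 images in memory so the checks run on constructed input.
"""
import math
import random
import struct
from collections import Counter

# IMAGE_SECTION_HEADER.Characteristics bits from the PE/COFF specification.
SCN_CNT_CODE, SCN_CNT_INITIALIZED_DATA = 0x20, 0x40
SCN_MEM_EXECUTE, SCN_MEM_READ, SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000


def entropy(data):
    """Shannon entropy in bits per byte (8.0 is the maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(blob):
    """Return (entry_rva, sections); each section is a dict of header fields
    plus the raw bytes it occupies in the file."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", blob, coff + 2)[0]
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", blob, opt + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, off)
        flags = struct.unpack_from("<I", blob, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize, "raw_size": raw_size,
                         "flags": flags, "data": blob[raw_ptr:raw_ptr + raw_size]})
    return entry_rva, sections


def packing_indicators(blob):
    """Static heuristics that mark an executable as likely packed. Each is only
    an indicator: legitimately protected software trips them too."""
    entry_rva, sections = parse_pe(blob)
    findings = []
    entry_sec = next((s for s in sections if s["vaddr"] <= entry_rva
                      < s["vaddr"] + max(s["vsize"], s["raw_size"])), None)
    first_exec = next((s for s in sections if s["flags"] & SCN_MEM_EXECUTE), None)
    if entry_sec is None:
        findings.append("entry point lies outside every section")
    else:
        if entry_sec["flags"] & SCN_MEM_WRITE:
            findings.append(f"entry point in writable section {entry_sec['name']}")
        if entry_sec is not first_exec:
            findings.append(f"entry point not in first executable section ({entry_sec['name']})")
        h = entropy(entry_sec["data"])
        if h > 7.0:   # conventional threshold for compressed/encrypted bytes
            findings.append(f"high entropy {h:.2f} in entry section {entry_sec['name']}")
    for s in sections:
        if s["flags"] & SCN_MEM_EXECUTE and s["raw_size"] == 0 and s["vsize"] >= 0x1000:
            findings.append(f"executable section {s['name']} has no file data but "
                            f"{s['vsize']:#x} bytes reserved (room for unpacked code)")
    return findings


def build_pe(entry_rva, sections):
    """Fabricate a minimal PE32 file (constructed test input only).
    sections: list of (name, vaddr, vsize, data, flags); file alignment 0x200."""
    e_lfanew, opt_size = 0x40, 224
    raw_base = (e_lfanew + 24 + opt_size + 40 * len(sections) + 0x1FF) & ~0x1FF
    hdr = bytearray(b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew))
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                  # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)  # ImageBase, alignments
    hdr += opt
    body = bytearray()
    for name, vaddr, vsize, data, flags in sections:
        raw_size = (len(data) + 0x1FF) & ~0x1FF
        raw_ptr = raw_base + len(body) if data else 0
        hdr += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, raw_size, raw_ptr, 0, 0, 0, 0, flags)
        body += data.ljust(raw_size, b"\0")
    return bytes(hdr.ljust(raw_base, b"\0") + body)


# Constructed samples (not real binaries). CLEAN: entry in .text, repetitive
# code, data in .data. PACKED: an empty executable section reserved for the
# unpacked program, entry point in a writable stub section whose bytes look
# encrypted (pseudo-random with a fixed seed).
CODE = bytes([0x55, 0x8B, 0xEC, 0x33, 0xC0, 0x5D, 0xC3]) * 64  # push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret
CLEAN = build_pe(0x1000, [
    (b".text", 0x1000, len(CODE), CODE, SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ),
    (b".data", 0x2000, 0x100, b"hello\0" * 16, SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ | SCN_MEM_WRITE),
])
_rng = random.Random(1)
STUB = bytes(_rng.randrange(256) for _ in range(0x800))
PACKED = build_pe(0x3010, [
    (b"UPX0", 0x1000, 0x2000, b"", SCN_MEM_EXECUTE | SCN_MEM_READ | SCN_MEM_WRITE),
    (b"UPX1", 0x3000, len(STUB), STUB, SCN_MEM_EXECUTE | SCN_MEM_READ | SCN_MEM_WRITE),
])

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("packed", PACKED)):
        print(label, packing_indicators(blob) or ["no packing indicators"])
```

The clean sample produces no findings; the packed one produces four (writable entry section, entry outside the first executable section, high entropy, empty executable section with reserved space). As page 6 notes, legitimate software is packed too, so these indicators justify attention, not a verdict, and a packer that pads its encrypted section with low-entropy filler or keeps a small normal .text will slip past them; that is why such checks belong in front of a generic unpacker rather than in place of one.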
Page 12
Scope of Project – Inclusions & Exclusions
We will not be developing an entire disassembler or debugger, only a technique that can either attach itself to an already memory-mapped process to uncover any hidden code, or load a process into memory and bypass any obfuscations to reach the hidden code once it has been unpacked in memory.
The scope of the project covers only extracting the hidden code; any further analysis of the malware is future work left to security analysts.
This program cannot in any way be deemed equivalent to a debugger, which has many complex functions. We need to perform only a small sub-task that debuggers perform, i.e. load an executable and extract any hidden code. We will not provide an environment to run or single-step the executable; we will just make the hidden code section available for analysis.
We intend to use simple debugging tools and already published research on obfuscated binaries, and to build on work that has already been done.
Page 13
Project Schedule – Gantt Chart
[Gantt chart not reproduced; the tasks it schedules:]
A: Studying the PE (Portable Executable) file format
B: Implementing a PE identifier (i.e. portable executable analyzer)
C: Researching already implemented generic unpacking techniques
D: Manually unpacking executables obfuscated with different packers
E: Identifying general trends in unpacking
F: Algorithm design
G: Implementing modules
H: Testing modules
I: Integrating modules
J: User manual
Page 14
Deliverables
Software Analysis Toolkit: SADE
Documentation
– Project Scope Statement
– Requirements Model, Analysis Model and Design Model
– WBS, project schedule, software development plan, software implementation plan, software test plan
– Software implementation description
– Final Project Report
– User Manual