Software Analysis & Deobfuscation Engine

Upload: gabriel-daniel

Post on 25-Dec-2015



Page 2

Project Name: SADE

Project Members: Faiza Khalid, Komal Babar and Abdul Wahab

Project Supervisor

– Internal: Aisha Khalid

– External: Dr. Fauzan Mirza

Project Scope

Page 3

Scope Statement

Development of a software analysis toolkit for Windows executables that bypasses obfuscations to make the actual code available for further analysis. The toolkit is intended for security analysts and for novice users with a little training.

Page 4

Obfuscation Problem

Malware analysis is necessary for information security:

– Creating signatures

– Understanding attacks

Malware authors use code obfuscation techniques to hide their malicious code

The time of security analysts is expensive, and individual samples can take hours to analyze. Obfuscation costs reverse-engineers time:

– Complicates instruction sequences

– Disrupts control flow

– Makes algorithms difficult to understand

Manual obfuscation removal is a tedious and error-prone process

Need to automate the process of analysis to keep up.

Page 5

Deobfuscation

[Figure captioned "Deobfuscated!"]

Page 6

Packing Obfuscation

Packing is the process of compressing and/or encrypting a program and adding a runtime decompression/decryption routine to it, such that the behaviour of the original program is preserved. Tools that perform packing are called packers.

Packing is applied to legitimate software to reduce the size of executable files and to protect the intellectual property distributed with the code.

Malware authors use packing to bypass detection and thwart analysis:

– Packing hides the original malicious code

– Packing hinders code analysis

– Obfuscation hinders automation

– Automation is key to rapid analysis

Page 7

A Packed Malware Binary

[Figure: address-space layout of the packed binary beside that of the original binary, each with its entry point marked. The packed binary's entry point leads into the unpacking loop, which ends with a JUMP into the unpacked original code.]

Unpacking loop (pseudo-assembly as shown on the slide):

    .loop
        lea   eax, 0x4a0000
        lea   ebx, 0x401000
        load  ecx, ptr [r1]
        xor   ecx, 0xffffff
        store ptr [ecx], r2
        ...
        jnz   .x
        call  ptr [edi]
    .x
        add   eax, 4
        add   ebx, 4
        cmp   eax, 0x4a1f88
        jnz   .loop
        jmp   0x401000

Packed payload bytes as drawn in the figure (compressed or encrypted until run time):

    7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be
    79 5e 80 89 08 27 c0 73 1c 88 48 6a d8
    6a d0 56 4b fe 92 57 af 40 0c b6 f2 64
    32 f5 07 b6 66 21 0c 85 a5 94 2b 20 fd
    5b 95 e7 c2 16 90 14 8a 14 26 60 d9 83
    a1 37 1b 2f b9 51 84 02 1c 22 8e 63 01

Annotations on the figure:

• Packed binary: payload program is mostly unchanged

• Anti-debugger code

• Timing checks of various granularities

• Control flow obfuscation

• Code created in the unpacking phase

• Control transfer to the unpacked code

• Unpacking loop: packed code is initially compressed or encrypted

A binary is packed if some portion of its code is not present until runtime.

Page 8

Anti-virus Tool Evasion

[Figure: an anti-virus tool matching signatures against several packed images, each drawn as an unpack loop followed by the packed payload bytes.]

• Anti-virus tools recognize and unpack the payloads of common packer tools

• Existing packers are modified to evade anti-virus tools at the rate of 10-15 per month [1]

• 80% of malware in the world is packed [2][3]

Common attacker tactic: take a known malware binary and pack it with 10 layers of potentially different or proprietary packers. Symantec knows of about 1145 families of packers, each of which can have multiple versions, and claims it can recognize/unpack about 100 of them. Malware signature size keeps growing with no end in sight.

[1] A. Stepan, Virus Bulletin, pp. 11-13, 2006

[2] McAfee Avert Labs, press release, Nov. 2006

[3] Panda Research, Malware Formation Stats, 2007

Page 9

Relevant Literature

“Renovo: A Hidden Code Extractor for Packed Executables”, 5th ACM Workshop on Recurring Malcode (WORM 2007)

“Generic Unpacking: How to Handle Modified or Unknown PE Compression Engines”, Virus Bulletin Conference 2005

“OmniUnpack: Fast, Generic, and Safe Unpacking of Malware”, 23rd Annual Computer Security Applications Conference (ACSAC 2007), Miami Beach, FL, USA

“PolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware”, 22nd ACSAC (2006)

Page 10

Justification for project

The problem of generically unpacking malware executables has been solved commercially, but the competitive nature of the anti-virus industry keeps vendors from publishing their solutions.

There is no publicly available generic unpacker that can handle obfuscated binaries without knowing the exact packer used to pack them.

Malware is a growing epidemic, and more freely available tools are needed to help analyze it.

Page 11

Objectives

Design and implement a technique to detect obfuscated Windows executables and to dump their code without running the executable.

– Measurable by testing the implemented technique on sample packed executables and comparing the results with published statistics for existing unpackers.

Design and develop a user-friendly interface to analyze the recovered executable code. The whole of the code might not be recovered, and the recovered code is not necessarily executable.

– Measurable by feedback on the toolkit from beta testers.

Contribute to research in the domain of code obfuscation and malware analysis.

– Measurable by publication of research.
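One way to approach the first objective, static detection of packed Windows executables without executing them, as an added example that is not the SADE project's code: the script below hand-parses the PE headers (no pefile dependency) and applies four packer heuristics to the section table. The two sample images it scores are constructed in memory and are not real binaries; the UPX0/UPX1 layout, the 7.0-bit entropy threshold and the "entry point must be in the first section" rule are the example's own choices, not values taken from the page.

```python
"""Static packer indicators computed from raw PE headers.

Added example, not the SADE project's PE identifier. It hand-parses just
enough of the PE format (IMAGE_DOS_HEADER.e_lfanew, the COFF header,
AddressOfEntryPoint, and the section table) to apply heuristics commonly
used to flag packed executables without running them. The two sample
images are constructed in memory by build_sample_pe(); they are not real
programs, and the 'UPX0'/'UPX1' names only mimic a common packer layout.
"""
import math
import random
import struct
from collections import Counter

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes):
    """Return (AddressOfEntryPoint, section list) from a PE32/PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    nsections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    sections = []
    for i in range(nsections):
        f = struct.unpack_from(SECTION_HDR, image, opt + opt_size + 40 * i)
        name, vsize, va, rawsize, rawptr, chars = f[0], f[1], f[2], f[3], f[4], f[9]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "chars": chars,
                         "data": image[rawptr:rawptr + rawsize]})
    return entry_rva, sections


def packer_indicators(image: bytes) -> list:
    """Heuristic packer indicators; an empty list means nothing suspicious was found."""
    entry_rva, sections = parse_sections(image)
    hits = []
    ep_sec = next((s for s in sections
                   if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if ep_sec is None:
        hits.append("entry point lies outside every section")
    else:
        if ep_sec is not sections[0]:
            hits.append(f"entry point in section {ep_sec['name']!r}, not the first section")
        h = entropy(ep_sec["data"])
        if h > 7.0:  # threshold is this example's choice
            hits.append(f"entry-point section entropy {h:.2f} > 7.0 (compressed/encrypted data)")
    for s in sections:
        if s["rawsize"] == 0 and s["vsize"] > 0 and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            hits.append(f"section {s['name']!r} is executable but empty on disk (unpack target)")
        if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            hits.append(f"section {s['name']!r} is both writable and executable")
    return hits


def build_sample_pe(packed: bool) -> bytes:
    """Construct a minimal, non-runnable PE32 image with a normal or UPX-like layout."""
    rwx = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    if packed:
        rng = random.Random(7)
        blob = bytes(rng.getrandbits(8) for _ in range(0x600))   # stand-in for compressed code
        secs = [("UPX0", 0x5000, 0x1000, b"", rwx),               # unpack target: no bytes on disk
                ("UPX1", 0x1000, 0x6000, blob, rwx)]              # stub + compressed payload
        entry = 0x6010
    else:
        code = bytes([0x55, 0x89, 0xE5, 0x31, 0xC0, 0x5D, 0xC3]) * 64  # repetitive, low entropy
        secs = [(".text", len(code), 0x1000, code, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
                (".data", 0x100, 0x2000, b"\0" * 0x100, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)]
        entry = 0x1000
    file_align, headers_size = 0x200, 0x400
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0xE0, 0x102)  # i386, PE32 opt hdr
    opt = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry).ljust(0xE0, b"\0")
    table, body, raw_off = b"", b"", headers_size
    for name, vsize, va, data, chars in secs:
        rawsize = -(-len(data) // file_align) * file_align
        table += struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"), vsize, va,
                             rawsize, raw_off if rawsize else 0, 0, 0, 0, 0, chars)
        body += data.ljust(rawsize, b"\0")
        raw_off += rawsize
    return (dos + b"PE\0\0" + coff + opt + table).ljust(headers_size, b"\0") + body


if __name__ == "__main__":
    for label, img in (("clean", build_sample_pe(False)), ("packed", build_sample_pe(True))):
        print(label, packer_indicators(img) or ["no indicators"])
```

Run it and the clean image produces no indicators while the UPX-style one produces five. Such heuristics only flag candidates: a packer that keeps a conventional section layout, or pads its data to lower the entropy, passes them, which is why a generic unpacker must also observe the program at run time.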

Page 12

Scope of Project – Inclusions & Exclusions

We will not be developing an entire disassembler or debugger, only a technique that can either attach itself to an already memory-mapped process to uncover any hidden code, or load a process into memory and bypass any obfuscations to get to the hidden code once it is unpacked in memory.

The scope of the project covers only extracting the hidden code; any further analysis of the malware is future work left to security analysts.

This program can in no way be deemed equivalent to a debugger, which has many complex functions. We perform only a small sub-task that debuggers perform, i.e. load executables and extract any hidden code; we will not provide an environment to run or single-step the executable, but will just make the hidden code section available for analysis.

We intend to use simple debugging tools and already published research in the field of obfuscated binaries, and to take a lead from work already done.
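The unpacking loop on the "A Packed Malware Binary" slide, the signature evasion on the "Anti-virus Tool Evasion" slide and the in-memory extraction described in this scope slide can be modelled together. The following is an added example and not SADE project code: it defines a tiny byte-coded machine (constructed for the illustration; it is not x86), packs a constructed payload behind an XOR stub, and recovers the hidden code with the "written at run time, then executed" heuristic that Renovo and OmniUnpack (listed under Relevant Literature) build on. The opcode names, the payload and the key are the example's own.

```python
"""Toy model of an unpacking loop and of the written-then-executed heuristic.

Added example; it is not SADE project code and the byte-coded machine below
is constructed for this illustration (it is not x86). A packed image holds a
stub that XOR-decrypts the payload in place and then jumps to it, the same
shape as the loop on the 'Packed Malware Binary' slide. The monitor records
every address written at run time; the first time the program counter lands
on such an address it treats that as the recovered original entry point and
dumps the written region. A static signature scan of the packed image misses
the payload, while the same signature matches the dump.
"""

# Opcodes of the toy ISA. Registers: P (pointer), N (counter). 16-bit operands are little-endian.
SETP, SETN, XORB, INCP, DECN, JNZ, JMP, HALT = range(1, 9)


def build_packed_image(payload: bytes, key: int, payload_at: int = 0x20) -> bytearray:
    """Unpacking stub at 0x00 that decrypts len(payload) bytes at payload_at and jumps there."""
    lo, hi = payload_at & 0xFF, payload_at >> 8
    n_lo, n_hi = len(payload) & 0xFF, len(payload) >> 8
    stub = bytes([
        SETP, lo, hi,        # 0x00: P = payload_at
        SETN, n_lo, n_hi,    # 0x03: N = len(payload)
        XORB, key,           # 0x06: mem[P] ^= key          <- loop head
        INCP,                # 0x08: P += 1
        DECN,                # 0x09: N -= 1
        JNZ, 0x06, 0x00,     # 0x0A: if N != 0 goto 0x06
        JMP, lo, hi,         # 0x0D: control transfer to the now-unpacked code
    ])
    assert len(stub) <= payload_at, "payload must not overlap the stub"
    image = bytearray(payload_at + len(payload))
    image[:len(stub)] = stub
    image[payload_at:] = bytes(b ^ key for b in payload)   # payload as stored on disk
    return image


def run(image: bytearray, max_steps: int = 10_000):
    """Execute from address 0 while monitoring writes.

    Returns (value of N at HALT, recovered entry point or None, dump or None).
    """
    mem = bytearray(image)
    pc = p = n = 0
    written, oep, dump = set(), None, None
    for _ in range(max_steps):
        if oep is None and pc in written:
            oep = pc                                   # executing run-time-written memory
            dump = bytes(mem[min(written):max(written) + 1])
        op = mem[pc]
        if op == SETP:
            p, pc = mem[pc + 1] | (mem[pc + 2] << 8), pc + 3
        elif op == SETN:
            n, pc = mem[pc + 1] | (mem[pc + 2] << 8), pc + 3
        elif op == XORB:
            mem[p] ^= mem[pc + 1]
            written.add(p)                             # the monitor's only hook
            pc += 2
        elif op == INCP:
            p, pc = p + 1, pc + 1
        elif op == DECN:
            n, pc = n - 1, pc + 1
        elif op == JNZ:
            pc = (mem[pc + 1] | (mem[pc + 2] << 8)) if n else pc + 3
        elif op == JMP:
            pc = mem[pc + 1] | (mem[pc + 2] << 8)
        elif op == HALT:
            return n, oep, dump
        else:
            raise RuntimeError(f"illegal opcode {op:#x} at {pc:#x}")
    raise RuntimeError("step limit exceeded (runaway unpacking loop?)")


def analyze(payload: bytes, key: int, signature: bytes) -> dict:
    """Pack the payload, scan the image statically, run it, and scan the dump."""
    image = build_packed_image(payload, key)
    result, oep, dump = run(image)
    return {"static_hit": signature in bytes(image), "result": result,
            "oep": oep, "dump_hit": dump is not None and signature in dump}


# Constructed 'malicious' payload: SETN 1337; HALT. Its own bytes serve as the signature.
PAYLOAD = bytes([SETN, 0x39, 0x05, HALT])

if __name__ == "__main__":
    print(analyze(PAYLOAD, key=0x5A, signature=PAYLOAD))
```

The static scan reports no match on the packed image, the run halts with the payload's value 1337, the recovered entry point is 0x20 and the dump matches the signature. A real monitor additionally has to cope with multiple layers (the dump may itself be packed, so the heuristic is applied again after each control transfer) and with anti-debugger code that notices the instrumentation; neither is modelled here.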

Page 13

Project Schedule – Gantt Chart

Work packages:

A: Studying the PE (Portable Executable) file format

B: Implementing a PE identifier (i.e. portable executable analyzer)

C: Research already implemented generic unpacking techniques

D: Manually unpack executables obfuscated with different packers

E: Identify general trends in unpacking

F: Algorithm design

G: Implement modules

H: Test modules

I: Integrate modules

J: User manual

Page 14

Deliverables

Software Analysis toolkit: SADE

Documentation

– Project Scope Statement

– Requirements Model, Analysis Model and Design Model

– WBS, project schedule, software development plan, software implementation plan, software test plan

– Software Implementation Description

– Final Project Report

– User Manual

Page 15

Thank you! Any questions?