Malware Detection With Multiple Features
Description: slides presented at the University of Cambridge, UK
Transcript
Malware Analysis With Multiple Features
Muhammad Najmi Ahmad Zabidi
International Islamic University Malaysia
UKSIM 2012, Emmanuel College
University of Cambridge, United Kingdom
28-30th March 2012
Muhammad Najmi UKSIM 2012 1/39
About
• I am a research grad student at Universiti Teknologi Malaysia, Skudai, Johor Bahru, Malaysia
• My current employer is International Islamic University Malaysia, Kuala Lumpur
• Research area - malware detection, narrowing on Windows executables
Disclaimer
This presentation is an extension of the previous industry talks that I presented at Hack In The Box 2011, Kuala Lumpur. Some contents are based on the previous talk.
Malware in short
• is software
• maliciousness is defined by the risks it exposes the user to
• sometimes, when the classification is vague, the term ‘‘Potentially Unwanted Program/Application’’ (PUP/PUA) is used
Methods of detection
• Static analysis
• Dynamic analysis
This talk is more about static analysis
Analysis of strings
• Important, although not foolproof
• Find interesting calls first
• Considered static analysis, since the binary is not executed
Methods to find interesting strings
• Use strings command (on *NIX systems)
• Editors
• Checking the Import Address Table (IAT)
Python
• a scripting language
• a robust, powerful programming language
My Python scripts
• Based on several existing Python scripts - malware analyzer, zerowine sandboxes, PE scanner
• I merged them and modified some parts so that they produce a single-page report
• This tool is needed for my research work (bigger objective) - I am using a Machine Learning method for malware detection.
• Analysis of the binary while it is still packed
Components of pi-ngaji
Stuff to look at
• ‘‘Interesting’’ Application Programming Interface (API) calls
• Virtual Machine (VM) detector
• Outbound connect, especially Internet Relay Chat (IRC) commands. Possibly a member of a botnet
• XOR’ed values (addition from the previous talk in HITB KUL 2011)
python-pefile module
• Written by Ero Carrera
• python-pefile provides quite a number of functions
• Everything can be dumped with print pe.dump_info()
Regular Expression search using re
import re provides regexp capability to find strings in the binary. The array of calls INTERESTING_CALLS = ["CreateMutex", ...] provides the range of calls to be fetched. The following fetches the represented strings (Python 2; `line` is a line of strings output and `performed` is the list of calls already reported):

    for calls in INTERESTING_CALLS:
        # each call name is used as a regex against the current line
        if re.search(calls, line):
            if not calls in performed:
                print "[+] Found an Interesting call to: ", calls
                performed.append(calls)
API calls
• Application Programming Interface - API calls
• We use and compare the original API calls embedded in the script by Joxean, and later use the API calls proposed by [Altaher et al., 2011]
• Used Information Gain for feature (API calls) ranking
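The slides say Information Gain was used to rank the API-call features. The following is an added example (my code, not pi-ngaji's and not the code of [Altaher et al., 2011]) that computes that ranking in Python 3 over a constructed, labelled set of import lists; the corpus, its labels and the API memberships are invented for illustration.

```python
# Added example (not from the slides): Information Gain ranking of API-call
# features over a small constructed labelled corpus, the criterion the talk
# says was used to choose which calls count as "interesting". Python 3.
import math
from collections import Counter

# Constructed corpus: (label, set of imported API names); 1 = malware,
# 0 = benign. The memberships are invented for illustration only.
SAMPLES = [
    (1, {"CreateMutex", "GetProcAddress", "LoadLibraryA", "IsDebuggerPresent"}),
    (1, {"CreateMutex", "GetProcAddress", "InternetOpenA", "WriteFile"}),
    (1, {"CreateMutex", "GetProcAddress", "LoadLibraryA", "IsDebuggerPresent",
         "CopyFileA"}),
    (1, {"CreateMutex", "GetProcAddress", "CreateProcessA", "ReadFile"}),
    (0, {"GetProcAddress", "ReadFile", "WriteFile", "CreateFileA"}),
    (0, {"ReadFile", "WriteFile", "GetTickCount"}),
    (0, {"LoadLibraryA", "CreateFileA", "GetTickCount"}),
    (0, {"ReadFile", "CreateFileA", "WriteFile"}),
]

def entropy(labels):
    """Shannon entropy (bits) of a sequence of class labels."""
    n = len(labels)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(labels).values())

def information_gain(samples, api):
    """IG(api) = H(class) - H(class | api imported or not)."""
    labels = [lab for lab, _ in samples]
    present = [lab for lab, apis in samples if api in apis]
    absent = [lab for lab, apis in samples if api not in apis]
    n = len(samples)
    conditional = ((len(present) / n) * entropy(present)
                   + (len(absent) / n) * entropy(absent))
    return entropy(labels) - conditional

def rank_apis(samples):
    """All APIs seen in the corpus, as (api, IG) sorted by decreasing IG."""
    apis = set().union(*(apis for _, apis in samples))
    scored = [(api, information_gain(samples, api)) for api in apis]
    return sorted(scored, key=lambda t: (-t[1], t[0]))

if __name__ == "__main__":
    for api, ig in rank_apis(SAMPLES):
        print("%-20s %.3f" % (api, ig))
```

IG is symmetric, so an API that only benign samples import (CreateFileA here) ranks as high as one that only malware imports; the sign of the association has to be read off the corpus separately.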
Looking at Dynamic Link Library - DLL
Some DLLs are interesting to look at; they contain functions that may be used for malicious activities. For example, Kernel32.dll provides ‘‘low-level operating system functions for memory management and resource handling’’
Contents of kernel32.dll
1. CopyFileA
2. CopyFileExA
3. CopyFileExW
4. CopyFileW
5. CreateFileA
6. CreateFileW
7. DeleteFileA
8. DeleteFileW
9. MoveFileA
10. MoveFileExA
11. MoveFileExW
12. MoveFileW
13. MoveFileWithProgressA
14. MoveFileWithProgressW
15. OpenFile
16. ReadFile
17. ReadFileEx
18. ReadFileScatter
19. ReplaceFile
20. ReplaceFileA
21. ReplaceFileW
22. WriteFile
23. WriteFileEx
24. WriteFileGather
Source: [Marhusin et al., 2008]
Using Python PE
    # Python 2 script: walk the import directory of a PE file and print
    # each DLL followed by the API names imported from it
    import hashlib
    import time
    import binascii
    import string
    import os, sys
    import commands
    import pefile
    import peutils

    pe = pefile.PE(sys.argv[1])
    print "DLL \t\t API NAME"
    for imp in pe.DIRECTORY_ENTRY_IMPORT:
        print imp.dll
        for api in imp.imports:
            # api.name is None for imports by ordinal
            print "\t\t%s" % api.name
    najmi@vostro:~/rogue-av$ avgscan BestAntivirus2011.exe
    AVG command line Anti-Virus scanner
    Copyright (c) 2010 AVG Technologies CZ

    Virus database version: 271.1.1/3943
    Virus database release date: Fri, 07 Oct 2011 14:34:00 +08:00

    BestAntivirus2011.exe  Trojan horse FakeAlert.ACN

    Files scanned     : 1(1)
    Infections found  : 1(1)
    PUPs found        : 0
    Files healed      : 0
    Warnings reported : 0
    Errors reported   : 0
    najmi@vostro:~/rogue-av$ md5sum BestAntivirus2011.exe
    7f0ba3e7f57327563f0ceacbd08f8385  BestAntivirus2011.exe
    $ python ../dll-scan.py BestAntivirus2011.exe
    DLL              API NAME
    ADVAPI32.dll
    USER32.dll
    KERNEL32.dll
    ole32.dll
    OLEAUT32.dll
    GDI32.dll
    COMCTL32.dll
    SHELL32.dll
    WININET.dll
    WSOCK32.dll
                     None
                     None
                     None
                     None
                     None
                     None
                     None
                     None
Anti Virtual Machine Malware
    "Red Pill":                  "\x0f\x01\x0d\x00\x00\x00\x00\xc3",
    "VirtualPc trick":           "\x0f\x3f\x07\x0b",
    "VMware trick":              "VMXh",
    "VMCheck.dll":               "\x45\xC7\x00\x01",
    "VMCheck.dll for VirtualPC": "\x0f\x3f\x07\x0b\xc7\x45\xfc\xff\xff\xff\xff",
    "Xen":                       "XenVMM",  # Or XenVMMXenVMM
    "Bochs & QEmu CPUID Trick":  "\x44\x4d\x41\x63",
    "Torpig VMM Trick":          "\xE8\xED\xFF\xFF\xFF\x25\x00\x00\x00\xFF\x33\xC9\x3D\x00\x00\x00\x80\x0F\x95\xC1\x8B\xC1\xC3",
    "Torpig (UPX) VMM Trick":    "\x51\x51\x0F\x01\x27\x00\xC1\xFB\xB5\xD5\x35\x02\xE2\xC3\xD1\x66\x25\x32\xBD\x83\x7F\xB7\x4E\x3D\x06\x80\x0F\x95\xC1\x8B\xC1\xC3"
Source: ZeroWine source code
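To tie the regex loop above and the ZeroWine signature list together, here is an added Python 3 example (my code, not pi-ngaji's) that extracts printable strings from a constructed binary image, matches them against a subset of INTERESTING_CALLS and some IRC command words, and checks the raw bytes for three of the anti-VM signatures. The sample image, the IRC word list and the subset of calls are assumptions for the demo.

```python
# Added example (not the slides' pi-ngaji code): a static scan of a raw
# binary image for three of the string features the talk combines, namely
# "interesting" API names, IRC-bot command words and anti-VM byte signatures
# from the ZeroWine list. Python 3; the sample image is constructed below.
import re

# Subset of the call list from the slides; matched against printable strings.
INTERESTING_CALLS = ["CreateMutex", "LoadLibraryA", "GetProcAddress",
                     "IsDebuggerPresent", "CreateProcess", "http://"]
# Assumed IRC command words used to flag a likely bot binary.
IRC_STRINGS = ["PRIVMSG", "JOIN", "NICK", "QUIT", "VERSION"]
# Raw byte signatures (three entries from the ZeroWine list on the slides).
VM_TRICKS = {
    "Red Pill": b"\x0f\x01\x0d\x00\x00\x00\x00\xc3",
    "VMware trick": b"VMXh",
    "Xen": b"XenVMM",
}

def extract_strings(data, min_len=4):
    """Equivalent of the *NIX `strings` command: runs of printable ASCII."""
    return [m.group().decode() for m in
            re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def scan(data):
    """Return a dict of feature -> sorted list of unique hits."""
    found = {"calls": set(), "irc": set(), "vm": set()}
    for line in extract_strings(data):
        for call in INTERESTING_CALLS:             # same loop as the slide
            if re.search(re.escape(call), line):
                found["calls"].add(call)
        for word in IRC_STRINGS:
            if re.search(r"\b%s\b" % word, line):  # whole words only
                found["irc"].add(word)
    for name, sig in VM_TRICKS.items():            # byte level, not strings
        if sig in data:
            found["vm"].add(name)
    return {k: sorted(v) for k, v in found.items()}

# Constructed stand-in for a binary: junk bytes around a few embedded
# artefacts. Not a real sample.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 32 + b"KERNEL32.dll\x00LoadLibraryA\x00"
          b"GetProcAddress\x00IsDebuggerPresent\x00" + b"\xcc" * 8 +
          b"PRIVMSG #chan :VERSION\x00" + b"\x0f\x01\x0d\x00\x00\x00\x00\xc3"
          + b"\x90" * 16 + b"http://example.invalid/u.php\x00")

if __name__ == "__main__":
    for feature, hits in scan(SAMPLE).items():
        print("[+] %-5s %s" % (feature, ", ".join(hits) or "none"))
```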
Strings detector
Detect Anti VMs
    $ python comp-detect.py vm-detect-malware/bfe00ca2aa27501cb4fd00655435555d
    DLL              API NAME
    WS2_32.dll
    KERNEL32.dll
    USER32.dll
    GDI32.dll
    ole32.dll
CoCreateInstance
[+]Detecting Anti Debugger Tricks...
***Detected trick TWX (TRW detection)
***Detected trick isDebuggerPresent (Generic debugger detection)
***Detected trick TRW (TRW detection)
[+]Detecting VM tricks..
***Detected trick VirtualPc trick
***Detected trick VMCheck.dll for VirtualPC
    Analyzing registry...
    Check whether this binary is a bot...
    Analyzing interesting calls..
    [+] Found an Interesting call to: CreateMutex
    [+] Found an Interesting call to: GetEnvironmentStrings
    [+] Found an Interesting call to: LoadLibraryA
    [+] Found an Interesting call to: GetProcAddress
    [+] Found an Interesting call to: IsDebuggerPresent
Detect Bots, Detect Debugger Detector
    Analyzing 013a6dd86261acc7f9907740375ad9da
    DLL              API NAME
    KERNEL32.dll
    USER32.dll
    ADVAPI32.dll
    MSVCRT.dll
    GDI32.dll
    ole32.dll
    SHELL32.dll
                     DuplicateIcon
    Detecting VM existence...
    No trick detected.
    Analyzing registry...
    Check whether this binary is a bot...
    [+] Malware Seems to be IRC BOT: Verified By String : Port
    [+] Malware Seems to be IRC BOT: Verified By String : SERVICE
    [+] Malware Seems to be IRC BOT: Verified By String : Login
    Analyzing interesting calls..
    [+] Found an Interesting call to: LoadLibraryA
    [+] Found an Interesting call to: GetProcAddress
    [+] Found an Interesting call to: IsDebuggerPresent
    [+] Found an Interesting call to: http://
With registry addition
Analyzing e665297bf9dbb2b2790e4d898d70c9e9
    Analyzing registry...
    [+] Malware is Adding a Key at Hive: HKEY_LOCAL_MACHINE^G^@Label11^@^A^AÃR^Nreg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ImageFile Execution Options\Rx.exe" /v debugger /t REG_SZ /d %systemrot%\repair\1sass.exe /f^M
....
    [+] Malware Seems to be IRC BOT: Verified By String : ADMIN
    [+] Malware Seems to be IRC BOT: Verified By String : LIST
    [+] Malware Seems to be IRC BOT: Verified By String : QUIT
    [+] Malware Seems to be IRC BOT: Verified By String : VERSION
    Analyzing interesting calls..
    [+] Found an Interesting call to: FindWindow
    [+] Found an Interesting call to: LoadLibraryA
    [+] Found an Interesting call to: CreateProcess
    [+] Found an Interesting call to: GetProcAddress
    [+] Found an Interesting call to: CopyFile
    [+] Found an Interesting call to: shdocvw
Checking entropy
• Looking at randomness in the binary
• Entropy - referring to Shannon’s entropy [Lyda and Hamrock, 2007]
• If the score X satisfies 0 < X < 1 or X > 7, the section is denoted as suspicious
• The python-pefile module provides the get_entropy() function for this
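An added example (my code, not pi-ngaji's and not pefile's) that reimplements the Shannon entropy behind get_entropy() in plain Python 3 and applies the threshold rule above to constructed sections, including the edge cases the rule is meant to catch; the section names and contents are invented.

```python
# Added example (not from the slides): Shannon entropy of PE section data and
# the "suspicious section" rule described above (SizeOfRawData == 0, 0 < H < 1
# or H > 7). Pure Python 3; no pefile needed, the sections are constructed.
import math
import random
from collections import Counter

def shannon_entropy(data):
    """Entropy in bits per byte, 0.0 .. 8.0, the scale of pefile's
    get_entropy(). Empty data scores 0.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def is_suspicious(size_of_raw_data, h):
    """Threshold rule from the slides."""
    return size_of_raw_data == 0 or 0 < h < 1 or h > 7

def check_sections(sections):
    """sections: list of (name, raw bytes). Returns (name, H, flagged)."""
    report = []
    for name, raw in sections:
        h = shannon_entropy(raw)
        report.append((name, round(h, 3), is_suspicious(len(raw), h)))
    return report

# Constructed sections, not from any real binary:
#  .text  repetitive ASCII standing in for ordinary code/strings
#  .idata almost constant: a few non-zero bytes in a sea of zeros
#  .rsrc  entirely zero
#  .upx0  zero length on disk, as with sections filled only at unpack time
#  .data  pseudo-random bytes standing in for a packed/encrypted payload
rng = random.Random(2012)
SECTIONS = [
    (".text", ("mov eax, ebx ; call GetProcAddress " * 64).encode()),
    (".idata", b"\x00" * 4000 + b"\x01" * 96),
    (".rsrc", b"\x00" * 4096),
    (".upx0", b""),
    (".data", bytes(rng.randrange(256) for _ in range(65536))),
]

if __name__ == "__main__":
    for name, h, flagged in check_sections(SECTIONS):
        print("%-8s %6.3f %s" % (name, h, "[SUSPICIOUS]" if flagged else ""))
```

Note that .rsrc, a non-empty section that is entirely zero, scores exactly 0.0 and so falls outside the 0 < X < 1 band; only the empty-on-disk case is caught, through the SizeOfRawData test.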
PE sections to look for
TEXT
DATA
.idata
.rdata
.reloc
.rsrc
.tls
Binary file structure
Figure: Structure of a file [Pietrek, 1994]
Figure: PE components, simplified
    # Python 2; pe is a pefile.PE object, string is the stdlib module
    print "\n[+]Now check for binary entropy.."
    for sec in pe.sections:
        # keep only the printable part of the section name
        name = ''.join([c for c in sec.Name if c in string.printable])
        h = sec.get_entropy()
        # s = "%-10s %-12s %-12s %-12s %-12f" % (
        s = "%-10s %-12s" % (name, h)
        # empty on disk, almost constant, or almost random: flag it
        if sec.SizeOfRawData == 0 or (h > 0 and h < 1) or h > 7:
            s += "[SUSPICIOUS]"
        print "", s
Checking entropy...
    [+]Now check for binary entropy..
    %s .text      6.84045277182
    %s rdata      0.0          [SUSPICIOUS]
    %s .data      7.99566735324[SUSPICIOUS]
    %s .ice       6.26849761461
Figure: pi-ngaji flow
Results
Table: API calls detection for pi-ngaji
API calls                     Number of hits over 23 samples
GetSystemTimeAsFileTime       1
SetUnhandledExceptionFilter   1
GetCurrentProcess             3
TerminateProcess              1
LoadLibraryExW                0
GetVersionExW                 0
GetModuleFileNameW            0
GetTickCount                  2
SetLastError                  2
GetCurrentProcessId           2
GetModuleHandleW              2
LoadLibraryW                  0
InterlockedExchange           1
UnhandledExceptionFilter      2
FreeLibrary                   6
GetCurrentThreadId            3
QueryPerformanceCounter       1
CreateFileW                   0
InterlockedCompareExchange    0
UnmapViewOfFile               0
GetProcAddress                12
Table: Anti VM and Anti Debugger Detection for pi-ngaji
VM/Debugger Tricks   Number of hits
RedPill              1
VMCheck              2
VMWare trick         1
IsDebuggerPresent    1
TRW                  4
TRX                  3
Pro
pi-ngaji strengths
• Works offline, no need to submit to honeypot/dynamic analysis *yet*
• Could be automated and generate reports - via UNIX pipe, for example
• Runs on a relatively secure environment - Linux - where win32 binaries could not possibly execute
Cons
Weakness
• Could not possibly handle obfuscated binaries.. too bad, you have to execute them to get all the API calls/activities
Get in touch!
najmi.zabidi @ gmail.com
http://mypacketstream.blogspot.com
Special thanks
Thanks to Joxean and Beenu Arora
Bibliography
Altaher, A., Ramadass, S., and Ali, A. (2011).
Computer Virus Detection Using Features Ranking and Machine Learning. Australian Journal of Basic and Applied Sciences, 5(9):1482--1486.
Lyda, R. and Hamrock, J. (2007).
Using entropy analysis to find encrypted and packed malware. Security & Privacy, IEEE, 5(2):40--45.
Marhusin, M. F., Larkin, H., Lokan, C., and Cornforth, D. (2008).
An Evaluation of API Calls Hooking Performance. In Proc. Int. Conf. Computational Intelligence and Security CIS ’08, volume 1, pages 315--319.
Pietrek, M. (1994).
Peering Inside the PE: A Tour of the Win32 Portable Executable File Format. http://msdn.microsoft.com/en-us/library/ms809762.aspx.