Polymorphic and Metamorphic Malware - Black Hat
TRANSCRIPT
WetStone, A Division of Allen Corporation
Copyright 2007-2008 WetStone Technologies, Inc ALL RIGHTS RESERVED
Polymorphic & Metamorphic Malware
Chet Hosmer, Chief Scientist
Malware Impact
Source: NY Times and Washington Post
Metamorphic / Polymorphic Malware
Fundamental Principles
Malware must be defined semantically, because the very same virus, worm, bot, key logger, etc. is likely to exist in many different physical forms.
The techniques of polymorphism and metamorphism change the form of each instance of the software in order to evade pattern-matching detection, both during detection and during the investigative process.
Overview and Definitions
Polymorphic Malware
Polymorphism loosely means "change the appearance of".
Mutation engines are bundled with the virus, worm or other self-propagating code and produce a new-looking copy on each propagation.
Common methods include encryption of the body under a per-instance key (with a small decryptor that restores it at run time) and data appending / data pre-pending.
Overview and Definitions
Polymorphic Malware: Limitations
The decrypted code is essentially the same in each case, so memory-based signature detection is possible once the decryptor has run; the signature must be taken from the decrypted image in memory, not from the file on disk.
Block hashing can be effective in identifying memory-based remnants.
Memory Block Hashing
[Figure: block hashing of a FILE. The file is divided into Block 1, Block 2, ..., Block n, and each block is passed through a ONE-WAY CRYPTOGRAPHIC HASH FUNCTION, giving one digest per block (shown abbreviated on the slide as AB-9E-27-46-2F..., F2-43-56-A4-22..., E2-40-31-9A-8A...).]
Memory Block Hashing
[Figure: the same procedure applied to a MEMORY CODE SNAPSHOT. The snapshot is divided into Block 1, Block 2, ..., Block n and each block is hashed with the same one-way cryptographic hash function; the digest of Block 2 matches a block digest recorded from the file, identifying the remnant in memory.]
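The polymorphic definition, the limitations slide and the two block hashing figures above describe one mechanism end to end. The Python below is an added example written for this transcript, not WetStone's tool: it assumes a repeating-key XOR cipher, a container with a small length header standing in for a real decryptor stub, a 16-byte block size and a constructed payload. It also adds a sliding-window scan, which the slides do not show, because a decrypted body in a memory snapshot is rarely aligned to the block grid that aligned block hashing assumes.

```python
"""Polymorphic encryption on disk vs. block hashing of the decrypted body."""
import hashlib
import random

BLOCK = 16                        # bytes per hashed block (assumed for the example)
PAYLOAD = bytes(range(256)) * 2   # constructed stand-in for the malicious body


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def rand_bytes(rng: random.Random, n: int) -> bytes:
    return bytes(rng.randrange(256) for _ in range(n))


def make_instance(rng: random.Random) -> bytes:
    """Mutation engine: one on-disk instance of the same body.

    Assumed container: [pre_len:1][key_len:1][ct_len:2][pre junk][key][ciphertext][post junk].
    A real sample carries a decryptor stub rather than a header; the effect on
    whole-file and file-block signatures is the same: every instance differs.
    """
    key = rand_bytes(rng, rng.randint(4, 16))      # fresh key per instance
    pre = rand_bytes(rng, rng.randint(0, 64))      # data pre-pending
    post = rand_bytes(rng, rng.randint(0, 64))     # data appending
    ct = xor_crypt(PAYLOAD, key)
    header = bytes([len(pre), len(key)]) + len(ct).to_bytes(2, "big")
    return header + pre + key + ct + post


def decrypt_instance(blob: bytes) -> bytes:
    """What the decryptor stub leaves in memory: the plaintext body."""
    pre_len, key_len = blob[0], blob[1]
    ct_len = int.from_bytes(blob[2:4], "big")
    off = 4 + pre_len
    key = blob[off:off + key_len]
    off += key_len
    return xor_crypt(blob[off:off + ct_len], key)


def block_hashes(data: bytes, block: int = BLOCK) -> list:
    """Digest of every complete, aligned block (Block 1 .. Block n on the slide)."""
    return [hashlib.sha256(data[i:i + block]).hexdigest()
            for i in range(0, len(data) - block + 1, block)]


def build_signature(reference: bytes, block: int = BLOCK) -> set:
    """Signature = the set of block digests of a known decrypted body."""
    return set(block_hashes(reference, block))


def aligned_matches(image: bytes, signature: set, block: int = BLOCK) -> int:
    """Number of aligned blocks of image whose digest is in the signature."""
    return sum(h in signature for h in block_hashes(image, block))


def sliding_matches(image: bytes, signature: set, block: int = BLOCK) -> list:
    """Offsets of every block-sized window whose digest is in the signature.

    A body in a memory snapshot is rarely aligned to the block grid, so a
    practical scanner slides one byte at a time rather than stepping by block.
    """
    return [i for i in range(len(image) - block + 1)
            if hashlib.sha256(image[i:i + block]).hexdigest() in signature]


if __name__ == "__main__":
    rng = random.Random(2008)
    a, b = make_instance(rng), make_instance(rng)
    sig = build_signature(PAYLOAD)
    print("on-disk instances identical:", a == b)
    print("file-level aligned block matches:", aligned_matches(a, sig))
    mem_a, mem_b = decrypt_instance(a), decrypt_instance(b)
    print("decrypted bodies identical:", mem_a == mem_b)
    # Constructed snapshot: the decrypted body sits at an unaligned offset.
    snapshot = rand_bytes(rng, 37) + mem_a + rand_bytes(rng, 100)
    print("aligned matches in snapshot:", aligned_matches(snapshot, sig))
    print("sliding matches in snapshot:", len(sliding_matches(snapshot, sig)))
```

Two instances share no file-level block digests with the reference body, yet their decrypted images are byte-identical, which is the slide's limitation of polymorphism. The aligned scan of the snapshot finds nothing because the body starts five bytes past a block boundary; the sliding scan recovers every block, at the cost of one hash per byte offset, which is why production tools either align on page or section boundaries or use rolling hashes.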
Overview and Definitions
Metamorphic Malware
Metamorphic malware "automatically re-codes itself each time it propagates or is distributed": there is no constant encrypted body, the code itself is rewritten.
Simple techniques include:
Adding varying lengths of NOP instructions
Permuting the registers used
Adding useless instructions and loops within the code segments
Overview and Definitions
Metamorphic Malware
Advanced techniques include:
Function reordering
Program flow modification
Static data structure modification
Reordering structures
Inserting unused data types
Metamorphic Structure
[Figure: pie chart of a metamorphic sample's composition. Actual malicious code: 20%. Morphing engine code: 80%.]
Morphing Engine Components
Disassembler
Permutor
Randomizing Inserter (code & data)
Code Compressor
Assembler
Overview and Definitions
Metamorphic Malware: Limitations
What a defender can key on despite the rewriting:
Identification of the morphing engine, which must travel with every copy and makes up most of the code
Code semantics: what the code does, rather than the bytes it happens to use
Behavior
Automated code identification and analysis of memory snapshots, or analysis of swap space remnants
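The simple techniques slide, the Morphing Engine Components slide and the limitations above fit together as one pipeline. The Python below is an added example for this transcript, not WetStone's code: it models the disassembler, permutor, randomizing inserter and assembler (the code compressor is omitted) over an assumed 3-byte-per-instruction toy ISA with 8 registers, applies NOP padding, register permutation and dead junk instructions, and then shows the "code semantics" limitation with a normaliser that strips NOPs and dead writes and renames registers by first use, so every generation maps back to one canonical form while a byte signature misses all of them. The ISA, its encoding and the sample program are assumptions.

```python
"""Toy morphing engine and a semantics-based detector (added example)."""
import random

# Assumed ISA: every instruction is 3 bytes (opcode, a, b); 8 registers r0..r7.
#   NOP 0 0 | MOV rd imm8 | ADD rd rs (mod 256) | XOR rd rs | RET 0 0 (result in r0)
NOP, MOV, ADD, XOR, RET = 0, 1, 2, 3, 4
NREGS = 8


def disassemble(code: bytes) -> list:
    """Bytes -> list of (opcode, a, b) tuples."""
    if len(code) % 3:
        raise ValueError("truncated instruction")
    return [tuple(code[i:i + 3]) for i in range(0, len(code), 3)]


def assemble(insns: list) -> bytes:
    return bytes(b for insn in insns for b in insn)


def run(code: bytes) -> int:
    """Execute straight-line code and return r0 at RET."""
    regs = [0] * NREGS
    for op, a, b in disassemble(code):
        if op == MOV:
            regs[a] = b
        elif op == ADD:
            regs[a] = (regs[a] + regs[b]) & 0xFF
        elif op == XOR:
            regs[a] ^= regs[b]
        elif op == RET:
            return regs[0]
    raise RuntimeError("no RET")


def morph(code: bytes, rng: random.Random) -> bytes:
    """One generation: disassemble, permute registers, insert NOPs and dead
    instructions, assemble. r0 is left alone because it carries the result."""
    insns = disassemble(code)
    others = list(range(1, NREGS))
    shuffled = others[:]
    rng.shuffle(shuffled)
    perm = {0: 0, **dict(zip(others, shuffled))}                  # permutor
    insns = [(op, perm[a], b) if op == MOV else
             (op, perm[a], perm[b]) if op in (ADD, XOR) else (op, a, b)
             for op, a, b in insns]
    used = ({a for op, a, b in insns if op in (MOV, ADD, XOR)}
            | {b for op, a, b in insns if op in (ADD, XOR)})
    dead = [r for r in range(1, NREGS) if r not in used]  # never touched: safe junk targets
    out = []                                              # randomizing inserter
    for insn in insns:
        for _ in range(rng.randint(0, 2)):
            if dead and rng.random() < 0.5:
                r = rng.choice(dead)
                out.append(rng.choice([(MOV, r, rng.randrange(256)), (XOR, r, r)]))
            else:
                out.append((NOP, 0, 0))
        out.append(insn)
    return assemble(out)                                  # assembler


def normalize(code: bytes) -> tuple:
    """Semantic canonical form: drop NOPs, delete writes whose value is never
    read (backward liveness, r0 live at RET), rename registers by first use."""
    insns = [i for i in disassemble(code) if i[0] != NOP]
    live, kept = {0}, []
    for op, a, b in reversed(insns):
        if op == RET:
            kept.append((op, a, b))
        elif a in live:                      # its result is consumed later: keep
            live.discard(a)
            if op in (ADD, XOR):
                live |= {a, b}
            kept.append((op, a, b))
        # otherwise: dead write, dropped
    kept.reverse()
    names = {}

    def canon(r):
        return names.setdefault(r, len(names))
    return tuple((op, canon(a), canon(b)) if op in (ADD, XOR) else
                 (op, canon(a), b) if op == MOV else (op, 0, 0)
                 for op, a, b in kept)


# Constructed sample program: r0 = (5 + 9) ^ 3 = 13
ORIGINAL = assemble([(MOV, 1, 5), (MOV, 2, 9), (ADD, 1, 2), (MOV, 3, 3),
                     (XOR, 1, 3), (MOV, 0, 0), (ADD, 0, 1), (RET, 0, 0)])


def byte_signature_hit(sample: bytes, signature: bytes = ORIGINAL) -> bool:
    """Pattern matching: the original body used as a byte signature."""
    return signature in sample


def semantic_hit(sample: bytes, signature: bytes = ORIGINAL) -> bool:
    """Detection on code semantics: equal canonical forms."""
    return normalize(sample) == normalize(signature)


if __name__ == "__main__":
    rng = random.Random(2008)
    gen = ORIGINAL
    for i in range(1, 4):
        gen = morph(gen, rng)
        print(f"generation {i}: {len(gen):3d} bytes, result={run(gen)}, "
              f"byte signature={byte_signature_hit(gen)}, semantic={semantic_hit(gen)}")
```

Each generation computes the same result and is caught by the semantic check but not by the byte signature. The normaliser only handles straight-line code; the advanced techniques on the earlier slide (function reordering, program flow modification) need control-flow-aware normalisation or the behavioural and memory-snapshot analysis the limitations slide lists.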
Summary
Threat
Polymorphic and metamorphic malware are evolving
Discovery in real time or postmortem is difficult
Limited resources are being applied
Impact on Law Enforcement
Incident response is slow
Determining the source of attacks is difficult
Prosecuting those involved is elusive
Solution Development
Next Steps / Opportunity
Technology Status
Alpha-based technology is being validated at WetStone Labs
Beta technology is scheduled for August 2008 availability
We are actively seeking state and local law enforcement evaluators
Resulting Technology
Will be provided free to state and local law enforcement through NIJ upon project completion