Analysis of Mixed-mode Malware - PowerPoint Presentation

Uploaded On 2024-02-09
Presentation Transcript

1. Analysis of Mixed-mode Malware
Christoph Csallner, University of Texas at Arlington, http://ranger.uta.edu/~csallner/
Joint work with: Shabnam Aboughadareh
This material is based upon work supported by the National Science Foundation under Grants No. 1017305, 1117369, and 1527398. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation.

2. Well-known malware analysis tool: TEMU
[Figure: a VM (user and kernel) running on the host; the TEMU VMI driver inside the guest kernel sends OS state to the TEMU analysis component on the host.]

3. Question: What if malware attacks the analysis tool, e.g., TEMU?
[Figure: the same setup, with an attack from inside the guest on the TEMU VMI driver that sends OS state to the TEMU analysis component on the host.]

4. Mixed-mode malware
- Phase 1: Modify OS kernel code/data
- Phase 2: Payload uses modifications in attack
- Semantics determined by phase 1 success
- Malware analysis can only observe phase 2 if phase 1 succeeds
- But phase 1 may corrupt malware analysis

5. Example with TEMU-style in-guest analysis tool (VMI = Virtual Machine Introspection)
[Figure, recovered from the flattened diagram: user mode holds Dropper.exe, the Function Modifier and Mal.exe; the kernel holds the syscall table (pointer to Zw1), Mm1, Service A and the VMI driver.]
- 1: Drop. Dropper.exe drops the Function Modifier.
- 2.1: Hook. The Function Modifier replaces the syscall table's pointer to Zw1 with a pointer to Zw1'. Zw1'': call Zw1, hide Mal.exe. Current process ≠ Mal.exe: VMI notification to the VMI driver. Current process = Mal.exe: false VMI.
- 2.2: Unpatch.
- 3: Mal.exe. 3.1: Create new process. 3.2: Call Zw1.
- Preventing Dropper from running would prevent analyst from observing Mal.exe's malicious behavior.

6. Malware Analysis: State of the Art
[Table (cell placement of the tools is not preserved in the transcript): tools classified by What (User-only / Kernel-only / Both) and Where (Some components inside malware domain / Fully outside malware domain). Tools shown: Ether [Georgia Tech], TEMU [UC Berkeley], Anubis (TTAnalyze) [UC SB et al.], d-Anubis [TU Vienna].]

7. Example with malware analysis tool that does not analyze entire system
[Figure: user and kernel; execution path for service A.]
- 1. Drop Rootkit (kernel-mode component)
- 2. Mal.exe calls A (Service A)
- 3. Intercept the execution of system call A in kernel
- 4. Invoke system service B

8. Concrete example: Ether
[Figure: user and kernel; execution path for service A.]
- 1. Drop Rootkit (kernel-mode component)
- 2. Mal.exe calls A (Service A). Ether logs A.
- 4. Invoke system service B. What actually executes: Service B.
- As before: Preventing Dropper from running would prevent analyst from observing Mal.exe's malicious behavior.

9. Malware Analysis
[Table (cell placement of the tools is not preserved in the transcript): the same What (User-only / Kernel-only / Both) by Where (Some components inside malware domain / Fully outside malware domain) classification, now including SEMU [UT Arlington] alongside Ether [Georgia Tech], TEMU [UC Berkeley], Anubis (TTAnalyze) [UC SB et al.] and d-Anubis [TU Vienna].]

10. SEMU: Completely outside the guest
[Figure: a QEMU VM (user and kernel) on the host; the SEMU VMI component on the host keeps shadow memory describing guest kernel data (name, address, value) and guest kernel code (name, address), obtained by reverse engineering before malware execution.]

11. SEMU: Completely outside the guest
[Figure: after malware execution, the SEMU VMI component (shadow memory from reverse engineering; tracing) writes a trace log, which the Trace Analyzer in the SEMU analysis component turns into an analysis report.]
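Added example, not from the slides: a toy model of the process-aware hook from slide 5 together with the two outside-the-guest checks from slides 10 and 11 (a pre-execution shadow copy of kernel data, and tracing of writes to that data). The guest, the addresses and the service names are constructed placeholders, not SEMU code.

```python
# Added example, not from the slides: a toy model of the slide-5 hook and of the
# SEMU-style checks from slides 10-11 (shadow memory plus write tracing).
# Kernel objects are Python values; the two addresses are constructed placeholders.
GENUINE_ZW1 = 0x8000_1000   # constructed address of the real Zw1 handler
HOOKED_ZW1 = 0x9A00_0000    # constructed address of the dropper's Zw1'

class Guest:
    """Constructed guest: syscall table, current process, the notifications the
    in-guest VMI driver receives, and a write trace kept from outside the guest."""
    def __init__(self):
        self.syscall_table = {"Zw1": GENUINE_ZW1}
        self.current_process = "Service A"
        self.in_guest_vmi_log = []   # (process, service) notifications
        self.write_trace = []        # (process, object, old, new) seen from outside

    def write_table(self, name, addr):
        """Any write to monitored kernel data is traced outside the guest."""
        self.write_trace.append((self.current_process, name, self.syscall_table[name], addr))
        self.syscall_table[name] = addr

    def call_zw1(self):
        """Slide 5, step 3.2: Zw1' runs the real Zw1 but notifies the in-guest
        VMI driver only when the current process is not Mal.exe."""
        hooked = self.syscall_table["Zw1"] == HOOKED_ZW1
        if not (hooked and self.current_process == "Mal.exe"):
            self.in_guest_vmi_log.append((self.current_process, "Zw1"))

def shadow_diff(shadow, guest):
    """Compare live name -> address entries with the pre-execution shadow copy."""
    return {n: (a, guest.syscall_table.get(n)) for n, a in shadow.items()
            if guest.syscall_table.get(n) != a}

def run_scenario(unpatch):
    """Phase 1 hooks Zw1, phase 2 has Mal.exe call it; optionally unpatch (step 2.2)."""
    guest = Guest()
    shadow = dict(guest.syscall_table)        # slide 10: taken before execution
    guest.current_process = "Dropper.exe"
    guest.write_table("Zw1", HOOKED_ZW1)      # step 2.1: hook
    guest.current_process = "Mal.exe"
    guest.call_zw1()                          # phase 2: not reported in-guest
    guest.current_process = "Service A"
    guest.call_zw1()                          # benign caller is still reported
    if unpatch:
        guest.current_process = "Dropper.exe"
        guest.write_table("Zw1", GENUINE_ZW1)  # step 2.2: shadow diff is clean again
    return {"in_guest_log": guest.in_guest_vmi_log,
            "shadow_diff": shadow_diff(shadow, guest),
            "write_trace": guest.write_trace}
```

With the unpatch step the shadow comparison alone no longer shows the hook, which is why the trace log of writes is the record that survives it.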

12. Evaluation: SEMU is the only tool we tested that can fully analyze these mixed-mode malware samples:

Description | Affected Object | OS fct | Kernel LOC | User LOC | Slow-down
Modify sys calls | KTHREAD | No | 370 | 1,684 | 35.3
Modify sys calls (MDL) | SSDT | Yes | 417 | 1,684 | 38.7
DKOM object hiding | EPROCESS, DRIVER_OBJECT | No | 96 | 451 | 28.2
DKSM renaming | EPROCESS | No | 111 | 451 | 20.6
Privilege escalation | EPROCESS | No | 0 | 149 | 25.2
User-mode unhook | SSDT | Yes | 0 | 710 | 29.1

13. Execution time -- Fine-grained VMI: Instruction tracing

Subject | Ether w/o VMI [s] | SEMU w/o VMI [s] | Ether fine VMI [s] | SEMU fine VMI [s] | Ether slowdown | SEMU slowdown
Esinfo | 0.63 | 2.42 | 20.54 | 21.39 | 32 | 8
Timezone | 0.05 | 0.79 | 4.41 | 13.03 | 87 | 16
Whoami | 0.03 | 0.72 | 4.49 | 19.83 | 149 | 27
UPX | 0.32 | 9.00 | 45.58 | 322.60 | 141 | 35
RAR a | 0.15 | 3.07 | 45.16 | 302.93 | (not in transcript) | 98

Slowdown here is the relative overhead, (fine VMI time minus w/o VMI time) / w/o VMI time.

14. Inside-the-guest VMI in TEMU vs. Outside-the-guest VMI in SEMU

Subject | TEMU w/o VMI [s] | SEMU w/o VMI [s] | TEMU coarse VMI [s] | SEMU coarse VMI [s] | TEMU slowdown [%] | SEMU slowdown [%]
PsGetsid | 1.68 | 0.56 | 3.44 | 1.09 | 105 | 95
Pslist -t | 3.19 | 1.03 | 4.69 | 1.31 | 47 | 27
Psinfo -s | 5.76 | 2.88 | 9.79 | 4.78 | 70 | 66
Coreinfo | 1.70 | 0.65 | 3.75 | 1.07 | 121 | 63
ListDLLs | 3.20 | 2.58 | 5.01 | 3.75 | 57 | 45