Software Analysis & Deobfuscation Engine
Project Scope
• Project Name: SADE
• Project Members: Faiza Khalid, Komal Babar and Abdul Wahab
• Project Supervisor
  – Internal: Aisha Khalid
  – External: Dr. Fauzan Mirza

Scope Statement
Development of a software analysis toolkit for Windows executables that bypasses obfuscation so that the actual code becomes available for further analysis. The toolkit is intended for security analysts and for novice users with a little training.
Obfuscation Problem
• Malware analysis is necessary for information security:
  – Creating signatures
  – Understanding attacks
• Malware authors use code obfuscation techniques to hide their malicious code
• The time of security analysts is expensive. Individual samples can take hours to analyze. Obfuscation costs reverse-engineers time:
  – Complicates instruction sequences
  – Disrupts control flow
  – Makes algorithms difficult to understand
• Manual obfuscation removal is a tedious and error-prone process
• Need to automate the process of analysis to keep up

Deobfuscation (slide figure captioned "Deobfuscated!")

Packing Obfuscation
• Packing obfuscation is the process of compressing and/or encrypting a program and adding a runtime decryption routine to it, such that the behavior of the original program is preserved. Tools that perform packing are called packers.
• Packing is applied to legitimate software to reduce the size of executable files and to protect the intellectual property that is distributed with the code.
• Malware authors use packing to bypass detection and thwart analysis
  – Packing hides the original malicious code
  – Packing hinders code analysis
  – Obfuscation hinders automation
  – Automation is key to rapid analysis
A Packed Malware Binary
A binary is packed if some portion of its code is not present until runtime.
Figure: hex dump of packed bytes (7a 77 0e 20 e9 3d e0 09 e8 68 c0 45 be 79 5e 80 89 08 27 c0 ...) and the address space of the original binary beside that of the packed binary.
• Original binary: the entry point leads directly into the program code
• Packed binary: the entry point leads into anti-debugger code (timing checks of various granularities, control flow obfuscation), then into the unpacking loop
• The payload program is mostly unchanged, but is initially compressed or encrypted; its code is created in the unpacking phase
• JUMP: control transfer to the unpacked code once the loop finishes
Unpacking loop, as drawn in the figure (pseudo-assembly):
    .loop   lea eax, 0x4a0000
            lea ebx, 0x401000
            load ecx, ptr [r1]
            xor ecx, 0xffffff
            store ptr[ecx], r2
            ...
            jnz .x
            call ptr[edi]
    .x      add eax, 4
            add ebx, 4
            cmp eax, 0x4a1f88
            jnz .loop
            jmp 0x401000

Anti-virus Tool Evasion
Figure: the same packed bytes (7a 77 0e 20 e9 3d e0 09 ...) wrapped in several unpack-loop layers, each carrying a different signature, in front of an anti-virus tool.
• Anti-virus tools recognize and unpack payloads of common packer tools
• Existing packers are modified to evade anti-virus tools at the rate of 10-15 per month [1]
• 80% of malware in the world is packed [2][3]
Common attacker tactic: take a known malware binary and pack it with 10 layers of potentially different or proprietary packers. Symantec knows about 1145 families of packers, each of which can have multiple versions, and they claim they can recognize/unpack about 100 of them. Malware signature size keeps growing with no end in sight.
[1] Virus Bulletin, pp. 11-13, A. Stepan, 2006
[2] Press Release, McAfee Avert Labs, Nov. 2006
[3] Malware Formation Stats, Panda Research, 2007
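The following is an added example, not code from the SADE project or from these slides. It models the two slides above: the figure's unpacking loop (a read, XOR-with-key, store walk over the packed region, emulated here statically rather than by running anything) and the evasion point that a byte signature taken from the payload no longer matches once the payload is wrapped in one or more packing layers, yet matches again after the layers are undone. The payload bytes, the keys and the "signature" are all constructed for the example; XOR with a 4-byte key stands in for whatever compression or encryption a real packer applies.

```python
"""Toy model of packing, layered packing, static unpacking and signature
matching.  Added example; every byte string and key here is constructed."""


# Constructed stand-in for the original (unpacked) payload code.
PAYLOAD = bytes.fromhex(
    "5589e583ec10c745fc00000000837dfc0a7d0e8b45fc83c00189"
    "45fce8000000008b45fcc9c3"
)

# Constructed byte signature an anti-virus tool might carry for PAYLOAD
# (its first 13 bytes).
SIGNATURE = bytes.fromhex("5589e583ec10c745fc00000000")


def pack(payload: bytes, key: int) -> bytes:
    """Packer stage: XOR the payload with a 32-bit key, four bytes at a
    time, mirroring the 'xor ecx, <key>' step of the figure's loop.  The
    payload is zero-padded to a multiple of four so the loop's 4-byte
    stride covers it exactly."""
    if not 0 <= key <= 0xFFFFFFFF:
        raise ValueError("key must fit in 32 bits")
    padded = payload + b"\x00" * (-len(payload) % 4)
    k = key.to_bytes(4, "little")
    return bytes(b ^ k[i % 4] for i, b in enumerate(padded))


def unpack(packed: bytes, key: int, length: int) -> bytes:
    """Static emulation of the unpacking loop: walk the packed region,
    decode each 4-byte chunk and collect the result.  XOR is its own
    inverse, so decoding is the same operation as encoding.  `length`
    trims the padding the packer added."""
    return pack(packed, key)[:length]


def pack_layers(payload: bytes, keys: list) -> bytes:
    """Apply several packing layers in order (innermost key first), as in
    the 'pack it with 10 layers of different packers' tactic."""
    blob = payload
    for k in keys:
        blob = pack(blob, k)
    return blob


def unpack_layers(packed: bytes, keys: list, length: int) -> bytes:
    """Peel the layers off in reverse order; only after the last layer is
    removed does the original payload reappear."""
    blob = packed
    for k in reversed(keys):
        blob = pack(blob, k)
    return blob[:length]


def signature_hits(blob: bytes, sig: bytes) -> bool:
    """Plain substring match, the simplest form of a byte signature."""
    return sig in blob


if __name__ == "__main__":
    keys = [0x12345678, 0xDEADBEEF, 0x00FFFFFF]   # constructed keys
    packed = pack_layers(PAYLOAD, keys)
    print("signature on unpacked payload:", signature_hits(PAYLOAD, SIGNATURE))
    print("signature on packed blob:     ", signature_hits(packed, SIGNATURE))
    recovered = unpack_layers(packed, keys, len(PAYLOAD))
    print("recovered == original:        ", recovered == PAYLOAD)
    print("signature after unpacking:    ", signature_hits(recovered, SIGNATURE))
```

The design choice worth noting for a generic unpacker is that `unpack` never executes the packed bytes: it reproduces the loop's transformation from the loop's own parameters (start address, stride, key, end address), which is the "dump their code without running the executable" objective stated later in the deck. A real packer's loop must be recovered from the binary rather than known in advance, and the payload it reveals may be only partly intact, which is why the recovered code is handed to an analyst rather than run.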
Relevant Literature
• "Renovo: A Hidden Code Extractor for Packed Executables", presented at the 5th ACM Workshop on Recurring Malcode (WORM 2007)
• "Generic Unpacking: How to handle modified or unknown PE Compression Engines", presented at the Virus Bulletin Conference 2005
• "OmniUnpack: Fast, Generic, and Safe Unpacking of Malware", presented at the 23rd ACSAC (Annual Computer Security Applications Conference), Miami Beach, FL, USA (2007)
• "PolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware", presented at the 22nd ACSAC (2006)

Justification for Project
• The problem of generically unpacking malware executables has been solved commercially, but the competitive nature of the anti-virus software industry keeps vendors from publishing a solution.
• Lack of publicly available generic unpackers that can handle obfuscated binaries without knowing the exact packer used to pack them.
• The growing epidemic of malware and the need for more freely available tools to help in analyzing it.
Objectives
• Design and implementation of a technique to detect obfuscated Windows executables and to dump their code without running the executable.
  – Measurable by testing the implemented technique on sample packed executables and comparing the results with published statistics of existing unpackers.
• Design and develop a user-friendly interface to analyze the recovered executable code; the whole of the code might not be recovered, and the recovered code is not necessarily executable.
  – Measurable by feedback on the toolkit from beta testers.
• Contribute to research in the domain of code obfuscation and malware analysis.
  – Measurable by publication of research.

Scope of Project – Inclusions & Exclusions
• We will not be developing an entire disassembler or debugger, only a technique that can either attach itself to an already memory-mapped process to uncover any hidden code, or load a process in memory and bypass any obfuscations to reach the hidden code once it is unpacked in memory.
• The scope of the project covers only extracting the hidden code; any further analysis of the malware is future work left to security analysts.
• This program cannot in any way be deemed equivalent to a debugger, which has many complex functionalities. We perform only a small sub-task that debuggers perform, i.e. loading executables and extracting any hidden code. We will not provide an environment to run or single-step the executable, just make the hidden code section available for analysis.
• We intend to draw on simple debugging tools and already published research in the field of obfuscated binaries, taking a lead from work already done.
Project Schedule – Gantt Chart (figure; task key below)
A: Studying the PE (Portable Executable) file format
B: Implementing a PE identifier (i.e. portable executable analyzer)
C: Researching already implemented generic unpacking techniques
D: Manually unpacking executables obfuscated with different packers
E: Identifying general trends in unpacking
F: Algorithm design
G: Implementing modules
H: Testing modules
I: Integrating modules
J: User manual

Deliverables
• Software Analysis toolkit: SADE
• Documentation
  – Project Scope Statement
  – Requirements Model, Analysis Model and Design Model
  – WBS, project schedule, software development plan, software implementation plan, software test plan
  – Software implementation description
  – Final Project Report
  – User Manual

Any questions? Thank you!