Professional Documents
Culture Documents
“He will win who knows when to fight and when not
to fight... He will win who, prepared himself, waits to
take the enemy unprepared. Hence the saying: If
you know the enemy and know yourself, you need
not fear the result of a hundred battles. If you know
yourself but not the enemy, for every victory gained
you will also suffer a defeat. If you know neither the
enemy nor yourself, you will succumb in every
battle.” [Sun-Tsu]
Stefano Zanero
The malware problem
3
Stefano Zanero
Antivirus detection ratio...
4
Stefano Zanero
5
Stefano Zanero
The analysis issue
6
Stefano Zanero
Static vs. dynamic approaches
7
+ Complete analysis
- “Dormant” code
Stefano Zanero
Our Approach
8
Stefano Zanero
REANIMATOR 9
Stefano Zanero
REANIMATOR 10
Stefano Zanero
Dynamic Behavior Identification
11
Stefano Zanero
Dynamic Behavior Identification
12
Stefano Zanero
Behavior Detection Examples
13
Stefano Zanero
Extracting Genotype Models
14
Stefano Zanero
Extracting Genotype Models: Goals
15
Stefano Zanero
Slicing
16
Stefano Zanero
Filtering
17
Stefano Zanero
Filtering Techniques
18
Exclusive instructions:
set of instructions that manipulate tainted data every time
they are executed
utility functions are likely to be also invoked on untainted
data
Stefano Zanero
Germination
19
Stefano Zanero
Finding Dormant Functionality
20
Stefano Zanero
Finding Dormant Functionality
21
Stefano Zanero
Evaluation
22
Stefano Zanero
Accuracy
23
Stefano Zanero
Accuracy
24
Stefano Zanero
MOSS Comparison
25
Stefano Zanero
MOSS Comparison
26
Potential False Negatives
Potential False Positives
Stefano Zanero
Accuracy Results
27
No false positives
genotype model match always corresponds to presence of code
implementing the behavior
Stefano Zanero
Robustness
28
Stefano Zanero
In-the-Wild Detection
29
4 datasets
irc_bots: 10238 IRC bots
packed_bots: 4523 packed IRC bots
pushdo: 77 pushdo binaries (dropper, typically drops spam
engine cutwail)
allaple: 64 allaple binaries (network worm)
Stefano Zanero
In-the-Wild Detection
30
B: Behavior observed in dynamic analysis.
S,D: Functionality detected by Reanimator
Stefano Zanero
Beagle
31
Stefano Zanero
Beagle: overview
32
Stefano Zanero
Beagle: how do we define a behavior
33
Stefano Zanero
Beagle: our dataset
34
Stefano Zanero
Beagle: some global results
35
Stefano Zanero
Beagle: breakdown of changes on behaviors
36
Gamarue family
Distribution of
similarity
Stefano Zanero
Beagle: some of the insights
37
Stefano Zanero
Malware classification
38
Classification by antivirus
vendors completely unreliable
We demonstrated this by
analyzing naming
inconsistencies among them
Stefano Zanero
Classifying malware by structural and
39
behavioral features
Stefano Zanero
Conclusions
40
Stefano Zanero
Thanks for your attention!
41
stefano.zanero@polimi.it
Stefano Zanero