Professional Documents
Culture Documents
Knowledge
Dr Fabio Pierazzi
https://fabio.pierazzi.com
@fbpierazzi
© Crown Copyright, The National Cyber Security Centre
2021. This information is licensed under the Open
Government Licence v3.0. To view this licence, visit
http://www.nationalarchives.gov.uk/doc/open-
government-licence/.
Malware/Malicious code
3
Outline
A Taxonomy of Malware
Malware Analysis
Malware Detection
Malware Response
4
A Taxonomy of
Malware
A Taxonomy of Malware
6
Malware Taxonomy: Dimensions
7
Malware Taxonomy: Dimensions
(4) Auto-Spreading?
– Does it spread automatically, or does the infection happen through
user actions? (e.g., emails)
(6) Coordinated?
– Is it part of a coordinated network (e.g., botnets)?
8
Taxonomy: Examples
9
Malicious Activities
By Malware
Malicious Activities
11
The Cyber Kill Chain
12
The Cyber Kill Chain
Action on objectives
13
Underground Eco-system
Organized Cyber-crime
– Support full malware lifecycle
Development
Deployment
Operations
Monetization
– Specialized roles
Plausible deniability
More effective malware
14
Action Objectives
Toolkits
– Easy-to-use automated tools (e.g., keyloggers)
Campaigns
– Large-scale attacks (e.g., botnet)
– Long-running
15
Malware Analysis
Why Malware Analysis?
Benefits include:
– Understand intended malicious
activities
– Useful to attribution
– Understand and predict
trends/scope of malware
attacks
17
Acquiring Malware Data
Legal/Ethical Responsibilities
– Avoid damage
– Share responsibly
18
Static Analysis
Pros
– Better coverage of behaviors
– Safe
Limitations
– Overestimates behaviors
– Weak to obfuscation
19
Dynamic Analysis
Pros
– You see actual behavior
– (Relatively) language-independent
Limitations
– Underestimates behavior (coverage,
triggers)
– Safety and Live-Environment
20
Other Analysis Techniques
Fuzzing
– Randomised input to programs
– To discover vulnerabilities/bugs/crashes
– Also trigger malware behavior
– Limitation: code coverage
Symbolic Execution
– It treats variables and equations as symbols and formulas that can potentially
express all program paths
– Limitation: Convergence (needs to execute end-to-end, one at a time)
Concolic Execution
– Combines Concrete and Symbolic Execution.
– Online Concolic Execution: forking on all feasible branches
21
Analysis Environments
Internet?
Live C&C?
Dedicated environment for
Dynamic Analysis
– Results/Cost Trade-Off.
Cost
– Analysis Time
– Manual Human Effort
Other aspects:
– Safety
– Live-environment
22
Common Environments
Machine Emulator
– Code-based architecture
emulation
Type 2 Hypervisor
Ease of Use
– Runs in host OS, provides
Visibility
virtualisation service for hardware
Type 1 Hypervisor
– Runs directly on system hardware
Bare-metal machine
– No virtualisation
23
Safety and Live-Environments
Internet?
Live C&C?
Safety
– The malware may do malicious
actions. Can we allow it?
Also legal implications
– Virtualized network environments
Live-environment
– Does the malware exhibit
intended malicious behaviors?
Network connectivity
Real users on the machine
C&C/update servers online
24
Anti-Analysis and Evasion Techniques
25
Malware Detection
Malware Detection Objective
27
Evasion and Countermeasures
Evading signature-based
misuse detection
– Packing
– Polymorphism
– Update routine
28
Detection of Malware Attacks
30
ML-based Malware Detection
ML Limitations:
– Challenging Feature Engineering
– Adversarial attacks
– Costly labeling for malware
Deep Learning: poor
explainability
31
Evasion of ML-based Malware Detection
Mimicry Attack
– Evasion
– Recreate normal behavior (e.g., Partial countermeasures
sequence of system calls) • Ensemble of models
– Polymorphic blending attack of • Robust optimization
network traffic • Forget learning of old
samples (against
poisoning)
Targeted noise injection
– Poisoning: “garbage in, garbage out”
32
Concept Drift
Solutions:
– Active Learning
– Online Learning
33
Malware Response
Malware Response
Attribution
– Identify malware authors
35
Disrupt Malware Operations
36
Attribution
37
Conclusion
Conclusion
39
Cyber Security Body of
Knowledge
Dr Fabio Pierazzi
https://fabio.pierazzi.com
@fbpierazzi