Capturing Malware Propagations with Code Injections and Code-Reuse Attacks

Defending against malware involves analysing large amounts of suspicious samples. To deal with such quantities we rely heavily on automatic approaches to determine whether a sample is malicious or not. Unfortunately, complete and precise automatic analysis of malware is far from an easy task. This is because malware is often designed to contain several techniques and countermeasures specifically to hinder analysis. One of these techniques is for the malware to propagate through the operating system so as to execute in the context of benign processes. The malware does this by writing memory to a given process and then proceeds to have this memory execute. In some cases these propagations are trivial to capture because they rely on well-known techniques. However, in the cases where malware deploys novel code injection techniques, rely on code-reuse attacks and potentially deploy dynamically generated code, the problem of capturing a complete and precise view of the malware execution is non-trivial. In this paper we present a unified approach to tracing malware propagations inside the host in the context of code injections and code-reuse attacks. We also present, to the knowledge of the authors, the first approach to identifying dynamically generated code based on information-flow analysis. We implement our techniques in a system called Tartarus and match Tartarus with both synthetic applications and real-world malware. We compare Tartarus to previous works and show that our techniques substantially improve the precision for collecting malware execution traces, and that our approach can capture intrinsic characteristics of novel code injection techniques.

[1]  Wenke Lee,et al.  Ether: malware analysis via hardware virtualization extensions , 2008, CCS.

[2]  Fabrice Bellard,et al.  QEMU, a Fast and Portable Dynamic Translator , 2005, USENIX Annual Technical Conference, FREENIX Track.

[3]  Guillaume Bonfante,et al.  CoDisasm: Medium Scale Concatic Disassembly of Self-Modifying Binaries with Overlapping Instructions , 2015, CCS.

[4]  Zhenkai Liang,et al.  BitBlaze: A New Approach to Computer Security via Binary Analysis , 2008, ICISS.

[5]  Jan Gustafsson,et al.  The Mälardalen WCET Benchmarks: Past, Present And Future , 2010, WCET.

[6]  Heng Yin,et al.  DroidScope: Seamlessly Reconstructing the OS and Dalvik Semantic Views for Dynamic Android Malware Analysis , 2012, USENIX Security Symposium.

[7]  Hovav Shacham,et al.  When good instructions go bad: generalizing return-oriented programming to RISC , 2008, CCS.

[8]  Heng Yin,et al.  Make it work, make it right, make it fast: building a platform-neutral whole-system dynamic binary analysis platform , 2014, ISSTA 2014.

[9]  R. Sekar,et al.  On the Limits of Information Flow Techniques for Malware Analysis and Containment , 2008, DIMVA.

[10]  Heng Yin,et al.  DECAF: A Platform-Neutral Whole-System Dynamic Binary Analysis Platform , 2017, IEEE Transactions on Software Engineering.

[11]  Hovav Shacham,et al.  Can DREs Provide Long-Lasting Security? The Case of Return-Oriented Programming and the AVC Advantage , 2009, EVT/WOTE.

[12]  Angelos D. Keromytis,et al.  ROP payload detection using speculative code execution , 2011, 2011 6th International Conference on Malicious and Unwanted Software.

[13]  Heng Yin,et al.  Dynamic Spyware Analysis , 2007, USENIX Annual Technical Conference.

[14]  Claudia Eckert,et al.  Persistent Data-only Malware: Function Hooks without Code , 2014, NDSS.

[15]  Heng Yin,et al.  Panorama: capturing system-wide information flow for malware detection and analysis , 2007, CCS '07.

[16]  Hovav Shacham,et al.  The geometry of innocent flesh on the bone: return-into-libc without function calls (on the x86) , 2007, CCS '07.

[17]  Byung-Gon Chun,et al.  TaintDroid: An Information-Flow Tracking System for Realtime Privacy Monitoring on Smartphones , 2010, OSDI.

[18]  Zhenkai Liang,et al.  Jump-oriented programming: a new class of code-reuse attack , 2011, ASIACCS '11.

[19]  Davide Balzarotti,et al.  ROPMEMU: A Framework for the Analysis of Complex Code-Reuse Attacks , 2016, AsiaCCS.

[20]  Heng Yin,et al.  Renovo: a hidden code extractor for packed executables , 2007, WORM '07.

[21]  David Korczynski RePEconstruct: reconstructing binaries with self-modifying code and import address table destruction , 2016, 2016 11th International Conference on Malicious and Unwanted Software (MALWARE).

[22]  Herbert Bos,et al.  Size Does Matter: Why Using Gadget-Chain Length to Prevent Code-Reuse Attacks is Hard , 2014, USENIX Security Symposium.

[23]  Wenke Lee,et al.  PolyUnpack: Automating the Hidden-Code Extraction of Unpack-Executing Malware , 2006, 2006 22nd Annual Computer Security Applications Conference (ACSAC'06).

[24]  Ernest Foo,et al.  Integrity verification of user space code , 2013 .

[25]  Davide Balzarotti,et al.  SoK: Deep Packer Inspection: A Longitudinal Study of the Complexity of Run-Time Packers , 2015, 2015 IEEE Symposium on Security and Privacy.

[26]  Ahmad-Reza Sadeghi,et al.  Stitching the Gadgets: On the Ineffectiveness of Coarse-Grained Control-Flow Integrity Protection , 2014, USENIX Security Symposium.

[27]  Lok K. Yan,et al.  SoK : On the Soundness and Precision of Dynamic Taint Analysis , 2017 .

[28]  Somesh Jha,et al.  OmniUnpack: Fast, Generic, and Safe Unpacking of Malware , 2007, Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007).

[29]  George Candea,et al.  The S2E Platform: Design, Implementation, and Applications , 2012, TOCS.

[30]  Christopher Krügel,et al.  Exploring Multiple Execution Paths for Malware Analysis , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[31]  Claudia Eckert,et al.  Counteracting Data-Only Malware with Code Pointer Examination , 2015, RAID.