Transforming malicious code to ROP gadgets for antivirus evasion

This study advances research in offensive technology by proposing return-oriented programming (ROP) as a means of code obfuscation. The key insight is that ROP's unique structure poses challenges to malware analysis that traditional shellcode inspection and detection do not face. The proposed ROP-based attack vector provides two distinctive features: (i) the ability to automatically analyse a given piece of code and generate an equivalent ROP chain, and (ii) the ability to reuse legitimate code already present in an executable in the form of ROP gadgets. To this end, a software tool named ROPInjector was developed: given any piece of shellcode and any legitimate executable file, it transforms the shellcode into its ROP equivalent by reusing the code available in the executable, and finally patches the ROP chain into the executable, infecting it. After trying various combinations of evasion techniques, the results show that ROPInjector can evade nearly all, and in some cases all, of the antivirus products employed by the online VirusTotal service, making ROP an effective ingredient for code obfuscation. This attack vector poses a serious threat that malicious actors can take advantage of to conduct cyber-attack campaigns.
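As an added example that is not part of the paper or of the ROPInjector tool, the following Python scans a byte blob for the artifact a ROP-transformed payload leaves behind in a patched binary: a dense run of pointers into short, ret-terminated instruction sequences of the host executable. The image base, the miniature code section and the sample blobs are constructed for this example.

```python
import struct

# Constructed sample: a tiny x86 "code section" assumed mapped at IMAGE_BASE.
# The bytes and addresses are made up for this example, not taken from the paper.
IMAGE_BASE = 0x00401000
CODE = bytes.fromhex(
    "58c3"        # 0x401000: pop eax ; ret
    "5fc3"        # 0x401002: pop edi ; ret
    "8b00c3"      # 0x401004: mov eax, [eax] ; ret
    "9090909090"  # 0x401007: nop sled, no ret within reach
    "ffe0"        # 0x40100c: jmp eax (not ret-terminated)
    "83c004c3"    # 0x40100e: add eax, 4 ; ret
)
RET_OPCODES = {0xC3, 0xC2}  # ret / ret imm16
MAX_GADGET_LEN = 5          # real ROP gadgets are a handful of bytes long

def is_gadget_pointer(addr: int) -> bool:
    """Heuristic: addr lies inside CODE and a ret opcode occurs within MAX_GADGET_LEN bytes."""
    off = addr - IMAGE_BASE
    if not 0 <= off < len(CODE):
        return False
    return any(b in RET_OPCODES for b in CODE[off:off + MAX_GADGET_LEN])

def find_rop_chains(blob: bytes, min_gadgets: int = 3, max_gap: int = 1):
    """Scan 4-byte-aligned little-endian words of blob for dense runs of gadget pointers.
    Up to max_gap non-pointer words between gadgets are tolerated (popped arguments).
    Returns [(byte_offset, gadget_count), ...] for runs with >= min_gadgets pointers."""
    runs, start, gadgets, gap = [], None, 0, 0
    for i in range(0, len(blob) - 3, 4):
        (word,) = struct.unpack_from("<I", blob, i)
        if is_gadget_pointer(word):
            if start is None:
                start = i
            gadgets, gap = gadgets + 1, 0
        elif start is not None and gap < max_gap:
            gap += 1  # a data word sitting between gadgets, e.g. a value for pop eax
        else:
            if gadgets >= min_gadgets:
                runs.append((start, gadgets))
            start, gadgets, gap = None, 0, 0
    if gadgets >= min_gadgets:
        runs.append((start, gadgets))
    return runs

# Constructed inputs: a chain as a patched binary would embed it, and innocuous data.
SUSPECT_BLOB = struct.pack("<6I", 0x401000, 0x11223344, 0x401004, 0x40100E, 0x401002, 0x55667788)
BENIGN_BLOB = b"Hello, world! This is ordinary string data.\n" + struct.pack("<2I", 0x401000, 0)
```

A production scanner would take the section layout from the PE headers and disassemble properly; the byte-level ret scan is a heuristic that can misfire on immediates or displacements that happen to contain 0xC3.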
