Cobra: fine-grained malware analysis using stealth localized-executions

Fine-grained code analysis in the context of malware is a complex and challenging task that provides insight into malware code-layers (polymorphic/metamorphic), its data encryption/decryption engine, its memory layout etc., important pieces of information that can be used to detect and counter the malware and its variants. Current research in fine-grained code analysis can be categorized into static and dynamic approaches. Static approaches have been tailored towards malware and allow exhaustive fine-grained malicious code analysis, but lack support for self-modifying code, have limitations related to code-obfuscations and face the undecidability problem. Given that most if not all malware employ self-modifying code and code-obfuscations, poses the need to analyze them at runtime using dynamic approaches. However, current dynamic approaches for fine-grained code analysis are not tailored specifically towards malware and lack support for multithreading, self-modifying/self-checking code and are easily detected and countered by ever-evolving anti-analysis tricks employed by malware. To address this problem, we propose a powerful dynamic fine-grained malicious code analysis framework, codenamed Cobra, to combat malware that are becoming increasingly hard to analyze. Our goal is to provide a stealth, efficient, portable and easy-to-use framework supporting multithreading, self-modifying/self-checking code and any form of code obfuscation in both user- and kernel-mode on commodity operating systems. Cobra cannot be detected or countered and can be dynamically and selectively deployed on malware specific code-streams while allowing other code-streams to execute as is. We also illustrate the framework utility by describing our experience with a tool employing Cobra to analyze a real-world malware

[1]  Mourad Debbabi,et al.  Static analysis of binary code to isolate malicious behaviors , 1999, Proceedings. IEEE 8th International Workshops on Enabling Technologies: Infrastructure for Collaborative Enterprises (WET ICE'99).

[2]  Fred Cohen,et al.  Computer viruses—theory and experiments , 1990 .

[3]  Derek Bruening,et al.  Efficient, transparent, and comprehensive runtime code manipulation , 2004 .

[4]  Christopher Krügel,et al.  Detecting kernel-level rootkits through binary analysis , 2004, 20th Annual Computer Security Applications Conference.

[5]  Christian S. Collberg,et al.  Watermarking, Tamper-Proofing, and Obfuscation-Tools for Software Protection , 2002, IEEE Trans. Software Eng..

[6]  Somesh Jha,et al.  Static Analysis of Executables to Detect Malicious Patterns , 2003, USENIX Security Symposium.

[7]  Karl N. Levitt,et al.  MCF: a malicious code filter , 1995, Comput. Secur..

[8]  Amit Vasudevan,et al.  SPiKE: engineering malware analysis tools using unobtrusive binary-instrumentation , 2006, ACSC.

[9]  Mourad Debbabi,et al.  Detection of Malicious Code in Cots Software: A Short Survey , 1999 .

[10]  Mary Lou Soffa,et al.  Retargetable and reconfigurable software dynamic translation , 2003, International Symposium on Code Generation and Optimization, 2003. CGO 2003..

[11]  L. Spitzner,et al.  Honeypots: Tracking Hackers , 2002 .

[12]  Somesh Jha,et al.  Detecting Manipulated Remote Call Streams , 2002, USENIX Security Symposium.

[13]  Amit Vasudevan,et al.  Stealth breakpoints , 2005, 21st Annual Computer Security Applications Conference (ACSAC'05).

[14]  Fabrice Bellard,et al.  QEMU, a Fast and Portable Dynamic Translator , 2005, USENIX Annual Technical Conference, FREENIX Track.

[15]  Harish Patil,et al.  Pin: building customized program analysis tools with dynamic instrumentation , 2005, PLDI '05.

[16]  Koen De Bosschere,et al.  DIOTA: Dynamic Instrumentation, Optimization and Transformation of Applications , 2002, PACT 2002.

[17]  Steve R. White,et al.  An Undetectable Computer Virus , 2000 .

[18]  Saumya K. Debray,et al.  Obfuscation of executable code to improve resistance to static disassembly , 2003, CCS '03.

[19]  Nicholas Nethercote,et al.  Valgrind: A Program Supervision Framework , 2003, RV@CAV.

[20]  Christopher Krügel,et al.  Static Disassembly of Obfuscated Binaries , 2004, USENIX Security Symposium.

[21]  Intel Corportation,et al.  IA-32 Intel Architecture Software Developers Manual , 2004 .

[22]  Somesh Jha,et al.  Semantics-aware malware detection , 2005, 2005 IEEE Symposium on Security and Privacy (S&P'05).

[23]  Gary McGraw,et al.  Attacking Malicious Code: A Report to the Infosec Research Council , 2000, IEEE Software.

[24]  Gregory Wroblewski,et al.  General Method of Program Code Obfuscation , 2002 .

[25]  Brian Chess,et al.  Improving computer security using extended static checking , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[26]  Xuejia Lai,et al.  A Proposal for a New Block Encryption Standard , 1991, EUROCRYPT.

[27]  Christian S. Collberg,et al.  A Taxonomy of Obfuscating Transformations , 1997 .

[28]  Vesselin Bontchev Methodology of computer anti-virus research , 1998 .

[29]  Nadia Tawbi,et al.  Dynamic Monitoring of Malicious Activity in Software Systems , 2000 .

[30]  Vern Paxson,et al.  Bro: a system for detecting network intruders in real-time , 1998, Comput. Networks.

[31]  Andy Oram,et al.  Getting to Know gdb , 1996 .

[32]  Arun Lakhotia,et al.  Analysis and detection of computer viruses and worms: an annotated bibliography , 2002, SIGP.

[33]  Peter Szor,et al.  The Art of Computer Virus Research and Defense , 2005 .

[34]  Dawson R. Engler,et al.  Using programmer-written compiler extensions to catch security holes , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[35]  David A. Wagner,et al.  MOPS: an infrastructure for examining security properties of software , 2002, CCS '02.

[36]  B CohenFrederick Operating system protection through program evolution , 1993 .

[37]  Daniel Le Métayer,et al.  Verification of control flow based security properties , 1999, Proceedings of the 1999 IEEE Symposium on Security and Privacy (Cat. No.99CB36344).

[38]  Atsuko Miyaji,et al.  Software Obfuscation on a Theoretical Basis and Its Implementation , 2003, IEICE Transactions on Fundamentals of Electronics Communications and Computer Sciences.

[39]  Jack W. Davidson,et al.  Protection of software-based survivability mechanisms , 2001, 2001 International Conference on Dependable Systems and Networks.

[40]  Somesh Jha,et al.  Testing malware detectors , 2004, ISSTA '04.

[41]  Matt Bishop,et al.  Checking for Race Conditions in File Accesses , 1996, Comput. Syst..

[42]  Jules Desharnais,et al.  Static Detection of Malicious Code in Executable Programs , 2000 .

[43]  Roger M. Needham,et al.  TEA, a Tiny Encryption Algorithm , 1994, FSE.

[44]  David A. Wagner,et al.  A Secure Environment for Untrusted Helper Applications , 1996, USENIX Security Symposium.