AUTOVAC: Towards Automatically Extracting System Resource Constraints and Generating Vaccines for Malware Immunization

Malware often contains many system-resourcesensitive condition checks to avoid any duplicate infection, make sure to obtain required resources, or try to infect only targeted computers, etc. If we are able to extract the system resource constraints from malware code, and manipulate the environment state as vaccines, we would then be able to immunize a computer from infections. Towards this end, this paper provides the first systematic study and presents a prototype system, AUTOVAC, for automatically extracting the system resource constraints from malware code and generating vaccines based on the system resource conditions. Specifically, through monitoring the data propagation from system-resource-related system calls, AUTOVAC automatically identifies the environment related state of a computer. Through analyzing the environment state, AUTOVAC automatically generates vaccines. Such vaccines can be then injected into other computers, thereby being immune from future infections from the same malware or its polymorphic variants. We have evaluated AUTOVAC on a large set of real-world malware samples and successfully extracted working vaccines for many families including high-profile Conficker, Sality and Zeus. We believe AUTOVAC represents an appealing technique to complement existing malware defenses. Keywords-Dynamic malware analysis, environment constraint, vaccine.

[1]  Christopher Krügel,et al.  Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware Binaries , 2010, 2010 IEEE Symposium on Security and Privacy.

[2]  Christopher Krügel,et al.  Scalable, Behavior-Based Malware Clustering , 2009, NDSS.

[3]  A. Zeller Isolating cause-effect chains from computer programs , 2002, SIGSOFT '02/FSE-10.

[4]  Christopher Krügel,et al.  Exploring Multiple Execution Paths for Malware Analysis , 2007, 2007 IEEE Symposium on Security and Privacy (SP '07).

[5]  Dawn Xiaodong Song,et al.  Dispatcher: enabling active botnet infiltration using automatic protocol reverse-engineering , 2009, CCS.

[6]  Elmar Gerhards-Padilla,et al.  Using Infection Markers as a Vaccine against Malware Attacks , 2012, 2012 IEEE International Conference on Green Computing and Communications.

[7]  David Brumley,et al.  All You Ever Wanted to Know about Dynamic Taint Analysis and Forward Symbolic Execution (but Might Have Been Afraid to Ask) , 2010, 2010 IEEE Symposium on Security and Privacy.

[8]  Kang G. Shin,et al.  Large-scale malware indexing using function-call graphs , 2009, CCS.

[9]  Christopher Krügel,et al.  Effective and Efficient Malware Detection at the End Host , 2009, USENIX Security Symposium.

[10]  Tzi-cker Chiueh,et al.  A Forced Sampled Execution Approach to Kernel Rootkit Identification , 2007, RAID.

[11]  Christopher Krügel,et al.  AccessMiner: using system-centric models for malware protection , 2010, CCS '10.

[12]  Marcus A. Maloof,et al.  Learning to Detect and Classify Malicious Executables in the Wild , 2006, J. Mach. Learn. Res..

[13]  Somesh Jha,et al.  Synthesizing Near-Optimal Malware Specifications from Suspicious Behaviors , 2010, 2010 IEEE Symposium on Security and Privacy.

[14]  R. Sekar,et al.  On the Limits of Information Flow Techniques for Malware Analysis and Containment , 2008, DIMVA.

[15]  Jun Xu,et al.  Packet vaccine: black-box exploit detection and signature generation , 2006, CCS '06.

[16]  Miguel Castro,et al.  Vigilante: end-to-end containment of internet worms , 2005, SOSP '05.

[17]  Xiangyu Zhang,et al.  Automatic Reverse Engineering of Data Structures from Binary Execution , 2010, NDSS.

[18]  Jonathon T. Giffin,et al.  Impeding Malware Analysis Using Conditional Code Obfuscation , 2008, NDSS.

[19]  David Brumley,et al.  BAP: A Binary Analysis Platform , 2011, CAV.

[20]  Stephen McCamant,et al.  Differential Slicing: Identifying Causal Execution Differences for Security Applications , 2011, 2011 IEEE Symposium on Security and Privacy.

[21]  Samuel T. King,et al.  Backtracking intrusions , 2003, SOSP '03.

[22]  Christopher Krügel,et al.  A quantitative study of accuracy in system call-based malware detection , 2012, ISSTA 2012.

[23]  Aleksandar Kuzmanovic,et al.  Unconstrained endpoint profiling (googling the internet) , 2008, SIGCOMM '08.

[24]  David Ferbrache BSc A Pathology of Computer Viruses , 1992, Springer London.