Secure and advanced unpacking using computer emulation

The purpose of this article is firstly to present a secure unpacker which is specifically designed for a security analyst when studying viruses but also any anti-virus scanner. Such a tool is in fact required when assessing security requirements of an anti-virus scanner through a black box approach. During testing of anti-virus software, a security analyst needs to build virus populations required for several penetration tests. Virus unpacking is a first mandatory step before gaining the ability to apply obfuscation transformation or any information extraction algorithm on a viral set. A secure unpacker is also useful when checking security robustness against reverse engineering of any packed or protected security product. Several static and dynamic analysis tools already implement unpacking algorithms, but these often require human intervention and are not well designed to automatically unpack such a dangerous program as a virus. A new algorithm for automatically unpacking encrypted viruses is presented in this paper. Forensics techniques to reconstruct an unpacked executable and advanced heuristics are also presented in order to decrypt more sophisticated self-protected Malwares. We present several detection techniques which are specifically designed to deceive virtual machine monitors and discuss the security of our tool against these low-level viral attacks. Our secure unpacker figures among a set of several tools. We then present in this paper a proof-of-concept human analysis framework which implements most standard components of an anti-virus scanner (real-time scanner, emulator engine) and in addition proposes a reliable system for automatically gaining information about a virus and its interaction with the OS executive (stealth native API hooking), but focuses on human decision as a detection process without the same resource limitation constraint as product oriented anti-virus scanners. This framework is used as a basis/reference for the comparative analysis of security aspects of anti-virus scanners and deals with the robustness of their driver stack and the efficiency of their de-obfuscation and unpacking algorithms.

[1]  Jens Tröger,et al.  Specification-driven dynamic binary translation , 2005 .

[2]  Mark Russinovich,et al.  Inside Microsoft Windows 2000 , 2000 .

[3]  Joanna Rutkowska Detecting Windows Server Compromises with Patchfinder 2 , 2004 .

[4]  Péter Ször MEMORY SCANNING UNDER WINDOWS NT , 1999 .

[5]  Eric Filiol,et al.  Strong Cryptography Armoured Computer Viruses Forbidding Code Analysis: the Bradley Virus 1 , 2004 .

[6]  Eric Filiol,et al.  A statistical model for undecidable viral detection , 2007, Journal in Computer Virology.

[7]  Andreas Schuster,et al.  Searching for processes and threads in Microsoft Windows memory dumps , 2006, Digit. Investig..

[8]  S. Katzenbeisser,et al.  Malware Normalization , 2005 .

[9]  Mark Russinovich,et al.  Microsoft Windows Internals, Fourth Edition: Microsoft Windows Server(TM) 2003, Windows XP, and Windows 2000 (Pro-Developer) , 2004 .

[10]  Cynthia E. Irvine,et al.  Analysis of the Intel Pentium's Ability to Support a Secure Virtual Machine Monitor , 2000, USENIX Security Symposium.

[11]  Alfred V. Aho,et al.  Efficient string matching , 1975, Commun. ACM.

[12]  Mark Russinovich,et al.  Microsoft Windows Internals : Microsoft Windows Server 2003, Windows XP, and Windows 2000 , 2005 .

[13]  Herbert Bos,et al.  Argos: an emulator for fingerprinting zero-day attacks for advertised honeypots with automatic signature generation , 2006, EuroSys.

[14]  Fabrice Bellard,et al.  QEMU, a Fast and Portable Dynamic Translator , 2005, USENIX ATC, FREENIX Track.

[15]  李幼升,et al.  Ph , 1989 .

[16]  Greg Hoglund,et al.  Rootkits: Subverting the Windows Kernel , 2005 .

[17]  Sébastien Josse,et al.  How to Assess the Effectiveness of your Anti-virus? , 2006, Journal in Computer Virology.

[18]  Fred Cohen,et al.  Computer viruses—theory and experiments , 1990 .

[19]  Georgios Portokalidis,et al.  ZERO HOUR WORM DETECTION AND CONTAINMENT USING HONEYPOTS , 2004 .

[20]  Gary Nebbett Windows NT/2000 Native API Reference , 2000 .

[21]  Eric Filiol,et al.  On the possibility of practically obfuscating programs towards a unified perspective of code protection , 2007, Journal in Computer Virology.

[22]  U. Bayer,et al.  TTAnalyze: A Tool for Analyzing Malware , 2006 .

[23]  Peter Ferrie Attacks on Virtual Machine Emulators , 2007 .