Classification of malware persistence mechanisms using low-artifact disk instrumentation

The proliferation of malware in recent years has motivated the need for tools to analyze, classify, and understand intrusions. Current research in malware analysis focuses on labeling a sample as malicious or benign, or on labeling it with the family or variant it belongs to. We argue that, in addition to such coarse family labels, it is useful to label malware by the capabilities it employs. Capabilities include logging keystrokes, downloading a file from the Internet, modifying the Master Boot Record, and trojanizing a system binary. Unfortunately, labeling malware by capability requires a descriptive, high-integrity trace of its behavior, which is challenging to obtain given the stealth techniques malware employs to evade analysis and detection. In this thesis we present DIONE, a flexible rule-based disk I/O monitoring and analysis infrastructure. DIONE interposes between a system under analysis and its hard disk, intercepting disk accesses and reconstructing the high-level file system and registry changes as they occur; because the monitor sits outside the system under analysis, the trace does not depend on the integrity of the guest operating system. We evaluate the accuracy and performance of DIONE and show that it reconstructs file system operations with 100% accuracy, at a performance penalty of less than 2% in many cases.

Given the trustworthy behavioral traces obtained by DIONE, we convert file-system-level events into high-level capabilities. For this we use model checking, a formal verification approach that compares a model extracted from a behavioral trace against a given specification. Since DIONE traces consist of file system and registry events, we target persistence capabilities: we label a sample by the mechanism it uses not only to persist on disk but also to restart after a system boot. We model the Windows service, a mechanism commonly employed by malware to persist, to load a binary after reboot, and even to load dangerous code into the kernel. Specifically, we model the installation of a Windows service, the system boot, and the subsequent file access to the service binary. We test our models on over 1000 real-world malware samples and show that they identify service-installing samples over 99% of the time, and samples whose service is loaded after reboot over 97% of the time. Detecting this load is what distinguishes an installed persistence mechanism from a successful one: the automatic load of the program binary after a system reboot shows that the mechanism actually works. Finally, we demonstrate that traces of disk reads suffice to differentiate between two types of file access. We correctly identify the access type from the disk access pattern with fewer than 4% of samples mislabeled, and show that even an expert analyst would have difficulty correctly labeling the mislabeled accesses.
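To make the persistence specification concrete, the following Python is an added example and not DIONE's own code: it runs a small monitor automaton (a simplification of the model checking the thesis uses) over a constructed trace of reconstructed file system and registry events, and emits capability labels for service installation, auto-start configuration, and the post-reboot load of the service binary. The Event record, the event vocabulary, and the sample traces are assumptions of this example; the registry locations (HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath and \Start, with Start == 2 meaning SERVICE_AUTO_START) are the standard Windows service layout.

```python
"""Persistence labeling over a reconstructed disk-event trace.

Added illustration, not DIONE's code.  Event kinds, the trace format and the
sample traces are constructed; the Services registry layout is real Windows.
"""
from dataclasses import dataclass
from typing import Iterable, Optional

SERVICES_KEY = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\"
SERVICE_AUTO_START = 2  # Start value the Service Control Manager loads at boot


@dataclass(frozen=True)
class Event:
    # kind: 'file_write' | 'file_read' | 'reg_set' | 'boot' (assumed vocabulary)
    kind: str
    path: str = ""       # file path, or registry value path for reg_set
    data: object = None  # registry data for reg_set (assumed already decoded)


def _norm(path: str) -> str:
    return path.lower().replace("/", "\\")


def _service_name(reg_path: str) -> Optional[str]:
    """Service name if reg_path lies under the Services key, else None."""
    p, prefix = _norm(reg_path), _norm(SERVICES_KEY)
    if not p.startswith(prefix):
        return None
    return p[len(prefix):].split("\\")[0]


def _image_path_file(data: object) -> str:
    """Reduce an ImagePath value to the binary it names: drop surrounding quotes,
    arguments and the NT '\\??\\' prefix.  Relative and %SystemRoot% paths are
    left unexpanded (a limitation of this example)."""
    s = str(data).strip()
    if s.startswith('"') and s.count('"') >= 2:
        s = s[1:s.index('"', 1)]
    else:
        s = s.split(" ")[0]
    s = _norm(s)
    return s[4:] if s.startswith("\\??\\") else s


def analyze_services(trace: Iterable[Event]) -> dict:
    """Monitor automaton over the ordered trace.  Per service: the registered
    ImagePath, the Start type, whether a boot followed the registration, and
    whether the binary was read after that boot (our evidence of a load)."""
    services: dict = {}
    for ev in trace:
        if ev.kind == "reg_set":
            svc = _service_name(ev.path)
            if svc is None:
                continue
            entry = services.setdefault(svc, {"image": None, "start": None,
                                              "boot_after_install": False,
                                              "loaded": False})
            value = _norm(ev.path).rsplit("\\", 1)[-1]
            if value == "imagepath":
                entry["image"] = _image_path_file(ev.data)
            elif value == "start":
                entry["start"] = int(ev.data)
        elif ev.kind == "boot":
            for entry in services.values():
                if entry["image"] is not None:
                    entry["boot_after_install"] = True
        elif ev.kind == "file_read":
            p = _norm(ev.path)
            for entry in services.values():
                # A read before the boot (the dropper copying or checking the
                # file) is not a load; only a read after the boot counts.
                if entry["boot_after_install"] and entry["image"] == p:
                    entry["loaded"] = True
    return services


def label_persistence(trace: Iterable[Event]) -> set:
    """Capability labels derived from the automaton's final states."""
    labels = set()
    for entry in analyze_services(trace).values():
        if entry["image"] is None:
            continue
        labels.add("service-install")
        if entry["start"] == SERVICE_AUTO_START:
            labels.add("service-autostart")
        if entry["loaded"]:
            labels.add("service-load")
    return labels


# Constructed sample traces (not real DIONE output).
_SVC = SERVICES_KEY + "evilsvc\\"
_DRV = "C:\\Windows\\System32\\drivers\\evil.sys"
TRACE_INSTALLED_AND_LOADED = [
    Event("file_write", _DRV),
    Event("reg_set", _SVC + "ImagePath", "\\??\\" + _DRV),
    Event("reg_set", _SVC + "Start", 2),
    Event("boot"),
    Event("file_read", _DRV),   # the SCM loads the driver after reboot
]
TRACE_INSTALLED_NOT_LOADED = [
    Event("file_write", _DRV),
    Event("reg_set", _SVC + "ImagePath", "\\??\\" + _DRV),
    Event("reg_set", _SVC + "Start", 2),
    Event("file_read", _DRV),   # read before the boot: not a load
    Event("boot"),
]
TRACE_BENIGN = [
    Event("file_write", "C:\\Users\\u\\AppData\\Local\\Temp\\out.txt"),
    Event("reg_set", "HKCU\\Software\\App\\LastRun", "2024-01-01"),
    Event("boot"),
]
```

Two points of the design follow from the disk-level vantage point. First, the specification is phrased over registry hive writes rather than over the CreateService API, because a disk monitor never sees API calls, only the hive and file changes they cause. Second, the order of events is what carries the meaning: the same read of the service binary is a dropper's copy if it precedes the boot event and a load if it follows it, which is why the second trace earns the install label but not the load label.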
