Forecasting Malware Capabilities From Cyber Attack Memory Images

The remediation of ongoing cyber attacks relies upon timely malware analysis, which aims to uncover malicious functionalities that have not yet executed. Unfortunately, this requires repeated context switching between different tools and incurs a high cognitive load on the analyst, slowing down the investigation and giving attackers an advantage. We present Forecast, a post-detection technique that enables incident responders to automatically predict the capabilities that malware has staged for execution. Forecast is built on a probabilistic model that discovers capabilities and weighs each one by its relative likelihood of execution (i.e., a forecast). Forecast leverages the execution context of the ongoing attack, recovered from the malware's memory image, to guide a symbolic analysis of the malware's code. We performed extensive evaluations with 6,727 real-world malware samples and with futuristic attacks designed to subvert Forecast, demonstrating its accuracy and robustness in predicting malware capabilities.
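The core idea in the abstract, guiding a symbolic exploration of the code with concrete state recovered from a memory image and weighting each reachable capability by the probability of the paths that lead to it, can be shown on a toy program. The example below is added here for illustration and is not Forecast's code or its probabilistic model: the control-flow graph, the API-to-capability mapping, the variable values "recovered" from the memory image, and the even split of probability mass across the feasible outcomes of a fully symbolic branch are all constructed assumptions for this example. Path constraints are tracked so that a branch that contradicts an earlier decision on the same variable is pruned rather than counted.

```python
"""Toy memory-guided capability forecasting (illustrative, not Forecast's model).

Assumptions made for this example (not from the paper):
  * the program is a hand-built CFG of branch / call / ret nodes;
  * MEMORY_IMAGE holds concrete values recovered from the image; any
    variable absent from it is symbolic (e.g. a C2 command not yet received);
  * a symbolic branch splits its probability evenly over its *feasible*
    successors; infeasible successors (contradicting the path constraint)
    get nothing. A real model would weight branches far more carefully.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Cond:
    """An equality/inequality test on one program variable."""
    var: str
    op: str    # "==" or "!="
    value: int

    def evaluate(self, mem: Dict[str, int]) -> Optional[bool]:
        """Concrete verdict if the memory image fixes the variable, else None."""
        if self.var not in mem:
            return None
        return (mem[self.var] == self.value) if self.op == "==" else (mem[self.var] != self.value)

    def negate(self) -> "Cond":
        return Cond(self.var, "!=" if self.op == "==" else "==", self.value)


def satisfiable(constraints: FrozenSet[Cond]) -> bool:
    """Cheap feasibility check for conjunctions of ==/!= on integers."""
    eq: Dict[str, int] = {}
    neq: Dict[str, set] = defaultdict(set)
    for c in constraints:
        if c.op == "==":
            if c.var in eq and eq[c.var] != c.value:
                return False          # x == a and x == b with a != b
            eq[c.var] = c.value
        else:
            neq[c.var].add(c.value)
    return all(eq[v] not in neq[v] for v in eq)   # x == a and x != a is infeasible


# Constructed CFG: node -> ("branch", cond, true_target, false_target)
#                         | ("call", api, next) | ("ret",)
CFG = {
    "entry":       ("branch", Cond("sandbox_detected", "==", 1), "sleep", "check_admin"),
    "sleep":       ("call", "Sleep", "exit"),                       # evasion
    "check_admin": ("branch", Cond("is_admin", "==", 1), "inject", "c2_wait"),
    "inject":      ("call", "CreateRemoteThread", "c2_wait"),       # code injection
    "c2_wait":     ("branch", Cond("c2_cmd", "==", 1), "encrypt", "exfil_check"),
    "encrypt":     ("call", "CryptEncrypt", "exit"),                # ransomware
    "exfil_check": ("branch", Cond("c2_cmd", "==", 2), "exfil", "exit"),
    "exfil":       ("call", "InternetWriteFile", "exit"),           # exfiltration
    "exit":        ("ret",),
}

# Constructed "memory image": checks that already ran left these values behind.
MEMORY_IMAGE = {"sandbox_detected": 0, "is_admin": 1}   # c2_cmd is still unknown


def forecast(cfg: dict, mem: Dict[str, int], start: str = "entry",
             max_depth: int = 50) -> Dict[str, float]:
    """Return, per API, the total probability mass of paths that reach it."""
    weights: Dict[str, float] = defaultdict(float)

    def walk(node: str, prob: float, constraints: FrozenSet[Cond], depth: int) -> None:
        if depth > max_depth or prob == 0.0:     # depth bound guards against loops
            return
        kind = cfg[node][0]
        if kind == "ret":
            return
        if kind == "call":
            _, api, nxt = cfg[node]
            weights[api] += prob                 # capability staged on this path
            walk(nxt, prob, constraints, depth + 1)
            return
        _, cond, t, f = cfg[node]
        verdict = cond.evaluate(mem)
        if verdict is not None:                  # memory image decides the branch
            walk(t if verdict else f, prob, constraints, depth + 1)
            return
        feasible: List[Tuple[str, FrozenSet[Cond]]] = []
        for taken, target in ((cond, t), (cond.negate(), f)):
            new_c = constraints | {taken}
            if satisfiable(new_c):
                feasible.append((target, new_c))
        for target, new_c in feasible:           # even split is an assumption
            walk(target, prob / len(feasible), new_c, depth + 1)

    walk(start, 1.0, frozenset(), 0)
    apis = {n[1] for n in cfg.values() if n[0] == "call"}
    return {api: weights.get(api, 0.0) for api in apis}


def ranked(weights: Dict[str, float]) -> List[Tuple[str, float]]:
    """Capabilities ordered by forecast weight, highest first."""
    return sorted(weights.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("with memory image :", ranked(forecast(CFG, MEMORY_IMAGE)))
    print("purely symbolic   :", ranked(forecast(CFG, {})))
```

Running the same graph without the memory image shows why the execution context matters: the already-resolved sandbox and privilege checks stop contributing uncertainty, so the injection capability moves from a 0.25 weight to a certainty and the remaining mass concentrates on the branches that genuinely depend on data the malware has not received yet.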
