Visualizing Compiled Executables for Malware Analysis - VizSec


Visualizing Compiled Executables for Malware Analysis

Daniel Quist and Lorie Liebrock
New Mexico Tech / Los Alamos National Laboratory

Overview
• Explanation of Problem
• Overview of Reverse Engineering Process
• Related Work
• Visualization for Reverse Engineering
• VERA Architecture
• Case Study: Mebroot
• User Study
• Contributions

Explanation of Problem
• Reverse engineering is a difficult and esoteric skill to learn
• Most new reversers struggle with understanding the overall structure of a program
• Knowing where to start is the most difficult task

Reverse Engineering Process (complexity increases with each step)
• Setup an Isolated Environment
 – VMWare, Xen, Virtual PC
 – Dedicated hardware
• Initial Analysis and Execution
 – Sysinternals, CWSandbox
 – Look for OS state changes: files, registry, network
• Deobfuscation / Software Dearmoring
 – Unpacking
 – Debuggers, Saffron, Ether
• Disassembly / Code-level Analysis
 – IDA Pro
 – OllyDbg
• Identify Relevant and Interesting Features
 – Experience based
 – Newbies have trouble with this

Addressing the Situation (the same process; complexity increases with each step)
• Setup an Isolated Environment
• Initial Analysis and Execution
• Deobfuscation / Software Dearmoring
• Disassembly / Code-level Analysis
• Identify Relevant and Interesting Features

Packing and Encryption
• Self-modifying code
 – Small decoder stub
 – Decompresses the main executable
 – Restores imports
• Play "tricks" with the executable
 – The OS loader is inherently lazy (efficient)
 – Hide the imports
 – Obscure relocations
 – Use bogus values for various unimportant fields

Normal PE File (figure)

Packed PE File (figure)

Related Work

IDA Pro - Graphing Cross-references
• Illustrates the relationship of function calls
• Magenta represents imported API calls
• Black represents module subroutines

IDA Pro - Visualization Problems (figure: Firefox initialization)
• Some graphs are useless
• Some graphs are too complex
• No indication of heavily executed portions
• Obfuscated code is gibberish

idag.exe (IDA Pro) overview (figure)

Alex Dragulescu - MyDoom Visualization (figure)
http://www.sq.ro/malwarez.php

Visualization for Reverse Engineering
• Identify major program functional areas
 – Initialization
 – Main loops
 – Communications / organizational structure
• Deobfuscation / dearmoring
 – Identify packing loops
 – Find self-modifying code
• Take "intuition" out of the reversing process

Enabling Technology: Ether
• Patches to the Xen hypervisor
• Instruments a Windows system
• Base modules available
 – Instruction tracing
 – API tracing
 – Unpacking
• "Ether: Malware Analysis via Hardware Virtualization Extensions", Dinaburg, Royal, Sharif, Lee, ACM CCS 2008

Ether System Architecture (figure)
• Ring -1: Xen hypervisor with Ether patches
• Linux Dom0 management OS: Ether management tools, VM disk image
• Guest: instrumented Windows XP SP2

Visualizing Executables for Reversing and Analysis
• OpenGL rendering of dynamic program execution
• Vertices represent addresses
• Edges represent execution from one address to another
• Thicker edges represent multiple executions
• Colors help identify the type of code

Graph Preview (figure)

VERA Architecture (figure)
• Components: Ether Analysis System, Gengraph, OGDF, OpenGL, VERA
• OGDF (Open Graph Drawing Framework)
 – Handles all layout and arrangement of the graphs
 – Similar to Graphviz
 – Works with large datasets

Vertices (Addresses)
• Basic blocks
 – Fundamental small grouping of code
 – Reduces data size
 – Useful for large commercial programs
• Instructions
 – Useful for small programs
 – Greater aesthetic value
 – Larger datasets can produce useless graphs

Edges (Transitions)
• Transitions between addresses
• Thicker lines represent more executions
 – Easy identification of loops
 – Find heavy concentrations of execution
• Multiple edges from a node represent a decision point
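The graph model on the previous slides (vertices are addresses, edges are observed transitions, thicker edges are repeated executions, a node with several outgoing edges is a decision point, loops are the heavy cycles) is easy to state in code. The following is an added example written for this page and is not VERA's code: it takes a dynamic address trace of the kind Ether's instruction tracer produces, counts transitions, and reports hot edges, decision points and loop back edges. The trace itself is constructed, not captured from a real sample.

```python
"""Build a VERA-style execution graph from a dynamic address trace.

Added example, not VERA project code. Vertices are executed addresses,
edge weight is how many times a transition was observed (the "thicker
edges" on the slide), a decision point is a vertex with more than one
successor, and a loop is a back edge found by depth-first search.
"""
from collections import defaultdict

# Constructed trace (not from a real sample): an unpacking stub that loops
# five times over 0x401010/0x401020, jumps to the OEP at 0x401030, then a
# short main loop at 0x402000/0x402010 before reaching 0x402020.
SAMPLE_TRACE = (
    [0x401000]
    + [0x401010, 0x401020] * 5
    + [0x401030, 0x402000, 0x402010, 0x402000, 0x402010, 0x402020]
)


def build_graph(trace):
    """Return (edge_counts, successors) for a sequence of executed addresses."""
    edges = defaultdict(int)
    succ = defaultdict(set)
    for src, dst in zip(trace, trace[1:]):
        edges[(src, dst)] += 1
        succ[src].add(dst)
    return dict(edges), {k: sorted(v) for k, v in succ.items()}


def decision_points(succ):
    """Vertices with more than one observed successor (conditional branches)."""
    return sorted(a for a, s in succ.items() if len(s) > 1)


def hot_edges(edges, threshold):
    """Edges executed at least `threshold` times: the heavy strokes in the graph."""
    return sorted((e, n) for e, n in edges.items() if n >= threshold)


def find_loops(succ, entry):
    """Back edges reachable from `entry` (iterative DFS); each closes a loop."""
    WHITE, GREY, BLACK = 0, 1, 2
    color = defaultdict(int)  # every vertex starts WHITE
    back_edges = []
    color[entry] = GREY
    stack = [(entry, iter(succ.get(entry, [])))]
    while stack:
        node, it = stack[-1]
        nxt = next(it, None)
        if nxt is None:
            color[node] = BLACK
            stack.pop()
        elif color[nxt] == GREY:
            back_edges.append((node, nxt))  # edge to an ancestor on the DFS path
        elif color[nxt] == WHITE:
            color[nxt] = GREY
            stack.append((nxt, iter(succ.get(nxt, []))))
    return sorted(back_edges)


if __name__ == "__main__":
    edges, succ = build_graph(SAMPLE_TRACE)
    print("hot edges:", [(hex(a), hex(b), n) for (a, b), n in hot_edges(edges, 4)])
    print("decision points:", [hex(a) for a in decision_points(succ)])
    print("loop back edges:", [(hex(a), hex(b)) for a, b in find_loops(succ, SAMPLE_TRACE[0])])
```

Run on a real Ether instruction trace, the same three queries pick out the packer loop (heaviest cycle before the OEP) and the main loop without any disassembly; collapsing addresses to basic blocks before calling build_graph is the data-reduction step the Vertices slide recommends for large programs.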

Colors
• Yellow: normal, uncompressed low-entropy section data
• Dark Green: section not present in the packed version
• Light Purple: SizeOfRawData = 0
• Dark Red: high entropy
• Light Red: instructions not in the packed exe
• Lime Green: operands don't match
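Three of the colour classes above (low-entropy normal data, SizeOfRawData = 0, high entropy) come straight from the PE section table described on the Packing and Encryption slides. The following is an added example written for this page, not VERA's own code: it parses a PE section table with only the Python standard library, computes Shannon entropy per section, and labels each section the way the legend does. The 7.0-bit threshold for "high entropy" and the UPX-style sample image are assumptions constructed for the example, not values from the slides.

```python
"""Classify PE sections the way the VERA colour legend does.

Added example, not VERA project code. Parses the section table of a PE
image, measures Shannon entropy of each section's raw bytes and reports
the packer indicators from the slides: SizeOfRawData == 0 (light purple),
high entropy (dark red) and normal low-entropy data (yellow).
"""
import math
import random
import struct

HIGH_ENTROPY_BITS = 7.0  # assumed threshold (max is 8.0); tune per corpus


def shannon_entropy(data):
    """Entropy in bits per byte of `data`; 0.0 for an empty buffer."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image):
    """Yield (name, VirtualAddress, SizeOfRawData, raw_bytes) per section header."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_opt = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_opt                          # first IMAGE_SECTION_HEADER
    for i in range(num_sections):
        name, _vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, table + 40 * i)
        yield (name.rstrip(b"\0").decode("ascii", "replace"),
               vaddr, raw_size, image[raw_ptr:raw_ptr + raw_size])


def classify_sections(image):
    """Return (name, vaddr, SizeOfRawData, entropy, label) for every section."""
    rows = []
    for name, vaddr, raw_size, raw in parse_sections(image):
        ent = round(shannon_entropy(raw), 2)
        if raw_size == 0:
            label = "no raw data (SizeOfRawData = 0, filled at runtime)"  # light purple
        elif ent >= HIGH_ENTROPY_BITS:
            label = "high entropy (packed or encrypted)"                 # dark red
        else:
            label = "low entropy (normal section data)"                  # yellow
        rows.append((name, hex(vaddr), raw_size, ent, label))
    return rows


def build_sample_image():
    """Constructed minimal PE image (not a real binary) with a UPX-like layout."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x102)  # i386, 3 sections
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic only

    def hdr(name, vsize, vaddr, raw_size, raw_ptr):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, raw_size,
                           raw_ptr, 0, 0, 0, 0, 0x60000020)

    headers = (hdr(b"UPX0", 0x1000, 0x1000, 0, 0x200)        # unpacked at runtime
               + hdr(b"UPX1", 0x400, 0x2000, 0x400, 0x200)  # compressed payload
               + hdr(b".data", 0x200, 0x3000, 0x200, 0x600))  # plain data
    rng = random.Random(1)  # seeded stand-in for compressed bytes
    packed = bytes(rng.getrandbits(8) for _ in range(0x400))
    plain = b"\0" * 0x100 + b"A" * 0x100                      # exactly 1.0 bit/byte
    head = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + headers).ljust(0x200, b"\0")
    return head + packed + plain


if __name__ == "__main__":
    for row in classify_sections(build_sample_image()):
        print(row)
```

Pointing parse_sections at a real file (open(path, "rb").read()) gives the same per-section view; a section whose SizeOfRawData is 0 but whose VirtualSize is large, next to a single high-entropy section, is the static signature of the decoder-stub layout the Packing and Encryption slide describes, and the place VERA's trace will later show the unpacking loop writing into.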

Example graphs (figures)
• Netbull Virus (not packed)
• Netbull zoomed view
• UPX
• UPX - OEP
• ASPack
• FSG
• MEW

Case Study: Mebroot
• Took the latest Mebroot sample from the Offensive Computing collection
• Analyzed inside of VERA
• Seemed to be idling for long periods of time
• Actually executed based on network traffic
• Hybrid user mode / kernel malware

Mebroot - Initial Busy Loop (figure)
• Initial analysis shows the decoder for the driver
• Sits for 30 minutes waiting for us to get bored
• Then moves on to the rest of the program

Mebroot - After Busy Loop (figure)

Mebroot - Entire View (figure)
• Main unpacking loop
• 30 minute busy loop
• Initialization
• Kernel code insertion

User Study
• Students had just completed a week-long reverse engineering course
• Analyzed two packed samples of the Netbull virus, packed with UPX and MEW
• Asked to perform a series of tasks based on the typical reverse engineering process
• Asked about the efficacy of the visualization tool

User Study: Tasks Performed
• Find the original entry point (OEP) of the packed samples
• Execute the program to look for any identifying output
• Identify portions of the executable:
 – Packer code
 – Initialization
 – Main loops

Results of User Study

Selected Comments
• "Wonderful way to visualize analysis and to better focus on areas of interest"
• "Fantastic tool. This has the potential to significantly reduce analysis time."
• "It rocks. Release ASAP."

Recommendations for Improvement
• Need a better way to identify the beginning and end of loops
• Many loops overlap and become convoluted
• Be able to enter a memory address and see the basic blocks that match

Future Work
• General GUI / bug fixes
• Highlight the temporal nature of execution
• Memory access visualization
• System call integration
• Function boundaries
• Interactivity with the unpacking process

Conclusion
• The overall process for analyzing and reverse engineering malware is shortened
• Program phases are readily identified
• Integration with existing tools
• A preliminary user study shows the tool holds promise for speeding up reverse engineering

Questions?
• Source, tools, and the latest slides can be found at: http://www.offensivecomputing.net
• If you use the tool, please give feedback
• Contact info: [email protected]