Malware Deception with Automatic Analysis and Generation of HoneyResource
Malware often contains many system-resource-sensitive condition checks, for example to avoid infecting the same host twice, to make sure the resources it requires are available, or to infect only targeted computers. If we are able to extract these system resource constraints from malware binary code and manipulate the environment state accordingly (a HoneyResource), we can deceive malware for defensive purposes, e.g., immunize a computer against infection or trick malware into believing something about its environment. Towards this end, this chapter introduces our preliminary systematic study and a prototype system, AutoVac, for automatically extracting system resource constraints from malware code and generating HoneyResources (e.g., malware vaccines) based on these system resource conditions.
Keywords: Malware analysis; Malware immunization; Malware deception
An early version of this chapter appeared in ICDCS’13. This research is partially supported by NSF (Grant No. CNS-0954096), AFOSR (Grant No. FA9550-13-1-0077), and DARPA (Grant No. 12011593). All opinions, findings, and conclusions or recommendations expressed herein are those of the authors and do not necessarily reflect the views of NSF, AFOSR, or DARPA.
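To make the vaccine idea concrete, the following added example (not code from the chapter or from the AutoVac prototype) models a set of resource constraints recovered from a sample and derives a vaccine from them: each constraint records which environment state the sample requires before it continues, and the vaccine chooses benign changes (creating placeholder resources only, never removing something the host needs) that make at least one check fail. All resource names and the `Constraint`/`Environment` types are constructed for the illustration.

```python
"""Model of vaccine generation from extracted system resource constraints.

A Constraint captures one check a sample performs before continuing
(e.g. "infection-marker mutex must NOT exist"). A vaccine is a list of
benign environment changes that make at least one check fail, so the
sample takes its abort branch. Names are constructed placeholders.
"""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

@dataclass(frozen=True)
class Constraint:
    kind: str          # "mutex", "file" or "registry"
    name: str          # resource identifier recovered from the check
    must_exist: bool   # state under which the sample continues infecting

@dataclass
class Environment:
    present: Set[Tuple[str, str]] = field(default_factory=set)

    def has(self, c: Constraint) -> bool:
        return (c.kind, c.name) in self.present

def would_infect(constraints: List[Constraint], env: Environment) -> bool:
    """True if every extracted check passes, i.e. the sample proceeds."""
    return all(env.has(c) == c.must_exist for c in constraints)

def generate_vaccine(constraints: List[Constraint]) -> List[Tuple[str, str, str]]:
    """Choose changes that break a check without harming the host.
    Creating a placeholder is safe; removing a resource the sample needs
    (e.g. a system library) may break legitimate software, so only
    'create' actions are emitted for checks of the form 'must not exist'."""
    return [("create", c.kind, c.name) for c in constraints if not c.must_exist]

def apply_vaccine(env: Environment, actions) -> Environment:
    for op, kind, name in actions:
        if op == "create":
            env.present.add((kind, name))
    return env

# Constructed example: two checks recovered from a hypothetical sample.
SAMPLE_CONSTRAINTS = [
    Constraint("mutex", "Global\\constructed_infection_marker", must_exist=False),
    Constraint("file", "C:\\constructed\\required_runtime.dll", must_exist=True),
]

def demo() -> Tuple[bool, bool]:
    """Returns (infects before vaccine, infects after vaccine)."""
    clean = Environment({("file", "C:\\constructed\\required_runtime.dll")})
    before = would_infect(SAMPLE_CONSTRAINTS, clean)
    vaccinated = apply_vaccine(clean, generate_vaccine(SAMPLE_CONSTRAINTS))
    after = would_infect(SAMPLE_CONSTRAINTS, vaccinated)
    return before, after

if __name__ == "__main__":
    print(demo())
```

A constraint of the form "resource must exist" yields no action here; deciding whether such a resource can safely be removed requires the kind of host-impact analysis the chapter discusses, not a blanket rule.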
- 1. Anubis: Analyzing Unknown Binaries. https://seclab.cs.ucsb.edu/academic/projects/projects/anubis/.
- 2. DynamoRIO. http://dynamorio.org/.
- 3. malc0de. http://malc0de.com/database/.
- 5. VirusTotal. https://www.virustotal.com/.
- 6. Zeus Trojan horse. http://en.wikipedia.org/wiki/Zeus_(Trojan_horse).
- 7. T. Avgerinos, E. Schwartz, and D. Brumley. All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). In Proc. of IEEE S&P 2010.
- 8. A. Zeller. Isolating cause-effect chains from computer programs. In Proc. of the 10th ACM SIGSOFT Symposium on Foundations of Software Engineering, 2002.
- 9. U. Bayer, P. Milani, C. Hlauschek, C. Kruegel, and E. Kirda. Scalable, behavior-based malware clustering. In Proc. of NDSS’09, 2009.
- 10. D. Brumley, I. Jager, T. Avgerinos, and E. J. Schwartz. BAP: A binary analysis platform. In Proceedings of Computer Aided Verification (CAV), July 2011.
- 11. J. Caballero, P. Poosankam, C. Kreibich, and D. Song. Dispatcher: Enabling active botnet infiltration using automatic protocol reverse-engineering. In Proc. of ACM CCS’09, 2009.
- 12. D. Canali, A. Lanzi, D. Balzarotti, C. Kruegel, M. Christodorescu, and E. Kirda. A quantitative study of accuracy in system call-based malware detection. In Proc. of the International Symposium on Software Testing and Analysis, 2012.
- 13. L. Cavallaro, P. Saxena, and R. Sekar. On the limits of information flow techniques for malware analysis and containment. In DIMVA 2008.
- 14. M. Costa, J. Crowcroft, M. Castro, A. Rowstron, L. Zhou, L. Zhang, and P. Barham. Vigilante: End-to-end containment of internet worms. In Proc. of SOSP’05, pages 133–147, Brighton, United Kingdom, 2005.
- 15. M. Fredrikson, J. Somesh, M. Christodorescu, R. Sailer, and X. Yan. Synthesizing near-optimal malware specifications from suspicious behaviors. In Proc. of the 2010 IEEE Symposium on Security and Privacy, 2010.
- 16. S. T. King and P. M. Chen. Backtracking intrusions. In Proceedings of the ACM Symposium on Operating Systems Principles, October 2003.
- 17. C. Kolbitsch, P. Milani Comparetti, C. Kruegel, E. Kirda, X. Zhou, and X. Wang. Effective and efficient malware detection at the end host. In Proc. of USENIX Security’09, 2009.
- 18. C. Kolbitsch, T. Holz, C. Kruegel, and E. Kirda. Inspector Gadget: Automated extraction of proprietary gadgets from malware binaries. In Proc. of IEEE S&P’10, 2010.
- 19. J. Z. Kolter and M. A. Maloof. Learning to detect and classify malicious executables in the wild. J. Mach. Learn. Res., 7:2721–2744, December 2006.
- 20. A. Lanzi, D. Balzarotti, C. Kruegel, M. Christodorescu, and E. Kirda. AccessMiner: Using system-centric models for malware protection. In Proc. of the 17th ACM CCS, 2010.
- 21. Z. Lin, X. Zhang, and D. Xu. Automatic reverse engineering of data structures from binary execution. In Proceedings of the 17th Annual Network and Distributed System Security Symposium (NDSS’10), San Diego, CA, February 2010.
- 22. L. Martignoni, E. Stinson, M. Fredrikson, S. Jha, and J. C. Mitchell. A layered architecture for detecting malicious behaviors. In RAID 2008.
- 23. A. Moser, C. Kruegel, and E. Kirda. Exploring multiple execution paths for malware analysis. In Proc. of IEEE S&P’07, 2007.
- 24. M. Sharif, A. Lanzi, J. Giffin, and W. Lee. Impeding malware analysis using conditional code obfuscation. In Proc. of NDSS’08, 2008.
- 25. N. Johnson, J. Caballero, Z. Chen, S. McCamant, P. Poosankam, D. Reynaud, and D. Song. Differential slicing: Identifying causal execution differences for security applications. In Proceedings of the 2011 IEEE Symposium on Security and Privacy, 2011.
- 26. P. Porras, H. Saidi, and V. Yegneswaran. An analysis of Conficker’s logic and rendezvous points. http://mtc.sri.com/Conficker/, 2009.
- 27. I. Trestian, S. Ranjan, A. Kuzmanovic, and A. Nucci. Unconstrained endpoint profiling (Googling the Internet). In ACM SIGCOMM’08.
- 28. A. Wichmann and E. Gerhards-Padilla. Using infection markers as a vaccine against malware attacks. In Proc. of the 2nd Workshop on Security of Systems and Software Resiliency, 2012.
- 29. J. Wilhelm and T. Chiueh. A forced sampled execution approach to kernel rootkit identification. In Proc. of RAID’07, 2007.
- 30. H. Xin, C. Tzi-cker, and S. Kang G. Large-scale malware indexing using function-call graphs. In Proc. of ACM CCS’09, 2009.
- 31. Z. Xu, J. Zhang, G. Gu, and Z. Lin. AutoVac: Towards automatically extracting system resource constraints and generating vaccines for malware immunization. In Proceedings of the 33rd International Conference on Distributed Computing Systems (ICDCS’13), Philadelphia, July 2013.
- 32. X. Wang, Z. Li, J. Xu, M. Reiter, C. Kil, and J. Choi. Packet vaccine: Black-box exploit detection and signature generation. In Proc. of ACM CCS’06, 2006.