Polymorphic and Metamorphic Malware
Polymorphic & Metamorphic Malware
WetStone, A Division of Allen Corporation
Chet Hosmer, Chief Scientist
Copyright 2007-2008 WetStone Technologies, Inc. ALL RIGHTS RESERVED

Malware Impact
[Figure: malware impact diagram. Source: NY Times and Washington Post]

Metamorphic / Polymorphic Malware: Fundamental Principles
- Malware must be defined semantically, as the very same virus, worm, bot, key logger, etc. is likely to exist in different physical forms.
- The techniques of polymorphism and metamorphism change the form of each instance of the software in order to evade "pattern matching" detection during the detection and investigative process.

Overview and Definitions: Polymorphic Malware
- Polymorphism loosely means "change the appearance of".
- Mutation engines are bundled with the virus, worm or other self-propagating code.
- Common methods include: encryption; data appending / data pre-pending.

Polymorphic Malware: Limitations
- The decrypted code is essentially the same in each case, thus memory-based signature detection is possible.
- Block hashing can be effective in identifying memory-based remnants.

Memory Block Hashing (file)
FILE1 is split into Block 1, Block 2, ..., Block n. Each block is passed through a one-way cryptographic hash function, giving one hash per block (the slide shows values such as AB-9E-27-46-2F, 86-91-02-8C-B1, F2-43-56-A4-22 and E2-40-31-9A-8A, with the same values recurring for repeated blocks).

Memory Block Hashing (memory snapshot)
A memory snapshot of the running code is split into Block 1, Block 2, ..., Block n and passed through the same one-way cryptographic hash function. Block hashes that recur between the file and the snapshot (e.g. AB-9E-27-46-2F, 86-91-02-8C-B1) identify the decrypted code in memory.
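The two hashing slides above and the "Limitations" point before them can be made concrete with a small script. This is an added example, not code from the WetStone deck or from WetStone's product: a toy single-byte XOR "mutation engine" stands in for a real polymorphic packer, the payload bytes, keys, block size and surrounding noise are all constructed for the demo, and SHA-256 is used as the one-way hash. It shows that whole-file hashes of two generations differ, that a fixed-grid block hash of the encrypted file finds nothing, that the same grid over the decrypted memory image matches every block, and, as a caveat the slides do not cover, that a fixed grid misses a body that does not start on a block boundary, which a stride-1 sliding window recovers.

```python
"""Added example, not code from the WetStone deck: why block hashing a
memory snapshot catches polymorphic code that whole-file hashing misses.

A toy "mutation engine" wraps one fixed payload in a fresh single-byte
XOR key on every generation, so every on-disk copy differs.  Once the
decryptor stub has run, the in-memory bytes are identical again and a
list of known-bad block hashes matches.  The payload, keys, block size
and noise bytes are all constructed for the demo, not taken from malware.
"""
import hashlib

BLOCK_SIZE = 16  # bytes per hashed block (assumed for the demo)

# Constructed stand-in for the invariant malicious body (42 bytes).
PAYLOAD = (b"\x55\x48\x89\xe5\x48\x83\xec\x20\xe8\x00\x00\x00\x00\x5b\x48\x8d"
           b"\x35\x10\x00\x00\x00\x31\xc0\xff\xd0\xc9\xc3"
           b"evil-config-v1\x00")


def mutate(payload: bytes, key: int) -> bytes:
    """One polymorphic generation: XOR 'encryption' under a per-copy key,
    with the key pre-pended as the decryptor's data (data pre-pending)."""
    return bytes([key]) + bytes(b ^ key for b in payload)


def decrypt(sample: bytes) -> bytes:
    """What the stub does at run time; the result is the in-memory image."""
    key = sample[0]
    return bytes(b ^ key for b in sample[1:])


def block_hashes(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """SHA-256 of each fixed-size block; a short final block is hashed as-is."""
    return [hashlib.sha256(data[i:i + block_size]).hexdigest()
            for i in range(0, len(data), block_size)]


def grid_matches(image: bytes, known: set, block_size: int = BLOCK_SIZE) -> list:
    """Block indices (fixed grid) whose hash is in the known-bad set."""
    return [i for i, h in enumerate(block_hashes(image, block_size)) if h in known]


def sliding_matches(image: bytes, known: set, block_size: int = BLOCK_SIZE) -> list:
    """Byte offsets whose block_size-byte window hashes to a known-bad value.
    Stride 1 finds code that does not start on a block boundary, at the
    cost of one hash per byte of snapshot."""
    return [off for off in range(len(image) - block_size + 1)
            if hashlib.sha256(image[off:off + block_size]).hexdigest() in known]


def demo() -> dict:
    known_bad = set(block_hashes(PAYLOAD))       # built from a reference sample
    gen_a, gen_b = mutate(PAYLOAD, 0x5A), mutate(PAYLOAD, 0xC3)
    mem_a, mem_b = decrypt(gen_a), decrypt(gen_b)
    # A snapshot where the decrypted body does not start on a block boundary.
    noise = b"\xcc" * 5                           # constructed surrounding bytes
    snapshot = noise + mem_a + noise
    return {
        "file_hashes_differ": hashlib.sha256(gen_a).digest() != hashlib.sha256(gen_b).digest(),
        "memory_images_equal": mem_a == mem_b,
        "disk_grid_hits": grid_matches(gen_a, known_bad),           # [] (still encrypted)
        "memory_grid_hits": grid_matches(mem_a, known_bad),         # [0, 1, 2]
        "misaligned_grid_hits": grid_matches(snapshot, known_bad),  # [] (grid misses it)
        "sliding_hits": sliding_matches(snapshot, known_bad),       # [5, 21]
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The alignment point is the one to remember when applying this to real snapshots: a known-bad block list built from a file on disk only lines up with memory if blocks are taken from the same base (a section or page boundary, or an allocation base recovered from the process heap), otherwise a sliding window or a rolling hash is needed.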
Overview and Definitions: Metamorphic Malware
- Metamorphic malware "automatically recodes itself each time it propagates or is distributed".
- Simple techniques include: adding varying lengths of NOP instructions; permuting the use of registers; adding useless instructions and loops within the code segments.
- Advanced techniques include: reordering structures; inserting unused data types; function reordering; program flow modification; static data structure modification.

Metamorphic Structure
- Morphing engine: 80% of the code
- Actual malicious code: 20%

Morphing Engine Components
- Disassembler
- Permutor
- Randomizing Inserter (code & data)
- Code Compressor
- Assembler

Metamorphic Malware: Limitations
- Code semantics
- Behavior
- Identification of the morphing engine
- Automated code identification and analysis of memory snapshots, or analysis of swap space remnants

Summary
Threat:
- Polymorphic and metamorphic malware are evolving.
- Discovery, in real time or postmortem, is difficult.
- Limited resources are being applied.
Impact on Law Enforcement:
- Incident response is slow.
- Determining the source of attacks is difficult.
- Prosecuting those involved is elusive.

Solution Development
[Two figure-only slides; no recoverable text.]

Next Steps / Opportunity
Technology Status:
- Alpha-based technology is being validated at WetStone Labs.
- Beta technology is scheduled for August 2008 availability.
- We are actively seeking state and local law enforcement evaluators.
Resulting Technology:
- Will be provided free to state and local law enforcement through NIJ upon project completion.
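The metamorphic slides above (simple techniques, morphing engine components, and the "Limitations" list) can be illustrated end to end with a toy engine. This is an added example, not code from the WetStone deck or from any real morphing engine: it defines a made-up 4-register, 8-bit instruction set and encoding, a constructed six-instruction program, and a morph step built from the components the slides name (disassembler, permutor, randomizing inserter, assembler; the code compressor is omitted). It generates three variants by NOP insertion, register permutation and useless-instruction insertion, then shows why a byte signature of one generation never matches the next, while two of the invariants the "Limitations" slide points at, behavior (the value the program leaves in r0) and code semantics (a canonical form with junk stripped and registers renumbered by first use), are the same in every generation. The assumption that r0 is the result register and therefore never renamed stands in for a real engine preserving its calling convention.

```python
"""Added example, not code from the WetStone deck: a toy metamorphic
engine (disassembler -> permutor -> randomizing inserter -> assembler)
for a constructed register machine, plus the two invariants a detector
can fall back on: run-time behavior and a canonicalised instruction stream.
"""
import random

# Constructed ISA: 4 registers (r0..r3), 8-bit values, opcode byte followed
# by the operands listed in OPERANDS ("r" = register, "i" = immediate).
OPCODE = {"nop": 0x00, "movi": 0x01, "addi": 0x02, "add": 0x03, "xor": 0x04, "mov": 0x05}
NAME = {v: k for k, v in OPCODE.items()}
OPERANDS = {"nop": (), "movi": ("r", "i"), "addi": ("r", "i"),
            "add": ("r", "r"), "xor": ("r", "r"), "mov": ("r", "r")}

# Constructed sample program: r0 = (5 + 7) ^ 3 = 15.  r0 is assumed to be the
# result register, so the permutor leaves it alone (calling convention).
ORIGINAL = bytes([
    OPCODE["movi"], 1, 5,     # r1 = 5
    OPCODE["movi"], 2, 7,     # r2 = 7
    OPCODE["add"], 1, 2,      # r1 = r1 + r2
    OPCODE["movi"], 3, 3,     # r3 = 3
    OPCODE["xor"], 1, 3,      # r1 = r1 ^ r3
    OPCODE["mov"], 0, 1,      # r0 = r1
])


def disassemble(code: bytes) -> list:
    """Bytes -> list of (mnemonic, operand...) tuples."""
    ins, pc = [], 0
    while pc < len(code):
        name = NAME[code[pc]]
        n = len(OPERANDS[name])
        ins.append((name, *code[pc + 1:pc + 1 + n]))
        pc += 1 + n
    return ins


def assemble(ins: list) -> bytes:
    """Inverse of disassemble."""
    return bytes(b for i in ins for b in (OPCODE[i[0]], *i[1:]))


def run(code: bytes) -> list:
    """Tiny interpreter; returns the final register file."""
    regs = [0] * 4
    for i in disassemble(code):
        if i[0] == "movi":
            regs[i[1]] = i[2]
        elif i[0] == "addi":
            regs[i[1]] = (regs[i[1]] + i[2]) & 0xFF
        elif i[0] == "add":
            regs[i[1]] = (regs[i[1]] + regs[i[2]]) & 0xFF
        elif i[0] == "xor":
            regs[i[1]] ^= regs[i[2]]
        elif i[0] == "mov":
            regs[i[1]] = regs[i[2]]
    return regs


# Junk the inserter may emit: a NOP, an add of zero, or a self-move.
JUNK = (lambda r: ("nop",), lambda r: ("addi", r, 0), lambda r: ("mov", r, r))


def morph(code: bytes, seed: int) -> bytes:
    """One metamorphic generation, deterministic for a given seed."""
    rng = random.Random(seed)
    ins = disassemble(code)                                   # disassembler
    perm = [1, 2, 3]
    rng.shuffle(perm)                                         # scratch registers only
    rmap = {0: 0, 1: perm[0], 2: perm[1], 3: perm[2]}

    def rename(i):
        return (i[0],) + tuple(rmap[v] if k == "r" else v
                               for k, v in zip(OPERANDS[i[0]], i[1:]))

    out = []
    for i in map(rename, ins):                                # permutor
        for _ in range(rng.randint(1, 2)):                    # randomizing inserter
            out.append(rng.choice(JUNK)(rng.randrange(4)))
        out.append(i)
    return assemble(out)                                      # assembler


def canonicalize(code: bytes) -> tuple:
    """Strip semantically neutral instructions and renumber registers by
    first use, so every generation of the same program compares equal."""
    out, names = [], {}
    for i in disassemble(code):
        if i[0] == "nop" or (i[0] == "addi" and i[2] == 0) or (i[0] == "mov" and i[1] == i[2]):
            continue
        ops = [names.setdefault(v, len(names)) if k == "r" else v
               for k, v in zip(OPERANDS[i[0]], i[1:])]
        out.append((i[0], *ops))
    return tuple(out)


def demo(seeds=(1, 2, 3)) -> dict:
    gens = [morph(ORIGINAL, s) for s in seeds]
    return {
        "signature_hits": sum(ORIGINAL in g for g in gens),          # 0
        "lengths": [len(ORIGINAL)] + [len(g) for g in gens],
        "results": {run(ORIGINAL)[0]} | {run(g)[0] for g in gens},    # {15}
        "canonical_forms": {canonicalize(ORIGINAL)} | {canonicalize(g) for g in gens},  # 1 form
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The canonicaliser only undoes the three transformations this toy engine applies; an engine that also reorders functions or rewrites control flow (the "advanced techniques" on the slide) defeats it, which is why the deck's remaining options are behavioral analysis, emulation of the code to recover its semantics, and recognising the morphing engine itself, which is the roughly 80% of each sample that does not change in function.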