Automatic Generation of Remediation Procedures for Malware

Transcription

Automatic Generation of Remediation
Procedures for Malware Infections
Roberto Paleari, Lorenzo Martignoni, Emanuele Passerini,
Drew Davidson, Matt Fredrikson, Jon Giffin, Somesh Jha
Università degli Studi di Milano, Università degli Studi di Udine,
University of Wisconisn, Georgia Institute of Technology
19th USENIX Security Symposium
Remediation of a system infected by a malware
R. Paleari et al.
Automatic Generation of Remediation Procedures for Malware Infections
2
Why not just blocking the malware before the infection?
AV not installed
Signatures not up-to-date
Signatures not available
R. Paleari et al.
2
AV not installed
To reinstall the system or to remediate the infection?
R. Paleari et al.
2
AV not installed
To reinstall the system or to remediate the infection?
R. Paleari et al.
2
A sample malware
1. Generates random file and key names
file = "po" + rand() + rand() + rand() + ".exe"
key = rand() % 2 ? "qv" : "vq"
2. Drop malicious exe
c:\windows\ + file
3. Start the new exe at boot
KEY LOCAL MACHINE + ...\Windows\CurrentVersion\Run\ +
key, file
4. Infect system dll
user32.dll
5. Hijack network traffic
c:\windows\system32\drivers\etc\hosts,
www.google.com, www.citibank.com
6. Delete main exe
R. Paleari et al.
3
Sound and complete remediation of malware infection
key = rand() % 2 ? "qv" : "vq"
Remove malicious exe
c:\windows\ + file
Remove registry key
key, file
Restore original dll
user32.dll
Remove malicious mappings
6. Delete main exe
R. Paleari et al.
4
Hardness of sound and complete remediation
The code of
is typically obfuscated and an analysis of the
potential behaviors is very difficult
The behavior of
is typically non-deterministic
No clue on the state of the system before the infection because
remediation is performed a posteriori
R. Paleari et al.
5
Hardness of sound and complete remediation
key = rand() % 2 ? "qv" : "vq"
Guess file name
c:\windows\ + file
Guess file name and key
key, file
Guess proper dll to recover
user32.dll
Guess original mappings
6. Delete main exe
R. Paleari et al.
5
Are AVs good at remediating malware infections?
R. Paleari et al.
6
Are AVs good at remediating malware infections?
More or less . . .
[Passerini et al., DIMVA 2008]
R. Paleari et al.
6
Seeking sound and complete remediation
R. Paleari et al.
7
s1
R. Paleari et al.
7
Create
c:\windows\powxv.exe
s1
R. Paleari et al.
s10
7
Create
s1
s10
s100
Given s10 , and without knowing s1 , our goal is to obtain s100 by
reverting all and only the modifications caused by
R. Paleari et al.
7
Create
s1
s10
s100
s20
s200
Create
c:\windows\pozwk.exe
s2
The approach must work for any si ∈ S
(c:\windows\po*.exe)
R. Paleari et al.
7
Create
s1
s10
s100
s30
s300
s20
s200
Create
c:\windows\pooig.exe
s3
Create
c:\windows\pozwk.exe
s2
The approach must work for any si ∈ S
(c:\windows\po*.exe)
R. Paleari et al.
7
Our approach for sound and complete remediation
1. Construct R: the infection relation of
2. Construct R−1 : the remediation procedure for
3. Run R−1 on the infected system
R. Paleari et al.
8
Construction based on dynamic analysis
Over-approximation of the behaviors observed
R. Paleari et al.
8
Reverts all possible effects of the infection
R. Paleari et al.
8
Reverts all possible effects of the infection
Constraint-based detection of system resources affected by
Deletes resources created during the infection
Restores resources modified during the infection
Creates resources removed during the infection
R. Paleari et al.
8
C1
C2
C1
S3
S2
S1
S4
C2
C3
Remediation
procedure
generation
C3
Cluster
generalization
Behavior
monitoring
B1
High-level
behavior
analysis
R. Paleari et al.
B2
B3
Behavior
clustering
B4
9
R
C1
C2
C1
S3
S2
S1
S4
C2
C3
Remediation
procedure
generation
C3
Cluster
generalization
Behavior
monitoring
B1
High-level
behavior
analysis
R. Paleari et al.
B2
B3
Behavior
clustering
B4
9
C1
C2
C1
S3
S2
S1
S4
C2
C3
Remediation
procedure
generation
C3
Cluster
generalization
Behavior
monitoring
B1
High-level
behavior
analysis
R. Paleari et al.
B2
B3
B4
Behavior
clustering
R−1
9
High-level behavior extraction
C1
C2
C1
S3
S2
S1
S4
C2
C3
Remediation
procedure
generation
C3
Cluster
generalization
Behavior
monitoring
B1
High-level
behavior
analysis
R. Paleari et al.
B2
B3
Behavior
clustering
B4
10
Behaviors of interest
Creation/infection/deletion of files and registry keys
Drop and execute/auto-start
R. Paleari et al.
11
The malware is run in multiple VMs with different configurations
(to exercise the largest set of program paths and behaviors)
R. Paleari et al.
11
S 1 = s1 , . . . , sn
S 2 = s1 , . . . , sn
S 3 = s1 , . . . , sn
S 4 = s1 , . . . , sn
S 5 = s1 , . . . , sn
System calls and arguments are traced
(using VM introspection)
R. Paleari et al.
11
S 1 = s1 , . . . , sn
B 1 = b1 , . . . , bk
S 2 = s1 , . . . , sn
B 2 = b1 , . . . , bk
S 3 = s1 , . . . , sn
B 3 = b1 , . . . , bk
S 4 = s1 , . . . , sn
B 4 = b1 , . . . , bk
S 5 = s1 , . . . , sn
B 5 = b1 , . . . , bk
High-level behaviors and the corresponding system’s state
transitions are extracted from the trace
[Martignoni et al., RAID 2008]
R. Paleari et al.
11
Behavior summary
DropAndAutostart(”c:\. . . \powxv.exe”, data, ”. . . \Run\vq”, ”powxv.exe”)
FileCreation(”. . . \powxv.exe”, data)
RegistryCreation(”. . . \Run\vq”, ”powxv.exe”)
FileDeletion(”c:\malware.exe”)
FileInfection(”. . . \etc\hosts”, ”67.42. . . ”, data)
Behavior graph
DropAndAutostart
FileCreation
RegistryCreation
s2
s1
s3
s4
R. Paleari et al.
FileDeletion
s13
s11
s41
s14
12
Behavior generalization
C1
C2
C1
S3
S2
S1
S4
C2
C3
Remediation
procedure
generation
C3
Cluster
generalization
Behavior
monitoring
B1
High-level
behavior
analysis
R. Paleari et al.
B2
B3
Behavior
clustering
B4
13
Behavior clustering
Behavior clustering identifies elements of distinct traces
{B 1 , . . . , B m } that correspond to the same malicious activity
An admissible clustering for a given set of traces is a set of
behavior sets {C1 , C2 , . . . , Cn } that satisfies two conditions:
1. All behaviors in a given cluster Ci have the same type
2. The clustering partitions the set of all events in every execution
trace (no behavior is in more than one cluster, and each behavior
is in some cluster)
R. Paleari et al.
14
Behavior clustering
Clustering performed on behavior graphs (non-determinism in a
malicious program typically affects the summary of the
behavior, but not the low-level operations used to achieve the
behavior)
Graphs compared for isomorphism
Normalization applied before comparison (sequential syscalls
are merged, killed syscalls are dropped, . . . )
R. Paleari et al.
15
Dealing with non-determinism: behavior generalization
Output of clustering (Ci )
DropAndAutostart("c:\windows\poagp.exe",data,"...\Run\vq","poagp.exe")
DropAndAutostart("c:\windows\pobxz.exe",data,"...\Run\vq","pobxz.exe")
DropAndAutostart("c:\windows\pocra.exe",data,"...\Run\qv","pocra.exe")
DropAndAutostart("c:\windows\pomfq.exe",data,"...\Run\vq","pomfq.exe")
DropAndAutostart("c:\windows\pommp.exe",data,"...\Run\qv","pommp.exe")
DropAndAutostart("c:\windows\popwz.exe",data,"...\Run\qv","popwz.exe")
DropAndAutostart("c:\windows\pouwk.exe",data,"...\Run\vq","pouwk.exe")
R. Paleari et al.
16
How to deal with slightly different behaviors?
DropAndAutostart("c:\windows\pojsh.exe",data,"...\Run\vq","pojsh.exe")
DropAndAutostart("c:\windows\poeuj.exe",data,"...\Run\qv","poeuj.exe")
R. Paleari et al.
16
How to deal with slightly different behaviors?
DropAndAutostart("c:\windows\pojsh.exe",data,"...\Run\vq","pojsh.exe")
DropAndAutostart("c:\windows\poeuj.exe",data,"...\Run\qv","poeuj.exe")
Transform a cluster into a generalized behavior summary
R. Paleari et al.
16
All behaviors in the cluster have the same “prototype”
Each argument of the behavior is independent from the others
Each argument can be canonicalized into a string
The generalization of each argument can be seen as the
generalization of a set of strings
The generalization of a set of strings can be accomplished by
constructing an automaton that accepts a superset of the set
of strings
R. Paleari et al.
17
A1
R. Paleari et al.
18
q
b
m
c
:
\
w
i
n
...
p
o
d
c
w
x
f
m
z
q
p
.
e
x
e
g
a
r
u
k
w
Construct minimal (probabilistic) FSA
that accepts all strings in A1
R. Paleari et al.
18
q
b
m
c
:
\
w
i
n
...
p
o
d
c
w
x
f
m
z
q
p
.
e
x
e
g
a
r
u
k
w
Identify dense single-entry-single-exit regions of the FSA
(regions affected by non-determinism)
R. Paleari et al.
18
q
b
m
c
:
\
w
i
n
...
p
o
w
x
f
m
z
q
p
[[:alpha:]]{3}
g
d
.
e
x
e
a
c
r
u
k
w
Apply generalization rules to dense SESE regions
(rules based on the length of paths, type of symbols, . . . )
R. Paleari et al.
18
c:\windows\po[[:alpha:]]{3}.exe
Transform FSA into a regular expression
R. Paleari et al.
18
Finally comes R
DropAndAutostart("c:\windows\po[[:alpha:]]{3}.exe",
data, "...\Run\(vq|qv)", "po[[:alpha:]]{3}.exe")
R. Paleari et al.
19
Remediation procedures generation
C1
C2
C1
S3
S2
S1
S4
C2
C3
Remediation
procedure
generation
C3
Cluster
generalization
Behavior
monitoring
B1
High-level
behavior
analysis
R. Paleari et al.
B2
B3
Behavior
clustering
B4
20
Remediation procedures in action
Newly-created resources: remove resources created by
Infected resources: restore resources tampered by
Deleted resources
R. Paleari et al.
21
Use constraints on arguments to identify the resources to remove
FileCreation(file, data): remove file if its content
matches data
DropAndAutostart(file, data, key, regdata): remove
file and key if both exist, their content matches respectively
data and regdata, and the basename of file and regdata is
the same
Deleted resources
R. Paleari et al.
21
Use constraints on arguments to identify the resources to remove
FileCreation(file, data): remove file if its content
matches data
DropAndAutostart(file, data, key, regdata): remove
file and key if both exist, their content matches respectively
data and regdata, and the basename of file and regdata is
the same
Same approach used to identify newly-created resources
Use pristine regions of the file to identify the version to restore
Applicable only to system files and keys
Deleted resources
R. Paleari et al.
21
Experimental evaluation
Setup & methodology
Prototype for Microsoft Windows XP
Evaluation of over 200 malware samples
For each sample:
1. Monitored 3 executions in 4 distinct environments
2. Generated remediation procedures
3. Infected 25 test environments and ran the generated procedure
Goals
Quantify false-positives & false-negatives (procedure affects a
resources not involved with the infection or misses a resources
not involved with the infection)
Compare completeness of remediation procedures available in
the best commercial AVs against ours
R. Paleari et al.
22
Experimental evaluation: false-positives
Only one case, caused by a very generic regular expression
(.*.exe)
R. Paleari et al.
23
Experimental evaluation: false negatives
100
% activities reverted
80
60
40
20
0
Files
Files
(primary)
(ancillary)
Our approach
R. Paleari et al.
Reg. keys
(primary)
Nod32
Reg. keys
(ancillary)
Panda
Processes
Processes
(primary)
(ancillary)
Kaspersky
24
Experimental evaluation: false negatives
100
% activities reverted
80
60
98% vs. 82%
40
20
0
Files
Files
(primary)
(ancillary)
Our approach
R. Paleari et al.
Reg. keys
(primary)
Nod32
Reg. keys
(ancillary)
Panda
Processes
Processes
(primary)
(ancillary)
Kaspersky
24
Limitations
Dynamic behavior-based analysis can give incomplete results
Attackers may try to induce very aggressive behavior
generalization
Only a subset of modified resources can be properly restored
Deleted resources cannot be restored
R. Paleari et al.
25
Conclusions
R. Paleari et al.
26
Automatic Generation of Remediation
Procedures for Malware Infections
Thank you!
Any questions?
Lorenzo Martignoni
[email protected]

Automatic Generation of Remediation Procedures for Malware

Transcription

Similar documents

Presentation 8 - Environmental issues and remediation_Beldowski

Security Liaison Meeting

learn more

Evasive Tactics: Terminator RAT | FireEye Blog

Real World Protection and Remediation Testing Report

Ransomware Variants Are Lurking “In the V-Shadows”

What We`ve Seen in Q2 2015

Read More - Energenie

Detecting Malware With Memory Forensics