With thousands of new viruses and other malware threats surfacing every day, dynamic analysis techniques play a fundamental role in the automatic characterization and detection of malicious behaviors that undermine the security of computing systems. However, modern malware has started to adopt reconnaissance techniques that fingerprint the execution environment, looking for artifacts that could reveal the presence of a monitoring system rather than a plausible victim, and consequently hiding its true colors to elude detection and analysis.
In the arms race between malware writers and analysis systems, researchers and security firms have invested in stealth execution environments that use hardware virtualization and cloaked software configurations to execute and analyze malware dynamically. And yet, often new threats emerge that defeat such automatic analyses, requiring them to be manually dissected by expert analysts.
We propose a methodology for hardening automatic dynamic analysis to make it more robust against evasive malware. Our approach is unprecedented: using dynamic binary instrumentation, we look closely at each fingerprinting attempt made by a malicious program as it executes, and dynamically choose the best possible answer to provide, rewriting program behaviors that extant solutions instead handle with fixed, predetermined answers. Further novelty lies in the pivotal role of the human element in our methodology: we wish to boost the productivity of analysts who intervene to defeat unprecedented evasions, and we provide means to incorporate their findings into the automatic analysis system as part of a human-assisted feedback loop mechanism.
Preliminary experimental results suggest that our approach is well-equipped to deal with the more advanced evasion techniques from highly evasive malware that even sophisticated commercial solutions have recently struggled to deal with.
The project will be carried out as part of a joint effort with King's College London.
[Innovation]
The present project has the potential to bring timely contributions to malware analysis theory and practice. The analysis of highly evasive malware is a compelling topic for both academic researchers and security professionals. Dozens of scientific articles have appeared in recent years describing manifold attack surfaces and methodologies for a malicious program to detect artifacts of an analysis environment [BY17]. At the same time, security vendors have striven to develop analysis solutions based on stealth virtualization technologies, which were pioneered in the research community through virtual machine introspection (VMI) abstractions and facilities.
Using VMI it is possible to track the externally observable behavior of a sample, for instance the sequence of system calls in its execution. However, when attempting to extract high-level information from low-level sources, introspection incurs a so-called semantic gap: VMI tools may require deep knowledge of kernel data structures or other low-level details, which can be problematic on proprietary operating systems such as Windows. Furthermore, VMI to date is not as powerful or handy for the inspection of a sample as a traditional debugger, which for instance lets analysts alter the execution flow.
In the light of these considerations, we chose to build our BluePill architecture on top of dynamic binary instrumentation. A process-level DBI framework such as Pin [LCMPKLWRH05] is well-equipped for implementing a stealth execution environment that is easy to extend, and that an analyst can tweak to detect and react to unknown evasions or targeted environment checks, hopefully dodging many low-level details involving the underpinnings of the Windows kernel.
Also, while extant solutions for dynamic malware analysis do not account for the human factor, the role of analysts is pivotal in our approach. Following in the footsteps of a seminal work on augmenting autonomous cyber reasoning systems with human assistance from UC Santa Barbara, we propose a feedback loop mechanism where human-crafted countermeasures for unprecedented evasions are incorporated into BluePill's automated analyses. We believe this can also pave the way to further investigation into optimizing the use of expensive and scarce human resources such as skilled malware analysts.
[Preliminary Results]
As part of the research activities carried out early this year at the SEASON (Software Analysis and Optimization) Lab at Sapienza University, we have prototyped a minimalistic version of BluePill targeting the VirtualBox virtualization technology and 32-bit PE32 Windows programs. We performed dynamic analysis of several highly evasive malware samples, including i) the Furtim malware [SO16], ii) the Olympic Destroyer that attacked the PyeongChang 2018 Winter Olympic Games computer networks, iii) the sophisticated BadRabbit ransomware that followed in the footsteps of NotPetya and WannaCry, and iv) a selection of packed samples that were obfuscated and made "evasive" using notable executable protectors such as VMProtect and Themida. Preliminary experimental results show that an implementation of BluePill still in its infancy could already dismantle all the evasion techniques featured in such samples. Our findings have been validated against technical reports written by highly trained security professionals.
[Scientific Impact]
The present project will be carried out in collaboration with a research group from King's College London with a strong publication record in top-ranked security venues such as ACM CCS, IEEE S&P, and ACM ACSAC, which we wish to target with the research results that we will achieve in this project.