Malware Repository Requirements - Cyber-TA


Malware Repository Overview
Wenke Lee
David Dagon
Georgia Institute of Technology
Overview
• How malware is collected and shared now
• Malfease’s service-oriented repository
– Support for malware analysis, e.g., signature generation, and evaluation of intrusion/anomaly detection/prevention systems, etc.
– Automated unpacking
Current Practices
• Numerous private, semi-public malware collections
– Need “trust” to join
– “Too much sharing” often seen as competitive disadvantage
• Analysis not shared
• Incomplete collections: reflect sensor bias
– Darknet-based collection
– IRC surveillance
– Honeypot-based collection
Shortcomings
• Malware authors know and exploit weaknesses in data collection
• Illuminating sensors
– “Mapping Internet Sensors with Probe Response Attacks”, Bethencourt et al., USENIX 2005
• Automated victim updates
– E.g., via botnets
Solution:
Service-Oriented Repository
• Malfease uses hub-and-spoke model
– Hub is central collection of malware
– Spokes are analysis partners
• Hub:
– Malware, indexing, search
– Static analysis: header extraction, icons, libraries
– Metainfo: longitudinal AV scan results
• Spoke:
– E.g., dynamic analysis, unpacking, signatures, etc.
Malware Repo Requirements
• Malware repos should not:
– Help illuminate sensors
– Serve as a malware distribution site
• Malware repo should:
– Help automate analysis of malware flood
– Coordinate different analysts (RE gurus, Snort rule writers, etc.)
Approaches
• Repository allows upload of samples
– Downloads restricted to classes of users
• Repository provides binaries and analysis
– Automated unpacking
– Win32 PE Header analysis
– Longitudinal detection data
• What did the AV tool know, and when did it know it?
– Malware similarity analysis, family tree
– Etc.
Overview
Repository User Classes
• Unknown users
– Scripts, random users, even bots
• Humans
– CAPTCHA-verified
• Authenticated Users
– Known trusted contributors
Repository Access Control
• Unknown users
– Upload; view aggregate statistics
• Humans
– Upload; download analysis of their samples
• Authenticated Users
– Upload; download all; access analysis
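The two slides above define three user classes and what each may do. As an added example (not Malfease code), here is a deny-by-default check that encodes that access matrix: everyone may upload and see aggregate statistics, CAPTCHA-verified humans may fetch analysis only for samples they submitted, and only authenticated users may fetch binaries or any analysis. It assumes privileges are cumulative across classes; the sample object, its fields and the hash value are constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum, auto
from typing import Optional


class UserClass(Enum):
    UNKNOWN = auto()        # scripts, random users, even bots
    HUMAN = auto()          # CAPTCHA-verified
    AUTHENTICATED = auto()  # known trusted contributor


class Action(Enum):
    UPLOAD = auto()
    VIEW_AGGREGATE_STATS = auto()
    DOWNLOAD_ANALYSIS = auto()
    DOWNLOAD_BINARY = auto()


@dataclass(frozen=True)
class Sample:
    sha256: str     # constructed placeholder, not a real sample hash
    submitter: str  # user id of whoever uploaded the sample


def is_allowed(user_class: UserClass, user_id: str, action: Action,
               sample: Optional[Sample] = None) -> bool:
    """Return True only if the repository policy permits this request."""
    if action == Action.UPLOAD:
        return True  # every class may contribute samples
    if action == Action.VIEW_AGGREGATE_STATS:
        # Aggregates only: per-sample "who submitted what, when" data would
        # help an attacker illuminate the sensors feeding the repository.
        return True
    if action == Action.DOWNLOAD_ANALYSIS:
        if user_class == UserClass.AUTHENTICATED:
            return True
        if user_class == UserClass.HUMAN:
            # Humans only see analysis of the samples they uploaded themselves.
            return sample is not None and sample.submitter == user_id
        return False
    if action == Action.DOWNLOAD_BINARY:
        # Binaries go to trusted users only, so the repo never becomes
        # a malware distribution site.
        return user_class == UserClass.AUTHENTICATED
    return False  # unknown action: deny


if __name__ == "__main__":
    s = Sample(sha256="00" * 32, submitter="alice")  # constructed sample
    print(is_allowed(UserClass.HUMAN, "alice", Action.DOWNLOAD_ANALYSIS, s))
    print(is_allowed(UserClass.HUMAN, "alice", Action.DOWNLOAD_BINARY, s))
```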
Basic User View
Analysis Page for Sample
Static Analysis Example
Static Analysis Example: note search ability
Dynamic Analysis
Unpacked binary available for download, along with asm version
Malware: Why Pack?
• Reduced malware size
• Obfuscation transformation
– Opaque binaries prevent pattern analysis
– Invalid PE32 headers complicate RE
• Increases response time
– Unpacking often requires specialized skill sets
Polyunpack: Work Flow
Unpacking Heuristic
Unpacking Example
Results
• Improved AV detection
– 6K very old samples -> AV scan: 0.8K claimed “OK”, 5.2K claimed VX
– Unpacking -> AV rescan: 42 are now claimed VX
– 10-40% improved AV detection on “old” stuff
Plan for Cyber-TA
• Evaluation of various signature generation schemes
– Development of new schemes
• Development of a signature ensemble scheme that automatically combines the attributes of signatures from different generation schemes
• Evaluation of intrusion/anomaly detection systems
– E.g., automatically generating mimicry/blending attacks based on malware
Conclusion
• Service-oriented repository
– Support research in malware analysis and intrusion/anomaly detection/prevention
• See malfease.oarci.net for details
• Credits
– David Dagon
– Paul Vixie
– Paul Royal
– Mitch Halpin