Evolvable Malware

Sadia Noreen, Shafaq Murtaza, M. Zubair Shafiq, Muddassar Farooq
National University of Computer and Emerging Sciences (FAST-NUCES)
Next Generation Intelligent Networks Research Center (nexGIN RC)
Islamabad, 44000, Pakistan
Citations

Sadia Noreen, Shafaq Murtaza, M. Zubair Shafiq, Muddassar Farooq.
1. Evolvable Malware. In Proceedings of the Genetic and Evolutionary Computation Conference (GECCO), ACM Press, 2009.
2. Using Formal Grammar and Genetic Operators to Evolve Malware. In Recent Advances in Intrusion Detection (RAID), Springer LNCS, 2009.
Relevance of Computer Malware to ALife
• ALife: studies the logic of living systems in an artificial environment
• Evolution: a fundamental property of ALife
• Malware, if considered to be alive, must possess the fundamental property of ALife – evolution.
Objectives
• To provide an abstract representation that maps all the features of the malware under study (Bagle)
• To evolve the malware – evolution in its true sense
• To test the evolved malware using anti-virus software
Finally: Virus Created!!!
Evolvable Malware Framework
(Block diagram.) Components: Malware database; GA Module, applying Crossover and Mutation to produce New Malware; Code Generation Module; Output Malware; Test Module.
Abstract Representation

Feature                Description
Date                   The date checked by Bagle to (de)activate its process
Application            The application used to conceal Bagle
Port Number            Port opened by Bagle to send or receive commands
Attachment             Name of the attachment used by Bagle
Websites               Websites Bagle contacts to report the infection
Domain                 Domains to which Bagle does not email itself
Email Body             Contains the email body used by Bagle
Email Subject          Specifies the subject of the email
Registry Variable      Contains the name of the registry variable used by Bagle
Virus Name             Name of the Bagle process shown in the task manager
File Extension         File extensions to be searched for in fixed directories
Process Terminated     Processes terminated by Bagle
Attachment Extension   Specifies the extension of the attachment
P2P Propagation        Names used by Bagle to copy itself to peer computers
Experimental Setup (2)
GA Parameters:
Population Size = 500
Crossover Rate = 0.75
Mutation Rate = 0.005
Number of Generations = 500
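As an added illustration (not code from the paper or its authors), the following Python models the abstract representation as a record of the fourteen features listed above and applies the two genetic operators the framework names, uniform crossover and per-feature mutation, at the crossover and mutation rates quoted on this slide. It deliberately omits the selection loop, the code generation module and the anti-virus test module; instead it runs a defender's coverage check over the recombined records: an exact-variant signature matches only the rare children identical to a parent, whereas per-feature indicators taken from the two known variants still flag every recombination as long as mutation is rare. The two parent records, the per-feature mutation pool and every feature value are constructed placeholders, not Bagle data.

```python
"""Recombination over the Bagle feature representation plus a detection-coverage check.

Constructed example: all records and values below are placeholders, not real malware data.
"""
import random

# The fourteen features of the abstract representation on the slide.
FEATURES = [
    "date", "application", "port_number", "attachment", "websites", "domain",
    "email_body", "email_subject", "registry_variable", "virus_name",
    "file_extension", "process_terminated", "attachment_extension",
    "p2p_propagation",
]

# Two constructed parent records (placeholder values, one per feature).
PARENT_A = {f: f"A_{f}" for f in FEATURES}
PARENT_B = {f: f"B_{f}" for f in FEATURES}

# Constructed pool of novel values that a mutation may introduce per feature.
MUTATION_POOL = {f: [f"NEW_{f}_{i}" for i in range(3)] for f in FEATURES}

# GA rates quoted on the slide (population size and generations are not used:
# there is no selection loop here, only sampling of the variant space).
CROSSOVER_RATE = 0.75
MUTATION_RATE = 0.005


def crossover(a, b, rng):
    """Uniform crossover over feature records: each feature comes from either parent.
    With probability 1 - CROSSOVER_RATE the child is a plain copy of one parent."""
    if rng.random() >= CROSSOVER_RATE:
        return dict(rng.choice([a, b]))
    return {f: (a[f] if rng.random() < 0.5 else b[f]) for f in FEATURES}


def mutate(record, rng):
    """Independently replace each feature value with probability MUTATION_RATE."""
    return {f: (rng.choice(MUTATION_POOL[f]) if rng.random() < MUTATION_RATE else v)
            for f, v in record.items()}


def sample_variants(n, seed=1):
    """Draw n child records from the two parents (seeded, so runs are repeatable)."""
    rng = random.Random(seed)
    return [mutate(crossover(PARENT_A, PARENT_B, rng), rng) for _ in range(n)]


def exact_signature(known):
    """Detector that matches only a record identical to one of the known variants."""
    known_keys = {tuple(sorted(k.items())) for k in known}
    return lambda rec: tuple(sorted(rec.items())) in known_keys


def feature_indicators(known):
    """Detector that flags a record if any single feature value was seen in a known variant."""
    seen = {f: {k[f] for k in known} for f in FEATURES}
    return lambda rec: any(rec[f] in seen[f] for f in FEATURES)


def coverage(detector, variants):
    """Fraction of the variants the detector flags."""
    return sum(1 for v in variants if detector(v)) / len(variants)


def distinct_count(variants):
    """Number of distinct feature records in the sample."""
    return len({tuple(sorted(v.items())) for v in variants})


def run(n=1000, seed=1):
    """Compare exact-variant signatures with per-feature indicators over n children."""
    variants = sample_variants(n, seed)
    known = [PARENT_A, PARENT_B]
    return {
        "distinct": distinct_count(variants),
        "exact": coverage(exact_signature(known), variants),
        "indicators": coverage(feature_indicators(known), variants),
    }


if __name__ == "__main__":
    print(run())
```

With the slide's rates, about a quarter of the children are unmutated copies of a parent and are caught by the exact signatures; the remaining recombinations are new records, which is the slide's point about variants, yet each still carries at least one value from a known variant, so feature-level indicators keep full coverage. The caveat is in the numbers: that guarantee weakens as the mutation rate rises and novel values displace the known ones, so indicator sets need refreshing as new variants are observed.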
Experimental Results
Criteria Satisfied
GECCO 2009 – Anonymous Reviewer Comments
• “The paper is very interesting and well written overall and definitely worth to be published.”
• “I found the paper quite interesting. Further research is most welcomed.”
D: The result is publishable in its own right as a new scientific result, independent of the fact that the result was mechanically created.
Criteria Satisfied
(Diagrams.)
Polymorphic Engine: Virus Code with an Encryption Routine and a Decryption Routine
Metamorphic Engines: Virus Code rewritten as Virus Code with NOPs inserted
Our Engine: Virus Code, passed through Genetic Operators, yields new Virus Code
E: The result is equal to or better than the most recent human-created solution to a long-standing problem for which there has been a succession of increasingly better human-created solutions.
Criteria Satisfied
The result is better than the result that was considered an achievement so far…
• Polymorphic and metamorphic engines produce viruses that belong to the same class, i.e. the evolved viruses are variants of one class, e.g. Bagle.a, Bagle.b, etc.
• The viruses produced by our engine do not belong to just one class, i.e. the evolved viruses may belong to different classes of malware, e.g. the Bagle class, W32.Sality, etc.
F: The result is equal to or better than a result that was considered an achievement in its field at the time it was first discovered.
Criteria Satisfied
Reverse Engineering of a class of malware
• Analyzing the disassembled code of a class of malware and extracting the features of interest was a challenging task.
• There has long been talk of malware evolution by applying genetic operators, but there was no comprehensive achievement, since the difficulty level of the problem domain was very high.
G: The result solves a problem of indisputable difficulty in its field.
Human Competitive?
• Evolves malware without human intervention
• Produces new variants of malware in NO TIME compared to a virus writer
Impact
• The result is of great importance in security research
• Antivirus products – testing against zero-day attacks
• Evolving software