Classification of malware persistence mechanisms using low-artifact disk instrumentation

Authors: Jennifer Mankin, David Kaeli

DOI:

Keywords: Malware analysis, Master boot record, Reboot, Instrumentation (computer programming), Malware, Cryptovirology, Upload, Operating system, Computer security, Computer science, File system

Abstract: The proliferation of malware in recent years has motivated the need for tools to analyze, classify, and understand intrusions. Current research analyzing focuses on labeling as malicious or benign, it with family variant belongs to. We argue that, in addition to providing coarse labels, it is useful to label samples by the capabilities they employ. Capabilities can include keystroke logging, downloading a file from the internet, modifying the Master Boot Record, and trojanizing a system binary. Unfortunately, identifying a capability requires a descriptive, high-integrity trace of behavior, which is challenging given the complex stealth techniques that malware employs in order to evade analysis and detection. In this thesis, we present DIONE, a flexible rule-based disk I/O monitoring infrastructure. DIONE interposes between the system-under-analysis and its hard disk, intercepting accesses and reconstructing the high-level registry changes that occur. We evaluate accuracy and performance and show that it achieves 100% accuracy on operations, with a performance penalty of less than 2% in many cases. Given the trustworthy behavioral traces obtained, we convert system-level events into capabilities. For this, we use model checking, a formal verification approach that compares the extracted events against a specification. Since these are disk events, we aim at persistence capabilities, that is, the mechanism a sample uses not only to persist but to restart after boot. A Windows service is a commonly-employed mechanism used to persist, load a binary on reboot, and even load dangerous code into the kernel. We model service installation, boot, and service access, and test our models over 1000 real-world samples; our approach successfully identifies service-installing samples 99% of the time, and service loads 97% of the time. Moreover, we demonstrate that we are able to differentiate two types of read accesses. We detect when a service is installed, and are also successful because of the automatic program reboot. We correctly identify patterns in the 4% that were mislabeled, which an expert analyst would have difficulty identifying as mislabeled.
