This talk was given at DEF CON 2010 by Jeremy Chiu, Benson Wu, and Wayne Huang https://www.defcon.org/html/defcon-18/dc-18-speakers.html#Huang For antivirus vendors and malware researchers today, the challenge lies not in "obtaining" the malware samples - they have too many already. What's needed is automated tools to speed up the analysis process. Many sandboxes exist for behavior profiling, but it still remains a challenge to handle anti-analysis techniques and to generate useful reports. The problem with current tools is the monitoring mechanism - there's always a "sandbox" or some type of monitoring mechanism that must be loaded BEFORE malware execution. This allows malware to detect whether such monitoring mechanisms exist, and to bail out thus avoiding detection and analysis. Here we release 0box--an afterDark analyser that loads AFTER malware execution. No matter how well a piece of malware hides itself, there will be runtime forensics data that can be analyzed to identify "traces" of a process trying to hide itself. For example, evidences within the process module lists or discrepancies between kernel- and user-space datastructures. Since analysis is done post mortem, it is very hard for malware to detect the analysis. By using runtime forensics to extract evidences, we turn a piece of malware from its original binary space into a feature space, with each feature representing the existence or non-existence of a certain behavior (ex, process table tampering, unpacking oneself, adding hooks, etc). By running clustering algorithms in this space, we show that this technique not only is very effective and very fast at detecting malware, but is also very accurate at clustering the malware into existing malware families. Such clustering is helpful for deciding whether a piece of malware is just a variation or repacking of an existing malware family, or is a brand new find. Using three case studies, we will demo 0box, compare 0box with 0box with recent talks at BlackHat and other security conferences, and explain how 0box is different and why it is very effective. 0box will be released at the conference as a free tool.

1. 0BOX ANALYZER:AFTERDARK RUNTIME FORENSICS FOR AUTOMATED MALWARE ANALYSIS AND CLUSTERING JEREMY CHIU, ARMORIZE TECHNOLOGIES BENSON WU, ARMORIZE TECHNOLOGIES WAYNE HUANG, ARMORIZE TECHNOLOGIES 2010-0801

2. About Us Jeremy Chiu (aka Birdman), from Taiwan, Security Researcher, X-Solve Lab Armorize, currently Malware Analyst at Armorize Technologies. His research work is focused on Malware behavior analysis, reverse engineering and development of automatic malware inspection and forensics tools. He has spoken at some security conferences, SySCAN TW(09 08), Hacks in Taiwan (07 06 05), HTICA(06 08) and OWASP Asia (08 07) Benson Wu, PhD, CSSLP, ECSP, from Taiwan, currently Director of RD and Product Line at Armorize Technologies. Wayne Huang, also from Taiwan, cofounder, President and CTO at Armorize Technologies @waynehuang

3. 惡 Malware, Botnet

4. 肉雞

5. Wow! Anti-XXX

6. Popular Sandbox Detection Methods VM/Emulator Detection IDT,LDT Base address Detection Device Detection CPUID, MAC Address, Hard Disk Model, PCI Device VM Backdoor command Windows/Environment Detection Specific Service/Process Name Detection SSDT/API Hooking Detection Windows Production ID Detection

7. Defeating AntiVirus/HIPS Attacking The Monitors Restore SSDT HooK Unload Notify Routine of Process, Thread, Image, Registry Unload File System Filter Restore FSD Hook Unload TDIFilter Remove NTFS attached Devices Bypassing The Recovery System Raw Disk Access

8. MalwareBehavior Analysis Network Based Approach Monitor DNS/IP Query Traffic Analysis Host Based Approach VM + ProcMon/FileMon… Cwsandbox,anubis,joebox,threatexpert,norman

9. Malware Runtime Forensics Runtime Forensics focus on the environment after Malware had executed, it has the following advantages: No Monitors No Hooking No Unpacking Nothing to be defeated!

10. Which Features We Focused? When Malware interacts with the surrounding environment, it leaves toolmarks, which could be features for behavior modeling. There are three main aspects of features: Installation Remnants Memory Layout Symptoms of Malicious Behavior

11. Inspecting the Process Search Process List For Hidden Process Check ScanPspCidTable Scan EPROCESS Structure Search Service List Scan SCM Table (Service Control Manager) Inspect Process Fetch DLL List from LDR Analyze the memory layout and the structures of process Scan Code Block (Stealth Code) Disassemble the Suspicious Code

12. Identify the Suspicious DLLs LoadLibrary() No straightforward evidence to show the injected DLLs Especially in forensics approach, we only got the final snapshot of the infected environment First, identify the explicitly linked DLL Check LDR，Scan Import Table Also, search PE Image Memory Scan Process Implicitly linked DLL-A DLL-Malware DLL-B DLL-C

14. PE Packer Signature Checking

15. Code Disassembly

16. Strings Extraction

17. File Inspection (for hidden file)Malware Process Malicious Module 1 Malicious Module 2 Malicious Module 3

18. Case 1: Bifrost (彩虹橋) Bifrost variant from China Stealth Code Injection 請問 ??

19. Case 2: GhostNet (鬼網) From China www.nartv.org/mirror/shadows-in-the-cloud.pdf Bot Command ….

20. Case 3: dnf666.net Mass SQL attack Mar 7th2010 http://202.109.143.XX:81/ma.exe (still alive), the online game password Stealer http://blog.armorize.com/2010/06/dnf-group-is-back-mass-sql-injections.html

21. Case 4: Zeus Bot

22. Zeus Bot Reference: http://en.wikipedia.org/wiki/Zeus_(trojan_horse) "Zeus: King of the Bots" . Symantec. Retrieved February 20, 2010. Botnet size = 3.6 million

23. Malware Clustering

24. Why Clustering …Obvious! Group 2 Group 1

25. Malware Similarity Matrix A similarity matrix is a matrix of scores which express the similarity between two data points.

26. Build The Malware Similarity Matrix Feature Extraction: Installation Remnants Memory Layout Behavior Evidence Malware Vi ->{ S(i,0), S(i,1) ..S(i,n)} F = {Fa, Fb, Fc} Forensics Report Malware Similarity

27. Zer0-Box Automated Malware Analysis and Clustering System Malware Forensics Zer0-Box Malware Forensics Engine Malware Malware Similarity Matrix Forensics Report Malware Clustering Group 1 Group 2 Group 3

28. Experiment – Live Sample Test 408 Malware Live Samples, All the samples were collected in the wild (2010-07-08, from HackAlert and www.malwaredomainlist.com) Norton: 81/408 = 19.8% Avira: 204/408 = 52.4% ….. 408 malware

29. Examine the first block After K-means Clustering: Examine this block

30. Take a look at the first block The color patterns can be grouped into 4 smaller blocks.

31. Hey! Are you here? @_@

32. Wow~ Zeus Bot ? Based on anti-virus (Aa) report, some tested samples in this block are named to Zbot.

33. Manually Verify the Version of Zeus To identify Zeus_V1 and Zeus_V2, we searched the bot command strings in these samples. Zeus V1 Patterns Resetgrab, Sethomepage, Unblock_url, Getcerts … Zeus V2 Patterns user_ftpclients_get, user_homepage_set, user_url_unblock, user_certs_get …

34. The Famous Zeus Bot Family! From this graph, we could know there are 4 Zeus Bot variants, including 3 variants of V2 and 1 variant of V1. V2 V2 V2 V1

35. Experimental Results Among 408Malware samples, we manually verified and found 52 Zeus Bot instances. After automated clustering, these 52 Zeus Bot instances got clustered into 4 groups – 1 group of V1 variant, and 3 groups of V2 variants. Comparing our clustering results and Anti-virus results,26 out of 52 Zeus Bot instances are correctly named after Zbot by Anti-Virus. In this test set, our true positive rate for Zeus bot instances are 100% while anti-virus tools are only 50%. With these Zeus clusters, we can apply automated Malware classification and detection for known and unknown Zeus variants.

36. There are more Malware Families Vundo Family? Bagle Family ?

37. Conclusion Traditional Hooking-Based Monitor approach can hardly defeat anti-analysis techniques used by modern advanced Malware. Instead, usingMalware Runtime Forensics techniques can extract significant features and assure the accuracy and precision of clustering. The experimental results justify that the malware analysis system can be fully automated, does not require human interpretation, and automated clustering effectively resolves the issue of numerous unknown variants.

38. Thank You and Q&A Q&A

39. Abstract The problem with current Malware analysis tools is the monitoring mechanism - there's always a "sandbox" or some type of monitoring mechanism that must be loaded BEFORE malware execution. This allows malware to detect whether such monitoring mechanisms exist, and to bail out thus avoiding detection and analysis. Our approach -- an afterDark analyzer that loads AFTER malware execution. No matter how well a piece of malware hides itself, there will be runtime forensics data that can be analyzed to identify "traces" of a process trying to hide itself. Since analysis is done post mortem, it is very hard for malware to detect the analysis. By using runtime forensics to extract evidences, we turn a piece of malware from its original binary space into a feature space, with each feature representing the existence or non-existence of a certain behavior (ex, process table tampering, unpacking oneself, adding hooks, etc). By running clustering algorithms in this space, we show that this technique is very accurate at clustering the malware into existing malware families. Such clustering is helpful for deciding whether a piece of malware is just a variation or repacking of an existing malware family, or is a brand new find.