ABSTRACT
Worms, viruses, and other malware can be ticking bombs counting down to a specific time, when they might, for example, delete files or download new instructions from a public web server. We propose a novel virtual-machine-based analysis technique to automatically discover the timetable of a piece of malware, that is, when its events will be triggered, so that other types of analysis can discern what those events are. This information can be invaluable for responding to rapid malware, and automating its discovery can provide more accurate information with less delay than careful human analysis.

Developing an automated system that produces the timetable of a piece of malware is a challenging research problem. In this paper, we describe our implementation of a key component of such a system: the discovery of timers without making assumptions about the integrity of the infected system's kernel. Our technique runs a virtual machine at slightly different rates of perceived time (time as seen by the virtual machine), and identifies time counters by correlating memory write frequency to timer interrupt frequency.

We also analyze real malware to assess the feasibility of using full-system, machine-level symbolic execution on these timers to discover predicates. Because of the intricacies of the Gregorian calendar (leap years, differing numbers of days in each month, etc.) these predicates will not be direct expressions on the timer but instead an annotated trace; so we formalize the calculation of a timetable as a weakest precondition calculation. Our analysis of six real worms sheds light on two challenges for future work: 1) time-dependent malware behavior often does not follow a linear timetable; and 2) an attacker with knowledge of the analysis technique can evade analysis. Our current results are promising in that with simple symbolic execution we are able to discover predicates on the day of the month for four real worms. Then through more traditional manual analysis we conclude that a more control-flow-sensitive symbolic execution implementation would discover all predicates for the malware we analyzed.
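The timer-discovery idea above, as an added illustration that is not the paper's implementation: a constructed guest model is run at several perceived-time rates (different timer interrupt frequencies over a fixed instruction budget), and the addresses whose write counts track the interrupt count are reported as timer candidates. All addresses, rates and write patterns here are constructed for the example.

```python
import math
from collections import Counter

# Constructed guest model (not the paper's code): kernel addresses and how often each is written.
TICK_COUNTER = 0xC0001000   # incremented on every timer interrupt
SECONDS = 0xC0001008        # incremented every 100 ticks (a derived timer)
INSTR_COUNT = 0xC0002000    # written every 1000 instructions, independent of time
PKT_BUFFER = 0xC0003000     # written at a rate unrelated to the timer
INSTRS_PER_SEC = 1_000_000  # perceived guest speed, used to place timer interrupts
INSTRUCTIONS = 10_000_000   # fixed instruction budget executed in every run

def simulate_run(timer_hz, run_index):
    """One run at timer_hz perceived time; returns (interrupt_count, {address: writes})."""
    writes = Counter()
    interval = INSTRS_PER_SEC // timer_hz          # instructions between interrupts
    ticks = INSTRUCTIONS // interval
    for tick in range(ticks):
        writes[TICK_COUNTER] += 1
        if tick % 100 == 99:
            writes[SECONDS] += 1
    writes[INSTR_COUNT] += INSTRUCTIONS // 1000      # identical in every run
    writes[PKT_BUFFER] += 500 + (run_index * 37) % 50  # varies, but not with the timer
    return ticks, writes

def pearson(xs, ys):
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    sxx, syy = sum((x - mx) ** 2 for x in xs), sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0  # a constant series cannot track the timer
    return sxy / math.sqrt(sxx * syy)

def find_timers(runs, min_corr=0.99, max_cv=0.05):
    """A timer candidate's write count grows linearly with interrupts at a stable ratio."""
    addrs = set().union(*(w.keys() for _, w in runs))
    ticks = [t for t, _ in runs]
    found = []
    for addr in addrs:
        counts = [w.get(addr, 0) for _, w in runs]
        ratios = [c / t for c, t in zip(counts, ticks)]
        mean = sum(ratios) / len(ratios)
        cv = math.sqrt(sum((r - mean) ** 2 for r in ratios) / len(ratios)) / mean if mean else float("inf")
        if pearson(ticks, counts) >= min_corr and cv <= max_cv:
            found.append(addr)
    return sorted(found)

def discover(rates=(80, 90, 100, 110, 120)):
    # Run the same guest at several perceived-time rates and correlate writes with interrupts.
    return find_timers([simulate_run(hz, i) for i, hz in enumerate(rates)])
```

Both the per-tick counter and the derived seconds counter are reported, while the instruction-driven counter (constant across runs) and the unrelated buffer are rejected.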