Forensic Analysis of Toolkit-Generated Malicious Programs法医分析产生的恶意程序的工具包.pptVIP

Forensic Analysis of Toolkit-Generated Malicious Programs Yasmine Kandissounon TSYS School of Computer Science Columbus State University 2009 ACM Mid-Southeast Conference Gatlinburg, Tennessee November 12-13, 2009 State of the Threat (Jan – Jun 2009) Microsoft Security Intelligence Report : 115,854,807 infections in first half 2009 94,985,967 infections in second half 2008 ? An increase of about 22% (2008) AVTest Labs 15,000 to 20,000 new specimens analyzed each day. (4 times as many as in 2006, 15 times as many as in 2005) (ESET ) Talented teams of programmers Automated Malware Creation: W32.Evol, W32.Simile, W32.NGVCK, W32.VCL, etc. What Does the AV Industry Need? Automation (Szor 2005) The need for analysis by humans is a major bottleneck! Ability to quickly and accurately detect new malware. (Team Cymru, 2008) 1000 new samples submitted, only 37% detected by commercial AV products! Badly needs “good” Generic Signatures (Kaspersky Lab 2008) Windows Explorer was flagged as malicious AVIEN’s HARLEY (On average, current detection(using generic signatures) rates are no better than 70%-80%) Our Problem: Engine Generated Malware ENGINE VIRUS SAMPLE Variant1 Variant2 Variant n Variant3 Network Too many signatures challenge the detector Malware detector Signature Database (Virus Definitions) In Out Solution: Use Engine Signature ENGINE VIRUS SAMPLE Variant1 Variant2 Variant n Variant3 Internet Use one small piece of info about the engine to detect all of the variants. Malware detector Engine Signature In Out Network MALWARE GENERATION AS A HIDDEN MARKOV MODEL NOP * CALL JMP MOV Transition Matrix = Engine Signature(Choice of relevant instructions = 5 most frequent instructions) NOP MOV PUSH CALL JMP * NOP 0.00 0.33 0.33 0.00 0.00 0.33 MOV 0.21 0.29 0.14 0.21 0.00 0.07 PUSH 0.00 0.60 0.40 0.00 0.00 0.00 CALL 0.00 0.67 0.