Faster parameter detection of polymorphic viral binary code using hotlist strategy

Ruo Ando
National Institute of Information and Communications Technology, Traceable Network Group
4-2-1 Nukui-Kitamachi, Koganei, Tokyo 184-8795 Japan
ruo@nict.go.jp

Abstract: Malicious mobile code has become more sophisticated. Software encryption and obfuscation are applied for evading signature-matching-based scanning. In this paper we propose an ATP (automated theorem proving) based analysis of polymorphic viral binary code. Structure and parameters are detected by a theorem prover. In the detection process, we apply a look-ahead heuristic called the hotlist strategy for faster equality substitution. In experiments, we discuss the effectiveness of this strategy using the numerical output of the theorem prover. It is shown that the hotlist group (EAX, ECX, EBX, EDX) reduces the number of generated clauses compared with the hotlist group (EDI, ESI, EBP, EDP).
1 Introduction

As techniques for creating malicious code have grown more sophisticated, software encryption and obfuscation have in recent years been used to evade detection and analysis. Analysis and detection are carried out with debuggers and memory editors, setting inspection points inside the software to detect API calls and the parameters of the decryption function, but the appropriate technique differs with the target. Moreover, target-specific techniques remain the know-how of individual analysts, and no methodology has been established for verifying the reproducibility of these techniques and giving them a classification and a rationale. In this paper, we use automated theorem proving (ATP) techniques to formalize the process of analyzing binary code that contains an obfuscated decryption routine. We also propose a way of reducing the computational cost of that analysis with the hotlist strategy, one of the look-ahead computation strategies.
2 Polymorphic viral code

Malicious code that evades signature matching is called either polymorphic or metamorphic. Code that encrypts itself is classified as polymorphic and code that obfuscates itself as metamorphic, but because the decryption routine of encrypted code is usually obfuscated as well, the term polymorphic is often used to cover metamorphic code too. The infection routine is made up of several functions and API calls, and the author of the malicious code obfuscates these in an attempt to evade detection. Tables 1 and 2 show an obfuscated call of the GetModuleHandleA API, which obtains a handle, in the virus Win32.Metaphor; they also show the kind of assembly code found in the decryption routine of a polymorphic virus. The parameters that make up a decryption function are four: the payload transfer, the decryption key, the branch counter, and the loop start address.

3 Proposed method

3.1 Structure detection

Figure 1 shows the proposed method. The proposed system first detects operands and opcodes in the binary code. The extracted opcodes are classified into data-transfer instructions and other instructions. The operands, on the other hand, are combined with the data-transfer instruction information, tracking changes to the registers, to detect parameter setting; at the same time the form of the payload-transfer instruction can be extracted. For the other opcodes, branch and loop instructions are detected from the register information. The method also permits parallel processing.

3.2 Parameter detection

Parameter detection uses equality substitution. Equality substitution comes in two forms, demodulation and paramodulation, and the proposed system uses both.

fact: f(g(x),x).
fact: equal(g(a),b).
conclusion: f(b,a).

fact: equal(data_16e,514Bh).
fact: mov(reg(ah),const(data_16e),63,time(1)).
conclusion: mov(reg(ah),const(514Bh),63,time(1)).

The above is an example of applying demodulation. An equal clause is called a demodulator and handles the substitution of a variable by a constant value.

set A address_of_payload
set B key
set C address_loop_start
set D counter

fact: mov(reg(ah),const(2Ch),162,time(1)).
fact: mov(reg(bx),reg(ah),300,time(1)).
fact: xor(reg(dx),reg(bx),431,time(1)).
/* decrypter */
-mov(reg(x),const(y),z,time(1)) | x=const(y,z).
conclusion: decrypter(reg(dx),key(const(2Ch,162)),431,time(1)).

address_loop_start
payload_transfer(A)
decryptor(B)
payload_transfer(A)
branch(D)
goto_start(C)

The above is an example of applying paramodulation; these cases cannot be handled by demodulation. The efficiency of demodulation complements the completeness of paramodulation, and in the proposed system paramodulation is indispensable for parameter detection, but the method is usually difficult to control.
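As an added example (not code from the paper or its prover), the following small Python rewriter replays the paramodulation example above: it derives the register equalities with the paper's mov rule, propagates them through register-to-register moves, and reaches the decrypter conclusion. The tuple layout, function names and the generated-clause counter are assumptions made for this illustration.

```python
# Added example, not code from the paper: replays the decrypter derivation on
# the paper's three mov/xor facts. The clause shapes and the rule
# -mov(reg(x),const(y),z,time(1)) | x=const(y,z) follow the paper; the
# function names, tuple layout and the clause counter are assumptions.
from typing import Dict, List, Optional, Tuple

# (opcode, destination, source, address, time): one clause in the paper's form
Fact = Tuple[str, str, str, int, int]
# Constructed input: the facts of the paper's paramodulation example
FACTS: List[Fact] = [
    ("mov", "reg(ah)", "const(2Ch)", 162, 1),
    ("mov", "reg(bx)", "reg(ah)", 300, 1),
    ("xor", "reg(dx)", "reg(bx)", 431, 1),
]

def mov_rule(fact: Fact) -> Optional[Tuple[str, str]]:
    """x = const(y,z): register x was loaded with immediate y at address z."""
    op, dst, src, addr, _ = fact
    if op == "mov" and src.startswith("const("):
        return dst, f"const({src[6:-1]},{addr})"
    return None

def derive_equalities(facts: List[Fact]) -> Tuple[Dict[str, str], int]:
    """Seed equalities from immediate loads, then propagate them through
    register-to-register moves until no new equality appears (demodulation).
    Returns the equalities and the number of clauses generated on the way."""
    eqs: Dict[str, str] = {}
    generated = 0
    for f in facts:
        eq = mov_rule(f)
        if eq and eq[0] not in eqs:
            eqs[eq[0]] = eq[1]
            generated += 1
    changed = True
    while changed:
        changed = False
        for op, dst, src, _, _ in facts:
            if op == "mov" and src in eqs and dst not in eqs:
                eqs[dst] = eqs[src]  # e.g. reg(bx) = const(2Ch,162)
                generated += 1
                changed = True
    return eqs, generated

def find_decrypter(facts: List[Fact]) -> Optional[str]:
    """Substitute the known equalities into each xor; an xor whose key operand
    reduces to a constant yields the paper's decrypter conclusion."""
    eqs, _ = derive_equalities(facts)
    for op, dst, src, addr, t in facts:
        if op == "xor" and src in eqs:
            return f"decrypter({dst},key({eqs[src]}),{addr},time({t}))"
    return None
```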
Table 1: Assembly code of the GetModuleHandleA API call.

1 mov dword3, 6E72654Bh
2 mov dword4, 32336C65h
3 mov dword5, 0h
4 push offset dword3
5 call ds:GetModuleHandleA

Table 2: Obfuscated assembly code of the GetModuleHandleA API call (the leading number marks the corresponding instruction of Table 1).

3 mov dword1, 0h
3 mov edx, dword1
3 mov dword2, edx
3 mov ebp, dword2
2 mov edi, 32336C65h
2 lea eax, [edi]
1 mov esi, 0A624540h
1 or esi, 4670214Bh
2 lea edi, [eax]
2 mov dword4, edi
3 mov edx, ebp
3 mov dword5, edx
1 mov dword3, esi
4 mov edx, offset dword3
4 push edx
5 mov dword6, offset GetModuleHandleA
5 push dword6
5 pop dword7
5 mov edx, dword7
5 call dword ptr ds:0[edx]

4 Hotlist strategy

As described in the previous section, the analysis is divided into structure detection and parameter detection. Of the two, parameter detection accounts for most of the computational cost, and speeding it up largely determines the performance of the analyzer as a whole. In this paper we speed up parameter detection with a computation strategy called the hotlist strategy.

The hotlist strategy was proposed by Wos and is used to make inference by equality substitution, in particular by paramodulation, more efficient. The computational cost changes according to what the prover concentrates on, so we build hotlists that set which registers the theorem prover should focus on:

# hotlist group I: calculation registers
list(hot).
ax=const(x,y). bx=const(x,y).
cx=const(x,y). dx=const(x,y).
end_of_list.

# hotlist group II: memory registers
list(hot).
di=const(x,y). si=const(x,y).
bi=const(x,y). bp=const(x,y).
end_of_list.

4.1 Moufang identity problem

One problem on which the hotlist strategy, a look-ahead computation strategy, has been shown to be effective is the Moufang identity problem:

Moufang1: (x*y)*(z*x) = (x*(y*z))*x
Moufang2: ((x*y)*z)*y = x*(y*(z*y))
Moufang3: x*(y*(x*z)) = ((x*y)*x)*z

In particular, the hotlist strategy has been shown to be effective in deriving Moufang3 from Moufang1. Intuitively, it is presumed to work by giving priority, with respect to the search depth of paramodulation, to applying clauses of basic importance such as right (left) solvability, x * rs(x, y) = y.

4.2 Hotlist construction

In the evaluation experiments we built a hotlist for each of the eight registers, and two more for the two groups of calculation registers and memory-operation registers taken together.
5 Evaluation experiments

In the proposed system, data transfers are tracked when parameters are detected, so the choice of which register to focus on matters. In the evaluation experiments we generated polymorphic viral binary code with the structure described in Section 2, ran structure and parameter detection on it, and measured the computational cost. The generated code is of the following four types:

- Type 1: uses data-transfer mov instructions.
- Type 2: uses indirect addressing for decryption.
- Type 3: uses xchg instructions for the payload transfer.
- Type 4: uses stack-operation instructions for data transfer.

Figure 1: Proposed analysis system. (Block diagram; the boxes read: BINARY CODE, DISASSEMBLE, OPCODE DETECTION, OPERAND DETECTION, TRANSFER INSTRUCTION DETECTION, OTHER INSTRUCTION DETECTION, REGISTER, PAYLOAD TRANSFER DETECTION, LOOP / BRANCH DETECTION, PARAMETER SETTING DETECTION, DECIPHER DETECTION.)

HOTLIST    Type A, all clauses (no weighting)   Type A, all clauses (with weighting)
no heat         915                                  707
EAX             677                                  677
EBX             670                                  602
ECX             799                                  541
EDX             756                                  540
EDI            1078                                  822
ESI            1055                                  801
EBI            1055                                  801
EBP            1055                                  801
Group I         468                                  366
Group II       1510                                 1206

Table 3: Hotlist strategies for Type A. Paramodulation for detecting parameters into register E* is speeded up by the hotlist. We set 10 hotlists: one for each register and two for the groups.

Tables 3 to 6 show the results of applying the ten kinds of hotlist described in the previous section to the analysis of the four kinds of code. Random numbers are used in generating the polymorphic code. As the tables suggest, the effect of the hotlists built for the eight individual registers varies with the generated code. For the hotlists built for the two groups, the calculation registers (EAX, ECX, EBX, EDX) and the memory-operation registers (ESI, EDI, EBP, EBI), focusing on the calculation registers gave the faster analysis for all four kinds of code.
6 Conclusion and future work

As techniques for creating malicious code grow more sophisticated, software encryption and obfuscation are applied as techniques for evading detection and analysis. For these techniques, no methodology has been established that ensures reproducibility, classifies them, and supplies a rationale for their effect. In this paper we used automated theorem proving (ATP) techniques to formalize the process of analyzing binary code that contains an obfuscated decryption routine.
HOTLIST    Type B, all clauses (no weighting)   Type B, all clauses (with weighting)
no heat        1592                                  769
EAX             915                                  605
EBX            1561                                  494
ECX             497                                  490
EDX             519                                  593
EDI            1921                                 1164
ESI            1724                                  843
EBI            1724                                  685
EBP            1724                                  685
Group I         463                                  242
Group II       2422                                 1807

Table 4: Hotlist strategies for Type B.

HOTLIST    Type D, all clauses (no weighting)   Type D, all clauses (with weighting)
no heat        1877                                  801
EAX            1444                                  587
EBX            1675                                  587
ECX             870                                  599
EDX            1877                                  737
EDI            7406                                 1462
ESI            2028                                  876
EBI            2028                                  876
EBP            2028                                  876
Group I         563                                  259
Group II       8186                                 1891

Table 6: Hotlist strategies for Type D.
HOTLIST    Type C, all clauses (no weighting)   Type C, all clauses (with weighting)
no heat         976                                  604
EAX            1018                                  605
EBX             720                                  494
ECX             946                                  490
EDX             976                                  593
EDI            1592                                 1164
ESI            1272                                  843
EBI            1114                                  685
EBP            1114                                  685
Group I         738                                  463
Group II       2284                                 1807
Table 5: Hotlist strategies for Type C.
In the proposed method, theorem-proving techniques such as equality substitution are used to detect the structure and the parameters of the decryption routine from the binary code. In the detection process we then applied the hotlist strategy, one of the look-ahead strategies, and proposed a way of reducing the computational cost. In the evaluation experiments we built ten hotlists over the registers and reported the number of clauses generated during detection. This showed that, for the generated code, parameter detection is faster when the prover focuses on the calculation registers rather than on the memory-operation registers.