2008 - Automatically Identifying Trigger-based Behavior
Contribution
Demonstrates that automatic analysis of trigger-based behavior in malware is possible
Develops a technique for analyzing trigger-based behavior with
Does not need source code
Information
Approach
Automatically identifying trigger-based behavior in malware
MineSweeper
Mixed Execution Engine
Performs concolic execution and builds the path predicate
Converts x86 into an IR, since x86 is too complex to execute symbolically directly
Dynamic binary instrumentation
Analysts do not have access to the source code
QEMU
Mixed Execution Engine built on top of QEMU
For each instruction to be executed, the Engine checks whether the instruction reads any input of a trigger type; if so, the Engine assigns fresh symbolic variables to that location
Concolic execution
For each instruction issued, first decide whether each operand is symbolic or not
Trigger inputs are represented symbolically, and instructions that depend upon the trigger inputs operate on symbolic values, and are executed symbolically.
Trigger type specification
e.g. time, system events, network inputs, or any library or system call
Or monitoring possible inputs to the program, e.g. system calls and library calls
For each trigger type that the user defines, the user specifies where in memory the trigger inputs will be stored, so that the Mixed Execution Engine can assign symbolic variables correctly during mixed execution
Solver
Determines whether the path predicate is feasible and, if so, constructs an assignment of trigger values that makes the path predicate true
Path Selector
Decides which path among the set of feasible paths should be explored next
Uses different heuristics, e.g. breadth-first search, depth-first search, etc.
Runner
Executes the sample in an emulated environment with the trigger value produced by the solver
Intercepts any call of the specified trigger type and replaces its return value with the given trigger values
Given a piece of potentially malicious code and a list of trigger types of interest, we automatically explore as many different code paths as possible to
Trigger behavior
Code section that is executed only when its trigger condition is met
Trigger condition
Satisfiable formula/condition that allows a code section to be executed
Trigger type
e.g. system time, system events, network and keyboard inputs, and return values from library or system calls
Trigger input
Input from trigger type of interest
Trigger value
Values of the trigger inputs satisfying the trigger condition
Concolic execution
Concrete and symbolic execution
Symbolic execution
Concrete execution
Steps
Given a malicious program, the user selects trigger types of interest from an existing list or defines their own
Conduct concolic execution to explore different execution paths
Builds up symbolic expressions and constraints as it executes
When it reaches a conditional jump that depends on symbolic input, it generates two path predicates: the current predicate extended with the condition (true branch) and with its negation (false branch)
Both path predicates are given to the solver to check which is feasible; feasible paths are added to the set of paths to be explored further
The solver returns the generated trigger values that make the trigger condition true
Select the next path from the set of feasible paths to be explored further; the process returns to the 2nd step and continues concolic execution along the chosen path until it reaches a conditional jump again
The approach then executes the program concretely using the trigger values
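The exploration loop in the steps above, as an added Python example that is not the paper's or MineSweeper's code: a constructed toy sample with a date trigger and a magic network byte stands in for the malware, a brute-force search over the declared trigger domains stands in for the solver, and `explore` returns every distinct path reached together with the trigger values that reached it.

```python
from collections import deque
from itertools import product

# Constructed toy sample (not the paper's code): payload_A fires on one date,
# payload_B when a network byte equals a magic value. `branch(name, pred)` is the
# engine hook: it evaluates a trigger-input predicate concretely and records it.
DOMAIN = {"month": range(1, 13), "day": range(1, 32), "byte": range(256)}

def sample(branch):
    if branch("month == 4", lambda i: i["month"] == 4):
        if branch("day == 1", lambda i: i["day"] == 1):
            return "payload_A"
    if branch("byte == 0x9d", lambda i: i["byte"] == 0x9d):
        return "payload_B"
    return "benign"

def solve(constraints, domain):
    """Solver: brute-force an assignment satisfying [(pred, wanted_bool), ...]."""
    names = list(domain)
    for values in product(*(domain[n] for n in names)):
        cand = dict(zip(names, values))
        if all(pred(cand) == want for pred, want in constraints):
            return cand
    return None  # path predicate is infeasible

def explore(program, domain, initial):
    """MineSweeper-style loop: run, build the path predicate, negate each branch,
    solve for trigger values, explore feasible paths breadth-first (BFS)."""
    worklist, queued, results = deque([initial]), set(), {}
    while worklist:
        inp = worklist.popleft()              # path selector: breadth-first
        trace = []                            # [(name, pred, taken)]: path predicate
        def branch(name, pred):
            taken = bool(pred(inp))           # concrete outcome of a symbolic condition
            trace.append((name, pred, taken))
            return taken
        outcome = program(branch)             # runner with solver-chosen trigger values
        path = tuple((n, t) for n, _, t in trace)
        if path in results:
            continue                          # this path was already explored
        results[path] = (outcome, dict(inp))
        for i, (name, pred, taken) in enumerate(trace):
            negated = path[:i] + ((name, not taken),)
            if negated not in queued:         # keep prefix, flip branch i
                queued.add(negated)
                conj = [(p, t) for _, p, t in trace[:i]] + [(pred, not taken)]
                sol = solve(conj, domain)     # feasible? then sol holds trigger values
                if sol is not None:
                    worklist.append(sol)
    return results
```

Starting from a benign input such as `{"month": 1, "day": 1, "byte": 0}`, the loop reaches both payloads and reports the trigger values (month 4, day 1; byte 0x9d) without the analyst guessing them.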
Conclusion
Path predicate: formula that the trigger inputs need to satisfy in order for the code execution to go down that path
Evaluation
NetSky
MyDoom
Perfect Keylogger
TFN: Tribe Flood Network
Goal
Problem
Certain malicious code is executed only when certain trigger conditions are met (trigger-based behavior), and then causes real problems
Analysis with only a single approach will miss executing the hidden code
Objective