SlideShare uma empresa Scribd logo

Detecting Environment-Sensitive Malware

FFRI, Inc.
FFRI, Inc.

- An environment-sensitive malware are in the wild. - Host fingerprinting is a type of execution environment detection that complicates automated malware analysis on sandbox and signature matching. - VME(Virtual Machine Environment) detection is yet another sandbox evasion technique. - These techniques are enough to complicate automated malware analysis and malware signature matching. - We must polish up robust automated malware analysis method against malware mass-production.

Tecnologia
1 de 14
Baixar para ler offline
FFRI,Inc. 1 Monthly Research A survey of Environment-Sensitive Malware FFRI, Inc http://www.ffri.jp Ver 2.00.01
FFRI,Inc. Background • A damage is increasing by MITB(Man-in-the-Browser) malware such as “Citadel” – The Citadel targets money of online banking users • Citadel-like malware restricts malicious behavior except infected host to evade dynamic analysis[1] • We explain execution environment detection techniques and its countermeasures 2
FFRI,Inc. Why malware switched behavior? • Malware builders are sold on the Internet – Its make easier to build MITB malware(e.g., SpyEye) • “Malware operator” is not the same person with “Malware builder developer” • Malware builder developers are afraid that security vendor’s rounds up the malware manufactured by their builder – Developer does not want: • To clearly indicate malware behavior using automated dynamic analysis • To create effective signature for detecting malware that generated by their builder 3
FFRI,Inc. Environment-sensitive malware • These malware detect the execution environment and do not engage in malicious behavior when the current host differs from the infected host – To avoid behavior based malware detection[2] 4
FFRI,Inc. Execution environment detection techniques • Host fingerprinting – Identifying the host using host unique value – Detecting infected host or not • Virtual Machine Environment(VME) Detection – Detecting host’s execution environment which running on virtual machines 5
FFRI,Inc. Host Fingerprinting • Embedding infected host’s unique value into execution binary 6 Malware (Dropper) Unpacker Malicious code Self-rewriting when original malware execution Malware? Unpacker Malicious code with host unique value Different signature pattern
FFRI,Inc. Examples of Host Unique Value Category Environment Unique Values Hardware *GUID(Disk), MAC address(NIC), etc. System OS Product ID, Computer(NetBIOS) Name, Registry entry, etc. Application *Execution path, Username, etc. Network IP address(external check) 7 *Discovered in Citadel malware
FFRI,Inc. In the real malware • The Citadel malware (captured at 2013 later) – Getting GUID on system drive using the GetVolumeInformationA() – Comparing running host’s GUID value and embedded infected host’s value – Process executes malicious code if GUID values are consistent 8 Malware Unpacker Malicious code Infected host’s GUID(packed) Unpacked GUID Format: {XXXXXXXX-XXXX-XXXX-XXXXXXXX} Unpack
FFRI,Inc. Behavior of host unique value inconsistency • For example: – Process termination – Running fake(or harmless) code *We forecast that developers may implement advanced packing algorithm with host unique value in the future 9
FFRI,Inc. Anti host fingerprinting • Adding some rules of heuristic detection engine – Some APIs calling potential of host fingerprinting execution such as the GetVolumeInformation(), GeVolumeNameByHandle() , GetAdaptersAddresses() • Full environment emulation – Camouflaging the infected host’s unique value • Overriding API return value using system call proxy • In device emulation • Symbolic execution[3] – Predicate transformation semantics – Generating comprehensive test/trace automatically 10
FFRI,Inc. VME(Virtual Machine Environment) Detection • 2% of observed malware over the world since 2013 have implemented VME detection logic[5] • Approaches of VME detection[4][5][6] – Using virtual device feature bugs – Using VME specific resources – Using virtualized graphical environment features – Measuring timing and overheads • Anti VME detection – Looking at p.10 • Similar anti-host fingerprinting 11
FFRI,Inc. Conclusions • An environment-sensitive malware are in the wild • Host fingerprinting is a type of execution environment detection that complicates automated malware analysis on sandbox and signature matching • VME(Virtual Machine Environment) detection is yet another sandbox evasion technique • These techniques are enough to complicate automated malware analysis and malware signature matching • We must polish up robust automated malware analysis method against malware mass-production 12
FFRI,Inc. References • [1]: Analyzing Environment-Aware Malware, Lastline, 2014.05.25(viewed) http://labs.lastline.com/analyzing-environment-aware-malware-a-look-at-zeus-trojan-variant-called- citadel-evading-traditional-sandboxes • [2]: Martina Lindorfer, Clemens Kolbitsch, and Paolo Milani Comparetti. 2011. Detecting environment- sensitive malware. In Proceedings of the 14th international conference on Recent Advances in Intrusion Detection (RAID'11). Springer-Verlag, Berlin, Heidelberg, 338-357. http://dx.doi.org/10.1007/978-3-642-23644-0_18 • [3]: Andreas Moser, Christopher Kruegel, and Engin Kirda. 2007. Exploring Multiple Execution Paths for Malware Analysis. In Proceedings of the 2007 IEEE Symposium on Security and Privacy (SP '07). IEEE Computer Society, Washington, DC, USA, 231-245. http://dx.doi.org/10.1109/SP.2007.17 • [4] slabbed-or-not/github , 2014.05.25(viewed) https://github.com/kaniini/slabbed-or-not • [5]: Aurélien Wailly. Malware vs Virtualization The endless cat and mouse play, 2014.05.25(viewed) http://aurelien.wail.ly/publications/hip-2013-slides.html • [6]: Kang Li, Xiaoning Li. Comprehensive Virtual Appliance Detection. Black Hat Asia 1014. http://www.blackhat.com/docs/asia-14/materials/Li/Asia-14-Li-Comprehensive-Virtual-Appliance- Detection.pdf 13
FFRI,Inc. Contact Information E-Mail : research—feedback@ffri.jp Twitter: @FFRI_Research 14

Recomendados

CyCon 2019 - A Day in the Life of a Reverse Engineer
CyCon 2019 - A Day in the Life of a Reverse EngineerCyCon 2019 - A Day in the Life of a Reverse Engineer
CyCon 2019 - A Day in the Life of a Reverse EngineerJames Haughom Jr
 
Basic Malware Analysis
Basic Malware AnalysisBasic Malware Analysis
Basic Malware AnalysisAlbert Hui
 
Bug Finding - K.K.Mookhey
Bug Finding - K.K.MookheyBug Finding - K.K.Mookhey
Bug Finding - K.K.Mookheyamiable_indian
 
Dll preloading-attack
Dll preloading-attackDll preloading-attack
Dll preloading-attackCysinfo Cyber Security Community
 
MR201402 effectiveness of unknown malware classification by logistic regressi...
MR201402 effectiveness of unknown malware classification by logistic regressi...MR201402 effectiveness of unknown malware classification by logistic regressi...
MR201402 effectiveness of unknown malware classification by logistic regressi...FFRI, Inc.
 
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)FFRI, Inc.
 
MR201404 building secure linux application with privilege separation
MR201404 building secure linux application with privilege separationMR201404 building secure linux application with privilege separation
MR201404 building secure linux application with privilege separationFFRI, Inc.
 
MR201403 consideration and evaluation of using fuzzy hashing
MR201403 consideration and evaluation of using fuzzy hashingMR201403 consideration and evaluation of using fuzzy hashing
MR201403 consideration and evaluation of using fuzzy hashingFFRI, Inc.
 

Recomendados

CyCon 2019 - A Day in the Life of a Reverse Engineer
CyCon 2019 - A Day in the Life of a Reverse EngineerCyCon 2019 - A Day in the Life of a Reverse Engineer
CyCon 2019 - A Day in the Life of a Reverse EngineerJames Haughom Jr
 
Basic Malware Analysis
Basic Malware AnalysisBasic Malware Analysis
Basic Malware AnalysisAlbert Hui
 
Bug Finding - K.K.Mookhey
Bug Finding - K.K.MookheyBug Finding - K.K.Mookhey
Bug Finding - K.K.Mookheyamiable_indian
 
Dll preloading-attack
Dll preloading-attackDll preloading-attack
Dll preloading-attackCysinfo Cyber Security Community
 
MR201402 effectiveness of unknown malware classification by logistic regressi...
MR201402 effectiveness of unknown malware classification by logistic regressi...MR201402 effectiveness of unknown malware classification by logistic regressi...
MR201402 effectiveness of unknown malware classification by logistic regressi...FFRI, Inc.
 
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)
Black Hat USA 2016 Pre-Survey (FFRI Monthly Research 2016.6)FFRI, Inc.
 
MR201404 building secure linux application with privilege separation
MR201404 building secure linux application with privilege separationMR201404 building secure linux application with privilege separation
MR201404 building secure linux application with privilege separationFFRI, Inc.
 
MR201403 consideration and evaluation of using fuzzy hashing
MR201403 consideration and evaluation of using fuzzy hashingMR201403 consideration and evaluation of using fuzzy hashing
MR201403 consideration and evaluation of using fuzzy hashingFFRI, Inc.
 
Freeze Drying for Capturing Environment-Sensitive Malware Alive
Freeze Drying for Capturing Environment-Sensitive Malware AliveFreeze Drying for Capturing Environment-Sensitive Malware Alive
Freeze Drying for Capturing Environment-Sensitive Malware AliveFFRI, Inc.
 
IOCs for modern threat landscape-slideshare
IOCs for modern threat landscape-slideshareIOCs for modern threat landscape-slideshare
IOCs for modern threat landscape-slideshareSai Kesavamatham
 
Issa jason dablow
Issa jason dablowIssa jason dablow
Issa jason dablowISSA LA
 
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)FFRI, Inc.
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2ShapeBlue
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineLastline, Inc.
 
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...Aditya K Sood
 
Manufacturing Compromise The Emergence of Exploit-as-a-Service
Manufacturing Compromise The Emergence of Exploit-as-a-ServiceManufacturing Compromise The Emergence of Exploit-as-a-Service
Manufacturing Compromise The Emergence of Exploit-as-a-ServiceJITENDRA KUMAR PATEL
 
Detecting Intrusions and Malware - Eric Vanderburg - JurInnov
Detecting Intrusions and Malware - Eric Vanderburg - JurInnovDetecting Intrusions and Malware - Eric Vanderburg - JurInnov
Detecting Intrusions and Malware - Eric Vanderburg - JurInnovEric Vanderburg
 
Advanced Persistent Threats
Advanced Persistent ThreatsAdvanced Persistent Threats
Advanced Persistent ThreatsESET
 
Detection and Analysis of 0-Day Threats
Detection and Analysis of 0-Day ThreatsDetection and Analysis of 0-Day Threats
Detection and Analysis of 0-Day ThreatsInvincea, Inc.
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Maksim Shudrak
 
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...Andrew Morris
 
Seminario-15-04-2015-IT_professions_in_the_anti-malware_industry
Seminario-15-04-2015-IT_professions_in_the_anti-malware_industrySeminario-15-04-2015-IT_professions_in_the_anti-malware_industry
Seminario-15-04-2015-IT_professions_in_the_anti-malware_industryRoberto Sponchioni
 
Do You Write Secure Code? by Erez Metula
Do You Write Secure Code? by Erez MetulaDo You Write Secure Code? by Erez Metula
Do You Write Secure Code? by Erez MetulaAlphageeks
 
Botnets Attacks.pptx
Botnets Attacks.pptxBotnets Attacks.pptx
Botnets Attacks.pptxMuhammadRehan856177
 
Basic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareBasic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareNatraj G
 
Web application security
Web application securityWeb application security
Web application securityrandhawa121985
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maalHarsimran Walia
 
Honeycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicHoneycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicJulia Yu-Chin Cheng
 
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMFFRI, Inc.
 
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMFFRI, Inc.
 

Mais conteúdo relacionado

Semelhante a Detecting Environment-Sensitive Malware

Freeze Drying for Capturing Environment-Sensitive Malware Alive
Freeze Drying for Capturing Environment-Sensitive Malware AliveFreeze Drying for Capturing Environment-Sensitive Malware Alive
Freeze Drying for Capturing Environment-Sensitive Malware AliveFFRI, Inc.
 
IOCs for modern threat landscape-slideshare
IOCs for modern threat landscape-slideshareIOCs for modern threat landscape-slideshare
IOCs for modern threat landscape-slideshareSai Kesavamatham
 
Issa jason dablow
Issa jason dablowIssa jason dablow
Issa jason dablowISSA LA
 
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)FFRI, Inc.
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2ShapeBlue
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineLastline, Inc.
 
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...Aditya K Sood
 
Manufacturing Compromise The Emergence of Exploit-as-a-Service
Manufacturing Compromise The Emergence of Exploit-as-a-ServiceManufacturing Compromise The Emergence of Exploit-as-a-Service
Manufacturing Compromise The Emergence of Exploit-as-a-ServiceJITENDRA KUMAR PATEL
 
Detecting Intrusions and Malware - Eric Vanderburg - JurInnov
Detecting Intrusions and Malware - Eric Vanderburg - JurInnovDetecting Intrusions and Malware - Eric Vanderburg - JurInnov
Detecting Intrusions and Malware - Eric Vanderburg - JurInnovEric Vanderburg
 
Advanced Persistent Threats
Advanced Persistent ThreatsAdvanced Persistent Threats
Advanced Persistent ThreatsESET
 
Detection and Analysis of 0-Day Threats
Detection and Analysis of 0-Day ThreatsDetection and Analysis of 0-Day Threats
Detection and Analysis of 0-Day ThreatsInvincea, Inc.
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Maksim Shudrak
 
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...Andrew Morris
 
Seminario-15-04-2015-IT_professions_in_the_anti-malware_industry
Seminario-15-04-2015-IT_professions_in_the_anti-malware_industrySeminario-15-04-2015-IT_professions_in_the_anti-malware_industry
Seminario-15-04-2015-IT_professions_in_the_anti-malware_industryRoberto Sponchioni
 
Do You Write Secure Code? by Erez Metula
Do You Write Secure Code? by Erez MetulaDo You Write Secure Code? by Erez Metula
Do You Write Secure Code? by Erez MetulaAlphageeks
 
Basic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareBasic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareNatraj G
 
Web application security
Web application securityWeb application security
Web application securityrandhawa121985
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maalHarsimran Walia
 
Honeycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicHoneycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicJulia Yu-Chin Cheng
 

Semelhante a Detecting Environment-Sensitive Malware (20)

Freeze Drying for Capturing Environment-Sensitive Malware Alive
Freeze Drying for Capturing Environment-Sensitive Malware AliveFreeze Drying for Capturing Environment-Sensitive Malware Alive
Freeze Drying for Capturing Environment-Sensitive Malware Alive
 
IOCs for modern threat landscape-slideshare
IOCs for modern threat landscape-slideshareIOCs for modern threat landscape-slideshare
IOCs for modern threat landscape-slideshare
 
Issa jason dablow
Issa jason dablowIssa jason dablow
Issa jason dablow
 
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
TENTACLE: Environment-Sensitive Malware Palpation(PacSec 2014)
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
 
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with LastlineReacting to Advanced, Unknown Attacks in Real-Time with Lastline
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
 
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
 
Manufacturing Compromise The Emergence of Exploit-as-a-Service
Manufacturing Compromise The Emergence of Exploit-as-a-ServiceManufacturing Compromise The Emergence of Exploit-as-a-Service
Manufacturing Compromise The Emergence of Exploit-as-a-Service
 
Detecting Intrusions and Malware - Eric Vanderburg - JurInnov
Detecting Intrusions and Malware - Eric Vanderburg - JurInnovDetecting Intrusions and Malware - Eric Vanderburg - JurInnov
Detecting Intrusions and Malware - Eric Vanderburg - JurInnov
 
Advanced Persistent Threats
Advanced Persistent ThreatsAdvanced Persistent Threats
Advanced Persistent Threats
 
Detection and Analysis of 0-Day Threats
Detection and Analysis of 0-Day ThreatsDetection and Analysis of 0-Day Threats
Detection and Analysis of 0-Day Threats
 
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
Fuzzing malware for fun & profit. Applying Coverage-Guided Fuzzing to Find Bu...
 
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
BSidesCharleston2014 - Ballin on a Budget: Tracking Chinese Malware Campaigns...
 
Seminario-15-04-2015-IT_professions_in_the_anti-malware_industry
Seminario-15-04-2015-IT_professions_in_the_anti-malware_industrySeminario-15-04-2015-IT_professions_in_the_anti-malware_industry
Seminario-15-04-2015-IT_professions_in_the_anti-malware_industry
 
Do You Write Secure Code? by Erez Metula
Do You Write Secure Code? by Erez MetulaDo You Write Secure Code? by Erez Metula
Do You Write Secure Code? by Erez Metula
 
Botnets Attacks.pptx
Botnets Attacks.pptxBotnets Attacks.pptx
Botnets Attacks.pptx
 
Basic Dynamic Analysis of Malware
Basic Dynamic Analysis of MalwareBasic Dynamic Analysis of Malware
Basic Dynamic Analysis of Malware
 
Web application security
Web application securityWeb application security
Web application security
 
I haz you and pwn your maal
I haz you and pwn your maalI haz you and pwn your maal
I haz you and pwn your maal
 
Honeycon2016-honeypot updates for public
Honeycon2016-honeypot updates for publicHoneycon2016-honeypot updates for public
Honeycon2016-honeypot updates for public
 

Mais de FFRI, Inc.

Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMFFRI, Inc.
 
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMFFRI, Inc.
 
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017) TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017) FFRI, Inc.
 
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...FFRI, Inc.
 
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) FFRI, Inc.
 
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016) Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016) FFRI, Inc.
 
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)FFRI, Inc.
 
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...FFRI, Inc.
 
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)FFRI, Inc.
 
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)FFRI, Inc.
 
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7) About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7) FFRI, Inc.
 
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)FFRI, Inc.
 
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...FFRI, Inc.
 
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)FFRI, Inc.
 
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...FFRI, Inc.
 
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)FFRI, Inc.
 
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)FFRI, Inc.
 
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)FFRI, Inc.
 
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...FFRI, Inc.
 
Malwarem armed with PowerShell
Malwarem armed with PowerShellMalwarem armed with PowerShell
Malwarem armed with PowerShellFFRI, Inc.
 

Mais de FFRI, Inc. (20)

Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
 
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARMAppearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
Appearances are deceiving: Novel offensive techniques in Windows 10/11 on ARM
 
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017) TrustZone use case and trend (FFRI Monthly Research Mar 2017)
TrustZone use case and trend (FFRI Monthly Research Mar 2017)
 
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
Android Things Security Research in Developer Preview 2 (FFRI Monthly Researc...
 
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017) An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
An Overview of the Android Things Security (FFRI Monthly Research Jan 2017)
 
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016) Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
Black Hat Europe 2016 Survey Report (FFRI Monthly Research Dec 2016)
 
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
An Example of use the Threat Modeling Tool (FFRI Monthly Research Nov 2016)
 
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
 
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
Introduction of Threat Analysis Methods(FFRI Monthly Research 2016.9)
 
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
Black Hat USA 2016 Survey Report (FFRI Monthly Research 2016.8)
 
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7) About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
About security assessment framework “CHIPSEC” (FFRI Monthly Research 2016.7)
 
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
Black Hat Asia 2016 Survey Report (FFRI Monthly Research 2016.4)
 
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
ARMv8-M TrustZone: A New Security Feature for Embedded Systems (FFRI Monthly ...
 
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
CODE BLUE 2015 Report (FFRI Monthly Research 2015.11)
 
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
Latest Security Reports of Automobile and Vulnerability Assessment by CVSS v3...
 
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
Black Hat USA 2015 Survey Report (FFRI Monthly Research 201508)
 
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
A Survey of Threats in OS X and iOS(FFRI Monthly Research 201507)
 
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
Security of Windows 10 IoT Core(FFRI Monthly Research 201506)
 
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
Trend of Next-Gen In-Vehicle Network Standard and Current State of Security(F...
 
Malwarem armed with PowerShell
Malwarem armed with PowerShellMalwarem armed with PowerShell
Malwarem armed with PowerShell
 

Último

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 

Último (20)

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 

Detecting Environment-Sensitive Malware

  • 1. FFRI,Inc. 1 Monthly Research A survey of Environment-Sensitive Malware FFRI, Inc http://www.ffri.jp Ver 2.00.01
  • 2. FFRI,Inc. Background • A damage is increasing by MITB(Man-in-the-Browser) malware such as “Citadel” – The Citadel targets money of online banking users • Citadel-like malware restricts malicious behavior except infected host to evade dynamic analysis[1] • We explain execution environment detection techniques and its countermeasures 2
  • 3. FFRI,Inc. Why malware switched behavior? • Malware builders are sold on the Internet – Its make easier to build MITB malware(e.g., SpyEye) • “Malware operator” is not the same person with “Malware builder developer” • Malware builder developers are afraid that security vendor’s rounds up the malware manufactured by their builder – Developer does not want: • To clearly indicate malware behavior using automated dynamic analysis • To create effective signature for detecting malware that generated by their builder 3
  • 4. FFRI,Inc. Environment-sensitive malware • These malware detect the execution environment and do not engage in malicious behavior when the current host differs from the infected host – To avoid behavior based malware detection[2] 4
  • 5. FFRI,Inc. Execution environment detection techniques • Host fingerprinting – Identifying the host using host unique value – Detecting infected host or not • Virtual Machine Environment(VME) Detection – Detecting host’s execution environment which running on virtual machines 5
  • 6. FFRI,Inc. Host Fingerprinting • Embedding infected host’s unique value into execution binary 6 Malware (Dropper) Unpacker Malicious code Self-rewriting when original malware execution Malware? Unpacker Malicious code with host unique value Different signature pattern
  • 7. FFRI,Inc. Examples of Host Unique Value Category Environment Unique Values Hardware *GUID(Disk), MAC address(NIC), etc. System OS Product ID, Computer(NetBIOS) Name, Registry entry, etc. Application *Execution path, Username, etc. Network IP address(external check) 7 *Discovered in Citadel malware
  • 8. FFRI,Inc. In the real malware • The Citadel malware (captured at 2013 later) – Getting GUID on system drive using the GetVolumeInformationA() – Comparing running host’s GUID value and embedded infected host’s value – Process executes malicious code if GUID values are consistent 8 Malware Unpacker Malicious code Infected host’s GUID(packed) Unpacked GUID Format: {XXXXXXXX-XXXX-XXXX-XXXXXXXX} Unpack
  • 9. FFRI,Inc. Behavior of host unique value inconsistency • For example: – Process termination – Running fake(or harmless) code *We forecast that developers may implement advanced packing algorithm with host unique value in the future 9
  • 10. FFRI,Inc. Anti host fingerprinting • Adding some rules of heuristic detection engine – Some APIs calling potential of host fingerprinting execution such as the GetVolumeInformation(), GeVolumeNameByHandle() , GetAdaptersAddresses() • Full environment emulation – Camouflaging the infected host’s unique value • Overriding API return value using system call proxy • In device emulation • Symbolic execution[3] – Predicate transformation semantics – Generating comprehensive test/trace automatically 10
  • 11. FFRI,Inc. VME(Virtual Machine Environment) Detection • 2% of observed malware over the world since 2013 have implemented VME detection logic[5] • Approaches of VME detection[4][5][6] – Using virtual device feature bugs – Using VME specific resources – Using virtualized graphical environment features – Measuring timing and overheads • Anti VME detection – Looking at p.10 • Similar anti-host fingerprinting 11
  • 12. FFRI,Inc. Conclusions • An environment-sensitive malware are in the wild • Host fingerprinting is a type of execution environment detection that complicates automated malware analysis on sandbox and signature matching • VME(Virtual Machine Environment) detection is yet another sandbox evasion technique • These techniques are enough to complicate automated malware analysis and malware signature matching • We must polish up robust automated malware analysis method against malware mass-production 12
  • 13. FFRI,Inc. References • [1]: Analyzing Environment-Aware Malware, Lastline, 2014.05.25(viewed) http://labs.lastline.com/analyzing-environment-aware-malware-a-look-at-zeus-trojan-variant-called- citadel-evading-traditional-sandboxes • [2]: Martina Lindorfer, Clemens Kolbitsch, and Paolo Milani Comparetti. 2011. Detecting environment- sensitive malware. In Proceedings of the 14th international conference on Recent Advances in Intrusion Detection (RAID'11). Springer-Verlag, Berlin, Heidelberg, 338-357. http://dx.doi.org/10.1007/978-3-642-23644-0_18 • [3]: Andreas Moser, Christopher Kruegel, and Engin Kirda. 2007. Exploring Multiple Execution Paths for Malware Analysis. In Proceedings of the 2007 IEEE Symposium on Security and Privacy (SP '07). IEEE Computer Society, Washington, DC, USA, 231-245. http://dx.doi.org/10.1109/SP.2007.17 • [4] slabbed-or-not/github , 2014.05.25(viewed) https://github.com/kaniini/slabbed-or-not • [5]: Aurélien Wailly. Malware vs Virtualization The endless cat and mouse play, 2014.05.25(viewed) http://aurelien.wail.ly/publications/hip-2013-slides.html • [6]: Kang Li, Xiaoning Li. Comprehensive Virtual Appliance Detection. Black Hat Asia 1014. http://www.blackhat.com/docs/asia-14/materials/Li/Asia-14-Li-Comprehensive-Virtual-Appliance- Detection.pdf 13
  • 14. FFRI,Inc. Contact Information E-Mail : research—feedback@ffri.jp Twitter: @FFRI_Research 14