Intro Evasion Study Extension Evaluation Conclusions
Symbolic Execution of Malicious Software:
Countering Sandbox Evasion Techniques
Fabio Rosato
Advisors: Camil Demetrescu, Daniele Cono D’Elia
October 24, 2017
Master of Science in Engineering in Computer Science
1 / 20 Fabio Rosato M.Sc. Engineering in Computer Science
Malicious software - An ever growing threat
Malware analysis
Static analysis Dynamic analysis
Concrete execution - Example
One run of the function, with the concrete value each statement produces shown as a trailing comment:

    #define ERROR   1
    #define SUCCESS 0
    int read_int(void);          /* reads one integer from the program's input */

    int foo() {
        int x = 1;
        int y = read_int();      /* input: 3 */
        int z = y * 2 + x;       /* 3 * 2 + 1 = 7 */
        if (z == 13) {           /* 7 == 13 is false */
            return ERROR;
        } else {
            return SUCCESS;      /* this run returns SUCCESS */
        }
    }
Symbolic execution - Example
The same function executed with its input left symbolic: λ stands for whatever read_int() returns.

    int foo() {
        int x = 1;
        int y = read_int();      /* y = λ  (symbolic) */
        int z = y * 2 + x;       /* z = λ * 2 + 1 */
        if (z == 13) {           /* Forking! the condition depends on λ, so the execution splits in two */
            return ERROR;        /* path constraint: λ * 2 + 1 == 13  (satisfiable: λ = 6) */
        } else {
            return SUCCESS;      /* path constraint: λ * 2 + 1 != 13 */
        }
    }
Symbolic execution of malware
Applications of symbolic execution have so far been confined almost exclusively to general software testing, with excellent results.
Its ability to cover, in principle, every execution path and then identify the concrete input values that trigger each of them makes it an ideal instrument for studying the trigger-based behaviors that are extremely common in malware.
Malware evasion defined
Malware evasion: the set of techniques employed by malware to avoid being detected by an automated dynamic analysis product.
An evasive malware is a sample that exhibits no malicious behavior in a sandbox but does infect the intended target.

    if observed:
        act_innocent()
    else:
        do_bad_things()
The problem with malware evasion
Evasive checks represent critical branching points: whichever side of the check the analysis follows decides whether the malicious payload is ever reached, so an analysis that fails the check only ever observes the innocent behavior.
Contribution: malware evasion categorization

    Evasion
      Proactive-Attack
        Instruction-based
        Time-based
      Reactive-Detection
        Reverse-Turing-Tests
        Time-based
        Hardware-based
        Artifact-based
          File-system
          Process
          OS
Contribution: common Windows API interaction patterns

Category: OS artifacts detection
  Check                            Involved APIs
  Registry key presence            RegOpenKeyEx
  Registry key value               RegOpenKeyEx, RegQueryValueEx
  User name                        GetUserName
  Process enumeration              CreateToolhelp32Snapshot
  Windows                          FindWindow

Category: Process artifacts detection
  Check                            Involved APIs
  Hooks                            -
  Injected DLLs                    GetModuleHandle
  Debugging                        IsDebuggerPresent, OutputDebugString, CheckRemoteDebuggerPresent

Category: File system artifacts detection
  Check                            Involved APIs
  File system artifact presence    GetFileAttributes, CreateFile
  Execution path                   GetModuleFileName
  Common file names                GetLogicalDriveStrings, GetFileAttributes

Category: Hardware-based detection
  Check                            Involved APIs
  Single CPU                       GetSystemInfo
  Small amount of RAM              GlobalMemoryStatusEx
  Small drive size                 DeviceIoControl, GetDiskFreeSpaceEx
  CPUID fingerprinting             CPUID (x86 instruction, not an API)
  Network adapter details          GetAdaptersAddresses

Category: Time-based detection
  Check                            Involved APIs
  Sleep patched                    GetTickCount, Sleep
  Uptime                           GetTickCount
  RDTSC timing                     RDTSC (x86 instruction, not an API)

Category: Reverse Turing tests
  Check                            Involved APIs
  Mouse movement                   GetCursorPos
Contribution: Angr anti-evasion extension
Angr: an open source Python framework for analyzing binaries that combines both static and dynamic symbolic analysis (http://angr.io/).
Contribution: Angr anti-evasion extension
Constrain the symbolic exploration to pass the evasive detection checks: the values the detection APIs return are restricted to those a real victim machine would produce, so the exploration is not diverted into the innocent branch and reaches the behavior the sample hides from sandboxes.
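The following is an added example written for this page; it is not code from the thesis or from the angr-antievasion repository. It reproduces, in plain Python, the three ideas on these slides: a branch on a symbolic value forks the exploration, each path keeps the constraints it took and a solver turns them into concrete inputs (λ = 6 for the ERROR path of foo()), and the extension's idea of constraining the exploration so that the detection checks are passed. Assumptions: expressions are limited to the form a*sym + b over a single symbol and constraints to == / !=, which keeps the solver to a few lines (angr does the same job with claripy bit-vectors and an SMT solver); the evasive sample, its single-CPU test written as == 1 rather than < 2, and the DLL name sbiedll.dll are constructed for illustration. Unaided, the evasive sample has three act_innocent paths and one do_bad_things path; with the CLEAN_MACHINE constraints in place only the do_bad_things path survives, which is the unaided/aided comparison of the evaluation slides in miniature.

```python
import itertools
from collections import namedtuple

Cond = namedtuple("Cond", "lin eq k")   # path constraint: lin == k when eq is True, lin != k otherwise

class Unsat(Exception):
    """A path's constraints have no solution: the path is pruned."""

class Lin:
    """Linear expression a*sym + b.  Operators accept plain ints only, so nothing is silently dropped."""
    def __init__(self, sym, a, b):
        self.sym, self.a, self.b = sym, a, b
    def __add__(self, k):
        return Lin(self.sym, self.a, self.b + k) if isinstance(k, int) else NotImplemented
    def __mul__(self, k):
        return Lin(self.sym, self.a * k, self.b * k) if isinstance(k, int) else NotImplemented
    __radd__, __rmul__, __hash__ = __add__, __mul__, object.__hash__
    def __eq__(self, k):                # `z == 13` builds a path constraint instead of comparing
        return Cond(self, True, k)
    def __ne__(self, k):
        return Cond(self, False, k)
    def __repr__(self):
        return f"{self.a}*{self.sym} + {self.b}"

def sym(name):
    """A fresh symbolic unknown (the λ of the slides), e.g. whatever an API call returns."""
    return Lin(name, 1, 0)

def solve(conds):
    """Return {sym: int} satisfying every constraint, or raise Unsat."""
    pinned, excluded = {}, {}
    for c in conds:
        a, b, x = c.lin.a, c.lin.b, c.lin.sym
        if a == 0:                      # no symbol left: the constraint is plainly true or false
            if (b == c.k) != c.eq:
                raise Unsat(c)
            continue
        if (c.k - b) % a:               # a*x + b == k has no integer solution ...
            if c.eq:
                raise Unsat(c)
            continue                    # ... so its != form always holds
        v = (c.k - b) // a
        if c.eq:
            if pinned.setdefault(x, v) != v:
                raise Unsat(c)
        else:
            excluded.setdefault(x, set()).add(v)
    model = {}
    for x in set(pinned) | set(excluded):
        bad = excluded.get(x, set())
        if x in pinned and pinned[x] in bad:
            raise Unsat(x)
        model[x] = pinned[x] if x in pinned else next(v for v in itertools.count() if v not in bad)
    return model

class State:
    """One path under exploration: the branch decisions to replay and the constraints collected."""
    def __init__(self, prefix, pre):
        self.prefix, self.taken, self.conds = prefix, [], list(pre)
    def branch(self, cond):
        """Forking point: take the scheduled side (default True), record its constraint, prune if unsat."""
        i = len(self.taken)
        choice = self.prefix[i] if i < len(self.prefix) else True
        self.taken.append(choice)
        self.conds.append(cond if choice else Cond(cond.lin, not cond.eq, cond.k))
        solve(self.conds)
        return choice

def explore(program, pre=()):
    """Run program down every feasible path; returns one (result, model, constraints) per path."""
    paths, worklist = [], [[]]
    while worklist:
        prefix = worklist.pop()
        st = State(prefix, pre)
        try:
            paths.append((program(st), solve(st.conds), list(st.conds)))
        except Unsat:
            pass                        # dead path; its siblings are still scheduled below
        for i in range(len(prefix), len(st.taken)):   # every branch that defaulted to True
            worklist.append(st.taken[:i] + [False])   # still has an unexplored False side
    return paths

def foo(st):
    # the slides' foo(): y = read_int(); z = y*2 + 1; if (z == 13) ERROR else SUCCESS
    y = sym("y")                        # read_int() -> λ
    z = y * 2 + 1                       # λ*2 + 1
    return "ERROR" if st.branch(z == 13) else "SUCCESS"     # Forking!

def evasive_malware(st):
    """if observed: act_innocent() else: do_bad_things(), 'observed' decided by three table checks."""
    if st.branch(sym("IsDebuggerPresent") != 0):             # debugging check
        return "act_innocent"
    if st.branch(sym("dwNumberOfProcessors") == 1):          # single-CPU check via GetSystemInfo (== 1 stands in for < 2)
        return "act_innocent"
    if st.branch(sym("GetModuleHandle(sbiedll.dll)") != 0):  # injected-DLL check; DLL name assumed
        return "act_innocent"
    return "do_bad_things"

# Anti-evasion layer: before exploring, fix the detection APIs' answers to those of a clean victim machine.
CLEAN_MACHINE = [sym("IsDebuggerPresent") == 0, sym("dwNumberOfProcessors") != 1,
                 sym("GetModuleHandle(sbiedll.dll)") == 0]
```

Calling `explore(evasive_malware)` returns four paths, three of them ending in act_innocent with a model such as IsDebuggerPresent = 1; `explore(evasive_malware, CLEAN_MACHINE)` returns the single do_bad_things path, because every act_innocent branch contradicts a CLEAN_MACHINE constraint and is pruned at the fork. Pruning at the fork rather than after the run is what keeps the path count from growing with the number of checks.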
Extension evaluation - Paranoid Fish
Paranoid Fish: open source tool that demonstrates several techniques employed by malware families to detect whether they are being executed in an analysis environment, be it a debugger, a VM, or a sandbox.
57 different checking functions.
[Figure: results over the 57 checks, unaided vs. aided by the extension]
Extension evaluation - Kasidet
Kasidet malware: a backdoor that gathers information and communicates with a C&C server, allowing a remote attacker to take over the infected machine by exchanging files with the server and executing shell commands.
Sample: de1af0e97e94859d372be7fcf3a5daa5.
17 different detective evasion functions.
[Figure: results over the 17 evasion functions, unaided vs. aided by the extension]
Conclusions - Summary
Thesis focus: improving the applicability of symbolic execution to the malware domain by patching evasion techniques.
Contributions:
  high-level categorization of evasive techniques
  Windows API interaction pattern study for the most widespread detective evasion techniques
  Angr anti-evasion extension
Thesis, slides, and code are all available at
https://github.com/fabros/angr-antievasion
Thank you!
Fabio Rosato
rosato.1565173@studenti.uniroma1.it