The First Step Towards Modeling Unbreakable Malware

Tiantian Ji Binxing Fang Xiang Cui∗ [email protected] [email protected] [email protected] Key Laboratory of Trustworthy Key Laboratory of Trustworthy Cyberspace Institute of Advanced Distributed Computing and Service Distributed Computing and Service Technology, Guangzhou University (BUPT), Ministry of Education, (BUPT), Ministry of Education, Guangzhou, China Beijing University of Posts and Beijing University of Posts and Telecommunications Telecommunications Beijing, China Beijing, China Zhongru Wang Jiawen Diao Tian Wang [email protected] Key Laboratory of Trustworthy Key Laboratory of Trustworthy Chinese Academy of Cyberspace Distributed Computing and Service Distributed Computing and Service Studies (BUPT), Ministry of Education, (BUPT), Ministry of Education, Beijing, China Beijing University of Posts and Beijing University of Posts and Telecommunications Telecommunications Beijing, China Beijing, China WeiQiang Yu (Beijing DigApis Technology Co., Ltd Beijing, China ABSTRACT KEYWORDS Constructing stealthy malware has gained increasing popularity Unbreakable Malware, Accurate identification, Intent concealment among cyber attackers to conceal their malicious intent. Never- theless, the constructed stealthy malware still fails to survive the ACM Reference Format: reverse engineering by security experts. Therefore, this paper mod- Tiantian Ji, Binxing Fang, Xiang Cui, Zhongru Wang, Jiawen Diao, Tian eled a type of malware with an “unbreakable” security attribute- Wang, and WeiQiang Yu. 2020. The First Step Towards Modeling Unbreak- unbreakable malware (UBM), and made a systematical probe into able Malware. In xxx. ACM, New York, NY, USA, 13 pages. https://doi.org/ xxx this new type of threat through modeling, method analysis, experiments, evaluation and anti-defense capacity tests. Specifically, we first formalized the definition of UBM and analyzed its security attributes, put forward two core features that are essential for 1 INTRODUCTION realizing the “unbreakable” security attribute, and their relevant Malware comes in various forms, including viruses, worms, remote tetrad for evaluation. Then, we worked out and implemented four access Trojans , bots, ransomware, etc. Since the Morris worm ap- algorithms for constructing UBM, and verified the “unbreakable” peared in 1988, malware has demonstrated its destructiveness and security attribute based on our evaluation of the abovementioned started to cause international concern. In recent years, cybersecu- two core features. After that, the four verified algorithms were em- rity companies and media have released many reports on major ployed to construct UBM instances, and by analyzing their volume cybersecurity incidents, most of which actually focus on malware increment and anti-defense capacity, we confirmed real-world ap- analysis. Undoubtedly, malware accounts for a thorny problem in arXiv:2008.06163v2 [cs.CR] 13 Nov 2020 plicability of UBM. Finally, to address the new threats incurred by cyberspace security [5]. UBM to the cyberspace, this paper explored some possible defense As the lasting arms race featuring cyberattack and defense is measures, with a view to establishing defense systems against UBM entering a new stage, many malware programs attempt to conceal attacks. their existence and malicious intent, and thus are called “stealthy malware” (SM for short). This type of malware stands a chance ten times higher than conventional malware to launch a successful Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed attack [17]. A recent report [3] estimates that SM-based attacks for profit or commercial advantage and that copies bear this notice and the full citation account for 35% of all attacks at present, and the attacks in the first on the first page. Copyrights for components of this work owned by others than ACM half of 2019 alone, for example, increased by 364%. It is not hard to must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a see that constructing stealthy malware has become a trend. fee. Request permissions from [email protected]. Despite the lots of studies invested into construction and im- arxiv ’20, 2020, xxx provement of stealthy malware, the malware’s malicious intent still © 2020 Association for Computing Machinery. ACM ISBN xxx...$xxx risks being uncovered. For example, the Stuxnet worm, a notori- https://doi.org/xxx ous stealthy malware program, has been constructed only aimed at arxiv ’20, 2020, xxx Tiantian Ji, Binxing Fang, Xiang Cui, Zhongru Wang, Jiawen Diao, Tian Wang, and WeiQiang Yu attacking industrial control systems that are installed with some par- volume increment and successfully avoid the detection of almost ticular software and hardware. Another noted example of stealthy all antivirus engines, thereby verifying the high-threat combat malware is the DarkHotel spyware which incorporates a function capacity of UBM. to detect virtual machines, sandbox environment and antivirus 5) To defend against the security threats incurred by UBM, this engines. These environments are not the target environments of paper has identified the vulnerabilities of UBM during thetwo DarkHotel, and only in the case where they are not detected will the links of its construction: “target attribute designation” and “func- spyware perform its malicious acts. Analysis of the Stuxnet worm tioning stages”, and explored some possible defense solutions, and DarkHotel spyware, however, reveals that their attack targets, with a vision to enhance UBM-oriented security defense. malicious intent and attack methods are all hardcoded in malware files. The security defenders can employ static analysis to conduct 2 BACKGROUND AND RELATED WORK complete reverse engineering of such malware, which is the major This section presents relevant research work. In view of some exist- challenge that stealthy malware engineers face at present. ing problems in constructing stealthy malware, the research back- DeepLocker [6], a malware that IBM Research proposed on Black ground, related work, and our UBM modeling views are introduced Hat 2018, was the first proof-of-concept of the new type of mal- in this section. ware that this paper is devoted to. Before an attack is unleashed, the DeepLocker realizes the perfect “unbreakable” attribute with the help of AI technologies, i.e., even if its codes are available as 2.1 Basic concepts open source, its malicious intent remains stealthy. Moreover, in an To conduct accurate UBM modeling, this paper first defines relevant actual attack case, the malware BIOLOAD coded by the APT group concepts as follows: FIN7, based on the attribute of “computer name” and hashing, also • attempted to attain this “unbreakable” attribute. BIOLOAD once D1 Malicious Payload: Independent files or code segments again proves that unbreakable malware can be employed as a novel that harbor malicious intent, like the code segments in Not- advanced technique to launch attacks in real-world application. Petya that perform the function of erasing the hard drive. In this connection, this paper modeled a type of UnBreakable Mal- Moreover, in this paper, the plaintext attack payload is termed ware (UBM) and analyzed it in an all-round manner through mod- plain payload (denoted as “pp”), while the corresponding en- eling, method analysis, experiments, evaluation and anti-defense crypted ciphertext attack payload is termed cipher payload capacity tests. The main contributions of this paper are as follows: (denoted as “cp”). • D2 Malicious Intent: Intent carried by the malicious pay- 1) This paper, for the first time, proposed the concept of UBM and load to pinpoint its attack target, technique, act, purpose, modeled it formally. The UBM abandons the “if this, then that” etc. Common malicious intent includes intelligence stealing, target identification algorithm that the existing stealthy malware data encryption, hard-drive erasure, data shredding and so depends on, displacing it with a new algorithm that is able to pre- on. • cisely perceive a (or a type of) target environment; meanwhile, D3 Target Attribute: The attribute designated by an at- it conceals its malicious intent. In this way, a common malware tacker. In this paper, we use T to denote a target attribute can be equipped with the “unbreakable” security attribute, thus sample, and its corresponding non-target attribute sample are able to defend against reverse engineering completely. is denoted as 푇 ; the set of target attribute samples and that 2) This paper proposed two core features – non-enumerability and of the non-target attribute samples together constitute the definiteness, which are essential for realizing the “unbreakable” input space X of the UBM. In this paper, the UBM estab- security attribute. Further, a tetrad to evaluate the two core fea- lishes a “one-to-one” or “one type-to-one” mapping relation tures was put forward in this paper through formalized definition between the target attribute sample and the key. This paper and analysis. The malware that meets the constraint conditions defines the target attribute used for “one-to-one” mapping for this tetrad is able to survive forward analysis and reverse as the target attribute of uniqueness, e.g., a specific file or engineering. Thereby, the two core features work to ensure the a specific computer name; and the target attribute used for realization of the “unbreakable” security attribute in a thorough “one type-to-one” mapping is defined as the target attribute manner. of unique-typedness, e.g., the facial images of Tom Cruise. 3) Based on the formalized definition of UBM and research on its security attributes, this paper then proposed an architecture for 2.2 Triggering conditions for stealthy malware constructing UBM, and found four algorithms to realize the two attacks functions of “accurate identification” and “intent concealment”. Before an attack is unleashed, the malware seeks stealthiness by hid- Also, by implementing these four algorithms and evaluating ing its malicious intent. An attack will be launched if and only if the their security, this paper confirmed that the UBM Discriminator stealthy malware meets some specific attack triggering conditions. constructed based on the four algorithms had incorporated this By the attack triggering condition, this paper divides the attack “unbreakable” security attribute, as is in conformity with the implementation mechanism of existing stealthy malware into two standard for UBM construction. types: target environment detection-based implementation, and 4) Based on the four algorithms and the UBM six-tuple, this paper complex logic judgment-based implementation. has constructed four actual UBMs. Evaluation of the applicability of these programs proved that UBM can realize an unperceivable • Target environment detection The First Step Towards Modeling Unbreakable Malware arxiv ’20, 2020, xxx

Existing stealthy malware determines whether to unleash an attack ATT&CK [13], we found that such information can be easily at- by detecting and judging whether the target environment meets its tained through reverse engineering or network monitoring. To put anticipation. Detectable indicators include the residential country, it another way, the defender can utilize such information to break language, operation system (version) and system performance of the attack triggering conditions and thereby uncover the malicious the current host computer. For instance, only when a specific plat- intent. form or an operation system (version) is found as expected can the Accordingly, this paper discards the “if this, then that” design malware for Stuxnet, Duqu, Gauss and Flame execute a malicious idea, and replaces it with the two functions of “accurate identi- attack [2]. fication” and “intent concealment”. This not only makes ithard Furthermore, researchers have proposed various sandbox de- to access the information for ascertaining the attack triggering tection techniques [1, 7, 9] to help design the attack triggering conditions, but ensures that the malicious payload will not be de- conditions, and conducted comprehensive detection and evaluation coded even when the code of the malware is available as open of various sandbox features to determine whether the current host source (because the malicious payload encrypted based on this is computer environment is the sandbox environment. If it is detected hard-to-get information). In this way, the malicious intent is made as the sandbox environment, the malware will not work or attempt “unbreakable”. to make the system break down. Only in a non-sandbox environment can the malware be triggered off to unleash an attack, and this non-sandbox environment is actually the target environment of the stealthy malware. 2.3 Attack Mechanism of DeepLocker In this section, we take DeepLocker as an example of UBM and explore its mechanism to help for modeling UBM for research. As shown in Figure 2, DeepLocker uses a deep neural network (DNN) model to accurately identify the target attributes and conceal the intent of the malicious payload. The two core functions are implemented through the two processes – concealment and unlocking. During concealment, DeepLocker uses the DNN to conduct dynamic concealment of the symmetric key, i.e., the key will not be hardcoded into the malware, while the input received is taken as a basis for the DNN to determine whether to generate the key or not. During concealment, the key is employed to encrypt a plain Figure 1: Execution Flow of stealthy malware payload into a cipher payload, so the DNN’s concealment of the key means successful concealment of the malicious intent. A DNN model can help implement our concealment of malicious intent • Complex logic judgment mainly because with its well-trained classification function based One dynamic analysis of malware can only cover one execution on the data sets of target attributes and of non-target attributes, it path, so complex logic structures are designed for various types can implement accurate identification of the target attributes. of stealthy malware to conceal their execution branches of the Correspondingly, during unlocking, the DNN first accurately malicious payload. Unleashing a malicious attack depends on the identifies the target attribute (as shown by the facial image ofTom execution of the complex logic branches. For example, magic bytes Cruise in Figure 2) to assist generating the key for decoding the or string matching, stalling loop and infinite loop all fall into the cipher payload, and then unleashes an attack. In this way, the “if category of complex logic judgment [16]. this, then that” design idea is displaced. This type of stealthy malware that launches attacks based on Based on the attack mechanism of DeepLocker, this paper analy- complex logic judgment, as presented in the above examples, has ses further the main reasons for its “unbreakable” security attribute made it a challenge in the detection process of symbolic execution from the perspective of a security defender: [12], fuzz testing [18] and other dynamic analysis tasks. As a con- First, the target attribute cannot be ascertained by brute-force tra- sequence, complex logic judgment-based design is popular among versal . The target attribute is assigned as controlled by the attacker, attackers. who can make use of specific pictures, files, videos, audios, phys- To sum up, in constructing the two attack triggering conditions, ical environment, software environment, user action, geographic we will end up with the judgment “Is this a target”, no matter how location, and so on. The defender neither knows the type of the complex the target environment or logic judgment is. As shown in target attribute, nor has any means to match the specific target Figure 1, both of the two attack triggering conditions worked out attribute. It is challenging to conduct brute-force traversal of the in this paper are in line with the “if this, then that” design idea, i.e., target attribute, as hard as or even harder than to crack the AES-128 as long as the judgment condition “Is this a target” is satisfied, the algorithm, and this is an unreachable hashrate for current electronic malicious attack will be triggered and unleashed. computers. Thereby, from the perspective of forward decryption , as This design, however, has its limitations: The information used the target attribute cannot be ascertained by brute-force traversal, to crack the attack triggering conditions is always hardcoded in the trigger cannot be activated; consequently, the cipher payload the malware or transmitted via the command and control (C&C) cannot be decrypted and executed, and the malicious intent cannot channel. By analyzing the study case of some actual attacks in be identified by the defender. arxiv ’20, 2020, xxx Tiantian Ji, Binxing Fang, Xiang Cui, Zhongru Wang, Jiawen Diao, Tian Wang, and WeiQiang Yu

Figure 2: Execution flow of DeepLocker and its concealment and unlocking operations

Second, the cryptographic algorithm’s key strength is at least Therefore, hereinafter, the “encryption key” and “decryption key” 128 bits, which is a crucial indicator to measure the security level were jointly called “key” and denoted by “푘푒푦”. Its corresponding of a cryptographic algorithm. Even if DeepLocker is open source, wrong key was denoted by “푘푒푦”. its built-in cipher payload cannot be reversely cracked, mainly in Assumption 4: From a realistic perspective, this paper assumed that the DeepLocker takes the AES-128 algorithm by default and that all relevant adversarial attack-and-defense processes related has a key strength of 128 bits, and the defender cannot obtain any to malware were placed in an electronic computer environment, information by analyzing the open source DeepLocker to crack for instead of a quantum computer environment. the key. Therefore, key guessing is the only solution for reverse decryption, but no existing techniques are capable of guessing a 3.2 Formalized definition of UBM key with 128 bits strength. To sum up, we conclude that the “unbreakable” attribute of UBM Based on the above assumptions, this paper provided a formalized is determined by two functions – “accurate identification” and “in- definition of UBM. tent concealment”. On this basis, hereinafter, we perform modeling • Model Define: UBM (UnBreakable Malware). The UBM, com- of the highly stealthy malware and analyze its attributes in the prised of a six-tuple, refers to a type of malware with the “un- following sections. breakable” security attribute, denoted as UBM={Discriminator, Unb, Judger, Decryptor, cp, BenCode}. 3 FORMALIZED MODELING OF Discriminator: A Discriminator realizes the two core functions UNBREAKABLE MALWARE of “accurate identification” and “intent concealment”, and con- 3.1 Assumptions for modeling verts the input space X into possibleKey, denoted as Discriminator: → Modeling inevitably depends on specific assumptions. To explicitly 푋 푝표푠푠푖푏푙푒퐾푒푦. It incorporates the two mapping relations of express the functions and action scope of UBM, this paper made 푇 → 푘푒푦 and 푇 → 푘푒푦. The function is expressed as 푝표푠푠푖푏푙푒퐾푒푦 = the following assumptions: 퐷푖푠푐푟푖푚푖푛푎푡표푟 (푋), and then 푘푒푦 = 퐷푖푠푐푟푖푚푖푛푎푡표푟 (푇 ) and 푘푒푦 = Assumption 1: To demonstrate that the UBM has the “unbreak- 퐷푖푠푐푟푖푚푖푛푎푡표푟 (푇 ). For the target attribute of uniqueness, the Dis- able” security attribute, the UBM in this paper was placed in a criminator represents a tuple of itself, denoted as 퐷푖푠푐푟푖푚푖푛푎푡표푟 = cooperative adversarial environment. Advanced antivirus engines {퐷푖푠푐푟푖푚푖푛푎푡표푟 }; for the target attribute of unique-typedness, the were deployed on the perimeter of the network and on the victim Discriminator represents a two-tuple, denoted as 퐷푖푠푐푟푖푚푖푛푎푡표푟 = host computer for defense, and high-caliber reverse engineers for {푓퐶표푙푙푒푐푡표푟,퐷푖푠푐푟푖푚푖푛푎푡표푟 }. security were allowed to be present to stay vigilant. fCollector: The feature collector. Aimed at the target attribute Assumption 2: As for the application scenario, we assumed that of unique-typedness, the fCollector extracts the main feature infor- the location of the target was unknown, and the UBM had to seek its mation of the target attribute, helping the Discriminator to map a attack target by castnet communication. One real-world example of type of target attributes to a unique stable key. casenet communication is intranet translation that malware usually Unb: The intrinsic and “unbreakable” security attribute of the employs to seek a target in a physically-isolated private network UBM. This attribute entails two core features of the malware–“non- or organization. enumerability” and “definiteness”, and it is denoted as Unb={non- Assumption 3: During UBM construction, even though the enumerability, definiteness}. malicious payload supports both symmetric and asymmetric en- non-enumerability: The input space and output space are too cryption, this paper only assumed symmetric encryption as the big to be traversed in a brute-force manner. All input and output algorithm to help construct the UBM, because the asymmetric en- spaces mentioned in this paper refer to the input and output spaces cryption complicates UBM design and features a low encryption- of the Discriminator. That is, the input space X consists of 푇 and 푇 , decryption speed without bringing additional security benefits. and the output space possibleKey comprises 푘푒푦 and 푘푒푦. The First Step Towards Modeling Unbreakable Malware arxiv ’20, 2020, xxx

definiteness: The algorithm that processes inputs of the corre- The target attribute of uniqueness has only one corresponding lation engine features definiteness. That is, the same input orthe target sample in the input space, so as shown in Formula (2), the same type of inputs, if fed into the engine for multiple times, will value of 푃푖푛 depends on the number of total samples in the input yield the same output. space. These two core features (non-enumerability and definiteness) The target attribute of unique-typedness has only one specific are manifested as the functions of “accurate identification” and type of target samples in the input space. As shown in Formula (3), “intent concealment” in malware implementation. Thus, the security in the input space, we denote the complexity of target samples attribute of UBM depends on the Discriminator for realization. is denoted as 푂 (푡푎푟푔푒푡 푐푙푎푠푠), and the complexity of total sam- Judger: The security attribute judging function, which works ples as 푂 (푡표푡푎푙 푐푙푎푠푠푒푠). Then, 푃푖푛 is the ratio of 푂 (푡푎푟푔푒푡 푐푙푎푠푠) to ensure that the implementation of the Discriminator realizes the to 푂 (푡표푡푎푙 푐푙푎푠푠푒푠). Suppose each class has the same number of security attributes of UBM. It takes the Discriminator as the input, samples, then the value of 푃푖푛 will be dependent on the size of the and outputs the tuple for evaluating the Discriminator, denoted as sample class space in the input space. 푒푣푎 = 퐽푢푑푔푒푟 (퐷푖푠푐푟푖푚푖푛푎푡표푟). In the output space, 푃표푢푡 is used to express the possibility of eva: A constraint tuple that evaluates the Discriminator, ex- enumerated targets. The target object that we enumerate is a key, pressed as Formula (1), where x, y, z and w represent the critical which is unique. Thus, as shown in Formula (4), the value of 푃표푢푡 values to meet the evaluation standards. These values are specified will be dependent on the number of total samples in the output by the attacker as per the actual attack scenario, attack demand space. What’s more, as the key is in the plain text format, we sup- and attack capacity. Only when the eva evaluation standards are pose the cipher payload is open source, then the number of total met will the Discriminator be considered qualified for constructing samples in the output space will be dependent on the key strength. the UBM. b) Definiteness 푒푣푎 = {푃푖푛 ≤ 푥, 푃표푢푡 ≤ 푦, 푃푠푡푎 ≥ 푧, 푃푎푐푐 ≤ 푤} (1) Definiteness helps to ensure the quality of the key generated by the Discriminator. In this paper, a high-quality key is termed a Decryptor: The Decryptor takes the cipher payload and possi- “stable key”. To generate stable key, this paper divides “definiteness” bleKey as inputs and attempts to decode the cipher payload. It is further into two important probability attributes for formalized def- denoted as 퐷푒푐푟푦푝푡표푟 = {푘푒푦퐽푢푑푔푒푟,푑푒푐퐹푢푛푐}. inition. They are “key stability” and “key accessibility”, respectively keyJudger: The key judgment mechanism. It judges whether a denoted as 푃 and 푃 . possibleKey is a 푘푒푦; when the possibleKey is a 푘푒푦, it will interrupt 푠푡푎 푎푐푐 the execution of the Decryptor. ○1 Key stability decFunc: A decryption function. If and only if a possibleKey is This paper prescribes the following essential requirements for a key can the decFunc convert the cipher payload into the plain key stability: most of the positive samples must have the same cor- payload, which is denoted as: 푝푝 = 푑푒푐퐹푢푛푐(푐푝, 푘푒푦); otherwise, responding key within an acceptable scope of fault tolerance. In this the decFunc will not produce any output, thereby lowering the risk paper, the target attribute input samples are positive samples, while of UBM’s being detected. those non-target attribute samples are called negative samples. cp: The cipher payload. It represents encrypted plain payload, Hereby, we have the formalized definition of 푃푠푡푎, as shown which is obtained through encryption of the key generated by the in Formula (5), and 푃푠푡푎 comes out as a probability. When 푃푠푡푎 Discriminator based on the target attribute sample T. approaches 0, the key has extremely low stability; when 푃푠푡푎 ap- BenCode: A benign functional code. The UBM, if not detected, proaches 1, the key has good stability. inserts the malicious code into the BenCode to circumvent detection In Formula (5), 푆푖 refers to the i-th possibleKey mapped with by an antivirus engine. One common example of BenCode is video positive samples, and 푚푆푖 refers to the count of 푆푖 , i.e., the number conferencing software. of positive samples that correspond to the same possibleKey. A larger 푚푆 means higher stability of 푆푖 . Thus, we chose the maximum value 3.3 The two core features 푖 푚푆푥 , and took the corresponding 푆푥 as the key. Thereby, 푃푠푡푎 would As specified in the formalized definition of UBM, “non-enumerability” be the ratio of the number of samples of the corresponding key to and “definiteness” are the two core features to satisfy the “unbreak- the number of all positive samples. Therefore, the bigger 푃푠푡푎 is, the able” security attribute (i.e., Unb). Table 1 presents the formalized more stable the key will be, as is more in line with the requirements analysis of these two features in different scenarios. in this paper. a) Non-enumerability ○2 Key accessibility This paper gave a formalized definition of non-enumerability ina This paper had the following essential requirements for key accessi- reversed manner. That is, this paper provided a formalized definition bility: Most of the negative samples should not be able to generate a of the possibility to enumerate the target objects, and a smaller key (i.e., the accessibility of key approaches 0) within an acceptable possibility of enumeration would mean higher non-enumerability. scope of fault tolerance. The enumerated object(s) in the input space was (were) one In this paper, 푃푎푐푐 has a formalized definition as shown in For- or one type of target sample in correspondence with the target mula (6). As with 푃푠푡푎, 푃푎푐푐 also comes out as a probability. When attribute. In this paper, the enumerability in the input space is 푃푎푐푐 approaches 0, the negative samples can hardly be mapped to denoted as 푃푖푛. As shown in Formula (2) and (3), 푃푖푛 is the ratio of the key; when it approaches 1, almost all negative samples can be the number of target samples to that of total samples. mapped to the key through the Discriminator. arxiv ’20, 2020, xxx Tiantian Ji, Binxing Fang, Xiang Cui, Zhongru Wang, Jiawen Diao, Tian Wang, and WeiQiang Yu

Table 1: Formalized definitions of non-enumerability and definiteness

푈푛푏 non-enumerability definiteness 푇 Input space Output space Key stability Key accessibility

푡푎푟푔푒푡 푠푎푚푝푙푒 푃 = 푖푛 푡표푡푎푙 푠푎푚푝푙푒푠 uniqueness 1 푡푎푟푔푒푡 푠푎푚푝푙푒 = 푃표푢푡 = ( ) Í푛 (( ⊙ ) ∗ ) 푡표푡푎푙 푠푎푚푝푙푒푠 푡표푡푎푙 푠푎푚푝푙푒푠 푚푎푥 푚푆0 ,푚푆1 ,푚푆2 , . . . ,푚푆푛 푖=0 푆푖 푘푒푦 푚푆푖 푃푠푡푎 = Í푛 푃푎푐푐 = Í푛 (2) 1 푚푆 푚푆 = 푖 푖 푖 푖 푡표푡푎푙 푠푎푚푝푙푒푠 (5) (6) 푡푎푟푔푒푡 푠푎푚푝푙푒 푃 = (4) 푖푛 푡표푡푎푙 푠푎푚푝푙푒푠 unique-typeness 푂 (푡푎푟푔푒푡 푐푙푎푠푠) = 푂 (푡표푡푎푙 푐푙푎푠푠푒푠) (3)

(a) Concealment of malicious intent

(b) Unlocking of malicious intent

Figure 3: Architecture for UBM construction

In Formula (6), 푆푖 refers to the i-th output mapped from negative 3.4 UBM construction architecture samples. If 푆푖 is the same as the key, the key is accessible, and 푆푖 Based on the formalized definition of UBM and our research on its is an accessible sample. Otherwise, the key is not accessible, and security attributes, we proposed an architecture for UBM construc- Í푛 (( ⊙ ) ∗ ) 푆푖 is an inaccessible sample. Accordingly, 푖=0 푆푖 푘푒푦 푚푆푖 tion. It comprises two processes of malicious intent concealment represents the count of accessible samples. 푃푎푐푐 is the ratio of the and unlocking, as shown in Figure 3. count of all accessible samples to that of all negative samples. The During the concealment proccess, the attacker assigns the target smaller 푃푎푐푐 is, the less accessible the key will be, as is more in line attribute in the input space X, and uses a Discriminator in confor- with the requirements in this paper. mity with the UBM construction criteria to generate a key. The encryptor, with the key and the plain payload as its input, outputs the cipher payload and thereby conceals the malicious intent. The First Step Towards Modeling Unbreakable Malware arxiv ’20, 2020, xxx

In the unlocking process, the UBM does not know its attack The experiment was performed on the Windows platform, though target, so the built-in Discriminator takes possible attribute sam- the construction of UBM can also be fulfilled on Linux or other ples as the input, and outputs possibleKey to perform decryption platforms. Besides, when constructing the UBM, we used the AES over and over again. Because of its accurate identification function, symmetric encryption algorithm, in which the secret key length when the Discriminator identifies the target attribute, the condi- employed equals to the secret key strength. As a 128-bit key is hard tion 푝표푠푠푖푏푙푒퐾푒푦 = 푘푒푦 is satisfied, after which the cipher payload to crack, we made sure that the output key should be at least 128 can be decrypted and the plain payload can be generated. Mean- bits long when constructing the Discriminator . while, because of the intent concealment function of the Discrim- inator, when it has not identified the target attribute, the output 4.1 Value transfer algorithm 푝표푠푠푖푏푙푒퐾푒푦 = 푘푒푦 , thereby concealing the key. In this case, as The value transfer algorithm is the most simple and direct approach there is no way to decrypt the cipher payload, concealment of key to convert the target attribute into a key. It constructs the Discrim- is equivalent to concealment of the malicious intent. inator by combination, splicing, clipping, value assignment and other operations, and establishes a mapping from the target attribute to the key. In this paper, we chose SSID as the target attribute. As SSID can set be set at any length within the (0, 256] bit zone, we used the combined information of SSID and GUID to generate the key, as specified in formula (7). where 푘푒푦푤푙푎푛 refers to the key for encrypting and decrypt- ing the malicious payload, 푙푒푛(푆푆퐼퐷) refers to the length of SSID, 푘푒푦푙푒푛(푆푆퐼퐷) (푆푆퐼퐷) is part of the key generated by SSID, and 푘푒푦128−푙푒푛(푆푆퐼퐷) (퐺푈 퐼퐷) is part of the key generated by GUID, and “+” denotes “combination” or “splicing”. Specifically, Formula (7) provides two different schemes togen- Figure 4: Execution Flow of UBM erate the key, depending on the length of SSID:

푘푒푦푙푒푛(푆푆퐼퐷) (푆푆퐼퐷) + 푘푒푦128−푙푒푛(푆푆퐼퐷) (퐺푈 퐼퐷), (푖) 푘푒푦 = (7) Figure 4 shows the implementation flow of the UBM when the 푤푙푎푛 푚푑5(푆푆퐼퐷), (푖푖) target attribute is identified. In comparison with the SM implementation flow (Figure 1), UBM replaces the “if this, then that” (i). When the SSID length <=128 bits, we would use all SSID bi- attack-triggering idea with the realization of the Discriminator’s nary representations as part of the key, and the remaining functions – “accurate identification” and “intent concealment”. To part of the 128 bits would be supplemented by the key gener- realize these two functions, the following requirements must be met: ated by GUID. In this case, the final key is a combination of (1) The input space of the Discriminator should be non-enumerable. GUID and SSID information. (2) In the mapping relation implemented by the Discriminator, the (ii). When the SSID length >128 bits, we performed md5 comput- key will be output when and only when the input is the target ing on SSID to generate a 128-bit key. attribute. (3) The input space should also be non-enumerable; in other words, the output key must be at least 128-bit strong. When these three requirements are met, the UBM will be unbreakable and survive both forward analysis or reverse engineering. This clearly demonstrates the necessity of “non-enumberabilty” and “definiteness”. To sum up, the focus of UBM construction is on the Discriminator. Based on the attribute judgment function, this paper explored and found the four algorithms that could support construction of the Figure 5: Value transfer algorithm based Discriminator Discriminator (Figure 3): ○1 Value transfer algorithm; ○2 Typical Hash algorithm; ○3 Binary deep neural network; and ○4 Perceptual Finally, we constructed a value transfer Discriminator based on Hash algorithm. In the following experiments in this paper, we Formula (7). As shown in Figure 5, when the Discriminator detects would first construct a Discriminator with the abovementioned two that the current host computer is located in the target network core functions based on these four algorithms for construction of environment (labeled “target SSID”), the key will be generated by the UBM. the value transfer algorithm. It should be noted that the type of target attributes corresponding 4 EXPERIMENT to the value transfer Discriminator are generally short texts. In Table 2 shows the tuples of four UBMs. Based on the above-mentioned addition to SSID, the texts can also be a hard disk serial number or four algorithms (Figure 3) that were used to construct the Discrimi- a computer name that marks the physical environment of the host nator, we constructed the UBMs to conduct further performance computer. They can also be taken as target attributes to construct evaluation. Discriminator. arxiv ’20, 2020, xxx Tiantian Ji, Binxing Fang, Xiang Cui, Zhongru Wang, Jiawen Diao, Tian Wang, and WeiQiang Yu

Table 2: Tuples for modeling four UBM

UBM={Discriminator, Unb, Judger, Decryptor, cp, BenCode} Number Discriminator Unb eva←Judger Decryptor cp BenCode

휑 = 푃퐾퐶푆7푃푎푑푑푖푛푔 ○1 1 Value transfer algorithm  푃 ≤  −  푖푛 128  훿 = 퐴퐸푆 128  2   1   ≤  In this paper, 푃표푢푡 128 2 휑 = 푃퐾퐶푆7푃푎푑푑푖푛푔 a.exe in trick- In this paper,   ○2 Typical hash algorithm  푃푠푡푎 = 1 bot is taken BenCode is   훿 = 퐴퐸푆 − 256  푃푎푐푐 = 0 as pp, while realized as Unbreakable   cp represents a simple 휑 = 푃퐾퐶푆7푃푎푑푑푖푛푔 the encrypted pop-out ○3 Binary deep neural network  1   푃푖푛 ≤  훿 = 퐴퐸푆 − 128 output of Dis- program.  2128   1  criminator.  ≤  푃표푢푡 128 2 휑 = 푃퐾퐶푆7푃푎푑푑푖푛푔   ○4 Perceptual hash algorithm  푃푠푡푎 ≥ 95%   훿 = 퐴퐸푆 − 128 푃푎푐푐 ≤ 0.5%  

4.2 Typical hash algorithm 4.3 Binary deep neural network The key generation scheme (ii) provided by Formula (7) is designed The binary classification deep neural network (“B-DNN” for short) based on a typical hash algorithm, which includes sha1, sha256, model is implemented, aimed at the target attribute of the unique- sha512, aside from md5. These algorithms have some salient fea- typedness. During its implementation, the input space should be tures: First, the target attribute in these algorithms can be short provided with a type of high-quality target attribute samples set and text objects in the value transfer algorithm, or part of the long text a type of high-quality non-target attribute samples set to meet the (no shorter than 128 bits) included in some specific files in a victim demand for B-DNN training. A well-trained B-DNN can establish a host computer. Second, these algorithms can convert the target “multiple-to-one” mapping relationship between one type of target attributes into unbreakable secret key of different lengths. For in- samples and the stable key. stance, md5, sha1, sha256 and sha512 algorithms can respectively Thus, we first constructed a binary classification sample set. convert the following secret key lengths: 128 bits, 160 bits, 256 bits Specifically, we designated the facial images of Tom Cruise asthe and 512 bits. To highlight these two features, this paper took some target attributes, and those that were not his facial images as the specific files as the target attributes and constructed a Discriminator non-target attributes. Figure 7 shows some examples of a type of based on the sha256 algorithm, as shown in Formula (8): target attribute samples.

푘푒푦ℎ푎푠ℎ = 푠ℎ푎256(푡퐹푖푙푒) (8)

where tFile refers to a designated target file, and sha256() can be realized by the sha256() method in the hashlib, and thus 푘푒푦ℎ푎푠ℎ is the key generated based on the target file. As the example shown in Figure 6, the APT1 report titled Appendix C (Digital) - The Malware Figure 7: Examples of a type of facial images of Tom Cruise Arsenal.pdf is the designated target file; if the Discriminator takes this file as the input, the output key will be: 0xe22e8ccf50d9e0013688 Then, we trained the B-DNN model using the prepared sample 229ffbffb4bc3a77e6e46b23726fd83925ba5899af3e. set to realize the binary classification and achieve accurate identification of the target attributes. Meanwhile, in Discriminator construction, concealment of malicious intent is realized by concealing the key. Therefore, in the B-DNN model in this paper, the key was dynamically concealed in a specific hidden layer. Moreover, this designated hidden was designed to have at least 128 neurons so that the output key could be no shorter than 128 bits to defend against reverse decryption. After repeated adjustment, training and testing, we obtained a Figure 6: Typical hash algorithm based Discriminator B-DNN model (Figure 8). In the figure, Conv refers to the convolu- tional layer, Relu refers to the activation layer, which is implemented based on the rectified linear unit function; Pool refers to the pooling The First Step Towards Modeling Unbreakable Malware arxiv ’20, 2020, xxx

(a) 퐼0 (b) not 퐼0

Figure 10: Target images for Perceptual hash based Discrim- inator

Thereby, for a type of target attribute samples, the B-DNN based Discriminator could produce a stable output, i.e., the stable key. Take for example the facial image of Tom Cruise shown in Figure 9; we fi- Figure 8: Unfolded layers of B-DNN nally obtained the stable key: 0x5c3871870e3c50f469dd86aeed38f7ed.

4.4 Perceptual hash algorithm layer, AffineX refers to the fully-connected layer, with X indicat- ing the number of neurons within. For example, Affine128 refers The perceptual hash algorithm generates a “fingerprint” charac- to a fully-connected layer with 128 neurons. The Dropout layer ter string for each image and then compares the fingerprints: a serves to prevent overfitting, and Softmax, the last layer, performs higher similarity between the fingerprints indicates more resem- normalization and classification. blance between the corresponding images. One notable feature At last, we built a B-DNN based Discriminator (Figure 9): Layers of this algorithm is that it generates the fingerprint for a type of 0-17 in the model form the feature collector fCollector, and Layers similar images. When an attacker designates a specific image, the 18-25 constitute the Discriminator. When the image of Tom Cruise perceptual hash algorithm can generate different embeddings for is taken as the input, fCollector will first collect the features, and this image and keep their perceptual hash values the same. This the output of the fully-connected layer is taken as high dimension considerably facilitates coordinated adversarial attacks and helps feature vector representation, which will then be input into the circumvent detection of signatures and hashes by the defenders so Discriminator to identify whether the input image is the target that other bots will remain hidden when one bot is detected. attribute. Suppose we denote a type of images with perceptual hashes as {퐼0, 퐼1, 퐼2, . . . , 퐼푛}, and when one target image 퐼0 is designated, other images of the same type {퐼1, 퐼2, . . . , 퐼푛 } are usually man-made. Figure 10 presents an example: Sub-fig. (a) shows a target image designated by the text, i.e., the image of the Microsoft Word program. We slightly altered (a) to generate Sub-fig. (b) while maintaining their visual resemblance. They had distinct sha256 hash values but the same perceptual hash value. Therefore, both sub-figs. (a) and (b) can be taken as the target image and be accurately identified by the perceptual hash-based Discriminator. In this paper, we constructed a Discriminator based on the perceptual hash algorithm (Figure 11). As with the B-DNN based Dis- criminator, this Discriminator is also aimed at the target attribute of unique-typedness and comprises fCollector and Discriminator. The fCollector, with the two functions of “image graying” and “image size adjustment”, collects the main features of an input image and outputs a 9*9 gray image as the feature image. Then, the Dis- criminator calculates the row hash and column hash of the feature image before outputting a hash image and a column hash image, Figure 9: B-DNN Based Discriminator both of a size of two 8*8. These two output images correspond to two 64-bit hash calculation results, which are then combined Specifically, the Discriminator will produce output for Affine128 into a 128-bit output. An example is shown in Figure 11: the tar- (Layer 18 shown in Figure 8), and the established B-DNN has stable get image 퐼0 in Figure 10 is input into the Discriminator, and the representation on this output, i.e., it corresponds to a type of target output is a 128-bit key, which is represented in hexadecimal as: attribute samples, and the 128-bit outputs on this layer are very 0xd4e8e8aa8c94d4d4ffc04b6b6baab680. similar. Then, we use the bucketization mechanism to process these To judge whether these four Discriminators constructed above similar outputs to achieve a stable output. For example, both 0.995 meet the requirements for UBM construction, we designed quali- and 0.998 were output as 1, 0.0006 and 0.0001 were output as 0. tative constraints on the “unbreakable” security attribute 푈푛푏 of arxiv ’20, 2020, xxx Tiantian Ji, Binxing Fang, Xiang Cui, Zhongru Wang, Jiawen Diao, Tian Wang, and WeiQiang Yu

For value transfer based Discriminator and typical hash based Discriminator, the input target attribute samples are text no shorter than 128 bits. There are no constraints on the content of the textual inputs, so the difficulty of traversing these inputs in the binary space 푙푒푛(푡푎푟푔푒푡 푠푎푚푝푙푒) 128 will surely satisfy 푃푖푛 = 1/2 ≤ 1/2 , where 푙푒푛(푡푎푟푔푒푡푠푎푚푝푙푒) refers to the binary length of the target attribute sample. It should be noted that the file type’s target attributes also fall into the category of text. For B-DNN based Discriminator and perceptual hash based Dis- Figure 11: Perceptual hash algorithm based Discriminator criminator, the input attribute samples were a type of images. When used to constructed the UBM, these two algorithms established a the UBM according to Table 2. That is, we specified the four crit- “multiple-to-one” mapping relation between a specific type of im- ical values x, y, z and w in the tetrad eva. Then, we specified the ages and key no shorter than 128 bits, and generated the different evaluation standards for non-enumerability of 푃푖푛 and 푃표푢푡 as the outputs for different types of images. Since the enumeration space 128 constraint, and the evaluation standards for definiteness of 푃푠푡푎 and of the key were at least 2 large, the number of corresponding 128 푃푎푐푐 as the constraints. As per the formalized definition of UBM, types of images surely exceeded 2 , which met the standard . 푈푛푏 is a two-tuple consisting of the two core features. That is to say, To sum up, the input and output spaces of all the four Discrimina- only when the malware constructed by the Discriminator meets the tors constructed in this paper met the requirement of “unbreakable” evaluation standards of these two core features can it be defined as non-enumerability. UBM, i.e., malware with the “unbreakable” security attribute 푈푛푏. To sum up, in order to construct the UBM, we would first evaluate 5.2 Evaluation of definiteness the two core features of “non-enumerability” and “definiteness” in the upcoming text. The Discriminators constructed based on the value transfer algorithm and typical hash algorithm establishes a “one-to-one” map- 5 EVALUATION ping relation between the target attribute and the key, and there is only one positive sample that corresponded to the target attribute. This paper evaluated the Discriminators by the following four as- Therefore, according to Table 2, 푃 and 푃 must be 1 and 0. pects: (a) non-enumerability, (b) definiteness, (c) UBM volume in- 푠푡푎 푎푐푐 Using Formula (5), we obtained that 푃 was 1:1, which indi- crement, and (d) actual adversarial defense capability. Evaluation of 푠푡푎 cates a 100% probability for “key stability”. As shown in the non- the first two is a security evaluation ofthe Discriminator to judge enumerability evaluation, the input space comprised of positive whether the discriminator meets the criteria for UBM construction; and negative samples was infinitely large, which means that the evaluation of the latter two is a fact evaluation of the applicability number of negative samples corresponding to non-target attributes of the UBM. In other words, by evaluating (c) and (d), we could was no less than 2128. Therefore, according to Formula (6) and the measure the UBM’s capacity to survive antivirus engines and sound “one-to-one” definite mapping relation, 푃 ≤ 0/2128 = 0, i.e., the alarms for security defense. 푎푐푐 “key accessibility” probability was 0. 5.1 Evaluation of non-enumerability The Discriminators constructed based on B-DNN and the perceptual hash algorithms establish a “multiple-to-one” mapping between As per the standard for generating 128-bit unbreakable key, we the target attributes and the key. As shown by the eva tuple in Ta- 2128 set the limit of the infinite traversal at . Thus, as shown in ble 2, we set an acceptable range of fault tolerance, requiring that Table 2, the enumeration space in both the input and output spaces 푃푠푡푎 ≥ 95% and 푃푎푐푐 ≤ 0.5%. 2128 in this paper had to exceed . From the perspective of reverse For the B-DNN based Discriminator, the input space is finite. definition, both of the two non-enumerability indicators 푃푖푛 and According to Formula (5) and (6), if the requirements for key stabil- ≤ 1/2128 푃표푢푡 were set as in this paper. ity and accessibility requirements can be satisfied in a finite input In this paper, all the four Discriminators output key no shorter space, then they can also be satisfied in an actual input space that is than 128 bits, and the key length was equivalent to the key strength infinitely large. Therefore, for the B-DNN based Discriminator, the because we used the AES algorithm. The Discriminator constructed finite input space was created by the Tom Cruise’s facial images based on the typical hash algorithm output 256-bit key, and accord- 256 128 data set (contains 1317 positive samples) and non-Tom Cruise’s ing to Formula (4), 푃표푢푡 = 1/2 < 1/2 ; the rest three Discrimi- 128 facial images data set (contains 1757 negative samples). Finally, this nators generated 128-bit key, and the corresponding 푃표푢푡 = 1/2 . Discriminator achieved a 푃푠푡푎 of 98.5%, and a 푃푎푐푐 of 0, which met That is to say, all of the four Discriminators met the standards for the evaluation standard for “definiteness”. unbreakable non-enumerability in the output space. Particularly, for the Discriminator created based on the percep- • Input space tual hash algorithm, all images in a same type of samples, except As indicated by Formula (2) and (3), to realize the unbreakable the initially designated image 퐼0, are inputs controlled and ma- non-enumerability in the input space, the total number of input liciously tweaked by the attacker, and they are invisible to the 128 samples should be at least 2 for the target attribute of unique- defender. The only visible image is the image 퐼0 in the input space. ness; and for the target attribute of unique-typedness, the total In this logic, though the discriminator built based on the perceptual number of input sample types should be no less than 2128. hash algorithm is for the target attribute of unique-typedness, the The First Step Towards Modeling Unbreakable Malware arxiv ’20, 2020, xxx

“multiple-to-one” mapping relation it establishes is in essence equiv- library, so the model can be saved to a very small size, making the alent to a “one-to-one” mapping relation. Then, by using Formula (5) final total volume increment stay at only 4.27 MB. Compared with and (6), the 푃푠푡푎 was 1 and the 푃푎푐푐 was 0. that of a benign function program, this volume is still unlikely to To sum up, the four Discriminators built in this paper all satisfied raise the defender’s suspicion. the requirements of “key stability” and “key accessibility”, so they Given the analyses of volume increment above, the range of showed “definiteness”. The results of non-enumerability evaluation volume increment of the four UBMs built in this paper was [0.99 also revealed that they met the standards. In other words, all the MB, 4.27 MB], and the larger the volume of the benign function four Discriminators fulfilled the “unbreakable” security attributes program was, the less likely the UBM would be detected as suspi- and hence met the standards for constructing the UBM. Then, based cious. Therefore, in actual attack scenarios, selecting proper benign on the tuples presented in Table 2, we constructed four UBMs in function programs is necessary according to the acceptable range this paper: ○1 value transfer-based UBM, ○2 typical hash-based of malware volume increments when constructing the UBM. UBM, ○3 B-DNN based UBM, and ○4 perceptual hash-based UBM.

5.3 UBM volume increment 5.4 Actual anti-defense capability To minimize the chance of being suspected during malware attacks, From the perspective of adversarial attack and defense, the attacker the UBM volume increment must be considered. The UBM volume conceals the malware to survive or circumvent the detection of the increment is defined as the combined volume of the rest four tuples defender’s antivirus engine, thereby creating a chance to launch among the six UBM tuples except for BenCode and Unb. attacks. To better demonstrate the actual attack performance of the First, the benign function code BenCode implemented in this UBM, we used antivirus engines deployed on the cloud and on the paper was a simple “Hello, world” pop-out. We packed the benign host computer to test the anti-defense capacity of our constructed function codes into an executable application, whose volume was UBMs. One antivirus engine on the host computer and nearly 100 20723 KB, i.e., circa 20.24 MB. antivirus engines on the cloud were employed to conduct detection. Table 3 shows the volume increment of the four UBMs obtained Especially VirusTotal [4], which integrates most of the well-known based on the volume of BenCode. Specifically, these UBMs were anti-virus engines, can perform static analysis or dynamic detection. divided into two categories: UBMs constructed based on methods Therefore, the detection result delivered by VirusTotal is convincing, other than neural networks ("NN" for short), and those constructed and the same is true for ThreatBook [14], as shown in Table 4. based on NN. The former is a “code-is-implementation” method. As mentioned before, the plain payload used in this paper is Their UBM volume increment comes from the increase of codes a.exe in trickbot. When it was downloaded to the host computer or due to the construction of Discriminator, Judger and Decryptor, uploaded to the cloud detection engine, the antivirus engine on the and the dynamic link library that these codes rely on during the host computer would immediately scan and clean it. The VirusTotal program packing process. We refer to this kind of UBM volume employed on the cloud side conducted detection using 72 antivirus increment as “code volume increment”. Construction of the latter engines, 57 of which detected plain payloads as “malicious”. Among category of UBM relies on training the neural network, adjusting the 25 antivirus engines in ThreatBook, nine detected plain payloads model parameters, and saving of the architecture, which will bring as “malicious” and marked their threat level as “malicious”. in additional volume increment. In this paper, we refer to this kind Unlike the plain payload, the cipher payload was identified as of increment as “non-code volume increment”. “secure” files by antivirus engines both on the host computer and In Table 3, the “code volume increment” and “non-code volume the cloud. Moreover, as shown in Table 4, the four complete and increment” columns sum up the total volume increment brought releasable UBMs constructed in this paper have also been detected. about by Discriminator, Judger and Decryptor. There is another The result shows that almost all four UBMs were identified as “safe”. type of increment: the free volume increment brought about by the Therefore, we could conclude that even when the UBM or the cipher cipher payload cp. As the type, function, or representation of the payload was open source, the defender still could not find a way cipher payload varies, the volume of the free volume increment to crack the malicious intent hidden in the malware by forward differs. In this connection, we analyzed the volumes of payloads or reverse analysis methods. Finally, it should be noted that in labeled “malicious” in the public cloud sandbox and concluded that Table 4, as the file size upper limit was set at 20 MB on ThreatBook, the volume of almost half of payloads is smaller than 1 MB. As while our uploaded UBM exceeded this limit, so we did not use the stated in Table 2, when constructing the UBM, we took the a.exe engines on ThreatBook to test our constructed UBMs. in trickbot as the malicious payload, whose volume stayed at 452 To sum up, by evaluating the four aspects of the constructed KB before and after encryption. Compared with the volume of a UBMs, i.e., the non-enumerability, definiteness, UBM volume in- benign function program, the volume of the payload is negligible. crement and actual anti-defense capability, we confirmed the se- Finally, based on the data recorded in Table 3, we reached the curity benefits of UBM. To be specific, by evaluating the“non- following conclusion: The non-NN method brought about little enumerability” and “key stability and key accessibility” of the UBMs, volume increment when used to construct the malware. Thus, it we verified their “unbreakable” security attribute; evaluation of would make the malware less likely to be suspected by the defender their “UBM volume increment” and “actual anti-defense capabil- in actual applications. As for the NN method, the network model ity” attested that the UBMs could conceal the malicious intent and that used to construct the B-DNN based UBM in this paper was survive/circumvent detection by almost all available well-known artificially built without relying on the open source TensorFlow antivirus engines for the time being. arxiv ’20, 2020, xxx Tiantian Ji, Binxing Fang, Xiang Cui, Zhongru Wang, Jiawen Diao, Tian Wang, and WeiQiang Yu

Table 3: Volume increment of UBMs

Code Non-code Total Volume of *** based UBM volume increment volume increment volume increment cipher payload Value transfer algorithm 21740KB-20723KB 0 0.99MB Non-NN method Typical hash algorithm 21738KB-20723KB 0 0.99MB Perceptual hash algorithm 23245KB-20723KB 0 2.46MB 452KB NN method B-DNN 23247KB-20723KB model: 1850KB 4.27MB

Table 4: Detection results of antivirus engines Based on the malware attack chain [5], we focused on malware concealment capability of our constructed UBMs before an attack Antivirus plain cipher was unleashed, while the two stages of “effect” and “command UBM engine payload payload and control” were not considered. However, even if the UBM has achieved nearly complete concealment before launching an attack, Host huorong Kill immediately 0 risk 0 risk it will still be subject to detection by process behavior-based [10, 15] ○1 : 1/72 and malicious traffic-based8 [ , 11] detections after launching the attack. Therefore, the defender can defend against the UBM by VirusTotal 57/72 0/61 ○2 : 1/71 Cloud real-time scanning and removal of malicious behaviors. ○3 : 1/70

○4 : 1/71 7 CONCLUSION AND FUTURE WORK ThreatBook 9/25 0/25 – For the first time, this paper proposed the concept of unbreakable

Note: ○1 Value transfer algorithm based UBM, ○2 Typical hash algorithm based UBM, ○3 B-DNN based malware – UBM, and made a systematic probe into it through mod- UBM, ○4 Perceptual hash algorithm based UBM. eling, method analysis, experiments, evaluation and anti-defense tests. Compared with existing methods, we built UBM and thus summarized the features of this type of malware: any malware that 6 DEFENSE AGAINST UNBREAKABLE satisfies the two core features of “non-enumerability” and “definite- MALWARE ness” possesses the “unbreakable” security attribute. By formalized modeling, research on security attributes, archi- In this section, we probed into possible defense measures based on tecture building, and exploration of evaluation standards, we con- analysis of vulnerabilities of UBM revealed during target attribute structed UBM instances based on four algorithms. In the experi- designation and in the functioning stages, with a vision to address ments, we verified the “unbreakable” security attribute of the con- new security threats incurred by UBM. structed UBMs through security evaluation; meanwhile, by evaluat- • Vulnerability incurred by target attribute designation ing the applicability of the UBM, we confirmed that UBM is a novel high-threat attack technique. That is, it has a volume increment In the input space of the Discriminator, there were various types that is hardly perceivable, and can get away with the detection by of target attributes that can be designated and connected to the nearly one hundred antivirus engines deployed locally or on the victim host computer, such as the software environment, physical cloud. environment, user behavior and geographic location, as shown in Moreover, we have explored possible defense solutions to attacks Figure 3. By selecting proper target attributes, the defender can of UBM and uncovered some of its defects. In future work, we will have two possible defense solutions. try to repair these defects and improve the performance of UBM. First, from the perspective of security defense, the intrinsic at- More importantly, we will invest more to explore defense solutions tributes of the victim, such as computer name and user name, can against this type of advanced “unbreakable” malware. be utilized. In the input space, these intrinsic attributes help to ensure non-enumerability; on the defender’s side, however, calling these attributes can be taken as features that helps to detect UBM. REFERENCES As for the second solution, when the designated target attribute [1] Jeremy Blackthorne, Alexei Bulazel, Andrew Fasano, Patrick Biernat, and Bülent Yener. 2016. AVLeak: Fingerprinting Antivirus Emulators through Black-Box is a specific file or image, this type of target attributes willseea Testing. In 10th USENIX Workshop on Offensive Technologies, WOOT 16, Austin, TX, considerable traversal space in the victim host computer (this space USA, August 8-9, 2016, Natalie Silvanovich and Patrick Traynor (Eds.). USENIX Association. https://www.usenix.org/conference/woot16/workshop-program/ is a subset of the input space). In this case, the Discriminator needs presentation/blackthorne to frequently execute “read” operations (loading pictures frequently, [2] Thomas M. Chen and Saeed Abu-Nimeh. 2011. Lessons from Stuxnet. Computer for instance) in an attempt to decrypt the malicious payload. On 44, 4 (2011), 91–93. https://doi.org/10.1109/MC.2011.115 [3] David Clement. 2019. 2019 Midyear Security Roundup: Evasive Threats, Pervasive the defender’s side, these frequent operations are aberrant behavior Effects. Technical Report. https://documents.trendmicro.com/assets/rpt/rpt- and can be taken as a feature for the detection of UBM. evasive-threats-pervasive-effects.pdf [4] google [n. d.]. VirusTotal. Retrieved August 18, 2020 from https://www.virustotal. • Vulnerability incurred in the functioning stage com/gui/home/upload The First Step Towards Modeling Unbreakable Malware arxiv ’20, 2020, xxx

[5] Tiantian Ji, Binxing Fang, Xiang Cui, Zhongru Wang, Ruiling Gan, Yu Han, 137–153. https://doi.org/10.1007/978-3-319-73951-9_7 and Weiqiang Yu. 2020. Research on deep learning-powered malware attack [12] Nick Stephens, John Grosen, Christopher Salls, Andrew Dutcher, Ruoyu Wang, and defense techniques. Chinese Journal of Computers 43, 13 (May 2020), 1–29. Jacopo Corbetta, Yan Shoshitaishvili, Christopher Kruegel, and Giovanni Vi- http://cjc.ict.ac.cn/online/bfpub/jtt-202058150207.pdf gna. 2016. Driller: Augmenting Fuzzing Through Selective Symbolic Exe- [6] Dhilung Kirat, Jiyong Jang, and Marc Ph. Stoecklin. 2018. Deeplocker cution. In 23rd Annual Network and Distributed System Security Symposium, - concealing targeted attacks with ai locksmithing. In Black Hat NDSS 2016, San Diego, California, USA, February 21-24, 2016. The Internet Soci- USA, 2018, Las Vegas, USA, August 4-9, 2018. informatech, 3873–3878. ety. http://wp.internetsociety.org/ndss/wp-content/uploads/sites/25/2017/09/ https://www.blackhat.com/us-18/briefings/schedule/index.html#deeplocker--- driller-augmenting-fuzzing-through-selective-symbolic-execution.pdf concealing-targeted-attacks-with-ai-locksmithing-11549 [13] The MITRE Corporation 2015–2020. MITRE ATT&CK. Retrieved August 18, [7] Clemens Kolbitsch, Engin Kirda, and Christopher Kruegel. 2011. The power of 2020 from https://attack.mitre.org/ procrastination: detection and mitigation of execution-stalling malicious code. [14] ThreatBook [n. d.]. Threatbook cloud sandbox. Retrieved August 18, 2020 from In Proceedings of the 18th ACM Conference on Computer and Communications https://s.threatbook.cn/ Security, CCS 2011, Chicago, Illinois, USA, October 17-21, 2011, Yan Chen, George [15] Shun Tobiyama, Yukiko Yamaguchi, Hajime Shimada, Tomonori Ikuse, and Danezis, and Vitaly Shmatikov (Eds.). ACM, 285–296. https://doi.org/10.1145/ Takeshi Yagi. 2016. Malware Detection with Deep Neural Network Using Process 2046707.2046740 Behavior. In 40th IEEE Annual Computer Software and Applications Conference, [8] Gonzalo Marín, Pedro Casas, and Germán Capdehourat. 2019. Deep in the Dark - COMPSAC Workshops 2016, Atlanta, GA, USA, June 10-14, 2016. IEEE Computer Deep Learning-Based Malware Traffic Detection Without Expert Knowledge. In Society, 577–582. https://doi.org/10.1109/COMPSAC.2016.151 2019 IEEE Security and Privacy Workshops, SP Workshops 2019, San Francisco, CA, [16] Tushar Ubale and Ankit Kumar Jain. 2020. Survey on DDoS Attack Techniques USA, May 19-23, 2019. IEEE, 36–42. https://doi.org/10.1109/SPW.2019.00019 and Solutions in Software-Defined Network. In Handbook of Computer Networks [9] Najmeh Miramirkhani, Mahathi Priya Appini, Nick Nikiforakis, and Michalis and Cyber Security, Principles and Paradigms, Brij B. Gupta, Gregorio Martínez Polychronakis. 2017. Spotless Sandboxes: Evading Malware Analysis Systems Pérez, Dharma P. Agrawal, and Deepak Gupta (Eds.). Springer, 389–419. https: Using Wear-and-Tear Artifacts. In 2017 IEEE Symposium on Security and Privacy, //doi.org/10.1007/978-3-030-22277-2_15 SP 2017, San Jose, CA, USA, May 22-26, 2017. IEEE Computer Society, 1009–1024. [17] Qi Wang, Wajih Ul Hassan, Ding Li, Kangkook Jee, Xiao Yu, Kexuan Zou, Jungh- https://doi.org/10.1109/SP.2017.42 wan Rhee, Zhengzhang Chen, Wei Cheng, Carl A. Gunter, and Haifeng Chen. [10] Matilda Rhode, Pete Burnap, and Kevin Jones. 2018. Early-stage malware pre- 2020. You Are What You Do: Hunting Stealthy Malware via Data Provenance diction using recurrent neural networks. Comput. Secur. 77 (2018), 578–594. Analysis. In 27th Annual Network and Distributed System Security Symposium, https://doi.org/10.1016/j.cose.2018.05.010 NDSS 2020, San Diego, California, USA, February 23-26, 2020. The Internet So- [11] Homayoun Sajad, Ahmadzadeh Marzieh, Hashemi Sattar, Dehghantanha Ali, and ciety. https://www.ndss-symposium.org/ndss-paper/you-are-what-you-do- Khayami Raouf. 2018. BoTShark: A deep learning approach for botnet traffic hunting-stealthy-malware-via-data-provenance-analysis/ detection. In Cyber Threat Intelligence, Dehghantanha Ali, Conti Mauro, and [18] Micha? Zalewski. 2015–2020. American fuzzy lop. Retrieved August 18, 2020 Dargahi Tooska (Eds.). Advances in Information Security, Vol. 70. Springer, Cham, from https://lcamtuf.coredump.cx/afl/