Malware Behavior Comportamento De Programas Maliciosos
Total Page:16
File Type:pdf, Size:1020Kb
Andr´eRicardo Abed Gr´egio Malware Behavior Comportamento de Programas Maliciosos Campinas 2012 i ii Universidade Estadual de Campinas Faculdade de Engenharia El´etrica e de Computa¸c~ao Andr´eRicardo Abed Gr´egio Malware Behavior Comportamento de Programas Maliciosos Doctorate thesis presented to the School of Electrical and Computer Engineering in partial fulfillment of the requirements for the degree of Doctor in Electrical Engineering. Concentration area: Computer Engineering. Tese de doutorado apresentada `aFaculdade de Engenharia El´etrica e de Computa¸c~ao como parte dos requisitos exigidos para a obten¸c~aodo t´ıtulo de Doutor em Engenharia El´etrica. Area´ de concentra¸c~ao: Engenharia de Computa¸c~ao. Orientador (Tutor): Prof. Dr. Mario Jino Co-orientador (Co-Tutor): Prof. Dr. Paulo Licio de Geus Este exemplar corresponde `avers~aofinal da tese defendida pelo aluno, e orientada pelo Prof. Dr. Mario Jino. Campinas 2012 iii FICHA CATALOGRÁFICA ELABORADA PELA BIBLIOTECA DA ÁREA DE ENGENHARIA E ARQUITETURA - BAE - UNICAMP Grégio, André Ricardo Abed G861c Comportamento de programas maliciosos / André Ricardo Abed Grégio. --Campinas, SP: [s.n.], 2012. Orientador: Mario Jino. Coorientador: Paulo Licio de Geus. Tese de Doutorado - Universidade Estadual de Campinas, Faculdade de Engenharia Elétrica e de Computação. 1. Redes de computadores - Medidas de segurança. 2. Tecnologia da informação - Segurança. 3. Software - Segurança. 4. Virus de computador. 5. Taxonomia. I. Jino, Mario, 1943-. II. Geus, Paulo Licio de, 1956-. III. Universidade Estadual de Campinas. Faculdade de Engenharia Elétrica e de Computação. IV. Título. Título em Inglês: Malware behavior Palavras-chave em Inglês: Computer networks - Security measures, Information technology - Security, Software - Security, Computer virus, Taxonomy Área de concentração: Engenharia de Computação Titulação: Doutor em Engenharia Elétrica Banca examinadora: Mario Jino, Eleri Cardozo, Ricardo Dahab, Adriano Mauro Cansian, Luiz Fernando Rust da Costa Carmo Data da defesa: 28-11-2012 Programa de Pós Graduação: Engenharia Elétrica iv v vi To my Family. vii viii Acknowledgments I would like to thank my advisors, Professors Paulo L´ıcio de Geus and Mario Jino, for support- ing me during the past years, listening to my frequent complaints and giving me freedom to pursue my goals. Their advice and ideas were essential not only to glue the pieces of this thesis together, but to allow me to grow as a scientist and as a better person. I thank the Brazilian Government, my employer, for investing in me as a researcher. I thank my former Bachelor and Masters research advisors, Professor Adriano Mauro Can- sian and Dr. Rafael Duarte Coelho dos Santos, for their friendship and for always standing by my side since I met them. I also thank Otavio Carlos Cunha da Silva for the very same reasons. They prevented me from \roundhouse kicking" people on the road. =] I also thank my friends, students and research colleagues for all the support, chit-chatting, laughs, coding, paper writing, hamburger eating and the late night coffee time, mainly Vitor Monte Afonso, Dario Sim~oes Fernandes Filho, Victor Furuse Martins, Isabela Liane de Oliveira, Roberto Alves Gallo Filho, Henrique Kawakami, Eduardo Ellery and Alexandre Or Cansian Baruque. If I forgot anyone, I am sorry, it is just because my cache is volatile... I finally thank my family, especially my wife Fabiana, my brother (N^e), my dad (Bastian) and my mom (Jamile). Their support, patience, love and friendship make my life more meaningful. ix x Oh, so they have Internet on computers now! Homer Simpson xi xii Resumo Ataques envolvendo programas maliciosos (malware) s~aoa grande amea¸caatual `aseguran¸cade sistemas. Assim, a motiva¸c~ao desta tese ´eestudar o comporta- mento de malware e como este pode ser utilizado para fins de defesa. O principal mecanismo utilizado para defesa contra malware ´eo antiv´ırus (AV). Embora seu prop´osito seja detectar (e remover) programas maliciosos de m´aquinas infectadas, os resultados desta detec¸c~aoprov^eem, para usu´arios e analistas, informa¸c~oes insufi- cientes sobre o processo de infec¸c~ao realizado pelo malware. Al´emdisso, n~ao h´aum padr~ao de esquema de nomenclatura para atribuir, de maneira consistente, nomes de identifica¸c~aopara exemplares de malware detectados, tornando dif´ıcil a sua clas- sifica¸c~ao. De modo a prover um esquema de nomenclatura para malware e melhorar a qualidade dos resultados produzidos por sistemas de an´alise din^amica de malware, prop~oe-se, nesta tese, uma taxonomia de malware com base nos comportamentos potencialmente perigosos observados durante v´arios anos de an´alise de exemplares encontrados em campo. A meta principal desta taxonomia ´eser clara, de simples manuten¸c~aoe extens~ao, e englobar tipos gerais de malware (worms, bots, spyware). A taxonomia proposta introduz quatro classes e seus respectivos comportamentos de alto n´ıvel, os quais representam atividades potencialmente perigosas. Para avali´a-la, foram utilizados mais de 12 mil exemplares ´unicos de malware pertencentes a difer- entes classes (atribu´ıdas por antiv´ırus). Outras contribui¸c~oesprovenientes desta tese incluem um breve hist´orico dos programas maliciosos e um levantamento das taxono- mias que tratam de tipos espec´ıficos de malware; o desenvolvimento de um sistema de an´alise din^amica para extrair perfis comportamentais de malware; a especializa- ¸c~ao da taxonomia para lidar com exemplares de malware que roubam informa¸c~oes (stealers), conhecidos como bankers, a implementa¸c~ao de ferramentas de visualiza- ¸c~ao para interagir com tra¸cos de execu¸c~aode malware e, finalmente, a introdu¸c~ao de uma t´ecnica de agrupamento baseada nos valores escritos por malware na mem´oria e nos registradores. Palavras-chave: Seguran¸cade Redes e Computadores. Comportamento de Progra- mas Maliciosos. An´alise Din^amica de Malware. Taxonomia de Malware. Classifi- ca¸c~aode Malware. Visualiza¸c~aode Dados de Seguran¸ca. xiii xiv Abstract Attacks involving malicious software (malware) are the major current threats to systems security. The motivation behind this thesis is to study malware behavior with that purpose. The main mechanism used for defending against malware is the antivirus (AV) tool. Although the purpose of an AV is to detect (and remove) ma- licious programs from infected machines, this detection usually provides insufficient information for users and analysts regarding the malware infection process. Further- more, there is no standard naming scheme for consistently labeling detected malware, making the malware classification process harder. To provide a meaningful naming scheme, as well as to improve the quality of results produced by dynamic analysis systems, we propose a malware taxonomy based on potentially dangerous behav- iors observed during several years of analysis of malware found in the wild. The main goal of the taxonomy is, in addition to being simple to understand, extend and maintain, to embrace general types of malware (e.g., worms, bots, spyware). Our behavior-centric malware taxonomy introduces four classes and their respective high-level behaviors that represent potentially dangerous activities. We applied our taxonomy to more than 12 thousand unique malware samples from different classes (assigned by AV scanners) to show that it is useful to better understand malware infections and to aid in malware-related incident response procedures. Other con- tributions of our work are: a brief history of malware and a survey of taxonomies that address specific malware types; a dynamic analysis system to extract behavioral profiles from malware; specialization of our taxonomy to handle information stealers known as bankers; proposal of visualization tools to interact with malware execution traces and, finally, a clustering technique based on values that malware writes into memory or registers. Keywords: Network and Computer Security. Malicious Programs Behavior. Mal- ware Dynamic Analysis. Malware Taxonomy. Malware Classification. Security Data Visualization. xv xvi List of Figures 3.1 Behavioral matrix based on our taxonomy. 32 3.2 Behavioral matrix for M[DU;BI]:S[CS]......................... 33 3.3 Mapping sets of behaviors to their classes and the security principles they violate. 34 4.1 Framework's overall architecture. 38 4.2 Steps to pinpoint suspicious behavior. 40 4.3 Overview of the samples distribution over the classes plus \None". 45 4.4 Distribution of samples among the possible combinations of classes. 45 4.5 Amount of samples distributed over multiple classes (percentages rounded up). 46 4.6 Percentage of samples that presented each of the compiled behaviors. 46 4.7 Discriminant behavior's matrix for Allaple. 48 4.8 Discriminant behavior's matrix for Swizzor. 49 4.9 Discriminant behavior's matrix for Atraps. 49 4.10 Discriminant behavior's matrix for Crypt. 49 4.11 Discriminant behavior's matrix for Virut. 51 4.12 Discriminant behavior's matrix for Hupigon. 52 4.13 Screenshot of a Porndialer sample execution. 53 4.14 Discriminant behavior's matrix for Expiro. 53 4.15 Behaviors exhibited by AV-\UNDECIDED" samples. 54 4.16 Behaviors exhibited by AV-\CLEAN" samples. 55 5.1 Additional Internet banking authentication factors . 59 5.2 A successful phishing message. 61 5.3 Banker screen to steal token value. 62 5.4 Distraction screens to allow an attacker to steal online banks while the user waits. 62 5.5 Banker screen to steal all values from the user's password table. 63 5.6 Overview of BanDIT. 65 5.7 Percentage of banker samples per presented behavior. 68 5.8 BanDIT's identification results . 70 5.9 Screenshot of BanDIT's Web site. 71 6.1 Timeline and Magnifier tool representing malicious events. 80 6.2 Sequence of selected events (user and automatic). 80 xvii 6.3 Behavioral spirals for `Pincav' (a) and `Zbot' (b). 82 6.4 Three `Allaple' worm variants. 83 6.5 Visual behavior extracted from four malware families.