Forecasting Malware Capabilities from Cyber Attack Memory Images

Forecasting Malware Capabilities from Cyber Attack Memory Images

Forecasting Malware Capabilities From Cyber Attack Memory Images Omar Alrawi*, Moses Ike*, Matthew Pruett, Ranjita Pai Kasturi, Srimanta Barua, Taleb Hirani, Brennan Hill, Brendan Saltaformaggio Georgia Institute of Technology Abstract analyst, slowing down the investigation and giving the attackers an advantage. The remediation of ongoing cyber attacks relies upon To automate incident response, symbolic execution is timely malware analysis, which aims to uncover promising for malware code exploration, but lacks the malicious functionalities that have not yet executed. prior attack execution state which may not be Unfortunately, this requires repeated context switching re-achievable after-the-fact (e.g., concrete inputs from between different tools and incurs a high cognitive load C&C activity). Environment-specific conditions, such as on the analyst, slowing down the investigation and expected C&C commands, limit dynamic and concolic giving attackers an advantage. We present , Forecast techniques (e.g., [3]–[14]) from predicting inaccessible a post-detection technique to enable incident responders capabilities. In addition, these techniques depend on to automatically predict capabilities which malware dissecting a standalone malware binary or running it in have staged for execution. is based on a Forecast a sandbox. However, malware are known to delete their probabilistic model that allows to discover Forecast binary or lock themselves to only run on the infected capabilities and also weigh each capability according to machine (hardware locking). Worse still, researchers its relative likelihood of execution (i.e., forecasts). found that fileless malware incidents (i.e., only resides leverages the execution context of the Forecast in memory) continue to rise [1], [15], [16]. ongoing attack (from the malware’s memory image) to guide a symbolic analysis of the malware’s code. We Having access to the right execution context is necessary to guide malware into revealing its performed extensive evaluations, with 6,727 real-world malware and futuristic attacks aiming to subvert capabilities. Malware internally gather inputs from environment-specific sources, such as the registry, Forecast, showing the accuracy and robustness in predicting malware capabilities. network, and environment variables, in order to make behavior decisions [11], [17], [18]. Therefore, an ideal and practical input formulation for malware can be 1 Introduction adapted from this internal execution state in memory bearing the already-gathered input artifacts. It turns Cyber attack response requires countering staged out that anti-virus and IDS already collect memory malware capabilities (i.e., malicious functionalities images of a malicious process after detecting it [19]–[21]. which have not yet executed) to prevent further A malware memory image contains this internal damages [1], [2]. Unfortunately, predicting malware concrete execution state unique to the specific attack capabilities post-detection remains manual, tedious, and instance under investigation. error-prone. Currently, analysts must repeatedly carry During our research, we noticed that if we can out multiple triage steps. For example, an analyst will animate the code and data pages in a memory image, often load the binary into a static disassembler and and perform a forward code exploration from that perform memory forensics, to combine static and captured snapshot, then we can re-use these early dynamic artifacts. This painstaking process requires concrete execution data to infer the malware’s next context switching between binary analysis and forensic steps. Further, by analyzing how these concrete inputs tools. As such, it incurs a high cognitive load on the induce paths during code exploration, we can predict which paths are more likely to execute capabilities *Authors contributed equally. based on the malware’s captured execution state. Based on this idea, we propose seeding the symbolic 2 Overview exploration of a malware’s pre-staged paths with concrete execution state obtained via memory image This section presents the challenges and benefits of forensics. Through this, we overcome the previous combining the techniques of memory image forensics painstaking and cognitively burdensome process that an and symbolic analysis. Using the DarkHotel incident [2] analyst must undertake. as a running example, we will show how incident We present Forecast, a post-detection technique to responders can leverage Forecast to expedite their enable incident responders to forecast what capabilities investigation and remediate a cyber attack. are possible from a captured memory image. Forecast ranks each discovered capability according to its probability of execution (i.e., forecasts) to enable Running Example - DarkHotel APT. DarkHotel analysts to prioritize their remediation workflows. To is an APT that targets C-level executives through spear phishing [2]. Upon infection, DarkHotel deletes its calculate this probability, Forecast weighs each path’s relative usage of concrete data. This approach is binary from the victim’s file system, communicates with based on a formal model of the degree of concreteness a C&C server, injects a thread into Windows Explorer, and ultimately exfiltrates reconnaissance data. When an (or DC (s)) of a memory image execution state (s). Starting from the last instruction pointer (IP) value in IDS detects anomalous activities on an infected host, an end-host agent captures the suspicious process memory the memory image, Forecast explores each path by symbolically executing the CPU semantics of each (i.e., DarkHotel’s), terminates its execution, and generates a notification. At this point, incident instruction. During this exploration, Forecast models how the mixing of symbolic and concrete data responders must quickly understand DarkHotel’s influences path generation and selection. Based on this capabilities from the different available forensic sources mixing, a “concreteness” score is calculated for each (network logs, event logs, memory snapshot, etc.) to state along a path to derive forecast percentages for prevent further damages. each discovered capability. DC (s) also optimizes Dynamic techniques [11]–[14] may require an active symbolic analysis by dynamically adapting loop bounds, C&C, which may have been taken down, to induce a handling symbolic control flow, and pruning paths to malware binary to reveal its capabilities. Because reduce path explosion. DarkHotel only resides in memory, these techniques, To automatically identify each capability, we which work by running the malware in a sandbox, 1 developed several modular capability analysis plugins: cannot be applied. With only the memory image, an Code Injection, File Exfiltration, Dropper, Persistence, analyst can use a forensic tool, such as Volatility [24], Key & Screen Spying, Anti-Analysis, and C&C URL to “carve out” the memory image code and data pages. Connection. Each plugin defines a given capability in Based on the extracted code pages, symbolic analysis terms of API sequences, their arguments, and how their can simulate the malware execution in order to explore input and output constraints connect each API. all potential paths. Unfortunately, existing symbolic Forecast plugins are portable and can easily be tools require a properly formatted binary and are not extended to capture additional capabilities based on the optimized to work with memory images [7], [22], [23]. target system’s APIs. It is worth noting that Ideally, an analyst can manually project these code Forecast’s analysis only requires a forensic memory fragments into symbolic analysis and source concrete image, allowing it to work for fileless malware, making values from the data pages to tell which code branch it well-suited for incident response. leads to a capability. However, this back-and-forth We evaluated Forecast with memory images of process of “stitching up” code with extracted memory 6,727 real-world malware (including packed and artifacts, involves context switching between symbolic unpacked) covering 274 families. Forecast renders execution and the forensic tool. This places a very high accurate capability forecasts compared to reports cognitive burden on the analyst. An analyst must also produced manually by human experts. Further, we show handle challenges such as path explosion, API call that Forecast is robust against futuristic attacks that simulation [4], [22], [25]–[27], and concretizing API aim to subvert Forecast. We show that Forecast’s arguments (e.g., attacker’s URL), which may not be post-detection forecasts are accurately induced by early statically accessible in the memory image. Lastly, an concrete inputs. We empirically compared Forecast analyst must manually inspect APIs along each path to to S2E [6], angr [22], and Triton [23] and found that infer high-level capabilities. Forecast outperforms them in identifying capabilities and reducing path explosion. Forecast is available 1Forensic memory images are not re-executable due to being online at: https://cyfi.ece.gatech.edu/. “amputated” from the original operating system and hardware. 1 2 3 4 5 6 CODE 31% Code Injection EAX, EBX, �# CPUECX, STATE EDX, �" Parser EIP, ESP, 15% ESI, EDI, � EFLAGS % �$ File Exfiltration DATA Augmented 54% Symbolic API & Probability Capability-Relevant C&C URL Memory Execution Exploration Assignment Paths Argument Capability Plugin Image Context Constraints Analysis Context-Aware Memory Forensics Probabilistic Symbolic Analysis Capability Forecast

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    18 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us