Cubismo: Decloaking Server-Side Malware Via Cubist Program Analysis

Cubismo: Decloaking Server-Side Malware Via Cubist Program Analysis

Cubismo: Decloaking Server-side Malware via Cubist Program Analysis Abbas Naderi-Afooshteh, Yonghwi Kwon, Anh Nguyen-Tuong, Mandana Bagheri-Marzijarani, and Jack W. Davidson Department of Computer Science, University of Virginia {abiusx;yongkwon;nguyen;mb3wz;jwd}@virginia:edu ABSTRACT 1 INTRODUCTION Malware written in dynamic languages such as PHP routinely Web-based malware, particularly server-side malware, is one employ anti-analysis techniques such as obfuscation schemes and of the most prevalent security threats nowadays. Numerous re- evasive tricks to avoid detection. On top of that, attackers use ports describe the prevalence of server-side malware. Sucuri, a firm automated malware creation tools to create numerous variants specializing in managed security and system protection, analyzed with little to no manual effort. 34,371 infected websites and reported that 71% of those contained This paper presents a system called Cubismo to solve this press- PHP-based, hidden backdoors [52]. Incapsula discovered that out ing problem. It processes potentially malicious files and decloaks of 500 infected websites detected on their network, the majority their obfuscations, exposing the hidden malicious code into multiple of them contained PHP malware [27]. Verizon’s 2017 Data Breach files. The resulting files can be scanned by existing malware detec- reported that a sizable number of web server compromises are a tion tools, leading to a much higher chance of detection. Cubismo means to an end, allowing attackers to set up for other targets [26]. achieves improved detection by exploring all executable statements This prevalence is in part because server-side malware is typ- of a suspect program counterfactually to see through complicated ically equipped with advanced anti-analysis and anti-debugging polymorphism, metamorphism and, obfuscation techniques and techniques such as obfuscation and metamorphism. These tech- expose any malware. niques are implemented using dynamic language features such as Our evaluation on a real-world data set collected from a commer- dynamic code generation (e.g., eval), creating several challenging cial web hosting company shows that Cubismo is highly effective analysis problems [25, 31]. in dissecting sophisticated metamorphic malware with multiple Detecting server-side malware is a hard problem. While there are layers of obfuscation. In particular, it enables VirusTotal to detect a handful of malware detection tools, most of them are signature- 53 out of 56 zero-day malware samples in the wild, which were based tools that are ineffective in detecting polymorphic and meta- previously undetectable. morphic malware. Specifically, the signatures are extracted from known malware samples and the given target malware by aggregat- CCS CONCEPTS ing particular patterns (e.g., byte patterns) and keywords found in the samples. The detectors then compare the signatures to identify • Security and privacy → Malware and its mitigation; Web malware. application security; Systems security. To avoid detection, server-side malware uses various obfuscation techniques, such as polymorphism and dynamic code generation, KEYWORDS to produce malware that has a different signature from the origi- PHP, Security, Malware, Obfuscation, Evasion, Counterfactual nal code. Moreover, attackers leverage various tools that generate Execution malware variants with little to no effort, also making the signature- based approaches less effective [40, 49, 55]. ACM Reference Format: From our experience in analyzing various real-world malware Abbas Naderi-Afooshteh, Yonghwi Kwon, Anh Nguyen-Tuong, Mandana samples, we have observed that many malware are equipped with Bagheri-Marzijarani, and Jack W. Davidson. 2019. Cubismo: Decloaking Server-side Malware via Cubist Program Analysis. In 2019 Annual Computer multiple obfuscation layers (e.g., constructing calls to eval() dy- Security Applications Conference (ACSAC ’19),December 9–13, 2019, San Juan, namically) and various evasive techniques (e.g., requiring a particu- PR, USA. ACM, New York, NY, USA, 14 pages. https://doi:org/10:1145/ lar input to trigger the malware). Obfuscation techniques enable 3359789:3359821 malware to thwart analysis and detection by static analysis tools, while evasive techniques hide malicious behaviors behind compli- cated logic to prevent dynamic analysis. Permission to make digital or hard copies of all or part of this work for personal or Moreover, we have observed that many malware samples found classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation in the wild turn out to be variants of the same family, but with dif- on the first page. Copyrights for components of this work owned by others than ACM ferent obfuscation techniques applied. Interestingly, while existing must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a malware detectors are not able to detect the obfuscated malware fee. Request permissions from [email protected]. variants, they do recognize deobfuscated malware samples, indicat- ACSAC ’19, December 9–13, 2019, San Juan, PR, USA ing that obfuscation techniques are effective at thwarting detection © 2019 Association for Computing Machinery. ACM ISBN 978-1-4503-7628-0/19/12...$15.00 tools in practice. https://doi:org/10:1145/3359789:3359821 ACSAC ’19, December 9–13, 2019, San Juan, PR, USA A. Naderi et al. As a result, we hypothesize that revealing malicious code hidden triggering the malware. PHP malware often checks a handful of con- behind anti-analysis techniques such as obfuscation and metamor- ditions (e.g., checking a particular input is provided by an attacker) phism is a key challenge in detection of server-side web malware. to decide whether to expose malicious behavior/logic. Moreover, Unfortunately, dynamic analysis or static analysis alone is not able PHP malware actively leverages PHP’s dynamic language features to handle this challenge. Specifically, dynamic analysis techniques (e.g., eval()) to make analysis difficult. From our study of real- can handle obfuscations but not evasive techniques. On the other world malware (§6), we find that the majority of existing malware hand, while static analysis can handle evasive tricks, it has difficulty detectors is unable to detect obfuscated malware, even if its original handling obfuscation. malware itself is already known to be malicious. We propose a fully automated system, Cubismo, that more effec- tively uncloaks sophisticated server-side malware by neutralizing 2.2 Challenges anti-analysis tricks such as obfuscation and metamorphism. Specif- In this section, we enumerate three major challenges in detecting ically, we aim to resolve parts of malware that hinder analysis and web server-side malware. These challenges motivate Cubismo’s detection. In particular, we identify blocks of code that are hiding design. their original intention (i.e., via obfuscation). We then resolve (i.e., counter) evasion tricks to expose hidden malicious logic (e.g., often Challenge 1: Multiple Layers of Obfuscation and Dynamic PHP malware heavily leverages obfuscation techniques, by executing the code). The exposed malicious code is then used to Constructs. often using multiple layers of obfuscations to thwart static analy- create new malware files by replacing the decoding and dynamic sis’s ability to recognize malicious code. As a result, many malware execution sequence with the deobfuscated code. detectors decide to simply flag obfuscated files as malware. How- Given a program, Cubismo1 analyzes the program to break it ever, this strategy suffers from false positives as there are benign into small pieces, reveals the real intentions of these pieces, then applications that use obfuscation techniques to protect intellectual reassembles the revealed intentions into the original program. The property (e.g., source code or key algorithms) [29, 62]. reassembled program essentially depicts the target program from PHP also supports various dynamic constructs that can cre- multiple perspectives to present diverse aspects of the target. We ate and modify program code introspectively (e.g., Reflection, call this analysis Cubist Program Analysis as inspired by cubist art eval() or include()). These dynamic constructs are commonly which aims to present a subject from a multitude of viewpoints to used in malware to implement obfuscation techniques. Moreover, show the piece in a greater context. PHP also provides methods to alter the current running program Our extensive evaluation results show that Cubismo is highly code, such as modifying and removing methods at runtime. This effective in revealing malicious code hidden behind sophisticated self-modification allows malware to delete or alter the critical code obfuscation and evasive techniques, boosting the effectiveness of ex- under analysis. Furthermore, PHP allows indirect and dynamic call- isting malware detectors to find 53 new zero-day malware samples. ing of functions (or methods) via a string variable that holds their The major contributions of this research are as follows: name. Such features make it further challenging to statically reason • A fully automated method for decloaking obfuscated code about the code. and exposing evasive malicious behavior, called Cubist Pro- In short, static analysis based techniques

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    14 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us