Close
About
FAQ
Home
Collections
Login
USC Login
Register
0
Selected
Invert selection
Deselect all
Deselect all
Click here to refresh results
Click here to refresh results
USC
/
Digital Library
/
University of Southern California Dissertations and Theses
/
Enabling symbolic execution string comparison during code-analysis of malicious binaries
(USC Thesis Other)
Enabling symbolic execution string comparison during code-analysis of malicious binaries
PDF
Download
Share
Open document
Flip pages
Contact Us
Contact Us
Copy asset link
Request this asset
Transcript (if available)
Content
ENABLING SYMBOLIC EXECUTION STRING COMPARISON DURING CODE-ANALYSIS OF MALICIOUS BINARIES by Abdulla Alwabel A Dissertation Presented to the FACULTY OF THE USC GRADUATE SCHOOL UNIVERSITY OF SOUTHERN CALIFORNIA In Partial Fulfillment of the Requirements for the Degree DOCTOR OF PHILOSOPHY (COMPUTER SCIENCE) May 2020 Copyright 2020 Abdulla Alwabel Dedication To my mother, father, and siblings. ii Acknowledgments This thesis is a result of ideas born out of discussion and skills acquired by working closely with talented individuals, and support from friends and family! I start by expressing my deepest gratitude to Dr.Ted Faber, whom I have considered my mentor. It was an honor that I had the opportunity to work under his supervision for some time. I acquired a great deal of knowledge, as well as honed my skills. Further, it was one of the most pleasurable experiences in my life. Ted continued supporting me afterward, every time I face a challenge, he was always there to help me stand up on my feet. I thank my academic adviser Prof. Clifford Neuman for all the effort he had put so that I can continue working on my favorite projects. Apart from the academic and technical skills I acquired while working with Dr.Neuman, he helped me to improve my communication skills and taught me to win people. I also thank my committee member Prof.William Halfond who provided insightful feedback and significantly contributed to my research. I am grateful to Prof.Raghavendra for the time and effort he put into serving my committee. During my tenure in graduate school, I had the privilege to work with talented people. I thank Dr.John Heidemann - a highly skilled researcher - for the support he provided. I will never forget the good deeds he’d done to me. I was blessed to work closely with Dr.Jelena Mirković - an expert in security. Dr.Mirkovic’s iii insights and feedback had a significant impact on shaping my dissertation. I thank Mr.Goran Scuric for his guidance and support during hard times. I am much indebted to him. I thank my parents for the non-stopping support they have been providing to me. My father taught me that by practicing and persistence, you could acquire any skill you desire! I thank my friend Fahad Al-Dheelan for his immense support during the last year of my graduate school - which was the hardest. Fahad helped big times on many levels. When I was a Ph.D. student, I had to cope up with tragic events. Those times were the toughest in my entire life. However, I was lucky that I had such great friends who were there for me. I am much indebted to my friend Sultan Alfarhood for his generous support. Although he was busy with his Ph.D., Sultan dedicated a significant amount of time to listen and guide me through hard times. I also thank Mohammed Alshammari for helping me find my way out of an academic challenge. I appreciate all the support and help from my friend Meshal Alfarhood. One of the most enjoyable activities during my Ph.D. was being a teaching assistant under Dr.Andrew Goodney. I enjoyed teaching first-year students how to program. Andrew believed in my skills and helped me build my confidence, espe- cially in teaching. He helped me when I needed time to focus on my dissertation. I will never forget his support. IthankDr.SimonWooforhisencouragementandprayers. Simonevenprovided me access to computing resources. I thank Prateek and Nikita Jaipuria for their support during my Ph.D. iv Contents Dedication ii Acknowledgments iii List of Tables viii List of Figures xiii Abstract xv 1 Introduction 1 1.1 Thesis Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 2 Literature Review 5 2.1 Dynamic Malware Analysis . . . . . . . . . . . . . . . . . . . . . . 6 2.1.1 Dynamic taint analysis . . . . . . . . . . . . . . . . . . . . . 7 2.1.2 Multi-Path Exploration . . . . . . . . . . . . . . . . . . . . . 9 2.2 Transparency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 2.3 Malware Communication . . . . . . . . . . . . . . . . . . . . . . . . 16 2.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17 3 Symbolically Executing Malware 19 3.1 Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19 3.2 Approach Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 3.3 Mode 1: Controlled Forking Module . . . . . . . . . . . . . . . . . . 22 3.4 Mode 2: Inference Module . . . . . . . . . . . . . . . . . . . . . . . 23 3.4.1 Learning mode . . . . . . . . . . . . . . . . . . . . . . . . . 23 3.4.2 Comparator . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 3.4.3 String Finder . . . . . . . . . . . . . . . . . . . . . . . . . . 28 3.4.4 Seperator Finder . . . . . . . . . . . . . . . . . . . . . . . . 31 3.4.5 Resetting . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 3.5 Symbolic Memory Address . . . . . . . . . . . . . . . . . . . . . . . 37 3.5.1 Byte Replacements . . . . . . . . . . . . . . . . . . . . . . . 39 v 3.5.2 Configurable Tables . . . . . . . . . . . . . . . . . . . . . . 41 3.5.3 Formatting Table . . . . . . . . . . . . . . . . . . . . . . . . 43 3.5.4 Space finding . . . . . . . . . . . . . . . . . . . . . . . . . . 45 3.5.5 Switch Statement Table . . . . . . . . . . . . . . . . . . . . 46 3.5.6 Tables used in known algorithms . . . . . . . . . . . . . . . 47 3.5.7 Handling lookup tables . . . . . . . . . . . . . . . . . . . . . 48 3.6 Other Constructs . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48 3.7 Evaluation Methodology . . . . . . . . . . . . . . . . . . . . . . . . 53 3.7.1 Experiment Machines & Configuration . . . . . . . . . . . . 54 3.7.2 Result Representation . . . . . . . . . . . . . . . . . . . . . 55 3.8 Microbenchmark . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 3.8.1 Category1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57 3.8.2 Category2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60 3.8.3 Category3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62 3.8.4 Category4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 3.8.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66 3.9 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67 4 Implementation 68 4.1 The Impersonator . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 4.2 The Inspector . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70 4.2.1 ApiIntercept . . . . . . . . . . . . . . . . . . . . . . . . . . . 71 4.2.2 CFG Searcher . . . . . . . . . . . . . . . . . . . . . . . . . . 77 4.2.3 StackTracer . . . . . . . . . . . . . . . . . . . . . . . . . . . 83 4.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 5 Progress branch and initial phase of processing 86 5.1 Scouting Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87 5.1.1 Detecting Data Type . . . . . . . . . . . . . . . . . . . . . . 88 5.1.2 Setting constraints . . . . . . . . . . . . . . . . . . . . . . . 93 5.1.3 Order of processing . . . . . . . . . . . . . . . . . . . . . . . 98 5.2 Constraining to a single value . . . . . . . . . . . . . . . . . . . . . 99 5.3 Non-progress branches . . . . . . . . . . . . . . . . . . . . . . . . . 101 5.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101 6 Malware scraping the web and checking the local environment 106 6.1 Network input . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106 6.1.1 Geolocation . . . . . . . . . . . . . . . . . . . . . . . . . . . 107 6.1.2 Token finder . . . . . . . . . . . . . . . . . . . . . . . . . . . 113 6.1.3 Confirmation code . . . . . . . . . . . . . . . . . . . . . . . 115 6.2 Environment artifacts . . . . . . . . . . . . . . . . . . . . . . . . . 116 6.2.1 Usernames . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116 vi 6.2.2 Computernames . . . . . . . . . . . . . . . . . . . . . . . . . 119 6.2.3 Running processes . . . . . . . . . . . . . . . . . . . . . . . 119 6.2.4 Loadeds Modules . . . . . . . . . . . . . . . . . . . . . . . . 122 6.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 7 Highly Structured File Formats 129 7.1 JSON . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130 7.2 XML . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135 7.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137 8 Understanding communication protocols’ format 143 8.1 IRC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146 8.2 Analysis of Symmi . . . . . . . . . . . . . . . . . . . . . . . . . . . 148 8.3 KD . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150 8.4 Autoit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152 8.5 Infostealer.bancos . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154 8.6 Msil.cassiopeia . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157 8.7 Pmkfrsucinas and Kazy . . . . . . . . . . . . . . . . . . . . . . . . . 159 8.8 IP address as keywords . . . . . . . . . . . . . . . . . . . . . . . . . 161 8.9 Other Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 165 8.10 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167 9 Conclusion and Future Work 168 9.1 Future Work and Limitations . . . . . . . . . . . . . . . . . . . . . 168 9.2 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171 Reference List 173 A Extracted Data from Malware 181 vii List of Tables 3.1 Name and hash of some samples used in symbolic memory address discussion. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 3.2 Lookup table and a snippet of code from Mydoom . . . . . . . . . . 39 3.3 Encoding conversion tables . . . . . . . . . . . . . . . . . . . . . . . 39 3.4 Encoding conversion statistics . . . . . . . . . . . . . . . . . . . . . 39 3.5 Strtok populated table with values 0-0x7f . . . . . . . . . . . . . . . 41 3.6 Strtok analysis: (left) a summary of a table populated with tab and space, (middle) a code snippet to populate a table, and (right) a code to use the table . . . . . . . . . . . . . . . . . . . . . . . . . . 42 3.7 Table to validate a regular expression. partial lookup table (left) , (right) code snippet of a function uses the table in Razy. . . . . . . 42 3.8 Formatting table in windows . . . . . . . . . . . . . . . . . . . . . . 44 3.9 Formatting table statistics . . . . . . . . . . . . . . . . . . . . . . . 45 3.10 KD spacing table . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46 3.11 Table used in switch statement . . . . . . . . . . . . . . . . . . . . 47 3.12 Example of case conversion codes . . . . . . . . . . . . . . . . . . . 49 3.13 Example of leveraging stepovers to position separators . . . . . . . 52 viii 3.14 Category1: Two sequential keyword comparisons. ResultsareshownintheorderofCAT1_T1, CAT1_T2, CAT1_T3, and CAT1_T4. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 3.15 Category1: 60 sequential keyword comparisons. Results are shown in the order of CAT1_T1, and CAT1_T5. . . . . 59 3.16 Category2 : Results are shown in the order of CAT2_T1, and CAT2_T2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 3.17 Category3 : Results are shown in the order of CAT3_T1, and CAT3_T2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 3.18 Category4 : Results are shown in the order of CAT4_T1, and CAT4_T2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65 4.1 General system parameters . . . . . . . . . . . . . . . . . . . . . . . 69 4.2 ApiIntercept parameters - sym. is an abbreviation of symbolic . . . 73 4.3 Functions modeled symbolically. Two models of strtok, one of them is mere emulation (not modeled symbolically) . . . . . . . . . . . . 73 4.4 Injection point as APIs . . . . . . . . . . . . . . . . . . . . . . . . . 74 4.5 Constraint parameter: symbol definition (top), profile number and range of values representing system constraint (bottom) . . . . . . . 74 4.6 CFGSearcher parameters . . . . . . . . . . . . . . . . . . . . . . . . 80 4.7 StackTracer parameters . . . . . . . . . . . . . . . . . . . . . . . . . 84 5.1 Detected binary file signatures . . . . . . . . . . . . . . . . . . . . . 89 5.2 Detected text file formats . . . . . . . . . . . . . . . . . . . . . . . 89 5.3 Malware searches for different types independently . . . . . . . . . 90 5.4 Detected lookup tables . . . . . . . . . . . . . . . . . . . . . . . . . 92 5.5 Breakdown of malware using API . . . . . . . . . . . . . . . . . . . 93 ix 5.6 Summary of experiments information . . . . . . . . . . . . . . . . . 94 5.7 Detected text file formats after adjusting the path constraint . . . . 95 5.8 Effect of eliminating whitespaces . . . . . . . . . . . . . . . . . . . 97 5.9 Breakdown of malware using⊕ for string length . . . . . . . . . . . 98 5.10 Effect of setting constraints to eliminate 80 h . . . . . . . . . . . . . 103 5.11 Generated Messages from scouting module . . . . . . . . . . . . . . 104 5.12 Running time for extracting Cryptowall 3.0 keys . . . . . . . . . . . 105 5.13 Extracted keys from RATs (first 10 bytes) . . . . . . . . . . . . . . 105 5.14 Decrypted network traces from CryptoWall 3.0 . . . . . . . . . . . . 105 6.1 Enumerated geolocation strings used by malware . . . . . . . . . . 108 6.2 Geolocation samples using sliding window parsing approach . . . . 110 6.3 Extracted tokens from malware scraping the web . . . . . . . . . . 113 6.4 Enumerated confirmation code . . . . . . . . . . . . . . . . . . . . . 115 6.5 Usernames by malware to detect sandboxes . . . . . . . . . . . . . . 117 6.6 Enumerated computernames from malware . . . . . . . . . . . . . . 118 6.7 Enumerated browsers and legitimate softwares . . . . . . . . . . . . 122 6.8 Enumerated malware name and system processes . . . . . . . . . . 123 6.9 Processes associated with Antiviruses . . . . . . . . . . . . . . . . . 124 6.10 Processes associated with Sandboxes . . . . . . . . . . . . . . . . . 125 6.11 Added behavior obtained by running enumerated legitimate processes . . . . . . . . . . . . . . . . . . . . . . . . . . . 126 6.12 Distribution of unique valid process names generated per samples . 127 6.13 Malware checking loaded modules . . . . . . . . . . . . . . . . . . . 128 7.1 URL and sample breakdown for JSON installation instructions . . . 131 7.2 Generated Tags, and running time and states . . . . . . . . . . . . 131 x 7.3 Generating keys for geolocation JSON . . . . . . . . . . . . . . . . 132 7.4 Generating values associated with tags extracted in Table 7.3 . . . 132 7.5 Extracted JSON key from Razy, see Table 3.1 . . . . . . . . . . . . 133 7.6 Summary of JSON RPC . . . . . . . . . . . . . . . . . . . . . . . . 134 7.7 Generated content of samples scraping XML files . . . . . . . . . . 139 7.8 Generated XML tags for a binary checking root tag’s length . . . . 140 7.9 URL and sample breakdown for hash validating XML tags . . . . . 140 7.10 Generated tags for malware performing hash-based tag validation . 140 7.11 XML tags for a binary hash validating tags . . . . . . . . . . . . . . 141 7.12 XML tags for a binary performing hash-based tag validation . . . . 141 7.13 Generated content for malware using XML attribute to encode data. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142 8.1 Summary of RATs and the corresponding command formats . . . . 143 8.2 Extracted commands from RATs . . . . . . . . . . . . . . . . . . . 144 8.3 Window names enumerated by Infostealer.bancos . . . . . . . . . . 144 8.4 Ruskill variants information . . . . . . . . . . . . . . . . . . . . . . 146 8.5 Extracted IRC commands. The input is delimited with spaces in stage2 . . . . . . . . . . . . . 148 8.6 Extracting commands, parameters and options for Ruskill. . . . . . 148 8.7 Ruskill commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . 149 8.8 Symmi commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150 8.9 KD commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153 8.10 Autoit commands, running time and number of states . . . . . . . . 155 8.11 Infostealer.bancos commands type 1 . . . . . . . . . . . . . . . . . . 157 8.12 Infostealer.bancos commands type 2 . . . . . . . . . . . . . . . . . . 158 8.13 Commands triggering response . . . . . . . . . . . . . . . . . . . . . 159 xi 8.14 Commands with analyzed parameters . . . . . . . . . . . . . . . . . 159 8.15 Other commands for Msil.cassiopeia . . . . . . . . . . . . . . . . . . 160 8.16 Pmkfrsucinas and Kazy detailed commands analysis . . . . . . . . . 161 8.17 Pmkfrsucinas and Kazy commands triggering response . . . . . . . 161 8.18 Name and hash of some samples used in discussion . . . . . . . . . 162 8.19 Keywords and IP address mapping . . . . . . . . . . . . . . . . . . 163 8.20 Name and hash of a sample used in discussion . . . . . . . . . . . . 165 8.21 Extracted commands for symmi . . . . . . . . . . . . . . . . . . . . 165 A.2 URLs point to images with embedded zip files. The table is divided into two groups JPEG and GIF. URLs pointing to the same file are separated with dashed lines. . . . . . . . . . . . . . . . . . . . . . . 184 A.1 S-Boxes extracted from Chinbo . . . . . . . . . . . . . . . . . . . . 185 xii List of Figures 3.1 Simple illustration of dynamic symbolic execution engines . . . . . . 20 3.2 Illustration of a record generated by a learning state. Tuples values are (Value,PC,Processing Order). . . . . . . . . . . . 23 3.3 Symbolic execution tree of a binary performing sequential compar- isons of LE,EL, LA, and DL. Nodes that contain complete strings are encircled in red. (Top) tree from standard symbolic execution. (Middle) tree using the proposed approach without constraint manipulation. (Bottom) the proposed approach with ignoring constraint on non-progresss states. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 3.4 An example of records for Floating String generated by learning states . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 3.5 TwoexamplesofrecordsforSeparatorFindersgeneratedbylearn- ing states . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 4.1 System Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . 68 6.1 CDF of redundant and incomplete states in process enumeration . . 126 6.2 CDF of time to enumerate process comparison from symbolic injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127 xiii 8.1 Malware abuses Quora to find a rendezvous . . . . . . . . . . . . . 164 xiv Abstract I present a white-box based approach to understand string parsing and enumer- ate string comparisons in malicious binaries. Text processed by malware reveals a wealth of information about its behavior. Enumerating strings compared by malware helps analysts to reconstruct content fetched remotely by malware and reconfigure analysis environments to increase the effectiveness of dynamic analysis. The key insight in building a scalable system is to identify the "progress branch" for conditional statements and setting the path constraints I have utilized symbolic execution to build an inference module to classify parsing constructs and control the forking accordingly to reduce state explosion effectively. I have analyzed more than a thousand of malicious samples using the pro- posed approach, and reconstructed commands from Remote access trojans (RATs), detectedvariousfile-formats, includingembeddedfiles. Ialso detectedgeolocation- based malware that ceased its malicious activity based on the location of the guest and enumerated those regions. Not only have I enumerated computer and usernames used by malware to detect sandboxed environments, I detected computer names that cause malware to behave differently. I detected malware that looked for browsers and enumerated their names. I also enumerated the names of processes that cause malware to ceases its activity. xv Chapter 1 Introduction Malware processes text to check the artifacts of the guest environment and to interpret commands fetched remotely. For example, malware contacts a remote service to obtain the guest’s geographic locations. Enumerating text comparisons performedbyamalicioussamplerevealsawealthofinformationaboutitsbehavior, and facilitates generating contents that trigger different behavior. Remote services contacted by malicious software are often quickly taken down. If not, they selectively craft responses based on their assessment of the infected environment. Further, there is an evident tension between effectiveness and safety when conducting a malware experiment, regarding allowing malicious samples to interactwiththeInternet[48,15]. Malwaremightjoinatargetedcampaigntoflood services in what known as DDoS, probe or exploit vulnerabilities, transmit spam, or relay botnet control traffic. Even worse, malware author might attack analysts’ machines, to disrupt an investigation, e.g., Storm Worm initiated a DDoS [59]. Analysts use techniques to reduce the effects of harm that malware might cause to entities on the Internet such as firewalls and traffic rate-limiting [57]; however, they are not effective against zero-day vulnerabilities. There is a body of work in the literature that attempts to classify malware communication into benign and malignant [47, 14]. Several approaches leverage traffic traces to understand malware protocol format[21, 43]. However, traffic traces are not often accessible to researchers. 1 Malware often process texts obtained from the guest environment to assess the local environment. For example, searches for a specific process to identify a sandboxedenvironmentorarunningbrowser. Whilesomechecksareeasytodetect by analysts such as looking for specific registry keys or files, others are not such as the ones that involve text processing. Reverse engineering text comparisons is a daunting task, and malware uses a myriad of approaches to make it harder. Malware often copies the string to specific-purpose registers such as floating-point to lose memory breakpoints. Motivated by the difficulty of reverse-engineering and scarcity of network traces (for replaying, fuzzing, and protocol analysis) , I present a scalable approach based on white-box testing, namely symbolic execution, to enumerate string comparisons performed by malware. Symbolic execution is not efficient when executing parsing code [42, 41, 74]. A simple procedure that compares two string produces a large number of states (state explosion). Even worse, binaries often process text in multiple phases, such as looking for field separators and delimiters. Most attempts to alleviate the state explosion are based on devising selection strategy to prioritize paths based on some heuristics As in any heuristic, there is no universal strategy, and its effectiveness depends on the code under analysis [25]. Function modeling and path-merging can effectively reduce the number of states caused by parsing constructs; they require manual configuration; and, by definition, knowledge of the behavior of functions as well as the type and location of input and output. A function is modeled by building a symbolic expression that describes the semantics of the function. The expression describes the relationship between the input and the output, which produces a complex expression that slows down the constraint solver considerably. 2 Instead of building a search strategy that prioritizes promising states based on some heuristics, I look at the problem from a different angle. The goal is to eliminate redundant states instead of prioritizing promising ones. The key insight is to identify the progress branch - a branch that causes a symbolic variable to evaluate to a single constant - and configure the path constraint. I also leverage symbolic execution to infer the behavior of the parsing constructs in terms of the location of the search and drive the symbolic engine to control forking over them. The system identified various data formats, detected geolocation-based malware, enumerated environment artifacts used to identify analysis environments, and ones that trigger other behavior. 1.1 Thesis Statement Problem definition: When enumerating string comparisons performed by an unknown binary over an input source, the number of feasible execution paths are intractable for dynamic white box testing approaches. Thesis Statement: Can we leverage prior knowledge of commonly used string processing constructs when applying symbolic execution techniques to reduce the number of paths, enumerate string comparisons, and understand the behavior and order of string processing performed by a binary that uses previously unknown constructs. In summary, the contributions can be summarized as follows: • Defining and leveraging a "progress branch" in parsing construct to reduce the number of states required to generate strings compared by binaries. 3 • Using symbolic execution to infer the behavior of parsing constructs relative to the location of search and order of processing, and leverage the inferred behavior in controlling the forks. • A scalable approach that effectively enumerates string comparison performed by malware. I provide a demonstration of the effectiveness of the proposed approach to real malware. Scalable means it scales to analyze real malware, and effective means it successfully regenerates text compared by malware. • AgenericframeworktodetectstructuredfileformatssuchasXMLandJSON and understand the structure of custom communication protocols. I provide mechanisms to configure the constraint system and control state termination togeneratecontentsofpreviouslyknownformataswellasworkingcommands for malware using custom protocols. • A working prototype system that includes a novel method that identifies the structure of the parsing messages and the characteristic of the parsing constructs to guide the symbolic execution engine. 4 Chapter 2 Literature Review I present and discuss work closely related to my thesis. For each piece of work, I emphasized parts related to the thesis. Then, I categorize related works as some fall into multiple categories. Malware analysis falls into two main categories: dynamic and static. In static, the executable structure and content are examined and analyzed, usually in a disassembler or debugger. While in a dynamic counterpart, the behavior of the malware is observed during execution and analyzed. Dynamic analysis is attractive as it provides analysis in a relatively short time. However, it reveals the behavior of a single execution. There are several tech- niques to mitigate this problem, such as forced execution, and dynamic symbolic execution. Static analysis can provide more complete results. However, static analysis requires extensive knowledge of system internals and CPU instructions. Even worse, a significant percentage of binaries are protected against static analysis with packing [22], which usually involves deflating and decrypting compressed or encrypted code. A myriad of tools that facilitates static analysis from debuggers to assemblers from academia and industry exist [7, 1, 83, 72]. The composition and randomness of the executable are leveraged to detect compressed and encrypted malware. The size and the Shannon entropy are used to detect packed malware [35, 62]. Static 5 analysisisoutsidethescopeofthisthesis. Therefore, therestofthechapterfocuses on dynamic analysis techniques. 2.1 Dynamic Malware Analysis Dynamic analysis is conducted by observing the behavior of a malicious sam- ple while executing in a controlled environment. Multiple dynamic systems were proposed, and those systems differ in the level of execution component they mon- itor - process or OS - and the granularity of analysis, e.g., API calls or machine instructions. Coarse-grainedanalysis CWSandbox[82], ZeroWine[13], andTTAnalyze[19] automatically load a sample into a virtual machine and execute it for a certain amount of time and report its activity. After execution, a report about the sam- ple’s interaction with the Operating System and Network is generated. The report captures network activities system and API calls, modifications to the guest oper- ation systems, e.g., read/write to the file system. Zerowine [13] monitors API calls made by malware by leveraging Wine DEBUG capability to collect API calls. Fine-grained Analysis As dynamic analysis demonstrated its strength, there is a need for fine-grained analysis on the machine instruction-level, to facilitate applying white-box testing techniques such as taint analysis and symbolic execu- tion. Multiple fine-grained analysis frameworks were presented and discussed in the literature. The frameworks vary in the level of instrumentation in terms of system components. Process-level dynamic binary instrumentation frameworks were presented and prototyped, such as Valgrind[67], Pin[61], and DynRIO [40]. Running malware 6 in the same address space of the analyzer has disadvantages. Colocating a mali- cious software with the analysis tool in the same security domain makes it prone to detection and tempering. It is impossible to analyze rootkits and malware that runs in the kernel domain. Further, malware spawns multiple processes, and process-level frameworks fall short of capturing the interactions between different processes. Last, process-level frameworks do not enable tracking information flow across different components of the system. It did not take a long time until researchers shifted to system-wide dynamic analysis tools. The goal is to observe malware from outside the operating system, thus, increases the fidelity by making it more transparent to the malicious sample. Multiple tools were presented and prototyped such as Anubis[18],TEMU[86] and DECAF[44]. Most of the proposed tools share the same concept of building on top of the whole system emulators that use dynamic binary translation techniques to emulate CPUs such as QEMU[20]. QEMU is a system emulator based on dynamic binary translation, intending to emulate several CPUs on several hosts. Dynamic translation works by converting guest code into an intermediate form called tiny code generator TCG, then execute the TCG into the host CPU. Whole system dynamic analysis tools were built by modifying and instrumenting QEMU binary translation module. 2.1.1 Dynamic taint analysis Dynamic taint analysis enables tracking the flow of information in a program. An analyst can taint some data sources, e.g., network, keyboard, or a system call output, and track the flow of the information [75] as a program processes them. Taint analysis proved useful in detecting spyware, rootkit, protocol reverse engineering, and others [58, 60, 87, 39, 65]. 7 Dytan[36] - a generic dynamic taint analysis framework - complements data- flow with control-flow propagation to capture control-flow relationships between data. Consider a program that uses a tainted data A in a conditional statement, and processesB in one of the statement’s branch, thenB is control-flow dependent on A. TEMU[86] is an x86 system-wide dynamic analysis framework - based on QEMU - developed as part of Bitblaze[79]. The framework provides external mon- itoring, OS awareness, and fine-grained support analysis. Further, it provides researchers with an ability to track information across the system, leveraging the taint analysis techniques. Although TEMU requires no modification to the guest OS, it hooks process creation and deletion system calls to detect system events like loading processes. Further, they instrument sysenter and sysexit machine instructions to trace system calls. TEMU exploits the fact that the stack pointer value changes during external function call to log API calls made by malicious samples. DECAF[44] is another system-wide dynamic analysis tool built on top of QEMU. Although similar in many aspects to TEMU, they differ in the implemen- tation details. DECAF delivers higher performance and comes with a formally verified taint analysis engine. Further, it does not leave artifacts in the guest OS whatsoever. It exploits TLB misses to detect loading new processes. One of the primary goals is to provide a cross-platform generic tool, yet they still need to read the kernel data structure to retrieve the processes list, which might fall short to some malware that modifies the kernel data structures. Virt-ICE [72] is a dynamic analysis tool based on QEMU with a purpose to providedebuggingcapabilitiesoutsidethevirtualmachinetodefeatanti-debugging 8 techniques. Similar to DECAF and TEMU, the debugger runs outside the guest OS. Applicationinmalwareanalysis Taintanalysisisausefultechniquetoreason about the way malware process data, the flow of data across the system, and tracking control and data dependencies. Tracking data and control dependencies enabled researchers to build behavioral graphs. Those graphs were used to summarize malicious behavior and later on are used as signatures to detect different variants of malware or C&C communication [47, 53]. Further, it is useful in isolating and extracting working algorithm from a binary for further processing [54, 84, 53, 58]. Taint-analysis was an essential component in approaches that detected privacy breaches in binaries and understanding hooking behavior in malware [87, 60, 85] The technique was further used in observing the way a binary processes data to automate reverse engineering multiple functionalities in closed-binaries. For instance, it was used to infer protocol messages format and state machine[29, 37] and to reverse engineer malware emulator[76]. Furthermore, it was used to detect areas of code responsible for encryption, compression, and encoding in malware [28]. 2.1.2 Multi-Path Exploration Dynamic malware analysis became indispensable for malware analysis. How- ever, its coverage is limited by the code it executes - which might not be necessary malicious after all. 9 There are attempts by researchers to address this shortcoming by leveraging a white-box testing technique such as forced execution and forward symbolic execu- tion. The core idea of symbolic execution is to feed the program with symbolic input instead of concrete ones. The execution engines build first-order boolean expres- sions as symbolic values are used in computations. Expressions used in control- flow instructions are called branch conditions. The engine keeps track of the path condition and mapping of variables to symbolic expressions. The conjunction of branch conditions for execution is called path condition. A set of concrete values that satisfies the path condition are guaranteed to drive the program to the same execution branches. Tools Moser [65] proposed a system that allows for exploring multiple execution paths. The system aimed to identify and execute malicious behavior that depends on the existence of files, Internet connectivity, or environmental settings such as time. The system tracks several input sources and monitors the data as they are used in conditional branches. Once it finds one, it snapshots the current virtual machine states and forces execution to one branch, and later explores the other one. Althoughtheapproachincreasescodecoverage, someoftheexploredbranches are infeasible relative to the executed program. For instance, consider an external procedure, e.g., in a system library that checks if a variable a is below specific range; however, there is no path in the code such that a variable with such range is passed to the function. KLEE[30] is an online symbolic execution engine operating on LLVM, models libc functions that deal with the execution environment, such as opening a file. Chipounov[33] introduced the concept of selective symbolic execution that takes 10 another approach by interleaving symbolic and concrete execution. The author introduced different consistency models to account for inconsistency introduced by such an approach. Selective symbolic execution enables symbolic code to interact with system libraries and operating system code running natively, i.e., no modifi- cation required. Rudder is a dynamic symbolic execution engine part of the Bitblaze project[79]. Rudder takes a different approach to run malware and collecting the traces and the propagation of symbolic data across instructions and system calls. The traces are lifted to a VINE intermediate language and used in a further offline analysis to gen- erate inputs that would exercise different execution branches. Although it involves offline analysis, it is superior in the way it tracks symbolic data propagation to and from the permanent storage [45]. FuzzBALL[63], is a light weight x86 online symbolic execution engine based on x86-interpreter. S2E[34] presented a whole-system symbolic execution engine that supports interleaving between symbolic and concrete as well as conical execution. Coni- cal execution is a hybrid between symbolic and concrete, where the execution is driven by concrete input and building formulas in branches to explore later. S2E uses a stripped-down version of KLEE. It lifts the executed instructions into LLVM intermediate language and feeds them to KLEE. S2E is the most supported and efficient whole system symbolic engine available. However, S2E introduced arti- facts in the guest operating systems that can be easily detected. The artifacts are necessary to build OS-level semantic, e.g., monitoring processes and modules. There is a myriad of security work developed on top of S2E. 11 Challenges Several challenges arise when running read-world programs such as malware symbolically. The challenges span from dealing with symbolic memory pointers, interaction the environment, and state explosion and path selection[16]. A rich body of literature attempted to tackle the challenges mentioned above. X86 is a complex language that has many implicit operations. Many instruc- tionsmodifyregistersimplicitly. Thecomplexityandmemoryaliasingandpointers lead to several working introducing a simplified intermediate language that also models the memory to deal with aliasing and pointer [24, 79]. Program traces - recorded machine instructions - are lifted to an intermediate language for further analysis, which does not come without a cost as binary lifters suffer from semantic bugs[50]. Another challenge that severely limits the scalability of symbolic execution is a state explosion. State explosion occurs as dynamic symbolic execution engines create a new state at every branch. The total number of states may be exponential to the number of branches in the program. Imagine a loop a condition depending on a symbolic values. At every branch, the execution engine checks the feasibility of either branch and prune unsatisfiable ones. Although this reduces the number of states, the number of valid ones is still intractable. Engines use path selection heuristics to prioritize paths that might yield to higher coverage. As in any heuris- tic, there is no universal strategy, and its effectiveness depends on the code under analysis [25]. Several approaches for reducing path explosion to some extent were introduced, such as state merging [25]; however, their effect is minimal. Multiplestateschedulingalgorithmswereintroducedtoprioritizepathselection that would select "interesting behavior" such as Breadth-First-Search, Depth-First- Search, Random-Weighting, likely to discover new code, .etc [16]. 12 Several works tried to tackle the path explosion by augmenting state selec- tor with program information to select meaningful states [25, 68, 84]. Xu et al. [84] enriched the path selection process by information obtained from prior offline analysis to assign weights to branches that may eventually execute the system calls of interest. CHEF[25] augmented the state selection heuristic with informa- tion to make it aware of the high-level program structure as well as a state selection heuristic that partitions the states into classes to control the selection probability for each class. Saxena et al. presented an approach to incorporate the semantic of loops to direct the exploration of the program [74]. Caballero et al. [28] presented a novel approach to tackle the intractability of encoding and encryption code by bypassing the functions enclosing the code. Finally, Godefroid et al. [41] proposed a grammar-based approach to direct the exploration of states to fuzz XML parsers. Application Multi-path exploration is used in malware analysis to trigger dif- ferent behavior and to find vulnerabilities in malicious and benign binaries. Several work leveraged multi-path exploration to detect trigger-based behavior [23, 65]. Neugschwandtner et al. [68] leveraged multi-path exploration to discover backup C&C endpoints by simulating the takedown of those servers. The lever- aged information of known endpoints and communication signatures to reduce the exploration space as malware blend in communication to popular Internet services. PeerPress [84] used different multi-path exploration techniques to extract network messages that facilitate fingerprinting P2P malware. Similarly, Banabic et al. [17] demonstrated how to use symbolic execution to find trojan message vulnerabilities in distributed systems. Finally, several works used symbolic execution to find vulnerabilities in mali- cious and benign closed-binaries [27, 74, 28]. 13 Defeating Multi-path Exploration Multi-path exploration can be impeded by using conditional code obfuscation with secure triggers. Sharif[77] proposed a method to encrypt the conditional code with a key derived from the input and hence thwarting multi-path exploration. 2.2 Transparency Dynamicanalysisproveditsstrengthinautomatingmalwareanalysis. Malware writers thrive to increase the lifespan of their products. Hindering such an analysis canhelpadversariestoreachthatgoal. Therefore, theytryeverytechniqueattheir disposal to thwart such analysis. A significant percentage of malicious software deploy one or more of dynamic analysis evasion technique [22]. Taxonomies of anti-analysis techniques were pre- sented in [26, 32, 31]. Dynamic analysis frameworks vary in their level of transparency. The more fine-grained they get, the less transparent and scalable they become[51, 52, 66]. Analyzing malware in bare or semi bare-metal machines provides the highest form of transparency. A virtualized environment provides excellent isolation and saves time in restor- ing to a clean state after the analysis. However, VM introduces artifacts in the guest operating system for management, which can be used to fingerprint the environment. Apart from that, malware may exploits vulnerability in the virtual machines to crash them or escape to the host systems [71, 69]. 14 A fine-grained analysis is an indispensable approach for analysts. Such an anal- ysis is conducted in an emulator that is much slower than a physical machine. Fur- ther, due to optimization techniques, the execution behavior might differ. Attack- ers proved to evade and attack the CPU emulator, however. Martignoni et al. presented a systematic method for enumerating differences between VMs and physical machines[64, 70]. Shi et al. draw on Martignoni et al.’s work on Red Pill Testing for enumerating differences between VMs and physical machines [78]. Ether [38] is a highly transparent malware analysis system to collect execution traces of the program running on bare metal CPU. The system is based on hardware virtualization extensions, such as Intel VT. There are many attempts to circumvent the delays introduced by such emula- tors. Multiple works patched sleep and delay APIs [72, 68]. Kolbitsch[55] observed that attackers use stalling code that runs significantly slower in an emulator to evade analysis. Kolbitcsh presented - Hasten - an approach to detect stalling code by monitoring loops with low activity and instrument the malicious sample to jump out of them. To utilize the power of fine-grained analysis without sacrificing transparency, Kang[49] proposed scalable, automated techniques to dynamically modify the exe- cution of a whole-system emulator to match a reference. Further, it diagnoses the source of anti-emulation behavior by comparing the execution traces obtained from an emulator and a higher fidelity system. A highly transparent emulator that facil- itates collecting instruction traces made such an approach feasible; namely, they used Ether[38]. Finally, Martignoni et al. [63] presented an approach to increase the fidelity of a process emulator by exploring with symbolic execution a high-fidelity emulator 15 and lift the test cases to the lower fidelity one. The test cases are used to detect discrepancies and patch them. 2.3 Malware Communication Malware communicates with the Internet to register or obtain instructions from their C&C, contribute to a spam campaign, DDoS attack, or obtain other informa- tion. Malware communicates popular Internet Services to perform a connectivity check, obtain time and date information, or other reasons [63, 73, 68, 15]. Analysts typically analyze malware in an environment isolated from the Inter- net to avoid the risk of harming others. However, certain types of malware are operationally dependent on communication with entities on the Internet. System simulating Internet connectivity returns a standard or random response for every request [46, 21, 2]. However, certain types of malicious programs expect a particu- lar response format, e.g., binaries to download, a list of emails to spam, or a server address to attack. Since emulating C&C communication is not a simple task, those communica- tions are often allowed, while others are denied. Multiple solutions were proposed to regulate and automate the containment process. GQ [57] and Botlab[48] allow limited communication with the outside world. GQ work proposes a malware exe- cution farm that introduces containment as the first-order component in support of malware analysis. Similarly, Botlab—a real-time spam botnet monitoring system that also allows controlled communication with the Internet. However, both GQ and Botlab require a human expert in the loop for strict containment.Conversely, Aokietal. [15]tookanalternativeapproachbyallowingcommunicationtopopular 16 Internet services under the assumption that such communication is safe and essen- tial to reveal malicious behavior.The proposed approach leverages search engine’s ranking systems. It is of a great benefit to be able to identify the characteristics that distinguish malware communication with their masters from others as it is a sign of infected hosts in an individual network. Several approaches attempt to identify malware communication with their masters from another type of communication. Jacob et al. [47] proposed a system to detect automatically detect C&C communication; however, the fact that malware blend in other communication made the task quite challenging. Manos et al. [14] proposes a technique to detect malware C&C traffic, specifically the one uses a domain generation algorithm (DGA). Malware uses DGA to increase resiliency. Instead of contacting a single master that can be taken down, they deploy DGA to generate many domain names until they found a functioning one. The paper exploits the fact that DGA results in many NXDomain error messages. 2.4 Summary Dynamic and static analyses were utilized to understand the behavior of closed- binaries and, in particular, malicious ones. In dynamic mode, the behavior of a binary is observed as it runs in a controlled environment. The observed behavior includes network activity and interaction with the operating systems. Multiple works extended the dynamic analysis to support a deeper level of granularity, such as instrumenting machine instructions to track the propagation of data. In an attempt to trigger behavior dependent on the existence or lack of system artifacts, multiple works leveraged force and symbolic execution to increase 17 the code coverage to trigger behavior dependent on the existence of certain system artifacts(e.g., filesorprocess)orcertainnetworkactivitiesMultipleworkleveraged taint analysis to infer network messaging protocol, distinguish harmful network activities from the benign ones. Several approaches were presented to deal with a large number of intractable execution paths resulted from symbolic execution for a particular domain. 18 Chapter 3 Symbolically Executing Malware This chapter explains the challenges facing dynamic symbolic execution engines when executing text parsing code and presents the approaches used to alleviate the state explosion caused by such constructs. I explain the rationale behind the decisions taken and explain the terminologies used through the document. The proposed approaches leverage symbolic execution to enumerate string comparison performedbymalwareovervaluesobtainedfromthelocalenvironmentorremotely. 3.1 Background SymbolicExecution Thecoreideaofsymbolicexecutionistofeedtheprogram with symbolic input instead of concrete ones. As symbolic variables are used in further computation, they build more complex expressions. Expressions used in control-flowinstructionsarecalledbranchconditions. Theenginekeepstrackofthe path condition and mapping of variables to symbolic expressions. The conjunction of branch conditions for execution is called path condition. A set of concrete values that satisfies the path condition are guaranteed to drive the program to the same execution branches. Consider the example shown in the left of Figure 3.1, and assume that the concrete variable a - a parameter to fun - is replaced with a symbolic variable λ. The symbolic execution engine at any time maintains the currently executed statement, path constraintπ, and the symbolic storeλ for each state. Whenever a 19 1 void fun(int a) { 2 int x =1; 3 if( a > 100 ) { 4 //path1 5 x = a*3; 6 } else { 7 //path2 8 x = 50; 9 a *= 2; 10 } 11 } 1. Let π ={0<λ}, α ={a=λ} 2. Path1: π =100<λ, α ={a=λ,x=λ×3} 3. Path2: π =0<λ≤100 , α ={a=λ×2} Figure 3.1: Simple illustration of dynamic symbolic execution engines program executed symbolically reaches a conditional statement, line 3 in the left, the engine checks the validity of the condition in the statement with respect to the current path condition - π at line 1 in the right. If both branches are feasible, the engine chooses a path for the current state and creates a new state for the other state. The engine updates the path condition for each state to include the branch condition. Figure 3.1 shows the path conditions - π for both states. After executing the first instruction of the first path - line 5 - the symbolic store is updated to reflect the propagation of λ to the variable x. Challenges for Symbolic Execution A challenge that severely limits the scal- ability of symbolic execution is state explosion. State explosion occurs as dynamic symbolic execution engines create a new state at every feasible branch. This prob- lem is manifested when executing a parsing loop or when a symbolic variable is used to address memory location, e.g., array index. Imagine a parsing loop that looks for a keyword or delimiter in each iteration at least a new state is forked or a symbolic variable used to index an array - in some cases, there is a virtually infinite number of possible addresses. It is well known that symbolic execution is not efficient when executing parsing code [42, 41, 74]. 20 3.2 Approach Overview I alleviate the state explosion problem by looking at the problem from a differ- ent perspective. Instead of following the standard approach of devising a search heuristic that prioritizes the execution of some promising states, I eliminate redun- dant states by identifying and following the progress branch. I also observe the behavior of the binary when forced to take the progress and non-progress branches independently to classify constructs in terms of the location of the search and drive the symbolic execution engine accordingly. The approach can be summarized as follows: First, I configure the constraint system to avoid creating states on some constructs, such as the ones that search for a NULL byte to determine the length of the input. Second, I identify a progress branch in conditional statements and analyze its behavior. It is worth noting that if I force the binary to take the progress branch, it will start processing strings that are enough to identify the type or format of the input, e.g., an XML tag or header or file signatures (magic). Third, I leverage the observed behavior of the binary when forced to take the progress and non-progress branches to classify parsing constructs based on the location of the search and order of processing and drive the engine accordingly. Progress Branch I name a branch in a conditional statement that evaluates a symbolic expression to a unique constant value, a progress branch. Some condi- tional statements do not have a progress branch, such as greater or less than com- parisons. Such comparisons are used by binary for various reasons. One example is to check that the input falls in a certain range of values before starting processing the text or case conversion, e.g., upper to lower or vice versa. 21 Symbolic Execution of malware To enumerate string comparisons, I run mal- wareinasymbolicexecutionengine. Iinjectthedesiredinputwithsymbolicvalues and observe the computations performed over those variables. The input can be data fetched from the network or an output of a system API. In what follows, I describe the mechanism, mode of operation, and parameters of the proposed system. Mode of operation There are two modules where the system can operate, controlled forking and inference module. The user can configure the system to run in either mode. 3.3 Mode 1: Controlled Forking Module The user can configure the symbolic driver to place an upper bound on the number of forks a state is allowed to make. For subsequent conditional branches, the driver forces the state to take a progress branch if feasible or arbitrarily choose a branch. Most often, using this approach enumerates initial comparisons made by binaries to give an idea of the format of the input. Consider a binary that sequentially searches for a string in the same location. The user can configure the system to bound the number forks to two for each state. Scouting module Malware often fetches remote content and sends them remotely or displays them on the screen without processing them. The user can leverage this mode by configuring the system to allow the initial state only to fork up to four times and force it and other generated state to take the progress branch. This mode can also be used to make a scouting pass on network input to eliminate such contents as well as to determine the format of the input. 22 0 1 2 3 4 (M,0x40980,0) (A,0x40990,1) (L,0x40990,2) (W,0x40990,3) (A,0x40990,4) Figure 3.2: Illustration of a record generated by a learning state. Tuples values are (Value,PC,Processing Order). 3.4 Mode 2: Inference Module The module aims to classify the characteristics of parsing construct in terms of thepositionofthebytestheyprocess. Whenabinaryexecutesabranchinstruction where both paths are feasible, and at least one of the branches evaluates some symbolic values into constants - progress branch - the driver switches into the learning mode. A decider state analyzes the records generated by the learning states and classifies the construct into one of the following: Comparator, String Finder, and Separator Finder. 3.4.1 Learning mode The engine forks and executes two states (progress and non-progress) indepen- dently. The progress state is forced to take the progress branch, while the non- progressstateistheonethattakesthatbranchthatdoesnotcreateconstants. The engine records all the symbolic variables that were evaluated to constants in the progress state. In the non-progress, the engine records constants evaluated from the negation of the constraints produced by conditional branches. Learning states generate a list of tuples, each representing a symbolic byte. Each tuple contains the constant value for a byte satisfying the path constraint if any, the program counter and the order the byte was processed. Figure 3.2 shows an illustration of a record generated by learning states. 23 Upon the termination of both states, the module classifies the construct based on the records generated. The module drives the symbolic engine according to the determined class of the construct. I focus primarily on three parsing constructs relative to the location of the search: comparators, string finder, separator finders. In what follows, I describe the constructs, the method to identify and handle them. 1 bool cmp(const char *s,const char *p,int n) { 2 for(int i=0;i<n;i++) { 3 if(s[i] != p[i]) return false; 4 } 5 return true; 6 } 7 char *findstr(char *s,char *p,int n) { 8 for(int i=0;i<n-strlen(p)+1;i++) { 9 if(s[i] == p[0]) 10 if(cmp(s+i,p,strlen(p)) ) return s+i; 11 } 12 return NULL; 13 } Listing 3.1: "cmp": a function that compares two strings in specific location. "findstr": a function that find a string in multiple location 3.4.2 Comparator A comparator is a loop(s) or a group of instruction that compares two strings - to find a particular keyword in a specific place. A simple procedure that compares two strings falls into this category. Such a construct - in most cases - creates a new state on every comparison. However, keywords are often treated atomically 24 S0 ? ? S0 L ? S0 L E S2 L !E S2 L A S3 L !A∧!E S1 !L ? S1 E ? S1 E L S5 E !L S4 !L∧!E ? S4 D ? S4 D L S7 D !L S6 !L∧!E∧!D ? S0 ? ? S0 L E S1 !L ? S1 E L S2 !L ? S2 D L S3 !L ? S0 ? ? S0 L E S1 ? ? S1 E L S2 ? ? S2 L A S3 ? ? S3 D L S4 ? ? Figure 3.3: Symbolic execution tree of a binary performing sequential comparisons of LE,EL, LA, and DL. Nodes that contain complete strings are encircled in red. (Top) tree from standard symbolic execution. (Middle) tree using the proposed approach without constraint manipulation. (Bottom) the proposed approach with ignoring constraint on non-progresss states. - either they exist as a whole or not. A string generated from a Comparator is called a Keyword. 25 The system deals with machine instructions, but I use a high-level code for illustration. Consider calling the function cmp in listing 3.1 with symbolic inputs. Assume that p translates to “[version]”. In this case, the execution engine would fork 11 times, and most of the 11 generated states are redundant. Only two states are useful, either s is qual to “[version]” or not. All the other generated states are redundant. Detection Comparators are detected by checking records generated by the two learning states. The binary in the non-progress state stops the comparisons and either start processing another keyword or move to another construct. Moving to another keyword would not change the generated record as it would process the first byte or group of bytes, and forcing the state to take the non-progress branch causes the comparison to fail. The binary might move to another construct and, by definition, a different instruction with different program counter. Handling The engine forks a new state when the binary executes a branch clas- sified ascomparator. The current state is forced to take the progress branch until it exists the parsing construct (progress state). The other state is forced to take non-progress branches until exiting the construct, without, assigning a constraint to the state (non-progress). I mean forcing the state to take the non-progress branch without expanding the path constraint with the branch’s condition. The reason behind ignoring the constraint is that a binary might continue a sequential search for other strings that share the same prefix. Figure 3.3 illustrates three symbolic tree of a binary that performs sequential comparisons of four independent keywords in the same location in the following order: LE,EL, LA, and DL. The tree in the top shows the states generated from a standard symbolic execution, while the bottom shows states generated from the 26 proposed approach. The comparison function - used in the discussion - compares one byte at a time of the string, and if one-byte mismatches, it moves to the second keyword. The tree in the middle and the bottom shows the effect of not ignoring the constraint in the non-progress. Ignoring the constraint makes the non-progress state feasible for enumerating keywords that share the same prefix as the one generated in the progress state. To further illustrate the point, look at the symbolic tree at the top. The tree shows that LA is generated by the state resulting from the false comparison of the second byte of LE. However, other strings were generated by states resulted from the false comparison of the first byte of LA. Had the system not ignored the constraint, more forks are required to enumerate strings sharing the prefix, and the number of forks is dependent on the length of the prefix. This approach is to handle performing independent string comparisons (see subsection 3.4.5 for binaries performing prefix matching). I mean that the binary restart comparisons if the string is not found - see the example below. 1 if( cmp(s,"LA",2) ) { 2 } else if(cmp(s,"EL",2) ) { 3 } else if(cmp(s,"LA",2) ) { 4 } else if(cmp(s,"DL",2) ) { 5 } The number of states generated by the proposed approach is linear to the number of states in most cases equals to the number of keywords plus 1. However, the number of feasible paths depends on the number and of keywords and the length of each one. 27 3.4.3 String Finder Astringfinderisaloop(s)thatsearchesanarrayofbytesforthefirstoccurrence of a character or a group of characters. String finders is a challenge for symbolic execution as it forks on virtually every byte of the input. A string generated by a String Finder is called a Floating String and is super-scripted with the letter "F" in the document. Consider calling function findstr(s,"MOTD",10) in listing 3.1 , where s is symbolic. The function generates 1409 states, 352 ( 25%) of them return non-zero - the rest are redundant. Increasing the buffer length by 20, the function gener- ates 2876911 states, 684779 (23.8%) of them return non-zero. There are multiple functions in libraries provided by compilers or the operating system that behaves in this way; for example, the common "strstr" function. An analyst can model the function by returning a symbolic expression that summarizes the behavior of the function, but a knowledge of the behavior of the function and the format and loca- tion of the input and output has to be known. Further, there are functions used by binaries that behave similarly but are named differently, and the underlying binary differs. 0 1 2 3 ... n-1 (<,0x40980,0) (<,0x40990,1) (<,0x40990,2) (<,0x40990,3) ... (<,0x40990,n-1) (a) Non-progress state record 0 1 2 3 4 5 ... n-1 (<,0x40980,0) (|,0x40990,1) (O,0x40990,2) (K,0x40990,3) (|,0x40990,4) (>,0x40990,5) ... (-,-,-) (b) Progress state record Figure 3.4: An example of records for Floating String generated by learning states 28 Detection The engine checks the comparisons made in the progress and non- progress state. Since the binary searches for the string in multiple-location, forcing the binary to take the non-progress branch causes it to continue looking for the character or group of characters in multiple locations of the buffer. Therefore, the non-progress record would illustrate a continuous attempt to find a character, while the progress record would show the character or the complete string. The binary might also move to another construct in the progress state after finding the substring. Figure 3.4 shows an example of a record generated for a String Finder. The values searched by a binary might not necessarily appear in contiguous places in the buffer. In some cases, the current path constraint renders some bytes infeasible for the bytes searched by the constructs - especially if the binary searches for the string in later phases of parsing. In other cases, the binary intentionally skips over some bytes. Handling The engine creates a new state when a binary executes a branch instruction identified as String Finder. The current state is forced to take the progress branch until it exists the construct. The other state - a forker state - is forced to take the non-progress branch without assigning constraints, and forks a state after a pre-determined number of iterations. The newly forked state is forced to take the progress branch until it exists the construct. There are multiple scenarios of why a binary searches for a string in different locations. One scenario is when a binary searches for a string and process the bytes before or after it (a delimiter), or two strings and process the bytes between them. The latter scenario is seen in binaries that scrape a webpage, for example. Those 29 scenarios should explain the rationale behind the way I fork after a pre-determined number of iterations. 1 GetCMDAccess 2 a h 1 2 window.baidu_time( 1 123456 3 ) 2 3 Malware 1 Sandbox 2 Consider the three examples shown above. Texts are superscripted with a numberdescribingtheorderofwhichthestringwasprocessed. Inthefirstexample, the binary searched fora h followed by the keyword GetCMDAccess. Sincea h is a Floating String, three states were created. One state where a h appears at the beginning of the buffer, a h is absent in the second, and a h is in a position farther than the beginning - determined by the number of iteration after which a forker state is configured to create a progress state. Note that only the third state is where the binary starts processing the keyword. The second example shows a binary that searches for two floating strings, win- dow.baidu_time( and ), then it starts processing the bytes in-between. For the first Floating String, two states were created along with the initial state. In the initial state and the state created by the forker, the binary searched for the other floating strings. Each of the two states creates two states for the second Floating String. The values in the created states given the behavior mentioned above would have the following values. 1 window.baidu_time() 2 3 window.baidu_time( 4 window.baidu_time( ) 5 window.baidu_time() 6 window.baidu_time( ) 30 7 window.baidu_time( There are redundant states but I choose such strategy to capture all cases. The generated states are also dependent on the underlying binary. For instance, the above example is from variants of malware I analyzed, few binaries that searched for the above strings, searched for) even in the absence of window.baidu_time( The third example belongs to a binary searching for two independent Floating String. The values of all generated states are as follows: 1 Malware 2 Sandbox 3 Malware 4 Sandbox Note the user can configure the forker not to create a progress state to reduce the number of states, and the output would be 1 Malware 2 Sandbox 3.4.4 Seperator Finder A separator finder is a loop(s) or a group of instructions that searches for a string in multiple locations. This construct is similar to the String Finder in that it searches for a string in multiple locations, but differs in that it searches for numerous occurrences of the string. Most time, the binary searches for such strings to delimit the input and process each chunk independently. Similar to the previous constructs, it generates an excessive number of states. A string generated from Seperator Finder is called a Field Seperator. 31 0 1 2 3 ... n-1 (%,-,0) (%,-,1) (%,-,2) (%,-,3) ... (%,-,n-1) (a) Non-progress state record for sample #1 0 1 2 3 4 5 ... n-1 (%,-,0) (E,-,1) (n,-,2) (D,-,3) (%,-,4) (%,-,5) (E,-,5) ... (-,%,n-1) (b) Progress state record for sample #1 0 1 2 3 ... n-1 (d h ,-,0) (d h ,-,1) (d h ,-,2) (d h ,-,3) ... (d h ,-,n-1) (c) Non-progress state record for sample #2 0 1 2 3 4 5 6 ... n-1 ([,-,10) (d h ,-,0) (a h ,-,1) ([,-,11) (d h ,-,2) (a h ,-,3) ([,-,12) ... (-,%,n-1) (d) Progress state record for sample #2 Figure 3.5: Two examples of records forSeparator Finders generated by learning states Detection Identifying a separator finder is similar to the string finder in the sense that it will keep searching for the first byte of a string in the non-progress state; however, it differs in the progress state as it keeps searching for the string multiple times. Figure 3.5 shows records for Separator Finders for two different malware samples. The Program counter was omitted for brevity from the tuples. TherecordsinthelowerhalfofFigure3.5belongstoabinarythatskipssomebytes when processing the field separators. After scanning the buffer for the separators, it starts processing the chunks, and those values appear as "[". By looking at the values in the buffer, it is not straight-forward to extract the separator. "[" appears to be part of the separator. However, recording the order of processing helps in extracting the complete separator. Astringfinderandseparatorfindermightbeusedforthesamepurpose, suchas finding delimiters to split the input. However, the order of processing is different. In the string finder, the binary searches for a delimiter and then processes the 32 bytes to the left or right of it and then start finding another delimiter again. In the separator finder, the malware searches for all delimiters before start processing the chunks. Some delimiters are optional. For example, some binaries start by searching for white spaces to ignore those bytes such as JSON and XML parsers. Handling The engine handles separator finders in three different ways. The user can configure the system to choose any combination of them. Whenever an engine executes a branch instruction that is identified as a separator finder, the engine extracts the complete separator and forks one or multiple states depending on how the system is configured. The options to handle separator finders are as follows: • Assigning the separator in several locations in a deterministic fashion, while adjusting the path constraint such that other bytes cannot evaluate to any character of the separator. • Assign the separator in random locations while constraining other bytes not to equal any character of the separator. • Do not assign the separator and adjust the path constraint such that the separator cannot exist in any location of the symbolic array. Below I show two examples of Field Separators. 1 getdesktop\r\n <........> \r\n <........> \r\n 2 %0666|"|2||"|2|%%EnD%% <...> %%EnD%% <....> %%%EnD%% The first is a standard CRLF, while the second is %%%EnD%%. Note that the binaries started processing the data after the separators were assigned to some locations. 33 3.4.5 Resetting Once I detect a parsing construct, it is crucial to know when to reset. Con- sider the case where a binary searches for two floating strings to locate a token (in-between) ; if I do not reset between the two operations, I do not leave a space between them. In general, over-approximating construct boundaries yields to partial-string enumeration, and under-approximation increases the number of generated states. Identifying the boundaries of the parsing construct is a hard problem, and I approximate it by procedure calls. For string finders, I count the pair of call/ret instructions performed in the non-progress learning state and use that information to determine the procedure enclosing the outer loop that searches for the first character. For instance consider the example below: 1 Procedure1(haystack,needle) 2 found = False 3 p = 0 4 WHILE not found and p < |haystack| 5 call Procedure2(..) 6 .... 7 call ProcedureN(..) 8 if cmp(haystack[p:],needle) == True: 9 found = True 10 return 11 return 12 p = p + 1 13 return found The aim is to determine the procedure enclosing the while loop in line 4 and reset after it returns. In the non-progress state, the binary would execute an iteration 34 of the loop in line 4 between each failed comparison. The engine leverage this behavior to determine the resetting point, specifically after Procedure1 returns. However, consider the example below. 1 Procedure1(haystack,needle) 2 found = False 3 p = 0 4 WHILE not found and p < |haystack| 5 found_p = findstr(haystack[p:],needle[0]) 6 if found_p != NULL: 7 if cmp(found_p,needle) == TRUE: 8 found = True 9 p = p + 1 10 return found findstr would not return until it finds the first occurrence of the first character of needle in the buffer starting from p. The approach would reset after findstr returns, which results in extra states as findstr would be classified as a string finder and cmd as comparator. To avoid the extra states the user can leverage strlevel - see Table 4.6 - parameter to delay resetting and avoid the additional states. A scenario where this approach would fail to enumerate independent substrings is when there are two independent loops in the same procedure as follows. 1 Procedure1(haystack,needle1,needle2) 2 found = False 3 p = 0 4 WHILE not found and p < |haystack| 5 if haystack[p] == needle1[0]: 6 if cmp(haystack[p],needle1): 7 found = True 8 p = p + 1 35 9 10 if found == True: 11 goto END 12 13 p=0 14 WHILE not found and p < |haystack| 15 if haystack[p] == needle2[0]: 16 if cmp(haystack[p],needle2): 17 found = True 18 p = p + 1 19 20 END: 21 return found Althoughtheprototypeimplementsanoptionthatleveragesloopanalysistodeter- mine the resetting point, resetting on exit edges of the current loop or the outer loop is not accurate, and this problem is undecidable. For comparators, I reset after the procedure that compared the first byte(s) returns. However, some malware uses the EFLAG register to determine the return value of the procedure instead of using the standard way by checking the RAX/EAX register. Therefore, I check if the EFLAG has a symbolic value, and I delay resetting until the calling procedure returns. In some cases, the binary can perform all sequential comparisons in one procedure, and the proposed approxi- mation would miss the rest of the strings. Prefix matching A binary might leverage prefix matching to optimize string comparisons - for instance, a prefix tree. The code listing below illustrates an example of such an operation. 1 procedure1(s) 36 2 if |s| < 3: return -1 3 if cmp(s,"te",2) == True: 4 if s[2] == "d": return 0 5 elif s[2] == "n": return 1 6 elsif cmp(s,"ba",2) == True: 7 if cmp(s[2:],"nk",2):return 2 8 elif s[2] == "d": return 3 The proposed approximation would enumerate all the strings, however, if all com- parisonsweredoneinthesameprocedurethefirststringwouldonlybeenumerated. Toaccountforscenarioswhereallcomparisonsaremadeinthesameprocedure, the user can leverage the Controlled Forking Module. For instance, the user can bound forking threshold by two to enumerate string comparisons. Also, the user can increase the threshold depending on the length of shared prefixes between compared keywords. 3.5 Symbolic Memory Address # AV Family SHA256 First Seen (VirusTotal) 1 Mydoom 1022dabb547d5afe11baf4e893f39a80024bacc8dbe2a0407451f1707535a26d 2019-05-10 00:57:30 2 Razy 07a324fd2854421c723a2cb735b4b731e08626389c6533d1bc19a6169d037e6a 2019-09-27 13:57:56 3 Chinbo 8e6479b94debfaff39f16f3a018103c7cd328224da93d5de3919ae662b8e4595 2015-12-02 04:26:00 4 Getnow.a ed5b534ae5b4ed30df7dfeb0405c123100a566edcf1f1e6e7003a7060aa7ef2b 2013-09-20 01:39:21 5 KD e191d84c617d211dfb6159a8668110343927edd778aa63d0c4df440071469e9e 2013-04-06 01:58:27 Table 3.1: Name and hash of some samples used in symbolic memory address discussion. One common scenario a symbolic memory address is formed, is when a binary involves symbolic data in indexing an array or a lookup table as I like to name it. Symbolic memory addresses pose a challenge as the number of possible addresses satisfying the path constraint might be huge, and in some cases, virtually infinite. Binaries utilize lookup tables for multiple purposes, including but not limited to 37 encoding conversion or data format validation. Further, in some instances, com- pilers represent switch statements as lookup tables. Lookup tables differ in the way they associate data, and the purpose they serve. Some tables take a form of one-to-one relationships such that each value is mapped to a unique single value, while others categorize bytes by associating each group of bytes to a value. In some cases, the relationship between the data involved in computing the index and the resulting memory address is not trivial. Some lookup tables serve multiple purposes, and to understand the purpose of usage analyzing instructions utilizing data read from memory is required. Not only lookup tables pose a challenge to white-box approaches, but also human analysts. The standard approach to resolve a symbolic memory address is as follows: the engine asks the constraint solver to calculate a concrete value satisfying the current path’s constraint. The calculated concrete value is used to determine the memory address for the instruction accessing the memory in the executed states, and the current path’s constraint are expanded, such that the expression representing the memory address is equal to the calculated concrete value. The engine then creates another state with expanding the path constraint such that the symbolic memory addressisnotequaltotheconcreteaddressusedinthepreviousstate. Thisprocess is repeated for each created state until there is no feasible solution. The standard approach expands the path constraint such that symbolic vari- ables used in calculating memory addresses fall in the range that guarantees to point to the choose concrete address. This approach is ideal for an application that requires exercising all feasible paths, such as searching for vulnerabilities; however, it creates redundant states and not efficient for enumerating string comparisons. Further, it expand the path constraints such that some symbolic variables become 38 infeasible for further string processing and in some cases the engine lose track of symbolic data propagation - in cases such as byte replacements. 3.5.1 Byte Replacements Key Value 0-0x20 0x20 0x21-0x7f 0x0 1 1F1 movzx ecx,byte [eax] 2 1F4 mov cl,[ecx+0x501520] 3 1FA test cl,cl 4 FC jz 0x200 5 1FE mov [eax],cl 6 200 inc eax 7 201 dec edx 8 202 jnz 0x1f1 Table 3.2: Lookup table and a snippet of code from Mydoom Key 0x0 0x1 0x2 .. 0x80 0x81 0x82 0x82 ... Value 0x0 0x0 0x1 0x0 0x2 0x0 .. 0xac 0x20 0x81 0x0 0x1a 0x20 0x1a 0x20 Key 0x0 0x0 0x1 0x0 0x2 0x0 .. 0x61 0x0 .. 0x80 0x0 0x81 0x0 .... Value 0x0 0x1 0x2 .. 0x61 .. 0x3f 0x81 Table 3.3: Encoding conversion tables Table1 1526 Table2 641 Table1∩ Table2 477 Table 3.4: Encoding conversion statistics Consider a table that is merely used to replace bytes; not only does the stan- dard approach creates unnecessary states, but also the engine loses track of the computations performed over the replacement bytes. Table 3.2, shows a summary of a table used by Mydoom and a snippet of code that uses the table, refer to Table 3.1 for the sample details. The code process the input buffer one byte at a time. Line 1 copies one byte from the buffer to ecx. Line 39 2 in the code snippet copies a value from the table, ecx is holding a symbolic data, to cl. The next instruction checks if cl is not zero, and if so, it replaces the value - which might be symbolic - in the original buffer with a concrete value of 0x20. The purpose of this table is only to normalize control and whitespace characters to one value - a space in this case. After this stage, the binary searches for spaces to delimit the buffer. Using the standard approach of forking on every possible address creates many states where some symbolic variables are missing in the buffer i.e., the buffer contains concrete values mixed with symbolic ones. Further, the path constraint is restricting the range of possible values for the buffer, let alone a large number of states. Table 3.3, shows a summary of two tables that are used to convert between encodings. The top table is used in MultiByteToWideChar, while the one in the bottom is used in WideCharToMultiByte. Those tables are also used in some string comparisons API, such as strcmpi,lstrcmp, CharUpperBuff, and StringCom- pare variants. The standard approach to handle symbolic memory creates a new state for each item in the table for every byte in the buffer, which is prohibitively expensive and hinders scalability. A significant number of malicious binaries call MultiByteToWideChar over the data received from the network - which is replaced with symbolic data - followed by a call to WideCharToMultiByte. Not only does this create a large number of states, but it also loses track of computation on the input. Table 3.4, shows the number of samples in my data-set using one of the tables, or both. Using the standard approach over these two tables is prohibitively expensive and hinders enumerating string comparisons. 40 3.5.2 Configurable Tables Index Bits 7 6 5 4 3 2 1 0 0x0 0x7 0x6 0x5 0x4 0x3 0x2 0x1 0x0 0x1 0xf 0xe 0xd 0xc 0xb 0xa 0x9 0x8 0x2 0x17 0x16 0x15 0x14 0x13 0x12 0x11 0x10 0x3 0x1f 0x1e 0x1d 0x1c 0x1b 0x1a 0x19 0x18 0x4 0x27 0x26 0x25 0x24 0x23 0x22 0x21 0x20 0x5 0x2f 0x2e 0x2d 0x2c 0x2b 0x2a 0x29 0x28 0x6 0x37 0x36 0x35 0x34 0x33 0x32 0x31 0x30 0x7 0x3f 0x3e 0x3d 0x3c 0x3b 0x3a 0x39 0x38 0x8 0x47 0x46 0x45 0x44 0x43 0x42 0x41 0x40 0x9 0x4f 0x4e 0x4d 0x4c 0x4b 0x4a 0x49 0x48 0xa 0x57 0x56 0x55 0x54 0x53 0x52 0x51 0x50 0xb 0x5f 0x5e 0x5d 0x5c 0x5b 0x5a 0x59 0x58 0xc 0x67 0x66 0x65 0x64 0x63 0x62 0x61 0x60 0xd 0x6f 0x6e 0x6d 0x6c 0x6b 0x6a 0x69 0x68 0xe 0x77 0x76 0x75 0x74 0x73 0x72 0x71 0x70 0xf 0x7f 0x7e 0x7d 0x7c 0x7b 0x7a 0x79 0x78 Index Keys Table 3.5: Strtok populated table with values 0-0x7f Binaries leverage lookup tables as a fast way to search for certain values. The desired bytes are placed in specific addresses that a function of those values. The binary checks each byte or group of bytes in the input buffer upon the lookup table to determine if they are one of the desired values. The underlying binary code of strtok, a function used to split string by delim- iters, leverages a lookup table in a non-trivial way.The code snippet in the middle of Table 3.6 processes a list of delimiters and builds a lookup table. esi holds the memory address pointing at the beginning of the delimiter string. Each delimiter is associated with one bit in the value stored in its corresponding location - 0x7 is represented by the most significant bit, i.e., bit 7. Table 3.5 shows the location in the table and bit representing each value from 0x0-0x7f. 41 Index Value 0x0 0x0 0x1 0x2 0x2-0x3 0x0 0x4 0x1 0x5-0xf 0x0 1 1C0 mov dl,[esi] 2 1C2 movzx ecx,dl 3 1C5 mov eax,ecx 4 1C7 and ecx,edx ;;edx=0x7 5 1C9 mov bl,0x1 6 1CB shl bl,cl 7 1CD shr eax,byte 0x3 8 1D0 lea eax,[ebp+eax-0x24] 9 1D4 or [eax],bl 10 1D6 inc esi 11 1D7 test dl,dl 12 1D9 jnz 0x1c0 1 1E8 mov al,[edx] 2 1EA movzx esi,al 3 1ED xor ebx,ebx 4 1EF mov ecx,esi 5 1F1 and ecx,edi ;edi = 0x7 6 1F3 inc ebx 7 1F4 shl ebx,cl 8 1F6 shr esi,byte 0x3 9 1F9 mov cl,[ebp+esi-0x24] 10 1FD test cl,bl 11 1FF jnz 0x245 Table 3.6: Strtok analysis: (left) a summary of a table populated with tab and space, (middle) a code snippet to populate a table, and (right) a code to use the table Group1 HT LF VT FF CR SP , - . 0 1 2 3 4 5 6 7 8 9 ? A B C D E F G H I J K L M N O P Q R S T U V W X Y Z a b c d e f g h i j k l m n o p q r s t u v w x y z Group2 NUL SOH STX ETX EOT ENQ ACK BEL BS SO SI DLE DC1 DC2 DC3 DC4 NAK SYN ETB CAN EM SUB ESC FS GS RS US ! \" # $ % & ’ ( ) * + / : ; < = > @ [ \ ] ^ _ ‘ { | } ∼ 1 1E0 movzx edx,byte [ebp-0x4] 2 1E4 xor eax,eax 3 1E6 mov ecx,edx 4 1E8 inc eax 5 1E9 and ecx,byte +0x7 6 1EC shr edx,byte 0x3 7 1EF shl eax,cl 8 1F1 mov ecx,[ebp-0x8] 9 1F4 test [edx+ecx],al 10 1F7 jz 0x1fc 11 1F9 xor ebx,ebx 12 1FB inc ebx 13 1FC mov eax,[ebp+0x8] 14 1FF mov eax,[eax+0x8] 15 202 and eax,byte +0x1 16 205 cmp ebx,eax 17 207 jnz 0x20d 18 209 xor al,al 19 20B jmp short 0x211 20 20D mov [edi],esi 21 20F mov al,0x1 22 211 pop edi 23 212 pop esi 24 213 pop ebx 25 214 mov esp,ebp 26 216 pop ebp 27 217 ret 0x4 Table 3.7: Table to validate a regular expression. partial lookup table (left) , (right) code snippet of a function uses the table in Razy. The table in the left, see Table 3.6, shows a summary of a table built for space and tab. Only two elements are set to a value, creating a state for every column in the array causes redundancy and expanding the path’s constraint that renders further string processing infeasible. Given that the purpose of this table is to search for tab and space, the ideal solution is to adjust the path constraint such that some variables are evaluated to tab and space, and the rest are not equal to 42 tab and space. Further, choosing a tab or space is sufficient given that the binary immediately delimits the buffer based on one of them. Another variant of the table is found in Razy, shown in Table 3.7. The table is filled in the same way. However, the purpose and underlying binary using the table differ. The table is used in regular expression checking <([A-Za-z0-9,\.\s\?\-]*)?. $([A-Za-z0-9,\.\s\?\-]*)?. Line 9,10 checks if the resulting AND operation is zero, and if not, it does some processing. It classifies bytes into two groups show in the left of Table 3.7. Overwriting 0x1 in table entries or copying the symbolic value to the buffer would cause it to treat the symbolic data as if it belongs group1, and then in further steps, it processes the data. 3.5.3 Formatting Table Table 3.8, is common in windows APIs and is used to validate and categorize bytes. Merely looking at the table does not explain the way it is used - similar to other tables. This table is used to validate if a buffer contains only printable characters, check if a character is a whitespace, or ASCII decimal or hex digits. Even functions that parse ASCII digits use the table multiple times for different purposes. For example, sscanf calls isspace function repeatedly, which uses this table to find whitespaces, and then uses the table again to search for digits. It is also used by other functions that check for spaces, digits, alphnum, islapha isxdig- ith. This is commonly used by malware, and it is used extensively by Windows APIs. Some custom XML parsers leverage the code to validate that key constructs conform to the file’s rule e.g., a tag and attribute starts with a character. Binaries perform a logical AND operation of the character in hand and the corresponding value in the table. Some functions uses TEST , while other uses MOV 43 Value Keys 0x1 0x47 0x48 0x49 0x4a 0x4b 0x4c 0x4d 0x4e 0x4f 0x50 0x51 0x52 0x53 0x54 G H I J K L M N O P Q R S T 0x55 0x56 0x57 0x58 0x59 0x5a U V W X Y Z 0x2 0x67 0x68 0x69 0x6a 0x6b 0x6c 0x6d 0x6e 0x6f 0x70 0x71 0x72 0x73 0x74 g h i j k l m n o p q r s t 0x75 0x76 0x77 0x78 0x79 0x7a u v w x y z 0x10 0x21 0x22 0x23 0x24 0x25 0x26 0x27 0x28 0x29 0x2a 0x2b 0x2c 0x2d 0x2e ! " # $ % & ’ ( ) * + , - . 0x2f 0x3a 0x3b 0x3c 0x3d 0x3e 0x3f 0x40 0x5b 0x5c 0x5d 0x5e 0x5f 0x60 / : ; < = > ? @ [ \ ] ^ _ ‘ 0x7b 0x7c 0x7d 0x7e { | } ∼ 0x20 0x0 0x1 0x2 0x3 0x4 0x5 0x6 0x7 0x8 0xe 0xf 0x10 0x11 0x12 NUL SOH STX ETX EOT ENQ ACK BEL BS SO SI DLE DC1 DC2 0x13 0x14 0x15 0x16 0x17 0x18 0x19 0x1a 0x1b 0x1c 0x1d 0x1e 0x1f 0x7f DC3 DC4 NAK SYN ETB CAN EM SUB ESC FS GS RS US DEL 0x28 0x9 0xa 0xb 0xc 0xd HT LF VT FF CR 0x48 0x20 SP 0x81 0x41 0x42 0x43 0x44 0x45 0x46 A B C D E F 0x82 0x61 0x62 0x63 0x64 0x65 0x66 a b c d e f 0x84 0x30 0x31 0x32 0x33 0x34 0x35 0x36 0x37 0x38 0x39 0 1 2 3 4 5 6 7 8 9 Table 3.8: Formatting table in windows followed by AND. The table is used as follows - where c refers to the character used to index the table: • c∧8 to look for a space. • c∧4 for digits. • c∧107 alphanumeric. • c∧103 alpha. • c∧80 isxdigit. Table 3.9 shows the number of samples; in my data-set that uses the table, the purpose it is used for, and the API using it. The two most interesting usages are 44 Purpose API #Samples ASCII digit parsing msvcr110.strtoul 25 ws2_32.inet_addr 6 msvcrt.atoi 5 ntdll.sscanf 4 ws2_32.bind 1 ws2_32.gethostbyname 1 oleaut32.VarParseNumFromStr 1 oleaut32.VarNumFromParseNum 1 - 5 Text validation/parsing User32.dll.CharLower(A|W) 43 wininet.dll.HttpSendRequest(A|W) 6 msvcrt.dll._snwprintf 5 shell32.dll.ShellExecute(A|W) 3 URLDownloadToFile(A|W) 2 user32.dll.DrawText(A|W) 1 - 3 xml_validation - 2 others - 193 Total 265 Table 3.9: Formatting table statistics looking for ASCII digits. Some malware expects the input to be of hexadecimal digit form to be converted to numbers and then decrypted. For binaries looking for hex or decimal will start searching for 0x 0x, +- 0x, and for decimal, it looks for +- or $ - depending on the used compiler. Forking over all possible values is infeasible and adding unnecessary constraints. This table should serve as a hint to set up constraints for subsequent usages. 3.5.4 Space finding 1 0x3 0x0 0x0 0x0 0x3 0x0 0x0 0x0 .... 0x1 0x0 0x0 0x0 .... 0x2 0 x0 0x0 0x0 .... 45 Value Keys 0x1 0xa 0x2 0xd 0x3 {x|x6=0xa∧x6=0xd} Table 3.10: KD spacing table Another interesting usage of a table is shown in Table 3.10. The table is used to determine the number of bytes to skip between the subsequent search of a delimiter. This binary searches for CRLF to delimit the buffer. Before looking for the delimiter, it checks if the current value is not equal to CRLF and skips three bytes. If the value is LF, it skips 1 byte, and if the value is CR, it skips 2 bytes. This table serves minimal effect in enumerating string comparisons. Forking and setting constraints would generate multiple states with unusable buffer bytes. Table 3.13 a generated command of this particular sample. The table was handled by choosing a concrete address satisfying the path’s constraint and the symbolic expression used to index the table without adding the concrete address to the set of constraints. 3.5.5 Switch Statement Table Compilers transform some switch statements into a lookup table. Table 3.11, illustratesatableusedbygetnow. OneinterestingobservationisthatmostASCII values are mapped to a single value. Each value in the table represents a "case" in the switch statement. The code using the switch statement is movzx eax,byte [eax+0xb0d2f4] ; cmp eax,[esi+0x50]; jmp dword [eax*4+0xb0d2bc] , movzx copies the mapped value of a byte into eax, then eax is used to determine a location in the code by the following jmp statement. Modeling such a table symbolically is challenging, as it would cause the code to jump to random locations. The 46 Value Keys 0x1 " 0x2 , 0x3 - 0 1 2 3 4 5 6 7 8 9 0x4 / 0x5 : 0x6 [ 0x7 ] 0x8 f 0x9 n 0xa t 0xb { 0xc } 0xd SOH STX ETX EOT ENQ ACK BEL BS HT LF VT FF CR SO SI DLE DC1 DC2 DC3 DC4 NAK SYN ETB CAN EM SUB ESC FS GS RS US SP ! # $ % & ’ ( ) * + . ; < = > ? @ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z \ ^ _ ‘ a b c d e g h i j k l m o p q r s u v w x y z | 0xcc ∼ Table 3.11: Table used in switch statement interesting part of this table is that there is no order. The binary looks for any address and jumps to any address without any order. 3.5.6 Tables used in known algorithms Some tables are used by known algorithms as optimization, while others in key scheduling in substitution ciphers. Table A.1 shows S-Boxes obtained from one of the samples used in this document. The table is identical to the one illustrated in [56] Another table that is commonly used is for CRC32 calculation; the table looks like Table 3.2. 1 0x00000000, 0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419, 0x706af48f, 0xe963a535, 0x9e6495a3, 0x0edb8832, .... Listing 3.2: A snippet of a CRC32 table 47 3.5.7 Handling lookup tables In summary, whenever I face a lookup table, I match it with a number of tables inreferenceandprintthetypeoftableiffound. Bytereplacementtables-shownin Table 3.3 - are handled as follows: 1) Ask the solver for a concrete value satisfying the symbolic expression and path constraint and uses that as a memory address without adding branch condition to the path’s constraint. 2) Parse the instruction and extract the symbolic expression used to calculate the index, excluding the base address, and places the expression in the address calculated in the previous step. 3) After the instruction is executed, I rewrite the original value that was in the memory address. The default way I handle other tables is to ask the solver for a concrete value satisfying the symbolic expression with respect to the current path constraint and uses that as a memory address without expanding the path constraint. Also, I allow the user to specifically configure the system to use the approach used for replacement tables for other tables. 3.6 Other Constructs String Normalization Malware often normalizes strings; one common form is to convert letters from one case to another. Those constructs generate many states, and some of them generate states that evaluate variables to zero in case of subtraction in unsigned values. A zero-byte often causes binaries to stop parsing the rest of the input as they are used to mark the end of the string. String normalization constructs might share the same behavior while having a different binary code. 48 1 1F0 cmp ax,byte +0x41 2 1F4 jc 0x1fc 3 1F6 cmp ax,byte +0x5a 4 1FA jna 0x230 5 <.. omitted ..> 6 230 add eax,byte +0x20 7 233 jmp short 0x1fc 8 9 if( buffer[i] >= ’A’ && 10 buffer[i]) <=’Z’) { 11 buffer[i] += 0x20; 12 } 1 151 movzx edx,word [ecx] 2 154 lea eax,[edx-0x41] 3 157 cmp ax,byte +0x19 4 15B lea eax,[edx+0x20] 5 15E jna 0x162 6 160 mov eax,edx 7 162 mov [ecx],ax 8 9 char c = buffer[i] ; 10 if(c-’A’ <= 0x19 && 11 c-’A’>=0) { 12 c = buffer[i] + 0x20; 13 } 14 buffer[i] = c; 1 1F2 cmp al,0x61 2 1F4 jc 0x1fc 3 1F6 cmp al,0x7a 4 1F8 ja 0x1fc 5 1FA sub al,0x20 6 7 if(buffer[i] >= ’a’ 8 && buffer[i] <=’z’) { 9 buffer[i] -= 0x20; 10 } 1 1E8 movzx eax,word [ebx] 2 1EB mov esi,eax 3 1ED add esi,byte -0x61 4 1F0 sub si,byte +0x1a 5 1F4 jnc 0x1fa 6 1F6 xor ax,byte +0x20 7 8 if( buffer[i] >= ’a’ && 9 buffer[i] <=’z’) { 10 buffer[i] -= 0x20; 11 } Table 3.12: Example of case conversion codes A binary might choose to convert upper cases to lower by adding 0x20 or subtracting 0x20 for the other way around. Table 3.12 shows a listing of four nor- malization constructs. Examples in the same row achieve the same functionality. However, the underlying code is different. For instance, the code in the upper left in Table 3.12, convert upper case letters to lower cases, and the code to its right achieves the same functionality but uses different instructions. The code to the left is a straightforward representation of a simple conditional statement, while the other one is less trivial. Such constructs do not often have a progress branch, and 49 both branches are feasible. Forking over those constructs for each byte creates a large number of states, as well as changing the constraint, especially in the case of XOR operations. The way the system handles such a construct is to force the binary to take one branch without adding the constraint. For instance, if the binary executes the code in the upper left, we take the false branch of the statement, to avoid the addition operation, without adding constraints. The system automatically detects nine variants of case conversion code by analyzing the symbolic expression and chooses a branch without adding constraint accordingly. XOR Operation XOR operations used in binaries for mainly two purposes, comparisons and encryption/decryption. I offer an option to bypass the encryption for examplec=λ⊕a, we chooseλ . If I havec=λ 1 ⊕λ 2 , I choose one arbitrary. I also offer an option to print the operands, which can be used to extract XOR keys, as shown in Section 5.2. Setting the constraints I allow the user to set the constraint of the symbolic values, which gives the user the ability to control the parsing constructs, see Table 4.5. For example, the user can place delimiters in certain positions and expand the path constraint such that other bytes do not evaluate to any byte in that delimiter, which will cause the parser to bypass the delimiter processing stage. Highly structured file formats Highly structured file formats such as XML and JSON require special handling. Most XML parsers start by searching for white spaces, followed by tabs, then XML header, followed by looking for DOCTYPE and CDATA tags, it starts searching validating tags and their attributes. Further, some XML parsers use a form of hash comparison to compare tags and their 50 closings. Similarly, JSON starts by searching for white spaces, followed by NULL, true, false, and different types of brackets. I offer a generic way to bypass JSON and XML parser by setting the path constraintsuchthattheinputconformstothefileformatwithoutgeneratingstates in the parser’s code. In the case of XML, I provide an opening and a closing tag with the data between them constrained not to equal bytes used in formatting the file. I also provide a method to mount the same symbolic values in both opening and closing tags to avoid generating complex symbolic expressions produced by tag validation constructs. Stepovers Acomparisonmadeoveravariablethatwasalreadyprocessedand/or constrained not to satisfy the current comparison. The user can configure the sys- tem to record the stepovers during execution. This is useful to resize or reconfigure the constraints of the system. Consider analyzing a binary that fetches content remotely using the proposed system. I provided an input of length 50 and configure the path constraint such that∀x∈S|0<x<80 h , whereSisthesymbolicinput, seeTable3.13. Thebinary processed the buffer searching for CRLF in multiple locations and was classified as a Field Seperator. The engine placed the separator at every 16th byte starting from the beginning of the buffer - from the left. The binary started searching for [version] in multiple fields, and after enabling the Stepovers, I figured the construct searching for the keyword compares the last byte with the NULL byte, i.e., it expected the following values [version]0 h . I reassigned the separator such that the first one appeared in position 9 from the left and was able to generate a command that triggered Internet activity. 51 AV family Remote Point Generated Command Time KD troubleshooting.no-ip.org/ [version]\r\nurl.://.oooooooooo\r\nversion.1.0.1.1:::: 112,114 2081Fix/version.ini Configuration: Machine 1, 30 cores Table 3.13: Example of leveraging stepovers to position separators Stepper mode Removing the constraint after resetting from a construct helps in understanding the behavior of a parser. Consider a binary that searches for three Floating strings in the following order: 1. <|SocketMain|>. 2. <<|. 3. <|CLIP|>. The first 17 bytes of the symbolic buffer would evaluate to <|SocketMain|><<| after processing the first two strings - in one of the generated states. The binary scans the buffer from the left for the third one. The binary considers the last two bytes, which belongs to the second string, as the prefix of the last string and starts processing the third string from there, and the output after processing the three strings would look like <|SocketMain|><<|CLIP|>. Theoutputcontainsoverlappingstrings, anditishardtodistinguishthestrings from it. Overstep enables extracting the three strings, the output of the Stepper mode is as follows. 1 <|SocketMain|> 2 <<| 3 <|CLIP|> There are multiple scenarios where removing the constraints after resetting reveals intriguing behavior. 52 3.7 Evaluation Methodology Data-set The samples evaluated in this document were obtained from two pools of samples, Pool1 and Pool2 as follows: • Pool1: binaries obtained from Malsharebyte[6] and Virustotal[80] reposito- ries in October 2017. • Pool2: binaries obtained from Virustotal, where all samples were captured in the middle of 2019. I have selected 2893 random samples and run them in a sandboxed environment and recorded network communication. I have analyzed samples from the set based on communication end-points and char- acteristics. The selection method will be explained when presenting results in later chapters. Throughout the document, I will use the above names to describe sample datasets. Family name It is not uncommon that a single sample is labeled differently by engines. I determine the family name of a malicious sample by applying the follow- ingsteps. Iretrieveall labelsassignedby88Anti-virusenginesfromVirustotal[80]. I remove unnecessary keywords from a label such as Win32 and Trojan. I perform a pairwise comparison between labels and calculate a similarity ratio based on the longest contiguous matching subsequence that contains no "junk" elements imple- mented in difflib[4]. I merge labels if the similarity ratio is>0.75 and assign them a new label - the longest common substring - and increase the weight of the label by 2. Finally, I choose the label with the highest weight as a label. I use the same approach over labels assigned to sample to group them into families. I am aware of the limitations of the labels assigned by Anti-Virus engines, but I try to follow the best practices proposed in [73]. 53 3.7.1 Experiment Machines & Configuration There are two set of machines used to evaluate the system. The specifications of the machines are as follows: 1. Machine1isa32-coreAMDRyzenThreadripper1950xwith64GB,running Ubuntu 16.04.6 LTS. 2. Machine 2 is a 48-core Intel Xeon E5-2651 V2 1.80GHz. Throughout the document, I will use the above names to describe the machine used. Experiments are assigned a subset of the cores in the machines for the symbolic engine, and multiple experiments are often run in parallel. For every experiment, an Impersonator VM is instantiated - see Section 4.1 and is assigned one core. Samples are run in Windows 7 64-bit machine configured with 2GB of RAM. Learning states are configured to terminate after 10 seconds, while normal states after 60 seconds. Some binaries perform CPU intensive operations, and I have to slow down the virtual clock to avoid receiving interrupts frequently and hinder progress [10]. States are terminated if the process executed symbolically exists or crashes. Therefore, some states might run slightly more than the allotted time. String Finder is configured to create a progress state after 10 iterations - totaling in 3 states. Separator Finder is handled as follows: the driver forks two states, one where the separator is assigned at every 16 bytes, and the other state does not have a separator present. Experiments are configured as described above unless otherwise specified. 54 3.7.2 Result Representation For each experiment, I report a pair of time values separated by a comma - the average time elapsed from launching the sample followed by the average time from symbolic variable injection to termination separated by a comma. I also report a pair of the number of states separated by a comma -the average number of normal states followed by the total number of states, including the learning ones. I superscript a Floating String with the letter F, and Field Separator with the letter S, followed by a number that shows the order of which the string is processed relative to other string in the generated output. I use the notations in Table 4.5 to describe the path constraints. The above representation is used throughout the document unless otherwise specified. 3.8 Microbenchmark This section presents an evaluation of the proposed approach and three differ- ent search heuristics against multiple string comparison scenarios. The goal is to demonstrate the effectiveness of the proposed approach in reducing the number of paths necessary to enumerate string comparisons. I also show that the number of feasible execution paths in string parsing constructs is large and, in some instances, is intractable. The effectiveness of a heuristic depends on the code under analysis. However, prioritizing states is not sufficient, and eliminating paths is required. The test cases used in the evaluation are inspired by real malware and per- formed in a controlled experimental setting. I decided to use a controlled experi- ment as malware behavior is not always deterministic, and they might not termi- nate indefinitely. The test cases perform relatively simple string processing, and the memory and CPU usage is minimal - even simple test cases cripple symbolic 55 execution engines. I use three different search heuristics, namely, Breadth-First- Search (BFS), Depth-First-Search (DFS), Non-Uniform Random Search (NURS). BFS and DFS traverse states in breadth and depth-first order, respectively. NURS select states randomly according to a given weight - each state is assigned a weight of 2 depth . Configuration All reported experiments in this section were performed on a single core of Machine 1.Each state runs until the test case terminates, and an experiment is terminated if the memory usage exceeds 32GB of RAM. A symbolic array of length 50 bytes is used in the evaluation - unless otherwise specified. The path constraint is configured for all experiments such that∀x∈ S|0 < x < 80 h , where S is the symbolic input. INF refers to the proposed approach, and the forker state is configured to fork every 10 iterations. Each experiment using NURS was run four times, and the average is reported. Result Representation For each completed path, I report the time elapsed from the symbolic value injection and the number of states terminated in pairs - separated by a comma. I report the measurements for the first coverage of a named path. For the proposed approach, I ignore paths covered in learning states, and I report the second coverage instead. I also report the following information: • All paths: is the minimum measurements that covered all paths. • Max Mem: is the maximum memory used by an experiment is reported as the percentage of increase from the baseline, which is 5.07GB. The memory usage is recorded every second. • Term. States: is the number of states terminated upon experiment com- pletion, or forced termination (in case of exceeding memory cap). 56 • Term. Time: is the time elapsed upon experiment completion, or forced termination (in case of exceeding memory cap). • Cov. %: is the percentage of paths covered upon experiment completion, or forced termination (in case of exceeding memory cap). Paths that entails successful enumeration of a complete string are annotated with the corresponding string. 3.8.1 Category1 Keyword comparisons is the least challenging problem for symbolic exe- cution engines. However, some functions use lookup tables and normalization such as case-conversion that produce a prohibitively large number of states. 1 2 if( s == "keyword1") { 3 //keyword1 path 4 } 5 else if(s == "1drowyek") { 6 //keyword2 path 7 } else { 8 //other path 9 } Listing 3.3: Microbenchmark Category1 Listing 3.3 shows a code that compares the input with two different keywords, each composed of 8 characters. There are three different paths named "keyword1", "keyword2" and "other". I created five different variations of test cases as follows: • CAT1_T1: uses strncmp exported from msvcrt.dll to compare the keywords. 57 • CAT1_T2 uses lstrcmp exported from kernel32.dll. • CAT1_T3 uses lstrcmpi exported from kernel32.dll. • CAT1_T4: converts the input string to Unicode using MultiByte- ToWideChar from kernel32.dll then uses wcsncmp from msvcrt.dll. • CAT1_T5: uses _lstrcmpi from mscvert.dll that performs case-insensitive comparisonsusingstringnormalizationconstructsasdescribedinsection3.6. Path BFS DFS NURS INF keyword1 (3, 4),(-,-),(-,-),(-,-) (5, 8),(-,-),(-,-),(-,-) (2.75, 5.25),(-,-),(-,-),(-,-) (3, 3),(2, 3),(3, 3),(3, 3) keyword2 (4, 8),(-,-),(-,-),(-,-) (5, 9),(-,-),(-,-),(-,-) (3.5, 9.0),(-,-),(-,-),(-,-) (3, 4),(2, 4),(3, 4),(4, 4) other (3, 1),(2, 1),(3, 1),(-,-) (3, 1),(2, 1),(2, 1),(2, 1) (1.5, 1.0),(1.5, 1.0),(1.5, 1.0),(3.5, 1.0) (3, 5),(2, 5),(3, 5),(4, 5) Term. States 17,2196,5478,- 17,17307,11205,1014 17.0,6286.5,4511.75,152.5 5,5,5,5 Term. Time 9,1769,1343,273 10,2545,2851,286 9.0,1271.75,1111.0,241.0 6,6,6,7 Max Mem 20.98 %,501.20 %,501.36 %,501.37 % 20.98 %,501.38 %,501.32 %,501.19 % 20.98 %,501.13 %,501.28 %,500.70 % 19.73 %,19.73 %,19.73 %,20.96 % All Paths (4, 8),(-,-),(-,-),(-,-) (5, 9),(-,-),(-,-),(-,-) (3.5, 9.0),(-,-),(-,-),(-,-) (3, 5),(2, 5),(3, 5),(4, 5) Table 3.14: Category1: Two sequential keyword comparisons. Results are shown in the order of CAT1_T1, CAT1_T2, CAT1_T3, and CAT1_T4. Table 3.14 shows the results of running the four categories against four search heuristics. CAT1_T1producedatotalof17paths,andallexperimentsterminated. However, the rest generated a large number of states and were intractable for searching heuristics. All failed to cover even a single path. The reason behind a large number of states is the usage of lookup tables - all used the replacement table illustrated in Table 3.3. CAT1_T2 used another lookup table as well that was handled by the default approach - see subsection 3.5.7. INF covered all paths in the same number of states - 2 learning and 3 normal states ( one for each path). The percentage of reduced paths is 70.6% for CAT1_T1, and it unknown for other categories as the number of feasible paths is hard to calculate. Table 3.15 shows the result of running CAT1_T1 and CAT1_T5 over 60 key- words. The keywords were generated from one malware variant discussed in sec- tion 6.2.3 and shown below: 58 Path BFS DFS PDF INF Cov. % 85.25%,4.92% 100.00%,24.59% 84.84%,26.64% 100.00%,100.00% Term. States 95,195 594,3418 448.25,429.0 63,63 Term. Time 2849,2708 253,4370 2990.5,2450.25 30,31 Max Mem. 501.37 %,501.37 % 82.03 %,501.37 % 501.25 %,501.27 % 28.61 %,23.52 % Table 3.15: Category1: 60 sequential keyword comparisons. Results are shown in the order of CAT1_T1, and CAT1_T5. 1 cfp.exe,360tray.exe,qqpcwebshield.exe,qqpcrtp.exe,avgnt.exe, avcenter.exe,egui.exe,ekrn.exe,rstray.exe,ravmond.exe,avp. exe,msmpeng.exe,zhudongfangyu.exe,ccsvchst.exe,bdagent.exe, kvmonxp.exe,kvsrvxp.exe,uiseagnt.exe,coreframeworkhost.e, coreserviceshell.ex,uiwatchdog.exe,mcshield.exe,360sd.exe, baidusd.exe,baidusdsvc.exe,baidusdtray.exe,baiduantray.exe, baiduan.exe,baiduansvc.exe,avastsvc.exe,avastui.exe,avgui. exe,avgwdsvc.exe,360rp.exe,avgidsagent.exe,mpmon.exe,mpsvc. exe,dwarkdaemon.exe,dwengine.exe,dwservice.exe,clamtray.exe, clamwin.exe,avkservice.exe,avktray.exe,ksafetray.exe,fsm32. exe,fsma32.exe,fsorsp.exe,twssrv.exe,twister.exe,dgservice. exe,drivergenius.exe,dtlservice.exe,drivethelife.exe, pcmaster.exe,ksafesvc.exe,winguard.exe,kxescore.exe,kxetray. exe,qqpctray.exe The only heuristic - besides the proposed approach - that enumerated the complete set of strings with relatively small memory usage is DFS. However, DFS and all heuristics achieved a low coverage on a function using normalization constructs. INF achieved full coverage, and the number of generated states was 63 - 2 learning and 61 normal states. The reduction rate of paths for the CAT_T1 is 90%, and for CAT_T5 is at least 98% since the total number of paths is unknown. Although DFS successfully enumerated the set of strings for CAT_T1, the running time is 743% more than INF. 59 3.8.2 Category2 String sub-matching poses a challenge to symbolic execution engines as the number of feasible paths is large and intractable. In order for a binary to exit searching constructs, it has to exhaust all the buffer, let alone to enumerate the complete substring. 1 char *p = findstr(s,"INSERTED"); 2 if( p != NULL) { 3 //INSERTED path 4 } else { 5 //other path 6 } Listing 3.4: Microbenchmark Category2 The code in Listing 3.4, shows a code that searches for one substring in the buffer. I created two variations of the code shown in the listing as follows: • CAT2_T1: uses strstr from msvcrt.dll. • CAT2_T2: uses strstr from ntdll.dll The top part of Table 3.16 shows the measurements of running CAT2_T1 and CAT2_T2 over the substring INSERTED. NURS enumerated the substring in all runs for CAT2_T1 and only three out of the four runs for CAT2_T2; however, the memory usage exceeded the 32GB cap in all runs. An interesting observa- tion is that heuristics perform differently over two binary codes that share the same semantic. For instance, NURS performed slightly better on CAT2_T1 than CAT2_T2. INF enumerated all the strings in 5 states (see Term. States - 2 60 Path BFS DFS NURS INF One substring INSERTED (-,-),(-,-) (-,-),(-,-) (25.5, 8.0),(89.75, 18.25) (2, 3),(3, 3) other (-,-),(-,-) (2, 1),(3, 1) (5.75, 1.0),(5.25, 1.0) (3, 4),(3, 4) Term. States - 415,409 66.5,66.0 5,5 Term. Time 341,403 256,273 214.0,271.5 6,7 Max Mem 500.22 %,501.03 % 501.40 %,501.18 % 500.12 %,478.58 % 19.74 %,19.72 % All Paths (-,-),(-,-) (-,-),(-,-) (25.5, 8.0),(89.75, 18.25) (3, 4),(3, 4) Total coverage -,- 50.00%,50.00% 100.00%,87.50% 100.00%,100.00% INS (6, 1),(4, 1) (116, 198),(116, 198) (2.75, 1.0),(2.5, 1.0) (3, 3),(3, 3) other (-,-),(-,-) (2, 1),(2, 1) (4.75, 2.5),(5.25, 2.25) (3, 4),(3, 4) Term. States 133,110 417,416 168.5,187.5 5,5 Term. Time 417,357 257,252 226.25,259.0 7,7 Max Mem 501.20 %,501.07 % 501.15 %,500.31 % 501.00 %,500.91 % 19.95 %,19.73 % All Paths (-,-),(-,-) (116, 198),(116, 198) (4.75, 2.5),(5.25, 2.25) (3, 4),(3, 4) Three substrings Buffer of 20 bytes Virus (65, 1),(-,-) (706, 1453),(-,-) (8.25, 4.5),(9.0, 4.5) (3, 3),(2, 3) Malware (-,-),(-,-) (-,-),(-,-) (-,-),(-,-) (3, 4),(2, 4) Sandbox (-,-),(-,-) (-,-),(-,-) (-,-),(-,-) (3, 6),(3, 6) other (-,-),(-,-) (2, 1),(2, 1) (2.5, 1.0),(3.5, 1.0) (3, 7),(3, 7) Term. States 8,- 1699,1679 177.0,162.75 9,9 Term. Time 352,354 836,855 289.25,287.0 7,6 Max Mem 501.08 %,501.13 % 501.11 %,501.01 % 500.90 %,500.64 % 21.30 %,19.71 % All Paths (-,-),(-,-) (-,-),(-,-) (-,-),(-,-) (3, 7),(3, 7) Buffer of 50 bytes Virus (40, 1),(339, 1) (-,-),(-,-) (12.75, 1.75),(15.0, 2.25) (5, 3),(5, 3) other (-,-),(-,-) (3, 1),(3, 1) (9.25, 1.25),(9.25, 1.0) (7, 7),(6, 8) Malware (-,-),(-,-) (-,-),(-,-) (-,-),(-,-) (6, 4),(5, 4) Sandbox (-,-),(-,-) (-,-),(-,-) (-,-),(-,-) (6, 6),(6, 5) Term. States 6,1 409,409 52.0,42.75 9,9 Term. Time 314,451 755,787 270.0,269.75 10,10 Max Mem 500.22 %,501.33 % 501.40 %,500.90 % 500.80 %,500.17 % 20.95 %,19.72 % All Paths (-,-),(-,-) (-,-),(-,-) (-,-),(-,-) (7, 7),(6, 8) Table 3.16: Category2 : Results are shown in the order of CAT2_T1, and CAT2_T2 learning and 3 normal states (one from the forker) - and terminated. The reduc- tion in running time compared to NURS is 97.19%. In general, the percentage of reduced paths is 99.99%. The number of paths for a string finder is determined by the size of the buffer and the length of the floating string. The second quarter of Table 3.16 shows the effect of reducing the size of the substring. BFS was able to enumerate the substring; however, it was stuck in the construct and never moved to other path. 61 Similar to the previous experiment, all heuristics exceeded the memory limit and never terminated. The number of paths for a single substring is prohibitively large for searching heuristics. Such construct cripples symbolic execution engines, and that is evident whenaddingmoresubstrings. ThelowerhalfofTable3.16showsthemeasurements of adding two more substrings - all heuristics failed to reach the paths processing the second or third substring. INF produced only 9 states and enumerated the completesetofstrings. Thesamepatternof NURSdifferentperformanceoverthe two functions. It performed better over msvcrt.dll implementation than ntdll.dll one. The size of the buffer affects the performance as well. Decreasing the buffer decreased the running time - illustrated in the lower half of Table 3.16 3.8.3 Category3 The code in Listing 3.5 is a simplified version of a malware scraping the web to extract a token situated between two substrings. The code searches for two substringsandprocessesthedatain-between, whichcreatesanadditionalchallenge for heuristics as several forks are required between the two substrings to create a space for a token. 62 1 char *p = findstr(s,"time("); 2 if( p != NULL) { 3 p += strlen("time("); 4 char *to = findstr(p,");"); 5 if(to-from > 2 ) { 6 //Token path 7 } else { 8 //Partial path 9 } 10 } else { 11 //other path 12 } Listing 3.5: Microbenchmark Category3 I created two different variations of testcases: • CAT3_T1: uses strstr from msvcrt.dll. • CAT3_T2: uses strstr from ntdll.dll Path BFS DFS NURS INF partial (350, 1),(-,-) (-,-),(-,-) (27.0, 7.75),(27.75, 8.25) (3, 3),(3, 3) token (-,-),(-,-) (-,-),(-,-) (94.25, 29.25),(88.5, 30.25) (4, 8),(3, 7) other (-,-),(-,-) (2, 1),(3, 1) (6.0, 1.25),(5.75, 1.0) (3, 4),(3, 4) Term. States 1,- 413,415 70.5,74.5 9,9 Term. Time 371,352 256,258 231.0,224.5 7,7 Max Mem. 501.17 %,501.20 % 500.18 %,500.16 % 466.94 %,500.98 % 19.74 %,19.73 % All Paths (-,-),(-,-) (-,-),(-,-) (94.25, 29.25),(88.5, 30.25) (4, 8),(3, 7) Table 3.17: Category3 : Results are shown in the order of CAT3_T1, and CAT3_T2 Table 3.17 shows the measurements of running the code over the searching heuristics. NURS was able to cover all paths in the majority of the runs; however, the required memory was relatively large. INF was able to cover all paths in 63 9 states only and terminated. The reduction in running relative to NURS is 97%. The same pattern of NURS different performance over the two functions is observed in this test case. 3.8.4 Category4 This section evaluates the effectiveness of the proposed approach on code pro- cessingstringinmultiple-phases. Listing3.6showsacodeinspiredbytworemotely accessed trojans (RATs). The first test case - CAT4_1 - starts by searching for a delimiter - %%%EnD%%% - as floating string followed by searching for 32 com- mands to the left of the keywords. I created another test case - CAT4_2 - that precedes the delimiter searching phase with searching for two floating strings, namely, MOTD and 376. 64 1 char *[]cmd = {"!d","!die","!dl","!h","!http.inj","!http.int","! http.set","!j","!l","!logins","!m","!mdns","!mod","!msn.int","! msn.set","!p","!r","!rc","!rm","!rs0","!rs1","!s","!slow","! speed","!ssyn","!stats","!stop","!udp","!up","!us","!v","!vs", NULL}; 2 char *p = findstr(s,"%%%EnD%%%"); 3 if( p != NULL) { 4 for(int i=0;cmd[i] != NULL;i++) { 5 if(s == cmd[i] ) { 6 //cmd_i path 7 } 8 } 9 } else { 10 //other path 11 } Listing 3.6: Microbenchmark Category4 Path BFS DFS NURS INF Cov. % 0.00% 2.94% 2.94% 100.00% Term. States - 1108 126.5 39 Term. Time 493 441 352.5 16 Max Mem. 501.17 % 500.63 % 500.97 % 20.99 % All Paths (-,-) (-,-) (-,-) (12, 38) Cov. % 2.78% 2.78% 5.56% 100.00% Term. States 7 409 62.25 43 Term. Time 341 794 279.5 18 Max Mem. 501.37 % 501.06 % 500.65 % 21.00 % All Paths (-,-) (-,-) (-,-) (15, 42) Table 3.18: Category4 : Results are shown in the order of CAT4_T1, and CAT4_T2 Table3.18showstheresultsofrunningthetestcasessymbolically. Mostheuris- tics consumed the whole allocated memory and failed to enumerate a single string. 65 Some heuristics were able to reach the other branch. NURS was able to enu- merate the first string in CAT_T2 - shown at the bottom of the table - namely MOTD. 3.8.5 Summary Search heuristics performance depends on the code under analysis, some of the simple strategies such as DFS perform better than other heuristics in sequen- tial keyword comparisons. However, string normalization constructs increase the number of feasible paths and limit the scalability for DFS and other searching heuristics. The usage of lookup tables rendered all searching heuristics infeasible due to a large number of paths, and lose of symbolic propagation. While one might devise a search heuristic that succeeded in prioritizing promis- ing states that reveal strings, the number of feasible paths is extensive. It requires a significant amount of memory to handle. String parsing is often a multi-phase process. A simple program that searches for a delimiter before processing text generates a large number of states that are intractable for symbolic engines in commodity PCs. Most of the generated states are redundant, and a pruning strat- egy is needed. In order to prune redundant paths, a knowledge of the construct is required. The proposed approach leverage the observed behavior in progress and non-progress learning states to prune paths. The number of paths necessary to enumerate string comparisons is exacerbated in real malware as they consume relatively larger memory and perform other operations in parallel. For instance, a malware launches another thread that encrypts the hard-drive. The proposed approach performance is consistent over parsing constructs, and the number of generated states is linear to the number of enumerated strings. The number of states required for sequential keyword comparisons is equal to the 66 number of strings plus one excluding the learning states. The number of states required for floating strings is equal to the number of strings multiplied by two plus one states. 3.9 Summary String parsing constructs generate a prohibitively large number of states when executed symbolically because the number of feasible paths in parsing construct is large. However, only a few of those paths are necessary to generate string comparisons. Identifying and following the progress branch prunes a large number of unnecessary paths. Also, understanding the behavior of the parsing constructs enable reducing the number of states by carefully manipulating the constraint system. Other parsing constructs contribute to path explosions. Some of those con- structs do not have a progress branch. Forking over those constructs creates many states, and restricting the constraint set of the executing state. In some cases, choosing one branch without adding constraints enables string comparisons without creating additional states. Other cases require manual handling by con- figuring the constraint system. Some problems remain challenging, and further research is required to find solutions such as lookup tables for switch statements. 67 Chapter 4 Implementation This chapter describes the prototype of the concept presented in the thesis. All experiments in this document are performed using the implementation and setup described below. The system is composed of two virtual machines, the Inspector and the Impersonator - illustrated in Figure 4.1. A sample is executed, instrumented, and monitored in one Virtual Machine - Inspector, while the other one acts as an Internet simulator - Impersonator. All traffic from the Inspector is forwarded in Layer 2 granularity to the Impersonator. Through this chapter, the terms strstr refers to String Finder and keyword refers to Comparator. Figure 4.1: System Architecture 68 Parameter Type Default Description verbose-xor boolean false Print XOR operation operands. bypass-xor boolean false Bypass XOR operation, choose one symbolic operand. print-interrupt boolean false Print hw/sw interrupt ID. increase-slowdown boolean true Increase clock slow-down exponentially when timing interrupt is received. reduce-symaddress-fork boolean false Reduce the number of states generated from symbolic memory by selecting the unique mapped values. Table 4.1: General system parameters 4.1 The Impersonator The Impersonator emulates standard Internet services as well as acting as a DHCP for connected VMs. The emulating services are DNS, HTTP/HTTPs, IRC, and NTP. The VM runs a Linux in QEMU[20] in KVM mode utilizing VT- x technology. A modified version of INetSim [46] runs in the VM. All traffic flows are forwarded to the Impersonator that generates responses, which happens transparently as far as the sender concerns. TheImpersonatorresolvesaDNSaddressmappingrecordquerytoIPaddresses formed the MD5 hash of the name to be resolved - the generated IPs are valid routable IPv4. It also acts as a trusted root certificate authority, where all other interacting VMs regards the Impersonator as a trusted root authority - the certifi- cateisinstalledinallVMs. ForeachTLS/SSLconnection, acertificateisgenerated for each host-name, which is extracted from the SNI record, and signed with the root’s private keys. The machine is configured to transparently handles connectiv- ity tests conducted by Browsers and Microsoft Windows, e.g., dns.msftncsi.com. 69 4.2 The Inspector The Inspector -a whole-system emulator running Windows7 x86_64 version - executes, instruments, and monitors malicious samples. I favor a whole-system emulator over its process-based counterparts for two reasons. First, it is more transparent to malware. It allows instrumenting and monitoring malware from outside the VM and OS. Second, multiple malware variants instantiate or inject malicious code in other processes. I build the system on top of S2E[34], which is based on QEMU[20] and KLEE[30]. I forked from S2E in December 2017, and the source code is available at https://anonymous.4open.science/r/2963d9ee-d554-439c-bd2d-fa8bb665860b/. Apart from some changes to the core of S2E, the prototype is composed of three main components: CFGSearcher, ApiIntercept, and StackTracer. CFGSearcher implements the core idea of the thesis, CFG prefixes the name due to a historical reason. WhenIstartedimplementing,theprimarymethodforresettingaconstruct was based on loop analysis on partial control graphs. The prototype exports a myriad of configuration parameters; in what follows, I will explain the components and the parameters they expose. The main system exports five parameters - shown in Table 4.1 - and they are independent of the other system component. XOR Operations Two of the exported parameters are related to XOR oper- ations. One parameter enables printing XOR operands, while the other one allows bypassing the operation by ignoring the operation and assigning a symbolic operand arbitrarily -if applicable -to the destination. Mostencryption/decryption operations composed of one symbolic and one concrete operand. 70 Printing interrupt Virtual machines as their physical counterparts receive interrupts from different sources and for various reasons. Print-interrupt enables printing the identifier of an interrupt. The "physical" clock sends a periodic inter- rupt to the CPU, and this is of interest because symbolic execution is expensive and slows down the performance. Receiving such interrupts will hinder progress. Increase-slowdownincreasetheintervalsoftiminginterruptsbythevirtualclock exponentially. Symbolic memory forking The number of feasible concrete addresses satisfy- ing the path constraint for a memory address that involves symbolic expression is often prohibitively large. reduce-symaddress-fork creates a single state for each unique value in the range of feasible concrete memory addresses satisfying the path constraints. For instance, if three concrete addresses satisfying the sym- bolic expression points to a location holding 0xd,0xa,0xd, respectively. The engine creates two states, one for the first and third locations. 4.2.1 ApiIntercept Parameter Type Default Description Logging and Tracing monitorIndirectJumps boolean false Monitor indirect jump instructions. monitorDirectJumps boolean false Monitor direct jump instructions. monitorReturn boolean false Monitor return instructions. monitorExtLibrary boolean false Trace non-system libraries. apispecs string N/A API description file. traceAllApi boolean false Print input/output of all API calls. traceList list N/A Print input/output of APIs specified in the list 71 dosend boolean false Print all data sent by a state upon termination. dorecv boolean false Print all data received by a state upon termination. ignorecreateprocess boolean false Ignore processes launched by sample. sleepAdjust int -1 Override sleep time, -1 for not adjust- ing. verbose boolean false Increase verbosity of logging. ip_filter string "68." Trace if an IP matching ip_filter is con- tacted. net_filter string "" Trace if a packet matches net_filter. ignorealloc boolean false Ignore memory allocated after tracing. nosymboliclog boolean false Stop logging after sym. injection. dodotnet boolean false Ignore first layer of APIs for dotnet binaries allsyscall boolean false Trace all "system calls". tidonly boolean false Only trace threads with sym. data. Symbolic injection net_length int 300 Size of the sym. buffer. net_profile int 0 Constraint profile , see Table 4.5. injectList list N/A Inject sym data in API output, specified in the list, see Table 4.4. ApiName list "" Inject sym. data if output matches any of the list. ignoreFunctions list of strings N/A Ignore forking when executing an API in the list. modelFunctions list N/A Override a function with sym. model, see Table 4.3. ignoreheader boolean true Ignore HTTP header when injecting. 72 constraints list N/A List of constraints, serves as UserInput in Table 4.5. onlyx boolean false Inject sym. data on marked bytes only. injectall boolean false Reinject sym. data if the API is called again. doxml boolean false Mount same sym. data in XML opening/closing tags. Termination timeout int <seconds> 0 Terminate all states after <seconds> elapsed from tracing (0: do not termi- nate) terminateOnExit boolean false Terminate a sym. state on exit API/system. werfaultterminate boolean true Terminate on werfault.exe launching. terminalList list N/A Terminate sym. state on API call. terminateonnet boolean false Terminate sym. state on internet activ- ity. Table 4.2: ApiIntercept parameters - sym. is an abbreviation of symbolic strcmp lstrcmp strncmp strtok(1|2) strstr strchr strcpy strncpy strlen lstrlen Table 4.3: Functions modeled symbolically. Two models of strtok, one of them is mere emulation (not modeled symbolically) This component is responsible for logging the API calls made by a malicious sample. APIcallsarenecessarytofindtheinjectionpoint, understandthebehavior of a sample, and detect various behavior that is necessary to terminate states. 73 Network gethostbyname getaddrinfo getnameinfo HttpQueryInfo(A|W) recv recvfrom WinHttpReadData WSARecv InternetReadFile GetPrivateProfileString(A|W) File Manipulation ReadFile FindFirstUrlCacheEntry(A|W) FindNextFile(A|W) FindNextUrlCacheEntry(A|W) System information GetCommandLine(A|W) GetComputerName(A|W) GetCurrentDirectory(A|W) GetModuleFileName(A|W) GetUserName(A|W) GetWindowText(A|W) Module32First(W) Module32Next(W) Process32First(W) Process32Next(W) QueryFullProcessImageName(A|W) Table 4.4: Injection point as APIs Symbol Meaning Symbol Meaning A {x|x∈Z,0 h <x} W {9 h ,a h ,d h ,20 h } B {x|x∈Z,x<80 h } L {x|∈Z, a ≥x≤ z} C {x|x∈Z,0 h <x<80 h } U {x|x∈Z, A ≥x≤ Z} I <Userinput> i i∈I Profile# Constraints Profile# Constraints 0 {x∈Z|0 h ≤x} 22 { [, ]} 1 A 23 {x∈Z| 0 ≤x≤ 9} 2 B 24 A\{W∪{ -}} 3 C 25 C\{x∈Z|8 h ≤x≤1f h } 4 B\{20 h } 26 {x∈Z|1f h <x<80 h } 5 C\{20 h } 27 C\{ *} 6 C\W 28 C\L 7 C\U 29 C\U 8 U 30 C\{L∪W} 9 L 31 C\{U∪W} 10 A\{ ,} 32 C\I 11 A\{ [, ], <, >, !, ?, /} 33 I 12 A\{ [, ], !, ?} 34 N/A 13 C\{W∪{ :}} 35 {x∈Z|40 h <x<80 h } 14 C\{W∪{ C, S, :}} 36 A\I 15 A\{ [, ], {, }, :, ", /} 37 B\I 16 C\{ +, -, x, X, 0} 38 {x∈Z|0 h ≤x}\I 17 {x∈Z|0 h ≤x}\{ ;} 39 L∪U 18 {x∈Z|0 h ≤x}\{ w} 40 C∩{x∈Z|i<x} 19 A\{ [, ], {, }, (, ), :, ", /, ;,a h ,20 h ,27 h } 41 C∩{x∈Z|x<i} 20 { 2, 4,\} 42 N/A 21 C\{ {, }, (, ), ;, /,9 h ,a h ,d h ,20 h ,27 h } 43 {x∈Z|min(I)<x<max(I)} Hex values are suffixed with h , and printable characters are enclosed in a square Table 4.5: Constraint parameter: symbol definition (top), profile number and range of values representing system constraint (bottom) 74 A binary uses instructions such as calls or indirect jumps to invoke a function residing in a dynamically linked library. Some malicious samples use instructions designed to return from a procedure to confuse logging by placing the address of the procedure in the stack, causing the binary to jump to the desired address. The user can enable monitorReturn to log APIs invoked by return instructions. Further, the malware uses other techniques to obfuscate the calls, such as jumping into the middle of the function. A summary of the plugin configuration parameters is shown in Table 4.2. The parameters are grouped into four categories describing their general purpose. Logging The plugin logs all the API calls made by the process of executing symbolically. I parsed the MSDN website and extracted the signature of 12823 APIs; the apispec parameter specifies the path of such a file. Listing 4.1 shows the format of API description comprehended by the plugin, and listing 4.2, shows two examples of API descriptions. <callconv> ::= "_stdcall" | "_cdecl" | "fastcall" <access> ::= "_In_" | "_Out_" | "_Out_opt_" | "_Inout_opt_" | "_In_opt" <param> ::= <access> <datatype> <params> ::= <param> | <param> "," <params> <api> :: =<returnvalue> <callconf> <library>"."<Apiname>(<params>) Listing 4.1: Format of apispec file 1 BOOL WINAPI kernel32.ReadFile(_In_ HANDLE hFile,_Out_ LPVOID lpBuffer, _In_ DWORD nNumberOfBytesToRead,_Out_opt_ LPDWORD lpNumberOfBytesRead, _Inout_opt_ LPOVERLAPPED lpOverlapped) 2 BOOL None wininet.InternetReadFile(_In_ HINTERNET hFile,_Out_ LPVOID lpBuffer,_In_ DWORD dwNumberOfBytesToRead,_Out_ LPDWORD lpdwNumberOfBytesRead) Listing 4.2: Examples of API description in apispec There are two levels of verbosity of logging. The default is to print the name of the library and the API. The more verbose level is to print the API parameters. 75 the user can specify to print parameters for all APIs - traceAllApi, or a specific list of APIs specified in traceList. Malware does not often start Internet communication until some time has passed. Some variants do delay communication intentionally to evade analy- sis, while others’ functionality requires performing time-intensive operations. For instance, ransomware enumerates files stored in the hard drive, and other binaries inject code in system processes. Therefore, I delay watching API calls and the stack until the desired communication is initiated. The user can specify network activity of interest, after which the system starts tracing the process initiating the communication. All communication the network device driver through NtDeviceIoControlFile system call is traced by instrument- ing syscall machine instruction. Once the binary contacts a network point that matchesip_filter, or send data over the network matchingnet_filter, the plugin determines the process ID of the process involved and analyzes the VAD tree of the process to extract all memory location allocated and the loaded module and starts tracing all API calls. Symbolic injection The plugin supports several functions to inject symbolic data in their output; the list is shown in Table 4.4. The user can specify the API names to injected in injectList. In some cases, the same function is called multiple times; the user can specify the call instance to be injected by providing a substring of the instance’s output. For instance, a recv API might be called multiple times for different network flows. WheninjectingsymbolicdatainanAPIthatreceivesinputfromthenetwork, if the data is X, the symbolic value replaced with a symbolic value with a constraint specified by net_profile - see Table 4.5 for the list of profiles. If the value is not 76 X, then the value is constrained with the value of that byte. The user can instruct the component to skip bytes with values other than X by enabling onlyx option. The plugin provides a flexible way of setting the constraints. There is a list of constraints that the user can specify. For instance Profile# 3, where the data is constrained in the range of{x|0<x< 80 h }, to avoid creating states for binaries that perform an optimized string length calculation, see Section 5.1.2. The user also can provide a set of values and configure the system to constrain the data to only equal nor not equal the provided values; for example, profile 32, the user can provide the list of values to be excluded. Some XML parsers use some form of hashing to validate tags, i.e., checking if opening and closing tags are equal. Those checks are expensive for the constraint solver and create complex expressions. The plugin offers a way to mount the same symbolic data in the opening and closing tags by setting the doxml parameter. Function Modeling The plugin provides symbolic modeling of several string comparison functions. The models bypass function calls and write a symbolic expression of the parameters describing the semantic of the functions in the output location. The user can specify a list of function names, and the plugin would call the model instead of the original function. Termination The user can specify the timeout to terminate the experiment; the time is in seconds. Further, the user can specify conditions to terminate symbolic states, for instance, on internet activity or if a specific API is called. Some malware uses blocking APIs that might wait indefinitely. 4.2.2 CFG Searcher 77 Parameter Type Default Description Inference module resetmethod int 1 0: reset on call/jump/return instruction. 1: reset when the procedure made the first fork returns. 2: reset based on partial CFG loop analysis. [81] sep int 16 Assign seperator at every <sep>th byte. sepmethod int 1 0: set seperator at <sep>th, random location, and none. 1: set at <sep>th and none. 2: set in none. strstr int 10 fork after <strstr> iterations keywordflag boolean true Delay keyword non-progress state resetting until EFLAG is not symbolic stepper boolean false Remove constraints on progress keyword/strstr resets. noinference boolean false Disable inference. level int 0 reset keyword after−1× returns strlevel int 0 reset strstr after−1× returns resetq int 0 1: reset non-progress keyword after the first non- progress branch. 2: reset non-progress keyword after the first non- progress branch and remove constraint from the cur- rent state. Controlled Forking allprogress boolean false Enable controlled forking mode. progress_threshold int 2 Number of forks before going all progress. allow_childfork boolean false Allow child states to fork. dosolution boolean false Print solution for each branch on forking Debugging 78 printcode boolean false Print forking machine code. generatemessage boolean false Print enumerated strings. verbose int 1 verbosity level 0-5. printsymclass boolean false Print forking instruction category. printmodule boolean false Print forking module name. overstep boolean false Calculate oversteps. analyzesym boolean false Calculate symbolic variables for each feasible memory location and print them. memdump boolean false Write virtual machine dump after the first fork. Symbolic Memory forksymbolicmem boolean false Fork on symbolic memory. symmemory boolean true Match lookup tables with known references. printsym boolean false Print symbolic memory data alwayscopysym boolean false Copy symbolic data in index in the indexed location. XML and JSON dojson boolean false JSON symbolic template {"S":""} jsontag string "" JSON tag dojsonbody boolean false JSON symbolic template {"<jsontag>":"S"} xmlhead string <?xml version="1.0" encoding="UTF-8"?>< doxml boolean false XML symbolic template <xmlhead><S1></S2>. tag_min int 3 tag_max-tag_min+1 states for XML/JSON tag_max int 12 Generic searcher int 1 1: DFS state scheduling 2: NURS state scheduling, weight=2 depth ingorekernalfork boolean true Disable forking in kernel code. maxp boolean false Maximize symbolic process and thread priority. forking40 boolean true Handle case-insensitive constructs. 79 parseexpression boolean true Do not parse expression to detect progress branch, instead process the symbolic buffer. zeroprogress int 0 If two branches are progress, , choose the <zeroprogress> branch as progress. State Termination stateTimeout int 0 Terminate a normal state after <seconds> <sec> learningTimeout int 20 Terminate a learning state after <seconds> <sec> keywordterminate boolean false Terminate progress keyword state on reset. strstrterminate boolean false Terminate progress strstr on reset. killonunload boolean true Terminate state if symbolic process is unloaded. Table 4.6: CFGSearcher parameters This section describes the core plugin that implements the approach presenting in this thesis. The plugin identifies the progress branch, controls forking, and perform inference over parsing constructs. When a binary executing symbolically reaches a branch instruction where both branches are feasible, the plugin consults the STP solver and analyzes both branches. There are two modes of operation: Controlled forking, and inference mode. Controlled forking In this mode, the component consults the STP solver about the feasibility of both branches. If that is the case, it uses the solver to identify if one of them is a progress branch. A threshold bounds the number of forks each state is allowed to perform. States are forced to favor a progress branch if the threshold is exceeded. The user can specify the forking threshold by setting the progress_threshold parameter. Further, the threshold can be enforced only 80 on the initial states, while other states are not allowed to fork by disabling the allow_childfork parameter. Inference module Inference module exports a myriad of parameters to control its behavior. For example, resetting, setting separator, number of time a String Finder construct forks. Resetting a construct can be based on the loop, or when the primary procedure returns. The loop analysis is based on partial control-flow-graph CFG, similar to [55]. However, it differs in the level of granularity as nodes in the graph are represented by basic block Each basic block represents a sequence of continues instructions, and control flow instructions represent edges in the graph, while [55] represent edges by procedural calls. Then I implement loop detection based on [81]. In loop-based resetting, keywords are terminated if the binary reaches an exit node belonging to the loop immediately, enclosing the first progress branch. Strstr is terminated once the binary reaches an exit node of the first loop enclosing the innermost loop. In procedural based resetting, keywords are terminated once the procedure enclosing the first progress branch existed. For strstr, the inference module counts the pair of call/return instructions made between successive com- parisons in the non-progress learning state. The module leverage this information to determine the number of call/return instructions required to reset. Symbolic memory In cases where a symbolic expression to calculate a memory address, the data in the feasible concrete values satisfying the symbolic expres- sion and path constraints are checked with a reference of previously known tables and prints the matched tables.If the symbolic memory is used in encoding con- version tables, the component analyzes the symbolic expression and the machine 81 instruction used to access the memory using XED [12] to determines the size of the output operand, and copies the symbolic data in the memory location. The user can specify the system to copy on symbolic memory address symcopy. The user also can ask the plugin to analyze the symbolic memory where it prints the mapping for each address. XML and JSON The component enables setting the symbolic data constraints such that it conforms to the rules of a valid XML or JSON files. Such settings bypass parsers without generating states. The user can enable dojson, and the component would set the symbolic data constraints as {"S":"", where S is con- strained such that any character used in the formatting JSON file is invalid. The component allows also setting the constraint for XML. The user can specify the minimum and maximum tag sizes. The component creates states, each with a different tag size ranging from the minimum to maximum tag size. Progress detection optimization The component analyzes the branch condi- tion and extract the variables in the expression and only consult the solver over those values to determine a progress branch. The component follows this approach to avoid consulting the solver on every byte of the buffer. However, branch con- ditions composed of bit-wise operations over multiple variables result in complex symbolic expressions. It is infeasible to parse such expressions, and the user can disable such optimization by disabling the parseexpression parameter. Branch conditions that involve bit-wise operations might result in two progress- branches,zeroprogress instruct the component to choose a specific branch in that case. 82 StateTermination Statesareterminatedafterarunningforaspecifiedamount of time. learningTimeout specifies the timeout for learning states. state- Timeout specifies a timeout for normal states. keywordterminate terminates a progress keyword state upon resetting. Similarly strstrterminate terminates a progress strstr state upon resetting. killonunload terminates a state if the process containing symbolic data terminates. Multi-Process/Thread For multi-process/thread malware, the component offers an option - maxp - to increase the priority of the process and thread that contains the injected symbolic data. It manipulates the values in the EPROCESS and ETHREAD structure corresponding to the process under analysis in the ker- nel. Multiple-Instances When using multiple cores, the plugin shares inference information with other instances by using a key-value store. The information shared is the PC of instruction alongside with a code identifying the construct type as well as the resetting level. The component creates a session id for each experiment and records the process id and status of instances upon creation and destruction. This facilitates tracking experiments from outside the virtual machine. For instance, an analyst can use python scripts to run multiple experiments and leverage such information to know the status of the experiment. 4.2.3 StackTracer This component watches the stack on control flow changes to search for specific values in memory or registers. Some malware use functions not supported by ApiIntercept, and the user can use the StackTracer to inject symbolic data 83 Parameter Type Default Description arguments int 3 Number of arguments in stack. contentlen int 20 Number of bytes for pointers. verbose boolean false Print bytes in arguments dommx boolean true Trace and re-inject on MMX register usage. dofloat boolean true Trace and re-inject on FFP stack usage. . key string "" cmd string "" inject: replace <key> with sym data inject_constant: replace <key> with sym data if a byte6= X constraints it to the same value dump: virtual machine memory if <key> is found. value string "" key_r string "" replace data matching <key_r> with concrete <value>. Table 4.7: StackTracer parameters or replace data with concrete variables. The user can provide encrypted input and specify the clear-text version to be replaced by symbolic variables, or can be replaced by other variables. The parameters exposed by StackTracer is shown in Table 4.7. Special purpose registers Malware uses special-purpose registers to confuse analysis tools. For instance, malware copies data to FFP registers to confuse mem- ory breakpoints. Recent malware variants repeatedly copy data to FFP or MMX registers and back to memory. Most symbolic execution engines do not support floating-point operations, and even if they do, those operations are complex. For this particular case, it is sufficient to track the data as it moves between memory and floating point registers. The component records when data is copied to a floating-point stack. Whenever an instruction that reads from a floating-point stack is executed, the plugin checks the last data copied to the stack, and if it is symbolic, it reinjects the data to the memory. For MMX, the plugin records data as they are copied to registers and intercept instrument instructions reading from MMX register and reinject. 84 Symbolic Injection The user can set cmd to inject and specify a key. Once the key is found in the stack, it is replaced with symbolic data. Also, the user can configure the component to dump the VM memory once key is found in the memory. Consider a binary that receives encrypted data from the network that is represented as hex-digits. The user can specify the clear-text, and the plugin would inject symbolic data once the data is transformed and decrypted. 4.3 Summary Malware variants are significantly different in many aspects. Some variants launch multiple-processes. Some malware use standard functions to fetch data received from the network, while others leverage undocumented APIs. Format of data processed by malware differ. The initial input can be formatted as ASCII digits, clear-text Base64 encoded. Some malware uses JSON or XML to communicate with their masters. In general, the structure of the binary code is not standard. Binary comes in multiple forms and structures, and even malware belonging to one family process data from the same source differently. The implementation exports a myriad of configurations to support different binaries and data formats. The chapter presented an explanation of the main three component of the prototype and their parameters to assist the user in configuring the system. 85 Chapter 5 Progress branch and initial phase of processing Bounding the number of forks, setting constraints, and favoring the progress branch reveals an initial phase of text processing of the input. For example, search- ing for a file signature or a set of characters unique to a specific file format is often time sufficient to understand the purpose of the input. The initial comparisons made upon network input help analysts to quickly determine whether the input is of interest - some binaries send the data to be displayed by a browser. Notations I use some notations to save space throughout this chapter. • A h denotes that A is a value represented in hexadecimal format. • A denotes that there is more than one value satisfying the path constraint for a symbolic byte. • 80 h R means the value enclosed in the box - 80 in this case - appears in multiple arbitrary locations in the buffer starting from the position of the box. • 80 h d means the value enclosed in the box - 80 in this case - appears in d adjacent locations starting from the position of the box. 86 • 80 h * means the value enclosed in the box - 80 in this case - appears in adja- cent locations starting from the position of the box until the next constant value towards the end of the buffer. 5.1 Scouting Module The user can configure the system to bound the number of forks a state is allowed to make and forbids all states but the initial state from making any fork. Once a binary reaches a conditional branch where both paths are feasible, the state is forced to take a progress branch, or arbitrary any branch if there is no progress branch. In this section, I discuss the output of running samples in the scouting module, the effect of setting constraints on bypassing parsing phases, and observed parsing behavior. I configure the initial state to fork up to four times and force it as well as other generated states to take the progress branch, if there is one, otherwise choose a branch arbitrarily. All reported experiments were performed in a single core of Machine 2.All experiments are configured with a symbolic array of length 50 bytes. The path constraint is configured such that∀x∈ S|0 < x, where S is the symbolic input. Data-Set I have selected 2332 samples from Pool1 - see Section 3.7 - randomly and run them in a sandboxed environment to collect contacted hosts. Multiple samples contacted several different URLs, and multiple URLs were contacted by the multiple samples. An experiment - Exp. for short - is a unique combination of samples and URLs - the set generated 8243 experiments. 40% of the Exp. where formed by 30 samples only. Those samples generated random hostnames - onesamplegenerated463hostnames. TwoofthosesamplesrequiredaDNSanswer 87 where a hostname is mapped to multiple IPs to initiate HTTP connections - they wereanalyzedin6.1.3. Twoothersamplesthatcontactedhundredofhostsrequired input of 300 byte-length - at least. The input was passed to CryptVerifySignature and sent remotely if the function succeeded. The above samples and the following Exp. - not necessarily samples - were ignored. • 740 Exp. by 236 samples that use multiple layers of library calls before the native APIs (dot net). • 144 Exp. by 137 samples contacting google subdomains for connectivity tests and google-analytics. • 131 Exp. by 94 samples opened in a browser. • 26Exp. by 26 samples used Microsoft BITS ("Background Intelligent Trans- fer Service") to download a file. • 26 Exp. by 12 samples used microsoft.com as a connectivity test. • 11 Exp. by 4 samples generated a Unicode-based hostname. • 8Exp. by 7 samples that use the fetched input in RC4 key-scheduling phase. • There were other transient URL that was not contacted when running the sample again. That left me with 3062 Exp. and 1552 samples. 5.1.1 Detecting Data Type The output obtained from running samples in the scouting module reveals the initial phase of network input processing. The initial phase involves sometimes 88 searching for file signatures or a specific set of characters that identify a particular file format. For instance, an XML header or tags indicate the underlying file is encoded as XML. Interestingly, few binaries search for multiple file signature in the same network input and parse the file accordingly. Type #Exp. #Samples AV families #URLs GIF89a 405 210 7 385 Embedded zip 275 34 12 81 UTF-8 BOM 240 239 12 203 UTF-16 163 159 15 146 MZ 12 8 6 10 Bzip2 10 10 5 1 RIFF 4 4 4 3 7-zip 3 3 3 2 PDF 2 2 2 2 BMP 1 1 1 1 CISO 1 1 1 1 Gzip 1 1 1 1 RAR 1 1 1 1 TAR.Z 1 1 1 1 TGZ 1 1 1 1 Total Unique 977 530 45 708 Table 5.1: Detected binary file signatures Type #Exp. #Samples AV families #URLs SGML 403 210 7 383 Generic hex. 148 8 5 118 Generic decimal. 109 67 10 22 XML/HTML/XHTML 44 35 16 30 JSON 39 13 3 3 ASCII digits 14 14 7 4 Readable Unicode. 9 9 6 2 Total Unique 766 350 44 561 Table 5.2: Detected text file formats 89 Type #Exp. #Samples AV families #URLs GIF89a SGML 400 209 6 380 UTF-8 BOM UTF-16 131 131 7 120 RIFF MZ 4 4 4 3 GIF89a SGML BOM 1 1 1 1 GIF89a SGML MZ 1 1 1 1 GIF89a GZIP2 TGZ SGML 1 1 1 1 TAR.Z CISO RAR 7zip MZ 1 1 1 1 Table 5.3: Malware searches for different types independently Malware searches for file signatures to identify or verify the content of the data received over the network. Table 5.1 shows a summary of different signatures searched by malware. The table shows the number of experiments, which is a sample and URL combination, for each detected signatures. The majority of the signaturesareusedtoverifyfileformats, whileotherssearchforsignaturestolocate embedded files. Few samples leverage the signature to determine the next parsing stages. For instance, Table 5.3 shows some malware that attempts to identify different compression formats in order to process the data. Once an analyst detects a binary searching for a known file signature, they can feed the binary with a file of such format or ignoring it altogether. Embedded files 34 samples searched for bytes used to identify a zip file - PK. The samples searched for the signature in multiple locations in the buffer - this is observed in all five generated states, and by the file specification the signa- ture should present in the first bytes of the buffer. One possible explanation for such behavior is that a zip file is embedded in another file format. To verify the hypothesis I have downloaded content from those websites - the accessible ones - and they were indeed embedded. All the URLs belongs to an image sharing websites. Seventy-two of those URLs were accessible as of July 27, 2019, and I 90 submitted the URLs to VirusTotal [80]; they were undetected as of July 27, 2019. I have analyzed the files, few were hidden in JPEG and the majority in GIF files - see Table A.2. Hidden executable URLs with executable extensions indicate malicious activ- ity and often flagged and prevented by protection software. Malware disguises such URLs with extensions of non-executables files. In this phase, I have detected malware searching forMZ, in files downloaded from URLs that show text and icon data types. Multi-Format Interestingly, there are binaries that look for different signatures in the same network input. Table 5.3 shows a summary of URLs where binaries search for bytes identifying different file formats. For instance, looking for a GIF and/or an SGML file containing a CRC checksum section, see the listing below. 1 GIF89a\_<!--SECTION NAME="CRC"--><<<< ON-->>>> 2 <!--SECTION NAME="CRC"--><!--/SECTION--> 3 <!--SECTION NAME="CRC"-->2147483647 Highly-Structured JSON and XML are languages that define a set of rules to encode data structures and hence, complicated by definition. Binaries differ in the way they parse such files. Some scrape the file for specific keywords and use their positions to locate the desired string, while others use a generic parser to achieve the same result. The second type is more complicated as generic parsers go through multiple rounds of processing and validation. 1 <?xml-stylesheet 2 <![CDATA[/> 3 <geo ver="1.0"><country><postal_code><city><region 4 NULL 91 5 [] 6 BDMReport_url":"" Using the scouting module, I have detected both type of processing. Examples of output generated from binaries using a generic XML parser is shown above at lines 1 and 2, while a scrapper is in line 3. Similarly, line 4, and 5 show outputs from binaries using JSON parser, while line 6 shows a scrapper. Line 6 illustrates that the binary ignored the quote supposed to prefix BDReport_url. ASCII digits Some binaries search for specific ASCII digits such as 100! or 45 _89, while others parse the input - most often using lookup tables - for ASCII digits for further processing, such as converting them into numbers followed by decryption. Table 5.2 shows a summary of malware searching for ASCII digits. Progress branch in constructs that parse ASCII digits to convert them to num- bers does not immediately produce digits as they usually validate that a byte falls in specific ranges. However, those constructs usually start searching for specific values that indicate the nature of conversion, e.g., to hex or decimal. Converting to hex is often preceded by searching for±0X,±0x or± for decimals, and those are denoted by Generic hex and Generic decimal in Table 5.2. Type #URLs #Samples AV families ASCII digit 160 97 28 CRC32 383 210 8 DES 1 1 1 Table 5.4: Detected lookup tables 92 Look-up tables In many cases, lookup tables reveal information on the nature of the processed data. For instance, some binaries leverage lookup tables to cal- culate a CRC checksum. Table 5.4 shows some detected usage of lookup tables in malware. Parsing by Standard API Some binaries use system API to parse files such as an INI file. The scouting module logs API calls; however, some of those calls behave distinctively in this setting. Malware use functions such as GetPrivatePro- file(SectionNames|String) from kernel32.dll. For instance an INI parser produce the following output 1 d h A d h a h * 2 ( 20 h A d h a h * 3 d h A ( 20 h A d h a h * Some binaries use a browser to display remotely fetched content, and some browsers like Microsoft Internet Explorer uses ieshims.dll to parse the content, and it starts searching for Client UrlCache MMF Ver. Table 5.5 shows the breakdown of network input, where a standard API is used to process it. API/Library #Experiments URLs #Samples AV families INI parser 94 28 93 24 ieframe.dll 32 24 18 7 ieshims.dll 8 4 8 3 Table 5.5: Breakdown of malware using API 5.1.2 Setting constraints Binaries often process text in multiple-phases, and the number of phases and their complexities varies. Some malware checks the length of the input by counting 93 Exp ID URL #Samples AV families S1 shadu.baidu.com/api/openapi/json_get_full_down_url_v4/<omitted> 11 3 S2 shadu.baidu.com,api/openapi/json_get_2to1_minipath_config_v4/<omitted> 13 5 S3 auth.weather.com/ursa/xml/desktop/installId/ 1 Dinppb S4 apisoft.hao123.com/data/ad.xml?t=<omitted> 1 chinbo apisoft.hao123.com/data/rm_task.xml S5 switchboard.real.com/player/installer.html 1 - cache-download.real.com/free/windows/installer/stubinst/xml/rp16/stubinst_config_en.xml S6 play.google.com/store/apps? 1 Getnow.a S7 freegeoip.net 13 3 ip-api.com ipinfo.io S8 www.fastdownloads.info/api/software/ 5 linkular www.ppdistro.us/api/software/ S9 static.fastenloads.com/feed/multi/feed_test_3.xml 28 15 static.fileupstream.com/feed/multi/feed_usa.xml static.freefileweb.com/feed/multi/feed_usa.xml static.rompi4me.com/feed/multi/feed_usa.xml static.skachat.org/feed/multi/feed_usa.xml static.ticnofiledownloader.com/feed/multi/feed_test_3.xml static.ticnofiledownloader.com/feed/multi/feed_usa.xml S10 down.downrealm.com/yak/Downloader_Demo.txt 1 - S11 www.qqxc8.com/yd.txt 1 tonmye S12 yz.app.sogou.com/appinfo?num=1179 1 sogou S13 open.baidu.com/special/time/ 19 8 S14 secure.oinstaller4.com/validate/timestamp?ts=<omitted> 4 1 secure.oinstaller6.com/validate/timestamp?ts=<omitted> secure.oinstaller7.com/validate/timestamp?ts=<omitted> S15 descargasfree.im/Admin/db/url_cmd.txt 1 symmi S16 takeinfo.ru/get_xml?file_id=<omitted> 3 loadmoney forces.buy-file.ru/get_xml S17 DGA 16 4 Table 5.6: Summary of experiments information the number of bytes before reaching a NULL character; others search for delimiters and field separators. Delimiters and separators might be necessary for enabling further processing, but in some cases, they are not. Setting the constraints to bypass those phases 94 Type #Exp. #Samples AV families #URLs Eliminating whitespaces JSON 106 106 4 69 XML 45 45 19 11 Windows setup INFormation 1 1 1 1 Generic hex. 8 4 4 8 Eliminating 80 h HTML 1 1 1 1 Windows setup INFormation 1 1 1 1 Table 5.7: Detected text file formats after adjusting the path constraint enables - in some cases - moving quickly to deeper phases. For instance, constrain- ing symbolic input not to equal zero - NULL byte - avoid creating states when the binary is calculating the length and allows moving the next phase of processing. Searching for whitespaces Whitespaces can be part of a string a malware is processing or serve as a delimiter that identifies field boundaries. Some times those delimiters are optional, while in other cases, they are a necessary part of parsing as some keywords are expected to be separated by delimiters. In a few cases, the existence of white spaces causes the binary to restart the processing, such as S6 in Table 5.8. Eliminating whitespaces caused the binary to continue processing the input, and more text is revealed. Table 5.7 shows the detected text format after eliminating whitespaces from the input. Note that the path is also constrained such that only bytes in the ASCII range excluding whitespaces are eliminated. Table 5.8 illustrate the results of binaries searching for whitespaces and the effect of eliminating whitespaces from the constraints. S7 is an example of a binary using a generic JSON parser over the symbolic input. The binary starts searching for keyword NULL, followed by whitespaces. Eliminating whitespaces, enabled the binary to progress toward other phases of parsing. The binary starts searching for digits, true,false, and quotes. Similarly, S9 illustrates the output 95 of a binary using a generic XML parser. Eliminating whitespaces enabled moving quickly to further parsing stages, and the binary starts looking for XML headers and tags. There were 5 Exp. generated by 5 samples (1 family), 2 unique URLs where a meaningful output - the string OK - was generated when eliminating whitespaces. There were 364 Exp. generated by 317 samples (34 families), 241 URLs where binaries started searching for other non-printable characters even after eliminating whitespace such as form-feed (c h ), and vertical-tab (b h ). I took one sample and eliminated those characters, and strings were generated. Examples of those strings are skip, select, and show. Optimized string length calculation It is conventional to mark the end of a string of characters with a NULL byte. To calculate the length of the string, a binary iterates through the byte until it finds a NULL byte. Some binaries leverage bit manipulation to optimize the search of a NULL byte [9]. The bit manipulation involvesXOR,addition,logicalAND,andnegation. Oneexampleofsuchoperation is (((X+0x7efefefefefefeff)⊕¬(X))∧0x8101010101010101) , where X is the input. Table5.9showsabreakdownofsamplesthatusesuchoperationtocalculate the length of the input. Such operations might not necessarily generate states as they are not involved immediately in branch conditions; however, they expand the path constraint such that some variables are evaluated to a constant value - 80 h in this case - and hinder further processing over those variables. Anoptimizedstringlengthcheckoftenprecedesactualstringcomparisonsupon the network input. Such operations would flip some bytes in the input to equal 80 h , and causes the binary either to stop processing or repeatedly searching for a string. 96 # Output Constraints S6 (function(){windowa h (function(){windowa h (function(){ A A (function(){windowa h (function(){windowa h (function() A A (function(){windowa h (function(){windowa h (function( A A A (function(){windowa h (function(){windowa h (function A A A A (function(){windowa h (function(){windowa h (functio (function(){window A _uc=”;})();’;})();’;})();’;})( C\W A (function(){window A _uc=”;})();’;})();’;})();’;}) A A (function(){window A _uc=”;})();’;})();’;})();’;} A A A (function(){window A _uc=”;})();’;})();’;})();’; A A A A (function(){window A _uc=”;})();’;})();’;})();’ S7 NULL 9 h * A 9 h * a h 9 h * 20 h 9 h * -0X 0 * C\W NULL false true "" S8 d h * A a h * d h a h d h * d h 2 a h d h * d h 3 a h d h * [] C\W [ A ] S9 d h A A d h A A d h A A A d h </> C\W <![CDATA[/> <?xml-stylesheet <:/> S10 d h * A a h d h * d h a h d h * d h 2 a h d h * d h 3 a h d h * { C\W {\urtf see Table for experiment information 5.6 Table 5.8: Effect of eliminating whitespaces 97 #Experiments URLs #Samples AV families 101 49 81 28 Table 5.9: Breakdown of malware using⊕ for string length Table5.10illustratesexamplesoftheoutputofbinariesusesaformofoptimized string length operation. The table also shows the effect of eliminating 80 h in the generated message, where binaries progressed to deeper levels of processing. ConsiderS1, in the most generated output, the byte 80 h is present in different positions of the input and the binary repeated attempt to search for a partial string is noticeable. More bytes of the string are revealed when eliminating the 80 h . Further, the binary scans the buffer for the string - a newly observed behavior. Note that such optimization only works for ASCII input that falls in the range of x|0 h ≤x≤7f h . Table 5.7 shows the detected text format after eliminating 80 h from the input. 5.1.3 Order of processing The relative order of parsed strings and their location the buffer is not often trivial to understand. Some binaries search for two sets of string - locators - to determine a location of bytes of interest - a token. Taking the progress branch might reveal the locators and fails to cause the binary to process a token. Similarly, consider a binary that searches for a delimiter in every byte of the input, followed by searching keyword in bytes between the delimiters. What is the number of forks necessary such that there are enough bytes between delimiters in which the binary starts processing keywords? Consider S11 in Table 5.11, the binary searches for 1, followed by a series of |*|*|. It is not trivial to determine if it is a field separator or keyword. The output isshowninS12, S14, S15belongstoabinarythatsearchesforastringinmultiple 98 locations. In some cases, a binary searches for a string and uses it to locate other strings, while in others, the binary searches for strings in multiple locations, and if not found, it searches for another one - sequential string sub-matching. Only by increasing the number of forks, one can distinguish between the two cases. S15 shows several commands processed by malware. It is not easy to determine if those are one atomic string or multiple commands. Running the above examples in the inference module reveals more informa- tion on parsing behavior. S12 the binary searches for two sets of strings win- dow.baidu_time(, followed by ) and only analyzes the bytes between them. However, in S14, the binary searches for another string only after it did not find the first string in every byte of the buffer. In S15, the binary searches for all commands and then starts processing the parameters of these commands. One observation about binaries searching for Floating string is that some of them appear broken such asS3, S4, S17, while the rest appear as a whole. This is due to the nature of the parsing loops. Those binaries check for the first character in the outer loop and, if found, enters a nested loop while the others perform all the checks in the nested loop. 5.2 Constraining to a single value Constraining symbolic data such that they only equal to a single value reduces the number of feasible paths to one in most cases. Such practice enables tracking the symbolic variable propagation to API calls, and XOR operation. Analysts can leverage this approach to extract XOR encryption keys, track variables as they are used in APIs, or lookup tables. 99 Decrypting network traces One of the samples in the previous section searched for ASCII digits to convert them to numbers and decrypt the input using a variant of the RC4 algorithm. I found network traces of three vari- ants of this sample - namely Cryptowall - from hybrid-analysis [5]. The network traces contained ASCII hex-digits representing encrypted texts. Each binary con- tacts multiple webservers in parallel, and an encryption key is generated for each request. The binary uses some form of RC4 algorithm to generate the key from a passphrase, and I observe that there is a relationship between the URL argu- ment. For instance, the binary contacts jqbabycare.com/wp-content/themes/ twentythirteen/ap4.php?l=ysaivcx6wcjtkc, and the value ysaivcx6wcjtkc changes in every run. I use the sample I have to extract the encryption key from phrases in the URLs. I feed the binary ASCII digits and inject symbolic data once they are converted into numbers. Those data are constrained to equal a single value to avoid forking, and the state is configured to terminate on Internet activity. I also replace the generated passphrase with the one extracted from a PCAP file - ysaivcx6wcjtkc for the above URL. Then I enable printing XOR operands - see Table 4.1 - and extractthekeysfromthelogs. Table5.14showsasnippetofthedecryptednetwork flows. Extracting keys from RATs Two RAT samples, Kazy, and Pmkfrsucinas - see Table 8.1, receive XOR encrypted messages, the input is formatted as ASCII digits. To extract the keys, I provided the following input 61 50 , and leveraged StackTracer to inject symbolic data when a 50 is found, i.e., when the digits are convertedtoactualnumberssince’a’isequivalentto0x61. ThenIenableverbose- xor - see Table 4.1, to print XOR operation operands. Table 5.13 shows the first 100 ten bytes of the extracted keys, as well as the running time - states, are configured to terminate on Internet activity. 5.3 Non-progress branches Binary code is not always trivial to comprehend by human analysts. In some cases, previous instruction needs to be inspected. Consider the following assembly snippet from Pmkfrsucinas - see Table 8.1. 1 1EB movzx eax,byte [edx+eax-0x2] 2 1F0 add al,0xd0 3 1F2 sub al,0xa 4 1F4 jnc 0x212 What is the purpose of this conditional branch, given the data in eax has already passed through one round of processing ? By leveraging dosolution option in the controlled forking mode, the system prints two possible solutions for each branch for the variables involved in the branch condition. Two possible solutions are "A" and "0," which are the ASCII representation of 41 h and 30 h . 5.4 Summary Limitingthenumberofgeneratedstatesbyathreshold, andsettingconstraints, and forcing the binary to take the progress branch reveals the initial phase of string processing. The user can detect file signatures identifying binary file formats or XML and JSON parsers. Certain lookup tables can be detected in a constant number of states. The user can extract the XOR encryption key in a single state, as well as understanding the semantic of non-trivial assembly instructions. 101 The user can configure the constraint to eliminate generating states over con- structs searching for particular values to enable moving to a deeper phase of string processing. However, in some cases those constraints are not trivial to setup. For instance, a binary performs sequential string sub-matching. The user can adjust theconstrainttoeliminatethefirstcharacterofthefirstsubstringtoenablemoving to the second one, howeve the two strings might share the same prefix. 102 # Output Constraints S1 BDMReport_url":"" 80 h * A BDM 80 h BDM * DMRepo 80 h BDM * BDMReport_u 80 h BDM * BDMReport_url": 80 h BDM * BDMReport_url":"" BDMReport_url":"" C A BDMReport_url":"" A A BDMReport_url":"" A A A BDMReport_url":"" A A A A BDMReport_url":"" S2 BaiduSdMini_id":""B 80 h Bai * A BaiduSdMini_id" 80 h Bai * BaiduSdMini_id":""BaiduAnMini_id":""BaiduBrowser_i C A BaiduSdMini_id":""BaiduAnMini_id":""BaiduBrowser_ A A BaiduSdMini_id":""BaiduAnMini_id":""BaiduBrowser A A A BaiduSdMini_id":""BaiduAnMini_id":""BaiduBrowse A A A A BaiduSdMini_id":""BaiduAnMini_id":""BaiduBrows S3 <id> 80 h 80 h R A <id></i 80 h 80 h R <id></id> 80 h R <id></id> C < < <id></id> < A <id></id> < <id></id> S4 <html> 80 h 80 h R A <html> 80 h R <ht 80 h 80 h R < < <html> C A <html> <html> < A <html> < <html> S5 <??><??><??><??><?? 80 h ?>< 80 h R A A <? 80 h ?>< 80 h R A <??><? 80 h ?>< 80 h R A <??><??><? 80 h ?>< 80 h R A A <??><??><??>< 80 h 80 h R <??> * C A <??> * A A A A <??> * A A A <??> * ch <??> * see Table for experiment information 5.6 Table 5.10: Effect of setting constraints to eliminate 80 h 103 # Output S11 1|*|*||*|*||*|*||*|*||*|*||*|*||*|*||*|*||*|*| 1 A A |*|*||*|*||*|*||*|*||*|*||*|*||*|*||*|*||*|*| |*|*||*|*||*|*||*|*||*|*||*|*||*|*||*|*||*|*||*|*| S12 status=true A A status=true A A A A status=true A A A A A A status=true A A A A A A A A status=true S13 window.baidu_time() A window.baidu_time() A A window.baidu_time() A A A window.baidu_time() S14 200 OK A A A 200 OK A A A A A A A A 200 OK A A A A A A A A A A A A 200 OK A 44 200 OK S15 UUUpdate*update*update*update*update*update*pdate* HUHideVisit*hidevisit*hidevisit*hidevisit*: Update*update*update*update*update*update*update*S UuUpdate*update*update*update*update*update*Visit* UUpdate*update*update*update*update*update*update* S16 <internet><internet_silent><referer_inet></referer A <internet><internet_silent><referer_inet></refere A A <internet><internet_silent><referer_inet></refer A A A <internet><internet_silent><referer_inet></refe A A A A <internet><internet_silent><referer_inet></ref S17 INSERTED A INSERTED I A INSERTED IINSERTED IIINSERTED see Table for experiment information 5.6 Table 5.11: Generated Messages from scouting module 104 key Time 4xzy5b9f7v60x 14,3 61h7cyxq5q5mt 14,3 9rg13pmw4fet8 13,3 cnv3ih92uitk0 12,3 d42l3nr91ic 15,3 d93uaj44z8q1z 12,2 m4evco592n003q 12,2 q8qoc7s0n5mc 12,2 rh1devzjiw 14,2 y8ru138vtq1t 15,3 ysaivcx6wcjtkc 16,2 Table5.12: Runningtimeforextract- ing Cryptowall 3.0 keys Sample Key Time Kazy 5c18f968f65af78f2b66 46,17 Pmkfrsucinas f638ff1f1ebe8fb234d6 23,12 Table 5.13: Extracted keys from RATs (first 10 bytes) 1 Request: {1|crypt7|E6CC74E43EA57DC21450157269245C13 |5|1|2||209.126.97.199} 2 Response: {1421|1} 3 4 Request: {7|crypt7|E6CC74E43EA57DC21450157269245C13|1} 5 Response: {1323|6i3cb6owitcouepv.onion|1Lx9sUY|US|-----BEGIN PUBLIC KEY-----<omitted>-----END PUBLIC KEY-----} 6 7 Request: {3|crypt7|E6CC74E43EA57DC21450157269245C13|1} 8 Response: {1378} 9 t7|E6CC74E43EA57DC21450157269245C13|1},{1375} 10 {3|crypt7|E6CC74E43EA57DC21450157269245C13},{1125} Table 5.14: Decrypted network traces from CryptoWall 3.0 105 Chapter 6 Malware scraping the web and checking the local environment This chapter evaluates the proposed approach to enumerating string compar- isons performed over data obtained from the local environment and the web. Mal- ware compares string obtained from the local environment such as username, com- putername, runningmodules, an-dprocessesforvariousreasonssuchasidentifying sandboxedenvironmentsorspecificsoftwarerequiredtoitsfunctionality. Similarly, malware process text obtained from remote-services to identify the geolocation of the infected machine, perform a connectivity test, or instructions. To enumer- ate string comparisons performed over input, I replace data obtained locally and remotely with symbolic data and enumerate string comparisons performed over those values, and report the generated strings and the observed behavior in their presence or absence. 6.1 Network input All reported experiments in this section are configured as follows - unless oth- erwise specified. Each experiment is run for 30 maximum minutes and performed on a 4-core of Machine1.All experiments are configured with a symbolic array of length 50 bytes. The path constraint is configured such that∀x∈S|0<x< 80 h , where S is the symbolic input. 106 Most samples in this section were analyzed to complement the initial analysis performed during the scouting phase in section 5.1. Other samples were obtained from Pool2 - see Section 3.7 - and the samples were selected as follows. I have selected all samples that contact google.com in an attempt to analyze connectivity tests but found other usages. The break down of samples contacting google.com is as follows: • 26 samples contacted google.com for connectivity tests. • 1 sample contacted ssl.google-analytics.com. • 1 RAT (remotely accessed trojan) fetched a google doc page and used an INI parser. Some of the extracted keywords are VER, EXEURL1, and PORT. I have ignored the URL and extracted the commands, instead - see Chapter 8.3. • 32 samples were analyzed in Section 6.1.1. I have selected samples that contacted yahoo.com. One sample used the site as a connectivity test; another sample contacted yahoo answers - analyzed in Chapter 8.8. Three samples were analyzed in Section 6.1.2. I also selected all samples that contacted twitter.com - analyzed in Section 6.1.2. One RAT contacted a different page on twitter to obtain an update link, and I have analyzed the communication protocol; instead, see Chapter 8.7. I have selected all samples that contacted a geolocation service and were analyzed in 6.1.1. 6.1.1 Geolocation Malware expresses interest in victim machine’s geo-location for multiple rea- sons. I have analyzed malware that retrieves the geolocation of the host machine 107 Regions Sites #Samples AV families Time States Behavior Chinese symbols: F Beijing F Shenzhen F Zhuhai int.dpool.sina.com.cn /iplookup/iplookup.php 5 (2) Chindo Bagsu Mikey Strictor 104.7,102.6 7,9 Terminate pv.sohu.com/cityjson 4 (2) Graftor, Mikey,Zusy 64,62.25 7,9 Tags Body freegeoip.net ip-api.com ipinfo.io 13 (11) Cerber/Zerber NSIS.Androm Ccya Tags Body Tags Body No Ransom country country_code countryCode am, az,by ge,kg,kz md,ru,tj tm,ua, uz 144.7, 42.9 210.67,111.74 4,8 14.7,18.7 Normal Controlled Fork google.com 32 Virlock Normal Controlled Normal Controlled Currency F google.com.au .co.uk: 19 .co.nz: 15 .ca: 18 146.1, 80.75 67.14,62.31 3,5 10.52 Table 6.1: Enumerated geolocation strings used by malware from public services. Some binaries once they identify specific locations, they cease malicious activities, while others behave differently based on the obtained location. Most ransomware obtains the geolocation to tailor the ransom message - the cur- rency, for instance - according to the infected machine’s location. Identifying the geolocation is often associated with ransomware; therefore, communicating with such services is flagged by network monitoring systems. Recently, websites offer- ing geolocation services requires an authentication token to avoid malicious usage. By using the proposed approach, I detected a stealthy approach to identify the geolocation in recently captured samples. I group geolocation malware into three categories. The first category com- pares the geolocation with three Chinese districts and terminates if any of them is detected. The hex representations of the extracted regions are b1 b1 be a9 , c9 ee db da, and d6 e9 ba a3 for Beijing, Shenzhen, and Zhuhai, respectively. The scouting module extracted only the first region, namely Beijing. The second cat- egory compares the geolocation with Post-Soviet states. Malware in this category does not cease activity but chooses not to act like ransomware. The third category uses a stealthy way to detect its location. Contacting GeoLocation websites vio- lates most corporate policies and are flagged by Intrusion detection systems (IDS). While the majority of malware contact google.com for connectivity checks, I found binaries that parse the google webpage looking for hints of geolocation. 108 Table 6.1 shows the results of running binaries that check geolocation. The first group of malware searched for substrings in all the buffer. The second group of malware passes the retrieved value to a JSON parser, which was detected in the scouting phase 5.1.1. For those, I run each experiment twice, one time to generate the tags and the second to generate the values. The last group contact google.com and looks for google.com.au in all the symbolic values. However, they also look for other values that share the same prefix. They look for google.co.uk, google.co.az, and google.ca. The binaries use instructions in the same procedure to enumerate all the substrings, and due to the way the module resets the non-progress states, otherstringsweremissingintheenumerationprocess. Touncovertheothervalues, I prefixed symbolic array with ’google.’ and adjust the path constraints such that bytes do not evaluate to ’g’. I use the controlled forking experiment with four forking thresholds, and I allow the child to fork. I configure each state to run for 10 seconds as those are ransomware, and if running longer, they will consume all the memory of the virtual machine. Country name for IRC 6 malware variants - one from Pool2 - contacted api.wipmania.com/ to obtain the country name and use it in an IRC channel. The binaries searched for <br> in every location at the buffer, then calculates the length of the string to the right of it. After a number of experiments, I detected that the required length is 2 characters. The binaries searched forXX and use it to identifytheUSA;otherwise,itusesthefoundstringasacountrycode. Therunning time and number of states for the first and second experiments are (183.67,104), (3,5), and (257,180.67),(4,8), respectively. The above samples use blocking API callssuchasselect, whichiscommonamongbinariesthatuseinteractiveprotocols suchasIRC.Toreducetherunningtime, IconfigurestatestoterminateonInternet 109 activity and the running time is as follows for both experiments (79.83,3) and (80,5.17) Regions Site #Samples AV families Time States Beijing http://pv.sohu.com/cityjson 7 5 214.57,212.43 7,11 Shenzhen Zhuhai Beijing int.dpool.sina.com.cn/iplookup/iplookup.php 28 20 79.93,76.86 7.03,11.03 Shenzhen Zhuhai Beijing int.dpool.sina.com.cn/iplookup/iplookup.php 7 3 142.86,141.43 4.86,8.86 Shenzhen int.dpool.sina.com.cn/iplookup/iplookup.php 1 1 79,77 9,13 Zhuhai Total - 43 24 - - Table 6.2: Geolocation samples using sliding window parsing approach Sliding window parsing 43 samples use an unusual approach to parse content obtained from geolocation services. The samples starts by searching for CRLF as Floating String and use it to mark the end of the buffer. I obtained content of those web-sites from different formats (JSON, and tab-delimited) and none of them contained CRLF at the end. The binaries searched the buffer in a sliding window fashion. They start processing the first four or six-bytes and advance four/six steps on successful comparisons; otherwise, they advance by one. The binaries place the digit ’0’ at the end of the window and compare the string with ’0’ before the keyword - a region in this case - each time they advance the window. If the comparison with ’0’ succeeded - means the end of the buffer - the malware reloads the buffer and start searching again for another region. Even on successful comparisons over region strings, the binaries search for multiple occurrences of the same region and move to the next region only if the exhaust the buffer. There are multiple Floating Strings or a Field Seperator. To reduce the number of generated states, I suffix the symbolic input with CRLF and adjust the path constraint such that ’0’ digit and CRLF are infeasible. Further, I configure the forker state not to generate a progress state. Table 6.2 shows the extracted 110 regions of binaries using the sliding window approach. The regions in the first row of the table are identical to the one in Table 6.1, however, the extracted Chinese characters are different. They are suffixed with two bytes - ca and d0 in hexadecimal - which translates to city in Chinese. 27 samples in the second row generated 7,11 states, and only one generated 8,12. Samples in the third row generated 5,9 states, and only one generated 4,8. The output extracted for those samples in the scouting phase is CRLF in the scouting module, while the output of the other samples is CRLF as well as ff h . ObtaininghostIP Onemalwarevariantcontactedbothint.dpool.sina.com. cn/iplookup/iplookup.php, and pv.sohu.com/cityjson. The binary sent the content of the first URL remotely after encoding it. At the same time, parsed the second one - after copying to the floating point stack and back to the memory -looking for "cip": "<ip>" and contacted another website ip.t086.com/?ip=<ip> using<ip>intheURLandsentthecontentofthenewlyfetchedURLafterencod- ing it remotely. The malware searched for two floating strings "cip":" followed by ", and processed the data between them to for the second URL. The running time is (22,16), and the number of states is (10,18) - states were configured to terminate on Internet activity. Sending Location Remotely Some binaries retrieve geolocation to send it remotely to the master. For instance, there are three malware variants that URL encode the fetched content and send them remotely — two of those copied the content to FFP stack and back to memory before encoding. The binaries process the input, searching for numerous special characters in the buffer. They search for one character, followed by another one. For instance, they are searching for whites- paces and asterisks. Those characters are the ones required escaping according to 111 the URL encoding roles. The order of characters searched differ by the variants. Two binaries contacted http://int.dpool.sina.com.cn/iplookup/iplookup. php, and one contacted http://pv.sohu.com/cityjson. Onemalwarecontactedthreewebsitesapi.ipify.org/,freegeoip.net/xml/, and ip-api.com/json/. Two malware variants contacted www.ipip.net/ parsed the content using javascript parser. One malware contacted api.ip138.com/ query/ and used an authentication token. The binary looked for "ret" that indi- cates the status of the request and parses the payload. Another variant contacted madmax.stuffpicks.com/MaxMind.asmx/GetGeoInfo and used XML parser to extract the country code. All the above variants sent the parsed data remotely, and I excluded them from the analysis. Sending Location Remotely Some binaries retrieve geolocation to send it remotely to the master. For instance, there are three malware variants that URL encode the fetched content and send them remotely — two of those copied the content to FFP stack and back to memory before encoding. The binaries process the input, searching for numerous special characters in the buffer. They search for one character, followed by another one. For instance, they are searching for whites- paces and asterisks. Those characters are the ones required escaping according to the URL encoding roles. The order of characters searched differ by the variants. Two binaries contacted http://int.dpool.sina.com.cn/iplookup/iplookup. php, and one contacted http://pv.sohu.com/cityjson. Onemalwarecontactedthreewebsitesapi.ipify.org/,freegeoip.net/xml/, and ip-api.com/json/. Two malware variants contacted www.ipip.net/ parsed the content using javascript parser. One malware contacted api.ip138.com/ 112 #Samples AV families URL Generated Value Time States Status of URL Behavior/Purpose Remarks 18 8 Flooder twitter.com/pidoras6 F1 )))))______________ F2 </p> 113.30, 112.05 - Structure changed WinHttpCrackUrl / DDoS 4 Razy 6 Ulise 18 5 Graftor 4 Symmi 3 flystudio 2 ktool flystudio 2 seodec adload uds open.baidu.com/special/time F1 window.baidu_time(8.+__ F2 ) 425, 421.6 - N/A Unix timestamp 2 QGM, Slugin yahoo.com/setting.doc [setting]\r\ndownloaded=success 95.5, 85 2,4 "OK" Injecting svchost.exe GetPrivateProfileString 1 Getnow.a play.google.com/store/apps? F1 (function() F2 {window uc=’\420\420\4’ F3 ;}) F4 (); 1137,1127 - Login required Fetching registered phones No CLRF 1 Dinppb auth.weather.com/ursa/xml/desktop/installId/ F1 <id>&#x ;&# && F2 </id> 383,379 - Not Authorized WriteFile() 1 Mydoom search.yahoo.com/search?q @ &#;@ - - Malformed URL Harvesting emails Symbolic memory copy 1 Hbpw hi.baidu.com/sinianxc/blog/item/[omitted].html div F1 id=”blog text” class=”cnt” > 2 \xa1\xbe 170,167 7,9 N/A N/A Table 6.3: Extracted tokens from malware scraping the web query/ and used an authentication token. The binary looked for "ret" that indi- cates the status of the request and parses the payload. Another variant contacted madmax.stuffpicks.com/MaxMind.asmx/GetGeoInfo and used XML parser to extract the country code. All the above variants sent the parsed data remotely, and I excluded them from the analysis. 6.1.2 Token finder I detected and generated content for malware scraping the web for tokens. Most of those samples, locate two or more strings and process the data positioned between them. Table 6.3 shows the results of malware scraping webpages for tokens. I do not report the number of states for experiments that did not terminate by the allotted time. Instead, I report the time the first state where the malware started parsing the token or called a new API, and we report that API. Tokens are super-scripted with numbers indicated the order of which they were processed. Different Responses The majority of the websites contacted by samples in this section responded with values different than the ones I generated. The reason is that either they require login or the page structure has changed. For instance, two malware samples contact yahoo.com/setting.doc, and the website responds with "OK," however, the malware searches for "downloaded=success." I believe that the 113 website responds with such string if a particular software is installed in the victim’s machine. Structure Change Samples that contacted a twitter.com were not able to parse the content even though the tweet was available to the date of writing this docu- ment The reason is that twitter has changed the underlying HTML structure. In particular, </p> was not present in the page. Allowing Internet access to the sample did not reveal the behavior it is intended to do, which is a URL to DDoS. However, the system was able to regenerate the original content. When running the samples symbolically, I observed that the data between the tokens were passed to WinHttpCrackUrl API. I intercepted that API and change the parameter, and we observed that the malware performed DDoS against the fetched target. Login is required One malware contacted play.google.com to fetch a token that is used in subsequent requests to retrieve the list of registered cell phones. The website required a login to display the token. This binary required a specific cookie in order to issue the communication. In some cases, it is easy to identify a cookie a binary requires as they attempt to locate a specific file that reveals the name. This particular sample was enumerating all the files and parse their content. To identify the cookie, we replaced the data read from the file with symbolic ones and extracted several strings. Harvestingemails Onemalwarecontactedseveralsearchenginesinanattempt to search for email addresses. All the generated URLs were broken when I tried to visit them. The sample first searches for whitespaces to delimit the string. Only the state where delimiters were present the binary start searching for "@" and "at" . 114 #Samples AV fam. URL Value Time States Added Behavior Remarks 64 4 rp.baixakialtcdn2.com DONE 282,224 9,13 N/A 37 1 /bstr.php /wstr.php INSERTED 148,83 3,5 Stop DGA 4 2 validate/timestamp F1 200 OK 105.5,104 - Contact diff. hosts ..... F1 403 - Forbidden 343.75,342.25 - 2 2 DGA OK<code> 191,83 2,4 XOR encrypted Multi-answer DNS MZ ;site; site CAB 511.5,402 50.5 Launch process parse cab internet activity Controlled Fork threshold=40 30 cores Table 6.4: Enumerated confirmation code 6.1.3 Confirmation code Confirmation codes are responses from remote-servers where a malware send data uniquely identifying the analysis environments. I have analyzed malware that parses webpages searching for a confirmation code. Table 6.4 shows the results of the generated token. Two binaries processed an XOR encrypted message. Those messages start with a confirmation code followed by a payload. I had to reanalyze the samples using the controlled forking module configured at 40 fork threshold and used 30 CPU threads. The malware searches for three different data types. It looks for an executable, cab file, and list of websites to contact. Although malware that contacted rp.baixakialtcdn2.com belongs to the same family, they processed the data differently. The majority of generated nor- mal two states, some of them reused the rest of the buffer for other purposed and generated more states. Four samples contacted websites sharing the same suffix validate/timestamp and provided the current time and the hash digest of the executable. Those web- sites responded with The cake is a lie. However, the generated contents were "200 OK" and "403 Forbidden". Both of those responses caused the samples to contact different hosts and show different GUIs. 115 6.2 Environment artifacts This section evaluates malware inspecting the host environment artifacts. In particular, malwarethatqueriescomputername, username, andrunningprocesses. All reported experiments in this section are configured as follows - unless oth- erwise specified. Each experiment is run for 30 maximum minutes and performed on a 4-core of Machine2. All experiments are configured with a symbolic array of length 20 bytes. The path constraint is configured such that∀x∈S|0<x< 80 h , where S is the symbolic input. States are terminated if the process under analysis exists or starts an Internet activity. I selected 2000 samples randomly from Pool1 - see Section 3.7 and ran them in a virtual machine and logged API calls. I choose all the samples that called an API related to Username(A|W), Comput- ername(A|W), Process32First(A|W),Process32Next(A|W),Module32First(A|W), and Module32Next(A|W). Malware utilizes other methods to retrieve environment artifacts; however, the analysis is limited to those APIs. Further, I only select sam- ples that call those APIs within 30 minutes of running in an emulator. This would reduce the sample set, but currently, the implementation does not support delay- ing tracing samples until those APIs are called. Total samples used in this section is 788. 6.2.1 Usernames Among the dataset, 238 samples queried the username of the guest machine. 132 samples copied the obtained value to a floating-point register and back, encrypting the value and sending it remotely. 42 samples used the username in LookupAccountName API to obtain the SID of the running user. 3 samples 116 Username #Samples AV families Time States Norm. CurrentUser 52 11 189.70, 45.25 2,4 16 F Virus F Malware F Sandbox 2 2 83,67 7,9 0 Table 6.5: Usernames by malware to detect sandboxes used the username to schedule jobs using mstask.dll, and 1 sample obtained the username to determine the user’s home directory. 54 samples checked the username to detect a sandboxed environment, 16 of those used case-insensitive comparisons. Table 6.5 shows the enumerated user- names, the number of samples, the time taken to enumerate usernames, and the number of states. The time is shown in pairs — the number of seconds to termina- tion from launching the malware and injecting the symbolic variable, respectively. 1 data={"msg":"0001000010","Language":"English","version":"2.0.5" ,"osname":"Microsoft Windows 7 Enterprise ","osnumber":"6.1" ,"Process_architecture":"x64","av":"","fw":"","as":"Windows Defender","TP_Sandbox_USER":"0","TP_Sandbox_PATH":"1"," TP_Sandboxie":"0","TP_VM_WMI":"0","TP_VM_REG":"0"," TP_VM_TimeBase":"0","TP_VM_hook":"1","TP_VM_files":"0"," TP_Wine":"0","TP_VPN_WMI":"0","TYPE":"TP"} Listing 6.1: Infected machine information sent to a master Two samples performed sequential string sub-matching, shown in the bottom of Table 6.5. The binaries searched one sub-string and, if not found, moved to another. Unlike the other samples, verifying the extracted strings was not straightforward. The binaries did not exhibit malicious behavior in a Sandbox - Cuckoo sandbox version 2.0.7 [3] in this case. They used an undocumented API CsrGetProcessId, which returns the Process ID of csrss.exe, to detect if 117 ComputerName #Samples AV families Time States Norm. Behavior Sandbox 54 11 119.21, 33.37 2,4 17 Detect Sandbox Localhost "." 13 Outbrowse 315.15,24.92 2,4 - Whitelisting-bypass[11] for "." PC 1 Infostealer.bancos 55,25 2,4 - Increase C&C packet rate PC2014 KVM HVM MALTEST MWS SANDBOX 0E2E44 PC[0-9] 1 Firseria 134,117 9,11 - N/A Table 6.6: Enumerated computernames from malware SeDebugPrivilege flag is enabled [8]. The flag is enabled by modules that hook processes to trace API calls. Calling OpenProcess API over a system process is not allowed from user processes; however, the API does not return an error when passing the value returned by CsrGetProcessId if the debugging flag is set. Malware leverages such behavior to detect analysis behavior. I had to patch OpenProcess to bypass this check, and I was able to run the binaries. The binaries still detected the analysis environment, and that was evident from the payload sent to the master - see Listing 6.1. The flags TP_VM_hook and TP_Sandbox_PATH were set to 1. The enumerated usernames caused the binaries to flip TP_Sandbox_USER flag to 1. Although the samples performed identical tricks to detect analysis environ- ments, communication patterns and API calls, they were classified differently by Anti-Virus engines. In fact, BitDefender classified one of them as non-malicious, and McAfee-GW-Edition assigned each different labels, namely CryptDoma.tc, and SoftPulse.tc. A one can leverage string extracted from malware to enhance malware detection and classification. 118 6.2.2 Computernames I have analyzed 109 samples that queries the computer name. 69 samples com- pared the username, while the reset sent the obtained value remotely. Contrary to the common belief that malware uses the computer name to identify sandbox, I found 13 samples that behave differently if the username starts with dot ".". Those samples use the wmmicexec whitelisting-bypass technique [11]. This technique is used to bypass group policies added by system administrators to restrict applica- tion execution for local users. It seems that the samples use the dot to identify machines running large organizations such as corporates. I show the enumerated computer names, the number of samples, time taken to enumerate usernames, and the number of states in Table 6.6. One sample checked if the name is PC, and increased the rate of network packets. That was consistent among four runs. Another sample compared the computer name with multiple values, and I could not verify the behavior as it seems that malware already detected the analysis environment. 6.2.3 Running processes Ihaveanalyzed608samplesthatenumeratetherunningprocesses. 181samples compared each process name with the executable name obtained by GetModule- FileName API calls. Interestingly, 173 samples use a neat trick to identify their names. They launch two processes and enumerate the running executables and count the number of times each executable appears and record their process IDs. The malware re-enumerate processes and obtain the name of the process that appeared twice in the previous phase, encrypt it and send it to a remote host. 119 242 samples performed string comparisons over the running processes. 142 of them copied the value to floating-point stack and back before starting the compar- ison. 70 samples used case-insensitive comparisons. I had to constraint the input not to equal backslash and quote for 145 samples, I classify the enumerated process names into five categories. • Sandbox: The presence of such processes indicates a sandboxed environment. The existence of those processes causes malware to ceases execution. Table 6.10showsenumeratedprocessnamesusedbymalwaretoidentifysandboxes. • Anti-Virus: process names that belong to known Anti-Virus software. The existence of such processes does not necessarily cause malware to cease; how- ever, most malware tries to terminate those processes. Table 6.9 shows enu- merated process names used to identify the existence of Anti-virus engines. • Browser and legitimate software: malware looks for those processes to func- tion. Table 6.7 shows process names searched by malware that identify browsers and other legitimate software. For each malware that searches for a legitimate process, I ran a fake program with the enumerated name and observed its behavior. I classified the added behavior into categories and present them in Table 6.11. Interestingly, two of malware that searches for legitimate processes were not detected by any Antivirus engine, although they showed malicious behavior after rerunning them. • System: areprocessesthatbelongtotheoperatingsystem. Malwaresearches for system processes either to inject malicious code in them or to verify it is not running in an emulated environment such as WINE. • Malware name: are process names that malware uses to disguise itself. The malwarelaunchesitselfunderthosenamesregardless. However, theexistence 120 of such a process causes the malware to terminate it. Twenty-seven samples keep enumerating the running processes and waiting for their dropped file to start. The analyst can use this to launch those processes to speed up the analysis. Toevaluatetheproposedapproach,Ishowthenumberofincompleteandredun- dant states generated for each experiment. A state is incomplete if it generates partial value. Figure 6.1 shows the distribution of malware that generated redundant and incomplete strings. 40% of samples performed flawlessly, 50% generated two or less unnecessary states. Most of those states are the ones I constrained the input not to equal to backslash and quote. Those samples pass the input to a path parser to extract the executable name from the path. Since I constrained the symbolic value, the binary start searching for "c" followed by a colon. Also, few samples (32 samples) start looking for backslashes and then process data between, before, or after them. Those constructs were classified as separator finders, and they resulted in other states. Some of those samples required a backslash to be present before starting the comparison, while for others, backslashes were optional. I also measured the time elapsed from the sample start and symbolic value injection to the termination. Figure 6.2 shows the distribution of the time taken for each experiment. 80% of experiments terminated in less than 305 seconds from the injection, and 755 from the process started. Table 6.12 shows the distribution of valid process names enumerated per samples. Injection Point Retrieving the list of running processes in Windows OS is as follows. The user calls CreateToolhelp32Snapshot to take a snapshot of the 121 running processes, followed by a call to Process32First to retrieve the first pro- cess, and Process32Next for the rest. In a few instances, malware expresses interest in specific processes based on their order in the list or their priorities. To detect such behavior, I have injected symbolic data in the output of each call that retrieves the running process. 12 samples performed comparisons in this setup. 11 searched for explorer.exe while one searched for ESGRemoteSupport.exe. #Samples AV families Value 116 5 amigo.exe 112 5 opera.exe 108 5 iexplore.exe 107 5 avant.exe 107 5 chrome.exe 107 5 firefox.exe 103 5 arora.exe 102 5 leechcraft.exe 98 5 launcher.exe 97 5 luna.exe 94 5 maxthon.exe 94 5 seamonkey.exe 93 5 browser.exe 2 2 rapport 1 1 dgservice.exe 1 1 drivergenius.exe 1 1 drivethelife.exe 1 1 dtlservice.exe 1 1 terms.exe 1 1 ucbrowser.exe Table 6.7: Enumerated browsers and legitimate softwares 6.2.4 Loadeds Modules I analyzed 210 samples that enumerate loaded modules; 2 of them sent the data remotely. 32 samples called the API with invalid parameters - I guess it is some 122 Malware name #Samples AV families Value 32 1 install.exe 4 1 picview.exe 2 2 F main.exe 1 1 mism.exe 1 1 pcmaster.exe 1 1 winguard.exe 1 1 zzs.exe System #Samples AV families Value 90 5 svchost.exe 39 4 explorer.exe 37 2 cmd.exe 37 2 csrss.exe Table 6.8: Enumerated malware name and system processes form of detecting an analysis environment. 136 samples checked the length of the loaded module and did not process that data during the allotted times. Table 6.13, shows the different categories of module checks performed by malware. Dynamic libraries linked to a binary, processes that launched a binary, and API hooking software all appear in the loaded module list. The majority of analyzed samples searched for modules to identify a sandbox. Two samples searched for a specific DLL and if not found they attempted to download the files from the web. One sample checked for a specific loaded module and when I placed a fake module with the same name the malware showed extra behavior. 6.3 Summary Malware performs string comparisons over values obtained from the local envi- ronment to identify sandboxes, protection software, running browsers, or for other 123 #Samples AV families Value #Samples AV families Value 11 10 360tray.exe 1 1 clamwin.exe 2 2 baidusdsvc.exe 1 1 coreframeworkhost.e 2 2 kxescore.exe 1 1 coreserviceshell.ex 2 2 qqpcrtp.exe 1 1 dwarkdaemon.exe 2 2 ravmond.exe 1 1 dwengine.exe 2 2 zhudongfangyu.exe 1 1 dwservice.exe 1 1 360rp.exe 1 1 ekrn.exe 1 1 360sd.exe 1 1 fsm32.exe 1 1 avastsvc.exe 1 1 fsma32.exe 1 1 avastui.exe 1 1 fsorsp.exe 1 1 avcenter.exe 1 1 ksafesvc.exe 1 1 avgidsagent.exe 1 1 ksafetray.exe 1 1 avgnt.exe 1 1 kvmonxp.exe 1 1 avgui.exe 1 1 kvsrvxp.exe 1 1 avgwdsvc.exe 1 1 kxetray.exe 1 1 avkservice.exe 1 1 mcshield.exe 1 1 avktray.exe 1 1 mpmon.exe 1 1 avp.exe 1 1 mpsvc.exe 1 1 baiduan.exe 1 1 msmpeng.exe 1 1 baiduansvc.exe 1 1 qqpctray.exe 1 1 baiduantray.exe 1 1 qqpcwebshield.exe 1 1 baidusd.exe 1 1 rstray.exe 1 1 baidusdtray.exe 1 1 twister.exe 1 1 bdagent.exe 1 1 twssrv.exe 1 1 ccsvchst.exe 1 1 uiseagnt.exe 1 1 cfp.exe 1 1 uiwatchdog.exe 1 1 clamtray.exe 1 1 skyreg.exe Table 6.9: Processes associated with Antiviruses reasons. Enumerating the string comparisons enables tailoring the analysis envi- ronment to either hide artifacts identifying sandboxes or providing the missing ones. Malware uses multiple techniques to thwart analysis, such as the usage of floating point registers. I showed that by using the proposed approach, the string comparisons could be enumerated automatically; I also have shown that some envi- ronmental settings trigger new behavior. Content fetched remotely can also help understand the behavior of the network. Some of the remote servers intentionally select to provide invalid content, while others are inaccessible. Using the proposed approach, I regenerated content for remotely unavailable content. 124 #Samples AV families Value #Samples AV families Value 54 12 aircrack-nggui.exe 54 12 sbiectrl.exe 54 12 apis32.exe 54 12 sbiesvc.exe 54 12 camrecorder.exe 54 12 sniffer.exe 54 12 camtasiastudio.exe 54 12 superantispyware.ex 54 12 cv.exe 54 12 symrecv.exe 54 12 drvloader.exe 54 12 syser.exe 54 12 dumpcap.exe 54 12 tcpdump.exe 54 12 erdnt.exe 54 12 vboxservice.exe 54 12 erunt.exe 54 12 vboxtray.exe 54 12 etherd.exe 54 12 windbg.exe 54 12 irise.exe 54 12 windump.exe 54 12 irissvc.exe 54 12 wireshark.exe 54 12 observer.exe 54 12 wspass.exe 54 12 ollydbg.exe 54 12 zxsniffer.exe 54 12 pebrowsedbg.exe 38 5 vba32arkit.exe 54 12 regshot.exe 1 1 egui.exe 54 12 sandboxiedcomlaunch 1 1 taskmgr.exe 54 12 sandboxierpcss.exe Table 6.10: Processes associated with Sandboxes This chapter shows that the proposed approach scales to enumerate malware processing a relatively large number of strings. For instance, the system enumer- ated 60 keywords for one of the samples and 33 for 38 samples. Also, the approach was able to handle different parsing constructs that search for a string in multiple locations. For instance, the geolocation malware that searched for the Chinese dis- trict was searching for three independent sub-strings. The binary starts searching for the other sub-string if it exhausts the input for the first sub-string. The number of forks required to process the second sub-string is a function of the length of the buffer. The proposed approach can be used to detect different environment checks. For instance, malware reads the register file that identifies the CPU of the guest, the video card, or system BIOS version. There are also multiple ways to retrieve the computer and user names e.g., WMIC scripts. An analyst can inject symbolic variables in data obtained from such tools, which seems as a good avenue for future research. 125 Behavior #Samples AV families Check file version/copyright/signature 116 5 Network 12 5 Create thread 9 2 Create cryptokey 2 2 Creates ADS 2 2 Harvests credentials from email client 2 2 Disables proxy 1 1 Enumerate windows 1 1 Install autorun 1 1 Lookup privilage 1 1 Operates on firewall policies 1 1 WMI queries 1 1 Table 6.11: Added behavior obtained by running enumerated legitimate processes Figure 6.1: CDF of redundant and incomplete states in process enumeration 126 Figure 6.2: CDF of time to enumerate process comparison from symbolic injection #Samples #Keywords #Samples #Keywords 1 60 6 9 38 33 1 8 16 32 2 7 28 16 1 6 3 15 1 5 62 14 2 4 1 13 6 3 3 11 2 2 1 10 68 1 Table 6.12: Distribution of unique valid process names generated per samples 127 Module Name #Samples AV families Time States Behavior SBIEDLL.DLL SBIEDLLX.DLL DBGHELP.DLL 37 5 238.65,7.9 4,6 Detect Sandbox ServiceInstall.dll 2 2 194.5,122.5 2,4 N/A purebasic.exe 1 1 54,51 2,4 Create File Load Module Read Registry Table 6.13: Malware checking loaded modules 128 Chapter 7 Highly Structured File Formats Highly structured file formats such as JSON and XML define a set of rules to encode data structures. Binaries process such files in multi-phases, which, along with the hierarchical structure, pose a challenge to symbolic execution. Some binaries scrape the content, searching for a specific set of characters to use them to locate strings of interest. Others use a generic parser that performs multiple rounds of parsing starting by looking for whitespaces, headers - in case of XML - that define encoding and rules, followed by searching for key constructs such as tags and attributes. Parsers validate tags and attribute to ensure they adhere to the specification - in some cases, a form of hash comparisons is used which create complex symbolic expression for the constraint solver. Some parsers perform character escaping after the validation phase. After validating the file and extracting the constructs, the binarystartsprocessingtheparseddata, andthegoalistoreachthisphasequickly. This chapter aims to show that by leveraging prior knowledge of rules and formats, the number of states required to regenerate the content can be reduced significantly and the problem is reduced to simple string comparisons. I present an evaluation of using the proposed approach to regenerate the contents of malware variants that use different methods to processes JSON and XML. One might be tempted to analyze a memory dump of the malicious process, searching for key- words. However, that is often not sufficient as it does not capture their position 129 in the file. For instance, is the string part of a tag, attribute, or it is a tag nested in another tag? All reported experiments were run on a 4-core of Machine 1. The symbolic input is of length 50 bytes and the constraints settings differ for each experiments and is explained accordingly. Samples in this section were analyzed to complement the initial analysis performed during the scouting phase in Section 5.1. JSON RPC samples were selected from Pool2 - see Section 3.7. 7.1 JSON JSON parsers differ in the way they parse the content. Some parsers start searching for NULL keyword at the beginning of the buffer, followed by whites- paces∈W. After finding whitespaces, they search for true and false, then start searching pairs of curly and square brackets. This phase is followed by character escaping, and in some parser, searching for comment sections. The goal is to avoid forking in the JSON parser, one might provide a valid JSON file and inject symbolic values after the content is parsed, but the question is how to determine if the binary passed that stage, given that JSON parsers are statically linked to the binary? The key insight is to set the constraint such that the input is still a valid file while avoiding forking in the parser. I achieve such a goal by creating a template where some bytes are constants while others are constrained not to equal values used in formatting the file. For illustration, consider the following input 1 {"S_1":"S_2","S_3":"S_4","S_5":["S_6","S_7"]} The brackets, quotes, commas, and a colon can be either concrete values or sym- bolic variables constrained to equal a single constant. The path constraint is 130 configured such that the feasible values for the symbolic variables prefixed with S are: ∀x∈ S|x∈{C\{ {, }, [, [, ,, ", },9 h ,a h ,d h ,20 h ,27 h }. Such input would pass the parser without generating states - some parser requires an addi- tional narrowing of the possible values such as6= ! . Given that the input bypassed the JSON parsing phase, would malware start processing the data encoded in the file? It depends on the structure the binary expects to receive. For instance, In some cases malware process data associated with a particular key. URL #Samples AV Families http://config.fusioninstall.com/config/lightspark/offers.json 13 2 http://config.fusioninstall.com/config/ls/offers.json 5 1 http://config.fusioninstall.com/config/javaupdater/offers.json 2 1 http://config.fusioninstall.com/config/downloadmanager/offers.json 2 1 http://config.fusioninstall.com/config/7zip/offers.json 1 1 http://config.fusioninstall.com/config/windowsdriver/offers.json 1 1 http://config.softwareinstaller.org/config/7zip/offers.json 1 1 Total 25 2 Table 7.1: URL and sample breakdown for JSON installation instructions Tag #Samples country 25 diags 25 finished 25 headers 25 offers 25 progress 25 template 25 theme 25 mb 1 Time States 98.04,94.84 12.28, 14.28 Table 7.2: Generated Tags, and running time and states JSONkeys Ihaveanalyzedtwenty-fivesamplesthatfetchesinstallationinstruc- tionintheformofJSON.TheanalyzedsamplesprocessedthefirstkeyoftheJSON 131 input and did not process the values. Those samples processed the tags indepen- dently, i.e., the presence of the generated tags is not dependent on others. The symbolic input provided to the samples is as follow: 1 {"S_1":""} The contacted URLs and samples information are shown in Table 7.1, while the generated tags and running time stats are shown in Table 7.2. Only one sample was looking for mb tag. All the samples performed normalization - see Section 3.6 - upon the string before processing. Responding to the malware with the generated JSON tags enabled the malware to contact new URL to download an image and showed installation GUI. #Samples Sites Tags Template Time States 13 freegeoip.net country {" S ":""} 144.7, 42.9 4,8 ip-api.com country_code ipinfo.io countryCode Table 7.3: Generating keys for geolocation JSON Sites Template Bodies Time States freegeoip.net {"country":" S "} am, az,by,ge,kg,kz,md,ru,tj,tm,ua,uz 210.67,111.74 14.7,18.7 ip-api.com {"country_code":" S "} ipinfo.io {"countryCode":" S "} Table 7.4: Generating values associated with tags extracted in Table 7.3 JSON keys and values Thirteen samples fetched the host machine’s geoloca- tion from three public services. Those samples requested the JSON version of the response and used a JSON parser to extract the keys and values. The total number of experiments is thirty-nine, and the extracted keys for each website are shown in Table 7.3. The symbolic input provided to the extract the keys is as follow: 132 Tags Setup Time States Root tag success {" S ":""} | 1≤|S|≤13 108,56 15,19 Table 7.5: Extracted JSON key from Razy, see Table 3.1 1 {"S_1":""} Those samples processed values associated with the keys, and those values are independent of each other. The symbolic inputs provided are as follow: 1 {"country":"S"} 2 {"countryCode":"S"} 3 {"country_code":"S"} The extracted values and the running times are show in Table 7.4. Key length Some binaries check the length of the data encoded in JSON files. Providing a template with arbitrary length would not necessarily enable the mal- ware to process the data. Razy - see Table 3.1 - fetches JSON content from a URL formed from a Quora post. I leverage tag_max, tag_min - see Table 4.6, to automatically generate tags of lengthsl|1≤l≤13. The binary process the JSON key if the size is equal to seven and searches for the keyword success. The running time and states are show in Table 7.5. JSON RPC I analyzed thirteen variants of malware using JSON RPC to com- municate with a remote server. Those binaries contact mine.ppxxmr.com using TCP, and they require the input to be terminated with a carriage return - a h . The samples repeatedly move the data obtained from the network to MMX and back to memory. After bypassing the parser, the length of the keys is checked. 133 AV Family SHA-256 First Seen (VirusTotal) coinminer 0752b3b4f664702e45371510713e1437c2d650c04a0f980ae7ac859ba307022d 2019-05-09 21:48:22 04a315002dee3f94aee8b10b23b88e558787332815ad6d31d59acdd697b0559a 2019-05-10 00:13:07 0148ae45a406ff9f331ae5ef11a6a94060aeb4bf105ee507346957ccc38815ee 2019-05-10 00:27:58 08305cef88097907b69765480337c062af3b8b568f4b86a358ce77701d275768 2019-05-10 02:52:49 0bb789d5173b1cd7b9417500c3c50c763a3b4d95e194a3e3a2c2cadcfc6e72a6 2019-05-10 04:12:10 05f5b60c728e4d7a28928c5bcff085694dded494a64e8eb060b88cb5f47e1861 2019-05-10 07:03:18 052e2883cff11055b52cd1b11038c0378912fc0e771be6644efad7721464037a 2019-05-10 07:14:50 kd 0053182ee42bdd2157c049c4fb9bd07ee8373f1f8f409ca63fc7b61e301136e2 2019-05-09 23:01:43 0df5c87cb77a8ae11098fddd9b52f70c29645a394d1ba6971f9dcd33770ac0bf 2019-05-10 05:27:09 02ffb4e6a48b3568cc4a10e356a4accdc17da1a1686fef78a5adc86a22d2706d 2019-05-10 05:42:27 117192636564c6db76a68d53dc873891b7808afc579e000b7ba3d47fc6adf23f 2019-05-10 05:53:50 0cbf7863d0b74172df64db4e2c7e6560fd7d7e9ee34b3a51e9744f46d6f167b5 2019-05-10 06:23:21 Output Setup Time States id {" S1 ":""}a h | 1≤|S1|≤13 405.23,234.62 14.08,16.85 error method params S2 = job {"id":" S1 ","method": " S2 ","error": " S3 ","params": " S4 "} 82.15,15.92 2, 4 S3=blob, S5=job_id {"id": " S1 ","method": "job","error": " S2 ","params": {" S3 ": 120,28.92 2.85,4.85 " S4 "," S5 ":" S6 "," S7 ": S8 "," S9 ": " S10 "," S11 ":" S12 "}} Table 7.6: Summary of JSON RPC Table 7.6, shows the sample information as well as the extracted strings and running time. The strings were extracted in three steps as follows: 1. I run the sample to extract the keys, and four keys were extracted. 2. Run the samples with a JSON input containing the keys extracted from previous steps with symbolic data placed in the values. The binaries pro- cessed the value associated with one key, which is "method", and the value is associated "job". 134 3. The third step involves extracting the value associated with "params". The binary processed the value if "method":"job" existed, and the value is of type hash. Two keys were extracted blob and job_id. 7.2 XML Binaries differ in the way they parse XML files. Some binaries scrape the file to locate constructs of interests, while others use a generic XML parser to extract and validate constructs, after which they process the constructs. Some parsers use a form of hash comparisons to validate tag openings and closings. Other parsers perform a thorough validation of the input, making sure that the input is well-formatted. For instance, a parser checks that tags and attributes start with characters only. Even binaries that scrape XML pose a challenge due to the verbose nature of those files. A simple XML file requires relatively larger data buffers. Tags are defined in a pair of closing and opening and attributes, and their values could be associated with a tag. Further, multiple key constructs are defined by keywords such as DOCTYPE. For malware using a generic XML parser, the goal is to successfully pass the parsing phase while avoid generating states in the parser’s code. I acheive such goal by providing an input the complies with the specification and constraint the variables such that they do not evaluate to characters used to identify constructs such as x <, >, /, ", !, ? For parsers that hash validate tags, I mount the same symbolic variables in the opening and closing tags. Below are examples input passing the parsers without forking. 135 1 <S1>S2</S1> 2 <S1 S2="S3" S4="S5"><S6>S7</S6></S1> Malware that scrapes XML format poses a challenge as well due to the verbose nature of the format, see S16 in Table 5.11. Such binaries use String Finders to find tags, subtags, and tag contents. A handful number of tags would fill in the input, and the goal is to extract independent tags and adjust the input to extract dependent tags, which might require multiple experiments. Malware scraping XML To extract tags for malware that scrape XML, I pro- vide the following input <S></S> where the path constraint is set such tat S does not equal characters used in formatting the file. In table 7.7, shows the extracted tags for three malware samples of the same family that scrapes a webpage to extract tags. The tags presented in the tables were generated in two steps. In the first steps, symbolic data inside a tag is provided. In the second step, a symbolic data inside a tag where the tag is nested in <internet> tag. The table shows the tags extracted in both stages, and the running times and states. The samples processed some tags only if they were nested in <internet>, and some of those were processed in both stages. The same samples were run in the scouting phase, see S16 in Table5.11. The malware searches for three nested tags starting by the outermost one, followed by their closings. Length check Some binaries check the length of XML constructs returned by a parser before performing string comparisons. To generate tags for such a binary, one can configure the system to create multiple states, each of which has a different tag size. Table 7.8, show tag generated for a malware checking the length. The 136 binary checks the length of the root tag only. To extract the inner tag, I provide an XML input enclosed with the root tag generated in the previous step. Hash comparisons of tags Some XML parsers perform hash comparisons as an optimization to tag validation - opening and closing tags are equal. Such operations, when executed, symbolically create a complex symbolic expression that cripples the constraint solver. As mitigation, I mount the same symbolic variables in the opening and closing tags. Table 7.10, shows tags generated for samples using such parser. Interestingly, those samples did not perform comparisons on the root tag. Instead, they were interested in the immediate inner tag. The binary starts searching for <url> only if it is enclosed by offer tag, and it is enclosing some data. Also, the tag name is only searched for if url exits. The table shows the number of steps to extract the tags. See Table 7.11 and Table 7.12 for other variants that perform hash comparisons to validate tags. XML attribute Table 7.13 shows the result of a malware leveraging XML attributes. Interestingly, this sample uses lookup table 3.8 , to validate the the attributes and tags start with letters. 7.3 Summary Highly structured formats, such as JSON and XML, requires special handling. Most binaries leverage generic parsers to extract constructs and validate input. The number of feasible paths when executing such parsers prohibitively large. Byleveragingpriorknowledgeofrulesdefiningtheformatofahighlystructured file, the user can set the constraint of the input such that it successfully bypasses 137 the validation phase to the stage where a binary starts processing the content encoded in the file. 138 Sample ID URL #1 http://takeinfo.ru/get_xml?file_id=12952333 #2 http://forces.buy-file.ru/get_xml #3 http://forces.buy-file.ru/get_xml #Samples AV family 3 loadmoney Tag S.#1 S.#2 S.#3 internet X X X internet_silent 4 X 4 X 4 X mpcln 4 X 4 X 4 X name 4 X 4 X 4 X partner_new_url 4 X 4 X 4 X dltype X 4 X 4 X force_run X 4 X 4 X nohomesearch 4 X 4 X homepage_search_only 4 X partner_dse_url 4 X partner_new_url_amigo 4 X referer 4 X X X referer_amigo 4 X file_size X X X partner_new_url_inet X X X partner_online_url X X X referer_inet X X X url X X agent X X notoolbar X X amigo X partner_homepage_url X Stage1 6 8 12 Stage2 12 14 21 Stage1∪ Stage2 13 15 22 Stage1∩ Stage2 5 7 11 Stage1\ Stage2 1 1 1 Stage2\ Stage1 7 7 10 Stage1 Time 198,196 279,277 371,369 Stage1 States 8,10 10,12 14,16 Stage2 Time 330,328 444,443 537,535 Stage2 States 14,16 17,19 24,26 - tag did not appear in any stage X- tag appeared in stage 1 X- tag appeared in stage 2 4 X - tag appeared in stage 1 and & 2 Table 7.7: Generated content of samples scraping XML files 139 Tags Setup Time States Root tag FILE < S1 ></ S2 > | 1≤|S1|=|S2|≤13 223,219 8,10 Inner tags TorrentUrl <FILE>< S1 >< S2 ></FILE> 262,258 14,16 DownloadUrl Md5 FileName InvalidVersion Name realUrl URL AV family query.fly321.com/soft.php?<omitted> kuaiba Table 7.8: Generated XML tags for a binary checking root tag’s length URL #Samples http://static.fileupstream.com/feed/multi/feed_usa.xml 7 http://static.fastenloads.com/feed/multi/feed_test_3.xml 4 http://static.skachat.org/feed/multi/feed_usa.xml 4 http://static.rompi4me.com/feed/multi/feed_usa.xml 3 http://static.freefileweb.com/feed/multi/feed_usa.xml 2 http://static.ticnofiledownloader.com/feed/multi/feed_usa.xml 2 http://static.ticnofiledownloader.com/feed/multi/feed_test_3.xml 1 Total #Samples AV families 23 12 Table 7.9: URL and sample breakdown for hash validating XML tags Experiment # #Samples Output Setup Time States 1 23 <_>< OFFER ></ OFFER ></_> < S1 >< S2 ></ S2 ></ S1 > 454.13, 439.7 2,4 2 23 url <abc><offer>< S1 >abcd</ S1 ></offer></abc> 94.9,80.7 2,4 3 23 name <abc><offer><url>aaaa</url>< S1 >abcd</ S2 ></offer></abc> 169.3,155.7 2.1,4.1 4 23 allow_ping <abc><offer><url>aaaa</url><name>aaa</name>< S1 >abcd</ S1 ></offer></abc> 212.30,198.87 9.96,11.95 html statkey checkbox recommended cmd custom install Table 7.10: Generated tags for malware performing hash-based tag validation 140 Experiment # Output Setup Time States 1 language <S1></S1> 74,45 2,4 2 affiliate <language><S1></S1></language> 247,216 52,54 async cancel cdns code date display label language offers session signature skip software summary thankyou theme uninstaller URL AV family http://files.getsoftfree.com/get/session installer Table 7.11: XML tags for a binary hash validating tags Output Setup Time States click_id <S1></S1> 75,49 17,19 enabled rules rulesets session_id timeout URL AV family http://files.getsoftfree.com/get/launch/ installer Table 7.12: XML tags for a binary performing hash-based tag validation 141 Experiment # Output Setup Time States 1 delay <aaaa S1 ="aaaa"></aaaa> 107,103 3,5 interval 2 url <aaaa interval="aaa" delay="bbb"> <bb S1 ="aaaa"></bb></aaaa> 151,148 8,10 md5 cmd file stat ver delay URL AV family http://ie.dianxin777.com/vip1.xml badur Table 7.13: Generated content for malware using XML attribute to encode data. 142 Chapter 8 Understanding communication protocols’ format Remote access trojans (RATs) define protocols to communicate with their mas- tersthatvaryinformatandcomplexity. Mostoften, commandsareassociatedwith a set of parameters for which the number of possible values is virtually infinite - for instance, a file-path - which poses a challenge to symbolic execution engines. Further, malware processes input in multiple phases, and the order of processing differs among variants. Is it possible to leverage symbolic execution to understand the format and order of processing of the communication protocol and use that knowledge to generate working commands efficiently? This chapter aims to show that one can use the proposed approach not only to enumerate commands but to understand the format and order of processing to generate working commands that trigger different behavior. I evaluate the proposed approach on eight remote access trojans - see Table 8.1 - followed by a binary that obfuscates IP address into keywords. The majority of the analyzed samples are recently captured by Virustotal, and the rest are relatively older. I AV Family SHA256 Endpoint First Seen (VirusTotal) Cmd Format Remark KD 10d5993c812b368408893289f6fa71a1d3b4bace5f185636fcf4250ab680a313 TCP:xred.mooo.com:1199 2019-05-10 01:57:21 2 <cmd> F1 \x0a<param> F3 \x0d\x0a Kazy 0710f721a99065dfb692e62996c0681172acfc256c230f1676ebb646e94f2cca TCP:thedarkdkpiteur.no-ip.org:4526 2019-05-10 02:38:34 1 <cmd> F6 <param1> F2 | 5 <param2> F3 | 4 <param3>.. XOR encrypted FFP Pmkfrsucinas 0e0d67c8f4801bef0dd89bdf70eb47eb815b01f2ae9b34215188cf92438453d2 TCP:angeldarksoullol.hopto.org:1604 2019-05-10 05:15:28 1 <cmd> F6 <param1> F2 | 5 <param2> F3 | 4 <param3>.. XOR encrypted FFP Msil.cassiopeia 0007a54a73b54147545413de6221526d9d5f5fc2b0b9dc4aac74bd1fdc78b622 TCP:ilovebug.no-ip.org:8030 2019-05-10 05:41:04 2 <cmd> F1 \x0c 4 <len> F3 \x0c 4 param1... Ruskill 080fcd1070c24086446a10697b8c8945fae5a28582a4620498a4612c13c607ab IRC:pwnnet.no-ip.info:1337 2017-08-29 01:26:50 2 332 F1 4 #pwnx :___ F3 F6 _!<cmd> F5 7 <param1>.. Infostealer.bancos db5d332700e30ef12fdd0001b4edf358cacc45831b9fd2e695852dca15f69751 TCP:tudopranos1995.ddns.net:7751 2014-07-28 21:00:58 F1 <|cmd_t1| 3 >param F2 <|> F4 cmd_t2 Autoit 0a44b1102ff8c19cdb0b03d5ac23a9a861449dcfbf5dc3ac58f0484152c27384 TCP:speedconectest.ciscofreak.com:996 2015-09-21 23:40:06 5 <cmd> F3 | 6 param1 F4 | 7 param2 S1 \x0d\x0a__ S2 \x0d\x0a Symmi 79adae211704882f34ee48818ac2caec972a821454b106ed4f9fa884114c95b5 http://ir-a.us/conexiones /pro/Admin/db/url_cmd.txt 2013-10-08 14:19:23 F1 <cmd>* 2 param Table 8.1: Summary of RATs and the corresponding command formats 143 AV Family Time States #Commands Selected commands Explanation KD 100,91 7,9 6 GetCMDAccess\xa<cmd>\x0d\x0a GetScreenImage\x0d\x0a ListDir\x0d<path>\x0d\x0a Send output of running <cmd>in DOS Send screenshot Send a list of DIR in <path> Kazy 142,115 193,195 189 DDOSHTTPFLOOD<url|ip>|<time> DDOSSYNFLOOD<url|ip>:port|<time> HTTP,SYN commands Pmkfrsucinas 119,109 192,194 191 Msil.cassiopeia 133,108 124,126 123 x63\x0c10\x0c<ip> x82\x0c22\x0c<url> x48\x0c42\x0c<file> sniff on interface bound to <ip>and send Download file Send connect of <file> Ruskill 101,29 79,87 34 332 #pwnx :AAA A!slow <hostname|ip><duration> 332 #pwnx :AAA A!speed 332 #pwnx :AAA A!udp <hostname|ip><port><duration> Slowris DDOS Report speed (contact i.root-servers.org:80) UDP DDOS Infostealer.bancos 91,69 23,27 23 <|REQUESTKEYBOARD|> <|espiar| <|deski|> Control keyboard Spy on window Send desktop info 328,306 88,94 74 {DESCONET} {BBESMS} Window mainpulation. Autoit 143,118 146,148 143 removerservico|<servicename>\x0d\x0a \x0dx0a getpasswords|\x0d\x0a \x0d\x0a fmdownload|<file path>\x0d\x0a \x0d\x0a Remove service Send passwords Send <file> Symmi 1386,1366 72,102 8 Desinfected*<ip> Visit*<url> Check checkip.dyndns.org for <ip>if equal delete Visit URL Table 8.2: Extracted commands from RATs Browsers Window Title Google Chrome Banco Santander Brasil | Pessoa Jur’dica | Atendimento empresarial, empresas Mozill Firefox [bb.com.br] Internet Explorer Sicredi Digital Life Table 8.3: Window names enumerated by Infostealer.bancos choose to present them because of the different exhibit behavior regarding the way they parse commands and the input structure. Extracting commands from RAT is not an easy task, the majority of the sam- ples evaluated in this chapter are equipped with advanced anti-debugging, and anti-analysis techniques. One way to extract commands is to dump the physical machine memory once it starts processing the network input. However, it is a challenge to distinguish between text corresponding to network responses, error messages, and commands. Further, generating a working command is more chal- lenging as binaries expect a certain number of delimiters in a specific position relative to the commands. 144 Table 8.1 show the name, SHA256, network end-point, date of submission, and a summary of the command format. I use "_" to denote any character that is not part of a command or delimiter has to be placed in that byte. For instance, Autoit requires the majority of commands to be followed by "|" and three sets of CRLF with multiple characters between them (I only show two in the Table). TheanalysisofRATsiscomposedofmultiplesteps. First, Iruneachsamplefor a maximum of five minutes, which is sufficient - at least for the evaluated samples - to reach a state that starts processing commands. Table 8.1 shows a summary of the order processing obtained from the first step. Second, I adjust the symbolic constraints not to equal any bytes of the delimiters - either filed separator or floating strings - to extract all the commands. The idea here is to avoid processing the parameters of the commands. In Table 8.2, we show the number of commands generated, running time, and the number of states generated. For extracting the command, I configure each state to terminate if there is a network activity or if the construct taking the progress branch resets. Third (optional), I extract the parameters of the commands. Most often, a small set of commands require parameters, and usually, those parameters are passed to system API. To extract the parameter, I prefix the input with a command and set the parameter, and we can use the scouting module. Table 8.2, shows a few commands for each analyzed samples, and in what follows, I provide a detailed analysis of each sample. Experiments were run on a 4-core of Machine1. Symbolic data is of length 50 bytes such that∀x∈ S|0≤ x≤ 80 h , unless otherwise specified. States were configured to terminate on Internet activity. 145 8.1 IRC # SHA256 First Seen (VirusTotal) 1 080fcd1070c24086446a10697b8c8945fae5a28582a4620498a4612c13c607ab 2017-08-29 01:26:50 2 0943a07fe5228b79c13dc1654f6874d35f04417171005ae21f67f5297fa65e07 2017-08-29 01:00:40 3 41695b5b3fe4e263a134297ee957570e454629c683982ab2626858a40826937a 2017-08-29 01:27:40 4 84d9bef10bb5c868d4f24a8cf35a3747bd5fa99f1203de73dfb84d54b49215c3 2017-08-29 01:10:28 5 33a3b71ad31e006c2598f10ad3bc03c345ed59c1ab0cfa2c9ba0d50cb6ef9b55 2017-08-29 01:26:50 Table 8.4: Ruskill variants information Extracting commands for malware that uses IRC protocol to communicate with their master, requires additional analysis. IRC defines several commands and parameters on top of which malware payloads its messages. The question that poses itself is, what IRC command(s) does the malware use to communicate with its master? To answer the question, I precede the analysis with an additional step in which I replace the whole network response with symbolic data to extract the IRC commands processed by the binary. This section explains the analysis of five variants of Ruskill that use IRC protocol to communicate with its master, see Table 8.4 for samples details. All five variants are identical in terms of the end-point they communicate with and the extracted commands. The reported running time and the number of states are for the first sample in Table 8.4. Ruskill communicates with a remote server identified by pwnnet.no- ip.info:1337 and uses IRC over non-standard port. The malware searches for MOTD and 376 in every byte of the buffer, followed by several IRC commands 001,433, JOIN, and PRIVMSG. This is followed by searching for a space - 20 h - to split the input - using a lookup table found in strtok function, see Table 3.6. The malware searches for the IRC command332 only if the input contains spaces. The analysis was composed of two runs, wherein the second one the input is delimited 146 with spaces. The running time and the number of states are illustrated in Table 8.5. 332 is the only IRC command that causesRuskill to process instructions from itsmasterintheinitialroundofcommunication. Insubsequentruns, symbolicdata is injected with<IRC_PREFIX> 332 #pwnx :", where pwnx is the password provided by the malware when it registers to the server. IRC_PREFIX contains the registered nickname and joined room - which varies in every run. Thirty-four commands were extracted from the binary, and to extract parame- ters associated with a command, a symbolic variable is prefixed with the command in question, and similarly, parameter’s options are extracted. Table 8.6 shows the setup, running time, and states for each stage. MOTD and 376 each create two progress states and one non-progress. The non-progress - forker - states are the one from which the binary searches for other commands. Each of those states generates commands, and that results in some redundant states. Table 8.7 shows details of each extracted command and its parameters. Com- mands of interest that reveals the main capabilities of the malware are in rows 24,25,26, and 30. Those commands engage the victim in a DDoS campaign. Com- mand 24 starts a Slowris DDoS attack, and command 25 measures the bandwidth of the victim connection by sending large data to one of the root DNS servers and report the calculated value to the master. Interesting, commands have to formatted as follows in order to be processed by malware <IRC\_PREFIX> 332 \#pwnx :A A!cmd <param>, whereas A denotes to any character other than space. There should be at least one character after the colon, followed by a space, then at least one character followed by a command. It is not trivial to form a working command by manual analysis only, but by observing the binary processing the input a one can do so, however. 147 Keyword Stage1 Stage2 F MOTD X X F 376 X X 001 X X 433 X X JOIN X X PRIVMSG X X 332 X Time 118,21 88,13 States 8,12 10,14 Table 8.5: Extracted IRC commands. The input is delimited with spaces in stage2 . Stage Setup Output Time States commands P<S1> <S2> <S3> <S4> <S5> <S6> <S2> 1 101,29 79,87 !mod parameters PAAA A!mod <S1> <S2> <S3> <S4> <S1> 123,16 14,20 !j parameters PAAA A!j <S1> <S2> <S3> <S4> <S1> 97,9 8,12 !s parameters PAAA A!s <S1> <S2> <S3> <S4> <S1> 112,11 9,13 !p parameters PAAA A!p <S1> <S2> <S3> <S4> <S1> 94,11 7,11 !rc parameters PAAA A!rc <S1> <S2> <S3> <S4> <S1> 90,9 7,11 !m parameters PAAA A!m <S1> <S2> <S3> <S4> <S1> 98,9 6,10 !stats parameters PAAA A!stats <S1> <S2> <S3> <S4> <S1> 103,10 7,11 !us parameters PAAA A!us <S1> <S2> <S3> <S4> <S1> 87,11 9,13 !msn.set parameters PAAA A!msn.set <S1> <S2> <S3> <S4> <S1> 103,13 5,7 !dl parameters PAAA A!dl <S1> <S2> <S3> <S4> <S2><S3> 97,12 13,17 1 (last bytes) P= "<IRC_PREFIX> 332 #pwnx :" Table 8.6: Extracting commands, parameters and options for Ruskill. 8.2 Analysis of Symmi The way Symmi processes commands is different from other malware in this chapter. The malware searches for multiple occurrences of a single command and other commands in the buffer before processing their parameters. A snippet of commands generated in the scouting phase is shown in S16 in Table 5.11. 148 # Command Parameters Options Behavior Network response 1 ! N/A 2 !d N/A 3 !die - Terminates the process QUIT :exiting 4 !dl url -r -n Downloads executable and launch 5 !h 6 !http.inj PRIVMSG n{USA|W7u}aszwdeq :[HTTP]: Injected value is now disabled on n{USA|W7u}fbmkqyv :[HTTP]: Injected value is now enabled. 7 !http.int - <num> n{USA|W7u}aosmkum :[HTTP]: Updated HTTP spread interval to "<num>" 8 !http.set PRIVMSG n{USA|W7u}djqbbgo :[HTTP]: Updated HTTP spread message to "<param> 9 !j -c -n -v 10 !l 11 !logins N/A 12 !m on 13 !mdns <host1> <host2> PRIVMSG n{USA|W7u}ubnrkxy :[DNS]: Redirecting "<host1>" to "<host2>" 14 !mod bdns on usbi on popgrab on msn on msnu on pdef on ffgrab on iegrab on ftpgrab on 15 !msn.int <num> #<num> 16 !msn.set PRIVMSG n{USA|W7u}wxsmkva :[MSN]: Updated MSN spread message to "<param>" 17 !p -v -c 18 !r 19 !rc - QUIT :reconnecting 20 !rm - Deletes itself QUIT :removing 21 !rs0 N/A 22 !rs1 N/A 23 !s - :#pwnx secret -o :#W7 -n :#new -a :#user -v :#1.1.0.0 24 !slow <host><duration> Slowloris DDoS PRIVMSG #pwnx :[Slowloris]: Starting flood on "<host" for <duration minute(s) PRIVMSG #pwnx :[Slowloris]: Finished flood on "<host>" 25 !speed Large data to i.root-servers.org:80 n{USA|W7u}ijmwbjl :[Speed]: Estimated upload speed 1466 KB/s 26 !ssyn <host><port><duration> TCP sync DDoS PRIVMSG #pwnx :[SYN]: Starting flood on "<host>:<port>" for <duration>second(s) PRIVMSG #pwnx :[SYN]: Finished flood on "<host>:<port>" 27 !stats - PRIVMSG n{USA|W7u}bxslqds :[usb="0" msn="0" http="0" total="0"] PRIVMSG n{USA|W7u}bxslqds :[ftp="0" pop="0" http="0" total="0"] -l n{USA|W7u}ejjemuy :[ftp="0" pop="0" http="0" total="0"] -s n{USA|W7u}azeawjc :[usb="0" msn="0" http="0" total="0"] 28 !stop Terminates 29 !u 30 !udp <host><port><duration> UDP DDoS PRIVMSG #pwnx :[UDP]: Starting flood on "<host>:<port>" for <duration>second(s) PRIVMSG #pwnx :[UDP]: Finished flood on "<host>:<duration>" 31 !up <url><md5> Update PRIVMSG n{USA|W7u}pzuejkx :[d="<ur>"] Error downloading file [e="12006"] 32 !us - PART #USA -o PART :#W7 -n PART :#new -v PART :#1.1.0.0 -a PART :#user 33 !v - Version PRIVMSG n{USA|W7u}swvytxv :[v="1.1.0.0" c="30e41aa1" h="<sample_md5>" p="<sample_path>"] 34 !vs <url> "iexplore.exe" <url> PRIVMSG n{USA|W7u}gnmxemm :[Visit]: Visited "<url>" 35 !msn.inj on #pwnx :AAA A!msn.inj on Table 8.7: Ruskill commands 149 Constructs searching for commands are classified as Floating Strings, and to generate the commands effectively, the system is configured such that the forker state does not create a progress state - the progress state is limited to the first iteration. Commands and parameters are extracted in the same step, i.e., no isolation like the rest of the examples in this chapter. The extracted commands are shown in Table 8.8. Desinfected is interesting as it triggers another communication to a website that shows the public IP address of the infected machine. The binary compares the IP obtained remotely with the parameter of the command, and if they are equals, it deletes itself. Keyword Behavior "Desinfected*<ip> Checks checkip.dyndns.org for <ip>if equals delete "DownExec*<url>" Download file "Update*<url>" Update "Visit*<url>" Executes "Explorer <url>" "HideVisit*<url>" Executes "Explorer Hide <url>" "StopVisit*<url>" Executes "Explorer Stop <url>" "HomePage*<url>"; Searches for Chrome and Firefox "Intervalo*<num>" N/A Time 1386,1366 States 72,102 Table 8.8: Symmi commands 8.3 KD This malware contacts xred.mooo.com:1199 over TCP, and send s2e|WIN -I4I0G9E0HIF|10.0.0.154 to the master. The following behavior is observed by injecting 50 bytes of symbolic input and running an experiment for 5 minutes only. 150 First, the binary searches for a h as a Floating String. The system generates three states where a h is at position 0, at position 11, and does not exist. The binary does not process commands in the first and last states; the binary does only process commands in the bytes located to the left of a h . The second state is the one where the binary starts looking for commands. However, some commands are partially enumerated, I mean the ones whose length is greater than 11. The following strings are generated. GetScreenIa h ListDir A 3 a h ListDisk A 3 a h DownloadF A a h DeleteFil A a h GetCMDAcce A a h 151 I used two ways to extract the full commands, 1. Increase String Finder threshold such that the forker creates a progress state after 20 iterations. 2. Provide an input where a h is at a position farther than the one in the previous step and constraint other bytes not to equal a h . The input provided is as follows: 1 <S1>0xa<S2>0xa<S3> Symbolic variables are constrained such that∀x∈S|x∈C\{a h }. In both settings, states can be configured to terminate on keyword resetting or Internet activity to speed up the process. The first method has a drawback as it generates extra since the binary might start searching for a h at later stages. Even when increasing the threshold, String Searcher creates a progress state for the first iteration, and that state is extra. The extracted commands and the running times for both methods are shown in Table 8.9. It is clear that method1 is superior, and the number of states and running time is reduced. A command of interest is GetCMDAccess as it runs the string in the parameter section in DOS and reports back the output. 8.4 Autoit Autoit contacts multiple network end-points and communicates with the first responding server. One of the contacted servers is speed- conectest.ciscofreak.com:996 over TCP. The malware sends myversion|2.5.2.0 to the first responding master. 152 Keyword parameter Behavior GetCMDAccess <cmd> Run <cmd> in DOS and send output GetScreenImage send screen shot (JFIF) ListDisk Send list of disks ListDir <path> send list of dirs DeleteFile Deletes itself DownloadFile <filepath> send <file-path> content Time States Method1 135,125 16,22 Method2 100,91 7,9 Table 8.9: KD commands The following behavior is observed by injecting 50 bytes of symbolic input and running an experiment for 5 minutes. The binary searches for a h followed d h as Filed Seperators. It starts searching for a h , followed by searching for d h in the byte directly left to the one containing a h . The binary then searches for keyword ping, and if it does not exists, it searches for | as Floating String, followed by a command to the left of the pipe. Interestingly, all commands require at least three field seperator d h a h in this case, except ping. In the following, I choose two output from running an experiment for five minutes. ping getdesktop| To extract commands, the following input is injected 1 S1|S2\x0d\x0aS3\x0d\x0aS4\x0d\x0a Symbolic variables are constrained such that ∀x ∈ S|x ∈ C\{a h ,d h , |}. I extracted 143 commands in a total of 143 seconds and 148 total states. The commands are illustrated in Table 8.10. All commands except ping requires that 153 they are formatted as follows: <cmd>|\x0d\x0aanything\x0dx\x0aanything\x0d\x0a, to trigger malicious behavior. Table 8.10 shows the extracted commands, and the number of additional APIs observed when a command is received. The additional APIs is the delta of the APIs when a command is received with a reference run. All commands except four triggered new API calls. Optional parameters for commands were not reported in the Table. Some commands require parameters to function, and those are listed at the bottom of the Table. 8.5 Infostealer.bancos This malware targets banking credentials. The binary enumerates windows in the machine searching for browsers with particular bank websites opened, and if any exists, it sends messages to the browser’s window. To extract the name of the windows the binary is looking for, I injected symbolic values, and found it is looking for browser names as floating strings followed by bank names, see Table 8.3. Once it finds any of those windows, it manipulates them and notifies the C&C about them. Further, many of the commands I extracted only worked if one of those windows is active. Whenrunningthemalwareforfiveminutes, Iobservethatthemalwaresearches for multiple commands and processes them in a later stage. Most of the commands are independent of each other, and that is not obvious by looking at the generated messages. Two sets of commands are observed: • Type1: commands fall under Floating Strings. • Type2: commands exist in fixed positions. 154 # Command Net Res. #APIs # Command Net Res. #APIs 1 ping yes 3 73 filesearch no 10 2 btnstartblock no 4 74 finalizarconexao no 7 3 btnstarthide no 4 75 finalizarjanela no 3 4 btnstartshow no 4 76 finalizarprocessoportas no 3 5 btnstartunblock no 4 77 fmcheckrar no 7 6 clearclipboard no 9 78 fmcopyfile no 2 7 closecd no 2 79 fmcopyfolder no 3 8 flogoff no 45 80 fmcriarpasta no 3 9 fpoweroff no 42 81 fmdeletararquivo no 1 10 frestart no 42 82 fmdeletararquivolixo no 1 11 fshutdown no 41 83 fmdeletarpastalixo no 2 12 getclipboard no 4 84 fmdownloadfolder no 8 13 getprocesslist no 21 85 fmdownloadfolderadd no 2 14 getserversettings no 2 86 fmeditararquivo no 5 15 listarportas no 9 87 fmfilesearchlist no 8 16 listarportasdns no 11 88 fmfilesearchliststop no 54 17 listdevices no 6 89 fmfolderlist2 no 1 18 listextradevices no 7 90 fmgetrarfile no 9 19 maximizarjanela no 2 91 fmrarfile no 8 20 minimizarjanela no 2 92 fmrenomearcriarpasta no 1 21 mostrarjanela no 2 93 fmresumedownload no 2 22 mouseblock no 8 94 fmsendftp yes 1 23 mouseclick no 6 95 fmthumbs no 0 24 mouseswap no 2 96 fmthumbs2 no 27 25 mouseunblock no 38 97 fmunrarfile no 7 26 mudarcaption no 2 98 fmunzipfile no 16 27 novoregistro no 3 99 fmupload no 6 28 novoregistrostartup no 3 100 getdesktoppreview no 67 29 opencd no 2 101 habilitarjanela no 6 30 systrayicohide no 4 102 iniciarservico no 5 31 systrayicoshow no 4 103 instalarservico no 2 32 taskbarblock no 3 104 keylogger no 6 33 taskbarhide no 3 105 keyloggerativar no 38 34 taskbarshow no 3 106 keyloggerdesativar no 19 35 taskbarunblock no 3 107 keyloggerexcluir no 8 36 deskicoblock no 3 108 keyloggeronlinestart no 1 37 deskicohide no 4 109 keyloggeronlinestop no 1 38 deskicoshow no 4 110 keysearch no 11 39 deskicounblock no 3 111 killprocessid no 3 40 desktopconfig no 0 112 listadeprogramas no 6 41 apagarchave no 1 113 listadeservicos no 9 42 chattext no 10 114 proxystop no 7 43 cpuusage yes 11 115 removerservico no 7 44 crazywindow no 7 116 renomearchave no 1 45 desktoppreview no 67 117 renomearregistro no 1 46 fecharjanela no 2 118 restaurarjanela no 2 47 fmdeletarpasta no 2 119 resumeprocessid no 9 48 fmdownload no 2 120 sendkeyswindow no 1 49 fmessage no 4 121 setclipboard no 11 50 fmfolderlist no 1 122 startupmanager no 3 51 fmwallpaper no 14 123 suspendprocess no 6 52 getdesktoppreviewinfo no 67 124 teamviewersendfile yes 8 53 listadechaves no 1 125 teamviewerstart no 7 54 listadedados no 1 126 teamviewerverify no 7 55 listadejanelas no 12 127 webcamconfig no 0 56 novachave no 2 128 windowprev no 0 57 ocultarjanela no 2 129 getpasswords yes 50 58 pararservico no 5 130 shellstart yes 17 59 proxystart no 16 131 startaudio yes 5 60 script no 9 132 webcam yes 22 61 updateserverlink no 4 133 desktop yes 9 62 apagarregistro no 1 134 enviarlogskey yes 16 63 changeserversettings no 6 135 fmdrivelist yes 10 64 chat no 65 136 fmshareddrivelist yes 8 65 chatstop no 1 137 fmspecialfolders2 yes 6 66 desabilitarjanela no 2 138 keyloggerbaixar yes 16 67 desinstalarprograma no 9 139 memoryexecoperation no 9 68 desinstalarprogramassile no 5 140 tecaladoexecutar no 18 69 desktopmovemouse no 6 141 fmexechide no 10 70 editarservico no 2 142 fmexecnormal no 10 71 fdeslmonitor no 8 143 fmexecparam no 10 72 fhibernar no 6 Format pingdhah Format <cmd>|dhah A * dhah A * dhah Format <cmd>|<param1>|<param2>|dhah A * dhah A * dhah Commands with parameters fmessage|<num>|message updateserverlink|<url> updateserverlink|<url> fmdownloadfolder|<path> fmdownloadfolderadd|<path> fmdownload<file> fmunzipfile|<path> filesearch|<filename> Time 143,118 States 146,148 Table 8.10: Autoit commands, running time and number of states 155 Below are examples of generated commands, where "_" denotes to bytes not evaluating to a constant. 1 {SENHA6BB}<|ITAF|><|> 2 <|SocketMain|><<|CLIP|><|> 3 <|SocketMain|><|OK|>_____<<| 4 <|first|><|ITAF|> 5 <|first|><|CLIP|><|> 6 <|SocketMain|><|ITAF|><|> 7 <|first|><|ITAF|>___________________ &<|> In line 1, the binary searched for three keywords in the following order: <|ITAF|> F ,<|> F , and SENHA6BB. <|ITAF|> in this particular output is a result of the progress state generated by theforker - note that for eachFloating String two progress states are generated. Space before the string revealed the second set of commands. Some commands are formatted as <cmd>parameter<|>, while two commands are suffixed with <<|. Those suffixes are optional for commands, the set of generated strings above shows the binary searching for <|CLIP|> followed <|CLIP|><|>. By enabling stepover option, I observe that the binary searches for <|CLIP|> twice followed by the <|> suffix. Interestingly, the binary searches for commands in arbitrary order. For instance, it searches for <|SocketMain|> and its suffix |<<|, then searches for other commands from the beginning of the buffer and since the first number of bytes have |<SocketMain|> it keeps searching until the first space, see Line 3. This makes analyzing the binary quite challenging, as it is hard to know if <|OK|> is a nested command or an independent one. Anotherunusualbehavioristhatifthebuffercontains <|SocketMain|><<|, which is the command and its closing, it starts searching for another command and once 156 it finds <|, which is the last two character of its closing it searches for another command - see Line 2. Line 7 shows an output where the binary starts processing the parameter of the command, namely <|ITAF|>. In what follows, I show output of the binary when I adjust the parameter such that the forker does not create a progress state. 1 <|deski|><|ITAF|><|> 2 <|SocketMain|><|CLIP|><|><|LETR|><|> 3 <|SocketMain|><<|Close|><|NOSenha|><|REQUESTKEYBOARD|><<| 4 <|SocketMain|><|SocketMain|><|ITAF|><|ITAF|><|> 5 <|SocketMain|><<|CLIP|><|> 6 <|SocketMain|><<|CLIP|> To extract the first set of command, I provide the following symbolic input. <S whereSisconstrainedsuchthat∀x∈S|x∈{C\{ <}}. Thegeneratedcommands and running time are shown in Table 8.11. To extract the other set of commands, I provide S, and the constraint is set as above. The set of commands extracted is shown in Table 8.12. <|NOSenha|> <|ITTP|> <|desli|> <|OK|> <|deski|> <|CEFN|> <|ITTB|> <|ITAF|> <|PING|> <|espiar|> <|ITAN|> <|MouseLD|> <|DESP|> <|Close|> <|reini|> <|MSG6|> <|SocketMain|> <|MousePos|> <|REQUESTKEYBOARD|> <|DES6|> <|dekl|> <|MouseDC|> <|first|> Time 91,69 States 23,27 Table 8.11: Infostealer.bancos commands type 1 8.6 Msil.cassiopeia This malware contacts ilovebug.no-ip.org:8030 over TCP. When running it symbolicallyforfiveminutes, Iobservethatthebinarysearchesfor c h asFloating String, followed by commands to the right of it. 157 0 {BBESMS} {DESCO4P} {DESMON} {SENHA6BB} {SICASS} {TRAVA24} {TRAVASIC} 1 {BBGF8} {DESCOB} {DESTRAVAM} {SENHA6CF} {SPACE} {TRAVABB} {TRAVAUNI} 2 {BBGFA} {DESCOCN} {DOWN} {SENHA6E} {TOKENEM} {TRAVABBE} {UP} 3 {BBGFC} {DESCOCP} {ENTER} {SENHA6EM} {TOKENHS} {TRAVACEF} {VIRG} 4 {BBGFT} {DESCONET} {ESCAPE} {SENHA6IT} {TOKENIT} {TRAVAEM} 5 {BS} {DESCONETC} {LEFT} {SENHA6PE} {TOKENPE} {TRAVAHS} 6 click {DESCONETT} {PONTO} {SENHA6SA} {TOKENSA} {TRAVAM} 7 {CTRL} {DESCOP} {PONTO1} {SENHA6UN} {TOKENSE} {TRAVANO} 8 {DEL} {DESCOPO} {RIGHT} {SENHA7HS} {TOKENSIC} {TRAVAPER} 9 {DESCO4N} {DESCOTO} {SENHA4HS} {SENHASBB} {TOKENUNI} {TRAVASAN} Time 328,306 States 88,94 Table 8.12: Infostealer.bancos commands type 2 The binary process some commands in the absence of c h , and those are the ones that do not take parameters. Below are examples of generated output, where "_" denotes to bytes not evaluating to a constant. 1 \x0c 2 \x0c\x0c 3 x0__________\x0c 4 x53__________\x0c All the commands start by x, followed by digits. To extract the commands, I inject the following symbolic input S1\x0c I extracted 123 commands. Some of those commands triggered response to the master with the absence of c h - which indicates they do not take parameters. I run all the extracted commands suffixed with c h in scouting mode and observe that the binary searches for digits, which is used to identify the size of the payload. Table 8.13 shows the list of commands that triggered a response to the master without parameters. Most of those commands send information related to the victim machine. Several commands with their parameters and description of their behavior are shown in Table 8.14. x63 is a command of interest as it sniffs network traffic and sends them to the masters. The rest of the commands are grouped by the category of API calls they introduce - see Table 8.15. 158 # Cmd Resp. 1 x0 x0127 Papi <ip>10.0.0.156 <OS> <Date> 1 2 x5 x410 3 x6 x40 4 x10 x10 5 26487 5 x11 x11916800.078 6 x16 x1621 C: [20/10.77] GiB3 7 x25 Started: 11/12/2019 7:27:00 PM 8 x83 x1093nir 9 x84 10 x85 11 x86 12 x87 13 x91 14 x92 format <cmd>c h <len>c h <path> 1 Some fields were omitted to fit the table c h is replaced with a space Table 8.13: Commands triggering response # Cmd Parameters/Format Behavior 15 x33 nkey|dkey N/A 16 x48 x48c h <len>c h <fpath> Send fpath content 17 x63 x63c h <len>c h <ip> Bind to <ip> and sniffs on all traffic upd,tcp,ICMP 18 x70 Root|Homepath|My documents N/A 19 x93 x93c h <len>c h <hostname> Change C&C to <hostname> 20 x82 x82c h <len>c h <url> Download <url> Table 8.14: Commands with analyzed parameters 8.7 Pmkfrsucinas and Kazy The commands extracted from Pmkfrsucinas and Kazy resembles the ones in Darkcomet. Those two binaries share the same message format, and the intersec- tion of the extracted commands comprises a significant percentage of both sets. The format of the initial input is a hex binary digit where hex-digits are capi- talized. Each pair of digits represents a xor-encrypted ASCII character. The keys were extracted by providing a symbolic input constrained with a constant value; 159 Mouse Manipulation Read TCP Table Restart/Shutdown Others Exception Empty x40 x61 x88 x74 x56 x115 x41 COM Object x89 x72 x57 x116 Window Manipulation & Hooking x101 x90 Exception x59 x119 x42 x121 Registry Manipulation/Enumeration x117 x60 x120 x43 x94 x32 x118 x62 x124 x38 x98 x103 x123 x66 x125 x39 x99 x112 x14 x95 x126 x46 Draw Window x12 x15 x80 x128 x52 x19 x13 x17 x79 x130 File Manipulation x67 x28 x18 x75 x1 x47 WMI scripting x36 x21 x30 x37 x81 x54 x50 x22 Empty x4 Create Process/Thread Enumeration x58 x96 x23 x104 x7 x51 x71 x111 x26 x105 x8 x20 x77 Others x27 x106 x9 x55 Adjust Privilage x78 x31 x107 x100 Parse URL x76 x64 x34 x108 x102 x29 Commands to Device x68 x35 x109 KeyLogging x44 x69 x49 x113 x97 x45 x73 x53 x114 Table 8.15: Other commands for Msil.cassiopeia see Table 5.13 for details. Both samples repeatedly copy any data to FFP registers and back to memory before processing. The following output is observed when running the sample for five minutes. 1 GetSIN|_________| 2 DOWNLOAD\\?\\______|XLEFT 3 RunPrompt::{ The binaries searches for commands, followed by its parameters. In most com- mands, thefirstparameterisplaceddirectlyafterthecommands, andotherparam- eters are separated by "|". Further, a single buffer might contain more than one command separated by "|". The binary processes the parameters as follows: 1. Searches for parameter separators "|" 2. Processes the parameters starting by the last parameter in descending order. . Table 8.16 shows a number of commands, I fully analyzed. The commands of interest here are that engages the victim machine into a DDoS campaign. Table 160 # cmd format Net Resp. 1 DDOSHTTPFLOOD DDOSHTTPFLOOD<url|ip>|<time> BTRESULTHTTP Flood|Http Flood task finished!|<computername> 2 DDOSSYNFLOOD DDOSSYNFLOOD<url|ip>:port|<time> BTRESULTSyn Flood|Syn task finished!|<computername> 3 DDOSUDPFLOOD DDOSUDPFLOOD<url|ip>:<port>|time BTRESULTUDP Flood|UDP Flood task finished!|<computername> 4 FTPFILEUPLOAD FTPFILEUPLOAD<domain>|<user>|<pass>|<port>|<destfile>|<sourcefile> FTPFILEUPLOAD<domain>|<user>|<pass>|<port>|<destfile>|<sourcefile> 5 ACTIVEREMOTESHELL ACTIVEREMOTESHELL<digit> DATAFLUXDOSCAP|<digit> 6 MkeDir MkeDir|<DIR> MkeDir|<dir> Table 8.16: Pmkfrsucinas and Kazy detailed commands analysis 8.17 shows a list of commands that triggers responses to the master without any parameters. The following commands are also of interest 1 %IPPORTSCAN 2 RPCLanScan 3 SOUNDCAPTURE 4 ListCam 5 WEBCAMLIVE Commands in lines 3-5 are interesting as they crash the process since the sounding capability is not present in the virtual machine as well as a webcam. # Cmd # Cmd # Cmd # Cmd 7 1SCDesktop 8 GateWay 9 GETMONITORS 10 MoveFold 11 1SCMydocs 12 GetActivePorts 13 GetPrivilege 14 NETDRV 15 #BOT#CloseServer 16 GetAppList 17 GetSIN 18 REFRESHPROC 19 #BOT#OpenUrl 20 GETDRIVEINFO 21 GetSrchDrives 22 RefreshSIN 23 #BOT#Ping 24 GetDrives 25 GetStartUpList 26 REFRESHWIFI 27 #BOT#RunPrompt 28 GetFileAttrib 29 GetTorrent 30 RenameFile 31 #BOT#SvrUninstall 32 GetFullInfo 33 GetWindow 34 RunSelectedAsAdmin 35 #BOT#URLUpdate 36 GetHostsFile 37 IDTYPE 38 SendYourClipboard 39 BROWS 40 GetMiniWind 41 Md5GetFromFile 42 TraceRoute 43 DelDir 44 GetMo 45 MkeDir - - Table 8.17: Pmkfrsucinas and Kazy commands triggering response 8.8 IP address as keywords In this section, I provide an analysis of a piece of malware that abuses public services to find its master’s IP address. Razy - see Table 8.18 - is intriguing in 161 AV Family SHA256 First Seen (VirusTotal) Razy 07a324fd2854421c723a2cb735b4b731e08626389c6533d1bc19a6169d037e6a 2019-09-27 13:57:56 Table 8.18: Name and hash of some samples used in discussion the sense that it uses several techniques to hinder analysis. The sample contacts a post in Quora, and Yahoo answers and parses the content of those posts. It copies the data from those websites repeatedly to MMX registers and back to memory. The yahoo answer post was already removed at the time of analysis, but the Quora post was alive and was updated in August 2019. Figure 8.1 shows two snapshots of the post - one after updating. Although the sample was captured in the middle of 2019, it seems that it was alive and undetected since 2016 or this is a new generation of an existing campaign. The malwareusesthekeywordsinthethreadtodeterminetheIPaddressofthemaster. Although both posts were accessible, they only reveal part of the keywords used to determine IP addresses. When running the malware symbolically, the following behavior is observed. • The binary searches for the following float strings in order bingle,deedy, and claggy. • After locating the three stings, the binary processes the data between them. • The binary uses a lookup table in 3.7 to validate a regular-expression over the data between the keyword. • once the input matches the regular expression, it searches for spaces and splits the input over them. • The binary uses a string normalization construct to convert the data to the lower-case. 162 • This is followed by usage of another lookup table - see Table 3.8 - to validate that the data is only lower case ASCII character. • The binary then start string comparisons. After delimiting the input by spaces, the binary uses a complicated string comparison routines. Some of the keywords are compared character by character, while in others, four characters are compared at one time. The same routine is used to compare one or two keywords based on the prefix. To extract the keywords, I provide the following input bingle AAAAAAAAAA deedy claggy, and inject symbolic data when AAAAAAAAAA is converted to lowercase. Table 8.19 shows the running time, states, and keyword mapping to IP addresses. Keyword Mapping or . love 0 hate 1 fire 2 couple 3 green 4 weed 5 block 6 party 7 natrual 8 hopeful 9 Time States 67,11 49,49 Table 8.19: Keywords and IP address mapping Usingthesamesetupwithvanillasymbolicexecutionfailstoenumerateasingle keyword. The engine consumed all the available memory, and the reason is that this binary uses lookup tables, and forking over those tables rendered the engine ineffective. 163 (a) Screen shot taken on September 23rd 2019 (b) Screen shot taken on August 5th 2019 Figure 8.1: Malware abuses Quora to find a rendezvous When enabling the overstep option, an intriguing behavior is revealed. If I provide the binary with "bingle S anything deedy claggy," where S is symbolic. I observe after enumerating all the commands, the binary compares the symbolic data with the keyword to the left to it, in this case "anything". If I enable resetq parameter - remove the constraint after non-progress keyword resets- I was able to enumerate all the keywords. 164 AV Family SHA256 First Seen (VirusTotal) End-point symmi 0606494f0f5aa20a54dc96ef2825807646bee22752b0052ebda93815de07d401 2019-05-10 07:34:25 sunray1975.zapto.org kdz 100248011857792fb76dcbdb3a86ae22a2edcc9e259d33e2b82a9ca2dc7f24ca 2019-05-10 05:21:54 carder.bit Table 8.20: Name and hash of a sample used in discussion 8.9 Other Examples In this section, I provide a partial analysis of one RAT and an analysis of a ransomware. The samples information are shown in Table 8.20. Running the first sample for five minutes, I observe that the sample searches for %%EnD%% as a field separator and then processes commands. The separator is relatively long and fills in the buffer. I increase the size of the symbolic buffer to 100 bytes. The following command triggers response to the master. 1 %0666|"|2||"|2|_%%EnD%% %%EnD%% %%EnD%% %%EnD%% To extract the commands, I run another experiment with the input delimited with %%EnD%%, and adjust the constraint such that no other byte evaluates to %. The states are configured to terminate on progress keyword state resetting. 64 commands were extracted in a total of 118 seconds. Table 8.21 illustrates the extracted commands, running time, and a number of states required to generate the commands. @0100 @0253 @0304 @0321 @0330 @0420 @0801 @0809 @0111 @0254 @0305 @0322 @0401 @0472 @0802 @0810 @0200 @0255 @0306 @0323 @0402 @0560 @0803 @0811 @0201 @0256 @0307 @0325 @0403 @0666 @0804 @0812 @0202 @0300 @0308 @0326 @0404 @0700 @0805 @0813 @0203 @0301 @0309 @0327 @0405 @0701 @0806 @0814 @0250 @0302 @0310 @0328 @0410 @0702 @0807 @0815 @0252 @0303 @0320 @0329 @0411 @0800 @0808 @0999 Time 118,58 States 64,66 Table 8.21: Extracted commands for symmi 165 The second sample was resolving numerous DNS names without contacting a host. The sample launches nslookup.exe and parses the output of the process, which looks like the following: Server: www.inetsim.org Address: 68.211.134.177 Name: ransomware.bit.example.org Address: 68.135.86.252 Server: www.inetsim.org Address: 68.211.134.177 Name: carder.bit.example.org Address: 68.192.210.107 I inject symbolic data in the process output, and the system generated Addresses: F , which indicates that the sample is expecting multi-responses for the resolved hostname. After adjusting the DNS resolver to return multiple IPs for the resolved names, the binary initiated HTTPs connection. The running time and number of states are (175,140), and (3,5). The running time can be reduced to (40,6) by adjusting the state to terminate on Internet activity, I injected symbolic data into the newly initiated HTTPs connection, and the binary decodes the input - base64 - and XOR decrypts it. I enabled bypass XOR option and the binary searches for } and { both as field separators. The sample repeatedly copies the data to MMX registers and back to memory. The system assigned the separators next to each other, and the binary stopped processing the input. The running time and number of states for this step are (74,37) and (4,10). I adjusted the input such that it looks like {S} such that ∀x∈S|x∈{C\{ {, {}} whereS is the symbolic value. The binary searches for 166 the keyword DELETE, followed by = F . Only if = exists it searches for mask. The running time and number of states for this step are (205,170) and (6,12). I adjusted the input again such that it looks like {S1=S1} such that∀x∈S1∧S2|x∈ {C\{ {, { =}}, and I generated the three commands DELETE,pub_key, and mask. The running time and number of states for this step are (146,112) and (4,8). The interpretation of the commands are as follow: • {DELETE}: deletes the binary. • {pub_key=<certificate>} with {mask=}, which is optional: encrypt the hard drive with the provided public key. . 8.10 Summary To generate working commands that reveals the capability of remotely accessed trojans, it is not sufficient to only extract commands but to understand the format of the communicated messages. The number of commands intelligible by a sample can be large - over a hundred in some variants -, and those commands are often associated with parameters that might have a large number of possible values. The combination of commands and parameters generates a substantially large number of states for a single machine to process in a relatively short time. However, an analyst can leverage symbolic execution to understand the messaging protocols, and through setting constraints and controlling state termination, the proposed approach can scale to extract commands and their parameters. 167 Chapter 9 Conclusion and Future Work 9.1 Future Work and Limitations In this work, I leveraged symbolic execution to infer the behavior of constructs in terms of the location of the search. I used the progress and non-progress branch; however, not all constructs have a progress branch. For instance, constructs that check if a value falls within specific ranges. An adversary can devise a string comparison where the progress branch is deep. Leveraging loop-analysis The code in listing 9.1 shows an example of a com- parison function where the progress-branch is deep. Loop-analysis can be utilized to infer the construct and control forking. For this particular example, a back-edge or an inner edge can be favored to avoid forking while executing code in the loop. However, such a problem is challenging and is reduced to some form of a halting problem. 1 2 bool cmp(char *src,char *dst) { 3 while(*src && *dst ) { 4 char a = *src, b = *dst; 5 src++; dst++; 6 bool found = false; 7 if( b > a-10 && b < a+10) 8 if(b > a-9 && b< a+9 ) 9 if(b > a-8 && b< a+8 ) 168 10 if(b > a-7 && b< a+7 ) 11 if(b > a-6 && b< a+6 ) 12 if(b > a-5 && b< a+5 ) 13 if(b > a-4 && b< a+4 ) 14 if(b > a-3 && b< a+3 ) 15 if(b > a-2 && b< a+2 ) 16 if(b > a-1 && b< a+1 ) 17 18 if(a==b) { 19 found = true; 20 } 21 22 if(!found) { 23 break; 24 } 25 } 26 return (!*src && !*dst); 27 } 28 } Listing 9.1: A string comparison function with deep progress branches Encoding/Deconding If the encoding algorithm is known, the user can pro- vide an encoded input, which would be eventually decoded, and symbolic data can be injected to avoid forking in the decoding routines. However, it is not always trivial to detect the encoding algorithm. Encoding algorithms behave differently, and such behavior can be observed while executing the binary symbolically and possibly inferred. An interesting research problem is to identify the type of encod- ing algorithm by observing the behavior under symbolic execution. Some binaries 169 use known encoding methods such as Base64 with a different alphabet. I mean, they use a different table to encode and decode the message. Automatic extrac- tion of the alphabet used Base64 is a possible future research problem as well as determining the encoding algorithm used by a binary. Encryption/Decryption It is infeasible to execute encryption constructs sym- bolically; however, one can leverage the behavior of encryption algorithms under symbolic execution to identify the algorithm used by a binary. Hash Comparisons A binary can leverage hash comparisons to easily evade dynamic testing approaches such as taint-analysis and symbolic execution. Caballero [28] proposes an approach to bypass hashing and encryption algorithms when executing a binary symbolically. Levering such an approach reduces the problem into simple string comparisons. Enumerating hash comparisons might trigger malicious behavior but will not enable generating content for use outside theinstrumentationtools. Aonecanbypasshashingconstructstoreducetheprob- lem into string comparisons and leverage techniques like backward taint analysis [54] to track the hashes to their original value. Floating point input In this thesis, I analyzed samples that use the floating instructions to confuse the analysis. Most of the samples copy the data to the floating-point stack and back before processing the text. Few samples repeatedly copy the data back and forth from and to floating-point stack. There are mal- ware variants that use floating-point numbers to communicate with their masters. Enumerating and understanding such commands remains an open problem. 170 Identifying constructs boundaries So far I have used procedures to approx- imate boundaries. Over-approximation yield to partial enumeration, while under- approximation results in extra states. Determining the boundaries is a hard prob- lem and remains a possible future research avenue. 9.2 Summary There are many challenges to overcome to leverage symbolic execution on unknown binaries to enumerate string comparisons, learn the format of commu- nication protocols, and generating input triggering different behavior in malware. Oneofthemainchallengesisalargenumberoffeasiblepathsinparsingconstructs, especially the ones that search for a string in multiple-location. Devising searching heuristics, function modeling, and path merging can alleviate the problem to some extent. As in any heuristics, there is no universal strategy that is effective in all binaries. Function modeling and path merging requires prior knowledge of the semantics of the binary code, and the type and location of the input and output. These approaches are ideal for applications that require exercising multiple paths, such as vulnerability finding. To reduce the number of states required to reveal strings processed by malware, I leveraged progress branches, setting constraints, and driving the engine over various constructs. Symbolic memory addresses pose a challenge as the number of concrete values satisfying the path constraints is huge, and generating a state for each value is infeasible. There is multiple proposed solution on reducing the number of the possible state; However, some of the lookup tables are used to substitute values, and creating extra states is unnecessary. Further, for other lookup tables, it is 171 sufficient to choose one concrete address arbitrarily and avoid adding a constraint to the state. By identifying and utilizing the progress branch, I was able to reduce the num- ber of paths necessary to enumerate string comparisons to a feasible level. I also utilized the progress branch along to infer the behavior of parsing constructs in terms of the location of the search. I used the inferred information on parsing con- structs to drive the engine over parsing constructs and manipulate the constraint system to reduce the number of states significantly. Using the proposed approach, I built a prototype system and enumerated string comparisons in malware over input received from the network and local environ- ment. Some of the comparisons caused the malware to trigger new behaviors, while others ceased their activities. I demonstrated that by prior knowledge of highly structured file formats can be used to configure the constraint system to gener- ate content for those files effectively. I demonstrated that the proposed approach could be used to understand the communication protocol of remotely-accessed- trojans and further generate working commands. Using the proposed approach I generated over a hundred commands in few minutes in a commodity PC. 172 Reference List [1] "Immunity Debugger: The Best of Both Worlds". www.immunityinc.com/ products-immdbg.shtml. [2] burbsuite. https://portswigger.net/burp/. [3] Cuckoo Sandbo. [4] difflib - helpers for computing deltas. https://docs.python.org/2/ library/difflib.html. [5] Hybrid-analsis. [6] malshare. https://malsharebyte.com. [7] Ollydbg. http://www.ollydbg.de/. [8] OTHER ANTIDEBUG TRICKS. [9] String manipulation functions in Glibc, MS Visual Studio and 0x7efefeff, 0x81010100, 0x81010101. [10] Symbolic execution extensions for kvm. http://s2e. systems/docs/DesignAndImplementation/KvmInterface.html# setting-the-clock-scale-pointer. [11] Wmic whitelist-bypass. http://subt0x11.blogspot.com/2018/04/ wmicexe-whitelisting-bypass-hacking.html. [12] xed. https://software.intel.com/en-us/articles/ xed-x86-encoder-decoder-software-library. [13] zerowine. http://zerowine.sourceforge.net/. [14] M. Antonakakis, R. Perdisci, Y. Nadji, N. Vasiloglou, S. Abu-Nimeh, W. Lee, and D. Dagon. From throw-away traffic to bots: detecting the rise of dga- based malware. In Presented as part of the 21st USENIX Security Symposium (USENIX Security 12), pages 491–506, 2012. 173 [15] K. Aoki, T. Yagi, M. Iwamura, and M. Itoh. Controlling malware http com- munications in dynamic analysis system using search engine. In Cyberspace Safety and Security (CSS), 2011 Third International Workshop on, pages 1–6. IEEE, 2011. [16] R. Baldoni, E. Coppa, D. C. D’elia, C. Demetrescu, and I. Finocchi. A survey ofsymbolicexecutiontechniques. ACM Computing Surveys (CSUR),51(3):50, 2018. [17] R. Banabic, G. Candea, and R. Guerraoui. Finding trojan message vulnera- bilities in distributed systems. ACM SIGARCH Computer Architecture News, 42(1):113–126, 2014. [18] U. Bayer, I. Habibi, D. Balzarotti, E. Kirda, and C. Kruegel. A view on current malware behaviors. In USENIX workshop on large-scale exploits and emergent threats (LEET), 2009. [19] U.Bayer, C.Kruegel, andE.Kirda. TTAnalyze: A tool for analyzing malware. na, 2006. [20] F. Bellard. QEMU, a Fast and Portable Dynamic Translator. In Proceedings of the Annual Conference on USENIX Annual Technical Conference, 2005. [21] J. Blackthorne, A. Bulazel, A. Fasano, P. Biernat, and B. Yener. Avleak: fingerprinting antivirus emulators through black-box testing. In Proceedings of the 10th USENIX Conference on Offensive Technologies, pages 91–105. USENIX Association, 2016. [22] R. R. Branco, G. N. Barbosa, and P. D. Neto. Scientific but not academical overview of malware anti-debugging, anti-disassembly and anti-vm technolo- gies. Black Hat, 2012. [23] D. Brumley, C. Hartwig, Z. Liang, J. Newsome, D. Song, and H. Yin. Auto- matically identifying trigger-based behavior in malware. In Botnet Detection, pages 65–88. Springer, 2008. [24] D.Brumley, I.Jager, T.Avgerinos, andE.J.Schwartz. Bap: Abinaryanalysis platform. In International Conference on Computer Aided Verification, pages 463–469. Springer, 2011. [25] S. Bucur, J. Kinder, and G. Candea. Prototyping symbolic execution engines for interpreted languages. In ACM SIGPLAN Notices, volume 49, pages 239– 254. ACM, 2014. 174 [26] A. Bulazel and B. Yener. A survey on automated dynamic malware analysis evasion and counter-evasion: Pc, mobile, and web. In Proceedings of the 1st Reversing and Offensive-oriented Trends Symposium, page 2. ACM, 2017. [27] J. Caballero, Z. Liang, P. Poosankam, and D. Song. Towards generating high coverage vulnerability-based signatures with protocol-level constraint- guided exploration. In International Workshop on Recent Advances in Intru- sion Detection, pages 161–181. Springer, 2009. [28] J. Caballero, P. Poosankam, S. McCamant, D. Song, et al. Input generation via decomposition and re-stitching: Finding bugs in malware. In Proceedings of the 17th ACM conference on Computer and communications security, pages 413–425. ACM, 2010. [29] J. Caballero, H. Yin, Z. Liang, and D. Song. Polyglot: Automatic extraction of protocol message format using dynamic binary analysis. In Proceedings of the 14th ACM conference on Computer and communications security, pages 317–329. ACM, 2007. [30] C. Cadar, D. Dunbar, D. R. Engler, et al. Klee: Unassisted and automatic generation of high-coverage tests for complex systems programs. In OSDI, volume 8, pages 209–224, 2008. [31] P. Chen, C. Huygens, L. Desmet, and W. Joosen. Advanced or not? a com- parative study of the use of anti-debugging and anti-vm techniques in generic and targeted malware. In IFIP International Information Security and Pri- vacy Conference, pages 323–336. Springer, 2016. [32] X. Chen, J. Andersen, Z. M. Mao, M. Bailey, and J. Nazario. Towards an understanding of anti-virtualization and anti-debugging behavior in modern malware. In 2008 IEEE International Conference on Dependable Systems and Networks With FTCS and DCC (DSN), pages 177–186. IEEE, 2008. [33] V. Chipounov, V. Georgescu, C. Zamfir, and G. Candea. Selective symbolic execution. Proceedings of the 5th Workshop on Hot Topics in System Depend- ability (HotDep), 2009. [34] V. Chipounov, V. Kuznetsov, and G. Candea. S2e: A platform for in-vivo multi-path analysis of software systems. Acm Sigplan Notices, 46(3):265–278, 2011. [35] Y.-s. Choi, I.-k. Kim, J.-t. Oh, and J.-c. Ryou. Pe file header analysis-based packed pe file detection technique (phad). In International Symposium on Computer Science and its Applications, pages 28–31. IEEE, 2008. 175 [36] J. Clause, W. Li, and A. Orso. Dytan: a generic dynamic taint analysis framework. In Proceedings of the 2007 international symposium on Software testing and analysis, pages 196–206. ACM, 2007. [37] P. M. Comparetti, G. Wondracek, C. Kruegel, and E. Kirda. Prospex: Pro- tocol specification extraction. In Security and Privacy, 2009 30th IEEE Sym- posium on, pages 110–125. IEEE, 2009. [38] A. Dinaburg, P. Royal, M. Sharif, and W. Lee. Ether: malware analysis via hardwarevirtualizationextensions. InProceedings of the 15th ACM conference on Computer and communications security, pages 51–62. ACM, 2008. [39] M. Egele, C. Kruegel, E. Kirda, H. Yin, and D. Song. Dynamic spyware analysis. 2007. [40] T. Garnett. Dynamic optimization if IA-32 applications under DynamoRIO. PhD thesis, Massachusetts Institute of Technology, 2003. [41] P. Godefroid, A. Kiezun, and M. Y. Levin. Grammar-based whitebox fuzzing. In ACM Sigplan Notices, volume 43, pages 206–215. ACM, 2008. [42] P. Godefroid, M. Y. Levin, D. A. Molnar, et al. Automated whitebox fuzz testing. In NDSS, volume 8, pages 151–166, 2008. [43] C. Gorecki, F. C. Freiling, M. Kührer, and T. Holz. Trumanbox: Improving dynamic malware analysis by emulating the internet. In Symposium on Self- Stabilizing Systems, pages 208–222. Springer, 2011. [44] A. Henderson, A. Prakash, L. K. Yan, X. Hu, X. Wang, R. Zhou, and H. Yin. Make it work, make it right, make it fast: Building a platform-neutral whole- system dynamic binary analysis platform. In Proceedings of the 2014 Inter- national Symposium on Software Testing and Analysis, ISSTA 2014, pages 248–258, New York, NY, USA, 2014. ACM. [45] D. B. Hoang, Y. Kim, and M. Kim. A case study of the application of dynamic symbolic execution to real-world binary programs. KCSE, pages 1–4, 2012. [46] T. Hungenberg and M. Eckert. Inetsim, 2013. [47] G. Jacob, R. Hund, C. Kruegel, and T. Holz. Jackstraws: Picking command and control connections from bot traffic. In USENIX Security Symposium, volume 2011. San Francisco, CA, USA, 2011. [48] J. P. John, A. Moshchuk, S. D. Gribble, and A. Krishnamurthy. Studying spamming botnets using botlab. In NSDI, volume 9, pages 291–306, 2009. 176 [49] M. G. Kang, H. Yin, S. Hanna, S. McCamant, and D. Song. Emulating emulation-resistant malware. In Proceedings of the 1st ACM workshop on Virtual machine security, pages 11–22. ACM, 2009. [50] S.Kim, M.Faerevaag, M.Jung, S.Jung, D.Oh, J.Lee, andS.K.Cha. Testing intermediate representations for binary analysis. In Proceedings of the 32nd IEEE/ACM International Conference on Automated Software Engineering, pages 353–364. IEEE Press, 2017. [51] D. Kirat, G. Vigna, and C. Kruegel. Barebox: efficient malware analysis on bare-metal. In Proceedings of the 27th Annual Computer Security Applications Conference, pages 403–412. ACM, 2011. [52] D. Kirat, G. Vigna, and C. Kruegel. Barecloud: Bare-metal analysis-based evasive malware detection. In USENIX Security Symposium, pages 287–301, 2014. [53] C. Kolbitsch, P. M. Comparetti, C. Kruegel, E. Kirda, X.-y. Zhou, and X. Wang. Effective and efficient malware detection at the end host. In USENIX security symposium, volume 4, pages 351–366, 2009. [54] C.Kolbitsch, T.Holz, C.Kruegel, andE.Kirda. Inspectorgadget: Automated extraction of proprietary gadgets from malware binaries. In 2010 IEEE Sym- posium on Security and Privacy, pages 29–44. IEEE, 2010. [55] C. Kolbitsch, E. Kirda, and C. Kruegel. The power of procrastination: detec- tion and mitigation of execution-stalling malicious code. In Proceedings of the 18th ACM conference on Computer and communications security, pages 285–296. ACM, 2011. [56] A. Konheim. Computer Security and Cryptography. Wiley, 2007. [57] C. Kreibich, N. Weaver, C. Kanich, W. Cui, and V. Paxson. Gq: Practical containment for measuring modern malware systems. In Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference, pages 397–412. ACM, 2011. [58] C. Kruegel, E. Kirda, D. Mutz, W. Robertson, and G. Vigna. Polymor- phic worm detection using structural information of executables. In Interna- tional Workshop on Recent Advances in Intrusion Detection, pages 207–226. Springer, 2005. [59] R. Lemos. Universities warned of storm worm attacks. https://www. securityfocus.com/news/11482, 2007. 177 [60] Z. Liang, H. Yin, and D. Song. Hookfinder: Identifying and understanding malware hooking behaviors. Department of Electrical and Computing Engi- neering, page 41, 2008. [61] C.-K. Luk, R. Cohn, R. Muth, H. Patil, A. Klauser, G. Lowney, S. Wallace, V. J. Reddi, and K. Hazelwood. Pin: building customized program analysis tools with dynamic instrumentation. In Acm sigplan notices, volume 40, pages 190–200. ACM, 2005. [62] R. Lyda and J. Hamrock. Using entropy analysis to find encrypted and packed malware. IEEE Security & Privacy, 5(2):40–45, 2007. [63] L. Martignoni, S. McCamant, P. Poosankam, D. Song, and P. Maniatis. Path- exploration lifting: Hi-fi tests for lo-fi emulators. In ACM SIGARCH Com- puter Architecture News, volume 40, pages 337–348. ACM, 2012. [64] L. Martignoni, R. Paleari, G. F. Roglia, and D. Bruschi. Testing CPU Emu- lators. In ISSTA, 2009. [65] A. Moser, C. Kruegel, and E. Kirda. Exploring multiple execution paths for malware analysis. In 2007 IEEE Symposium on Security and Privacy (SP’07), pages 231–245. IEEE, 2007. [66] S. Mutti, Y. Fratantonio, A. Bianchi, L. Invernizzi, J. Corbetta, D. Kirat, C. Kruegel, and G. Vigna. Baredroid: Large-scale analysis of android apps on realdevices. InProceedings of the 31st Annual Computer Security Applications Conference, pages 71–80. ACM, 2015. [67] N.NethercoteandJ.Seward. Valgrind: aframeworkforheavyweightdynamic binary instrumentation. In ACM Sigplan notices, volume 42, pages 89–100. ACM, 2007. [68] M. Neugschwandtner, P. M. Comparetti, and C. Platzer. Detecting malware’s failover c&c strategies with squeeze. In Proceedings of the 27th Annual Com- puter Security Applications Conference, pages 21–30. ACM, 2011. [69] T. Ormandy. An empirical study into the security exposure to hosts of hostile virtualized environments, 2007. [70] R. Paleari, L. Martignoni, G. F. Roglia, and D. Bruschi. A Fistful of Red- pills: how to Automatically Generate Procedures to Detect CPU Emulators. In Proceedings of the 3rd USENIX conference on Offensive technologies. [71] G. Pék, L. Buttyán, and B. Bencsáth. A survey of security issues in hardware virtualization. ACM Computing Surveys (CSUR), 45(3):40, 2013. 178 [72] N. A. Quynh and K. Suzaki. Virt-ice: Next-generation debugger for malware analysis. Black Hat USA, 2010. [73] C. Rossow, C. J. Dietrich, C. Grier, C. Kreibich, V. Paxson, N. Pohlmann, H. Bos, and M. Van Steen. Prudent practices for designing malware exper- iments: Status quo and outlook. In Security and Privacy (SP), 2012 IEEE Symposium on, pages 65–79. IEEE, 2012. [74] P. Saxena, P. Poosankam, S. McCamant, and D. Song. Loop-extended sym- bolic execution on binary programs. In Proceedings of the eighteenth inter- national symposium on Software testing and analysis, pages 225–236. ACM, 2009. [75] E. J. Schwartz, T. Avgerinos, and D. Brumley. All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). In Security and privacy (SP), 2010 IEEE symposium on, pages 317–331. IEEE, 2010. [76] M. Sharif, A. Lanzi, J. Giffin, and W. Lee. Automatic reverse engineering of malware emulators. In Security and Privacy, 2009 30th IEEE Symposium on, pages 94–109. IEEE, 2009. [77] M. I. Sharif, A. Lanzi, J. T. Giffin, and W. Lee. Impeding malware analysis using conditional code obfuscation. In NDSS, 2008. [78] H. Shi, A. Alwabel, and J. Mirkovic. Cardinal pill testing of system virtual machines. In USENIX Security Symposium, pages 271–285, 2014. [79] D. Song, D. Brumley, H. Yin, J. Caballero, I. Jager, M. G. Kang, Z. Liang, J. Newsome, P. Poosankam, and P. Saxena. Bitblaze: A new approach to computer security via binary analysis. In Proceedings of the 4th International Conference on Information Systems Security, ICISS ’08, pages 1–25, 2008. [80] G. Sood. virustotal: R Client for the virustotal API, 2017. R package version 0.2.1. [81] V. C. Sreedhar, G. R. Gao, and Y.-F. Lee. Identifying loops using dj graphs. ACM Transactions on Programming Languages and Systems (TOPLAS), 18(6):649–658, 1996. [82] C. Willems, T. Holz, and F. Freiling. Toward automated dynamic malware analysis using cwsandbox. IEEE Security Privacy, 5(2):32–39, March 2007. [83] W. Windows. Windbg, 2017. 179 [84] Z. Xu, L. Chen, G. Gu, and C. Kruegel. Peerpress: utilizing enemies’ p2p strength against them. In Proceedings of the 2012 ACM conference on Com- puter and communications security, pages 581–592. ACM, 2012. [85] H. Yin, P. Poosankam, S. Hanna, and D. Song. Hookscout: Proactive binary- centrichookdetection. InInternational Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pages 1–20. Springer, 2010. [86] H. Yin and D. Song. Temu: Binary code analysis via whole-system layered annotative execution. EECS Department, University of California, Berkeley, Tech. Rep. UCB/EECS-2010-3, 2010. [87] H. Yin, D. Song, M. Egele, C. Kruegel, and E. Kirda. Panorama: capturing system-wide information flow for malware detection and analysis. In Proceed- ings of the 14th ACM conference on Computer and communications security, pages 116–127. ACM, 2007. 180 Appendix A Extracted Data from Malware Several malicious samples were searching for a file signature identifying ZIP compression file formats. The analysis in Section 5.1.1 showed that the samples were searching for the file signature in multiple locations. Such behavior could indicate that the processed input is embedded in another file e.g., in an image as stenography. The URLs were pointing to contents in an image sharing websites. I have downloaded the content of those URLs and confirmed that the content was embedded in images. The URLs and the file formats are shown in Table A.2. The analysis in 5.1.1 showed one malicious sample that used lookup tables that is identical to S-Box tables used in DES key scheduling algorithm. Table A.1 shows S-Boxes extracted from the sample - the table is identical to the one illustrated in [56]. URL #Samples AV families JPEG http://t.cn/R2AShwm 8 6 http://t.cn/R2ZWjsD 8 6 http://t.cn/RLvMya2 8 6 http://t.cn/RLviVL5 7 6 http://t.cn/RLUDAHF 5 4 http://t.cn/RLUgRcv 5 4 http://t.cn/RLUdXVa 5 4 http://t.cn/RL20h7Q 4 4 http://t.cn/R2ZWWl9 4 4 http://t.cn/RLyCeHp 4 3 181 http://t.cn/RL5Zk4z 4 3 http://t.cn/RLzHrNK 3 3 http://t.cn/RLAclkQ 3 3 http://t.cn/RL5ZF1k 3 2 http://t.cn/RL5BMhK 3 2 http://t.cn/RL5dez7 3 2 http://t.cn/RL5BcDL 2 2 http://t.cn/RLc6uQL 1 1 http://t.cn/RL2pdBV 1 1 http://t.cn/RLq0ReF 1 1 http://t.cn/RLfZ04R 1 1 http://t.cn/RLAcNNR 1 1 http://t.cn/RLUTnXV 1 1 GIF http://t.cn/RUg0UMI 13 2 http://t.cn/RUmYkF8 12 3 http://t.cn/RLencZm 11 3 http://r.photo.store.qq.com/psb?/V11 1 1 85Hox09uQSJ/SIBTrTHTGoZ4osoI3sJ6bh95 8ZHA6GBVsjJhbX4nFpw!/r/dB2u6W7NQAAA http://t.cn/RU6cqnE 11 3 http://t.cn/RywPElm 10 3 http://t.cn/RLAcowy 8 6 http://t.cn/RL5BJq0 4 3 http://t.cn/RymEDnY 8 2 http://ww3.sinaimg.cn/large/ 5 3 7185bdf1gw1f05vpdktqrg20go0a5u10.gif http://t.cn/R47miYh 7 2 http://t.cn/RUDV2Sn 7 2 182 http://t.cn/R4PJQHf 6 1 http://t.cn/RyvGmgB 5 3 http://t.cn/RUNevlN 5 3 http://ww2.sinaimg.cn/large/ 5 3 7185bdf1gw1f1jhl296qlg20i2066npr.gif http://t.cn/RUGO3K6 4 3 http://ww2.sinaimg.cn/large/ 4 3 7185bdf1gw1f1bdmnkko3g20rs0774qp.gif http://t.cn/R4AJytR 4 1 http://r.photo.store.qq.com/psb?/V11 3 3 85Hox09uQSJ/pyVEnYCExWw9d*BuBI8Qxdn5 M*hGGJnd4WvapWUXKIY!/r/dNH.ptBvNwAA http://ww2.sinaimg.cn/large/ 3 2 7185bdf1gw1f0copg2ejkg207o08ce84.gif http://t.cn/R4q0W2W 3 2 http://t.cn/R4AieKB 3 1 http://t.cn/RUpewwF 2 2 http://ww3.sinaimg.cn/large/ 2 2 7185bdf1gw1f1w6pniputg20gu0de4f6.gif http://t.cn/RUnh8lN 2 2 http://t.cn/RUg0GWX 2 2 http://t.cn/RU1JE3H 2 2 http://t.cn/RU1J8Na 2 2 http://t.cn/RUg0cVa 2 1 http://t.cn/RUaGtbm 2 1 http://r.photo.store.qq.com/psb?/V11 2 1 85Hox09uQSJ/VsWzWJteHIKDUOiwTk76rtbO 8sO01WGs*YSSaddN.5M!/r/dMk.G23oAAAA http://t.cn/R4AJb0z 2 1 http://ww1.sinaimg.cn/large/ 1 1 183 7185bdf1gw1f0bxeahg91g20go0a6q9n.gif http://t.cn/R4L5tI8 1 1 http://ww4.sinaimg.cn/large/ 1 1 7185bdf1gw1f0bxedvahkg20dw080e81.gif http://t.cn/R47mqS0 1 1 http://t.cn/R4qPWjm 1 1 http://r.photo.store.qq.com/psb?/V11 1 1 85Hox09uQSJ/SIBTrTHTGoZ4osoI3sJ6bh95 8ZHA6GBVsjJhbX4nFpw!/r/ http://t.cn/R4qPnyF 1 1 http://t.cn/RUDVyVH 1 1 http://t.cn/R4fzCOH 1 1 http://ww2.sinaimg.cn/large/ 1 1 7185bdf1gw1f1xhs8oxolg20fo08sqvh.gif http://t.cn/RUg0bbz 1 1 http://t.cn/RUFKXew 1 1 http://ww1.sinaimg.cn/large/ 1 1 7185bdf1gw1f18836cufjg208s04je81.gif http://t.cn/R4VhinH 1 1 http://t.cn/RUg0quL 1 1 http://ww2.sinaimg.cn/large/ 1 1 7185bdf1gw1f1sqgado4zg20dw0b1wuz.gif 1 1 http://t.cn/RUFK3Vz 1 1 Total 34 11 Table A.2: URLs point to images with embedded zip files. The table is divided into two groups JPEG and GIF. URLs pointing to the same file are separated with dashed lines. 184 S-Box S[0] 0xe 0x4 0xd 0x1 0x2 0xf 0xb 0x8 0x3 0xa 0x6 0xc 0x5 0x9 0x0 0x7 0x0 0xf 0x7 0x4 0xe 0x2 0xd 0x1 0xa 0x6 0xc 0xb 0x9 0x5 0x3 0x8 0x4 0x1 0xe 0x8 0xd 0x6 0x2 0xb 0xf 0xc 0x9 0x7 0x3 0xa 0x5 0x0 0xf 0xc 0x8 0x2 0x4 0x9 0x1 0x7 0x5 0xb 0x3 0xe 0xa 0x0 0x6 0xd S-Box S[1] 0xf 0x1 0x8 0xe 0x6 0xb 0x3 0x4 0x9 0x7 0x2 0xd 0xc 0x0 0x5 0xa 0x3 0xd 0x4 0x7 0xf 0x2 0x8 0xe 0xc 0x0 0x1 0xa 0x6 0x9 0xb 0x5 0x0 0xe 0x7 0xb 0xa 0x4 0xd 0x1 0x5 0x8 0xc 0x6 0x9 0x3 0x2 0xf 0xd 0x8 0xa 0x1 0x3 0xf 0x4 0x2 0xb 0x6 0x7 0xc 0x0 0x5 0xe 0x9 S-Box S[2] 0xa 0x0 0x9 0xe 0x6 0x3 0xf 0x5 0x1 0xd 0xc 0x7 0xb 0x4 0x2 0x8 0xd 0x7 0x0 0x9 0x3 0x4 0x6 0xa 0x2 0x8 0x5 0xe 0xc 0xb 0xf 0x1 0xd 0x6 0x4 0x9 0x8 0xf 0x3 0x0 0xb 0x1 0x2 0xc 0x5 0xa 0xe 0x7 0x1 0xa 0xd 0x0 0x6 0x9 0x8 0x7 0x4 0xf 0xe 0x3 0xb 0x5 0x2 0xc S-Box S[3] 0x7 0xd 0xe 0x3 0x0 0x6 0x9 0xa 0x1 0x2 0x8 0x5 0xb 0xc 0x4 0xf 0xd 0x8 0xb 0x5 0x6 0xf 0x0 0x3 0x4 0x7 0x2 0xc 0x1 0xa 0xe 0x9 0xa 0x6 0x9 0x0 0xc 0xb 0x7 0xd 0xf 0x1 0x3 0xe 0x5 0x2 0x8 0x4 0x3 0xf 0x0 0x6 0xa 0x1 0xd 0x8 0x9 0x4 0x5 0xb 0xc 0x7 0x2 0xe S-Box S[4] 0x2 0xc 0x4 0x1 0x7 0xa 0xb 0x6 0x8 0x5 0x3 0xf 0xd 0x0 0xe 0x9 0xe 0xb 0x2 0xc 0x4 0x7 0xd 0x1 0x5 0x0 0xf 0xa 0x3 0x9 0x8 0x6 0x4 0x2 0x1 0xb 0xa 0xd 0x7 0x8 0xf 0x9 0xc 0x5 0x6 0x3 0x0 0xe 0xb 0x8 0xc 0x7 0x1 0xe 0x2 0xd 0x6 0xf 0x0 0x9 0xa 0x4 0x5 0x3 S-Box S[5] 0xc 0x1 0xa 0xf 0x9 0x2 0x6 0x8 0x0 0xd 0x3 0x4 0xe 0x7 0x5 0xb 0xa 0xf 0x4 0x2 0x7 0xc 0x9 0x5 0x6 0x1 0xd 0xe 0x0 0xb 0x3 0x8 0x9 0xe 0xf 0x5 0x2 0x8 0xc 0x3 0x7 0x0 0x4 0xa 0x1 0xd 0xb 0x6 0x4 0x3 0x2 0xc 0x9 0x5 0xf 0xa 0xb 0xe 0x1 0x7 0x6 0x0 0x8 0xd S-Box S[6] 0x4 0xb 0x2 0xe 0xf 0x0 0x8 0xd 0x3 0xc 0x9 0x7 0x5 0xa 0x6 0x1 0xd 0x0 0xb 0x7 0x4 0x9 0x1 0xa 0xe 0x3 0x5 0xc 0x2 0xf 0x8 0x6 0x1 0x4 0xb 0xd 0xc 0x3 0x7 0xe 0xa 0xf 0x6 0x8 0x0 0x5 0x9 0x2 0x6 0xb 0xd 0x8 0x1 0x4 0xa 0x7 0x9 0x5 0x0 0xf 0xe 0x2 0x3 0xc S-Box S[7] 0xd 0x2 0x8 0x4 0x6 0xf 0xb 0x1 0xa 0x9 0x3 0xe 0x5 0x0 0xc 0x7 0x1 0xf 0xd 0x8 0xa 0x3 0x7 0x4 0xc 0x5 0x6 0xb 0x0 0xe 0x9 0x2 0x7 0xb 0x4 0x1 0x9 0xc 0xe 0x2 0x0 0x6 0xa 0xd 0xf 0x3 0x5 0x8 0x2 0x1 0xe 0x7 0x4 0xa 0x8 0xd 0xf 0xc 0x9 0x0 0x3 0x5 0x6 0xb Table A.1: S-Boxes extracted from Chinbo 185
Abstract (if available)
Abstract
I present a white-box based approach to understand string parsing and enumerate string comparisons in malicious binaries. Text processed by malware reveals a wealth of information about its behavior. Enumerating strings compared by malware helps analysts to reconstruct content fetched remotely by malware and reconfigure analysis environments to increase the effectiveness of dynamic analysis. ❧ The key insight in building a scalable system is to identify the “progress branch” for conditional statements and setting the path constraints I have utilized symbolic execution to build an inference module to classify parsing constructs and control the forking accordingly to reduce state explosion effectively. ❧ I have analyzed more than a thousand of malicious samples using the proposed approach, and reconstructed commands from Remote access trojans (RATs), detected various file-formats, including embedded files. I also detected geolocation-based malware that ceased its malicious activity based on the location of the guest and enumerated those regions. ❧ Not only have I enumerated computer and usernames used by malware to detect sandboxed environments, I detected computer names that cause malware to behave differently. I detected malware that looked for browsers and enumerated their names. I also enumerated the names of processes that cause malware to ceases its activity.
Linked assets
University of Southern California Dissertations and Theses
Conceptually similar
PDF
Studying malware behavior safely and efficiently
PDF
Detection, localization, and repair of internationalization presentation failures in web applications
PDF
Supporting faithful and safe live malware analysis
PDF
Detecting SQL antipatterns in mobile applications
PDF
Defending industrial control systems: an end-to-end approach for managing cyber-physical risk
PDF
Automatic detection and optimization of energy optimizable UIs in Android applications using program analysis
PDF
AI-enabled DDoS attack detection in IoT systems
PDF
Asynchronous writes in cache augmented data stores
PDF
Graph embedding algorithms for attributed and temporal graphs
PDF
Assessing software maintainability in systems by leveraging fuzzy methods and linguistic analysis
PDF
Behavior-based approaches for detecting cheating in online games
PDF
Provenance management for dynamic, distributed and dataflow environments
PDF
On efficient data transfers across geographically dispersed datacenters
PDF
Detecting anomalies in event-based systems through static analysis
PDF
Discovering and querying implicit relationships in semantic data
PDF
Scalable exact inference in probabilistic graphical models on multi-core platforms
PDF
A search-based approach for technical debt prioritization
PDF
The benefits of participatory vehicular sensing
PDF
A function-based methodology for evaluating resilience in smart grids
PDF
Advancing distributed computing and graph representation learning with AI-enabled schemes
Asset Metadata
Creator
Alwabel, Abdulla
(author)
Core Title
Enabling symbolic execution string comparison during code-analysis of malicious binaries
School
Viterbi School of Engineering
Degree
Doctor of Philosophy
Degree Program
Computer Science
Publication Date
02/04/2020
Defense Date
01/07/2020
Publisher
University of Southern California
(original),
University of Southern California. Libraries
(digital)
Tag
binary,malware,OAI-PMH Harvest,symbolic execution,whitebox testing
Language
English
Contributor
Electronically uploaded by the author
(provenance)
Advisor
Neuman, Clifford (
committee chair
), Halfond, William (
committee member
), Raghavendra, Cauligi (
committee member
)
Creator Email
abdulla.wabel@gmail.com,alwabel@usc.edu
Permanent Link (DOI)
https://doi.org/10.25549/usctheses-c89-265012
Unique identifier
UC11675193
Identifier
etd-AlwabelAbd-8146.pdf (filename),usctheses-c89-265012 (legacy record id)
Legacy Identifier
etd-AlwabelAbd-8146.pdf
Dmrecord
265012
Document Type
Dissertation
Rights
Alwabel, Abdulla
Type
texts
Source
University of Southern California
(contributing entity),
University of Southern California Dissertations and Theses
(collection)
Access Conditions
The author retains rights to his/her dissertation, thesis or other graduate work according to U.S. copyright law. Electronic access is being provided by the USC Libraries in agreement with the a...
Repository Name
University of Southern California Digital Library
Repository Location
USC Digital Library, University of Southern California, University Park Campus MC 2810, 3434 South Grand Avenue, 2nd Floor, Los Angeles, California 90089-2810, USA
Tags
binary
malware
symbolic execution
whitebox testing