Oct 04 2012

Malware creators are continually looking for new methods to evade malware detection engines. A popular evasion method is based on malicious code obfuscation that changes the syntax of the code while preserving its execution semantics. If the malware signature relies on the syntactic features of the malicious code, it can be evaded by obfuscation techniques. In this paper, we propose a novel approach to the development of evasion-resistant malware signatures. The idea is that the signature is based on the malware’s execution profile extracted from the OS kernel data structure objects rather than on syntactic information. As a result, the signature is more resistant to malware obfuscation techniques and is more resilient in detecting malicious code variants.

To evaluate the effectiveness of the proposed approach, a prototype signature generation tool called SigGENE was developed. The effectiveness of signatures generated by SigGENE was evaluated using an experimental rootkit-simulation tool that employs obfuscation techniques commonly found in rootkits. In further experiments, different syntactic variants of the same real-world malware were used to verify the real-world applicability of the proposed approach. The experiments show that the proposed approach is effective not only in generating signatures that detect malware and its variants, but also in producing execution profiles that can be used to characterize different malicious attacks.

Paper [Evasion-Resistant Malware Signature Based on Profiling Kernel Data Structure Objects].

Oct 04 2012

Many existing methods of forensic malware analysis rely on the investigators’ practical experience rather than hard science. This paper presents a formal (i.e. based on mathematics) approach to reconstructing activities of a malicious executable found in a victim’s system during a post-mortem analysis. The behavior of the suspect executable is modeled as a finite state automaton where each state represents behavior that results in an observable modification to the victim’s system. The derived model of the malicious code allows for accurate reasoning and deduction of the occurrence of malicious activities even when anti-forensic methods are employed to disrupt the investigation process.

Paper [Towards Automated Forensic Event Reconstruction of Malicious Code].

Poster [Automated Forensic Event Reconstruction of Malicious Code].
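The finite-state idea in the abstract above, as an added illustration that is not the paper's own code: states are observable modifications to the victim system, and a state that lies on every path from the start to an observed state must have occurred even if its artifact was wiped by anti-forensic tools. The automaton, state names and observations are constructed for the example.

```python
from collections import deque

# Constructed model of a suspect executable: state -> successor states.
# Each state stands for one observable modification to the victim system.
MALWARE_FSA = {
    "start": {"dropped_exe"},
    "dropped_exe": {"run_key_added", "service_installed"},
    "run_key_added": {"config_file_written"},
    "service_installed": {"config_file_written"},
    "config_file_written": {"c2_beacon"},
    "c2_beacon": set(),
}


def reachable(fsa, src, removed=frozenset()):
    """States reachable from src when the states in `removed` are cut out."""
    seen, queue = set(), deque([src])
    while queue:
        s = queue.popleft()
        if s in seen or s in removed:
            continue
        seen.add(s)
        queue.extend(fsa.get(s, ()))
    return seen


def must_have_occurred(fsa, start, observed):
    """States that lie on every path from start to some observed state.

    If such a state's artifact is missing from the image, the observed state
    could not have been reached without it, so removal of the artifact
    (anti-forensics) is the consistent explanation.
    """
    implied = set()
    for cand in fsa:
        if cand == start or cand in observed:
            continue
        # cutting `cand` out must disconnect at least one observed state
        if any(obs not in reachable(fsa, start, {cand}) for obs in observed):
            implied.add(cand)
    return implied


def reconstruct(fsa, start, observed):
    """Split the model into observed, deduced and merely possible states."""
    deduced = must_have_occurred(fsa, start, observed)
    possible = reachable(fsa, start) - set(observed) - deduced - {start}
    return {"observed": set(observed), "deduced": deduced, "possible": possible}
```

With only the beacon observed, the dropped executable and the config file are deduced, while the two alternative persistence states remain merely possible.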

Oct 04 2012

When a malware outbreak happens in an organization, one of the main questions that needs to be investigated is how the malware got in. Answering this question is important in order to identify and close the exploited technical and/or human vulnerabilities. This paper proposes a method for malware intrusion path reconstruction in a network of computers running Microsoft Windows. The method is based on the analysis of Windows Restore Points from the compromised computers. The idea is that malware infection traces from different computers can be correlated in time to identify the progress of the malware through the network and the likely initial point of infection.

A simulated case study is given that demonstrates the viability of the proposed attack path reconstruction technique.

Paper [A Novel Methodology for Malware Intrusion Attack Path Reconstruction].
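The time correlation described above, as an added example that is not the paper's tool: a trace that is present in one Restore Point and absent from the previous one brackets that host's infection time, and ordering hosts by those windows gives a candidate path whose first entry is the likely initial infection. The hosts, snapshot times and trace file name are constructed; the assumption that consecutive snapshots bracket the infection is the example's own.

```python
from datetime import datetime

# Constructed per-host Restore Point listings: (creation time, file names seen).
RESTORE_POINTS = {
    "WS-01": [("2012-09-10T08:00", set()),
              ("2012-09-11T08:00", {"svchost32.exe"}),
              ("2012-09-12T08:00", {"svchost32.exe"})],
    "WS-02": [("2012-09-11T08:00", set()),
              ("2012-09-12T08:00", {"svchost32.exe"})],
    "WS-03": [("2012-09-11T20:00", set()),
              ("2012-09-12T20:00", {"svchost32.exe"})],
    "SRV-01": [("2012-09-11T08:00", set()),
               ("2012-09-12T08:00", set())],
}


def infection_window(points, trace):
    """Return (after, before): the trace first appears in snapshot `before`
    and is absent from the preceding snapshot `after` (None if `before` is
    the first snapshot). Returns None when the trace is never seen."""
    prev = None
    for ts_str, files in sorted(points):
        ts = datetime.fromisoformat(ts_str)
        if trace in files:
            return (prev, ts)
        prev = ts
    return None


def intrusion_path(restore_points, trace):
    """Order infected hosts by the snapshot in which the trace first appears.

    The relative order of two hosts is only certain when the later host's
    window starts at or after the earlier host's window ends; overlapping
    windows are reported as uncertain rather than silently ordered."""
    windows = {h: infection_window(p, trace) for h, p in restore_points.items()}
    infected = [(w[1], w[0], h) for h, w in windows.items() if w]
    infected.sort(key=lambda t: (t[0], t[2]))   # by 'before' time, then host
    path = []
    for i, (before, after, host) in enumerate(infected):
        certain = i == 0 or (after is not None and after >= infected[i - 1][0])
        path.append({"host": host, "after": after, "before": before,
                     "order_certain": certain})
    return path
```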

Sep 13 2012

When digital investigators are confronted with a suspicious executable during an investigation, a standard, well-known incident response process is applied. This process encompasses hashing the suspect executable and looking up the hash value in an online malware analysis and scanning service such as VirusTotal [1] to verify whether the suspect executable belongs to a known malware family. If the malware analysis service does not return a positive detection, a manual or automated malware behavior analysis process is then required.

Behavioral malware analysis examines the functionality of a suspect executable and its interactions with the operating system in what is called sandbox analysis. In a sandbox solution, the behavior examination is conducted by isolating the suspect malware in a controlled environment, i.e. a virtual machine or machine emulator, and observing all of its interactions and activities with the operating system. Observed interactions include, for example, system calls invoked by the executable, allocated memory regions, created processes and threads, accessed/created/modified/deleted registry entries, and network activities. Such valuable information enables human digital investigators and malware analysts to draw a conclusion about the suspect executable and whether or not it poses a threat to the integrity of the investigation.

Unfortunately, although behavioral analysis using sandboxing is vital in malware analysis and helps human malware analysts determine whether further analysis is required, using a sandbox in a forensic investigation has a number of limitations. In essence, the scope and objectives of malware analysis from a digital investigation perspective are substantially different from those of security and malware detection. These differences may lead forensic investigators to invalid conclusions and threaten the integrity of the investigation.

An example of these limitations is the problem of malware evasion personalities. Malware writers often employ sophisticated methods to impede behavior analysis under sandboxing by attempting to detect whether the host environment is a real machine or is simulated using machine emulation. If an emulated or virtualized environment is detected, execution of the malicious code is suppressed: the program terminates, or executes benign code to evade human analysts.

Even if such evasion methods are not employed, malware usually carries different payloads that execute depending on the configuration of the infected host. That is, one malware sample may behave differently on different hosts if, for example, the hosts have different versions of internet browsers. Since currently available sandbox solutions cannot consider all possible configurations of the infected host operating system, there is a chance that the code executed in the sandbox is not the code that previously executed on the host under investigation, either because different configuration settings are in place or because the malware employs a sandbox detection technique.

Thus, inferences based on such analysis may mislead human investigators into concluding that an executable is a benign program when in fact it is malicious, or that the malware executed an exploitation payload that was never actually executed on the infected host under investigation.
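One way to guard against the two failure modes just described (a configuration-dependent payload, or a sample that detects the sandbox and stays quiet), as an added example that is not part of the original post: before a sandbox verdict is used in an investigation, compare the sandbox environment and the artifacts it observed against what was actually recovered from the victim image, and mark the run inconclusive when they do not agree. Both records, their field names and the early-exit threshold are constructed assumptions.

```python
# Constructed sandbox report: the sample ran for under a second and touched nothing.
SANDBOX_REPORT = {
    "environment": {"os": "Windows 7 SP1", "browser": "IE 8"},
    "run_seconds": 0.4,
    "artifacts": set(),      # files and registry keys the sandbox saw written
    "network": [],           # remote endpoints contacted
}

# Constructed view of the victim image recovered by the investigator.
HOST_IMAGE = {
    "environment": {"os": "Windows 7 SP1", "browser": "IE 9"},
    "artifacts": {r"C:\Users\victim\AppData\Roaming\upd.exe",
                  r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"},
}


def assess_sandbox_run(report, host, min_run_seconds=5.0):
    """Decide whether a sandbox run can stand in for what happened on the host.

    Returns (verdict, findings, matched_artifacts). The verdict is
    'conclusive' only when the environments agree and at least one artifact
    the sandbox produced is also present on the victim image."""
    findings = []

    # 1. Configuration mismatch: a payload selected by host configuration
    #    (e.g. browser version) may never have run in the sandbox.
    mismatched = [k for k, v in host["environment"].items()
                  if report["environment"].get(k) != v]
    if mismatched:
        findings.append("environment differs from host: " + ", ".join(mismatched))

    # 2. Early exit with no activity is consistent with sandbox detection;
    #    it is not evidence that the sample is benign.
    quiet = not report["artifacts"] and not report["network"]
    if quiet and report["run_seconds"] < min_run_seconds:
        findings.append("sample exited early with no activity: possible sandbox detection")

    # 3. Cross-check: artifacts seen in the sandbox should exist on the host
    #    if the same code path executed there.
    matched = report["artifacts"] & host["artifacts"]
    if not matched:
        findings.append("no sandbox artifact was found on the host image")

    verdict = "conclusive" if not findings else "inconclusive"
    return verdict, findings, matched
```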

Typically, such limitations, and many others, result from building this technology without keeping digital forensic investigation requirements in mind. The requirements for tools used in digital forensic investigation have unique characteristics, and such tools cannot be substituted by tools commonly used in computer security without customization to address the unique objectives of digital investigation. Hence, an assessment of the automation tools and techniques borrowed from malware security for use in digital investigation is strictly demanded, to ensure that these tools truly assist digital investigators in producing a successful investigation rather than contributing to misleading inferences.


[1] www.VirusTotal.com