University of Louisiana at Lafayette
Malware Attribution
Arun Lakhotia
University of Louisiana at Lafayette, USA
Malware Analysis Problem
• The Old Problem
  – Is this binary bad?
• The New Problem
  – Who dun’it?
Increasing Significance with Targeted Attacks
“linked specific portions of code”
“Stuxnet, Duqu and Flame, … Gauss come from the same ‘factory’ or ‘factories’”
“Parts of Duqu are nearly identical to Stuxnet, but with a completely different purpose.”
“written by the same authors (or .. using Stuxnet source code)”
“identified the group by similarities in code and tactics utilized in the attacks”
“Stuxnet and Duqu were written on the same platform … by the same group of programmers.”
“Flame used the same platform but by different programmers”
Properties Used for Attribution
• Relationship between
  – Code
  – Platform
  – Behavior: websites, domains, files, registry
• Used to infer
  – Intent, capacity, organization, group
Evolution
• Code evolution
  – New features
  – Bug fixes
  – Refactoring
  – Reuse
  – Malware specific: stealth, evasion
• Toolchain evolution
  – Compiler update
  – New platform
  – New library
Evolutionary Relations
• Code based
  – P2 generated from P1, after bug fix
  – g1.c v1.14 generated from g1.c v1.13, after adding new feature
• Toolchain based
  – P1’ generated from P1, P2, Pn, after compiling using gcc v4.33
  – gcc v4.33 generated from g1, g2, .., gn, after compiling using v4.22
Evolutionary Models
[Figure: evolutionary models. Artifact types: Source, Binary, VM Binary. Transformation labels: Edit, Bugfix, Translate, Generate; Compile; JIT Compile; Binary Rewrite, Pack, Linker; Disassemble; Decompile.]
Evolutions as Transformations
• Model relations as transformations
  – Edit: Source -> Source
  – Compile: Source -> Obj
  – Link: Obj+ -> Exe
  – Pack: Exe -> Exe
• Why?
  – Derivation = sequence of composition
Derivation Graphs
• Missing relation
  – Object becomes Transformer
• I: C -> (C -> C)
[Figure: derivation graph. I maps the objects gcc and tibs to the transformers gcc’ and tibs’; applying them to bot1 and bot2 yields bot’1 and bot’2.]
tibs’(gcc’(bot1)) = bot’1
tibs’(gcc’(bot2)) = bot’2
Co-Evolution: Malcode and Production
[Figure: co-evolution graph. Malcode lineage bot1 -> bot’1 -> bot’’1 -> bot’’’1, derived with successive toolchain versions; toolchain lineages gcc -> gcc’ -> gcc’’ and tibs -> tibs’ -> tibs’’; edge labels: bugfix, algchng, featureadd.]
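The two slides above (derivation as composition of transformations, and I lifting a tool object such as gcc or tibs into a transformer) can be exercised in code. This is an added illustration, not the author's code: Artifact, step, compose, I and shared_toolchain are this example's own names, and the gcc/tibs/bot scenario is constructed from the deck's figures.

```python
from dataclasses import dataclass
from typing import Callable, Tuple

# Added illustration of the deck's derivation-graph model. Artifact, step, compose,
# I and shared_toolchain are this example's own names, not the author's.
@dataclass(frozen=True)
class Artifact:
    name: str
    kind: str                         # "src", "obj", "exe" or "tool"
    derivation: Tuple[str, ...] = ()  # transformers applied so far, in order

Transformer = Callable[[Artifact], Artifact]

def step(label: str, out_kind: str) -> Transformer:
    """A plain transformation: Edit (src -> src), Compile (src -> obj), Pack (exe -> exe)."""
    def t(a: Artifact) -> Artifact:
        return Artifact(a.name + "'", out_kind, a.derivation + (label,))
    return t

def compose(*ts: Transformer) -> Transformer:
    """Derivation = sequence of composition: compose(f, g)(x) is g(f(x))."""
    def run(a: Artifact) -> Artifact:
        for t in ts:
            a = t(a)
        return a
    return run

def I(tool: Artifact, out_kind: str) -> Transformer:
    """I: C -> (C -> C). A tool binary (gcc, tibs) becomes a transformer, and the
    tool's own derivation travels into the derivation of everything it produces."""
    tag = tool.name + ("[" + ",".join(tool.derivation) + "]" if tool.derivation else "")
    def t(a: Artifact) -> Artifact:
        return Artifact(a.name + "'", out_kind, a.derivation + (tag,))
    return t

def shared_toolchain(a: Artifact, b: Artifact) -> set:
    """Attribution signal: tool transformers common to both derivations."""
    return set(a.derivation) & set(b.derivation)

def derive_bots() -> Tuple[Artifact, Artifact]:
    # Constructed scenario following the deck: gcc -> gcc' by a bug fix,
    # tibs -> tibs' by an algorithm change, then bot'1 = tibs'(gcc'(bot1)).
    gcc_p = step("bugfix", "tool")(Artifact("gcc", "tool"))
    tibs_p = step("algchng", "tool")(Artifact("tibs", "tool"))
    build = compose(I(gcc_p, "exe"), I(tibs_p, "exe"))
    return build(Artifact("bot1", "src")), build(Artifact("bot2", "src"))
```

Calling derive_bots() returns the two built bots; their derivations both read ("gcc'[bugfix]", "tibs'[algchng]"), so shared_toolchain reports that the samples share an evolved platform even though their source differs.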
Connecting to Reality
• Stuxnet, Duqu
  – Common platform
• Platform inferred from observations
• Platform evolving
“the ‘Tilded’ platform .. created .. the end of 2007 or early 2008 before undergoing its most significant changes in summer/autumn 2010” (Kaspersky)
“the platform continues to develop” (Kaspersky)
Improvements over prior models
• Multiple, separate descendant lineages
• Interleaved code sharing
• Dependent lineage update and shared functionality update
• Differences in generation mechanisms and variation after compilation
• Shared generated code and characteristics
• Separate evolution of toolchain
Broader Contributions
• A structure to attach information
  – and generate knowledge
• Opens research questions
  – Determine evolution of code
  – Detect existence of platform
  – Separate platform evolution from code evolution
Remaining Questions
• Model evolution of “behavior”
  – Does behavior exist independent of code?
  – Does behavior evolution => code evolution?
  – Does shared behavior => shared team/experience?