University of Louisiana at Lafayette Malware Attribution Arun Lakhotia University of Louisiana at Lafayette USA

University of Louisiana at Lafayette

Malware Attribution

Arun LakhotiaUniversity of Louisiana at

LafayetteUSA


Malware Analysis Problem

• The Old Problem– Is this binary bad?

• The New Problem– Who dun’it?

Increasing Significance with Targeted Attack


linked specific portions of code

Stuxnet, Duqu and Flame, …Gauss come from the same ‘factory’ or ‘factories,


Parts of Duqu are nearly identical to

Stuxnet,

but with a completely diffe

rent purpose.

written by the same authors

(or .. using Stuxnet source code)


identified the group by similaritie

s in code

and tactics utilized in the attacks


Stuxnet and Duqu were written on the same platform

…by the same group of programmers.

Flame used the same platformbut by different programmers


Properties Used for Attribution

Relationship Between• Code• Platform• Behavior

– Websites, Domains, Files, Registry

• Used to infer – Intent, Capacity, Organization, Group


Evolution

• Code evolution– New features– Bug fixes– Refactoring– Reuse– Malware specific

• Stealth• Evasion

• Toolchain evolution– Compiler update– New platform– New library


Evolutionary Relations

• Code based– P2 generated from

P1, after bug fix

– g1.c v1.14 generated from g1.c v1.13 , after adding new feature

• Toolchain based– P1’ generated

from P1, P2, Pn, after compiling using gcc v4.33

– gcc v4.33 generated from g1, g2, ..,gn, after compiling using v4.22


Evolutionary Models

Source

VM Binary

Binary

Compile

Compile

JIT Compile

EditBugfixTranslateGenerate

Binary RewritePackLinker

Binary RewritePackLinker

Disassemble

Disassemble

Decompile


Evolutions as Transformations

• Model relations as transformations– Edit: Source -> Source– Compile: Source -> Obj– Link: Obj+ -> Exe– Pack: Exe -> Exe

• Why?– Derivation = Sequence of composition


Derivation Graphs

• Missing relation– Object

becomes Transformer

• I: C -> (C -> C)

bot1

bot'1

●

bot2

bot'2

●

tibs'

gcc'

tibs'

gcc' gcc

tibs

I I

I I

tibs’(gcc’(bot1) = bot’1 tibs'(gcc’(bot2) = bot’2


Co-Evolution: Malcode and Production

bot1

bot'1●

bot'''1●

gcc' bot''1●

gcc'

tibs''

gcc''

gcc ●bugfix

tibs'

tibs ●algchng

featureadd


Evolution Patterns

descendant/ancestor polymorph

Reg Exp


Evolution Patterns (contd)

e-polymorph sibling


Connecting to Reality

• Stuxnet, Duqu– Common Platform

• Platform inferred from observations

• Platform evolving

“the ``Tilded'' platform .. created .. the end of 2007 or early 2008

before undergoing its most significant changes in summer/autumn2010”

Kaspersky

“the platform continues to develop”Kaspersky


Improvements over prior models

• Multiple, separate descendant lineages• Interleaved code sharing• Dependent lineage update and shared

functionality update• Differences in generation mechanisms

and variation after compilation• Shared generated code and

characteristics• Separate evolution of toolchain


Impact


Broader Contributions

• A structure to attach information– and generate knowledge

• Opens research questions– Determine evolution of code– Detect existence of platfrom– Separate platform evolution from code

evolution


Gaps


Remaining Questions

• Model evolution of “behavior”– Does behavior exist independent of

code?– Does behavior evolution => code

evolution?– Does shared behavior => shared

team/experience?


Future Work


Next Steps

• Opened more questions than answered

Documents

University of Louisiana at Lafayette Malware Attribution Arun Lakhotia University of Louisiana at Lafayette USA