Malware Repository Overview - PowerPoint PPT Presentation

Slides: 23
Learn more at: http://www.cyber-ta.org

Transcript

1
Malware Repository Overview
  • Wenke Lee
  • David Dagon
  • Georgia Institute of Technology

2
Overview
  • How malware is collected and shared now
  • Malfease's service-oriented repository
  • Support for malware analysis (e.g., signature
    generation) and for evaluating intrusion/anomaly
    detection and prevention systems
  • Automated unpacking

3
Current Practices
  • Numerous private, semi-public malware collections
    • Need trust to join
    • Too much sharing often seen as a competitive
      disadvantage
    • Analysis not shared
  • Incomplete collections reflect sensor bias
    • Darknet-based collection
    • IRC surveillance
    • Honeypot-based collection

4
Shortcomings
  • Malware authors know and exploit weaknesses in
    data collection
    • Illuminating sensors: see "Mapping Internet
      Sensors with Probe Response Attacks",
      Bethencourt et al., USENIX Security 2005
    • Automated victim updates, e.g., via botnets

5
Solution: Service-Oriented Repository
  • Malfease uses a hub-and-spoke model
    • Hub is the central collection of malware
    • Spokes are analysis partners
  • Hub
    • Malware storage, indexing, search
    • Static analysis: header extraction, icons,
      libraries
    • Metainfo: longitudinal AV scan results
  • Spoke
    • E.g., dynamic analysis, unpacking, signatures,
      etc.

6
Malware Repo Requirements
  • Malware repos should not
    • Help illuminate sensors
    • Serve as a malware distribution site
  • Malware repos should
    • Help automate analysis of the malware flood
    • Coordinate different analysts (RE gurus, Snort
      rule writers, etc.)

7
Approaches
  • Repository allows upload of samples
  • Downloads restricted to classes of users
  • Repository provides binaries and analysis
    • Automated unpacking
    • Win32 PE header analysis
    • Longitudinal detection data: what did the AV
      tool know, and when did it know it?
    • Malware similarity analysis, family tree
    • Etc.
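
One way to keep the longitudinal detection data the slide asks for, as an added example rather than Malfease code: every per-engine verdict is stored with its scan date instead of being overwritten by the latest rescan, so the hub can answer "what did this engine say about this sample on a given day" and measure how long each engine took to catch up. The scan log, sample ids and engine names below are constructed for the example; the "clean" verdict string and the ISO date strings are this example's conventions, not the repository's schema.

```python
from collections import defaultdict
from datetime import date

# Constructed scan log, not repository data: (sample id, engine, scan date, verdict).
# "clean" means the engine scanned the sample on that day and reported nothing.
SCANS = [
    ("a1b2", "EngineA", "2006-01-03", "clean"),
    ("a1b2", "EngineB", "2006-01-03", "clean"),
    ("a1b2", "EngineA", "2006-01-17", "W32/Generic.dropper"),
    ("a1b2", "EngineB", "2006-01-17", "clean"),
    ("a1b2", "EngineB", "2006-02-08", "Trojan.Downloader"),
    ("c3d4", "EngineA", "2006-01-10", "clean"),
    ("c3d4", "EngineB", "2006-01-10", "Packed.Generic"),
    ("c3d4", "EngineA", "2006-02-08", "clean"),
]


class LongitudinalScans:
    """Keeps every (sample, engine, date) verdict rather than overwriting with the latest."""

    def __init__(self, scans):
        self.history = defaultdict(list)   # (sample, engine) -> [(date, verdict), ...]
        self.first_seen = {}               # sample -> date of its first scan in the repository
        for sample, engine, iso_day, verdict in scans:
            when = date.fromisoformat(iso_day)
            self.history[(sample, engine)].append((when, verdict))
            self.first_seen[sample] = min(when, self.first_seen.get(sample, when))
        for hist in self.history.values():
            hist.sort()

    def engines(self, sample):
        return sorted(e for s, e in self.history if s == sample)

    def verdict_as_of(self, sample, engine, iso_day):
        """What the engine said the last time it scanned the sample on or before that day."""
        when = date.fromisoformat(iso_day)
        past = [v for d, v in self.history.get((sample, engine), []) if d <= when]
        return past[-1] if past else "unscanned"

    def first_detection(self, sample, engine):
        """Date of the engine's first non-clean verdict, or None if it never flagged the sample."""
        for when, verdict in self.history.get((sample, engine), []):
            if verdict != "clean":
                return when
        return None

    def detection_lag_days(self, sample, engine):
        """Days from the sample's first appearance in the repository to the engine's first hit."""
        hit = self.first_detection(sample, engine)
        return None if hit is None else (hit - self.first_seen[sample]).days

    def still_missed_by(self, sample):
        """Engines that have scanned the sample but never flagged it."""
        return [e for e in self.engines(sample) if self.first_detection(sample, e) is None]


if __name__ == "__main__":
    store = LongitudinalScans(SCANS)
    for sample in sorted(store.first_seen):
        for engine in store.engines(sample):
            print(sample, engine, "first hit:", store.first_detection(sample, engine),
                  "lag:", store.detection_lag_days(sample, engine), "days")
        print(sample, "still missed by:", store.still_missed_by(sample))
```

The point of keeping the full history is that a rescan must never replace the earlier record: the earlier "clean" verdict is exactly the evidence that the engine missed the sample for a measurable number of days.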

8
Overview (slide has no transcribed text)
9
Repository User Classes
  • Unknown users
    • Scripts, random users, even bots
  • Humans
    • CAPTCHA-verified
  • Authenticated users
    • Known, trusted contributors

10
Repository Access Control
  • Unknown users
    • Upload; view aggregate statistics
  • Humans
    • Upload; download analysis of their own samples
  • Authenticated users
    • Upload; download all samples; access all analysis
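
The access matrix on this slide and the "downloads restricted to classes of users" point from the Approaches slide, written out as hub-side policy code. This is an added example, not Malfease's implementation: the class names, the session-id model for CAPTCHA-verified humans, and the rule that uploading the identical bytes is what proves a human "owns" a sample are assumptions of this example. It also keeps the two "should not" requirements in view: binaries only ever go to authenticated partners, and unknown users get totals rather than any per-submitter breakdown that could help illuminate sensors. Users and sample bytes below are constructed.

```python
import hashlib
from enum import Enum


class UserClass(Enum):
    UNKNOWN = 1         # scripts, random users, even bots
    HUMAN = 2           # passed a CAPTCHA; identified only by a session id
    AUTHENTICATED = 3   # known, trusted contributor (analysis partner)


class User:
    def __init__(self, uid, cls):
        self.uid, self.cls = uid, cls


class Repository:
    """Hub-side access control for the three user classes."""

    def __init__(self):
        self.blobs = {}       # sha256 -> sample bytes
        self.uploaders = {}   # sha256 -> set of uids that submitted these exact bytes
        self.analysis = {}    # sha256 -> analysis record produced by a spoke

    def upload(self, user, blob):
        # Every class may upload.  The hash is computed here; a client-supplied
        # hash could be used to claim ownership of a sample the client never had.
        digest = hashlib.sha256(blob).hexdigest()
        self.blobs.setdefault(digest, blob)
        self.uploaders.setdefault(digest, set()).add(user.uid)
        return digest

    def record_analysis(self, digest, record):
        self.analysis[digest] = record

    def aggregate_stats(self):
        # Totals only.  A per-submitter or per-sensor breakdown would let a
        # probe-response attacker learn which sensors saw a marker sample.
        return {"samples": len(self.blobs), "analysed": len(self.analysis)}

    def get_analysis(self, user, digest):
        if user.cls is UserClass.UNKNOWN:
            raise PermissionError("unknown users get aggregate statistics only")
        if user.cls is UserClass.HUMAN and user.uid not in self.uploaders.get(digest, ()):
            # Assumption: uploading the identical bytes proves possession, so the
            # analysis reveals nothing about a sample the requester does not hold.
            raise PermissionError("humans may read analysis of their own uploads only")
        return self.analysis[digest]

    def get_binary(self, user, digest):
        if user.cls is not UserClass.AUTHENTICATED:
            raise PermissionError("binaries go to authenticated partners only; "
                                  "the hub must not become a distribution site")
        return self.blobs[digest]


def demo():
    """Exercise the policy with constructed users and samples; returns the outcomes."""
    repo = Repository()
    bot = User("crawler-1", UserClass.UNKNOWN)
    alice = User("session-7f3a", UserClass.HUMAN)
    mallory = User("session-9c10", UserClass.HUMAN)
    spoke = User("partner-unpacker", UserClass.AUTHENTICATED)
    digest = repo.upload(alice, b"MZ constructed placeholder, not a real sample")
    repo.upload(bot, b"second constructed placeholder")
    repo.record_analysis(digest, {"packer": "none", "av_hits": 3})

    def allowed(fn, *args):
        try:
            fn(*args)
            return True
        except PermissionError:
            return False

    return {
        "stats": repo.aggregate_stats(),
        "bot_reads_analysis": allowed(repo.get_analysis, bot, digest),
        "owner_reads_analysis": allowed(repo.get_analysis, alice, digest),
        "other_human_reads_analysis": allowed(repo.get_analysis, mallory, digest),
        "human_downloads_binary": allowed(repo.get_binary, alice, digest),
        "partner_reads_analysis": allowed(repo.get_analysis, spoke, digest),
        "partner_downloads_binary": allowed(repo.get_binary, spoke, digest),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-28s %s" % (key, value))
```

Ownership is keyed on the content hash rather than on a database row id, so a second human who uploads the same bytes also gets the analysis: they already hold the sample, and withholding the report would only push them toward re-submitting it elsewhere.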

11
Basic User View (slide has no transcribed text)
12
Analysis Page for Sample (slide has no transcribed text)
13
Static Analysis Example (slide has no transcribed text)
14
Static Analysis Example
Note search ability
15
Dynamic Analysis
Unpacked binary available for download, along with
asm version
16
Malware: Why Pack?
  • Reduced malware size
  • Obfuscation transformation
    • Opaque binaries prevent pattern analysis
    • Invalid PE32 headers complicate RE
  • Increases response time
    • Unpacking often requires specialized skill sets
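
To make the "Win32 PE header analysis" item from the Approaches slide and the "invalid PE32 headers" point above concrete, here is an added example (not Malfease or PolyUnpack code) of the static pass a hub can run on every upload: a minimal PE parser that refuses headers the file bytes cannot back up, plus the cheap packing indicators that usually justify sending a sample to the unpacking spoke. The three sample files and the build_pe fixture are constructed here; the 7.0 bits/byte entropy threshold and the 0x1000 size cut-off are this example's assumptions, not figures from the slides.

```python
import math
import struct

# Constants from the PE/COFF specification.
PE_SIGNATURE = b"PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
COFF_HEADER_FMT = "<HHIIIHH"   # Machine .. Characteristics, 20 bytes
SECTION_HEADER_SIZE = 40
ENTROPY_THRESHOLD = 7.0        # bits/byte (assumed); compressed or encrypted code sits near 8.0

class PEError(ValueError):
    """A header claims something the file bytes cannot back up."""

def shannon_entropy(data):
    """Entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_pe(data):
    """Read DOS header, COFF header, optional header and section table.
    Raises PEError on the inconsistent headers packers like to emit
    (e_lfanew past EOF, bad signature, sections pointing outside the file)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise PEError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise PEError("e_lfanew does not point at a PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER_FMT, data, coff)
    opt = coff + 20
    if opt + opt_size > len(data):
        raise PEError("optional header runs past end of file")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise PEError("unknown optional header magic 0x%x" % magic)
    entry = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint (RVA)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + i * SECTION_HEADER_SIZE
        if off + SECTION_HEADER_SIZE > len(data):
            raise PEError("section table runs past end of file")
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        if rawptr + rawsize > len(data):
            raise PEError("section %r raw data runs past end of file" % name)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "rawsize": rawsize,
                         "entropy": shannon_entropy(data[rawptr:rawptr + rawsize])})
    return {"machine": machine, "pe32plus": magic == PE32PLUS_MAGIC,
            "entry": entry, "sections": sections}

def header_error(data):
    """PEError message for a malformed file, or None if the headers parse."""
    try:
        parse_pe(data)
        return None
    except PEError as exc:
        return str(exc)

def packing_indicators(pe):
    """Cheap static hints that a binary is packed; returns a list of reasons (empty = none)."""
    reasons = []
    entry_sec = next((s for s in pe["sections"]
                      if s["va"] <= pe["entry"] < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if entry_sec is None:
        reasons.append("entry point 0x%x lies outside every section" % pe["entry"])
    else:
        if entry_sec["rawsize"] == 0:
            reasons.append("entry section %s has no bytes on disk" % entry_sec["name"])
        if entry_sec["entropy"] > ENTROPY_THRESHOLD:
            reasons.append("entry section %s entropy %.2f" % (entry_sec["name"], entry_sec["entropy"]))
    for s in pe["sections"]:
        if s["rawsize"] == 0 and s["vsize"] >= 0x1000:   # size cut-off is an assumption
            reasons.append("section %s empty on disk but 0x%x bytes in memory (unpack target)"
                           % (s["name"], s["vsize"]))
    return reasons

def build_pe(sections, entry_point):
    """Constructed fixture: a minimal PE32 from (name, va, vsize, raw_bytes) tuples."""
    e_lfanew, opt_size = 0x40, 0xE0
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack(COFF_HEADER_FMT, 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<HBBIIII", PE32_MAGIC, 14, 0, 0, 0, 0, entry_point).ljust(opt_size, b"\0")
    ptr = e_lfanew + 4 + 20 + opt_size + SECTION_HEADER_SIZE * len(sections)
    table, body = b"", b""
    for name, va, vsize, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, va, len(raw),
                             ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        body += raw
        ptr += len(raw)
    return dos + PE_SIGNATURE + coff + opt + table + body

# Constructed samples: a plain binary, a UPX-style packed one, and a truncated one.
PLAIN = build_pe([(b".text", 0x1000, 0x200, bytes(range(32)) * 8)], 0x1000)
PACKED = build_pe([(b"UPX0", 0x1000, 0x8000, b""),
                   (b"UPX1", 0x9000, 0x400, bytes((i * 131 + 77) % 256 for i in range(1024)))],
                  0x9000)
TRUNCATED = PACKED[:100]

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN), ("packed", PACKED), ("truncated", TRUNCATED)):
        err = header_error(blob)
        print(label, "invalid header: " + err if err else packing_indicators(parse_pe(blob)))
```

Every length check in parse_pe is against the real file size rather than the sizes the header advertises; that is what turns an "invalid PE32 header" from something that crashes an analyst's tool into a recorded attribute of the sample. The indicators are deliberately crude (a section that is empty on disk but large in memory is the classic unpack target, and a high-entropy entry section is the packed payload), which is enough to route the sample to automated unpacking rather than to a reverse engineer.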

17
PolyUnpack Work Flow (slide has no transcribed text)
18
Unpacking Heuristic (slide has no transcribed text)
19
Unpacking Example (slide has no transcribed text)
Results
  • Improved AV detection
    • 10-40 improved AV detection on old samples
    • Workflow: 6K very old samples -> AV scan ->
      5.2K claimed VX (malicious), 0.8K claimed OK ->
      unpacking -> AV rescan -> 42 of the 0.8K are
      now claimed VX
21
Plan for Cyber-TA
  • Evaluation of various signature generation
    schemes
  • Development of new schemes
  • Development of a signature ensemble scheme that
    automatically combines the attributes of
    signatures from different generation schemes
  • Evaluation of intrusion/anomaly detection systems
    • E.g., automatically generating mimicry/blending
      attacks based on malware

22
Conclusion
  • Service-oriented repository
    • Supports research in malware analysis and
      intrusion/anomaly detection/prevention
  • See malfease.oarci.net for details
  • Credits
    • David Dagon
    • Paul Vixie
    • Paul Royal
    • Mitch Halpin