Presented at DEF CON 18 (2010)
Aug. 1, 2010, 5 p.m.
For antivirus vendors and malware researchers today, the challenge lies not in "obtaining" the malware samples - they have too many already. What's needed is automated tools to speed up the analysis process. Many sandboxes exist for behavior profiling, but it still remains a challenge to handle anti-analysis techniques and to generate useful reports.
The problem with current tools is the monitoring mechanism - there's always a "sandbox" or some type of monitoring mechanism that must be loaded BEFORE malware execution. This allows malware to detect whether such monitoring mechanisms exist, and to bail out thus avoiding detection and analysis.
Here we release 0box--an afterDark analyser that loads AFTER malware execution. No matter how well a piece of malware hides itself, there will be runtime forensics data that can be analyzed to identify "traces" of a process trying to hide itself. For example, evidences within the process module lists or discrepancies between kernel- and user-space datastructures. Since analysis is done post mortem, it is very hard for malware to detect the analysis.
By using runtime forensics to extract evidences, we turn a piece of malware from its original binary space into a feature space, with each feature representing the existence or non-existence of a certain behavior (ex, process table tampering, unpacking oneself, adding hooks, etc). By running clustering algorithms in this space, we show that this technique not only is very effective and very fast at detecting malware, but is also very accurate at clustering the malware into existing malware families. Such clustering is helpful for deciding whether a piece of malware is just a variation or repacking of an existing malware family, or is a brand new find.
Using three case studies, we will demo 0box, compare 0box with 0box with recent talks at BlackHat and other security conferences, and explain how 0box is different and why it is very effective. 0box will be released at the conference as a free tool.
- Security Researcher, Armorize Technologies
Jeremy Chiu (aka Birdman) has more than ten years of experience with host-based security, focusing on kernel technologies for both the Win32 and Linux platforms. In early 2001 he was investigated and subsequently held prison by Taiwan Criminal Investigation Bureau for creating Taiwan's first widespread trojan BirdSPY. The court dropped charges after Jeremy committed to allocate part of his future time to assist Taiwan law enforcement in digital forensics and incidence response. Jeremy specializes in rootkit/backdoor design. He has been contracted by military organizations to deliver military-grade implementations. Jeremy also specializes in reverse engineering and malware analysis, and has been contracted by law enforcements to assist in forensics operations. Jeremy is a sought-after speaker for topics related to security, kernel programming, and object-oriented design; in addition to frequently speaking at security conferences, Jeremy is also a contract trainer for militaries, law enforcements, intelligence organizations, and conferences such as SySCAN (09 08), Hacks in Taiwan (07 06 05), HTICA(06 08) and OWASP Asia (08 07). In 2005, Jeremy founded X-Solve Inc. and successfully developed forensics and anti-malware products. In July 2007, X-Solve was acquired by Armorize Technologies.
- CTO, Armorize Technologies
Wayne Huang has extensive experience in the security industry and is a frequent speaker at security conferences including RSA (07, 10), SyScan (08, 09), OWASP (08, 09), Hacks in Taiwan (06, 07), WWW (03, 04), PHP (07) and DSN (04). He is the first author to achieve consecutive best paper nominations at the prestigious World Wide Web (WWW) Conferences (2003, 2004), and has a co-authored the Web Application Security chapter of "Computer Security in the 21st Century" (Springer US, 2005).
Wayne is a PhD candidate at the EE, NTU, and has received his BS and MS in CS from NCTU.