SLIDE 1
The development of a contained and user emulated malware assessment platform
Siebe Hodzelmans & Frank Potter
(TechCrunch, 2012)
2/23
The development of a contained and user emulated malware assessment - - PowerPoint PPT Presentation
The development of a contained and user emulated malware assessment - - PowerPoint PPT Presentation
The development of a contained and user emulated malware assessment platform Siebe Hodzelmans & Frank Potter (TechCrunch, 2012) 2/23 Incident Response and Malware Analysis (Debrie, Lone-Sang, and Quint, 2014) 3/23 (ArsTechnica, 2017)
SLIDE 2
SLIDE 3
Incident Response and Malware Analysis
3/23
(Debrie, Lone-Sang, and Quint, 2014)
SLIDE 4
(ArsTechnica, 2017)
4/23
SLIDE 5
(Times Square Chronicles, 2019)
5/23
SLIDE 6
Research ques+on
‘How can malware be tested for detection of antivirus software by emulating user actions, without the AV vendor learning about the malware?’
6/23
SLIDE 7
Sub questions
- What traffic is generated by AV software?
- How to prevent AV software from notifying and submitting
the red team’s malware to the AV vendor?
- Are there any differences between direct scanning and user
emulated detection rates?
7/23
SLIDE 8
Methodology - Traffic analysis
- McAfee, Symantec and Trend Micro
- Malware samples
8/23
SLIDE 9
9/23
SLIDE 10
Methodology - Preventing submission
10/23
SLIDE 11
11/23
SLIDE 12
Methodology - User emulation
(Kamali, 2016)
- Compare manual with emulated behavior of malware
- Web browsing user emulation with pywinauto and pyautogui
- Malware infection Tree
12/23
SLIDE 13
Results - Traffic analysis
- Traffic capture:
○ McAfee, Symantec and Trend Micro ○ Later Kaspersky
- In general:
○ Installation, registration, updating ○ Analytical data ○ Lots of hashes and encoded data ○ Only HTTP(S)
13/23
SLIDE 14
Results - Traffic analysis
- Noteworthy:
○ Trend Micro: missing SNI, long plain HTTP GET ○ McAfee: every file gets hashed, google analytics ○ Symantec: ping submission with data buffer ○ Kaspersky: lot of HTTP(S) 400 and 502 errors, certificate pinning
- No sample submission
14/23
SLIDE 15
Results - Traffic analysis
15/23
Das Malwerk Deloitte obfuscated Deloitte direct exports 1e84- ff45 1f7b- 55c7 230a- 6f87 266a- 11f5 2578- 6c51
- bf.
exe
- bf. dll
1
- bf. dll
2 beacon exe beacon dll msf vnm McAfee
✔ ✔ ✔ ✔ ✔
Symantec
✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Trend Micro
✖ ✔ ✔ ✔ ✔ ✔ ✔
Kaspersky
✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
SLIDE 16
Results - Sample submission preven3on
- Offline: undesirable
○ Difference Trend Micro ○ Warning Symantec
- Blacklisting
○ Unsure what to block ○ Updates can change endpoints
- Whitelisting
○ Robust ○ Parameters: ■ hostnames ■ traffic size and direction ■ content
16/23
SLIDE 17
Results - User emulation
- Two ways:
○ pywinauto, accessibility API ○ pyautogui, mouse and keyboard, screenshots
- Compared manual to emulation
○ Malware infection Tree ○ File handles, process tree structure
17/23
SLIDE 18
Results - User emulation
18/23
SLIDE 19
Results - User emula-on
19/23
SLIDE 20
Discussion
- Contamination of packet captures
- mitmproxy
○ Insecure connections ○ Kaspersky errors
- Results of sample submission prevention
○ Unable to trigger sample submission ○ Flaw in research design ○ Based on what we did observe
- McAfee low detection rate
20/23
SLIDE 21
- Variety of traffic
○ But no sample submission
- Whitelisting the best approach
- Dynamic analysis is of added value
○ User emulation matches manual ○ Multiple approaches to emulation
21/23
How can malware be tested for detection
- f antivirus software
by emulating user actions, without the AV vendor learning about the malware?
Conclusion
SLIDE 22
Future work
- Exploratory investigation in traffic generated by AV software
○ Another approach: reverse engineering
- Combine whitelisting with IRMA
- Monitoring AV detection of malware
22/23
SLIDE 23
23/23