Abstract
Worms, viruses, and other malware can be ticking bombs counting down to a specific time, when they might, for example, delete files or download new instructions from a public web server. We propose a novel virtual-machine-based analysis technique to automatically discover the timetable of a piece of malware, that is, when its events will be triggered, so that other types of analysis can discern what those events are. This information can be invaluable for responding to rapid malware, and automating its discovery can provide more accurate information with less delay than careful human analysis.

Developing an automated system that produces the timetable of a piece of malware is a challenging research problem. In this paper, we describe our implementation of a key component of such a system: the discovery of timers without making assumptions about the integrity of the infected system's kernel. Our technique runs a virtual machine at slightly different rates of perceived time (time as seen by the virtual machine), and identifies time counters by correlating memory write frequency with timer interrupt frequency.

We also analyze real malware to assess the feasibility of using full-system, machine-level symbolic execution on these timers to discover predicates. Because of the intricacies of the Gregorian calendar (leap years, different numbers of days in each month, etc.), these predicates will not be direct expressions on the timer but instead an annotated trace; so we formalize the calculation of a timetable as a weakest precondition calculation. Our analysis of six real worms sheds light on two challenges for future work: 1) time-dependent malware behavior often does not follow a linear timetable; and 2) an attacker with knowledge of the analysis technique can evade analysis. Our current results are promising in that with simple symbolic execution we are able to discover predicates on the day of the month for four real worms. Then, through more traditional manual analysis, we conclude that a more control-flow-sensitive symbolic execution implementation would discover all predicates for the malware we analyzed.
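The timer-discovery step described above, as an added illustration that is not the paper's implementation: a constructed guest model with four memory locations is "run" at several timer-interrupt rates for the same wall-clock duration, and an address is flagged as a time counter when its write count scales with the number of timer interrupts. The addresses, the guest's assumed HZ value, and the network/CPU event rates are all constructed for the example.

```python
from collections import Counter

# Constructed guest model (not the paper's code): a few memory locations
# and the event sources that write them.
TICKS_ADDR   = 0x1000   # jiffies-style tick counter: +1 per timer interrupt
SECONDS_ADDR = 0x1008   # wall-clock seconds: +1 every GUEST_HZ ticks
NET_ADDR     = 0x2000   # packet counter: driven by network traffic, not time
SCRATCH_ADDR = 0x3000   # scratch variable written by a CPU-bound loop
GUEST_HZ = 100          # the guest kernel *believes* its timer runs at 100 Hz

def simulate_guest(timer_hz, wall_seconds, net_pps, cpu_writes_per_sec):
    """Count memory writes per address for one VM run of wall_seconds.

    timer_hz is the rate at which the VMM actually delivers timer interrupts;
    varying it varies the guest's perceived time rate.  Network and CPU
    activity are tied to wall-clock time, so their write counts do not move.
    Returns (number_of_timer_interrupts, Counter of writes per address).
    """
    writes = Counter()
    interrupts = int(timer_hz * wall_seconds)
    for tick in range(1, interrupts + 1):
        writes[TICKS_ADDR] += 1
        if tick % GUEST_HZ == 0:            # guest thinks one second passed
            writes[SECONDS_ADDR] += 1
    writes[NET_ADDR] += int(net_pps * wall_seconds)
    writes[SCRATCH_ADDR] += int(cpu_writes_per_sec * wall_seconds)
    return interrupts, writes

def find_timers(rates, wall_seconds=60, net_pps=10, cpu_writes_per_sec=500, tol=0.02):
    """Flag addresses whose write count tracks the timer interrupt count.

    For a real time counter, writes / interrupts is the same in every run;
    for an address driven by anything else it shifts as the rate changes.
    The rates must differ from one another for the comparison to mean anything.
    """
    runs = [simulate_guest(r, wall_seconds, net_pps, cpu_writes_per_sec) for r in rates]
    addrs = set().union(*(w for _, w in runs))
    timers = []
    for addr in addrs:
        per_irq = [w[addr] / irqs for irqs, w in runs]
        spread = max(per_irq) - min(per_irq)
        if min(per_irq) > 0 and spread <= tol * max(per_irq):
            timers.append(addr)
    return sorted(timers)

if __name__ == "__main__":
    print([hex(a) for a in find_timers([100, 110, 125])])
```

Running the guest at 100, 110 and 125 Hz flags only the tick and seconds counters; the packet and scratch counters keep the same absolute write counts in every run, so their per-interrupt ratio drifts and they are rejected.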
Temporal search: detecting hidden malware timebombs with virtual machines. In ASPLOS XII: Proceedings of the 12th international conference on Architectural support for programming languages and operating systems, 2006.