
Publication


Featured research published by Makoto Iwamura.


Annual Computer Security Applications Conference (ACSAC) | 2012

Code shredding: byte-granular randomization of program layout for detecting code-reuse attacks

Eitaro Shioji; Yuhei Kawakoya; Makoto Iwamura; Takeo Hariu

Code-reuse attacks that corrupt memory address pointers have been a major threat to software for many years. Numerous defenses have been proposed to counter this threat, but the majority of them impose strict restrictions on software deployment, such as requiring recompilation with a custom compiler, or cause integrity problems because they modify the program. One notable exception is ASLR (address space layout randomization), a widespread defense free of such burdens, but it is also known to be penetrated by a class of attacks that take advantage of its coarse randomization granularity. Focusing on minimizing randomization granularity while retaining these advantages of ASLR to the greatest extent, we propose a novel defensive approach called code shredding: a defensive scheme based on the idea of embedding the checksum value of a memory address as a part of the address itself. This simple yet effective approach hinders the designation of the specific addresses used in code-reuse attacks, by giving attackers the illusion of program code shredded into pieces at byte granularity and dispersed randomly over the memory space. We show our design and implementation of a proof-of-concept prototype system for the Windows platform and the results of several experiments conducted to confirm its feasibility and performance overhead.
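The following is an added illustration of the core idea in the abstract (a checksum of an address stored inside the address itself); it is not the authors' prototype and does not reproduce their Windows implementation. It assumes a hypothetical layout: 32-bit code pointers, all program code mapped below 1 << ADDR_BITS so that the top CHECK_BITS bits of every code pointer are unused, and a per-process secret key that an attacker holding a memory-corruption primitive does not know. The names (encode_pointer, verify_pointer, count_accepted_guesses) are this example's own.

```python
import hashlib
import hmac

# Hypothetical layout for this example (not the paper's): code below 16 MiB,
# so bits 24..31 of a 32-bit code pointer are free to hold a keyed checksum.
ADDR_BITS = 24
CHECK_BITS = 8
ADDR_MASK = (1 << ADDR_BITS) - 1
CHECK_MASK = (1 << CHECK_BITS) - 1


def checksum(addr: int, key: bytes) -> int:
    """CHECK_BITS-bit keyed checksum of a plain address (HMAC-SHA256, truncated)."""
    mac = hmac.new(key, addr.to_bytes(4, "little"), hashlib.sha256).digest()
    return mac[0] & CHECK_MASK


def encode_pointer(addr: int, key: bytes) -> int:
    """Store the checksum of addr in its otherwise-unused top bits."""
    if addr & ~ADDR_MASK:
        raise ValueError("address does not fit below the checksum field")
    return (checksum(addr, key) << ADDR_BITS) | addr


def verify_pointer(encoded: int, key: bytes) -> int:
    """Recover the plain address; raise if the embedded checksum does not match.
    In a real deployment this check sits on the indirect branch (ret/call/jmp)
    that consumes the pointer."""
    addr = encoded & ADDR_MASK
    if ((encoded >> ADDR_BITS) & CHECK_MASK) != checksum(addr, key):
        raise RuntimeError("pointer 0x%08x failed its checksum" % encoded)
    return addr


def count_accepted_guesses(gadget: int, key: bytes) -> int:
    """An attacker who knows the gadget address (e.g. after an ASLR leak) but not
    the key must guess the checksum field; count how many of the 2**CHECK_BITS
    candidate encodings the check accepts (exactly one)."""
    accepted = 0
    for guess in range(1 << CHECK_BITS):
        try:
            verify_pointer((guess << ADDR_BITS) | gadget, key)
            accepted += 1
        except RuntimeError:
            pass
    return accepted


def simulate_return(stack: list, key: bytes) -> int:
    """Pop a saved return address from a constructed stack and validate it the
    way an instrumented 'ret' would."""
    return verify_pointer(stack.pop(), key)


if __name__ == "__main__":
    key = bytes(range(32))  # constructed per-process secret
    print("legit ret ->", hex(simulate_return([encode_pointer(0x00401000, key)], key)))
    try:
        # Attacker overwrote the slot with a raw gadget address (checksum field 0).
        simulate_return([0x00401234], key)
        print("raw gadget address happened to pass (a 1 in 256 chance)")
    except RuntimeError as e:
        print("blocked:", e)
    print("encodings accepted per 256 guesses:",
          count_accepted_guesses(0x00401234, key))
```

With CHECK_BITS = 8 a blind overwrite survives the check with probability 1/256 per attempt; widening the field or checking on every indirect branch (not only returns) is what raises the cost, and the scheme is only as strong as the secrecy of the key and the guarantee that the checksum bits are never legitimately used by an address.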


2011 Third International Workshop on Cyberspace Safety and Security (CSS) | 2011

Controlling malware HTTP communications in dynamic analysis system using search engine

Kazufumi Aoki; Takeshi Yagi; Makoto Iwamura; Mitsutaka Itoh

Malware is one of the most serious threats on the Internet. Countermeasures have been developed, but many users are still infected. Detecting and preventing communication by infected users from the network side would effectively mitigate the threat of malware. For this, we need to collect information about the destinations or payloads of malware communication, and dynamic analysis is usually used to obtain it. Since some malware, e.g., bots and downloaders, requires access to the Internet, the dynamic analysis environment must be connected to the Internet. Recently developed malware communicates with remote hosts over HTTP not only for command-and-control (C&C) or malware downloading but also for attacks. For secure dynamic analysis in an environment with Internet connectivity, it is necessary to determine whether a destination serves C&C or malware downloading and to allow connections only to those servers. We propose a dynamic analysis system with an Internet connection that controls HTTP communication by using a search engine. To control HTTP connections, we built a classifier using a support vector machine based on the assumption that sites used for C&C or malware downloading are harder to find and have a lower backlink count than benign sites. Our classifier, which is trained on popular URLs and URLs obtained from malware analysis, has 99.69% cross-validation accuracy. We evaluated other known benign popular sites with our classifier, and they were all classified as benign. Our evaluation confirms that the classifier can distinguish benign sites, so the proposed dynamic analysis system is effective for safe analysis in an environment with an Internet connection.


International Conference on Malicious and Unwanted Software (MALWARE) | 2010

Memory behavior-based automatic malware unpacking in stealth debugging environment

Yuhei Kawakoya; Makoto Iwamura; Mitsutaka Itoh

Malware analysts first have to extract the hidden original code from a packed executable before they can analyze the malware, because most recent malware is obfuscated by a packer in order to disrupt analysis with debuggers and disassemblers. There are several studies on automatic extraction of the hidden original code; they execute the malware in an isolated environment, monitor memory writes and instruction fetches at runtime, determine whether the code under execution is newly generated, and then dump specific memory areas into a file as candidates for the original code. However, these conventional techniques output many dump files as candidates for the original code when experiments are conducted on malware in the wild, so manual identification of the true original code is still needed. In this paper, we present “memory behavior-based unpacking,” an algorithm that automatically identifies the true original code from among many candidates based on the change in the trend of accessed memory addresses before and after the dumping points. To realize this algorithm, we implemented Stealth Debugger, a virtual machine monitor for debugging and monitoring all memory accesses of a process without interruption by any anti-debugging functions of the malware. We evaluated the proposed system using malware obfuscated by various common packers. The results show that the system successfully finds the original entry points and obtains the original code of the malware.
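As an added example (not the authors' Stealth Debugger code), the block below runs the two ideas from the abstract over a constructed memory-access trace: the write-then-execute rule that produces dump candidates, and a simplified memory-behaviour criterion that ranks them. The trace, the page size, the window length and the Jaccard-based score are this example's assumptions; the paper's own ranking metric is not reproduced here.

```python
from collections import namedtuple

# One monitor record: op is 'W' (memory write) or 'X' (instruction fetch).
Event = namedtuple("Event", "op addr")
PAGE = 0x1000

# Constructed trace of a two-stage packer (assumption, not captured from real malware):
# the stub at 0x401xxx decodes a stage-2 routine into 0x402xxx, runs it as a
# subroutine, then restores the original program into 0x403xxx/0x404xxx.
TRACE = [Event(op, addr) for op, addr in [
    ("X", 0x401000), ("X", 0x401003),                    # unpacking stub starts
    ("W", 0x402000), ("W", 0x402001), ("X", 0x401005),   # stub writes stage-2 code
    ("W", 0x402002), ("X", 0x401008),
    ("X", 0x402000), ("X", 0x402002),                    # stage-2 executes: 1st write-then-execute hit
    ("X", 0x401010), ("X", 0x401013),                    # ...and returns into the stub
    ("W", 0x403000), ("X", 0x401015), ("W", 0x403004),   # stub restores the original code
    ("X", 0x401018), ("W", 0x404000), ("X", 0x40101b),
    ("X", 0x403000), ("X", 0x403004), ("X", 0x404000),   # original code runs: 2nd hit (true OEP)
    ("X", 0x404008), ("X", 0x403010), ("X", 0x404020),
]]


def find_dump_points(trace):
    """Write-then-execute detection: an instruction fetch from a byte written
    earlier (and not yet dumped) marks a candidate original entry point.
    Returns [(trace index, address)], one entry per dump that would be taken."""
    written = set()
    candidates = []
    for i, ev in enumerate(trace):
        if ev.op == "W":
            written.add(ev.addr)
        elif ev.op == "X" and ev.addr in written:
            candidates.append((i, ev.addr))
            written.clear()  # everything written so far is now in the dump
    return candidates


def memory_behavior_score(trace, idx, window):
    """Compare the set of pages executed in the `window` events before a
    candidate with the set executed in the `window` events from it onward.
    Execution that never returns to the unpacker's pages scores 1.0; a
    stage that bounces back to the stub shares pages and scores lower.
    (Jaccard distance; an assumption of this example, not the paper's metric.)"""
    before = {ev.addr // PAGE for ev in trace[max(0, idx - window):idx] if ev.op == "X"}
    after = {ev.addr // PAGE for ev in trace[idx:idx + window] if ev.op == "X"}
    if not before or not after:
        return 0.0
    return 1 - len(before & after) / len(before | after)


def select_original_entry_point(trace, window=8):
    """Pick the candidate whose surrounding memory behaviour changes the most."""
    candidates = find_dump_points(trace)
    if not candidates:
        return None
    best = max(candidates, key=lambda c: memory_behavior_score(trace, c[0], window))
    return best[1]


if __name__ == "__main__":
    for idx, addr in find_dump_points(TRACE):
        print("candidate OEP 0x%x at event %d, score %.2f"
              % (addr, idx, memory_behavior_score(TRACE, idx, 8)))
    print("selected OEP: 0x%x" % select_original_entry_point(TRACE))
```

On the constructed trace the stage-2 routine is a candidate but its after-window still contains stub pages, so it scores 0.5; the real entry point at 0x403000 scores 1.0 and is selected. Real unpackers track pages or byte ranges rather than single addresses and have to cope with packers that deliberately re-enter the stub after the OEP, which is exactly why a single write-then-execute hit is not enough.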


Recent Advances in Intrusion Detection (RAID) | 2013

API Chaser: Anti-analysis Resistant Malware Analyzer

Yuhei Kawakoya; Makoto Iwamura; Eitaro Shioji; Takeo Hariu

API (application programming interface) monitoring is an effective approach for quickly understanding the behavior of malware, and many malware countermeasures use it as their base. However, malware authors are now aware of this and develop malware with several anti-analysis techniques to evade API monitoring. In this paper, we present the design and implementation of an API monitoring system, API Chaser, which is resistant to evasion-type anti-analysis techniques such as stolen code and code injection. We evaluated API Chaser with several real-world malware samples, and the results showed that API Chaser correctly captures the API calls invoked by the malware without being evaded.


International Conference on Communications (ICC) | 2011

Towards Efficient Analysis for Malware in the Wild

Makoto Iwamura; Mitsutaka Itoh; Yoichi Muraoka

We propose two novel techniques for reducing the workload of malware analysis. The first technique is restricted instruction, which accelerates finding the longest common subsequence (LCS) between the machine code instruction sequences of malware. The second technique is probabilistic disassembly, which can find the most probable disassembly result of a binary stream without any clue such as debug symbols or import function information. By combining the two proposals and our generic unpacker, we built an automatic malware classification system. Given an unknown malware program, the system enables malware analysts to find the most similar known malware program to this unknown one, and even to identify the differing and common instructions. In one of our experiments, we classified 3,233 malware samples in the wild and found that 75% of the samples belong to the seven largest clusters. As a result, only seven samples, one from each cluster, had to be analyzed in order to reveal the functionality of the remaining 75%, showing a great increase in the efficiency of analysis.
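The block below is an added example of the LCS-based comparison the abstract describes, written for this page rather than taken from the authors' system: it canonicalizes disassembled instructions so that relocated or re-encoded copies compare equal, computes the LCS alignment, scores similarity, picks the closest known sample and lists the instructions of the unknown sample that the alignment leaves unmatched. The operand-class normalization, the similarity formula and the three instruction sequences are this example's own assumptions; the paper's restricted-instruction speed-up is not implemented.

```python
import re

IMMEDIATE = re.compile(r"0x[0-9a-fA-F]+|-?\d+")


def normalize(instr: str) -> str:
    """Keep the mnemonic and the kind of each operand (imm/mem/reg); drop the
    concrete values so 'call 0x401000' and 'call 0x402000' compare equal."""
    mnemonic, _, operands = instr.strip().partition(" ")
    kinds = []
    for op in ([o.strip() for o in operands.split(",")] if operands else []):
        if IMMEDIATE.fullmatch(op):
            kinds.append("imm")
        elif "[" in op:
            kinds.append("mem")
        else:
            kinds.append("reg")
    return mnemonic if not kinds else mnemonic + " " + ",".join(kinds)


def lcs_align(a, b):
    """Dynamic-programming LCS; returns the aligned index pairs (i, j)."""
    n, m = len(a), len(b)
    table = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n - 1, -1, -1):
        for j in range(m - 1, -1, -1):
            if a[i] == b[j]:
                table[i][j] = table[i + 1][j + 1] + 1
            else:
                table[i][j] = max(table[i + 1][j], table[i][j + 1])
    pairs, i, j = [], 0, 0
    while i < n and j < m:
        if a[i] == b[j]:
            pairs.append((i, j))
            i += 1
            j += 1
        elif table[i + 1][j] >= table[i][j + 1]:
            i += 1
        else:
            j += 1
    return pairs


def similarity(seq_a, seq_b):
    """2*LCS/(|a|+|b|): 1.0 for identical normalized sequences, 0.0 for disjoint."""
    a = [normalize(x) for x in seq_a]
    b = [normalize(x) for x in seq_b]
    if not a and not b:
        return 1.0
    return 2 * len(lcs_align(a, b)) / (len(a) + len(b))


def closest_known(unknown, known):
    """Return (name, score) of the known sample most similar to `unknown`."""
    return max(((name, similarity(unknown, seq)) for name, seq in known.items()),
               key=lambda t: t[1])


def differing_instructions(unknown, known_seq):
    """Instructions of `unknown` left unmatched by the LCS against `known_seq`."""
    a = [normalize(x) for x in known_seq]
    b = [normalize(x) for x in unknown]
    matched = {j for _, j in lcs_align(a, b)}
    return [unknown[j] for j in range(len(b)) if j not in matched]


# Constructed disassembly snippets (not from real samples).
KNOWN = {
    "family_a": ["push ebp", "mov ebp, esp", "sub esp, 0x40", "call 0x401000",
                 "test eax, eax", "jz 0x401234", "pop ebp", "ret"],
    "family_b": ["push ebp", "mov ebp, esp", "push esi", "mov esi, [ebp+8]",
                 "xor eax, eax", "lodsb", "pop esi", "pop ebp", "ret"],
}
# A relocated variant of family_a with one inserted instruction.
UNKNOWN = ["push ebp", "mov ebp, esp", "sub esp, 0x80", "call 0x402000", "nop",
           "test eax, eax", "jz 0x402abc", "pop ebp", "ret"]

if __name__ == "__main__":
    name, score = closest_known(UNKNOWN, KNOWN)
    print("closest: %s (similarity %.3f)" % (name, score))
    print("instructions not shared:", differing_instructions(UNKNOWN, KNOWN[name]))
```

The quadratic table is fine for a few hundred instructions per function but not for whole programs, which is the problem the paper's restricted-instruction technique addresses; in practice the normalization step also decides what counts as "the same" instruction across compiler and packer variations.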


Recent Advances in Intrusion Detection (RAID) | 2017

Stealth Loader: Trace-Free Program Loading for API Obfuscation

Yuhei Kawakoya; Eitaro Shioji; Yuto Otsuki; Makoto Iwamura; Takeshi Yada

Understanding how application programming interfaces (APIs) are used in a program plays an important role in malware analysis. This has resulted in an endless battle between malware authors and malware analysts over the development of API [de]obfuscation techniques during the last few decades. Our goal in this paper is to show a limit of existing API de-obfuscation. To do that, we first analyze existing API [de]obfuscation techniques and identify an attack vector common to existing API de-obfuscation techniques, and then we present Stealth Loader, a program loader that uses our API obfuscation technique to bypass all existing API de-obfuscations. The core idea of the technique is to load a dynamic link library (DLL) and resolve its dependencies without leaving any traces in memory that could be detected. We demonstrate the effectiveness of Stealth Loader by analyzing a set of Windows executables and malware protected with Stealth Loader using major dynamic and static analysis tools and techniques. The result shows that, among the obfuscation techniques compared, only Stealth Loader successfully bypasses all of the analysis tools and techniques.


Digital Investigation | 2018

Building stack traces from memory dump of Windows x64

Yuto Otsuki; Yuhei Kawakoya; Makoto Iwamura; Jun Miyoshi; Kazuhiko Ohkubo

Stack traces play an important role in memory forensics as well as in program debugging, because a stack trace provides a history of the code executed on a malware-infected host, and this history can become a clue for forensic analysts to uncover the cause of an incident, i.e., what the malware has actually done on the host. Nevertheless, existing research and tools for building stack traces in memory forensics are not well designed for x64 environments, even though these have already become the most popular environment. In this paper, we introduce the design and implementation of our method for building stack traces from a memory dump of a Windows x64 environment. To build a stack trace, we retrieve the user context of the target thread from the memory dump to determine the starting point of the trace, and then emulate stack unwinding by referencing the exception-handling metadata to build the thread's call stack. Even if the metadata are unavailable, which is often the case for malicious software, we produce equivalent data by scanning the stack with a flow-based verification method. We evaluate our method by comparing the stack traces it builds with those built by WinDbg to show its accuracy, and we present case studies using real malware to show its practicality.
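As an added example (not the authors' implementation), the block below shows the fallback path from the abstract in miniature: scanning a thread's stack for values that point into .text and keeping only those that a call instruction could actually have pushed, with the control-flow check that the call's target is the function the frame below is executing in. The image layout, function table, code bytes, thread context and stack contents are all constructed for the example; a real tool reads them from the dump's PE headers, RUNTIME_FUNCTION entries and thread structures, and has to decode many more call encodings than the three handled here.

```python
# Constructed x64 image: one .text section and four functions whose bounds stand
# in for what the PE exception directory (RUNTIME_FUNCTION) would provide.
TEXT_START, TEXT_END = 0x140001000, 0x140003000
FUNCTIONS = {
    "main":  (0x140001000, 0x140001100),
    "parse": (0x140001100, 0x140001200),
    "copy":  (0x140001200, 0x140001300),
    "leaf":  (0x140001300, 0x140001400),
}

CODE = {}


def _place(addr, hexbytes):
    for i, b in enumerate(bytes.fromhex(hexbytes)):
        CODE[addr + i] = b


_place(0x140001010, "e8eb000000")    # main:  call parse            -> return 0x140001015
_place(0x14000103b, "9090909090")    # nops: 0x140001040 is a stale code pointer, not a return
_place(0x14000105b, "e800001000")    # decoy E8 whose target lies outside .text
_place(0x140001150, "ff1500100000")  # parse: call [rip+0x1000]     -> return 0x140001156
_place(0x140001250, "e8ab000000")    # copy:  call leaf             -> return 0x140001255


def read(addr, n):
    """Read n bytes of .text; unmapped bytes read as 0xCC filler."""
    return bytes(CODE.get(addr + i, 0xCC) for i in range(n))


def function_of(addr):
    for name, (start, end) in FUNCTIONS.items():
        if start <= addr < end:
            return name
    return None


def call_before(ret_addr):
    """Decode the instruction that would have pushed ret_addr.
    ('direct', target) for E8 rel32; ('indirect', None) for FF 15 disp32 or
    FF D0..D7 (call r64); None if no call encoding ends at ret_addr."""
    b5 = read(ret_addr - 5, 5)
    if b5[0] == 0xE8:
        rel = int.from_bytes(b5[1:5], "little", signed=True)
        return ("direct", ret_addr + rel)
    b6 = read(ret_addr - 6, 6)
    if b6[0] == 0xFF and b6[1] == 0x15:
        return ("indirect", None)
    b2 = read(ret_addr - 2, 2)
    if b2[0] == 0xFF and 0xD0 <= b2[1] <= 0xD7:
        return ("indirect", None)
    return None


def scan_stack(rip, stack):
    """Walk the stack slots upward from RSP. A slot is accepted as a return
    address if it points into .text, is preceded by a call, and (for direct
    calls) that call targets the start of the function the frame below was
    executing in. Returns [(function, address)] from innermost to outermost."""
    frames = [(function_of(rip), rip)]
    callee = function_of(rip)
    for value in stack:
        if not (TEXT_START <= value < TEXT_END):
            continue
        call = call_before(value)
        if call is None:
            continue
        kind, target = call
        if kind == "direct":
            if not (TEXT_START <= target < TEXT_END):
                continue
            if callee is not None and target != FUNCTIONS[callee][0]:
                continue  # flow check failed: this call could not have led to the frame below
        caller = function_of(value)
        frames.append((caller, value))
        callee = caller
    return frames


# Constructed thread context and stack (qwords from RSP upward).
RIP = 0x140001320  # the thread was inside leaf when the dump was taken
STACK = [
    0x0000000000000000,
    0x0000000140001040,  # stale code pointer, preceded by nops
    0x0000000140001255,  # return into copy  (E8 call leaf)
    0x0000000000000042,
    0x0000000140001060,  # preceded by E8, but its target is outside .text
    0x0000000140001156,  # return into parse (indirect call)
    0x000000007ffe0000,  # data pointer outside .text
    0x0000000140001015,  # return into main  (E8 call parse)
]

if __name__ == "__main__":
    for name, addr in scan_stack(RIP, STACK):
        print("%-6s 0x%x" % (name, addr))
```

The indirect-call forms are accepted on the opcode pattern alone because the target cannot be recovered from the bytes without the dump's data pages, which is the weaker evidence a forensic tool must flag; the direct-call flow check is what discards the stale pointer and the decoy that a naive "points into .text" scan would report as frames.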


IEICE Transactions on Communications | 2010

Design and Implementation of High Interaction Client Honeypot for Drive-by-Download Attacks

Mitsuaki Akiyama; Makoto Iwamura; Yuhei Kawakoya; Kazufumi Aoki; Mitsutaka Itoh


Archive | 2006

Attack detector, attack detection method, and attack detection program

Makoto Iwamura; Yuhei Kawakoya; Tadaaki Yanagihara


Archive | 2014

Information processing device and identifying method

Makoto Iwamura; Yuhei Kawakoya; Takeo Hariu

Collaboration


Top co-authors of Makoto Iwamura:

Mitsuaki Akiyama (Nara Institute of Science and Technology)

Takeshi Yagi (The Furukawa Electric Co.)