Zhaoyan Xu
Guofei Gu
ABSTRACT
We propose a new, active scheme for fast and reliable detection of P2P malware by exploiting the enemies' strength against them. Our new scheme works in two phases: host-level dynamic binary analysis to automatically extract built-in remotely-accessible/controllable mechanisms (referred to as Malware Control Birthmarks or MCB) in P2P malware, followed by network-level informed probing for detection. Our new design demonstrates a novel combination of the strengths from both host-based and network-based approaches. Compared with existing detection solutions, it is fast, reliable, and scalable in its detection scope. Furthermore, it can be applicable to more than just P2P malware, more broadly any malware that opens a service port for network communications (e.g., many Trojans/backdoors). We develop a prototype system, PeerPress, and evaluate it on many representative real-world P2P malware (including Storm, Conficker, and more recent Sality). The results show that it can effectively detect the existence of malware when MCBs are extracted, and the detection occurs in an early stage during which other tools (e.g., BotHunter) typically do not have sufficient information to detect. We further discuss its limitations and implications, and we believe it is a great complement to existing passive detection solutions.
- Anubis: Analyzing Unknown Binaries. https://anubis.iseclab.org.Google Scholar
- Conficker C Analysis Report . http://mtc.sri.com/Conficker/.Google Scholar
- DynamoRIO . http://dynamorio.org/.Google Scholar
- LibVex . http://http://valgrind.org/.Google Scholar
- OffensiveComputing. http://www.offensivecomputing.net/.Google Scholar
- Phabot. http://www.secureworks.com/research/threats/phatbot/?threat=phatbot.Google Scholar
- Sulley. http://code.google.com/p/sulley/.Google Scholar
- Symantec Internet Security Threat Report. http://www.symantec.com/business/theme.jsp?themeid=threatreport.Google Scholar
- Temu . http://bitblaze.cs.berkeley.edu/temu.html.Google Scholar
- Virustotal. https://www.virustotal.com/.Google Scholar
- Z3 EMT Solver . http://research.microsoft.com/en-us/um/redmond/projects/z3/.Google Scholar
- Cybercriminals Making Sality Virus More Complex. http://www.spamfighter.com/Cybercriminals-Making\\-Sality-Virus-More-Complex-16068-News.htm, 2011.Google Scholar
- Thanassis Avgerinos, Edward Schwartz, and David Brumley. All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). In Proc. of IEEE S&P'10, 2010. Google ScholarDigital Library
- David Brumley, Juan Caballero, Zhenkai Liang, James Newsome, and Dawn Song. Towards automatic discovery of deviations in binary implementations with applications to error detection and fingerprint generation. In Proc. of USENIX Security'07, 2007. Google ScholarDigital Library
- David Brumley, Cody Hartwig, Zhenkai Liang, James Newsome, Pongsin Poosankam, Dawn Song, and Heng Yin. Automatically identifying trigger-based behavior in malware. In Wenke Lee, Cliff Wang, and David Dagon, editors, Botnet Analysis and Defense, volume 36, pages 65--88. Springer, 2008.Google Scholar
- Juan Caballero, Noah M. Johnson, Stephen McCamant, and Dawn Song. Binary code extraction and interface identification for security applications. In Proc. of NDSS'10, 2010.Google Scholar
- Juan Caballero, Pongsin Poosankam, Christian Kreibich, and Dawn Song. Dispatcher: Enabling active botnet infiltration using automatic protocol reverse-engineering. In Proc. of ACM CCS'09, 2009. Google ScholarDigital Library
- Juan Caballero, Pongsin Poosankam, Stephen McCamant, Domagoj Babic, and Dawn Song. Input generation via decomposition and re-stitching: Finding bugs in malware. In Proc. of ACM CCS'10, September 2010. Google ScholarDigital Library
- Juan Caballero, Shobha Venkataraman, Pongsin Poosankam, Min Gyung Kang, Dawn Song, and Avrim Blum. FiG: Automatic fingerprint generation. In Proc. of NDSS'07, 2007.Google Scholar
- Juan Caballero, Heng Yin, Zhenkai Liang, and Dawn Song. Polyglot: Automatic extraction of protocol message format using dynamic binary analysis. In Proc. of ACM CCS'07, 2007. Google ScholarDigital Library
- Chia Yuan Cho, Domagoj Babic, Pongsin Poosankam, Kevin Zhijie Chen, Edward XueJun Wu, and Dawn Song. Mace: Model-inference-assisted concolic exploration for protocol and vulnerability discovery. In Proc. of USENIX Security'11, 2011. Google ScholarDigital Library
- Baris Coskun, Sven Dietrich, and Nasir Memon. Friends of an enemy: Identifying local members of peer-to-peer botnets using mutual contacts. In Proc. of ACSAC'10, 2010. Google ScholarDigital Library
- W. Cui, J. Kannan, and H. J. Wang. Discoverer: Automatic protocol description generation from network traces. In Proceedings of USENIX Security Symposium, Boston, MA, August 2007. Google ScholarDigital Library
- W. Cui, M. Peinado, K. Chen, H. J. Wang, and L. Irun-Briz. Tupni: Automatic reverse engineering of input formats. In Proc. of ACM CCS'08, 2008. Google ScholarDigital Library
- Nicolas Falliere. Sality: Story of a peer-to-peer viral network. Technical report, 2011.Google Scholar
- Alexander Gostev. 2010: The year of the vulnerability . http://www.net-security.org/article.php?id=1543, 2010.Google Scholar
- Julian B. Grizzard, Vikram Sharma, Chris Nunnery, Brent Kang, and David Dagon. Peer-to-peer botnets: Overview and case study. In Proc. of USENIX HotBots'07, 2007. Google ScholarDigital Library
- Flix Grobert. Automatic identification of cryptographic primitives in software. Master's thesis, Ruhr-University Bochum,Germany, 2010.Google Scholar
- Guofei Gu, Roberto Perdisci, Junjie Zhang, and Wenke Lee. BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection. In Proc. of USENIX Security'08, 2008. Google ScholarDigital Library
- Guofei Gu, Vinod Yegneswaran, Phillip Porras, Jennifer Stoll, and Wenke Lee. Active botnet probing to identify obscure command and control channels. In Proc. of ACSAC'09, 2009. Google ScholarDigital Library
- Guofei Gu, Junjie Zhang, and Wenke Lee. BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation. In Proceedings of USENIX Security'07, 2007. Google ScholarDigital Library
- Guofei Gu, Junjie Zhang, and Wenke Lee. BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic. In Proc. of NDSS'08, 2008.Google Scholar
- Duc T. Ha, Guanhua Yan, Stephan Eidenbenz, and Hung Q. Ngo. On the effectiveness of structural detection and defense against p2p-based botnets. In Proc. of DSN'09, 2009.Google ScholarCross Ref
- Mark Jelasity and Vilmos Bilicki. Towards automated detection of peer-to-peer botnets: on the limits of local approaches. In Proc. of LEET'09, 2009. Google ScholarDigital Library
- E. Kirda, C. Kruegel, G. Banks, G. Vigna, and R. Kemmerer. Behavior-based spyware detection. In Proc. of USENIX Security'06, 2006. Google ScholarDigital Library
- Clemens Kolbitsch, Paolo Milani Comparetti, Christopher Kruegel, Engin Kirda, Xiaoyong Zhou, and Xiaofeng Wang. Effective and efficient malware detection at the end host. In Proc. of USENIX Security'09, 2009. Google ScholarDigital Library
- Clemens Kolbitsch, Thorsten Holz, Christopher Kruegel, and Engin Kirda. Inspector gadget: Automated extraction of proprietary gadgets from malware binaries. In 31st IEEE Symposium on Security and Privacy, May 2010. Google ScholarDigital Library
- Andrea Lanzi, Davide Balzarotti, Christopher Kruegel, Mihai Christodorescu, and Engin Kirda. AccessMiner: using system-centric models for malware protection. In Proc. of ACM CCS'10, 2010. Google ScholarDigital Library
- Felix Leder and Peter Martini. Ngbpa: Next generation botnet protocol analysis. In SEC, pages 307--317, 2009.Google Scholar
- Andrea De Lucia. Program slicing: Methods and applications. In 1st IEEE International Workshop on Source Code Analysis and Manipulation, 2001.Google Scholar
- Reiter M. and Yen T. Traffic aggregation for malware detection. In Proc. of DIMVA'08, 2008. Google ScholarDigital Library
- Andreas Moser, Christopher Kruegel, and Engin Kirda. Exploring Multiple Execution Paths for Malware Analysis. In IEEE Symposium on Security and Privacy, 2007. Google ScholarDigital Library
- Shishir Nagaraja, Prateek Mittal, Chi-Yao Hong, Matthew Caesar, and Nikita Borisov. Botgrep: finding p2p bots with structured graph analysis. In Proc. of USENIX Security'10, 2010. Google ScholarDigital Library
- P.M.Comparetti, G.Salvaneschi, E.Kirda, C. Kolbitsch, C.Krugel, and S.Zanero. Identifying dormant functionality in malware programs. In 31st IEEE Symposium on Security and Privacy, May 2010. Google ScholarDigital Library
- Phillip Porras, Hassen Saidi, and Vinod Yegneswaran. An Analysis of Conficker's Logic and Rendezvous Points. http://mtc.sri.com/Conficker/, 2009.Google Scholar
- Paul Royal, Mitch Halpin, David Dagon, Robert Edmonds, and Wenke Lee. Polyunpack: Automating the hidden-code extraction of unpack-executing malware. In Proc. of ACSAC'06, 2006. Google ScholarDigital Library
- Prateek Saxena, Pongsin Poosankam, Stephen McCamant, and Dawn Song. Loop-extended symbolic execution on binary programs. In Proc. of ISSTA'08, 2008. Google ScholarDigital Library
- Joe Stewart. Inside the Storm. http://www.blackhat.com/presentations/bh-usa-08/Stewart/BH_US_08_Stewart_Protocols_of_the_Storm.pdf.Google Scholar
- Elizabeth Stinson and John C. Mitchell. Towards systematic evaluation of the evadability of bot/botnet detection methods. In WOOT'08, 2008. Google ScholarDigital Library
- S. Stover, D. Dittrich, J. Hernandez, and S. Dietrich. Analysis of the storm and nugache trojans: P2P is here. In ;login, 2007.Google Scholar
- Tielei Wang, Tao Wei, Guofei Gu, and Wei Zou. Taintscope: A checksum-aware directed fuzzing tool for automatic software vulnerability detection. In Proc. of IEEE S&P'10, 2010. Google ScholarDigital Library
- Xinran Wang, Yoon-Chan Jhi, Sencun Zhu, and Peng Liu. Behavior based software theft detection. In Proc. ACM CCS'09, 2009. Google ScholarDigital Library
- Zhi Wang, Xuxian Jiang, Weidong Cui, Xinyuan Wang, and Mike Grace. Reformat: Automatic reverse engineering of encrypted messages. In Proc. of ESORICS'09, 2009. Google ScholarDigital Library
- J. Wilhelm and Tcker Chiueh. A forced sampled execution approach to kernel rootkit identification. In Proc. of RAID'07, 2007. Google ScholarDigital Library
- Zhaoyan Xu, Lingfeng Chen, and Guofei Gu. PeerPress: Fast and reliable detection of p2p malware (and beyond). Technical report, Texas A&M University, 2012.Google Scholar
- H. Yin, D. Song, M. Egele, C. Kruegel, and E. Kirda. Panorama: Capturing system-wide information flow formalware detection and analysis. In In ACM Conference on Computer and Communication Security (CCS), 2007. Google ScholarDigital Library
Index Terms
- PeerPress: utilizing enemies' P2P strength against them
Recommendations
A framework for metamorphic malware analysis and real-time detection
Metamorphism is a technique that mutates the binary code using different obfuscations. It is difficult to write a new metamorphic malware and in general malware writers reuse old malware. To hide detection the malware writers change the obfuscations (...
Panorama: capturing system-wide information flow for malware detection and analysis
CCS '07: Proceedings of the 14th ACM conference on Computer and communications securityMalicious programs spy on users' behavior and compromise their privacy. Even software from reputable vendors, such as Google Desktop and Sony DRM media player, may perform undesirable actions. Unfortunately, existing techniques for detecting malware and ...
Automatic generation of vaccines for malware immunization
CCS '12: Proceedings of the 2012 ACM conference on Computer and communications securityInspired by the biological vaccines, we explore the possibility of developing similar vaccines for malware immunization. We provide the first systematic study towards this direction and present a prototype system, AGAMI, for automatic generation of ...
Comments