INSPECTOR GADGET: AUTOMATED EXTRACTION OF PROPRIETARY GADGETS FROM MALWARE BINARIES

Christopher Kruegel, University of California
Engin Kirda, Institute Eurecom
Clemens Kolbitsch, Thorsten Holz, Secure Systems Lab, Vienna University of Technology

31st IEEE Symposium on Security & Privacy, 2010

Page 1: Inspector Gadget: Automated Extraction of Proprietary Gadgets from Malware Binaries

INSPECTOR GADGET: AUTOMATED EXTRACTION OF PROPRIETARY GADGETS FROM MALWARE BINARIES

Christopher Kruegel, University of California
Engin Kirda, Institute Eurecom
Clemens Kolbitsch, Thorsten Holz, Secure Systems Lab, Vienna University of Technology

31st IEEE Symposium on Security & Privacy, 2010

Page 2: Outline

  • Introduction
  • System Overview
  • Automated Extraction
  • Gadget Preparation and Replay
  • Gadget Inversion
  • Evaluation

Page 3: Introduction

  • Malware is the driving force behind many of the attacks on the Internet today.
  • It is now increasingly deployed as software that can be remotely controlled.

Page 4: How to analyze…

  • Static analysis
    ○ Obfuscation, etc.
  • Dynamic analysis
    ○ It does not support automatically extracting a specific functionality from the malware.
    ○ Ex: the domain generation algorithm of samples that use domain flux
    ○ Ex: the decoding function

Page 5: This paper aims…

  • Presenting a novel approach to automatically extract from a given malware the instructions that are responsible for a certain activity of the sample.
  • First, INSPECTOR performs dynamic program slicing on the malware to extract a slice with "interesting" behavior.
  • Second, it generates a stand-alone gadget based on the extracted slice.

Page 6: Advantages of the extracted gadgets

  • Reduce our exposure to the malicious code
  • Immediately carry out a certain operation the malware performs
  • Identify in-memory buffers that hold decrypted data
  • Some gadgets can be inverted.

Page 7: System Overview

Page 8: Automated Extraction: Generating Activity Logs

  • Anubis [web] performs dynamic malware analysis based on a processor emulator (QEMU).
    ○ Recording all executed instructions
    ○ Marking each byte returned by a system call, and following it with taint tracking
    ○ Recording all memory accesses
  • Once an analyst has spotted an interesting behavior, she can instruct INSPECTOR to extract a gadget.

Page 9: Automated Extraction (cont.): Selecting and Extracting Algorithms

  • An analyst has to select the relevant flow manually.
    ○ In the HTTP download, she may select WriteFile or CreateFile.
  • Extract a slice
    ○ Attempts to find all data sources required to calculate the parameters passed to the function call.

Page 10: Selecting and Extracting Algorithms: Forward Searching and Backward Slicing

  • The behavior selected by an analyst is not the intended endpoint.
  • The analyst should specify something as an endpoint where the forward searching stops.
  • Heuristics for detecting endpoints
    ○ String comparison functions, or execution of code containing string handling instructions
    ○ The data has been processed by a list of mathematical instructions.

Page 11: Selecting and Extracting Algorithms (cont.): Closure Analysis

  • INSPECTOR can decide to deliberately exclude certain dependencies.
    ○ Conditional jumps
    ○ A behavior that is only triggered under a certain condition
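The backward slicing of slides 9 to 11, worked through as an added example that is not code from the paper or the INSPECTOR system: a constructed Anubis-style activity log (a handful of instruction records with the registers and memory cells each one reads and writes, and the conditional jump that guards it) is sliced backwards from a CreateFileA call. The `include_control` switch is the closure-analysis decision of slide 11: with it, the conditional jump and the configuration check it depends on are pulled into the slice; without it, they are deliberately dropped and the slice keeps only the arithmetic that produces the file name. The record layout, the location names and the trace itself are assumptions of this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple


# Constructed stand-in for one record of an activity log: the instruction text, the
# locations (registers / memory cells) it reads and writes, and the index of the
# conditional jump that guards its execution, if any (its control dependency).
@dataclass(frozen=True)
class Record:
    idx: int
    insn: str
    reads: FrozenSet[str] = frozenset()
    writes: FrozenSet[str] = frozenset()
    ctrl: Optional[int] = None


def backward_slice(trace: List[Record], sink: int,
                   include_control: bool) -> Tuple[List[int], Set[str]]:
    """Dynamic backward slice from the instruction at index `sink`.

    Walks the trace backwards and keeps every record that defines a location the
    slice still needs. With include_control=True the conditional jumps guarding
    included records (and whatever they depend on) are kept as well; with False
    those dependencies are dropped on purpose, as in the closure analysis of slide 11.
    Returns the slice (sorted indices) and the locations no traced instruction
    defined, i.e. static memory the gadget would have to ship with (slide 12).
    """
    included: Set[int] = {sink}
    pending: Set[str] = set(trace[sink].reads)
    needed_ctrl: Set[int] = set()
    if include_control and trace[sink].ctrl is not None:
        needed_ctrl.add(trace[sink].ctrl)
    for rec in reversed(trace[:sink]):
        if not (rec.writes & pending) and rec.idx not in needed_ctrl:
            continue
        included.add(rec.idx)
        # A record that reads and writes the same location (imul ebx, ...) keeps it pending.
        pending = (pending - rec.writes) | set(rec.reads)
        if include_control and rec.ctrl is not None:
            needed_ctrl.add(rec.ctrl)  # ctrl < rec.idx, so the jump is visited later
    return sorted(included), pending


# Constructed trace: a seed taken from a system call is mixed arithmetically, then
# (only if a config word at 0x401000 is non-zero) truncated and stored as the name
# handed to CreateFileA. Record 0 is the tainted data source of slide 8.
TRACE = [
    Record(0, "call GetSystemTime", frozenset(), frozenset({"eax"})),
    Record(1, "mov ebx, eax", frozenset({"eax"}), frozenset({"ebx"})),
    Record(2, "imul ebx, 0x343FD", frozenset({"ebx"}), frozenset({"ebx", "eflags"})),
    Record(3, "add ebx, 0x269EC3", frozenset({"ebx"}), frozenset({"ebx", "eflags"})),
    Record(4, "mov ecx, [0x401000]", frozenset({"mem[0x401000]"}), frozenset({"ecx"})),
    Record(5, "cmp ecx, 0", frozenset({"ecx"}), frozenset({"eflags"})),
    Record(6, "jne 0x40102A", frozenset({"eflags"}), frozenset()),
    Record(7, "and ebx, 0xFFFF", frozenset({"ebx"}), frozenset({"ebx", "eflags"}), ctrl=6),
    Record(8, "mov [0x402000], ebx", frozenset({"ebx"}), frozenset({"mem[0x402000]"}), ctrl=6),
    Record(9, "lea eax, [0x402000]", frozenset(), frozenset({"eax"})),
    Record(10, "push eax", frozenset({"eax"}), frozenset({"mem[esp]"})),
    Record(11, "call CreateFileA", frozenset({"mem[esp]", "mem[0x402000]"}), frozenset({"eax"})),
]


if __name__ == "__main__":
    for flag in (False, True):
        indices, static_inputs = backward_slice(TRACE, sink=11, include_control=flag)
        print(f"include_control={flag}: slice={indices} static_inputs={sorted(static_inputs)}")
        for i in indices:
            print("   ", TRACE[i].insn)
```

Run stand-alone, the data-only slice keeps records 0 to 3 and 7 to 11 and needs no static memory; the control-inclusive slice adds records 4 to 6 and reports `mem[0x401000]` as an undefined input, which is exactly the kind of static memory area slide 12 extracts into a data file.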

Page 12: Gadget Preparation and Replay: Gadget Format and Relocation

  • Dynamic loadable library (DLL)
  • All references to absolute code addresses are rewritten to use relative addressing
  • Extract all static memory areas into a data file

Page 13: Gadget Preparation and Replay (cont.): Gadget Player

  • Memory management
    ○ Preinitialized memory areas
    ○ Provide the player with a complete view of the memory buffers accessible to the gadget.

Page 14: Gadget Preparation and Replay (cont.): Execution Containment

  • Must isolate the gadget from the player's memory
  • Some choices
    ○ Emulation (performance consideration)
    ○ Our approach: memory management rewrites the memory accesses, the gadget runs in a separate thread, and API or system calls are redirected to the environment interface
    ○ Other approaches: SFI, Native Client [web]

Page 15: Gadget Preparation and Replay (cont.): Environment Interface

  • During gadget start-up, a callback function is registered inside the gadget
    ○ Invoked by the gadget each time it makes a system or Windows API call
    ○ The callback can be changed by the analyst

Page 16: Gadget Preparation and Replay (cont.): Callback Handling

  • The gadget player can return fake information to the gadget

Page 17: Gadget Inversion: Main idea

  • First, extract the gadget that is responsible for stealing and encoding the data
  • Second, compute the input that leads to the output observed in the network dump
    ○ Use brute force and the data dependencies

Page 18: Gadget Inversion

Let I be the set of input bytes and O the set of output bytes; v is the expected value of an output byte o.

Dependent input bytes: D_o = { i ∈ I | o depends on i }

Candidate inputs: C_{o,v} (only the label of this definition is recoverable from the slide)

Page 19: Gadget Inversion: Implementation

  • Using taint tracking to get the dependency information
  • Applicability
    ○ Base64: 3 bytes encode to 4 bytes; each output byte depends on 2 input bytes

Page 20: Gadget Inversion

  • XOR
    ○ Using a constant key: depends on 1 byte
    ○ Using the content as key: depends on 2 bytes
  • Strong encryption
    ○ Ex: RSA
    ○ Depends on all bytes
    ○ Impossible
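The inversion of slides 17 to 20, carried through as an added example (not code from the paper or from INSPECTOR): output bytes are processed left to right and, for each output byte o, only the input positions in D_o that earlier candidates have not fixed yet are brute-forced, so Base64 (two bytes per output) and content-keyed XOR (two bytes) are recovered cheaply while a gadget whose every output byte depends on every input byte is reported as infeasible. The paper obtains D_o with taint tracking; this example assumes a differential stand-in instead (flip bits of one input byte, record which output bytes change). The `chained_xor` encoder, the `sha256_gadget` stand-in for strong encryption, the `MAX_NEW_BYTES` budget and the "stolen" input `b"secret"` are all constructed for the example.

```python
import base64
import hashlib
import itertools
from typing import Callable, Dict, List, Optional, Set

Encoder = Callable[[bytes], bytes]

# How many not-yet-fixed input bytes may be brute-forced for a single output byte.
# 2 covers Base64 and content-keyed XOR (slides 19-20); a larger dependency set is
# reported as infeasible, the "strong encryption" case of slide 20.
MAX_NEW_BYTES = 2


def infer_dependencies(encode: Encoder, n: int) -> Dict[int, Set[int]]:
    """Stand-in for the taint tracking the paper uses (an assumption of this example):
    probe the encoder by flipping bits of one input byte at a time and record which
    output bytes change. Returns D_o, the input positions output byte o depends on."""
    base_in = bytes(n)
    base_out = encode(base_in)
    deps: Dict[int, Set[int]] = {o: set() for o in range(len(base_out))}
    for i in range(n):
        for mask in (0xFF, 0x0F, 0xF0):  # several masks so partial-byte uses show up
            probe = bytearray(base_in)
            probe[i] ^= mask
            for o, (a, b) in enumerate(zip(base_out, encode(bytes(probe)))):
                if a != b:
                    deps[o].add(i)
    return deps


def invert_gadget(encode: Encoder, observed: bytes, n: int,
                  deps: Dict[int, Set[int]]) -> Optional[bytes]:
    """Recover the n input bytes for which encode(input) == observed.

    Candidates are partial assignments {input position: value}. For output byte o
    only the positions in D_o a candidate has not fixed yet are brute-forced, and the
    candidate survives only if the encoder reproduces observed[o]. Positions outside
    D_o are zero-filled for the trial, which is safe because, by definition of D_o,
    they cannot influence output byte o. Returns None when an output byte would need
    more than MAX_NEW_BYTES positions brute-forced at once, or when no input fits.
    """
    candidates: List[Dict[int, int]] = [{}]
    for o, expected in enumerate(observed):
        positions = sorted(deps.get(o, set()))
        survivors: List[Dict[int, int]] = []
        for cand in candidates:
            new_pos = [i for i in positions if i not in cand]
            if len(new_pos) > MAX_NEW_BYTES:
                return None
            for vals in itertools.product(range(256), repeat=len(new_pos)):
                trial = dict(cand)
                trial.update(zip(new_pos, vals))
                buf = bytearray(n)
                for i, v in trial.items():
                    buf[i] = v
                if encode(bytes(buf))[o] == expected:
                    survivors.append(trial)
        candidates = survivors
        if not candidates:
            return None
    # Positions fixed by some D_o hold the value that reproduces the observation;
    # positions no output byte depends on (none for the encoders below) stay zero.
    solution = bytearray(n)
    for i, v in candidates[0].items():
        solution[i] = v
    return bytes(solution)


def base64_gadget(data: bytes) -> bytes:
    """The Base64 case of slide 19: 3 input bytes become 4 output bytes."""
    return base64.b64encode(data)


def chained_xor(data: bytes) -> bytes:
    """Constructed content-keyed XOR (slide 20): each byte is XORed with the previous
    plaintext byte (a fixed IV for the first), so output i depends on inputs i-1 and i."""
    out, prev = bytearray(), 0x5A
    for b in data:
        out.append(b ^ prev)
        prev = b
    return bytes(out)


def sha256_gadget(data: bytes) -> bytes:
    """Stand-in for strong encryption: every output byte depends on every input byte."""
    return hashlib.sha256(data).digest()


if __name__ == "__main__":
    secret = b"secret"  # constructed "stolen" data the gadget encodes before sending
    for name, enc in (("base64", base64_gadget), ("chained XOR", chained_xor)):
        observed = enc(secret)  # what the network dump would show
        deps = infer_dependencies(enc, len(secret))
        print(name, "D_o:", {o: sorted(d) for o, d in deps.items()})
        print(name, "recovered:", invert_gadget(enc, observed, len(secret), deps))
    all_bytes = {o: set(range(len(secret))) for o in range(32)}
    print("sha256 recovered:", invert_gadget(sha256_gadget, sha256_gadget(secret), len(secret), all_bytes))
```

For Base64 the inferred dependency map is D_0 = {0}, D_1 = {0, 1}, D_2 = {1, 2}, D_3 = {2} per 3-byte group, matching slide 19, and the search needs only a few thousand encoder calls for six input bytes because each output byte adds at most one new position once the earlier ones are fixed; the SHA-256 stand-in returns None immediately, since its first output byte already depends on all six inputs.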

Page 21: Gadget Inversion: Possible Extensions

  • Extract algebraic formulae
    ○ Constraint solver
  • Input parallelization
    ○ Check multiple input candidates

Page 22: Evaluation

Page 23: Evaluation: Domain Flux: Conficker [web]

Page 24: Evaluation

Page 25: Evaluation: Fetching Binary Updates: Pushdo

  • Over a period of 16 days
  • Changed IP for 3 C&C servers

Binary Update Decryption: Pushdo

  • The Pushdo client uses a random key appended to the URL in order to get the encrypted file.
  • Invert the program to find the key

Page 26: Evaluation: Binary Update Generation: Pushdo

  • Invert the decryption algorithm
  • Redirect the connection to our server
  • 140 bytes in 44 seconds

Page 27: Evaluation: Template-based Spamming: Cutwail

  • XOR-based encryption
  • Stores the template in memory