Computer Security Symposium, October: Proposal of static analysis assistance method utilizing the dynamic analysis log (Alkanet, IDA, MWS)


Computer Security Symposium 2016, 11-13 October 2016

Proposal of static analysis assistance method utilizing the dynamic analysis log

Shota Nakajima 1,a), Shuhei Aketa 1, Eiji Takimoto 1, Shoichi Saito 2, Koichi Mouri 1
1 Ritsumeikan University
2 Nagoya Institute of Technology
a) snakajima@asl.cs.ritsumei.ac.jp

Abstract: Malware analysis is important for anti-malware. General malware analysis is carried out in the order of dynamic analysis and static analysis. However, at present the results of dynamic analysis are not linked with static analysis. We propose a static analysis assistance method utilizing the dynamic analysis log. The proposed method provides assistance information for static analysis, which includes the API call information and the code of the malware in memory acquired by dynamic analysis. In this paper, we describe a static analysis assistance method that links the system call tracer Alkanet and the disassembler IDA.

Keywords: MWS, malware, dynamic analysis, static analysis, API trace

1. [1] [2] 3 [3] API

[4] [5] API Alkanet [6] API IDA [7] API API Alkanet API API API

Figure 1: Utilization of the dynamic analysis log (figure labels, translated)
  Log acquisition by dynamic analysis: dynamic analysis / analysis system -> dynamic analysis log, containing the API call information (API name / arguments, return value / caller) and the code related to the malware.
  Static analysis assistance: static analysis / disassembler; narrowing the static analysis scope; referring to the API call information observed at run time; automating acquisition of the code related to the malware.

API 2 3 4 5 6

2.
2.1 ( 1 ) ( 2 ) API ( 3 ) API API API API API

Figure 2: Overview of the proposed system (figure labels, translated)
  Dynamic analysis part (dynamic analysis using Alkanet): system call trace, stack trace, acquisition of the code related to the malware.
    Malware observation PC: VM running Windows (user mode / kernel mode, SystemCall); Alkanet on BitVisor (CPU, PID, TID, sysenter / sysexit) saves the log; SystemCall Analyzer; IEEE1394 link to the logging PC.
    Logging PC: Alkanet Logger, LogAnalyzer; analysis output in JSON format. Log columns: No., Time, Cid, Name, Type, Ret, SNo., Note, StackTrace.
  Static analysis part: analysis by a Python script (API info extraction) extracts the API call information from the dynamic analysis log into a file (API info, code dump); an IDA plugin merges it into IDA (Disassembler), associating the API call information with the disassembled code.

2.2 2.1 1 API API API 2.1 (1)(2) API API CALL API API (3)

3.
3.1 2 Alkanet API python IDA Alkanet python Alkanet API API API IDA API

3.2 Alkanet Alkanet 3 3 Windows API WriteFile Alkanet 1 Alkanet Alkanet [8] API API 1 SP StackBase StackLimit 2 API API API - Writable PTE( )

Figure 3: Alkanet log for WriteFile (log excerpt as shown in the paper)

    No.:3951 Time :156673305 Type:sysenter SNo.:112 (NtWriteFile) Cid :70c.2d8 Name:sample.exe
    Note: file_name: \Device\HarddiskVolume1\Documents and Settings\snakajima\Desktop\test.txt current_byteoffset:0 p_buffer:0x12fb48 length:0x4 byteoffset:0 buffer: raw:41 41 41 41 utf16:\u4141\u4141
    StackTrace: SP: 12f5d0, StackBase: 130000, StackLimit: 126000
    [00] <- 7c94df6c (API: NtWriteFile+0xc, Writable: 0, Dirty: 0, VAD: {7c940000 --7c9dc000, ImageMap: 1, File: "\WINDOWS\system32\ntdll.dll"}), SP: 12f5d0
    [05] <- 7c817067 (API: BaseProcessStart+0x23, Writable: 0, Dirty: 0, VAD: {7c800000 --7c933000, ImageMap: 1, File: "\WINDOWS\system32\kernel32.dll"}), BP: 12ffc0

x86 PTE 1 Dirty Writable PTE x86 PTE 6 VAD Windows VAD (Virtual Address Descriptor) [9] VAD VAD VAD VAD EPROCESS VAD VAD API Alkanet Alkanet NtWriteFile Dirty 1 Alkanet

3.3 python Alkanet API IDA Alkanet API API API API API MWS Datasets 2016 [10] BOS2014 Alkanet DLL c13.exe Alkanet starter.exe splash_screen.dll starter.exe starter.exe splash_screen.dll

3.3.1 API Alkanet Alkanet API python Alkanet API Alkanet VAD

    "580": {"proc_image_name": "c13.exe",                                   (a)
            "vad_end": "0x435000", "vad_start": "0x400000"},
    "812": {"proc_image_name": "starter.exe",
            "vad_file_info": [                                              (b)
                {"vad_filename": "\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\RarSFX0\\starter.exe",
                 "vad_file_end": "0x407000", "vad_file_start": "0x400000"},
                {"vad_filename": "\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\RarSFX0\\splash_screen.dll",
                 "vad_file_end": "0x10005000", "vad_file_start": "0x10000000"}],
            "dirty_memory": [                                               (c)
                {"dirty_memory_end": "0xa1b000", "dirty_memory_start": "0x9f0000"},
                {"dirty_memory_end": "0x9f0000", "dirty_memory_start": "0x8f0000"}]

Figure 4: API information on the malware's code regions: (a) VAD of the malware image, (b) VAD file information, (c) dirty memory

3 API API ( 1 ) ( 2 ) ( 3 ) VAD DLL WriteFile VAD Dirty (1) (3) Alkanet 4 (a) VAD VAD c13.exe (b) VAD VAD starter.exe starter.exe DLL (c) VAD Dirty 1 VAD starter.exe

3.3.2 API (a) (c) API AP 5 (i) (a) (c) CALL API (ii) (ii) API (iii) sysenter sysexit API API

3.3.3 API 3 (1) (2) API python Alkanet API IDA 6 API CALL API CALL API API

    "0x4059b3": {                                                    (i)
        "CreateFileW+0x1b6": [                                       (ii)
            {"name": "NtCreateFile", "no": 3648, "type": "sysenter", (iii)
             "optional": {"file_name": "\\??\\C:\\c13.exe"}},

Figure 5: API call information per call site: (i) call-site address, (ii) called API and offset, (iii) system call record
Figure 6: API call information merged into the disassembly (API Call)

4.
4.1 MWS Datasets 2016 [10] BOS2014 BOS2016 3 c13.exe API API API

4.2
4.2.1 API c13.exe 7 8 API c13.exe 7 c13.exe 0x400000 0x435000 8 ShellExecuteExW starter.exe ShellExecuteExW 0x40c673 c13.exe API

4.2.2 API API API PE API API IDA API API API API API 6 API WriteFile WriteFile NtWriteFile splash_screen.dll API API
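As an added illustration of the extraction step described in 3.3.2 (my code, not the authors' scripts), the following parses records in the Figure 3 layout and produces the Figure 5 structure. Function names are assumptions; the log text is constructed, and the frame inside the malware image is invented because Figure 3 shows no malware-side frame. Instead of Alkanet's VAD lookup it takes the malware image range of Figure 4(a) as parameters and additionally treats frames whose page is marked Dirty as malware code.

```python
# Added illustration, not the paper's scripts: map each call site in the
# malware's code to the API it called and the system call records behind it.
# The log below is constructed; the [02] frame in c13.exe (0x400000-0x435000)
# is invented.
import re

LOG = """\
No.:3648 Time :156000000 Type:sysenter SNo.:37 (NtCreateFile) Cid :244.2d8 Name:c13.exe
Note: file_name: \\??\\C:\\c13.exe
StackTrace: SP: 12f5d0, StackBase: 130000, StackLimit: 126000
[00] <- 7c94d6ea (API: NtCreateFile+0xc, Writable: 0, Dirty: 0, VAD: {7c940000 --7c9dc000, ImageMap: 1, File: "\\WINDOWS\\system32\\ntdll.dll"}), SP: 12f5d0
[01] <- 7c810ed6 (API: CreateFileW+0x1b6, Writable: 0, Dirty: 0, VAD: {7c800000 --7c933000, ImageMap: 1, File: "\\WINDOWS\\system32\\kernel32.dll"}), BP: 12f6a0
[02] <- 4059b3 (API: -, Writable: 0, Dirty: 0, VAD: {400000 --435000, ImageMap: 1, File: "\\c13.exe"}), BP: 12f6c0
No.:3649 Time :156000010 Type:sysexit SNo.:37 (NtCreateFile) Cid :244.2d8 Name:c13.exe
"""

HEAD = re.compile(r"No\.:(\d+) .*?Type:(\w+) SNo\.:\d+ \((\w+)\) Cid :\S+ Name:(\S+)")
FRAME = re.compile(r"\[\d+\] <- ([0-9a-f]+) \(API: ([^,]+), Writable: \d, Dirty: (\d)")

def parse_records(text):
    """Split the log into records: header fields, Note arguments, stack frames."""
    recs, cur = [], None
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:
            cur = {"no": int(m.group(1)), "type": m.group(2), "name": m.group(3),
                   "proc": m.group(4), "optional": {}, "frames": []}
            recs.append(cur)
        elif line.startswith("Note:") and cur:
            key, _, val = line[5:].strip().partition(": ")
            cur["optional"][key] = val
        elif line.startswith("[") and cur:
            f = FRAME.match(line)      # (return address, API+offset, dirty flag)
            cur["frames"].append((int(f.group(1), 16), f.group(2), f.group(3) == "1"))
    return recs

def build_api_map(recs, code_start, code_end):
    """Fig. 5 layout: call-site address -> "API+offset" -> [system call records].
    Walking the stack trace outward from the system call, the first return address
    in the malware's image range or in a Dirty page is the call site; the frame
    just before it names the API the malware actually called."""
    out = {}
    for r in recs:
        if r["type"] != "sysenter":    # sysexit records add no new call site
            continue
        for i, (ret, _, dirty) in enumerate(r["frames"]):
            if i > 0 and (code_start <= ret < code_end or dirty):
                api = r["frames"][i - 1][1]
                entry = {"name": r["name"], "no": r["no"], "type": r["type"],
                         "optional": r["optional"]}
                out.setdefault(hex(ret), {}).setdefault(api, []).append(entry)
                break
    return out
```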

    c13.exe[0x400000-0x435000]
    starter.exe(create)
    File(\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\splash_screen.dll)[0x10000000-0x10005000]
    File(\DOCUME~1\ADMINI~1\LOCALS~1\Temp\RarSFX0\starter.exe)[0x400000-0x407000]
    dirty_memory [0x8f0000-0x9f0000]
    dirty_memory [0x9f0000-0xa1b000]
    svchost.exe(create)
    dirty_memory [0x8d0000-0x8fb000]
    dirty_memory [0x90000-0xad000]

Figure 7: Processes and code regions obtained for c13.exe

    ------------------------------------------------------------------------
    Created process
    ------------------------------------------------------------------------
    {"ShellExecuteExW+0x67": {
        "0x40c673": {
            "systemcall": [
                {"status": 0,
                 "proc name": "starter.exe",
                 "name": "NtCreateProcessEx",
                 "proc_pid": 812,
                 "file name": "\\Device\\HarddiskVolume1\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\RarSFX0\\starter.exe",

Figure 8: API call information for the ShellExecuteExW call at 0x40c673 in c13.exe

API API API API API DLL API LoadDll API dll GetProcAddress DLL API API API API API API 9 Call API IDA API API API API

5. funcap [11] IDA splode [12] funcap IDA Debugger IDA splode Intel PIN IDA Alkanet egg [13] egg 1 API API egg API

9 DLL API API Alkanet [14] API API

6. API API API API Windows10 Alkanet [15]

References
[1] 2015 (online), https://app.trendmicro.co.jp/doc_dl/select.asp?type=1&cid=161 (2016.07.05)
[2] BLUE TERMITE. APT (online), http://media.kaspersky.com/jp/kaspersky_BlueTermite-PR-1013.pdf (2016.07.05)
[3] (2016)
[4] Andreas Moser, Christopher Kruegel and Engin Kirda: Limits of Static Analysis for Malware Detection, Twenty-Third Annual Computer Security Applications Conference (ACSAC 2007), pp. 421-430 (2007)
[5] Ilsun You and Kangbin Yim: Malware Obfuscation Techniques: A Brief Survey, 2010 International Conference on Broadband, Wireless Computing, Communication and Applications (BWCCA), pp. 297-300 (2010)
[6] Vol. 55, No. 9, pp. 2034-2046 (2014)
[7] Hex-Rays: IDA, https://www.hexrays.com/products/ida/ (2016.07.19)
[8] Alkanet, 2013, Vol. 2013, No. 4, pp. 753-760 (2013)
[9] B. Dolan-Gavitt: The VAD tree: A process-eye view of physical memory, Digital Investigation, Vol. 4, pp. 62-64 (2007)
[10] MWS Datasets 2016, CSEC, Vol. 2016-CSEC-74, No. 17, pp. 1-8 (2016)
[11] Andrzej Dereszowski: funcap, GitHub, https://github.com/deresz/funcap (2016.07.05)
[12] Endgame: IDA-splode, GitHub, https://github.com/zachriggle/ida-splode (2016.07.05)
[13] Satoshi Tanda: egg - A Stealth fine grained code analyzer, Recon 2011 (2011)
[14] Vol. 29, No. 4, pp. 199-218 (2012)
[15] Windows10 x64, 2015, Vol. 2015, No. 3, pp. 839-846 (2015)