رویکردی نو در شناسایی بدافزارها با تحلیل تصویر حافظه

آقایی‌خیرابادی, معصومه; فرشچی, سیدمحمدرضا; شیرازی, حسین

رویکردی نو در شناسایی بدافزارها با تحلیل تصویر حافظه

نویسندگان

¹ کارشناسی ارشد، دانشکده فناوری اطلاعات ارتباطات و امنیت، دانشگاه صنعتی مالک اشتر، تهران، ایران

² دانشجوی دکترا، مرکز فرماندهی و کنترل، آزمایشگاه شبکه‌های اجتماعی، تهران، ایران

³ استاد، دانشکده فناوری اطلاعات، ارتباطات و امنیت، دانشگاه صنعتی مالک اشتر، تهران، ایران

چکیده

روش‌های تشخیص بدافزار مبتنی بر تحلیل محتویات حافظه در سال‌های اخیر محبوبیت زیادی به دست آورده‌اند. تحقیقات انجام‌شده در این زمینه پیشرفت زیادی داشته‌ و چهار‌چوب‌های تحلیل قدرتمندی نیز بوجود آمده است. درحالی‌که این چهارچوب‌ها امکان بررسی یک تصویر لحظه‌ای حافظه با جزئیات کامل را فراهم می‌کنند، اما تفسیر و همبسته‌سازی این جزئیات برای استخراج ناسازگاری‌ها نیاز به دانش کاملی از ساختارهای داخلی سیستم‌عامل دارد. در این پژوهش تمرکز پویش‌گر پیشنهادی ما بر استخراج اطلاعات از ساختار‌های حافظه با پرداختن به ناسازگاری‌های ایجادشده توسط تکنیک‌های دفاعی مورد استفاده بدافزارها می‌باشد. در روش ارائه شده با توصیف ساختارهای حافظه به استخراج اثرات مؤثر مربوط به تغییرات رجیستری، دسترسی فایل‌های کتابخانه‌ای و فراخوانی‌های توابع سیستم‌عامل پرداخته‌ایم. برای ارزیابی ویژگی‌های استخراج شده، نمونه‌ها‌ را براساس ویژگی‌های انتخاب‌شده دسته‌بندی کردیم، بهترین نتایج شامل نرخ تشخیص 98% و نرخ مثبت کاذب 16% می‌باشند که نشان‌دهنده مؤثر بودن روش‌های تشخیص مبتنی بر تحلیل محتویات حافظه است.

کلیدواژه‌ها

20.1001.1.23224347.1394.3.1.7.2

عنوان مقاله [English]

A new approach in identifying malware with memory image analysis

نویسندگان [English]

Masoumeh Aghaei Kheirabadi ¹
Seyed Mohammad Reza Farshchi ²
Hossein Shirazi ³

¹ Master's degree, Faculty of Information Communication Technology and Security, Malik Ashtar University of Technology, Tehran, Iran

² PhD student, Command and Control Center, Social Networks Laboratory, Tehran, Iran

³ Professor, Faculty of Information, Communication and Security Technology, Malik Ashtar University of Technology, Tehran, Iran

چکیده [English]

Detection methods based on analysis of memory contents have achieved great popularity in recent years.
Researches in this area have great progress and powerful analysis frameworks has been innovated. Although these
frameworks provide detailed examination of a memory snapshot, interpretation and correlation of these details to
extract inconsistencies require a comprehensive knowledge of the internal structure of the operating system. In this
paper, our proposed scanner focus on extracting information from the memory structure along with addressing the
inconsistencies created by defense techniques used by malwares. In the proposed method, memory forensics is used,
for the first time, to investigate the main functionality of malware by extracting function calls from the user space
memory. In other words, in this method memory structures are described to extract the effective indicators related to
registry changes, access to library files and operating system function calls. At last to evaluate the extracted features,
Samples have been classified based on the selected feature. Best result include detection rate of 98% and false positive
rate of 16%, which demonstrates the effectiveness of the memory contents.

مراجع

[1] L. O. Murchu and E. Chien, “W32.Stuxnet dossier,” Symantec Security Response, Tech. Rep., Oct. 2010.

[2] P. O'Kane, S. Sezer, and K. Mclaughlin, “Obfuscation: The Hidden Malware,” in Security & Privacy, IEEE, Sept-Oct. 2011.

[3] M. Egele, T. Scholte, E. Kirda, and C. Kruegel, “A survey on Automated Dynamic Malware-Analysis Techniques and Tools,” ACM Computing Surveys (CSUR), February 2012.

[4] M. Sharif, A. Lanzi, J. Giffin, and W. Lee, “Automatic Reverse Engineering of Malware Emulators,” in Security and Privacy, 2009 30th IEEE Symposium on, 17-20 May 2009.

[5] C. Ries, “Inside Windows Rootkits,” in Vigilant Minds Inc., 4736, May 2006.

[6] J. Butler and P. Silberman, “Raide: Rootkit analysis identification elimination,” in Black Hat USA, vol. 47, 2006.

[7] A. Kristine, “Techniques and Tools for Recovering and Analyzing Data from Volatile Memory,” 2009. [Online]. Available:http://www.sans.org/?utm_source=web&utm_medium=text-ad&utm_content=generic_rr_pdf_(c)_text1&utm_campaign= Reading_Room&ref=36914.

[8] S. Vomel and H. Lenz, “Visualizing Indicators of Rootkit Infections in Memory Forensics,” In IT Security Incident Management and IT Forensics (IMF), 2013 Seventh International Conference on IEEE, pp. 122-139, March 2013.

[9] “Windows Rootkit Overview,” Symantec Corporation, 2010.

[10] A. Aljaedi, D. Lindskog, P. Zavarsky, R. Ruhl, and F. Almari, “Comparative Analysis of Volatile Memory Forensics: Live Response vs. Memory Imaging,” in Privacy, Security, Risk and Trust (passat), International Conference on and 2011 IEEE third, International Conference on Social Computing (socialcom), 9-11 Oct. 2011.

[11] “SQL Slammer Worm Propagation,” 2003. [Online]. Available: http://xforce.iss.net/xforce/xfdb/11153.

[12] A. White, B. Schatz, and E. Foo, “Surveying the User Space Through User Allocations,” in Digital Investigation 9, August 2012.

[13] M. E. Russinovich and D. A. Solomon, “Windows Internals,” 4th ed., Redmond: Microsoft, 2005.

[14] B. Dolan-Gavitt, “The VAD Tree: A Process-eye View of Physical Memory,” in Digital Investigation, September 2007.

[15] M. Ligh, S. Adair, B. Hartstein, and M. Richard, “Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code,” Wiley, 2010.

[16] M. Ligh, S. Adair, B. Hartstein, and M. Richard, “Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code,” Wiley, 2010.

[17] A. Schuster, “Searching for Processes and Threads in Microsoft Windows Memory Dumps,” Digital Investigation 3, pp. 10-16, 2006.

[18] A. Tevanian and e. al, “A UNIX Interface for Shared Memory and Memory Mapped Files Under Mach,” in USENIX Summer, 1987.

[19] M. Ligh, “Malfind Volatility Plugin,” [Online]. Available: http://mnin.blogspot.com, 2009.

[20] T. C. Keong, “Dynamic Forking of Win32 EXE,” [Online]. Available: http://www.security.org.sg/ code/loadexe.html, 2004.

[21] A. Walters and B. Dolan-Gavitt, “Volatility: an advanced memory forensics framework,” 2007.

[22] “GMER - Rootkit Detector and Remover,” [Online]. Available: http://www.gmer.net/, 2012.

[23] B. Cogswell and M. Russinovich, “Rootkit Revealer,” [Online]. Available: www. sysinternals. com/ntw2k/freeware/rootkitreveal. shtml , 2006.

[24] J. Pan, “Ice Sword,” [Online]. Available: http://www.xfocus.net /tools/200509 /1085.html, 2005.

[25] G. Palmer, “A Roadmap for Digital Forensic Research,” First Digital Forensic Research Workshop (DFRWS), 2001.

[26] R. Harris, “Examining how to define and control the anti-forensics problem,” Proceedings of the 6th Annual Digital Forensic Research Workshop (DFRWS ’06), Digital Investigation 2006, 3(Suppl. 0), 2006.

[27] T. Haruyama and H. Suzuki, “One-byte Modifications for Breaking Memory Forensic Analysis,” In Proceedings of Blackhat Europe, 2012.

[28] L. Milkovic, “Defeating Windows Memory Forensics,” In Proceedings of the 29th Chaos Communications Conference, 2012.

[29] J. Stüttgen and C. M, “Anti-forensic Resilient Memory Acquisition," In The Proceedings of the Thirteenth Annual DFRWS Conference, August 2013.

[30] H. Inoue, F. Adelstein, and R. Joyce, “Visualization in Testing a Volatile Memory Forensic Tool,” In Digital Investigation, 2011.

[31] D. Bilby, “Low down and Dirty: Anti-forensic Rootkits,” In: Proceedings of Black Hat, Japan, 2006.

[32] S. Vömel and F. Freiling, “Correctness, atomicity, and integrity: defining criteria for forensically-sound memory acquisition,” In Digital Investigation, November 2012.

[33] B. D. Carrier and J. Grand, “A hardware-based Memory Acquisition Procedure for Digital Investigations,” in Digital Investigation, February 2004.

[34] A. Boileau, “Hit by a Bus: Physical Access Attacks with Firewire,” In Ruxcon Computer Security Conference, 2006.

[35] J. Wang, F. Zhang, K. Sun, and A. Stavrou, “Firmware-assisted Memory Acquisition and Analysis Tools for Digital Forensics,” Systematic Approaches to Digital Forensic Engineering (SADFE),IEEE Sixth International Workshop on. IEEE, 2011.

[36] C. Tilbury, August 2012. [Online]. Available: https://code.google.com/p/mft2csv/wiki/SetRegTime.

[37] J. Williams and A. Torres, 2014. [Online]. Available: http://code.google.com/p/attention-deficit-disorder/.

[38] L. Milković, 28 December Communication Congress in Hamburg 2012. [Online]. Available: http://code.google.com/p/dementia-forensics/downloads/detail?name=Defeating Windows memory forensics.pdf.

[39] T. Haruyama and H. Suzuki, 16 March 2012. [Online]. Available: https://media.blackhat.com/bh-eu-12/Haruyama/bh-eu-12-Haruyama-Memory_Forensic-Slides.pdf.

[40] D. Brendan, “Forensic Analysis of the Windows Registry in Memory,” in Digital Investigation, September 2008.

[41] A. Wichmann and E. Gerhards-Padilla, “Using Infection Markers as a Vaccine Against Malware Attacks,” In Green Computing and Communications (GreenCom), International Conference on, 20-23 Nov. 2012.

[42] [Online]. Available: http://home.mcafee.com/virusinfo/virusprofile.aspx?key=142626.

[43] R. B. Van Baar, W. Alink, and A. R. Van Ballegooij, “Forensic Memory Analysis: Files Mapped in Memory,” In Digital Investigation, 2008.

[44] “Volatility Labs,” Black Hat USA & DFRWS 2014, July 2014. [Online]. Available: http://volatility-labs.blogspot.ae/.

[45] S. Almarri and P. Sant, “Optimised Malware Detection in Digital Forensics,” International Journal of Network Security & Its Applications 6.1, 2014.

[46] “ntoskrnl.exe,” [Online]. Available: http://en.wikipedia.org/wiki/Ntoskrnl. [Accessed 2014].

[47] V. Zwanger and F. C. Freiling, “Kernel Mode API Spectroscopy for Incident Response and Digital Forensics,” Proceedings of the 2nd ACM SIGPLAN Program Protection and Reverse Engineering Workshop. ACM, 2013.

[48] “Malware Research & Data Center,” [Online]. Available: http://www.virussign.com/.

[49] “Computer Virus Collection,” [Online]. Available: http://vxheaven.org/vl.php. [Accessed 2014].

[50] Melville, “WEKA Tutorial,” [Online]. Available: http://www.cs.utexas.edu/users/ml/tutorials/Weka-tut/. Accessed 2014.