Classification of malware persistence mechanisms using low-artifact disk instrumentation.
Details
  • Author: Mankin, Jennifer
  • Degree: Doctor
  • Year: 2013
  • Graduating institution: Northeastern University
  • Department: Electrical and Computer Engineering
  • ISBN: 9781303663918
  • CBH: 3608347
  • Country: USA
  • Language: English
  • FileSize: 1614609
  • Pages: 156
Abstract
The proliferation of malware in recent years has motivated the need for tools to analyze, classify, and understand intrusions. Current research in analyzing malware focuses on labeling malware as malicious or benign, or labeling it with the family or variant it belongs to. We argue that, in addition to providing coarse family labels, it is useful to label malware by the capabilities it employs. Capabilities can include keystroke logging, downloading a file from the internet, modifying the Master Boot Record, and trojanizing a system binary. Unfortunately, labeling malware by capability requires a descriptive, high-integrity trace of malware behavior, which is challenging given the complex stealth techniques that malware employs in order to evade analysis and detection. In this thesis, we present DIONE, a flexible rule-based disk I/O monitoring and analysis infrastructure. DIONE interposes between a system-under-analysis and its hard disk, intercepting disk accesses and reconstructing high-level file system and registry changes as they occur. We evaluate the accuracy and performance of DIONE, and show that it can achieve 100% accuracy in reconstructing file system operations, with a performance penalty of less than 2% in many cases. Given the trustworthy behavioral traces obtained by DIONE, we convert file system-level events to high-level capabilities. For this, we use model checking, a formal verification approach that compares a model extracted from a behavioral trace to a given specification. Since we use DIONE traces of file system and registry events, we aim to label persistence capabilities---that is, we label a sample by the mechanism it uses not only to persist on disk, but to restart after a system boot. We model the Windows service, a commonly employed capability used by malware to persist, load a binary after reboot, and even load dangerous code into the kernel. We model the installation of a Windows service, the system boot, and the file access of the service binary.
We test our models on over 1000 real-world malware samples, and show that they successfully identify service-installing malware samples over 99% of the time, and malware that loads that service over 97% of the time. Moreover, we demonstrate that we are able to use traces of disk reads to differentiate between two types of file accesses. We show that we can not only detect when a persistence mechanism is installed, but also that the persistence mechanism is successful, because we detect the automatic load of the program binary after a system reboot. We correctly identify file access types from disk access patterns with less than 4% of samples mislabeled, and demonstrate that even an expert analyst would have difficulty correctly identifying the mislabeled accesses.
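As an added illustration (not the thesis's own code and not DIONE's implementation), the following checks a reconstructed file-system/registry event trace against a simplified version of the persistence specification the abstract describes: a service is installed before a boot, and its binary is read from disk after that boot. The event format, field names, the `label_persistence` function and the sample trace are assumptions of this example, not taken from the page.

```python
"""Added example: label a reconstructed disk/registry event trace with
'service_install' and 'service_load' capabilities. Event format and
trace are constructed for this illustration (not DIONE's own format)."""
from dataclasses import dataclass

# Real Windows location of service definitions; the ImagePath value
# names the binary the Service Control Manager starts after boot.
SERVICES_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services"


@dataclass(frozen=True)
class Event:
    kind: str        # "file_write", "file_read", "reg_create", "reg_set", "boot"
    path: str        # file path or registry key (empty for "boot")
    value: str = ""  # registry value name, for "reg_set"
    data: str = ""   # registry value data, for "reg_set"


def _normalize(path: str) -> str:
    # Assumption: ImagePath holds a bare, possibly quoted path (no arguments).
    return path.strip().strip('"').lower()


def label_persistence(trace):
    """Temporal check over the trace, in order:
    service_install: ImagePath written under the Services key.
    service_load:    that path read from disk after a boot that followed
                     the install (reads before the boot do not count)."""
    labels = set()
    pending = set()  # binaries installed since the last boot
    armed = set()    # binaries whose install preceded a boot
    for ev in trace:
        if (ev.kind == "reg_set"
                and ev.path.lower().startswith(SERVICES_KEY.lower())
                and ev.value.lower() == "imagepath"):
            pending.add(_normalize(ev.data))
            labels.add("service_install")
        elif ev.kind == "boot":
            armed |= pending
            pending = set()
        elif ev.kind == "file_read" and _normalize(ev.path) in armed:
            labels.add("service_load")
    return labels


# Constructed trace: drop binary, register service, reboot, SCM reads binary.
SAMPLE_TRACE = [
    Event("file_write", r"C:\Windows\svchelper.exe"),
    Event("reg_create", SERVICES_KEY + r"\svchelper"),
    Event("reg_set", SERVICES_KEY + r"\svchelper", "ImagePath",
          r'"C:\Windows\svchelper.exe"'),
    Event("boot", ""),
    Event("file_read", r"C:\Windows\svchelper.exe"),
]
```

A read of the binary before the boot (for example the dropper verifying its own write) yields only `service_install`, which is the distinction between installing a persistence mechanism and proving it fired.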