臺灣博碩士論文加值系統 (National Digital Library of Theses and Dissertations in Taiwan)

Record details

Author: 朱慶峯 (Chu, Ching-Feng)
Title (Chinese): 利用指令軌跡的相似度進行惡意軟體分群
Title (English): Clustering Malware via Measuring Similarity of Instruction Trace
Advisor: 謝續平 (Shieh, Shiuh-Pyng)
Degree: Master
Institution: National Chiao Tung University (國立交通大學)
Department: Institute of Computer Science and Engineering (資訊科學與工程研究所)
Discipline: Engineering
Field: Electrical and Computer Engineering
Document type: Academic thesis
Year of publication: 2011
Graduation academic year: 100 (ROC calendar)
Language: English
Pages: 39
Keywords (Chinese): 指令軌跡, 惡意軟體, 分群
Keywords (English): Instruction Trace, Clustering, Malware
Statistics:
  • Cited by: 0
  • Views: 332
  • Rating:
  • Downloads: 10
  • Saved to bookshelf: 1
Abstract (Chinese, translated): A large number of malicious programs are produced every day, but many of them are rewritten from existing malware. Malware derived by rewriting usually exhibits similar behaviour, and malware clustering can place such similar programs in the same group. Malware analysts can use these groups to speed up the analysis of unknown malware. This thesis proposes a complete clustering mechanism that groups malware with similar attack behaviour. To prevent malware from evading analysis with code-hiding techniques, we trace the program dynamically while it executes. In addition, to prevent malware from confusing the trace by tampering with the contents of system calls, we target the trace at the memory instructions executed by the CPU. We apply taint techniques to filter out the large number of instructions produced when malware calls system libraries, so that the malware's own instructions are not diluted. By comparing the instructions of each pair of malware samples, we obtain their mutual similarity. Finally, a clustering algorithm uses the similarities obtained earlier to place similar malware in the same group. According to the final experimental results, we have a high probability of placing dissimilar malware in different groups, and we also discovered subgroups within existing malware classes; the instructions of these subgroups are only weakly related, yet they accomplish the same attack.
Abstract (English): Although a large number of malicious programs are created every day, most of them mutate from existing ones. These mutant malware programs may appear different, but actually act with similar behavior patterns. By clustering such programs into the same cluster, the malware analysis effort can be reduced significantly. In this paper, we propose a clustering approach to malware classification that compares the instruction-trace similarity of the binary programs under test. We take advantage of dynamic analysis to trace malware instructions at runtime, so our method can discover malware disguised by techniques such as polymorphism or code injection. By tracing malware instructions, our scheme ensures that the detection mechanism cannot be circumvented or sabotaged by malicious API tampering. The taint technique we adopted filters out the massive number of instructions generated by normal system libraries, which are noise to the malware analysis. The collected instruction traces are then compared to measure their similarity so that clustering can be performed. The results demonstrate that our system is able to cluster malware with similar code and can recognize new malware that is undetected by anti-virus tools.
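As an added illustration of the pipeline the abstract and the table of contents outline (this is not the thesis's code), the Python below cuts constructed instruction traces into code blocks, masks absolute memory addresses, hashes each block, scores pairwise similarity and groups samples. The traces, the Jaccard measure and the single-linkage merge are assumptions for the example; the thesis's own similarity function and clustering algorithm are not given on this page.

```python
import hashlib
import re
# Constructed traces (not from the thesis): B is A with relocated absolute
# addresses, as a repacked mutant would log; C shares one block with A; D none.
TRACES = {
    "A": ["push ebp", "mov ebp, esp", "mov eax, [0x00401000]", "call 0x00401a20",
          "xor eax, eax", "add eax, 4", "ret",
          "mov ecx, [0x00403010]", "cmp ecx, 0", "jne 0x00401b00"],
    "B": ["push ebp", "mov ebp, esp", "mov eax, [0x10001000]", "call 0x10001a20",
          "xor eax, eax", "add eax, 4", "ret",
          "mov ecx, [0x10003010]", "cmp ecx, 0", "jne 0x10001b00"],
    "C": ["push ebp", "mov ebp, esp", "mov eax, [0x00405000]", "call 0x00405a20",
          "mov edx, [ebp+8]", "shl edx, 1", "ret"],
    "D": ["sub esp, 0x20", "lea esi, [esp+4]", "rep movsb", "ret"],
}
ABS_ADDR = re.compile(r"0x[0-9a-fA-F]{6,}")  # 6+ hex digits: an absolute address
BLOCK_END = {"ret", "jmp", "call", "je", "jne", "jz", "jnz"}  # block terminators

def split_blocks(trace):
    # Cut the trace into straight-line blocks, masking absolute addresses so the
    # same code loaded at a different base address yields identical blocks.
    blocks, current = [], []
    for ins in trace:
        current.append(ABS_ADDR.sub("ADDR", ins))
        if ins.split()[0] in BLOCK_END:
            blocks.append(tuple(current))
            current = []
    if current:
        blocks.append(tuple(current))
    return blocks

def block_hashes(trace):
    # One SHA-1 per normalised block; the set of hashes is the sample's fingerprint.
    return {hashlib.sha1("\n".join(b).encode()).hexdigest() for b in split_blocks(trace)}

def similarity(h1, h2):
    # Jaccard overlap of two block-hash sets (an assumed measure, not the thesis's).
    return len(h1 & h2) / len(h1 | h2) if (h1 | h2) else 1.0

def cluster(traces, threshold):
    # Single-linkage (assumed): clusters are connected components of pairs at/above threshold.
    names = sorted(traces)
    hashes = {n: block_hashes(traces[n]) for n in names}
    labels = {n: n for n in names}
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if similarity(hashes[a], hashes[b]) >= threshold and labels[a] != labels[b]:
                old, new = labels[b], labels[a]
                labels = {n: new if l == old else l for n, l in labels.items()}
    return sorted([n for n in names if labels[n] == r] for r in set(labels.values()))
```

Lowering the threshold from 0.5 to 0.2 pulls C into A's group, which is the kind of sub-family split the Chinese abstract reports finding.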
Table of contents (thesis page numbers follow each entry)
  Abstract (Chinese), p. I
  Acknowledgements, p. III
  Table of Contents, p. IV
  List of Figures, p. V
  List of Tables, p. VI
  Chapter 1 Introduction, p. 1
  Chapter 2 Background, p. 6
  Chapter 3 Related Work, p. 9
  Chapter 4 Proposed Scheme, p. 11
    3.1 Tracing Log, p. 11
    3.2 Tainting Structure, p. 12
    3.3 Code Block Collection, p. 13
    3.4 Eliminate Absolute Memory Address, p. 14
    3.5 Make Hash Value of Code Block, p. 15
    3.6 Rearrange Code Block, p. 15
    3.7 Straight Code Block Comparison, p. 16
    3.8 Malware Similarity, p. 16
    3.9 Malware Clustering, p. 17
  Chapter 5 Implementation, p. 19
    4.1 Guest Agent, p. 19
    4.2 Host OS Controller, p. 20
    4.3 Code Block Collection, p. 20
    4.4 Code Block Comparison, p. 21
      4.4.1 Disassemble Instructions of Code Blocks, p. 21
      4.4.2 Make Hash Values of Code Blocks, p. 21
      4.4.3 Compute Similarities of Different Malware, p. 22
    4.5 Clustering Malware, p. 22
  Chapter 6 Evaluation, p. 24
    5.1 Clustering Accuracy, p. 24
      5.1.1 Precision and Recall, p. 25
    5.2 Result, p. 26
      5.2.1 Clustering with Unknown Malware, p. 26
      5.2.2 Clustering with Known Malware, p. 27
    5.3 Discussion of Evaluation, p. 28
  Chapter 7 Conclusion, p. 29
  Chapter 9 Reference, p. 30