PANDEMONIUM:

Automated Identification of Cryptographic Algorithms using Dynamic Binary Instrumentation and Fuzzy Hashing

Yuma Kurogome

CODE BLUE 2015 [U-25]

2015.10.29

1

This material is partially based upon work supported by

Asian Office of Aerospace Research and Development,

U.S. Air Force Office of Scientific Research under Award No. FA2386-15-1-4068.

$ whoami

2

• Yuma Kurogome(@ntddk)

• ntddk.github.io

Peer reviewSecurity Camp lecturer AVTOKYO speaker

Abstract

• Malware utilize many cryptographic algorithms• To conceal messages and configurations

• DBI(Dynamic Binary Instrumentation)• Dynamic analysis on PANDA(QEMU)• Translate x86 code to LLVM IR(Intermediate representation) per

BB(Basic Block)• Remove obfuscated code by optimization

• Fuzzy hash based pattern matching• Detect and avoid anti-analysis code• Identify cryptographic algorithms from the similarity of handling

received data

3

One entry, one exit

Malware and crypto-algorithms

4

Malware utilize many crypto-algorithms

to conceal messages and configurations

• Banking trojan• Decrypt configuration files

• Ransomware• Encrypt victim files

We deal with banking trojan in this researchs

Server(C&C) has key

Key is hardcoded in own body

Evolution of banking trojan

5

Malware come to birth one after

another from the black market

• Many variants were born from leaked Zeus• Citadel• IceIX• GameOver• KINS

• New spiecies have also been born• Dyre• Vawtrak• Chthonic

http://www.wontok.com/wp-content/uploads/2014/10/wdt0185_MalwareTimeline_largeV2.jpg

Banking trojan and crypto-algorithms

6

Many banking trojan utilize encrypted

configuration files and commands

• Ex. Communication between Dyre and C&C

We have to identify crypto-algorithms promptly

……

Key + IV

Encrypted data

Related work (1/2)

7

Identify crypto-algorithms by paying

attention to the arithmetic/bit operations

• Dispatcher[CCS’09]• Find crypto-routines from insns ratio between call and ret insns

• Impossible to find if crypto-routines are made of multiple subroutines

• ReFormat[ESORICS’09]• Find crypto-routines from the peak in the overall execution log

• Impossible to find if multiple algorithms are implemented

Related work (2/2)

8

Identify crypto-algorithms by paying

attention to the loop structures

• Aligot[CCS’11]• Extract the input of the loop structures, and give it to known algorithms

implementation

• If output is same, algorithm is same

• The amount of calculation is O(n^2) a lot, it can only extract known crypto-algorithm

• Kerckhoffr[RAID’11]• Extract the input of the loop structures, and compare with known algorithms

signatures

• If pattern is matched, regard as crypto-routines

• Can only extract known crypto-algorithm

Downside of related work

9

Method Known algorithms Unknown algorithms Anti anti-analysis

Dispatcher ☓

ReFormat ☓

Aligot ☓ ☓

Kerckhoffr ☓ ☓

• Previous approaches assumes execution log is infallible

• PANDEMONIUM can analyze if malware has anti-analysis routines and has been obfuscated

Anti-analysis

10

Many malware try to detect debugger

and sandbox to avoid analysis

••

•

•

•

•

•

we cannot often obtain expected analysis results

There is no silver bullet

11

Analysis platform hasn’t been able to follow

complex technique of malware

•

••

•

•

We need extensible analysis platform

PANDEMONIUM

Avoid anti-analysisNetwork

communication

Remove obfuscated

code

Identify crypto-

algotiyhms

12

Combine different approaches to identify

decrypt-routines of malware

PANDA

Guest OS malware LLVM IR Analysis log

PANDEMONIUM

Dynamic analysis Static analysis

Emulation by QEMU

• TCG(Tiny Code Generator)

13

1. Disassemble target code, and create BB(Basic Block) separated by branch insns

2. Translate BB to RISC-like TCG IR

3. Translate TCG IR to host code

4. Build chain of translated BBs and execute

PANDA[REcon’14]

• DBI(Dynamic Binary Instrumentation)

14

1. Disassemble target code, and create BB(Basic Block) separated by branch insns

2. Translate BB to RISC-like TCG IR

3. Translate TCG IR to LLVM IR

4. Translate TCG IR to host code

5. Build chain of translated BBs and execute

1. 2. 3.push esppush ebppush ebx

movi_i64 tmp12,$0x8260a634st_i64 tmp12,env,$0xdae0ld_i64 tmp12,env,$0xdad0

Can apply taint analysis and symbolic executionCallback before/after translation

We can obtain LLVM IR corresponded to malware code

%2 = add i64 %env_v, 128%3 = inttoptr i64 %2 to i64*store i64 2187372084, i64* %3

github.com/moyix/panda

Extract decrypt-routines (1/5)

15

Combine different approaches to identify

decrypt-routines of malware

OS

MalwareObfuscated code

Anti-analysis routine

Handler to received data

……

Decrypt-routine

Obfuscated code

16

EPROCESS

ActiveProcessLi

nks

PEB

Flink

Blink

EPROCESS

ActiveProcessLi

nks

PEB

Flink

Blink

EPROCESS

ActiveProcessLi

nks

PEB

Flink

Blink…

PsActiveProcess

Head

Flink

Blink

FS:[0x30]

KPCR

KdVersionBlock

FS:[0x1c] KDEBUGGER_DATA32

PsLoadedModuleList

+0x34 +0x70

+0x78

EPROCESS is generated when process created

panda/qemu/panda_plugins/

osi_winxpsp3x86/osi_winxpsp3x86.cpp

Extract malware process from running guest OS

(Register is different from the Windows 7 or later)

Expand

Extract decrypt-routines (2/5)

17

Combine different approaches to identify

decrypt-routines of malware

MalwareObfuscated code

Anti-analysis routine

Handler to received data

……

Decrypt-routine

Obfuscated code

LLVM (1/2)

18

Optimization pass of LLVM can remove

some obfuscated code

x86

FrontendPANDA

TCG IR

LLVM IR

llvm.org

Remove obfuscated code

19

Optimization pass of LLVM can remove

some obfuscated code

• Insert dead/nop equivalent insns• -dse, -simplifycfg

• Substitute with equivalent insns/Reorder insns• -constprop

• -instcombine

Absorb difference of insns by implementation of compiler

(x = 14; y = x + 8) → (x = 14; y = 22)

(y = 3; ...; y = x + 1) → (...; y = x + 1)

(y = x + 2; z = y + 3) → (z = x + 5)

Cf. opticode.coseinc.com

Extract decrypt-routines (3/5)

20

Combine different approaches to identify

decrypt-routines of malware

Malware

Anti-analysis routine

Handler to received data

……

Decrypt-routine

Obfuscated code

Anti-emulation

21

••

•

•

•

We also have to consider anti-emulation

Fuzzy hashing (1/2)

22

Techniques for identifying the data

that are partially different but similar

• ssdeep• World leading security researchers will come together for this unique

international conference in Tokyo• Bb7g86hvE/

• W0rld leading security researchers will come together for this unique international conference in Tokyo• GT7g86hvE/

Create signature of some anti-analysis and crypto-algorithms

Fuzzy hashing (2/2)

23

Techniques for identifying the data

that are partially different but similar

• Create fuzzy hash per BB• Normalize operand

• Anti-analysis• NtDelayExecution(), WaitForSingleObject(), GetCursorPos(),……

• Crypto-algorithms• MD5, DES, RC4, ……

Create signature of some anti-analysis and crypto-algorithms

From Beecrypt, Crypto++, OpenSSL

LLVM (2/2)

24

Modify TCG IR based on pattern matching

of LLVM IR before execution

x86

FrontendPANDA

TCG IR

LLVM IR Fuzzy hash table

Feedback

Pattern matching

llvm.org

(Red-black tree)

Symbolic execution (1/2)

25

Technique for extracting path constraints

through operation of symbolic variables

cmp eax, 0x7DFje 0xdeadbaad

if(x!=2015) Invalid.ASSERT( INPUT_*_*_* =0hex7DF );

Source code Trace log Conterexample

2015 affect the branch

Symbolic execution (2/2)

26

Technique for extracting path constraints

through operation of symbolic variables

mov esi, 0x13mov edx, 0x7DF

• Insns must be SSA(Static Single Assignment) form• On x86, Assignment may collide

mov esi, 0x13…mov esi, 0x7DF

(esi == 0x13) and (edx == 0x7DF)

(esi == 0x13) and (esi == 0x7DF)

LLVM IR is suitable for symbolic execution

Anti anti-analysis

27

static inline int IsSleepPatched(){DWORD time1 = GetTickCount();Sleep(500);DWORD time2 = GetTickCount();if ((time2- time1) > 450)

return 0;else

return 1;}

Avoid anti-analysis code which matched

pattern by using symbolic execution

• Ex. Avoid patch detection of Sleep()•

• RDTSC, GetTickCount(), ……

• Which branch to go?1. Get snapshot2. Rewrite branch constraints3. Long-lasting branch is taken

Or the number of expected clock is spent

(Check 50 insns)

Extract decrypt-routines (4/5)

28

Combine different approaches to identify

decrypt-routines of malware

Malware

Handler to received data

……

Decrypt-routine

Obfuscated code

VMM

Taint analysis (1/2)

29

mov eax, edx

Guest OS

Technology that analyzes dependencies

between data from propagation of tag

Taint analysis (2/2)

30

Handler BB of received data from virtual

NIC would be contain decrypt-routines

• Taint source(origin of tags)• Virtual NIC

• Taint sink(check position of tags)• End of BB

• Propagation rule• Reference of register and memory

r3 = Load(r2) tr3 = tr2

Anti taint analysis

31

Obfuscation technique that causes

interrupting the propagation of taint tag

• Under-tainting• Data is not assigned directly

But we have LLVM

x = get_input();if (x == "a"){

uri = "c2.php";msg = "a";

}send(uri, msg);

x = get_input();if (x > "a"){

tmp = x + "a"; msg = tmp − x;

} send(uri, msg);

-early-cse,-constprop,-instcombine

Extract decrypt-routines (5/5)

32

Combine different approaches to identify

decrypt-routines of malware

Malware

Handler to received data

……

Decrypt-routine

Now what?

33

Handler BBs of received data from virtual

NIC would be contain decrypt-routines

Decrypt

1. Execute malware

2. Avoid anti-analysis

3. Remove obfuscated code

4. Extract handler BBs of received data

5. Identify crypto-algorithms

Criteria for crypto-algorithm

34

Is fuzzy hash per BB useful for

Identify crypto-algorithms?

• Comparing per BB can not be maintained the uniqueness as a signature• There are many similar insns, many false positives

• Feature does not come out as anti-analysis routines

• Compare the whole point referring received data• Combine their fuzzy hash, calculate LCS

Experiments

35

Experiments of crypto-algorithms

identification using PANDEMONIUM

• Experiment A: Obfuscated sample program

• Experiment B: Real-world malware

Experiment A

36

Analysis of obfuscated sample program

Algorithm Obf A Obf B

MD5

DES

RC4

AES

Blowfish

RSA

A) Insert dead/nop equivalent insns

B) Substitute with equivalent insns/Reorder insns≒ under-tainting

Receive packet, decrypt it(by Crypto++)

Experiment B (1/3)

37

Analysis of real-world malware

• Dyre sample• 999bc5e16312db6abff5f6c9e54c546f• b44634d90a9ff2ed8a9d0304c11bf612• dd207384b31d118745ebc83203a4b04a• B44634d90a9ff2ed8a9d0304c11bf612• 999bc5e16312db6abff5f6c9e54c546f

• Anti-analysis using PEB.NumberOfProcessors

•

Experiment B (2/3)

38

Analysis of real-world malware

• KINS(ZeusVM) sample• eee1bdb8d4ad98cce0031ed6ca43274a

• 84826d5e65987c131a80b1a3aa53ce17

• a2a7d4f75fc263648824facb0757a3c7

• Obfuscation by original code virtualizer• Ex. nop(0x90) is represented as 0x32, 0x26, 0xF3

• Use

Experiment B (3/3)

39

Analysis of real-world malware

Malware Detection ratio algorithm Cause

Dyre 4/5 RSA

KINS 0/3 RC4 VM

• PANDEMONIUM could avoid anti-analysis of Dyre

• Taint tag might have not been propagated• Might've gone a point to be analyzed by the optimization

• LLVM is not suitable for analyzing modern code virtualizer• Themida, ZeusVM, ……

Consideration

• Is LLVM suitable for analyzing malware?• LLVM doesn't try to operate carry flags very much

• If the implementation improved, there might appear more features of algorithms

• Or detection rate will vary depending on the type of encryption algorithm?• Varies among implementation

• Can not be affirmed for now at criteria such as whether the Feistel structure or SPN structure

• PANDEMONIUM was compared by connecting the fuzzy hash of BBs• It may be necessary to weight the massive block

40

Task

• Extract encryption keys

• Analyze unknown algorithms• Should we focus on the density and the data length of the input and

output of function?

• Analyze code virtualizer• Should we implement optimization pass?

41

We need analysis platform can follow evolution of malware

Summary

• Malware utilize many cryptographic algorithms• To conceal messages and configurations

• DBI(Dynamic Binary Instrumentation)• Dynamic analysis on PANDA(QEMU)• Translate x86 code to LLVM IR(Intermediate representation) per

BB(Basic Block)• Remove obfuscated code by optimization

• Fuzzy hash based pattern matching• Detect and avoid anti dynamic analysis code• Identify cryptographic algorithms from the similarity of handling

received data

42

One entry, one exit