nach oben

Erschienen in:

2024 | OriginalPaper | Buchkapitel

Following the Obfuscation Trail: Identifying and Exploiting Obfuscation Signatures in Malicious Code

verfasst von : Julien Cassagne, Ettore Merlo, Guy-Vincent Jourdan, Iosif-Viorel Onut

Erschienen in: Foundations and Practice of Security

Verlag: Springer Nature Switzerland

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

In this paper, we delve into the intricate world of dynamic code generation in script languages. One way that malicious code authors can evade detection through static analysis is using obfuscation and relying on dynamic code generation to deobfuscate the code at runtime. These obfuscation techniques can be highly intricate, involving numerous recursive “eval” calls to ultimately reveal the payload, or requiring the deobfuscation of separately generated code segments. This complexity presents significant challenges for researchers studying such code and for tools attempting static analysis. However, the very effort invested by attackers in obfuscation and the structures they create and reuse across attacks can also serve as a distinctive signature of the attacker. In this paper, we propose leveraging the structure of these obfuscation mechanisms as a similarity metric for malicious software.

Our proposed method focuses on extracting obfuscation strategies, which we evaluate using two extensive datasets comprising over 30,000 phishing kits. Within these datasets, we identified approximately 18,000 instances of dynamically generated code, resulting in only 569 unique signatures. One notable advantage of our method compared to the state-of-the-art approaches is that it can extract a partial signature even if the deobfuscation process remains incomplete. Other methods heavily rely on the payload, rendering them inconclusive when the payload cannot be extracted.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel UDP State Manipulation: Description of a Packet Filtering Vulnerability in Stateful Firewalls

Nächstes Kapitel On Exploiting Symbolic Execution to Improve the Analysis of RAT Samples with angr

We are publicly releasing [4] the PHP code and signatures coming from public dataset, the signatures from private dataset, while the PHP code from the private dataset will be made available to researchers from academia upon request and after verification.

https://spidermonkey.dev/.

https://www.virustotal.com/.

Aho, A.V., Lam, M.S., Sethi, R., Ullman, J.D.: Compilers: Principles, Techniques, and Tools, 2nd edn. Addison-Wesley Longman Publishing Co. Inc. (2006)

Arceri, V., Mastroeni, I.: Analyzing dynamic code: a sound abstract interpreter for evil eval. ACM Trans. Priv. Secur. 24(2), 1–38 (2021). https://doi.org/10.1145/3426470

Blanc, G., Miyamoto, D., Akiyama, M., Kadobayashi, Y.: Characterizing obfuscated javascript using abstract syntax trees: experimenting with malicious scripts. In: 2012 26th International Conference on Advanced Information Networking and Applications Workshops, pp. 344–351 (2012). https://doi.org/10.1109/WAINA.2012.140

Cassagne, J.: Payloads dataset. https://github.com/weimdall/phishing-evals

Cassagne, J.: Source code. https://github.com/weimdall/obfuscation-analyzer

Christensen, A.S., Møller, A., Schwartzbach, M.I.: Precise analysis of string expressions. In: Cousot, R. (ed.) Static Analysis, pp. 1–18. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-44898-5_1

Cui, Q., Jourdan, G.-V., Bochmann, G.V., Onut, I.-V.: Proactive detection of phishing kit traffic. In: Sako, K., Tippenhauer, N.O. (eds.) Applied Cryptography and Network Security, ACNS 2021, pp. 257–286. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-78375-4_11

Doh, K.G., Kim, H., Schmidt, D.A.: Abstract parsing: static analysis of dynamically generated string output using IR-parsing technology. In: Palsberg, J., Su, Z. (eds.) Static Analysis, pp. 256–272. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03237-0_18

Hajarnis, K., Dalal, J., Bawale, R., Abraham, J., Matange, A.: A comprehensive solution for obfuscation detection and removal based on comparative analysis of deobfuscation tools. In: 2021 International Conference on Smart Generation Computing, Communication and Networking (SMART GENCON), pp. 1–7 (2021). https://doi.org/10.1109/SMARTGENCON51891.2021.9645824

10.

Han, K., Hwang, S.O.: Lightweight detection method of obfuscated landing sites based on the AST structure and tokens. Appl. Sci. 10(17), 6116 (2020). https://doi.org/10.3390/app10176116

11.

Jensen, S.H., Jonsson, P.A., Møller, A.: Remedying the eval that men do. In: Proceedings of the 2012 International Symposium on Software Testing and Analysis (ISSTA 2012), pp. 34–44. Association for Computing Machinery, New York (2012). https://doi.org/10.1145/2338965.2336758

12.

Kim, H., Doh, K.G., Schmidt, D.A.: Static validation of dynamically generated html documents based on abstract parsing and semantic processing. In: Logozzo, F., Fähndrich, M. (eds.) Static Analysis, pp. 194–214. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38856-9_12

13.

Li, Z., Chen, Q.A., Xiong, C., Chen, Y., Zhu, T., Yang, H.: Effective and light-weight deobfuscation and semantic-aware attack detection for powershell scripts. In: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS 2019), pp. 1831–1847. Association for Computing Machinery, New York (2019). https://doi.org/10.1145/3319535.3363187

14.

Meawad, F., Richards, G., Morandat, F., Vitek, J.: Eval begone! semi-automated removal of eval from javascript programs. ACM SIGPLAN Notices 47(10), 607–620 (2012). https://doi.org/10.1145/2398857.2384660

15.

Merlo, E., Margier, M., Jourdan, G.V., Onut, I.V.: Phishing kits source code similarity distribution: a case study. In: 2022 IEEE International Conference on Software Analysis, Evolution and Reengineering (SANER), pp. 983–994 (2022). https://doi.org/10.1109/SANER53432.2022.00116

16.

Minamide, Y.: Static approximation of dynamically generated web pages. In: Proceedings of the 14th International Conference on World Wide Web (WWW 2005), pp. 432–441. Association for Computing Machinery, New York (2005). https://doi.org/10.1145/1060745.1060809

17.

Oest, A., Safei, Y., Doupe, A., Ahn, G.J., Wardman, B., Warner, G.: Inside a phisher’s mind: understanding the anti-phishing ecosystem through phishing kit analysis. In: Proceedings of the 2018 APWG Symposium on Electronic Crime Research, eCrime 2018, pp. 1–12. eCrime Researchers Summit, eCrime, IEEE Computer Society (2018). https://doi.org/10.1109/ECRIME.2018.8376206

18.

Ramilli, M.: https://github.com/marcoramilli/PhishingKitTracker

19.

Roy, C.K., Cordy, J.R., Koschke, R.: Comparison and evaluation of code clone detection techniques and tools: a qualitative approach. Sci. Comput. Prog. 74(7), 470–495 (2009). https://doi.org/10.1016/j.scico.2009.02.007MathSciNetCrossRef

20.

Tejaswi, B., Samarasinghe, N., Pourali, S., Mannan, M., Youssef, A.: Leaky kits: the increased risk of data exposure from phishing kits. In: 2022 APWG Symposium on Electronic Crime Research (eCrime), pp. 1–13 (2022). https://doi.org/10.1109/eCrime57793.2022.10142092

21.

Thiemann, P.: Grammar-based analysis of string expressions. In: Proceedings of the 2005 ACM SIGPLAN International Workshop on Types in Languages Design and Implementation (TLDI 2005), pp. 59–70. Association for Computing Machinery, New York (2005). https://doi.org/10.1145/1040294.1040300

22.

Yu, F., Alkhalaf, M., Bultan, T.: Patching vulnerabilities with sanitization synthesis. In: 2011 33rd International Conference on Software Engineering (ICSE), pp. 251–260 (2011). https://doi.org/10.1145/1985793.1985828

23.

Yue, C., Wang, H.: A measurement study of insecure javascript practices on the web. ACM Trans. Web 7(2), 1–39 (2013). https://doi.org/10.1145/2460383.2460386

Titel: Following the Obfuscation Trail: Identifying and Exploiting Obfuscation Signatures in Malicious Code
verfasst von: Julien Cassagne
Ettore Merlo
Guy-Vincent Jourdan
Iosif-Viorel Onut
Verlag: Springer Nature Switzerland
Buch: Foundations and Practice of Security
Print ISBN: 978-3-031-57536-5

Electronic ISBN: 978-3-031-57537-2

Copyright-Jahr: 2024
DOI: https://doi.org/10.1007/978-3-031-57537-2_20

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner