Presentation on theme: "Malware Repository Overview Wenke Lee David Dagon Georgia Institute of Technology."— Presentation transcript:
Malware Repository Overview Wenke Lee David Dagon Georgia Institute of Technology
Overview How malware is collected and shared now Malfease’s service-oriented repository –Support for malware analysis, e.g., signature generation, and evaluation of intrusion/anomaly detection/prevention systems, etc. –Automated unpacking
Current Practices Numerous private, semi-public malware collections –Need “trust” to join –“Too much sharing” often seen as competitive disadvantage Analysis not shared Incomplete collections: reflect sensor bias –Darknet-based collection –IRC surveillance –Honeypot-based collection
Shortcomings Malware authors know and exploit weaknesses in data collection Illuminating sensors –“Mapping Internet Sensors with Probe Response Attacks”, Bethencourt, et al., Usenix 2005 Automated victims updates –E.g., via botnets
Solution: Service-Oriented Repository Malfease uses hub-and-spoke model –Hub is central collection of malware –Spokes are analysis partners Hub: –Malware, indexing, search –Static analysis: header extraction, icons, libraries –Metainfo: longitudinal AV scan results Spoke: –E.g., dynamic analysis, unpacking, signatures, etc.
Malware Repo Requirements Malware repos should not: –Help illuminate sensors –Serve as a malware distribution site Malware repo should: –Help automate analysis of malware flood –Coordinate different analysts (RE gurus, Snort rule writers, etc.)
Approaches Repository allows upload of samples –Downloads restricted to classes of users Repository provides binaries and analysis –Automated unpacking –Win32 PE Header analysis –Longitudinal detection data What did the AV tool know, and when did it know it? –Malware similarity analysis, family tree –Etc.
Results Improved AV detection AV Scan 6K very old Samples 0.8K Claimed “OK” Unpacking 5.2K Samples Claimed VX AV ReScan 42 are now claimed VX 10-40% improved AV detection on “old” stuff
Plan for Cyber-TA Evaluation of various signature generation schemes –Development of new schemes Development of signature ensemble scheme - automatically combine the attributes of signatures from different generation schemes Evaluation of intrusion/anomaly detection systems –E.g., automatically generating mimicry/blending attacks based on malware
Conclusion Service-oriented repository –Support research in malware analysis and intrusion/anomaly detection/prevention See malfease.oarci.net for details Credits –David Dagon –Paul Vixie –Paul Royal –Mitch Halpin