A White Paper from AccessData Group. Cerberus. Malware Triage and Analysis

Transcription

1 A White Paper from AccessData Group Cerberus Malware Triage and Analysis

2 What is Cerberus?

3 Cerberus is the first-ever automated reverse engineering tool designed to show a security analyst precisely what an executable is capable of within minutes without a sandbox. Cerberus serves as a malware triage platform. It eliminates the potential for extraordinary backlog in a reverse engineer s workflow while equipping security experts with immediate, easily digestible intelligence. The Current Problem There are tens of thousands of static executables on disk and typically 100+ processes running on a given machine at any time. Any one of them could contain malicious code capable of stealing valuable information and sending it back to an attacker. Since most machine users (and most incident responders for that matter) are not able to translate the machine code contained in executables or extracted from running memory into something humanreadable, reverse engineers are often relied on to fill in the gaps. Reverse engineering is a time consuming effort requiring highly skilled individuals who are in very short supply. Additionally, only a small percentage of malicious files and running processes need to be fully disassembled. There is a great need for automated analysis to fill the gap between what incident responders are finding and what needs to be fully examined. Reverse engineers disassemble the executable in full and provide incident responders with relevant information about it, in a language that they understand. Similar to translating a several million word document from one language to another, reverse engineering an executable can take days, if not weeks, depending on its size and complexity. Given the sheer amount of executables and running processes on a machine, and malware being generated everyday, it is impossible for a human to translate (pull apart) every executable that finds its way onto a machine. An alternative to reverse engineering every binary on the machine would be to run each one in a sandbox or perform some form of dynamic analysis. Keep in mind that certain malware is incorporating counter measures to thwart dynamic analysis which introduces additional variables and sometimes behaves differently depending on the OS. Unfortunately, this approach only tells the analyst what an executable does under certain conditions, not everything the executable is capable of doing. That is, given an infinite number of scenarios outside a sandbox environment, where and how could this executable be most dangerous?

4 This is a diagram of a sample function from a malicious application. It checks whether a file exists in the top block, and then chooses which functionality to execute based on whether it finds this file. Malware triage via Cerberus takes roughly the same amount of time as running the executable in a sandbox but gets the results of a reverse engineer. In literally minutes, it produces results that a general security analyst can understand. Watching the program run once in a sandbox, analysts may only see one code path executed, as highlighted in brown above. This code path would only demonstrate behavior when the file isn t found. In this case, analysts would have no knowledge of behavior when the file does exist. In reviewing the results, this expert can either deal with a potential problem from a high level, or determine that further analysis is needed. Given that the vast majority of executables are benign, first triaging executables with Cerberus allows a reverse engineer to save time that would otherwise be wasted looking at all potential threats. How It Works Instead of running a binary in a sandbox, Cerberus emulates the machine code contained in the executable so that the binary has no way to control its own destiny. In this manner, Cerberus can emulate all paths through the executable and tell the user what the executable is capable of versus what it did during one or more executions. Since most malware will detect that it is running in a sandbox, this distinction is essential for triaging an executable that has malicious intent. In addition to masking its malicious intent, some malware samples seen in the wild are capable of escaping the sandbox environment and gaining access to the analyst s physical workstation. This is a huge security concern, and there is a growing amount of research into virtual machine escape vulnerabilities. With that in mind, Cerberus is designed to emulate the executable s instructions versus allowing it to execute on its own. By emulating the instructions internally, the analyst need not worry about malicious executables invading their machine because of vulnerabilities in the sandbox environment.

5 Cerberus Combining Control Flow Analysis & Data Flow Analysis Cerberus uses control flow and data flow analysis together to emulate all paths within an executable and monitor changes within its local memory and variable allocations. Cerberus then tells the user possible values for each argument in each function, revealing what that executable is capable of doing in a language that is easily understood by any security analyst. In this respect, Cerberus is analogous to IBM s Deep Blue chess-playing computer, designed to make the best chess-match decision by doing three things: 1) Data Flow Analysis: Evaluating the current conditions of a chess board (i.e. where each of the pieces are currently located on the board.) 2) Control Flow Analysis: Emulating all possibilities in all possible games moving forward given the current conditions (i.e. where each of the pieces are capable of moving and what the possible decision points are for each piece.) 3) Providing Results: Presenting data so that the best decision can be made moving forward. Building on the chess example, Cerberus emulates every single path of an executable (or, all possible moves in a chess game) and watches how the data (chess pieces) is being manipulated to show what s possible. Similar to how a well-programmed computer is able to look at a chess board, interpret data, emulate the possibilities and intelligently move forward faster and more effectively than a human player, the automated process in Cerberus is exponentially more efficient than a human reverse engineer. This function is illustrated on the next page

6 Each separate code path is highlighted in brown. Cerberus analyzes all code paths, regardless of how the executable behaves any particular time it is run. This includes behavior both when the file is found and when it is not found, providing a more comprehensive picture of the program s behavior.

7 To reiterate, Cerberus emulation uses a control flow path and plays every possible path within an executable. At the same time as it s taking each path in the control flow diagram, it records changes to memory allocations. In this manner, it is able to communicate to the user possible values for each argument to each function. Want to know whether this executable is capable of bypassing your authenticated web proxy? Simply look at the functions used for connecting to the internet and see whether a username or password is used. If one or more username/password combinations are used, are any of them correct? All of this information is available within minutes and doesn t require a reverse engineer. The Typical Scenario Let s envision you are in charge at a security operations center and you receive an alert of a potentially malicious executable, which is attempting to move from Machine A to Machine B. Not knowing exactly what the executable is, you review your options: a) analyze the executable for known strings that may give you, a non-reverse engineer, something to determine malicious intent, b) run the executable in a sandbox to see what it does in a contrived environment or c) send the executable to your reverse engineering team. Let s assume you have 10 reverse engineers on your team who, on average, take one week to completely dissect an executable. If two malicious executables cross your desk per day, and you submit each to the reverse engineering team, by day 5 they d already be behind, and you would still have not received the report from the first executable. All the while, your intellectual property could be walking out the front door. Obviously this is not a scalable process. Not to mention, this scenario assumes you have a team of 10 reverse engineers on staff, which most companies do not have. This is the major problem Cerberus solves. Cerberus essentially serves as the Babel Fish for Incident Responders, translating executables from machine code into English. The translation then offers experts an excellent understanding of what is actually occurring so that they may handle the problems themselves or seek further assistance from a reverse engineer, who now begins the dissection process with a leg up over the traditional scenario. More importantly, it allows reverse engineers to focus on the most important malware while providing immediate intelligence to the incident responders on the frontline. In addition, the reverse engineer and security analyst can communicate using similar language, saving the reverse engineer tons of time because the analyst knows why he is worried about the executable.

8 Conclusion The amount of malware is growing exponentially every day, and the manual analysis provided by reverse engineers cannot keep up with this tidal wave of work. Cerberus automated analysis will tip the scale back in your favor, so you can quickly identify threats while ignoring benign files. AccessData Group has pioneered digital investigations and litigation support for more than twenty years and is the maker of the industry-standard computer forensics technology, FTK, as well as the leading legal review technology, Summation. AccessData provides a broad spectrum of stand-alone and enterprise-class solutions that enable digital investigations of any kind, including computer forensics, incident response, e-discovery, legal review, IP theft, compliance auditing and information assurance. More than 130,000 users in law enforcement, government agencies, corporations, consultancies, and law firms around the world rely on AccessData software solutions, as well as our premier hosted review and digital investigations services. AccessData Group is also a leading provider of digital forensics and litigation support training and certification, with our much sought after AccessData Certified Examiner (ACE ) program and Summation certification program. Come learn why our e-discovery solutions are consistently ranked among the leaders in analysts coverage of the market space, by visiting AccessData.com. AccessData Group 384 South 400 West Suite 200 Lindon, UT USA AccessData, Forensic Toolkit and FTK are registered trademarks owned by AccessData in the United States and other jurisdictions and may not be used without prior written permission. All other marks and brands may be claimed as the property of their respective owners. Any reference to non-accessdata marks are for the purposes of enumerating the technologies AccessData solutions will address during the course of a digital investigation.