JP2013084064A - Analyzer, analysis method, and analysis program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To improve identification accuracy of a packer.SOLUTION: After receiving an instruction to generate a signature from an input section 11, an analyzer 10 performs the steps of: acquiring a packed execution file stored in a packed execution file storage section 14b to run the packed execution file; and acquiring an execution trace of an unpacked code of the packed execution file. A signature generation section 13a then divides the execution trace into specific blocks and generates sets of code blocks. Subsequently, the analyzer 10 compares the sets of code blocks in the execution trace with one another, extracts a set of code blocks which appear in common, and generates a signature.

Description

  The present invention relates to an analysis apparatus, an analysis method, and an analysis program.

  Conventionally, malware program codes that are malicious programs such as computer viruses and spyware are often obfuscated in order to prevent analysis of the operation and function of the malware. One example of such obfuscation is one that uses a reversible algorithm such as XOR encoding or encryption using a specific key. Further, obfuscation of the program code of the malware and concealing the original code, which is the original program code, is called packing, and the tools that execute the packing are generally called packers.

  By the way, the packed malware has an obfuscated program code as data and an expanded code for restoring the original code. Specifically, when the packed malware is executed, the portion of the expanded code is executed, the obfuscated program code is solved, and the original code is expanded on the memory. Subsequently, when the development of the original code is completed, the developed original code is executed.

  As a method for identifying a packer used for such packed malware, a technique is known in which a matching process using a signature is performed to identify a packer used in an execution file to be inspected. For example, a characteristic byte sequence of the packed expanded code portion and data portion is manually extracted, matching processing is performed using the extracted characteristic byte sequence as a signature pattern, and used in the execution file to be inspected. Identify the packer.

“The new signature generation method based on an unpacking algorithm and procedure for a packer detection”, International Journal of Advanced Science and Technology, VOL. 27, February 2011 “A Survey of Malware Detection Techniques”, Technical report. Department of Computer Science, Purdue University, February 2007

  However, in the above-described conventional technique, the characteristic byte strings of the packed expanded code portion and the data portion are manually extracted. Therefore, it is difficult to create a large number of signatures at high cost. Further, taking the case of the x86 architecture as an example, it is difficult to perform accurate disassembly, and a highly accurate signature cannot be obtained. As a result, there was a problem that the packer identification accuracy could not be improved.

  Accordingly, the present invention has been made to solve the above-described problems of the prior art, and an object thereof is to improve the packer identification accuracy.

  In order to solve the above-described problems and achieve the object, the analysis device disclosed in the present application operates each executable file obfuscated using each of a plurality of obfuscation tools with respect to a plurality of execution files. A division unit that divides each instruction code obtained as an operation result of the executable file into a plurality of blocks, and an executable file obfuscated by the same obfuscation tool among the blocks divided by the division unit Extracting blocks that appear in common, generating information about the extracted block features, and using information about the block features generated by the generating unit to obfuscate the executable file to be examined A specifying unit that specifies the obfuscation tool used.

  The analysis device disclosed in the present application has an effect of improving the packer identification accuracy.

FIG. 1 is a block diagram illustrating the configuration of the analysis apparatus according to the first embodiment. FIG. 2 is a diagram illustrating a process of generating a signature using a packed execution file. FIG. 3 is a diagram for explaining processing for generating a signature using an execution file before packing together with an execution file that has been packed. FIG. 4 is a diagram illustrating an identification process for identifying a packer. FIG. 5 is a flowchart for explaining the procedure of the signature generation process of the analysis apparatus according to the first embodiment. FIG. 6 is a flowchart for explaining the procedure of the packer identification process of the analysis apparatus according to the first embodiment. FIG. 7 is a diagram illustrating a computer that executes an analysis program.

  Exemplary embodiments of an analysis apparatus, an analysis method, and an analysis program according to the present invention will be described below in detail with reference to the accompanying drawings. Note that the present invention is not limited to the embodiments.

[Configuration of analyzer]
First, the analysis apparatus according to the first embodiment will be described with reference to FIG. FIG. 1 is a block diagram illustrating a configuration example of an analysis apparatus 10 according to the first embodiment. The analysis apparatus 10 shown in FIG. 1 is mounted on a computer that executes a predetermined program.

  Here, an example of the operation of a computer that executes a program will be described. When a program is executed by a computer, for example, a CPU (Central Processing Unit) inside the computer expands a program stored in a hard disk device or the like in a memory space such as a RAM (Random Access Memory). Specifically, the CPU expands data such as instructions and values in the memory space. Thereby, the program functions as a process. After the process is generated in this manner, the CPU executes various instructions using various data expanded in the process memory space.

  The analysis device 10 includes an input unit 11, an output unit 12, a control unit 13, and a storage unit 14. The analysis apparatus 10 generates a signature and identifies a packer that packs an execution file to be inspected using the generated signature.

  The input unit 11 inputs a signature generation instruction, an execution file to be inspected, and the like, and includes a keyboard, a mouse, a microphone, and the like. The output unit 12 displays, for example, a packer packed in an execution file, and includes a monitor and a speaker.

  The storage unit 14 stores data and programs necessary for various types of processing by the control unit 13, and particularly those closely related to the present invention include an execution file storage unit 14 a, a packed execution file storage unit 14 b, and a signature storage. It has a portion 14c. The storage unit 14 is a semiconductor memory device such as a random access memory (RAM), a read only memory (ROM), or a flash memory, or a storage device such as a hard disk or an optical disk.

  The executable file storage unit 14a stores a plurality of executable files before packing. For example, the executable file storage unit 14a stores a plurality of executable files 1 to n. The packed executable file storage unit 14b stores the packed executable file. For example, the packed executable file storage unit 14b stores each executable file (that is, n × m executable files) packed using the packers 1 to m with respect to the executable files 1 to n. The signature 14c stores a signature generated by a signature generation unit 13a described later.

  The control unit 13 has an internal memory for storing a program that defines various processing procedures and necessary data, and performs various processes by using these programs. Particularly, as closely related to the present invention, It has a signature generation unit 13a and an obfuscation tool identification unit 13b. Note that a CPU (Central Processing Unit), an MPU (Micro Processing Unit), or the like is applied as the control unit 13.

  The signature generation unit 13a extracts a characteristic code block corresponding to each packer to be used for identifying a packer as a signature, and generates a signature to be used for packer identification from the extracted code block. The signature generation unit 13a includes a division unit 131 and a generation unit 132.

  The dividing unit 131 operates each execution file packed using each of a plurality of packers with respect to a plurality of execution files, and executes an execution trace of each expanded code obtained as an operation result of each execution file into a plurality of blocks. Divide every. Specifically, first, upon receiving a signature generation instruction from the input unit 11, the dividing unit 131 acquires a packed executable file from the packed executable file storage unit 14 b. For example, referring to the example of FIG. 2, the dividing unit 131 uses the n × m packed executable files packed by the packers 1 to m (packer 1 (executable file 1 in the example of FIG. 2)). N), packer 2 (execution files 1 to n)... Packer m (execution files 1 to n) are acquired from the packed execution file storage unit 14b.

  Then, the dividing unit 131 operates each packed execution file, and acquires an execution trace of the expanded code of the packed execution file. Here, the execution trace is a list of instructions executed by the program. Taking the x86 instruction as an example, it may be paraphrased as a sequence of the opcode of the executed instruction and its operand. The execution trace can be acquired by several methods. For example, a method using a debugger, a method using Binary Instrumentation, a method using an emulator, and a method using a virtual machine can be considered.

  More specifically, the expanded code execution trace is a sequence of instructions from the top of the packed execution file to the original entry point that is the original entry point of each execution file. In addition to the original entry point, it is possible to operate until a uniquely defined event appears. In other words, it is only necessary to move to the vicinity where an event that seems to be the end of the expanded code appears. For example, communication to the network occurs until an API call that is highly likely to be used by the original code is seen. However, it may be moved by an index such as until a certain time. Many packers often have this expanded code in multiple stages. When the first expanded code is executed, the expanded code and data of the second stage are expanded on the memory. When the expansion is completed, the jump to the expanded code of the second stage is performed, and the expanded code of the second stage is executed. Read the data that was expanded earlier and expand the original code. The above is a two-stage example, but there are many packers in which this expanded code has multiple stages.

  In addition, as a byte string originally used as a signature, a code portion is preferable to a data portion of an executable file. This is often unsuitable for use as a characteristic pattern of a specific program because the data portion is often in a state of being fluctuating and variable due to an obfuscation algorithm. For example, when XOR encoding is used, if the value that takes XOR with the binary code is changed, the value to be generated changes greatly. On the other hand, the packed executable file is mainly composed of a development code and data. As described above, since the data portion is not suitable as a signature pattern, the accuracy of identification is higher when the byte sequence of the expanded code portion is used as a pattern for the signature.

  Subsequently, the dividing unit 131 divides the execution trace into specific blocks, and creates a set of instruction sequences (hereinafter referred to as code blocks). As a method of dividing into blocks, a basic block unit, a constant instruction number unit (n-gram), a function unit, or the basic block, a constant instruction number, and a function n-gram can be considered. The hash value of each block is obtained. When obtaining a hash value, taking x86 as an example, only the opcode portion of each instruction may be used, or the hash value may be calculated including the operand portion. The hash value calculated here is for facilitating calculation when comparing sets of code blocks described later. If the calculation cost is not taken into account, the hash value is calculated. Is not necessarily required.

  Subsequently, the generation unit 132 extracts code blocks that appear in common among execution files packed by the same packer from the blocks divided by the division unit 131, and obtains the signatures of the extracted code blocks. Generate. For example, the generation unit 132 compares hash value sets of code blocks of the execution traces of the execution files 1 to n packed by the packer 1 to obtain a hash value that appears in common. In other words, a common instruction code is searched for in each execution trace.

The process for obtaining the code block that appears in common is defined by the following equation (1). In other words, if a set of execution trace blocks of the i-th (0 ≦ i ≦ n) executable file packed by the packer q is B _{q, i} , the blocks that appear in common in the n executable files are as follows ( 1) It is defined by the formula. Then, as illustrated in FIG. 2, the generation unit 132 extracts code blocks that appear in common in the execution trace of the expanded code of the packed execution file for all packers 1 to m.

  In the above processing, the generation unit 132 has described the case of generating a signature of a code block that appears in common between executable files packed by the same packer. However, the following equations (2) to (5) are used. As will be described with reference to the above description, a signature of a code block that appears in common among executable files packed with the same packer and does not appear in an executable file packed with another packer is generated. You may do it.

For example, when the calculation of the code block that appears in common in the execution trace of the expanded code portion of the packed execution file is completed for all packers 1 to m, the generation unit 132 is common to the next packer. A set of code blocks that do not appear as code blocks common to other packers is obtained, and this is used as a signature for the packer. When this is defined by an equation, the following equation (2) is obtained. Let P be the set of packers and S _qj be the signature of the packers.

The generation unit 132 obtains the signature S _qj by omitting code blocks that appear in common in all code blocks common to other packers from code blocks that appear in common in a certain packer. When this is defined by an equation, the following equation (3) is obtained.

Alternatively, it is also possible to form generating unit 132, a code block that appears in common in some packers, another signature S _qj a set of code blocks even omitting the code that appeared in one code block execution trace of each packer It is good. When this is defined by an equation, the following equation (4) is obtained.

Furthermore, the generation unit 132 omits code blocks that appear in common in all packers from code blocks that appear in common in a certain packer, although they do not appear in all of the plurality of executable files in each packer. The signature S _qj may be created by When this is defined by an equation, the following equation (5) is obtained.

  Also, the signature generation unit 13a is a block that appears in common among executable files packed by the same packer among the blocks divided by the dividing unit, and appears in an unpacked executable file You may make it produce | generate the signature of the block which does not carry out.

  For example, as illustrated in FIG. 3, the signature generation unit 13a acquires not only the execution file packed by the packer but also the execution file before packing from the execution file storage unit 14a. When the signature generation unit 13a generates a signature for a specific packer, the signature generation unit 13a appears not only in the code block that appears in other packers but also in each executable file from the set of code blocks that commonly appear in the packer. The signature may be created by omitting the code block to be processed.

  As a result, code blocks that tend to appear in a normal executable file can be omitted from the signature of the packer, and a packer-specific signature can be created.

  As shown in FIG. 4, the obfuscation tool identification unit 13b identifies the packer used in the input inspection target execution file using the signature generated by the signature generation unit 13a, and outputs the identified result. . Specifically, when the obfuscation tool identification unit 13b receives the inspection target execution file via the input unit 11, the obfuscation tool identification unit 13b operates the inspection target execution file and acquires an execution trace. Here, since the obfuscated tool identification unit 13b once operates the execution file to be inspected, the expanded code after the second stage appears, and this part is also compared with the signature and used for packer identification processing. . As a result, the development codes in the second and subsequent stages can also be used for the packer identification process, and the packer identification process with high accuracy can be performed.

The obfuscation tool identification unit 13b then divides the execution trace into specific blocks and creates a set of code blocks. Subsequently, the obfuscation tool identification unit 13b compares the created code block with each signature S _j (0 ≦ j ≦ m) stored in the signature storage unit 14c, and calculates a score.

  Here, the score calculation method will be specifically described. The obfuscation tool identification unit 13b obtains an execution trace of the input execution target execution file in the same manner as the signature generation unit 13a, and creates the code block set T obtained from the execution trace and the signature generation unit 13a. The respective signatures are compared, and the score in each signature is calculated by the following equation (6). This equation shows how many code blocks of the code blocks of each signature are included in the execution trace of the execution file to be inspected (how much is matched).

  This score is obtained for all packers 1 to m, and the one with the maximum value (see the following expression (7)) is defined as the packer packed with the execution file. Then, the obfuscation tool identification unit 13b outputs the packer corresponding to the signature with the maximum score from the output unit 12 as a packer packed with the execution file to be inspected. In addition, when a certain value or more is shown based on a certain threshold instead of the maximum score, the executable file may be identified as a packed packer.

  The packer has a situation that it is difficult to perform accurate disassembly. Taking x86 code as an example, this is an architecture that allows data to be included in the code area for reasons such as code optimization and increased cache efficiency. Packers often have an analysis blocking function that makes disassembly difficult by exploiting this feature and including data in the middle of code blocks. As a result, it is difficult to automatically specify the expanded code portion of the packed executable file, and manual intervention is often required to obtain an accurate disassembly result. On the other hand, in the analysis device 10, since the execution trace is based on the instruction code actually executed by the CPU, it can be clearly determined as the code, and the data and code at the time of disassembly can be distinguished. The problem of disappearing does not occur.

[Processing by analyzer]
Next, processing performed by the analysis apparatus 10 according to the first embodiment will be described with reference to FIGS. 5 and 6. FIG. 5 is a flowchart for explaining the procedure of the signature generation process of the analysis apparatus according to the first embodiment. FIG. 6 is a flowchart for explaining the procedure of the packer identification process of the analysis apparatus according to the first embodiment.

  As illustrated in FIG. 5, when the signature generation unit 13a of the analysis apparatus 10 receives a signature generation instruction from the input unit 11 (Yes in step S101), the packed execution file stored in the packed execution file storage unit 14b is received. The acquired execution file is acquired and operated (step S102).

  Then, the signature generation unit 13a acquires an execution trace of the expanded code of the packed execution file (step S103). Subsequently, the signature generation unit 13a divides the execution trace into specific blocks, and generates a set of code blocks (step S104).

  Then, the signature generation unit 13a compares a set of code blocks of each execution trace (step S105), extracts a set of code blocks that appear in common, and generates a signature (step S106). Specifically, the signature generation unit 13a obtains a set of code blocks that appear in common to a certain packer but do not appear as common code blocks of other packers, and the set of code blocks is obtained as the packer. And is stored in the signature storage unit 14c, and the process ends.

  Next, the packer identification process will be described with reference to FIG. As illustrated in FIG. 6, when the obfuscation tool identification unit 13b of the analysis apparatus 10 receives the inspection target execution file via the input unit 11 (step S201), the execution trace of the inspection target execution file is acquired (step S202). ).

  The obfuscation tool identification unit 13b then divides the execution trace into specific blocks and creates a set of code blocks (step S203). Subsequently, the obfuscation tool identification unit 13b compares the created code block with each signature stored in the signature storage unit 14c, and calculates a score (step S204).

  Specifically, the obfuscation tool identification unit 13b acquires the execution trace of the input execution target execution file in the same manner as the signature generation unit 13a, and obtains a set T of code blocks obtained from the execution trace and the signature. The signatures created by the generation unit 13a are compared, and the score for each signature is calculated. Then, the obfuscation tool identification unit 13b outputs the packer corresponding to the signature with the maximum score from the output unit 12 as the packer used in the execution file to be inspected (step S205).

[Effect of Example 1]
As described above, the analysis apparatus 10 operates each execution file packed using each of a plurality of packers with respect to a plurality of execution files, and uses each instruction code obtained as an operation result of each execution file. Divide into multiple blocks. Then, the analysis apparatus 10 extracts code blocks that appear in common among executable files packed by the same packer from among the divided blocks, and generates a signature of the extracted code blocks. Then, the analysis apparatus 10 specifies the packer used for packing the execution file to be inspected using the generated code block signature. For this reason, as a result of generating a highly accurate signature, it is possible to improve the packer identification accuracy.

  Further, according to the first embodiment, among the divided code blocks, code blocks that appear in common between execution files packed with the same packer and packed with other packers are executed. Generate a signature that does not appear in the file. For this reason, as a result of being able to generate a packer-specific signature, it is possible to improve the packer identification accuracy.

  Further, according to the first embodiment, among the divided code blocks, code blocks that appear in common among executable files packed by the same packer and appear in an unpacked executable file Generate information about the features of the code blocks that do not. For this reason, as a result of being able to generate a packer-specific signature, it is possible to improve the packer identification accuracy.

  Further, according to the first embodiment, the execution file to be inspected is operated, the degree of matching between the instruction code obtained as the operation result of the execution file to be inspected and the generated signature is calculated, and according to the calculated result Thus, since the packer used for packing the execution file to be inspected is specified, it is possible to improve the packer identification accuracy.

[Analysis program]
FIG. 7 is a diagram illustrating that the processing by the analysis program is specifically realized using a computer. As illustrated in FIG. 7, the computer 1000 includes, for example, a memory 1001, a CPU 1002, a hard disk drive interface 1003, a disk drive interface 1004, a serial port interface 1005, a video adapter 1006, and a network interface 1007. These units are connected by a bus 1008.

  As illustrated in FIG. 7, the memory 1001 includes a ROM (Read Only Memory) 1001a and a RAM (Random Access Memory) 1001b. The ROM 1001a stores a boot program such as BIOS (Basic Input Output System). The hard disk drive interface 1003 is connected to the hard disk drive 1009 as illustrated in FIG. The disk drive interface 1004 is connected to the disk drive 1010 as illustrated in FIG. For example, a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1010. The serial port interface 1005 is connected to, for example, a mouse 1011 and a keyboard 1012 as illustrated in FIG. The video adapter 1006 is connected to a display 1013, for example, as illustrated in FIG.

  Here, as illustrated in FIG. 7, the hard disk drive 1009 stores, for example, an OS 1009a, an application program 1009b, a program module 1009c, and program data 1009d. That is, the analysis program is stored in, for example, the hard disk drive 1009 as a program module 1009c in which a command to be executed by the computer 1000 is described. Specifically, a signature generation procedure for executing the same processing as the signature generation unit 13a described in the above embodiment and an obfuscation tool identification procedure for executing the same processing as the obfuscation tool identification unit 13b are described. A program module 1009c is stored in the hard disk drive 1009. Data used for processing by the analysis program is stored as program data 1009d in, for example, the hard disk drive 1009. Then, the CPU 1002 reads the program module 1009c and program data 1009d stored in the hard disk drive 1009 to the RAM 1001b as necessary, and executes a signature generation procedure and an obfuscation tool identification procedure.

  Note that the program module 1009c and the program data 1009d related to the analysis program are not limited to being stored in the hard disk drive 1009, but are stored in, for example, a removable storage medium and read out by the CPU 1002 via the disk drive 1010 or the like. Also good. Alternatively, the program module 1009c and the program data 1009d related to the analysis program are stored in another computer connected via a network (LAN (Local Area Network), WAN (Wide Area Network), etc.), and are transmitted via the network interface 1007. May be read by the CPU 1002.

DESCRIPTION OF SYMBOLS 10 Analysis apparatus 11 Input part 12 Output part 13 Control part 13a Signature production | generation part 13b Obfuscation tool identification part 14 Storage part 14a Execution file storage part 14b Packed execution file storage part 14c Signature storage part

Claims (6)

Dividing multiple executable files by operating each executable file obfuscated using multiple obfuscation tools, and dividing each instruction code obtained as a result of each executable file into multiple blocks And
A generation unit that extracts blocks that appear in common among executable files obfuscated by the same obfuscation tool from among the blocks divided by the division unit, and generates information about the characteristics of the extracted blocks; ,
An analysis apparatus comprising: a specifying unit that specifies an obfuscation tool used for obfuscation of an execution file to be inspected using information about the feature of the block generated by the generation unit.   The generating unit is a block that appears in common among executable files obfuscated by the same obfuscation tool among the blocks divided by the dividing unit, and is obfuscated by other obfuscation tools. The analysis apparatus according to claim 1, wherein information relating to a feature of a block that does not appear in the converted execution file is generated.   The generation unit is an execution file that is a block that appears in common among execution files obfuscated by the same obfuscation tool among the blocks divided by the division unit and is not obfuscated The analysis apparatus according to claim 1, wherein information on a feature of a block that does not appear is generated.   The specifying unit operates the execution file to be inspected, calculates a degree of matching between the instruction code obtained as an operation result of the execution file to be inspected and information about the feature generated by the generation unit, and calculates The analysis device according to claim 1, wherein an obfuscation tool used for obfuscation of the execution file to be inspected is specified according to the result. Dividing multiple executable files by operating each executable file obfuscated using multiple obfuscation tools, and dividing each instruction code obtained as a result of each executable file into multiple blocks Process,
A generation step of extracting blocks that appear in common among executable files obfuscated by the same obfuscation tool among the blocks divided by the division step, and generating information on the characteristics of the extracted blocks; ,
And a specifying step of specifying an obfuscation tool used for obfuscation of the execution file to be inspected using information on the feature of the block generated by the generating step. Dividing multiple executable files by operating each executable file obfuscated using multiple obfuscation tools, and dividing each instruction code obtained as a result of each executable file into multiple blocks Steps,
A generation step of extracting a block that appears in common among executable files obfuscated by the same obfuscation tool among the blocks divided by the division step, and generating information on the characteristics of the extracted block; ,
An analysis program for causing a computer to execute a specific step of identifying an obfuscation tool used for obfuscation of an execution file to be inspected using information on the feature of the block generated by the generation step.

Images