-

Exotic Compilers as a Malware Evasion Technique (Discussion Paper)

Michele Ianni

Elio Masciari

elio.masciari@icar.cnr.it 1

Domenico Sacca

saccag@dimes.unical.it 0 0 DIMES, University of Calabria , Rende , Italy 1 ICAR, CNR , Rende , Italy

The increasing complexity of new malware and the constant re nement of detection mechanisms are driving malware writers to rethink the malware development process. In this respect, compilers play a key role and can be used to implement evasion techniques able to defeat even the new generation of detection algorithms. In this paper we provide an overview of the endless battle between malware writers and detectors and we discuss some considerations on the bene ts of using high level languages and even exotic compilers (e.g. single instruction compilers) in the process of writing malicious code.

Metamorphic malware Obfuscation Single instruction compilers

Malware detection

Introduction

History of malware, short for malicious software, is characterized by the endless battle between malware writers and detectors. Since detection strategies are becoming more and more complex, malware writers have to invent new techniques in order to evade detection. Today we can nd many viruses that can be considered as pieces of art because they employ several clever ideas in order to keep themselves as stealth as possible. The increasing complexity of new malware is posing new intriguing challenges both from the malware writer perspective and detection mechanisms. In order to implement complex malware, able to spread itself on various operating systems and architectures, it could be useful to move from pure assembly implementations, to malware written using high level languages. In this respect the use of compilers is a key concept to take into account. Compilers, in fact, can be used to implement metamorphic techniques and obfuscation and can build executables able to defeat new detection mechanisms based on the extraction of semantic patterns from the binaries. The paper is organized as follows: in section 2 we describe several techniques used by malware writers in order to avoid detection. In section 3 we show some of the strategies used by antivirus software to detect malicious code and we focus our attention on CFG based detection. In section 4 we discuss the bene ts related to the use of compilers in the process of writing malicious code and we show the advantages Copyright c 2019 for the individual papers by the papers authors. Copying permitted for private and academic purposes. This volume is published and copyrighted by its editors. SEBD 2019, June 16-19, 2019, Castiglione della Pescaia, Italy. of using single instruction compilers as an evasion technique. Finally in section 5 we draw our conclusions. 2

Evasion techniques

The most widespread technique used by commercial anti-malware systems in order to detect viruses is based on malware signatures [ 21 ]. They are invariant patterns, usually taken from the program's code or raw le content, used to uniquely identify the given malware. To evade signature based scanners many today viruses (called metamorphic) are able to transform themselves during the propagation phase, without losing their capabilities [ 47 ]. To achieve this goal several metamorphic transformation are used, including code permutation, garbage code insertion, code shrinking and expansion, register renaming, encryption [ 2, 3, 15 ]. The result of these transformations is a brand new virus that, while keeping the functionality of its predecessor, present a di erent structure and then a di erent signature, thus evading detection [ 47 ]. As explained in [ 4 ], we de ne M P to be the set of malicious programs, where P is the set of all programs and S to be the set of signatures. A detector is then a function D : P M ! f0; 1g. A program p is detected if there is a signature m 2 S such that D(p; m) = 1. In the case of malwares D(p; m) = 1 () m is a pattern derived from p.

Using signature for malware detection is e cient only if it is applied to known malware. This technique, compared to dynamic analysis techniques, has less scanning time, lower false-positive ratio and doesn't su er of the risks of system infection due to the execution of the malware. The use of code obfuscation techniques allows to easily generate variants of known malware resulting in new malware that cannot be detected by signature based scanners and are harder to comprehend for an human analyst. As stated in [ 31 ] more than 80% of malware is packed, in accordance to [ 41 ] almost 50% of new malware in 2006 were existing malware obfuscated with packing techniques. The same trend is linked to the use of other obfuscation approaches. There exist many examples of code obfuscation designed to avoid AV scanners detection [ 17, 23, 32, 34 ] and all of them are able to easily evade signature based malware detectors.

As described in [ 47 ] except for packing, the rst obfuscation technique historically used is encryption [ 36, 37, 45 ]. The executable body is crypted and the malware adds to it a decryptor that provides decryption of the body at program runtime. Since at every infection the cryptographic keys used are di erent the crypted virus body will be always di erent. One of the rst viruses that developed this strategy is Cascade, followed by Win95/Mad and Win95 Zombie [ 42 ]. Some of this kind of viruses use also multiple layers of encryption (Win32/Coke). The major limitation of this approach is that in most cases the decryption is in clear text and, since it is always the same, it can be used in order to generate a signature. To overcome this limitation malware writers created new malware able to change also decryptor code. This led to the birth of polymorphic malware [ 34 ], that, using many di erent techniques [ 11, 26, 45 ] are able to generate always di erent decryptors, without invariant patterns that could be used as signatures. The rst viruses that used a real 32-bit polymorphic engine were Win95/Marburg and Win95/HPS. They have been developed and spreaded online many polymorphic engines, among these we can cite \The Mutation Engine" (MtE ) [ 36 ] that is able to easily convert non obfuscated code into polymorphic malware. Altough polymorphic malware are e ective against signature based detection, they can be detected using more re ned techniques. After the decryption phase, in fact, the body of the virus will be always the same. Using sandboxing techniques [ 36, 37 ] the detectors are able to emulate malware in a controlled environment, allowing the decryptor to decrypt malware body in memory. At this point it is still possible to use signature based techniques on the decrypted body. To prevent malware emulation several armoring techniques have been proposed [ 36 ] but the improvements in sandboxing mechanisms brought many of them to be ine ective. To overcome all these limitations malware writers brought obfuscation to a new level: metamorphic malware [ 17, 23 ] [ 11, 26, 37, 45 ]. They are malware able to transform their own body during infection phase. At each iteration metamorphic malware is rewritten so that each succeeding version of the code is di erent from the preceding one.

There are numerous techniques used by this kind of malware (and often by polymorphic malware too): { Register swapping : is a technique used, for example, by Vecna's Win95/Regswap virus [ 45 ]. It consists in changing registers used in various instructions during the evolution from generation to generation. Wildcard searching makes this technique ine ective. { Instruction substitution : it is based on substituting single, or groups, of instructions with other instructions (or groups of them). The new instructions will be equivalent to the previous ones in functionalities but syntactically di erent [ 26 ]. { Garbage instructions insertion : is a technique based on the insertion of garbage instructions, that are useless for the execution of the program. Their only goal is to vary malware body [ 1, 26, 45 ]. They can be single instructions or sequences that perform useless operations leaving unaltered the state of the program or even instructions located in areas of the program that will never be executed. In this case we are talking about dead-code. { Transposition: this name is used to de ne many instruction reordering techniques that leave unaltered the ow of the program [ 11 ]. One of these technique consist in randomly reordering some instructions then using unconditional jumps to reconstruct the original ow. In a more elegant way it is possible to isolate independent groups of instructions then modify their order. In this case, since the sequences are independent, there is no need to make use of unconditional jumps. Finding independent groups of instructions is not an easy task to perform, so, often developers use easier techniques, which can be considered a variant of the rst one. It is based on the reordering of the various subroutines that are present inside the malware [ 11 ]. One of the malware that used this approach is Win32/Ghost. If we have n subroutines we are able to generate up to n! di erent variants. { Code integration: is the most sophisticated technique used to obfuscate code.

It has been introduced by the virus writer Zombie in Win95/Zmist (Zombie Mistfall). It consists in decompiling the program to infect in distinct parts and then inserting malware code between them. At the end the original program and the malware are reassembled in a single executable. Although several theoretical studies [ 10, 14 ] have proved that an algorithm able to detect all types of malware can not exist, a lot of e ort has been put to improve detection mechanisms. Several methods have been proposed, varying from support vector machine (SVM) [ 7 ], to decision trees [ 25,33 ], to Naive Bayes Method [ 38 ]. There are two di erent approaches in malware detection: static and dynamic analysis. The rst analyzes a binary without executing it. Since this technique is safer, faster and easier to implement than dynamic analysis, it is the most widespread approach, even if it is more limited than the latter. Some examples of operations that are performed by static analysis are nding patterns on executables and code ow analysis. In addition to be fast and safe, static analysis has the advantage of reaching complete application code coverage, thus reducing the number of false positives in malware detection. The main problem in using static analysis is that it is very di cult to detect unknown malware. Dynamic analysis, instead, runs malware in a sandbox simulating the behaviour of a real environment, monitoring all system calls. It is clear that the speed of performing this kind of analysis is much slower than static analysis techniques. In addition to that, several techniques have been proposed from malware writers in order to check if the infected executable is running inside a virtual machine, and, in that case, changing its own behaviour in a non o ensive one. To overcome the limitation of static analysis they have been introduced many techniques based on the concept of code normalization. These techniques try to reduce obfuscated code to a base form that is the same for all obfuscated variants of the same executable. Many di erent approaches to code normalization have been proposed. Among them we can cite Christodorescu et al. [ 12 ], Walenstein et al. [ 44 ] and Lakhotia et al. [ 28 ]. In the latter the base form is called \zero form" and the process to reduce an executable to that form is called \zeroing". As herm1t states in [ 20 ] if this kind of approach was perfect a tool that could perform zeroing reducing all possible variants of a virus into a single \normalized" form (not necessarily optimal), could then use this strategy with every algorithm thus proving or refuting their identity. That's known to be indecidable. The e ort of the creators of detectors is then focused on capturing semantic pattern inside an executable rather than invariant synctactic features. These techniques vary from API call analysis [ 35 ] to Control Flow Graph analysis.

As explained in [ 40 ] a Control Flow Graph (CFG ) is a graph in which the nodes are basic blocks of execution and the edges are possible control ow transfers between them. They are used both for malware detection and vulnerability discovery. CFG recovery is a widely discussed topic in literature, we can cite [ 13, 24, 27, 39, 43, 46 ].

Many CFG recovery algorithms deal with the problem of indirect jumps. An indirect jump occurs when the control ow is transferred to a target represented by a value in a register or to a memory location. This makes ow analysis much harder because the destination of the jump is not easily resolvable. This is because it could depend from computations speci ed in code, from the application context or even from function pointers used in object oriented languages to implement object polymorphism [ 40 ].

Control Flow Graph based malware detection As previously stated, due to the di culty on isolating invariant synctactic features of a self-mutating malware, the e ort of the creators of detectors is focused on capturing semantic patterns. CFG are widely used to nd similiarities among executables [ 18 ] and, more in detail, among malwares [4{6,8,9,19,22,30]. The techniques proposed in literature are based on generating the CFG of a program P to analyze. The generated CFG is the compared to a set of CFGs of known viruses in order to nd isomorphic components. Usually ( [ 6 ]) before extracting the CFG from a program P a set of normalization operations [ 28 ] are performed on the binary. This step aims to reduce the e ects of mutation techniques. The normalized binary is then used to extract the CFG which is then compared to CFG extracted by normalized known malware. If the CFG of the normalized program contain a subgraph isomorphic to the CFG of a malware, then the executable is marked as malicious. 4

Using compilers to evade detection

The advances in malware detection and the plethora of di erent devices and operating systems in use nowadays, pose new intriguing challenges to malware writers. The use of assembly language is becoming more and more painful, because of the di culties involved to write portable and easy-to-support code. In the forward-looking article \Recompiling the metamorphism" [ 20 ], the author, herm1t, suggests to make use of high level languages in order to overcome the di culties involved in developing malware in pure assembly. He outlines how using a high level language gives to the developer the opportunity to easily extract additional information from the code, rather than builtin support for features like hashes, iterators or objects. The idea of "recompiling the metamorphism" is without any doubt interesting and introduces many advantages to the virus writer, however, not all the bene ts of using compilers have been considered in detail. In order to evade new anti-malware techniques based on the extraction of semantic patterns from executables, compilers could play an important role. They, in fact, are able to generate executables characterized by very di erent structures and could be used in order to defeat detection mechanisms. In this respect we take into accounts the bene ts introduced by using exotic compilers, like the M/o/Vfuscator2 3 in order to obtain di erent CFGs, thus fooling the CFG based detection.

Single instruction compilers as an evasion technique In [ 16 ], Dolan demonstrates the Turing-completeness of the x86 instruction mov. After the publication of the article many people started to implement, most of the time for fun, single instruction compilers, capable to compile arbitrary programs into lists of only mov instructions. Several di erent instruction turned out to be Turing-complete, so many di erent single instruction compilers arose 4. Even if at rst sight it may seem just like a funny fact, the use of single instruction compilers has very interesting consequences. Since in single instruction compiled programs comparisons, jumps, function calls are all implemented with a single instruction, the resulting CFG is a single (usually long) basic block. This result is very interesting, because having a CFG composed by a single basic block make ine ective all detection mechanisms based on CFG isomorphism detection. Using a single instruction 3 https://github.com/xoreaxeaxeax/movfuscator 4 https://github.com/xoreaxeaxeax/movfuscator/tree/master/post compiler, however, has its drawbacks. First of all a program compiled with a single instruction compiler could be considered suspicious, thus marked as malicious. In addition to that, the size of a program compiled with a single instruction compiler, is, most of the time, much bigger than the size of the same program compiled using the entire set of instructions. This introduces some problems to virus writers that in many cases have a limited space in the binary they are going to infect, so they should keep the malicious code as small as possible. Sometimes even the performances of the malicious code is important and programs compiled with a single instruction compiler usually are slower than traditional ones in terms of execution speed. These problems lead to rethink the way single instruction compilers are used for evasion purposes. A simple but e ective solution could be splitting the source code at compilation time. In our implementation we mark with source code annotation the functions that we want to compile with a single instruction compiler, then at compilation time, making use of the tools provided by LLVM [ 29 ] we are able to build an executable that uses the full set of instructions for the code that cannot be used to determine its malicious behaviour and a single instruction for the malware routines. In this way we are able to build a much smaller executable that is still able to fool CFG based malware detection. It is important to underline that the single block of single instruction compiled code can be furtherly modi ed using the metamorphic techniques described in section 2. This single block can be also manipulated in order to obtain di erent CFGs, this can be easily done by inserting jumps or comparisons, thus creating branches in the graph. To further variate the result of the obfuscation, several di erent single instruction compilers can be adopted, resulting in a great variety of CFGs, making very hard for the detectors to extract signatures, both syntactically, due to metamorphic transformation, and semantically, thanks to the always changing CFG. 5

Conclusions

In this paper we presented and overview of the techniques used by malware in order to avoid detection as well as some detection mechanisms. We showed the bene ts related to the use of compilers on the process of malware creation and we proposed the use of single instruction compilers as an evasion mechanisms for CFG based malware detection. In order to overcome the limitations of this kind of compilers we proposed several solutions that can greatly increase the ability of malware to hide itself from detectors.

1. Balakrishnan , A. , Schulze , C. : Code obfuscation literature survey . CS701 Construction of compilers 19 ( 2005 )

2. Barak , B. , Goldreich , O. , Impagliazzo , R. , Rudich , S. , Sahai , A. , Vadhan , S. , Yang , K. : On the (im) possibility of obfuscating programs . In: Annual International Cryptology Conference . pp. 1 { 18 . Springer ( 2001 )

3. Beaucamps , P. , Filiol , E.: On the possibility of practically obfuscating programs towards a uni ed perspective of code protection . Journal in Computer Virology 3 ( 1 ), 3 { 21 ( 2007 )

4. Bonfante , G. , Kaczmarek , M. , Marion , J.Y.: Control ow graphs as malware signatures . In: International workshop on the Theory of Computer Viruses ( 2007 )

5. Briones , I. , Gomez , A. : Graphs, entropy and grid computing: Automatic comparison of malware . Virus Bulletin pp. 1 { 12 ( 2008 )

6. Bruschi , D. , Martignoni , L. , Monga , M. : Detecting self-mutating malware using control- ow graph matching . In: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment . pp. 129 { 143 . Springer ( 2006 )

7. Burges , C.J.: A tutorial on support vector machines for pattern recognition. Data mining and knowledge discovery 2(2 ), 121 { 167 ( 1998 )

8. Cesare , S. , Xiang , Y. : Classi cation of malware using structured control ow . In: Proceedings of the Eighth Australasian Symposium on Parallel and Distributed Computing-Volume 107 . pp. 61 { 70 . Australian Computer Society, Inc. ( 2010 )

9. Cesare , S. , Xiang , Y. : A fast owgraph based classi cation system for packed and polymorphic malware on the endhost . In: 2010 24th IEEE International Conference on Advanced Information Networking and Applications . pp. 721 { 728 . IEEE ( 2010 )

10. Chess , D.M. , White , S.R.: An undetectable computer virus . In: Proceedings of Virus Bulletin Conference . vol. 5 , pp. 1 { 4 ( 2000 )

11. Christodorescu , M. , Jha , S. : Static analysis of executables to detect malicious patterns . Tech. rep. , WISCONSIN UNIV-MADISON DEPT OF COMPUTER SCIENCES ( 2006 )

12. Christodorescu , M. , Kinder , J. , Jha , S. , Katzenbeisser , S. , Veith , H.: Malware normalization . Tech. rep. , University of Wisconsin ( 2005 )

13. Cifuentes , C. , Van Emmerik , M. : Recovery of jump table case statements from binary code . Science of Computer Programming 40 ( 2-3 ), 171 { 188 ( 2001 )

14. Cohen , F. : Computer viruses . Computers & security 6(1) , 22 { 35 ( 1987 )

15. Collberg , C. , Thomborson , C. , Low , D.: A taxonomy of obfuscating transformations . Tech. rep. , Department of Computer Science, The University of Auckland, New Zealand ( 1997 )

16. Dolan , S. : mov is turing-complete . Tech. rep., Tech. rep . 2013 (cit . on p. 153) ( 2013 )

17. Driller , M.: Metamorphism in practice . 29A Magazine 1 ( 6 ) ( 2002 )

18. Dullien , T. , Rolles , R.: Graph-based comparison of executable objects (english version) . SSTIC 5 , 1 { 3 ( 2005 )

19. Eskandari , M. , Hashemi , S. : Metamorphic malware detection using control ow graph mining . Int. J. Comput. Sci. Network Secur 11 ( 12 ), 1 { 6 ( 2011 )

20. herm1t: Recompiling the metamorphism . https://83.133.184 .251/virensimulation.org/lib/vhe11.html ( 2002 ), accessed: 2018 -11-13

21. Idika , N. , Mathur , A.P.: A survey of malware detection techniques . Purdue University 48 ( 2007 )

22. Jeong , K. , Lee , H. : Code graph for malware detection . In: 2008 International Conference on Information Networking . pp. 1 { 5 . IEEE ( 2008 )

23. Julus , L. : Metamorphism. 29A Magazine 1 ( 5 ) ( 2000 )

24. Kinder , J. , Veith , H.: Jakstab: A static analysis platform for binaries . In: International Conference on Computer Aided Veri cation. pp. 423 { 427 . Springer ( 2008 )

25. Kolter , J.Z. , Maloof , M.A. : Learning to detect malicious executables in the wild . In: Proceedings of the tenth ACM SIGKDD international conference on Knowledge discovery and data mining . pp. 470 { 478 . ACM ( 2004 )

26. Konstantinou , E. , Wolthusen , S. : Metamorphic virus: Analysis and detection . Royal Holloway University of London 15, 15 ( 2008 )

27. Kruegel , C. , Robertson , W. , Valeur , F. , Vigna , G.: Static disassembly of obfuscated binaries . In: USENIX security Symposium . vol. 13 , pp. 18 { 18 ( 2004 )

28. Lakhotia , A. , Mohammed , M. : Imposing order on program statements to assist anti-virus scanners . In: Reverse Engineering , 2004 . Proceedings. 11th Working Conference on. pp. 161 { 170 . IEEE ( 2004 )

29. Lattner , C. , Adve , V. : Llvm: A compilation framework for lifelong program analysis & transformation . In: Proceedings of the international symposium on Code generation and optimization: feedback-directed and runtime optimization . p. 75 . IEEE Computer Society ( 2004 )

30. Lee , J. , Jeong , K. , Lee , H. : Detecting metamorphic malwares using code graphs . In: Proceedings of the 2010 ACM symposium on applied computing . pp. 1970 { 1977 . ACM ( 2010 )

31. Lyda , R. , Hamrock , J.: Using entropy analysis to nd encrypted and packed malware . IEEE Security & Privacy 5 ( 2 ), 40 { 45 ( 2007 )

32. Mohanty , D. : Anti-virus evasion techniques and countermeasures . Published online at http://www. hackingspirits. com/eth-hac/papers/whitepapers. asp. 18 ( 2005 )

33. Moser , A. , Kruegel , C. , Kirda , E.: Exploring multiple execution paths for malware analysis . In: Security and Privacy , 2007 . SP'07. IEEE Symposium on. pp. 231 { 245 . IEEE ( 2007 )

34. Rajaat: Polimorphism. 29A Magazine 1 ( 3 ) ( 1999 )

35. Sathyanarayan , V.S. , Kohli , P. , Bruhadeshwar , B. : Signature generation and detection of malware families . In: Australasian Conference on Information Security and Privacy . pp. 336 { 349 . Springer ( 2008 )

36. Schi man, M.: A brief history of malware obfuscation: Part 1 of 2 . Published online at https://blogs.cisco. com/security/a brief history of malware obfuscation part 1 of 2 , accessed: 2018 - 11-13

37. Schi man, M.: A brief history of malware obfuscation: Part 2 of 2 . Published online at https://blogs.cisco. com/security/a brief history of malware obfuscation part 2 of 2 , accessed: 2018 - 11-13

38. Schultz , M.G. , Eskin , E. , Zadok , F. , Stolfo , S.J. : Data mining methods for detection of new malicious executables . In: Security and Privacy , 2001 . S&P 2001 . Proceedings. 2001

IEEE

Symposium on . pp. 38 { 49 . IEEE ( 2001 )

39. Schwarz , B. , Debray , S. , Andrews , G.: Disassembly of executable code revisited . In: Reverse engineering, 2002 . Proceedings. Ninth working conference on. pp. 45 { 54 . IEEE ( 2002 )

40. Shoshitaishvili , Y. , Wang , R. , Salls , C. , Stephens , N. , Polino , M. , Dutcher , A. , Grosen , J. , Feng , S. , Hauser , C. , Kruegel , C. , et al.: Sok:(state of) the art of war: O ensive techniques in binary analysis . In: 2016 IEEE Symposium on Security and Privacy (SP) . pp. 138 { 157 . IEEE ( 2016 )

41. Stepan , A. : Improving proactive detection of packed malware . Virus Bulletin 1 ( 2006 )

42. Szor , P. , Ferrie , P. : Hunting for metamorphic . In: Virus bulletin conference . Prague ( 2001 )

43. Troger , J. , Cifuentes , C. : Analysis of virtual method invocation for binary translation . In: Reverse Engineering , 2002 . Proceedings. Ninth Working Conference on. pp. 65 { 74 . IEEE ( 2002 )

44. Walenstein , A. , Mathur , R. , Chouchane , M.R. , Lakhotia , A. : Normalizing metamorphic malware using term rewriting . In: Source Code Analysis and Manipulation , 2006 . SCAM' 06 . Sixth IEEE International Workshop on. pp. 75 { 84 . IEEE ( 2006 )

45. Wong , W. , Stamp , M. : Hunting for metamorphic engines . Journal in Computer Virology 2 ( 3 ), 211 { 229 ( 2006 )

46. Xu , L. , Sun , F. , Su , Z. : Constructing precise control ow graphs from binaries . University of California, Davis, Tech. Rep ( 2009 )

47. You , I. , Yim , K. : Malware obfuscation techniques: A brief survey . In: Broadband, Wireless Computing, Communication and Applications (BWCCA) , 2010 International Conference on. pp. 297 { 300 . IEEE ( 2010 )