research-article

Cubismo: decloaking server-side malware via cubist program analysis

Authors:

Abbas Naderi-Afooshteh,

Anh Nguyen-Tuong,

Mandana Bagheri-Marzijarani,

Jack W. DavidsonAuthors Info & Claims

ACSAC '19: Proceedings of the 35th Annual Computer Security Applications Conference

Pages 430 - 443

https://doi.org/10.1145/3359789.3359821

Published: 09 December 2019 Publication History

Abstract

Malware written in dynamic languages such as PHP routinely employ anti-analysis techniques such as obfuscation schemes and evasive tricks to avoid detection. On top of that, attackers use automated malware creation tools to create numerous variants with little to no manual effort.

This paper presents a system called Cubismo to solve this pressing problem. It processes potentially malicious files and decloaks their obfuscations, exposing the hidden malicious code into multiple files. The resulting files can be scanned by existing malware detection tools, leading to a much higher chance of detection. Cubismo achieves improved detection by exploring all executable statements of a suspect program counterfactually to see through complicated polymorphism, metamorphism and, obfuscation techniques and expose any malware.

Our evaluation on a real-world data set collected from a commercial web hosting company shows that Cubismo is highly effective in dissecting sophisticated metamorphic malware with multiple layers of obfuscation. In particular, it enables VirusTotal to detect 53 out of 56 zero-day malware samples in the wild, which were previously undetectable.

References

[1]

A free online service for analysis of files and URLs enabling the identification of malicious content. 2016. VirusTotal. https://www.virustotal.com. (2016).

[2]

Anonymous. 2019. Anonymized-for-review. https://www.anonymous.com/. (2019).

[3]

Avast Software. 2019. Avast Antivirus. https://www.avast.com/. (2019).

[4]

Avast Software. 2019. AVG Antivirus. https://www.avg.com/. (2019).

[5]

b374k. 2019. PHP Webshell with handy features. https://github.com/b374k/b374k. (2019).

[6]

Baidu. 2019. Baidu Antivirus. http://sd.baidu.com/. (2019).

[7]

Michael Bailey, Jon Oberheide, Jon Andersen, Zhuoqing Morley Mao, Farnam Jahanian, and Jose Nazario. 2007. Automated Classification and Analysis of Internet Malware. RAID (2007).

[8]

Davide Balzarotti, Marco Cova, Christoph Karlberger, Christopher Kruegel, Engin Kirda, and Giovanni Vigna. 2010. Efficient detection of split personalities in malware. In NDSS 2010, 17th Annual Network and Distributed System Security Symposium, February 28th-March 3rd, 2010, San Diego, USA. San Diego, UNITED STATES. http://www.eurecom.fr/publication/3022

[9]

Ulrich Bayer, Imam Habibi, Davide Balzarotti, and Engin Kirda. 2009. A View on Current Malware Behaviors. LEET (2009).

[10]

Bkav Corporation. 2019. Bkav Internet Security. http://www.bkav.com/bkav-internet-security. (2019).

[11]

Tim Blazytko, Moritz Contag, Cornelius Aschermann, and Thorsten Holz. 2017. Syntia: Synthesizing the semantics of obfuscated code. In USENIX Security Symposium. Usenix.

[12]

Kevin Borgolte, Christopher Kruegel, and Giovanni Vigna. 2013. Delta: automatic identification of unknown web-based infection campaigns. ACM.

[13]

David Brumley, Cody Hartwig, Zhenkai Liang, James Newsome, Dawn Song, and Heng Yin. 2008. Automatically Identifying Trigger-based Behavior in Malware. Springer US, Boston, MA, 65--88.

[14]

Jian Chang, Krishna K. Venkatasubramanian, Andrew G. West, and Insup Lee. 2013. Analyzing and Defending Against Web-based Malware. ACM Comput. Surv. 45, 4, Article 49 (Aug. 2013), 35 pages.

Digital Library

[15]

Vitaly Chipounov, Volodymyr Kuznetsov, and George Candea. 2011. S2E: A Platform for In-vivo Multi-path Analysis of Software Systems. In Proceedings of the Sixteenth International Conference on Architectural Support for Programming Languages and Operating Systems (ASPLOS XVI). ACM, New York, NY, USA, 265--278.

Digital Library

[16]

Christian Johansson. 2017. Doesn't support comments outside of namespaces declared with bracketed syntax. https://github.com/nikic/PHP-Parser/issues/412. (2017). Accessed: 2019-05-30.

[17]

Nicolas Christin. 2012. Traveling the Silk Road: A measurement analysis of a large anonymous online marketplace. arXiv.org (July 2012). arXiv:1207.7139v2

[18]

Mihai Christodorescu and Somesh Jha. 2004. Testing malware detectors. ISSTA (2004), 34.

[19]

M Christodorescu, S Jha, S A Seshia, D Song, and R E Bryant. 2005. Semantics-Aware Malware Detection. In 2005 IEEE Symposium on Security and Privacy (S&P'05). IEEE, 32--46.

[20]

Christine Council and Sammi Seaman. 2016. ClamAV. https://www.clamav.net/. (2016).

[21]

Artem Dinaburg, Paul Royal, Monirul Sharif, and Wenke Lee. 2008. Ether: Malware Analysis via Hardware Virtualization Extensions. In Proceedings of the 15th ACM Conference on Computer and Communications Security (CCS '08). ACM, New York, NY, USA, 51--62.

Digital Library

[22]

Manuel Egele, Maverick Woo, Peter Chapman, and David Brumley. 2014. Blanket Execution: Dynamic Similarity Testing for Program Binaries and Components. In Proceedings of the 23rd USENIX Conference on Security Symposium (SEC'14). USENIX Association, Berkeley, CA, USA, 303--317. http://dl.acm.org/citation.cfm?id=2671225.2671245

[23]

Mariano Graziano, Davide Canali, Leyla Bilge, Andrea Lanzi, and Davide Balzarotti. 2015. Needles in a Haystack - Mining Information from Public Dynamic Analysis Sandboxes for Malware Intelligence. USENIX Security Symposium (2015).

[24]

William T. Hallahan, Anton Xue, Maxwell Troy Bland, Ranjit Jhala, and Ruzica Piskac. 2019. Lazy Counterfactual Symbolic Execution. In Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation (PLDI 2019). ACM, New York, NY, USA, 411--424.

Digital Library

[25]

Mark Hills. 2015. Evolution of dynamic feature usage in PHP. In 22nd IEEE International Conference on Software Analysis, Evolution, and Reengineering, SANER 2015, Montreal, QC, Canada, March 2--6, 2015. 525--529.

[26]

Inscapsula. 2017. 2017 Data Breach Investigations Report. https://www.ictsecuritymagazine.com/wp-content/uploads/2017-Data-Breach-Investigations-Report.pdf. (2017).

[27]

Inscapsula. 2017. How Backdoors Bypass Security Solutions with Advanced Camouflage Techniques. https://www.incapsula.com/blog/backdoor-malware-analysis-obfuscation-techniques.html. (2017).

[28]

Luca Invernizzi and Paolo Milani Comparetti. 2012. EvilSeed - A Guided Approach to Finding Malicious Web Pages. IEEE Symposium on Security and Privacy (2012).

Digital Library

[29]

ionCube Ltd. 2019. ionCube. https://www.ioncube.com/phpencoder.php. (2019).

[30]

Roberto Jordaney, Kumar Sharad, Santanu K Dash, Zhi Wang, Davide Papini, Ilia Nouretdinov, and Lorenzo Cavallaro. 2017. Transcend: Detecting concept drift in malware classification models. In PROCEEDINGS OF THE 26TH USENIX SECURITY SYMPOSIUM (USENIX SECURITY'17). USENIX Association, 625--642.

Digital Library

[31]

Nenad Jovanovic, Christopher Kruegel, and Engin Kirda. 2006. Precise alias analysis for static detection of web application vulnerabilities. PLAS (2006).

[32]

Alexandros Kapravelos, Yan Shoshitaishvili, Marco Cova, Christopher Kruegel, and Giovanni Vigna. 2013. Revolver - An Automated Approach to the Detection of Evasive Web-based Malware. USENIX Security Symposium (2013).

[33]

Amin Kharraz, Sajjad Arshad, Collin Mulliner, William K Robertson, and Engin Kirda. 2016. UNVEIL - A Large-Scale, Automated Approach to Detecting Ransomware. USENIX Security Symposium (2016).

[34]

Kyungtae Kim, I Luk Kim, Chung Hwan Kim, Yonghwi Kwon, Yunhui Zheng, Xiangyu Zhang, and Dongyan Xu. 2017. J-force: Forced execution on javascript. In Proceedings of the 26th international conference on World Wide Web. International World Wide Web Conferences Steering Committee, 897--906.

Digital Library

[35]

Clemens Kolbitsch, Paolo Milani Comparetti, Christopher Kruegel, Engin Kirda, Xiaoyong Zhou, and XiaoFeng Wang. 2009. Effective and Efficient Malware Detection at the End Host. In Proceedings of the 18th Conference on USENIX Security Symposium (SSYM'09). USENIX Association, Berkeley, CA, USA, 351--366. http://dl.acm.org/citation.cfm?id=1855768.1855790

Digital Library

[36]

Clemens Kolbitsch, Benjamin Livshits, Benjamin Zorn, and Christian Seifert. 2012. Rozzle: De-cloaking Internet Malware. In Proceedings of the 2012 IEEE Symposium on Security and Privacy (SP '12). IEEE Computer Society, Washington, DC, USA, 443--457.

Digital Library

[37]

C Kruegel. 2014. Full system emulation: Achieving successful automated dynamic analysis of evasive malware. Proc BlackHat USA Security Conference (2014).

[38]

Charles Lim and Kalamullah Ramli. 2014. Mal-ONE: A unified framework for fast and efficient malware detection. In 2014 IEEE 2nd International Conference on Technology, Informatics, Management, Engineering & Environment (TIME-E). IEEE, 1--6.

[39]

Martina Lindorfer, Clemens Kolbitsch, and Paolo Milani Comparetti. 2011. Detecting Environment-sensitive Malware. In Proceedings of the 14th International Conference on Recent Advances in Intrusion Detection (RAID'11). Springer-Verlag, Berlin, Heidelberg, 338--357.

[40]

mobilefish.coml. 2019. Simple online PHP obfuscator. https://www.mobilefish.com/services/phpobfuscator/phpobfuscator.php. (2019).

[41]

Andreas Moser, Christopher Kruegel, and Engin Kirda. 2007. Exploring Multiple Execution Paths for Malware Analysis. In 2007 IEEE Symposium on Security and Privacy (SP '07). IEEE, 231--245.

[42]

Naderi-Afooshteh, Abbas and Kwon, Yonghwi and Nguyen-Tuong, Anh and Bagheri-Marzijarani, Mandana and Davidson, Jack. 2019. CUBISMO Research Artifacts. https://cubismo.s3.amazonaws.com/cubismo.html. (2019).

[43]

NBS Systems. 2016. PHP Malware Finder. https://github.com/nbs-system/php-malware-finder. (2016).

[44]

Nikita Popov. 2019. PHP-Parser. https://github.com/nikic/PHP-Parser. (2019). Accessed: 2019-05-30.

[45]

Fei Peng, Zhui Deng, Xiangyu Zhang, Dongyan Xu, Zhiqiang Lin, and Zhendong Su. 2014. X-Force - Force-Executing Binary Programs for Security Applications. USENIX Security Symposium (2014).

[46]

Michalis Polychronakis and Niels Provos. 2008. Ghost Turns Zombie - Exploring the Life Cycle of Web-based Malware. LEET (2008).

[47]

R-fx Networks. 2016. Linux Malware Detect. https://www.rfxn.com/projects/linux-malware-detect/. (2016).

[48]

Max Schäfer, Manu Sridharan, Julian Dolby, and Frank Tip. 2013. Dynamic determinacy analysis. In ACM SIGPLAN Notices, Vol. 48. ACM, 165--174.

Digital Library

[49]

James Scott. 2017. Signature Based Malware Detection is Dead. (2017).

[50]

Kyle Soska and Nicolas Christin. 2014. Automatically Detecting Vulnerable Websites Before They Turn Malicious. USENIX Security Symposium (2014).

[51]

Cristian-Alexandru Staicu and Michael Pradel. 2018. Freezing the web: A study of redos vulnerabilities in javascript-based web servers. In 27th USENIX Security Symposium (USENIX Security 18). 361--376.

[52]

Sucuri. 2017. Hacked Website Report 2017. https://www.fortinet.com/content/dam/fortinet/assets/threat-reports/Fortinet-Threat-Report-Q2-2017.pdf. (2017).

[53]

Bo Sun, Akinori Fujino, and Tatsuya Mori. 2016. POSTER: Toward Automating the Generation of Malware Analysis Reports Using the Sandbox Logs. ACM, New York, New York, USA.

[54]

Symantec. 2019. 2019 Internet Security Threat Report. https://www.symantec.com/security-center/threat-report. (2019).

[55]

Vojtěch Sokol. 2019. srcProtector for PHP. http://phpobfuscator.net/. (2019).

[56]

Gérard Wagener, Radu State, and Alexandre Dulaunoy. 2008. Malware behaviour analysis. Journal in Computer Virology 4, 4 (2008), 279--287.

[57]

Weihang Wang, Yunhui Zheng, Xinyu Xing, Yonghwi Kwon, Xiangyu Zhang, and Patrick Eugster. 2016. WebRanz: Web Page Randomization for Better Advertisement Delivery and Web-bot Prevention. In Proceedings of the 2016 24th ACM SIGSOFT International Symposium on Foundations of Software Engineering (FSE 2016). ACM, New York, NY, USA, 205--216.

Digital Library

[58]

Michelle Y Wong and David Lie. 2018. Tackling runtime-based obfuscation in Android with TIRO. In 27th USENIX Security Symposium (USENIX Security 18). 1247--1262.

Digital Library

[59]

Peter M Wrench and Barry V W Irwin. 2014. Towards a sandbox for the deobfuscation and dissection of PHP malware. In 2014 Information Security for South Africa (ISSA). IEEE, 1--8.

[60]

Peter M Wrench and Barry V W Irwin. 2015. Towards a PHP webshell taxonomy using deobfuscation-assisted similarity analysis. ISSA (2015).

[61]

Zhaoyan Xu, Lingfeng Chen, Guofei Gu, and Christopher Kruegel. 2012. PeerPress: Utilizing Enemies' P2P Strength Against Them. In Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS '12). ACM, New York, NY, USA, 581--592.

Digital Library

[62]

Zend Technologies Ltd. 2015. Zend Guard. http://www.zend.com/en/products/zend-guard. (2015).

Cited By

Usui TOtsuki YKawakoya YIwamura MMatsuura K(2022)Script Tainting Was Doomed From The Start (By Type Conversion): Converting Script Engines into Dynamic Taint Analysis FrameworksProceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses10.1145/3545948.3545969(380-394)Online publication date: 26-Oct-2022
https://dl.acm.org/doi/10.1145/3545948.3545969
Hannousse ANait-Hamoud MYahiouche S(2022)A deep learner model for multi-language webshell detectionInternational Journal of Information Security10.1007/s10207-022-00615-522:1(47-61)Online publication date: 18-Oct-2022
https://doi.org/10.1007/s10207-022-00615-5
Hannousse AYahiouche S(2021) RF-DNN 2 : An ensemble learner for effective detection of PHP Webshells 2021 International Conference on Artificial Intelligence for Cyber Security Systems and Privacy (AI-CSP)10.1109/AI-CSP52968.2021.9671226(1-6)Online publication date: 20-Nov-2021
https://doi.org/10.1109/AI-CSP52968.2021.9671226
Show More Cited By

Index Terms

Cubismo: decloaking server-side malware via cubist program analysis
1. Security and privacy

Recommendations

Stealth attacks: An extended insight into the obfuscation effects on Android malware

In order to effectively evade anti-malware solutions, Android malware authors are progressively resorting to automatic obfuscation strategies. Recent works have shown, on small-scale experiments, the possibility of evading anti-malware engines by ...
Obfuscation: The Hidden Malware

A cyberwar exists between malware writers and antimalware researchers. At this war's heart rages a weapons race that originated in the 80s with the first computer virus. Obfuscation is one of the latest strategies to camouflage the telltale signs of ...
Testing malware detectors

In today's interconnected world, malware, such as worms and viruses, can cause havoc. A malware detector (commonly known as virus scanner) attempts to identify malware. In spite of the importance of malware detectors, there is a dearth of testing ...

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Other conferences

ACSAC '19: Proceedings of the 35th Annual Computer Security Applications Conference

December 2019

821 pages

ISBN:9781450376280

DOI:10.1145/3359789

Conference Chair:
David Balenson
SRI International

Copyright © 2019 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 09 December 2019

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Conference

ACSAC '19

ACSAC '19: 2019 Annual Computer Security Applications Conference

December 9 - 13, 2019

Puerto Rico, San Juan, USA

Acceptance Rates

ACSAC '19 Paper Acceptance Rate 60 of 266 submissions, 23%;

Overall Acceptance Rate 104 of 497 submissions, 21%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

4
Total Citations
View Citations
200
Total Downloads

Downloads (Last 12 months)11
Downloads (Last 6 weeks)0

Reflects downloads up to 14 Dec 2024

Other Metrics

View Author Metrics

Citations

Cited By

Usui TOtsuki YKawakoya YIwamura MMatsuura K(2022)Script Tainting Was Doomed From The Start (By Type Conversion): Converting Script Engines into Dynamic Taint Analysis FrameworksProceedings of the 25th International Symposium on Research in Attacks, Intrusions and Defenses10.1145/3545948.3545969(380-394)Online publication date: 26-Oct-2022
https://dl.acm.org/doi/10.1145/3545948.3545969
Hannousse ANait-Hamoud MYahiouche S(2022)A deep learner model for multi-language webshell detectionInternational Journal of Information Security10.1007/s10207-022-00615-522:1(47-61)Online publication date: 18-Oct-2022
https://doi.org/10.1007/s10207-022-00615-5
Hannousse AYahiouche S(2021) RF-DNN 2 : An ensemble learner for effective detection of PHP Webshells 2021 International Conference on Artificial Intelligence for Cyber Security Systems and Privacy (AI-CSP)10.1109/AI-CSP52968.2021.9671226(1-6)Online publication date: 20-Nov-2021
https://doi.org/10.1109/AI-CSP52968.2021.9671226
Hannousse AYahiouche S(2021)Handling webshell attacksComputers and Security10.1016/j.cose.2021.102366108:COnline publication date: 29-Dec-2021
https://dl.acm.org/doi/10.1016/j.cose.2021.102366

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents