In-Situ Malware Containment and Deception through Dynamic In-Process Virtualization

Sponsor: Department of Defense (DOD) Office of Naval Research (ONR)

Award Number: N00014-19-1-2364

PI: Manuel Egele

Abstract:

The malware landscape has evolved from the domain of attention-seeking miscreants into a diverse spectrum ranging from best-effort mass-market malware to highly sophisticated state-sponsored attacks using implants, remote access Trojans, and advanced evasion techniques. While existing research mainly focuses on detection, classification, and prevention of various malware threats, this project turns the tables on adversaries by using malware infections as a way to feed disinformation to miscreants. Specifically, information-stealing malware opens new deceptive strategies for defenders once an infection is detected. That is, if the defender can trick the malware into reporting incorrect information to its author, the defender can launch a disinformation campaign, potentially costing the attacker more resources than a simple removal of the detected malware would inflict.

To this end, this project proposes to achieve this disinformation capability through a technique we call dynamic in-process virtualization (DIPV). This novel foundational technique is capable of isolating, instrumenting, and deceiving sophisticated malware directly on compromised systems without modifying the execution environment. DIPV assumes that a malware infection has been detected via existing means. However, instead of removing the malware or re-installing the system, DIPV seamlessly creates a dynamic virtualization environment around the identified malware sample. This environment constitutes a reference monitor that enforces complete mediation on all memory accesses and API and system call invocations of the virtualized malware sample.

To achieve the above-stated goals, DIPV incorporates four distinct and synergistic capabilities: virtualizer injection, dynamic instrumentation, dynamic virtualization, and data semantics recovery. The virtualizer injection component transforms a malware sample such that it includes the additional code and data required to perform the in-situ dynamic virtualization. Importantly, DIPV can instrument a malware binary either statically before the binary is loaded, or instrument an already executing malware process dynamically at runtime.

The dynamic instrumentation is responsible for ensuring that all memory accesses, interactions with the process environment, and control flow decisions are mediated appropriately. This is essential to DIPV's capability to disguise its presence from malware. The dynamic virtualization component ensures that malware that verifies its integrity through, for example, cryptographic checksums will read the correct unmodified data. Furthermore, it will ensure that any dynamically generated (e.g., unpacked) code is instrumented to guarantee complete mediation.

The final component of DIPV is data semantics recovery. As DIPV aims at feeding disinformation to adversaries, the system has to be able to produce such deliberately wrong information at run time. To this end, DIPV will include human-guided as well as machine-learning powered mechanisms to provide disinformation that is semantically plausible when received by the adversary.
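To make the mediation idea in the three paragraphs above concrete, the following added example (my own model, not code from the DIPV project) simulates a reference monitor wrapped around a sample's memory and API surface. It keeps a shadow copy of the original code so that a self-integrity check through the monitor still sees pristine bytes despite inserted hooks, and it answers mediated information-gathering API calls with decoy data. The code bytes, hook offsets, API names used as keys, and decoy values are all constructed for the illustration.

```python
import hashlib

# Constructed sample data: 16 bytes standing in for the sample's code region.
ORIGINAL_CODE = bytes(range(16))
# Constructed marker standing in for an inserted instrumentation hook.
INSTR_TRAP = b"\xcc"


class Monitor:
    """Reference monitor around a simulated process region (illustrative only)."""

    def __init__(self, code, hook_offsets, decoys):
        self.shadow = bytes(code)          # pristine view the sample expects to read
        self.live = bytearray(code)        # instrumented bytes that would actually run
        for off in hook_offsets:
            self.live[off:off + 1] = INSTR_TRAP
        self.decoys = decoys               # mediated API name -> deceptive result
        self.log = []                      # complete-mediation audit trail

    def read(self, start, length):
        """Mediate a memory read: hide instrumentation by serving shadow bytes."""
        self.log.append(("read", start, length))
        return self.shadow[start:start + length]

    def call(self, api, *args):
        """Mediate an API call: answer with a decoy, or deny anything unlisted."""
        self.log.append(("call", api, args))
        if api in self.decoys:
            return self.decoys[api]
        raise PermissionError(f"{api} not permitted under monitor policy")


def build_monitor():
    # Hook offsets and decoy values are constructed for the example.
    return Monitor(ORIGINAL_CODE, hook_offsets=[3, 9],
                   decoys={"GetUserNameW": "decoy_user",
                           "GetComputerNameW": "WS-DECOY-01"})


def sample_integrity_check(mon):
    """Digest a self-checking sample would compute when reading through the monitor."""
    return hashlib.sha256(mon.read(0, len(ORIGINAL_CODE))).hexdigest()


def expected_digest():
    """Digest of the unmodified code, i.e. what the sample's author baked in."""
    return hashlib.sha256(ORIGINAL_CODE).hexdigest()


if __name__ == "__main__":
    m = build_monitor()
    assert sample_integrity_check(m) == expected_digest()   # hooks stay invisible
    print(m.call("GetUserNameW"), m.log)
```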
Finally, throughout the DIPV research effort, we will aggregate representative data sets comprising custom-built canonical benign examples and real-world malware samples that we will use to assess the functionality, performance, and accuracy of our DIPV prototype implementation. If successful, DIPV will be a novel design point in the fight against malware. The current practice of detecting and, specifically, removing malware infections immediately tips off the adversary that their implant has been detected. With DIPV, the defender has a tool at their disposal that allows them to feed targeted disinformation to the adversary. If DIPV achieves its design goals, this capability allows defenders to inflict significantly higher costs on adversaries than current anti-malware practices can.
