StringSifter: Learning to Rank Strings Output for Speedier Malware Analysis


FireEye's 2019 DerbyCon presentation by Philip Tully, Matthew Haigh, Jay Gibble, and Michael Sikorski

  • Note: due to the animations and videos present in the slides, we recommend downloading them and viewing the PowerPoint slideshow, rather than previewing them above or converting the file to a PDF.

  1. ©2019 FireEye
  2. About Us: Michael Sikorski, Philip Tully, Jay Gibble, Matthew Haigh
  3. "HTTP/1.1 200 OK " (note the trailing space)
  4. One String can Make a Difference
     • The NanoHTTPD web server embedded in Cobalt Strike emits extra whitespace: a trailing space after the "200 OK" status line shown on the previous slide
     • Cobalt Strike team server detection based on that one string continued to work for 7 years
     • A detection signature on it lets defenders track threat actors and identify C2 addresses
     • https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/
  5. Running strings on larger binaries produces tens of thousands of strings.
  6. Strings produces a ton of noise mixed in with important information.
  7. What is a String?
     • N characters + a NULL terminator
     • No file format, no context
     • 0x31 0x33 0x33 0x37 0x00: '1337', right? Not necessarily. The same bytes could be a memory address, CPU instructions, or data used by the program.
  8. Wide Strings
     • Also referred to as Unicode strings
     • The Windows OS uses wide strings internally; Microsoft's encoding standard is UTF-16 LE
     • Each wide character is two bytes
     • C-style wide character strings are terminated with a double NULL (0x00, 0x00)
  9. Compilation
     • Source code: int main() { printf("Derby"); return 0; }
     • Object file: "Derby"
     • .EXE binary: .data 0x56000: "Derby"
     • Strings persist on disk throughout the compilation process.
  10. The Strings Program (sample output)
     !This program cannot be run in DOS mode.
     ??3@YAXPAX@Z
     ??2@YAPAXI@Z
     __CxxFrameHandler
     _except_handler3
     WSAStartup() error: %d
     User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1)
     GetLastInputInfo
     SeShutdownPrivilege
     %sIEXPLORE.EXE
     SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\IEXPLORE.EXE
     [Machine IdleTime:] %d days + %.2d:%.2d:%.2d
     [Machine UpTime:] %-.2d Days %-.2d Hours %-.2d Minutes %-.2d Seconds
     ServiceDll
     SYSTEM\CurrentControlSet\Services\%s\Parameters
     if exist "%s" goto selfkill
     del "%s"
     attrib -a -r -s -h "%s"
     Inject '%s' to PID '%d' Successfully!
     cmd.exe /c
     Hi,Master
     [%d/%d/%d %d:%d:%d]
  11. Malware Triage
     • Customer -> suspected compromise -> Incident Response -> forensic analysis -> identify malware sample -> Reverse Engineer -> binary triage -> malware analysis
     • Who does it: reverse engineers, SOC analysts, red teamers, incident responders, malware researchers
  12. Knowing which strings are relevant often requires highly experienced analysts.
  13. Strings Tell a Story
     • Relevance, roughly from high to low: domain names, IP addresses, URLs, filenames, registry paths, registry keys, HTTP user-agent strings, service configuration info, keylogger indicators (e.g. "[DELETE]", "[BS]"), third party libraries, PDB strings, function names, debugging messages, command line help/usage options, OSINT, runtime artifacts, compiler artifacts, Windows APIs, library code, localizations, locations, languages, error messages, random byte sequences, format specifiers
  14. Relevance is subjective and its definition can vary significantly across analysts.
  15. Hypothesis and Goals
     • Develop a tool that can efficiently identify and prioritize strings based on their relevance for malware analysis
     • StringSifter should be easy to use, generalize across personas, use cases and downstream apps, and save time and money
     • How does it work?
  16. Rankings are Everywhere
  17. Our Favorite Products Serve Up Rankings
     • Search engines: web, e-commerce
     • News feeds: social networks
     • Recommender systems: ads, movies, music
  18. Learning to Rank
     • Create an optimal ordering of a list of items
     • Precise individual item scores are less important than their relative ordering
     • In classification, regression and clustering we predict a class or a single score
     • LTR is rarely applied in security applications
  19. LTR as Supervised Learning
     • Rank items within unseen lists in a similar way to the rankings within the training lists
     • Each item is associated with a set of features and an ordinal integer label
     • The ordinal label is the teaching signal that encodes the relevance level
  20. Gradient Boosted Decision Trees
     • Decision trees: greedily choose splits by Gini impurity
     • Gradient Boosted Decision Trees (GBDTs): combine the outputs of multiple decision trees, each new tree fit to reduce the loss by gradient descent, with the ensemble prediction a weighted sum of the trees' predictions
     • LightGBM: GBDTs with an LTR objective function
  21. EMBER Training Dataset
     • Endgame Malware BEnchmark for Research, v1 (1.1 million PE files scanned on or before 2017)
     • https://arxiv.org/abs/1804.04637
     • https://github.com/endgameinc/ember
     • 400k train + test malware binaries from v1; malware is defined as a file that more than 40 VT vendors flag as malicious
     • Ran strings on the 400k malware binaries: 3+ billion individual strings (24 GB), then sampled; labeled according to heuristics and FLARE hand-labeling
  22. Representing Strings as Features
     • Natural Language Processing: Markov model; entropy rate, English KL divergence; Scrabble scores
     • Host and network IoCs
     • Malware regexes: encodings (base64), format specifiers, user agents
     • [Figure: character transition probabilities under the Markov model for the sample strings http://evil.com, SOFTWAREincludeevil.pdb and t%Ft Vr}Y, with a threshold of 0.01 separating likely from unlikely transitions]
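As an added illustration of the feature families on this slide (not code from the StringSifter project, whose real featurizer lives in its repository), the following Python sketches three of them on constructed strings: a character-bigram Markov model trained on a small hand-built corpus of English words and Windows API fragments, character entropy and Scrabble score, and a handful of IoC and malware regexes. The corpus, the smoothing constant and the 0.02 "unlikely transition" threshold are my choices for this toy model; the slide's figure uses 0.01 with a model trained on far more text.

```python
import math
import re
from collections import Counter, defaultdict
from string import printable
from typing import Dict, List, Set

# Constructed reference corpus: common English words plus fragments of Windows
# API and registry vocabulary. A real model would be trained on much more text.
CORPUS = """the of and to in is that for it with as was on are this from by have not at
an be or which one had all their there what when can said each she do how will up
other about out many then them these would write like so some her him time into has
look two more go see number no way could people my than first water been called who
am its now find long down day did get come made may part windows software microsoft
current version service parameters program error file user agent system process thread
module library handle create open read close load address message input output info
last value key registry string buffer memory network socket connect send receive start
stop exit""".split()

ALPHABET = set(printable) - set("\x0b\x0c")  # printable ASCII plus \t \n \r and space


class CharBigramModel:
    """Additively smoothed P(next char | current char), case-folded."""

    def __init__(self, corpus: List[str], alpha: float = 0.1):
        self.alpha = alpha
        self.counts: Dict[str, Counter] = defaultdict(Counter)
        for word in corpus:
            w = word.lower()
            for a, b in zip(w, w[1:]):
                self.counts[a][b] += 1
        self.v = len(ALPHABET) + 1  # one extra bucket for characters outside the alphabet

    def prob(self, a: str, b: str) -> float:
        row = self.counts.get(a.lower(), Counter())
        total = sum(row.values())
        return (row[b.lower()] + self.alpha) / (total + self.alpha * self.v)

    def mean_log_prob(self, s: str) -> float:
        """Average log2 probability per transition; higher means more English-like."""
        pairs = list(zip(s, s[1:]))
        if not pairs:
            return 0.0
        return sum(math.log2(self.prob(a, b)) for a, b in pairs) / len(pairs)

    def fraction_unlikely(self, s: str, threshold: float = 0.02) -> float:
        """Share of character transitions whose probability is below threshold."""
        pairs = list(zip(s, s[1:]))
        if not pairs:
            return 0.0
        return sum(1 for a, b in pairs if self.prob(a, b) < threshold) / len(pairs)


def entropy_bits(s: str) -> float:
    """Shannon entropy of the character distribution, in bits per character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


# Standard Scrabble tile values; non-letters score 0.
SCRABBLE = {**dict.fromkeys("aeilnorstu", 1), **dict.fromkeys("dg", 2), **dict.fromkeys("bcmp", 3),
            **dict.fromkeys("fhvwy", 4), "k": 5, **dict.fromkeys("jx", 8), **dict.fromkeys("qz", 10)}


def scrabble_score(s: str) -> int:
    return sum(SCRABBLE.get(c, 0) for c in s.lower())


# Toy versions of the IoC / malware regexes; hypothetical names, not StringSifter's.
IOC_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://", re.I),
    "registry_path": re.compile(r"^(?:HK(?:LM|CU|CR|U|CC)|SOFTWARE|SYSTEM)\\", re.I),
    "format_specifier": re.compile(r"%[-+ #0]*\d*(?:\.\d+)?[diouxXeEfgGcsp]"),
    "user_agent": re.compile(r"^Mozilla/\d", re.I),
    "base64_like": re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$"),
}


def ioc_flags(s: str) -> Set[str]:
    return {name for name, pat in IOC_PATTERNS.items() if pat.search(s)}


MODEL = CharBigramModel(CORPUS)


def featurize(s: str) -> Dict[str, float]:
    """One numeric feature vector per string, the input a learning-to-rank model consumes."""
    feats = {
        "length": float(len(s)),
        "entropy_bits": entropy_bits(s),
        "scrabble_mean": scrabble_score(s) / max(len(s), 1),
        "bigram_mean_log_prob": MODEL.mean_log_prob(s),
        "bigram_fraction_unlikely": MODEL.fraction_unlikely(s),
    }
    for name in IOC_PATTERNS:
        feats["ioc_" + name] = 1.0 if name in ioc_flags(s) else 0.0
    return feats


if __name__ == "__main__":
    for s in ("http://evil.com", "GetLastInputInfo", "t%Ft Vr}Y", "WSAStartup() error: %d"):
        print(s, featurize(s))
```

Run stand-alone it prints a feature dictionary per string; the Markov features separate `GetLastInputInfo` (mostly common transitions) from `t%Ft Vr}Y` (almost every transition unlikely), which is the signal the figure on this slide illustrates.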
  23. quixotry ˈkwik-sə-trē (n.): behavior inspired by idealistic beliefs without regard to reality.
  24. Example
  25. Evaluation: Normalized Discounted Cumulative Gain (NDCG)
     • Gain: the magnitude of each string's relevance, i.e. its ground-truth label
     • Cumulative: the summed total of every string's gain
     • Discounted: each string's gain is divided by a monotonically increasing function of its ranked position (the log of the position), so relevant strings that the model puts near the top count for more than the same strings buried further down
     • Normalized: divide the DCG by the ideal DCG, the DCG of the perfect ordering, on a ground-truth holdout dataset; the result lies between 0 and 1, with 1 meaning the predicted order matches the analysts' labels exactly
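The metric on this slide, worked through in Python as an added example (not the project's evaluation code): one ranked list is the set of strings from one binary, each with an ordinal relevance label, and the model only supplies an ordering. The strings, labels and the two hypothetical models' scores below are constructed for illustration.

```python
import math
from typing import Dict, Iterable, List, Optional, Tuple


def dcg(gains: List[float], k: Optional[int] = None) -> float:
    """Discounted cumulative gain. gains[i] is the ground-truth relevance of
    the item the model placed at rank i+1; rank i+1 is discounted by log2(i+2)
    so that rank 1 is undiscounted and later ranks count progressively less."""
    top = gains if k is None else gains[:k]
    return sum(g / math.log2(i + 2) for i, g in enumerate(top))


def ndcg(scores: Dict[str, float], labels: Dict[str, int], k: Optional[int] = None) -> float:
    """NDCG of one list: DCG of the model's ordering divided by the DCG of the
    ideal ordering (labels sorted descending). Returns 0.0 when no item in the
    list is relevant, since the ideal DCG is then 0 and the ratio is undefined."""
    predicted = sorted(scores, key=lambda s: scores[s], reverse=True)  # stable on ties
    gains = [float(labels[s]) for s in predicted]
    ideal_dcg = dcg(sorted(gains, reverse=True), k)
    return dcg(gains, k) / ideal_dcg if ideal_dcg > 0 else 0.0


def mean_ndcg(lists: Iterable[Tuple[Dict[str, float], Dict[str, int]]], k: Optional[int] = None) -> float:
    """Average NDCG over many lists (one per binary in a holdout set)."""
    values = [ndcg(scores, labels, k) for scores, labels in lists]
    return sum(values) / len(values) if values else 0.0


# Constructed: four strings from one imaginary sample with hand-assigned labels
# (3 = most relevant ... 0 = noise), in the spirit of slide 13.
LABELS = {
    "http://evil.com/gate.php": 3,
    "SeShutdownPrivilege": 2,
    "WSAStartup() error: %d": 1,
    "!This program cannot be run in DOS mode.": 0,
}
# Hypothetical model outputs: one that gets the order right, one that inverts it,
# and one that swaps the top two strings.
GOOD_MODEL = {"http://evil.com/gate.php": 0.9, "SeShutdownPrivilege": 0.7,
              "WSAStartup() error: %d": 0.4, "!This program cannot be run in DOS mode.": 0.1}
NAIVE_MODEL = {s: 1.0 - v for s, v in GOOD_MODEL.items()}
SWAPPED_MODEL = dict(GOOD_MODEL, **{"http://evil.com/gate.php": 0.7, "SeShutdownPrivilege": 0.9})

if __name__ == "__main__":
    for name, model in (("good", GOOD_MODEL), ("naive", NAIVE_MODEL), ("swapped", SWAPPED_MODEL)):
        print(f"{name:8} NDCG={ndcg(model, LABELS):.4f}  NDCG@2={ndcg(model, LABELS, k=2):.4f}")
```

The swapped model shows why the metric suits triage: confusing the two most relevant strings costs little overall but is penalized more heavily at NDCG@2, which is the view an analyst who only reads the top of the list actually experiences.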
  26. Results: StringSifter performs well on a holdout set of 7+ years of FLARE malware reports.
  27. Putting it All Together
  28. Open Sourcing StringSifter
     • The tool is now live: https://github.com/fireeye/stringsifter
     • pip install stringsifter
     • Command line and Docker tools
     • flarestrings <my_sample> | rank_strings
     • Versatility: also works on FLOSS outputs and live memory dumps
  29. Tools demo
  30. Install and Use
     • Git + local pip install (easy access to the source code):
       git clone https://github.com/fireeye/stringsifter.git
       cd stringsifter
       pip install -e .
       flarestrings <my_sample> | rank_strings
     • Pip install from PyPI (if you just want to use the tool):
       pip install stringsifter
       flarestrings <my_sample> | rank_strings
     • Docker container (minimum impact to the host):
       git clone https://github.com/fireeye/stringsifter.git
       cd stringsifter
       docker build -t stringsifter -f docker/Dockerfile .
       docker run -v <malware_dir>:/samples -it stringsifter flarestrings /samples/<my_sample> | rank_strings
       Note that the shell splits this last command at the pipe before docker runs, so rank_strings executes on the host (where it must then also be installed); to keep the whole pipeline inside the container, hand the entire pipeline to a shell running in the container.
  31. flarestrings
     • There are many versions of "strings": GNU binutils, BSD, various Windows implementations, with inconsistent features
     • flarestrings is a pure Python implementation of "strings" that is consistent across platforms and prints both ASCII and wide strings
     • FLARE = FireEye Labs Advanced Reverse Engineering
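An added, minimal Python re-implementation of what slides 7, 8 and 31 describe: scan a byte buffer for runs of printable ASCII and for UTF-16LE ("wide") runs and report both in file order. This is not flarestrings itself (its source is in the StringSifter repository); the sample buffer is constructed here, and the 4-character minimum mirrors the usual default of the strings programs.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class FoundString:
    offset: int   # byte offset of the first character in the buffer
    kind: str     # "ascii" or "wide"
    text: str


def ascii_strings(data: bytes, min_len: int = 4) -> List[FoundString]:
    """Runs of at least min_len printable ASCII bytes (0x20..0x7e).
    Like every strings program this cannot tell text from code or data: the
    bytes 31 33 33 37 read as '1337' but also decode as two valid x86
    instructions, 'xor [ebx], esi' followed by 'xor esi, [edi]'."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [FoundString(m.start(), "ascii", m.group().decode("ascii")) for m in pat.finditer(data)]


def wide_strings(data: bytes, min_len: int = 4) -> List[FoundString]:
    """Runs of at least min_len UTF-16LE code units whose value is printable
    ASCII, i.e. a printable byte followed by 0x00 (how Windows stores most of
    its internal strings). A run ends at the first byte pair that does not fit,
    which is also where the double-NULL terminator of a C wide string falls."""
    pat = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [FoundString(m.start(), "wide", m.group().decode("utf-16-le")) for m in pat.finditer(data)]


def all_strings(data: bytes, min_len: int = 4) -> List[FoundString]:
    """ASCII and wide hits merged by offset, the way flarestrings prints both kinds."""
    return sorted(ascii_strings(data, min_len) + wide_strings(data, min_len), key=lambda s: s.offset)


# Constructed sample buffer standing in for a slice of a PE file.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"                                          # DOS header bytes, no run of 4
    + b"http://evil.com/gate.php\x00"                                    # NULL-terminated ASCII C string
    + b"\x31\x33\x33\x37\x00\x00"                                        # '1337', or two xor instructions?
    + "SOFTWARE\\Microsoft\\Windows".encode("utf-16-le") + b"\x00\x00"  # wide string, double-NULL terminated
    + b"\xde\xad\xbe\xef"                                                # non-printable tail
)

if __name__ == "__main__":
    for s in all_strings(SAMPLE):
        print(f"0x{s.offset:04x} {s.kind:5} {s.text}")
```

Feed the output of `all_strings` to a ranker and the '1337' hit is exactly the kind of string that needs a relevance score rather than an analyst's eyeballs: the extractor has no way of knowing whether it was ever text.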
  32. flarestrings Demo
  33. StringSifter rank_strings Demo
  34. rank_strings Options
  35. rank_strings with --scores
  36. rank_strings with --min-score
  37. Other Use Cases and Future Work
     • Rapid screening for potential capabilities
     • Detect and handle packed / obfuscated binaries: a tip-off for automated unpacker tooling
     • Leverage the feature vectors to focus triage
     • Improve NLP
     • Improve ranking performance on Mach-O and ELF
  38. Community Support
     • Plug it into your malware analysis stack
     • Seeking critical feedback: improve accuracy and utility; pertinent edge cases, non-PE files; contribute via GitHub Issues
     • Beginners and experts alike
     • Thank you for your attention!
     • https://github.com/fireeye/stringsifter
     • pip install stringsifter
