Code obfuscation using pseudo-random number generators


John Aycock
Juan M. Gutiérrez
Daniel M. Nunes

A new method for obfuscating malicious code is described that uses code already present on the target systems: a pseudo-random number generator. Depending on how it is deployed, this can also be seen as an anti-disassembly and anti-debugging technique, because the real code does not exist until run time: it is generated dynamically by the pseudo-random number generator. A year's worth of experiments have been used to show that this obfuscation technique is viable for a malicious adversary with access to large computational power.




Author biographies

John Aycock, University of Calgary, Alberta, Canada

Department of Computer Science University of Calgary 2500 University Drive NW Calgary, Alberta, Canada T2N 1N4

Daniel M. Nunes, University of Calgary, Alberta, Canada

Department of Computer Science University of Calgary 2500 University Drive NW Calgary, Alberta, Canada T2N 1N4.
