Code obfuscation using pseudo-random number generators


John Aycock
Juan M. Gutiérrez
Daniel M. Nunes
Abstract
We describe a novel method for malicious code obfuscation that uses code already present in systems: a pseudo-random number generator. This can also be seen as an anti-disassembly and anti-debugging technique, depending on deployment, because the actual code does not exist until run – it is generated dynamically by the pseudo-random number generator. A year’s worth of experiments is used to demonstrate that this technique is a viable code obfuscation option for a malicious adversary with access to large amounts of computing power.

Author Biographies

John Aycock, University of Calgary, Alberta, Canada

Department of Computer Science, University of Calgary, 2500 University Drive NW, Calgary, Alberta, Canada T2N 1N4.

Daniel M. Nunes, University of Calgary, Alberta, Canada

Department of Computer Science, University of Calgary, 2500 University Drive NW, Calgary, Alberta, Canada T2N 1N4.