Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS)

The Application of Compiler-based Obfuscation and Diversification for Program Signature Modification

https://doi.org/10.15514/ISPRAS-2016-28(5)-5

Abstract

The development of malware detection techniques drives the evolution of anti-detection techniques. In this paper we discuss the possibility of creating an automatic tool for signature modification and describe our experience in designing and developing such a tool. For signature modification of Linux programs we implemented a tool based on the LLVM compiler infrastructure; for Windows programs we used the post-link instrumentation and optimization tool Syzygy. The former approach requires the program's source code, while the latter assumes only the presence of debug information. Diversifying and obfuscating transformations were implemented in both cases with the aim of changing the program's signature so that it no longer matches known patterns. The implemented transformations are bogus code insertion, function permutation, instruction substitution, and ciphering of constant buffers. As a result we present proof-of-concept examples which confirm that it is possible to automatically change a program's signature to avoid detection by signature-based analysis. Furthermore, we explain the drawbacks of this technique and discuss further directions of development.
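The abstract names function permutation and instruction substitution as transformations that change a program's signature. The following toy model, added here and not code from the paper, shows from the detection side why a contiguous byte signature is brittle under function permutation, why a layout-independent signature (sorted per-function hashes) survives permutation, and why even that breaks under instruction substitution. The function bodies, the pattern and the layout orders are constructed placeholders.

```python
import hashlib
from typing import Dict, List

# Constructed function bodies (x86-64 style prologue/epilogue); placeholders, not from the paper.
FUNCS_ORIGINAL: List[bytes] = [
    b"\x55\x48\x89\xe5\xb8\x01\x00\x00\x00\x5d\xc3",  # hypothetical f0: returns 1
    b"\x55\x48\x89\xe5\x31\xc0\x5d\xc3",              # hypothetical f1: xor eax,eax; returns 0
    b"\x55\x48\x89\xe5\xb8\x2a\x00\x00\x00\x5d\xc3",  # hypothetical f2: returns 42
]
# A contiguous byte signature spanning the f0/f1 boundary in the original layout.
PATTERN = FUNCS_ORIGINAL[0][-3:] + FUNCS_ORIGINAL[1][:6]

def link(funcs: List[bytes]) -> bytes:
    """Concatenate function bodies in the given order (stand-in for the linker's layout)."""
    return b"".join(funcs)

def permute(funcs: List[bytes], order: List[int]) -> List[bytes]:
    """Function permutation: same bodies, different layout order."""
    return [funcs[i] for i in order]

def substitute(funcs: List[bytes], idx: int, old: bytes, new: bytes) -> List[bytes]:
    """Instruction substitution: swap one encoding for a semantically equivalent one."""
    out = list(funcs)
    out[idx] = out[idx].replace(old, new, 1)
    return out

def byte_signature_matches(image: bytes, pattern: bytes) -> bool:
    """Classic contiguous byte-pattern match."""
    return pattern in image

def structural_signature(funcs: List[bytes]) -> tuple:
    """Layout-independent signature: sorted SHA-256 digests of the function bodies."""
    return tuple(sorted(hashlib.sha256(f).hexdigest() for f in funcs))

def demo() -> Dict[str, bool]:
    """Run both signature kinds against each transformed layout."""
    permuted = permute(FUNCS_ORIGINAL, [1, 0, 2])
    # xor eax,eax (31 c0) -> mov eax,0 (b8 00 00 00 00): same effect, different bytes
    substituted = substitute(FUNCS_ORIGINAL, 1, b"\x31\xc0", b"\xb8\x00\x00\x00\x00")
    base = structural_signature(FUNCS_ORIGINAL)
    return {
        "byte_sig_original": byte_signature_matches(link(FUNCS_ORIGINAL), PATTERN),
        "byte_sig_permuted": byte_signature_matches(link(permuted), PATTERN),
        "struct_sig_after_permutation": structural_signature(permuted) == base,
        "struct_sig_after_substitution": structural_signature(substituted) == base,
    }

if __name__ == "__main__":
    print(demo())
```

The last result is the drawback from the detection side: a per-function hash survives reordering but not instruction-level rewriting, which is why robust detection needs normalization of instruction semantics rather than raw bytes.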

About the Author

A. R. Nurmukhametov
Institute for System Programming of the Russian Academy of Sciences
Russian Federation



For citations:

Nurmukhametov A.R. The Application of Compiler-based Obfuscation and Diversification for Program Signature Modification. Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2016;28(5):93-104. (In Russ.) https://doi.org/10.15514/ISPRAS-2016-28(5)-5



This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2079-8156 (Print)
ISSN 2220-6426 (Online)