Finding the Needle: A Study of the PE32 Rich Header and Respective Malware Triage

  • George D. Webster
  • Bojan Kolosnjaji
  • Christian von Pentz
  • Julian Kirsch
  • Zachary D. Hanif
  • Apostolis Zarras
  • Claudia Eckert
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10327)

Abstract

Performing triage of malicious samples is a critical step in security analysis and mitigation development. Unfortunately, the obfuscation and outright removal of information contained in samples makes this a monumentally challenging task. However, the widely used Portable Executable file format (PE32), a data structure used by the Windows OS to handle executable code, contains hidden information that can provide a security analyst with an upper hand. In this paper, we perform the first accurate assessment of the hidden PE32 field known as the Rich Header and describe how to extract the data that it clandestinely contains. We study 964,816 malware samples and demonstrate how the information contained in the Rich Header can be leveraged to perform rapid triage across millions of samples, including packed and obfuscated binaries. We first show how to quickly identify post-modified and obfuscated binaries through anomalies in the header. Next, we exhibit the Rich Header’s utility in triage by presenting a proof-of-concept similarity matching algorithm that is based solely on the contents of the Rich Header. With our algorithm we demonstrate how the contents of the Rich Header can be used to identify similar malware, different versions of malware, and malware that has been built under different build environments, revealing potentially distinct actors. Furthermore, we are able to perform these operations in near real-time, in less than 6.73 ms on commodity hardware across our studied samples. In conclusion, we establish that this little-studied header in the PE32 format is a valuable asset for security analysts and has a breadth of future potential.
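As an added illustration of the extraction and anomaly check the abstract describes (example code written for this page, not the authors' tooling), the following Python parser locates the Rich Header between the DOS header and the PE header, decodes its XOR-masked tool entries, and recomputes the linker's key to flag binaries whose DOS stub was modified after linking. It assumes the undocumented layout as commonly described: a "DanS" marker, three zero dwords and (compid, count) pairs, all XORed with a key, followed by a plaintext "Rich" marker and the key; the key is the DOS-header length plus every DOS-header byte rotated left by its offset (skipping e_lfanew) plus every compid rotated by its count. The sample binary and its prodid values are constructed placeholders.

```python
import struct

MASK = 0xFFFFFFFF
DANS = struct.unpack("<I", b"DanS")[0]

def rol32(v, n):
    n %= 32
    return ((v << n) | (v >> (32 - n))) & MASK if n else v

def rich_checksum(dos_header, entries):
    # Linker key (assumed algorithm): DOS-header length, plus each DOS-header byte rotated
    # left by its offset (e_lfanew at 0x3C..0x3F excluded), plus each compid rotated by count.
    csum = len(dos_header)
    for i, b in enumerate(dos_header):
        if not 0x3C <= i < 0x40:
            csum = (csum + rol32(b, i)) & MASK
    for compid, count in entries:
        csum = (csum + rol32(compid, count)) & MASK
    return csum

def build_rich_header(dos_header, entries):
    key = rich_checksum(dos_header, entries)
    words = [DANS ^ key, key, key, key]  # "DanS" and three zero dwords, all XOR key
    for compid, count in entries:
        words += [compid ^ key, count ^ key]
    return struct.pack("<%dI" % len(words), *words) + b"Rich" + struct.pack("<I", key)

def parse_rich_header(data):
    """Return (entries, stored_key, recomputed_key) or None; entries are (prodid, build, count)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    end = data.find(b"Rich", 0x40, e_lfanew)  # only look between DOS stub and PE header
    if end < 0:
        return None
    key = struct.unpack_from("<I", data, end + 4)[0]
    start = end - 4
    while start >= 0x40 and struct.unpack_from("<I", data, start)[0] != DANS ^ key:
        start -= 4  # walk back to the masked "DanS" marker
    if start < 0x40:
        return None
    entries = []
    for off in range(start + 16, end, 8):
        compid, count = (w ^ key for w in struct.unpack_from("<II", data, off))
        entries.append((compid >> 16, compid & 0xFFFF, count))
    recomputed = rich_checksum(data[:start], [((p << 16) | b, c) for p, b, c in entries])
    return entries, key, recomputed

def triage(data):
    parsed = parse_rich_header(data)
    if parsed is None:
        return "no Rich Header"
    return "intact" if parsed[1] == parsed[2] else "modified after linking"

# Constructed sample, not a real binary: 0x80-byte DOS header (MZ, e_lfanew=0x100) plus three
# placeholder (prodid, build, count) tool entries; the ids are not from a real compiler table.
DOS_HEADER = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x100) + bytes(0x40)
TOOLS = [(0xDD, 24215, 12), (0xDF, 24215, 2), (0x101, 24215, 1)]
SAMPLE = (DOS_HEADER + build_rich_header(DOS_HEADER, [((p << 16) | b, c) for p, b, c in TOOLS])).ljust(0x100, b"\0") + b"PE\0\0"
TAMPERED = SAMPLE[:0x50] + b"\xff" + SAMPLE[0x51:]  # one DOS-stub byte patched post-link
```

A key mismatch on `TAMPERED` is the anomaly signal the abstract refers to: the stored key no longer matches the header that would have produced it, so the binary was altered after the linker wrote the Rich Header.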

Keywords

Object File, Visual Studio, Rapid Triage, Generate Source Code, Malicious Sample

Acknowledgments

We thank our shepherd Pavel Laskov and the reviewers for their valuable feedback. We are thankful to the Technical University of Munich for providing ample infrastructure to support our development efforts. Additionally, we thank the German Federal Ministry of Education and Research under grant 16KIS0327 (IUNO) and the Bavarian State Ministry of Education, Science and the Arts as part of the FORSEC research association for providing funding for our infrastructure. We would also like to thank the United States Air Force for sponsoring George Webster in his academic pursuit. Lastly, we would like to thank Microsoft Digital Crimes Unit, VirusTotal, and Yara Exchange for their support and valuable discussions.

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

George D. Webster, Bojan Kolosnjaji, Christian von Pentz, Julian Kirsch, Zachary D. Hanif, Apostolis Zarras, Claudia Eckert: Technical University of Munich, Munich, Germany