- George D. Webster
- Bojan Kolosnjaji
- Christian von Pentz
- Julian Kirsch
- Zachary D. Hanif
- Apostolis Zarras
- Claudia Eckert
Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10327)
Abstract
Performing triage of malicious samples is a critical step in security analysis and mitigation development. Unfortunately, the obfuscation and outright removal of information contained in samples makes this a monumentally challenging task. However, the widely used Portable Executable file format (PE32), a data structure used by the Windows OS to handle executable code, contains hidden information that can provide a security analyst with an upper hand. In this paper, we perform the first accurate assessment of the hidden PE32 field known as the Rich Header and describe how to extract the data that it clandestinely contains. We study 964,816 malware samples and demonstrate how the information contained in the Rich Header can be leveraged to perform rapid triage across millions of samples, including packed and obfuscated binaries. We first show how to quickly identify post-modified and obfuscated binaries through anomalies in the header. Next, we exhibit the Rich Header’s utility in triage by presenting a proof-of-concept similarity matching algorithm which is based solely on the contents of the Rich Header. With our algorithm we demonstrate how the contents of the Rich Header can be used to identify similar malware, different versions of malware, and malware built under different build environments, revealing potentially distinct actors. Furthermore, we are able to perform these operations in near real-time, in less than 6.73 ms on commodity hardware across our studied samples. In conclusion, we establish that this little-studied header in the PE32 format is a valuable asset for security analysts and has a breadth of future potential.
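As an added example, not code from the paper or any project it describes, the following Python module shows the kind of extraction the abstract refers to: it locates the Rich Header between the DOS stub and the PE header, decodes the XOR-obscured (comp_id, count) entries, recomputes the checksum that doubles as the XOR key using the community-documented rule (the paper's own extraction method is not shown on this page), flags a key/checksum mismatch as a sign of post-build modification, and derives an MD5 over the decoded header plus a Jaccard score over tool identifiers as a similarity key. The sample inputs, product ids and counts are constructed, and the Jaccard measure is this example's own illustration, not the paper's similarity algorithm.

```python
"""Rich Header extraction, checksum check and a toy similarity key.

Added example; not the paper's code.  Format facts (DanS/Rich markers,
XOR key, checksum rule) are the community-documented layout of the
undocumented Microsoft linker header.  Sample data below is constructed.
"""
import hashlib
import struct

DANS = 0x536E6144        # little-endian DWORD of b"DanS"
DOS_HEADER_LEN = 0x40    # IMAGE_DOS_HEADER size; e_lfanew lives at 0x3C


def rol32(value, n):
    """Rotate a 32-bit value left by n bits (n taken modulo 32)."""
    n %= 32
    return ((value << n) | (value >> (32 - n))) & 0xFFFFFFFF


def rich_checksum(data, dans_off, entries):
    """Checksum the linker stores as the XOR key: the DanS offset, plus each
    DOS header/stub byte before DanS rotated by its offset (the e_lfanew
    field is treated as zero), plus each comp_id rotated by its use count."""
    cksum = dans_off
    for i in range(dans_off):
        if 0x3C <= i < 0x40:          # e_lfanew is patched after the header is built
            continue
        cksum = (cksum + rol32(data[i], i)) & 0xFFFFFFFF
    for comp_id, count in entries:
        cksum = (cksum + rol32(comp_id, count)) & 0xFFFFFFFF
    return cksum


def parse_rich_header(data):
    """Return None when no Rich header is found, else a dict with the key,
    decoded (comp_id, count) entries, whether the key matches the recomputed
    checksum, and an MD5 of the decoded header usable as a similarity key."""
    if len(data) < DOS_HEADER_LEN + 8 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # The header sits after the DOS stub and before the PE signature.
    rich_off = data.rfind(b"Rich", DOS_HEADER_LEN, min(e_lfanew, len(data)))
    if rich_off < 0 or rich_off + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, rich_off + 4)[0]
    # Walk back one DWORD at a time, decoding with the key, until "DanS".
    dans_off, pos = None, rich_off - 4
    while pos >= DOS_HEADER_LEN:
        if struct.unpack_from("<I", data, pos)[0] ^ key == DANS:
            dans_off = pos
            break
        pos -= 4
    # Layout: DanS, three zero padding DWORDs, then 8-byte entries.
    if dans_off is None or rich_off - dans_off < 16 or (rich_off - dans_off - 16) % 8:
        return None
    entries = []
    for off in range(dans_off + 16, rich_off, 8):
        comp_id, count = struct.unpack_from("<II", data, off)
        entries.append((comp_id ^ key, count ^ key))
    cleartext = struct.pack("<4I", DANS, 0, 0, 0) + b"".join(
        struct.pack("<II", c, n) for c, n in entries)
    return {
        "dans_offset": dans_off,
        "key": key,
        "entries": entries,
        "checksum_ok": rich_checksum(data, dans_off, entries) == key,
        "rich_hash": hashlib.md5(cleartext).hexdigest(),
    }


def rich_similarity(a, b):
    """Jaccard similarity over the comp_id sets of two parsed headers.
    Illustrative measure only; not the paper's matching algorithm."""
    sa = {c for c, _ in a["entries"]}
    sb = {c for c, _ in b["entries"]}
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)


def build_sample(entries):
    """Constructed input: DOS header + stub, a correctly keyed Rich header,
    then a bare PE signature.  Enough for the parser; not a loadable file."""
    stub = bytearray(b"MZ" + b"\x00" * (DOS_HEADER_LEN - 2))
    stub += b"This program cannot be run in DOS mode.\r\n$"
    stub += b"\x00" * (0x80 - len(stub))       # DanS conventionally starts at 0x80
    dans_off = len(stub)
    key = rich_checksum(stub, dans_off, entries)
    rich = struct.pack("<I", DANS ^ key) + struct.pack("<I", key) * 3
    rich += b"".join(struct.pack("<II", c ^ key, n ^ key) for c, n in entries)
    rich += b"Rich" + struct.pack("<I", key)
    image = stub + rich
    struct.pack_into("<I", image, 0x3C, len(image))   # e_lfanew -> PE signature
    return bytes(image + b"PE\0\0")


def flip_bit(data, offset, bit=0):
    """Simulate a post-build edit that leaves the header otherwise intact."""
    out = bytearray(data)
    out[offset] ^= 1 << bit
    return bytes(out)


# Constructed (prod_id << 16 | build) tool identifiers and use counts.
SAMPLE_A = build_sample([(0x00937809, 3), (0x00DE7809, 12), (0x00FF0001, 1)])
SAMPLE_B = build_sample([(0x00937809, 5), (0x00DE7809, 2), (0x00AB0002, 7)])

if __name__ == "__main__":
    ha, hb = parse_rich_header(SAMPLE_A), parse_rich_header(SAMPLE_B)
    print("A: key=%08x ok=%s hash=%s" % (ha["key"], ha["checksum_ok"], ha["rich_hash"]))
    print("B: key=%08x ok=%s hash=%s" % (hb["key"], hb["checksum_ok"], hb["rich_hash"]))
    print("similarity(A, B) =", rich_similarity(ha, hb))
    ht = parse_rich_header(flip_bit(SAMPLE_A, ha["dans_offset"] + 20))
    print("A with one flipped count bit: ok=%s" % ht["checksum_ok"])
```

A checksum mismatch is the cheap anomaly test the abstract alludes to: any edit to the DOS stub or to the entries after linking, or a hand-assembled header, leaves the stored key out of step with the recomputed value, while the hash and the Jaccard score give two different granularities for grouping samples that share a build environment.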
Acknowledgments
We thank our shepherd Pavel Laskov and the reviewers for their valuable feedback. We are thankful to the Technical University of Munich for providing ample infrastructure to support our development efforts. Additionally, we thank the German Federal Ministry of Education and Research under grant 16KIS0327 (IUNO) and the Bavarian State Ministry of Education, Science and the Arts as part of the FORSEC research association for providing funding for our infrastructure. We would also like to thank the United States Air Force for sponsoring George Webster in his academic pursuit. Lastly, we would like to thank Microsoft Digital Crimes Unit, VirusTotal, and Yara Exchange for their support and valuable discussions.
Author information
Authors and Affiliations
Technical University of Munich, Munich, Germany
George D. Webster, Bojan Kolosnjaji, Christian von Pentz, Julian Kirsch, Zachary D. Hanif, Apostolis Zarras & Claudia Eckert
Corresponding author
Correspondence to George D. Webster.
Editor information
Editors and Affiliations
Stony Brook University, Stony Brook, New York, USA
Michalis Polychronakis
University of Bonn and Fraunhofer FKIE, Bonn, Germany
Michael Meier
Copyright information
© 2017 Springer International Publishing AG
About this paper
Cite this paper
Webster, G.D. et al. (2017). Finding the Needle: A Study of the PE32 Rich Header and Respective Malware Triage. In: Polychronakis, M., Meier, M. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2017. Lecture Notes in Computer Science, vol 10327. Springer, Cham. https://doi.org/10.1007/978-3-319-60876-1_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-60875-4
Online ISBN: 978-3-319-60876-1
eBook Packages: Computer Science, Computer Science (R0)