Keynote SSTIC 2009 – Use of Data Tainting for malware analysis.

Presentation : Florent Marceau

Regardless of the attack vector (whether it's a classic attack, a browser attack, a frame injection attack, etc.), malware installs itself on the target machine and causes unusual (often stealthy) behavior.

The problem is as follows: how to detect these behaviors, without needing to do too much reverse engineering.
This is all the more difficult as there are more and more of them, which are hiding themselves better and better, with obfuscated code and stream encryption.

The goal of the project is to propose a solution generic, automated, non-intrusive, and which operates in a viable execution time.

The solution adopted was a total virtualization, combined with data conditioning (track tagged data, regardless of type: CPU, RAM, disk, network)
By positioning itself between the CPU and RAM, marked movements can be more easily monitored, and since it is not about monitoring all the data, the execution time is not impacted in a major way (but still impacted).

The demonstration is performed with Brazilian banking malware, which contains its own virtual machine to hide its illicit behavior.

The solution was correct., and in an acceptable time, detected the changes, and recorded all the data, which can be viewed (network data, disk data).

While still quite theoretical, this method has some drawbacks. Indeed, the vComplete system automation is easily detectable, but unfortunately indispensable to ensure that no malicious interaction is made on the malicious tool detection process.

This remains a very good approach for analyzing the behavior of dubious software, or analyzing the effects of known malware, in order to implement detection or disinfection solutions.