Titolo:  PowerDrive: Accurate De-obfuscation and Analysis of PowerShell Malware
Data di pubblicazione:  2019
Autori:  Ugarte, Denis; Maiorca, Davide; Cara, Fabrizio; Giacinto, Giorgio
Presenza coautori internazionali:  no
Lingua:  Inglese
Titolo del libro:  Detection of Intrusions and Malware, and Vulnerability Assessment
ISBN:  978-3-030-22037-2
Editore:  Springer
Tutti i curatori:  Roberto Perdisci, Clémentine Maurice, Giorgio Giacinto, Magnus Almgren
Volume:  11543
Pagina iniziale:  1
Pagina finale:  21
Numero di pagine:  21
Digital Object Identifier (DOI):  http://dx.doi.org/10.1007/978-3-030-22038-9_12
Codice identificativo Scopus:  2-s2.0-85067790860
Codice identificativo ISI:  WOS:000502716000012
Revisione (peer review):  Comitato scientifico
Nome del convegno:  Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA)
Periodo del convegno:  19-20 Giugno 2019
Luogo del convegno:  Goteborg (Svezia)
Abstract:  PowerShell is nowadays a widely-used technology to administrate and manage Windows-based operating systems. However, it is also extensively used by malware vectors to execute payloads or drop additional malicious contents. Similarly to other scripting languages used by malware, PowerShell attacks are challenging to analyze due to the extensive use of multiple obfuscation layers, which make the real malicious code hard to be unveiled. To the best of our knowledge, a comprehensive solution for properly de-obfuscating such attacks is currently missing. In this paper, we present PowerDrive, an open-source, static and dynamic multi-stage de-obfuscator for PowerShell attacks. Power-Drive instruments the PowerShell code to progressively de-obfuscate it by showing the analyst the employed obfuscation steps. We used Power-Drive to successfully analyze thousands of PowerShell attacks extracted from various malware vectors and executables. The attained results show interesting patterns used by attackers to devise their malicious scripts. Moreover, we provide a taxonomy of behavioral models adopted by the analyzed codes and a comprehensive list of the malicious domains contacted during the analysis.
Tipologia: 4.1 Contributo in Atti di convegno

File in questo prodotto:
Non ci sono file associati a questo prodotto.

Questionario e social

Condividi su: