StringSifter: Learning to Rank Strings Output for Speedier Malware Analysis

©2019 FireEye©2019 FireEye2
About Us
 Michael Sikorski
 Philip Tully
 Jay Gibble
 Matthew Haigh

©2019 FireEye
"HTTP 1.1 200 OK "

©2019 FireEye©2019 FireEye
One String can Make a Difference
4
NanoHTTPD webserver produces extra whitespace
Cobalt Strike Server Detection
Continued for 7 years
Detection signature
Track threat actors, identify C2 addresses
https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/

Running Strings on larger
binaries produces tens of
thousands of strings.
5

Strings produces a ton of noise
mixed in with important
information.
6

What is a String
7
 N characters + NULL
No file format, context
0x31 0x33 0x33 0x37 0x00
– ‘1337’, right?
Not necessarily:
– memory address
– CPU instructions
– data used by the program

Wide Strings
8
 Also be referred to as Wide strings
 The Windows OS uses Wide strings internally
– Microsoft’s encoding standard is UTF-16 LE
 Each wide character is two bytes
 C-style wide character strings terminated with double NULL (0x00, 0x00)

Compilation
9
SourceCode
int main() {
printf("Derby");
return 0;
}
ObjectFile
"Derby"
.EXEBinary
.data
0x56000:
"Derby"
Strings persist on disk throughout the compilation process.

The Strings Program
10
!This program cannot be run in DOS mode.
??3@YAXPAX@Z
??2@YAPAXI@Z
__CxxFrameHandler
_except_handler3
WSAStartup() error: %d
User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows
NT 5.1)
GetLastInputInfo
SeShutdownPrivilege
%sIEXPLORE.EXE
SOFTWAREMicrosoftWindowsCurrentVersionApp
PathsIEXPLORE.EXE
[Machine IdleTime:] %d days + %.2d:%.2d:%.2d
[Machine UpTime:] %-.2d Days %-.2d Hours %-.2d Minutes
%-.2d Seconds
ServiceDll
SYSTEMCurrentControlSetServices%sParameters
if exist "%s" goto selfkill
del "%s"
attrib -a -r -s -h "%s"
Inject '%s' to PID '%d' Successfully!
cmd.exe /c
Hi,Master [%d/%d/%d %d:%d:%d]

Malware Triage
11
Customer
Suspected
compromise
Incident Response
Forensic analysis
Identify malware
sample
Reverse Engineer
Binary triage
Malware analysis
reverse engineers, SOC analysts, red teamers, incident responders, malware researchers

Knowing which strings are
relevant often requires highly
experienced analysts.
12

Strings Tells a Story
13
Relevance
domain names
IP addresses
URLs
filenames
registry paths
registry keys
HTTP user-agent strings
service configuration info
keylogger indicators
(e.g. ”[DELETE]”, “[BS]”
third party libraries
PDB strings
function names
debugging messages
command line help/usage options
OSINT
runtime artifacts
compiler artifacts
Windows APIs
library code
localizations
locations
languages
error messages
random byte sequences
format specifiers

Relevance is subjective and its
definition can vary significantly
across analysts.
14

Hypothesis and Goals
15
 Develop a tool that can:
– efficiently identify and prioritize strings
– based on relevance for malware analysis
StringSifter should:
– be easy to use
– generalize across:
– personas, use cases, downstream apps
– save time and money
 How does it work?

Rankings are Everywhere
16

 Search engines
– web
– e-commerce
 News Feeds
– social networks
 Recommender systems
– ads
– movies
– music
Our Favorite Products Serve Up Rankings
17

( )
 Create optimal ordering of a list of items
 Precise individual item scores less important
than their relative ordering
 In classification, regression, clustering we
predict a class or single score
 LTR rarely applied in security applications
Learning to Rank
18
f

 Rank items within unseen lists in a similar way to rankings within training lists
 Each item associated with a set of features and an ordinal integer label
 Ordinal label is the teaching signal that encodes relevance level
LTR as Supervised Learning
19

 Decision Trees
– greedily choose splits by Gini impurity
 Gradient Boosted Decision Trees (GBDTs)
– combine outputs from multiple Decision Trees
– reduce loss using gradient descent
– weighted sum of trees’ predictions as ensemble
 LightGBM
– GBDTs with an LTR objective function
Gradient Boosted Decision Trees
20

EMBER Training Dataset
21
 Endgame Malware BEnchmark for Research
– v1 (1.1 million PE files scanned on or before 2017)
 https://arxiv.org/abs/1804.04637
 https://github.com/endgameinc/ember
– 400k train + test malware binaries from v1
 malware defined as > 40 VT vendors say malicious
 Ran Strings on 400k malware binaries
– produced 3+ billion individual strings (24 GB)
– performed sampling
– labeled according to heuristics and FLARE hand-labeling

 Natural Language Processing
– Markov model
– Entropy rate, english KL divergence
– Scrabble scores
 Host, Network IoCs
 Malware Regexes
– encodings (base64)
– format specifiers
– user agents
Representing Strings as Features
22
t
%
F
0.02
0.07
0.01
0.2
0.2
0.01
0.03
0.14
0.05
threshold = 0.01
http://evil.com
SOFTWAREincludeevil.pdb
t%Ft
Vr}Y
0.018
0.014
0.007
0.001

quixotry ˈkwik-sə-trē (n.)
behavior inspired by idealistic
beliefs without regard to reality.
23

Example
24

 Normalized Discounted Cumulative Gain
– Normalized: divide DCG by ideal DCG on a
ground truth holdout dataset
– Discounted: divides each string’s predicted
relevance by a monotonically increasing
function (log of its ranked position)
– Cumulative: the cumulative gain or summed
total of every string’s relevance
– Gain: the magnitude of each string’s relevance
Evaluation
25

Results
26
StringSifter performs well on a holdout set of 7+ years of FLARE malware reports.

Putting it All Together
27

Open Sourcing StringSifter
28
 The tool is now live:
– https://github.com/fireeye/stringsifter
– pip install stringsifter
– Command line and Docker tools
 flarestrings <my_sample> | rank_strings
 Versatility
– FLOSS outputs
– live memory dumps

 Git + local pip install
– Easy access to source code
 Pip install from PyPi
– If you just want to use the tool
 Docker container
– Minimum impact to host
Install and Use
30
git clone https://github.com/fireeye/stringsifter.git
cd stringsifter
pip install -e .
flarestrings <my_sample> | rank_strings
pip install stringsifter
flarestrings <my_sample> | rank_strings
git clone https://github.com/fireeye/stringsifter.git
cd stringsifter
docker build -t stringsifter -f docker/Dockerfile .
docker run -v <malware_dir>:/samples -it stringsifter
flarestrings /samples/<my_sample> | rank_strings

 There are many versions of "strings"
– Gnu binutils, BSD, various windows implementations
– Inconsistent features
 flarestrings
– Pure python implementation of "strings"
– Consistent across platforms
– Prints both ASCII and wide strings
flarestrings *
31
* FLARE => FireEye Labs Advanced Reverse Engineering

flarestrings Demo
32

StringSifter rank_strings Demo
33

rank_strings Options
34

rank_strings with --scores
35

rank_strings with --min-score
36

 Rapid screening for potential capabilities
 Detect and handle packed / obfuscated binaries
– Tipoff for automated unpacker tooling
 Leverage feature vectors to focus triage
 Improve NLP
 Improve ranking performance on mach-o, ELF
Other Use Cases and Future Work
37

 Plug into your malware analysis stack
 Seeking critical feedback
– improve accuracy and utility
– pertinent edge cases, non-PE files
– contribute via GitHub Issues
 Beginners and experts alike
 Thank you for your attention!
Community Support
38
https://github.com/fireeye/stringsifter
pip install stringsifter

StringSifter: Learning to Rank Strings Output for Speedier Malware Analysis

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to StringSifter: Learning to Rank Strings Output for Speedier Malware Analysis

Similar to StringSifter: Learning to Rank Strings Output for Speedier Malware Analysis (20)

Recently uploaded

Recently uploaded (20)

StringSifter: Learning to Rank Strings Output for Speedier Malware Analysis

Editor's Notes