Obfuscation experiment for some cryptominers.
The cryptominer
We took the Wasm cryptominer from bitcoinpeople.online.wasm, we passed it to
wasm-mutate for 1 hour, and we generated 18877 variants from the original
program. The mutation process is completely random. Since each new generated
variant serves as the seed for the next one, wasm-mutate is mutating the
original cryptominer iteratively.
After each binary is generated, we create an square image
where each byte in the binary was translated to a grayscale value, i.e. 0 to
255. Take a look to the result.
Another target
We did the same for a Wasm binary that we knew was not a crypto miner. Check the results.
Some preliminary conclusions
Denoising
We followed the agorithm proposed in the MINOS work [?], all images are “reshaped” to be 100x100 square pictures. This process is the first approximation from Wasm binaries to images. We simplified the next steps of MINOS to have a preliminary and manual evaluation of our obfuscation method.
We have observed two phenomena. First, after several iterations, the images from
wasm-mutate variants starts to
converge the pixel values of the images, i.e., during the image conversion a group of pixels
are approximated to the one single color value. This means that two any Wasm,
either crypto or not, might be convoluted to the same image.
Second, we
generated two variants population for two different binaries, inside this
population we found some variant pairs (a pair is compound of one variant for
the cryptminer and one variant of the non crypto program) that are much closer
in terms of imaging.
This means that our method does the trick for the human eye. We are currently
reproducing the implementation of the classifier to check if in fact
wasm-mutate can create undetected malware by state-of-the-art defenses.
Our final intuition is that malware classifiers based on the “imaging” of the Wasm binaries can be bypassed with the right obfuscation process.