
D-TIME

D-TIME: Distributed Threadless Independent Malware Execution for Runtime Obfuscation

An important aspect of malware design is the ability to evade detection. This is increasingly difficult to achieve against powerful runtime detection techniques based on behavioural and heuristic analysis. In this paper, we propose D-TIME, a new distributed threadless independent malware execution framework to evade runtime detection.

D-TIME splits a malware executable into small chunks of instructions and executes one chunk at a time in the context of an infected thread. It uses a Microsoft Windows feature called Asynchronous Procedure Call (APC) to facilitate chunk invocation; shared memory to coordinate between chunk executions; and a novel Semaphore based Covert Broadcasting Channel (SCBC) for communication between the various chunk executions. The small size of the chunks, along with the asynchronous nature of the execution, makes runtime detection difficult, while the coordinated execution of the chunks leads to the intended malign action. D-TIME is designed to be self-regenerating, ensuring high resilience of the system.

We evaluate D-TIME on a Microsoft Windows system with six different malware samples and demonstrate its undetectability by 10 different anti-virus products. We also study the CPU usage and its influence on Performance Counters.

Directory and details

Directory   Content
---------   -------
PoCs        Independent PoCs for the major concepts used (SCBC and regenerating APC-based emulators)
emulator    Sample code for the emulator and an example injection technique
samples     Six malware samples to test D-TIME in your environment
splitter    The code for the IDA Pro plugin that splits the malware into chunks

A description of each module is given in the README of the respective directory.

How to use

DISCLAIMER: All the content provided on this site is for educational purposes only. The site is in no way responsible for any misuse of the information.

It is assumed that the reader has already gone through the research paper "D-TIME: Distributed Threadless Independent Malware Execution for Runtime Obfuscation", (to be) published in WOOT'19. Understanding this paper is crucial to understanding the following steps.

Detailed instructions for each of the following steps are given in the README of the relevant directory or in the respective files.

IMPORTANT: We have tested D-TIME on Windows 10 Pro (1803) using Visual Studio 2010. For the splitter, please use IDA Pro 6.5 (32-bit). You are recommended to use a similar setup for your first attempt to avoid confusion. (You can safely use the latest version of Windows 10.)

Note 1: We recommend building the system in debug mode for the first time. Once you have understood the framework you can build the same in release mode.

Note 2: We recommend attempting the Offline Keylogger sample for the first time. It is the simplest sample that we have provided.

Step 1: Offline Phase

In the Offline Phase, we create the chunks that will be distributed across threads in the Online Phase. For this:

  1. Build one of the sample malware programs.
  2. Use the malware binary (the output of the build above) to create malware chunks with the splitter. The splitter creates the chunks and writes them to separate files.
  3. Follow the instructions provided under splitter to generate these files.

Step 2: Online Phase

In the Online Phase, we inject the emulator into threads and execute the malware chunks in a distributed fashion. The emulator directory contains instructions for building the emulator, along with a sample injector that will inject the emulators for you.

  1. Go to d_time.h and set the following variables:
    1. Uncomment #define __LOG__. This preprocessor variable logs progress to blkLog.txt in the temporary folder. Note that logging drastically slows down D-TIME. For example, the keylogger may not be able to capture all keystrokes when logging is ON.
    2. Under the #ifndef __SELF_INJECTION__ section, uncomment the applications you would like to inject D-TIME into. Instructions regarding victim applications are given in the next section.
  2. Go to main.cpp and make the following changes:
    1. #define _NBLOCKS and #define _NSEGMS should be set to the number of chunks and segments generated by the IDA Pro plugin. The plugin logs these numbers to the IDA Pro console at the end of its execution.
    2. #define _NPROC is the number of victims. This should match the number of applications uncommented under #ifndef __SELF_INJECTION__.
  3. Build the emulator.
  4. Copy the chunk files generated in Step 1 to the working directory of the emulator.
  5. Make sure that your victim processes are running.
  6. Run emulator.exe.
    The emulator build contains the actual emulator code and a sample injector. It will:
    1. Read your chunks from the working directory and store them in shared memory.
    2. Inject the emulator into the victim processes.
    3. Exit.
      The injected emulator will now execute the chunks and regenerate itself to execute further chunks.
  7. Tip: Adjust the skip_count and whitelist_count arrays in main.cpp to control which threads are targeted. Avoid targeting the main/most important threads: if these threads get busy with APC executions, they can easily hang the process.

Victim Processes

IMPORTANT: D-TIME is a 32-bit application and requires 32-bit victim processes.

We have tested the following applications as victims:

  1. Chrome (version 74.0.3729.131)
  2. Skype (version 8.45.0.41)
  3. Opera (version 58.0.3135.132)
  4. Acrobat Reader (version 19.10.20099.322322)
  5. VLC (version 3.0.6)
  6. Calculator (version 1803) (The Calculator that comes with Windows 10 is 64-bit. Please use the Calculator that comes with 32-bit Windows 7.)

Though we have listed the versions we tested on, you can safely use the latest versions of these applications.

Contributors

jithinpavithran
