automatic discovery of parasitic malware
DESCRIPTION
Automatic Discovery of Parasitic Malware. Abhinav Srivastava and Jonathon Giffin (RAID,2010) School of Computer Science, Georgia Institute of Technology, USA. Outline. Introduction Parasitic Malware Architecture Implementation Details Evaluation Conclusions. Introduction. - PowerPoint PPT PresentationTRANSCRIPT
1
Abhinav Srivastava and Jonathon Giffin (RAID,2010)School of Computer Science, Georgia Institute of Technology, USA
AUTOMATIC DISCOVERY OF PARASITIC MALWARE
2 OUTLINE
Introduction
Parasitic Malware
Architecture
Implementation Details
Evaluation
Conclusions
3
Parasitic behaviors help malware execute behaviors—such as spam generation, denial-of-service attacks, and propagation—without themselves raising suspicion
INTRODUCTION
App Malware
DLL
4
Network can pinpoint infected machines but not processes
Host can observe parasitic behaviors but cannot distinguish between benign and malicious behaviors–For example: Debugger, Google toolbar
Neither approach is perfectCombine network and host information
INTRODUCTION
5
Attackers are able to install malicious software on a victim computer system at both the user and kernel levels
Distinguish between trusted and untrusted drivers and isolate untrusted drivers in a separate address space
Assume that the malware will at some point send or receive network traffic that network-level intrusion detection systems (network sensors) are able to classify as malicious or suspicious
PARASITIC MALWARE-THREAT MODEL
6
Parasitic malware alters the execution behavior of existing benign processes as a way to evade detection.
These malware often abuse both Windows user and kernel API functions to induce parasitic behaviors
PARASITIC MALWARE-MALWARE BEHAVIORS
7
Number Source Target DescriptionCase 1A Process Process DLL and thread injection
PARASITIC MALWARE-MALWARE BEHAVIORS
Dynamically-linked library (DLL) injection allows one process to inject entire DLLs into the address space of a second process
OpenProcess()CreateProcess()
Target ProcessProcess Handle
VirtualAllocEx()
WriteProcessMemory()
Abc.dllCreateRemoteThread()
LoadLibrary()
8
Number Source Target DescriptionCase 1B Process Process Raw code and thread injection
PARASITIC MALWARE-MALWARE BEHAVIORS
A raw code injection attack is similar to a DLL injection in that user-space malware creates a remote thread of execution, but it does not require a malicious DLL to be stored on the victim’s computer system
9
Number Source Target DescriptionCase 2A Kernel driver Process DLL and thread alteration
PARASITIC MALWARE-MALWARE BEHAVIORS
Asynchronous Procedure Calls (APCs)A method of executing code asynchronously in the context of a particular thread and, therefore, within the address space of a particular process
Malicious drivers identify a process → allocate memory inside it → copy the malicious DLL to memory → create and initialize a new APC → execute the inserted code
10
Number Source Target DescriptionCase 2B Kernel driver Process Raw code and thread alteration
PARASITIC MALWARE-MALWARE BEHAVIORS
Malicious kernel drivers inject raw code into a benign process and execute it using the APC
11
Number Source Target DescriptionCase 2C Kernel driver Process Kernel thread injection
PARASITIC MALWARE-MALWARE BEHAVIORS
Kernel thread injection is the method by which malicious drivers execute malicious functionality entirely inside the kernel
A kernel thread executing malicious functionality is owned by a user-level process, though the user-level process had not requested its creation
By default, these threads are owned by the System process, however a driver may also choose to execute its kernel thread on behalf of any running process
12ARCHITECTURE – DESIGN GOAL
Pyrenee
Accurate
Automatic, Runtime Detection
Resist Direct and Indirect Attacks
13 ARCHITECTUREDetect Malicious Traffic
Records end-point process(App)
True origin - Malware
Records parasitic behaviors
Malware
14 ARCHITECTURE-NIDS
Use off-the-shelf sensor identifies inbound or outbound network traffic of suspicion
Network Intrusion Detection System like BotHunter, Snort or Bro.
15ARCHITECTURE-NETWORK ATTRIBUTION SENSOR
Given a network sensor (NIDS) alert for some suspicious traffic flow, the network attribution sensor is responsible for determining which process is the local endpoint of that flow in the untrusted VM
Two subcomponents: - one in the VM’s kernel space and one in user space
16ARCHITECTURE-HOST ATTRIBUTION SENSOR
User-level Parasitism
Monitors the runtime behavior of all processes executing within the victim VM by intercepting their system calls <Native API>
Intercepts all system calls, but it processes only those that may be used by a DLL or thread injection attackEX: NtOpenProcess, NtCreateProcess,etc.
17ARCHITECTURE-HOST ATTRIBUTION SENSOR
18ARCHITECTURE-HOST ATTRIBUTION SENSOR
Kernel-level Parasitic
Isolating in a separate address space and monitoring kernel APIs invoked by untrusted drivers through this new interface
19ARCHITECTURE-CORRELATION ENGINE
Finds actual malicious code on the system
Gathers data from all sensors- NIDS,NAS,HAS
Uses NIDS provides network alert information
Uses NAS to find the process
Uses HAS to find parasitic behavior
20IMPLEMENTATION DETAILS
Victim host – Windows XP SP2 in VM
Hypervisor – Xen 3.2
Pyrenee run on high privilege VM – Fedora Core 9
21IMPLEMENTATION DETAILS
Fast Network Flow Discovery
Deployed the sensor’s packet filter inside the trusted VM’s kernel-space as a Linux kernel module
Set up untrusted VMs to use a virtual network interface bridged to the trusted VM
Inserted a hook into a bridge-based packet filtering framework called ebtables to view packets crossing the bridge
22IMPLEMENTATION DETAILS
Introspection
Windows does not store network port and process name information in a single structure
Input : IP and port
23IMPLEMENTATION DETAILS
Introspection - EPROCESS
24
System Call Interpositioning and Parameter Extraction
Host attribution sensor requires information about system calls used as part of DLL or thread injection
Windows XP uses the fast x86 system-call instruction SYSENTER ( Transfers control to a system-call dispatch routine at an address specified in the IA32_SYSENTER _EIP register)
IMPLEMENTATION DETAILS
IA32_SYSENTER _EIPAddress not allocate to the guest OS
Fault
Hypervisor gain control
Records the system call number (in eax register)
Locate system-call parameters stored on the kernel stack (used edx register)
Extracts IN parameters
Get currently-executing process’ ID and thread ID (use FS segment selector → TIB)
Return
Two-step procedure to extract values of OUT parameters at system call return
Step 1 : Record the value present in an OUT parameter at the beginning of the system call
Step 2 : A thread returning to user mode at the completion of a system call will fault due to our manipulation.
IMPLEMENTATION DETAILS
26IMPLEMENTATION DETAILS
Address Space Construction and Switching
Map untrusted driver code pages into the UPT and trusted kernel and driver code into the TPT
Pyrenee switches between the two address spaces depending upon the execution context
27IMPLEMENTATION DETAILS
Untrusted driver
Kernel API
Execution Fault
(non-executable kernel code in the UPT)
Pyrenee in hypervisor
Check the entry point into TPT is vaild or not
VaildSwitches the address space by storing the value of TPT_CR3
InvaildRecords this behavior as an attack and raises an alarm
28IMPLEMENTATION DETAILS
Interception of Driver Loading
Pyrenee intercepts all driver loading mechanisms
Rewrites the kernel’s binary code on driver loading paths automatically at runtime
29 EVALUATION
Malware Parasitic Behavior Attribution
Conficker worm Process to process Correct
Adclicker.BA trojan Process to process Correct
Storm worm Kernel to Process Correct
30 EVALUATION
Tested prototype on an Intel Core 2 Quad 2.66 GHz system.
Assigned 1 GB of memory to the untrusted Windows XP SP2 VM and 3 GB combined to the Xen hypervisor and the high privilege Fedora Core 9 VM
PassMark Performance Test – CPU and memory experiment
IBM Page Detailer and wget - measured networking overheads
31 EVALUATION
32 EVALUATION
33 CONCLUSIONS
Develop a well-reasoned malware detection architecture that finds unknown malware based on its undesirable network use
Works for both the user- and kernel-level malware
Satisfies protection and performance goals