hunt for malicious code
TRANSCRIPT
-
8/14/2019 Hunt for Malicious Code
1/23
Ryan Berg
Co-Founder and Chief Scientist
March 2009
-
Objectives & Agenda
Very high level overview of malicious code
Categories and types of malicious code (malcode)
Detailed understanding of how malicious code works
Triggering events
System interactions
Methods of detections
Profiling
Location, location, location
Who's at risk
-
Red Alert!
Hacking is illegal. Period. Don't be tempted to try this at home!
Using the examples and techniques learned in this presentation without permission can result in
termination of employment and/or criminal penalties
-
It's in your code
The focus is NOT on:
Process breakdown
Insertion of malicious code on a deployed environment
Infrastructure attacks
Attacking OS flaws, network flaws
User stupidity
Clicking on the executable file in email
Spyware
Installed when the user installs a downloaded program
The focus is on:
Bad stuff in the source code you build, use, and acquire
Copyright 2009 Ounce Labs, Inc. All rights reserved.
-
What is it?
Deliberate or inadvertent security vulnerabilities that allow a hostile person or a program to gain access to and control of applications and data.
    // Let's gather some information about the user's browsing history
    import java.io.File;
    String userHome = System.getProperty("user.home") + "\\Local Settings\\Temporary Internet Files";
    StringBuffer browserFiles = new StringBuffer();
    File dir = new File(userHome);
    if (dir.isDirectory()) {
        File[] children = dir.listFiles();
        for (int i = 0; i < children.length; i++)
            browserFiles.append(children[i].getName()).append('\n');
    }
-
Deliberate vs. Inadvertent
Deliberate vulnerabilities are introduced on purpose
Inadvertent vulnerabilities are a programming mistake
A good attacker will make the malicious code look inadvertent
A better attacker will make it hard to find
Does it matter?
-
What is a triggering event?
An event that initiates the execution of malicious code
Time Event
After 12/31/1999
Logic Event
Employee record deactivated in DB
The ten millionth read of a sensor
If an input value equals a hardcoded constant
Dynamic Loading Events
InstanceOf
Hook in loading of DLL
Unsolicited Function Calls
-
Examples
Easter Eggs
An overly confident employee/developer has introduced code that will produce a shrine to their programming abilities when 99999 is entered into a
zip code field on a website.
Spyware
An open source project wishes to track all the users of its application and sends a message to the home server every time the application is run.
Logic Bombs
Logic triggered
A terrorist who has gained employment at the power company introduces a piece of logic that increments the value of a temperature sensor after the ten millionth reading
of that sensor.
Event triggered
A disgruntled employee introduces malicious code into an application that is tied to a specific date or time. The date or time acts as a trigger and the malicious code is not executed until weeks or months after the employee has left.
-
Famous Easter Eggs
Playful in nature!
Most common in gaming software
Cheats
Microsoft Excel 97 - Flight Simulator
Open a new workbook, press F5
Enter X97:L97 and press Enter
Press Tab once, to move to column M
Hold Control and Shift, right-click the Chart Wizard icon on the Standard toolbar
Spy Hunter in Excel 2000
Under the File menu, do 'Save as Web Page'. Say 'Publish Sheet' and 'Add Interactivity'.
Save to some htm page on your drive. Load the htm page with IE. You should have Excel in the middle of the page.
Scroll to row 2000, column WC. Select row 2000, and tab so that WC is the active column.
Hold down Shift+Ctrl+Alt and click the Office logo in the upper-left.
-
Firefox 3.0.3 and Open Office 3.0 RC2 Beta
-
Lessons Learned
"The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from
companies that employ people like me.) No amount of source-level verification or scrutiny will protect you
from using untrusted code." (Ken Thompson)
-
Thompson C Compiler Trojan
Modified the C compiler
http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
Login backdoor for debugging purposes
Used the code pattern for password verification
Embedded a pattern recognizer into the C compiler
Generated code to accept the correct password for a username
Generated additional code to accept a special debugging password
Compiler written to insert the back door when it compiles itself
Back door inserted when login is compiled
Back door inserted when the C compiler source is compiled
Modify the C compiler source to remove the back door
Back door still inserted when the C compiler source is compiled
Each successive iteration will always include the back door!
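As an added illustration (not code from the deck or from Thompson's paper), the steps above as a toy Python model: "compiler" and "login" are just labelled source strings and a binary is a dict of flags, so nothing real is compiled. It shows why rebuilding from clean compiler source never removes the back door once a trojaned binary is in the loop, even though source review keeps reporting the source clean.

```python
# Toy model of the self-propagating compiler back door described above.
# A "binary" is a dict of flags and a "source" is a short text; nothing is
# really compiled, only the trust relationship between them is modelled.
# All names here are constructed for the illustration.

CLEAN_COMPILER_SRC = "compiler: honest C compiler"
LOGIN_SRC = "login: compare password with stored hash"


def source_review(source):
    """What source-level scrutiny sees: True when no back door is in the text."""
    return "backdoor" not in source


def compile_with(compiler_bin, source):
    """Model one compiler run: the output's flags depend on the compiler used."""
    program = source.split(":")[0]
    out = {"program": program, "login_backdoor": False, "trojaned": False}
    if compiler_bin["trojaned"]:
        # Pattern 1: recognise login's password check and add the extra password.
        if program == "login":
            out["login_backdoor"] = True
        # Pattern 2: recognise the compiler's own source and re-insert itself.
        if program == "compiler":
            out["trojaned"] = True
    else:
        # An honest compiler only builds what the source actually says.
        out["trojaned"] = "backdoor" in source
    return out


def bootstrap(start_compiler, generations):
    """Rebuild the compiler from clean source N times, then build login."""
    cc = start_compiler
    for _ in range(generations):
        cc = compile_with(cc, CLEAN_COMPILER_SRC)
    return cc, compile_with(cc, LOGIN_SRC)
```

Seeding the loop once with a trojaned compiler source and then reverting that source is enough: every later generation built from the clean source still carries both patterns.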
-
How do you detect and stop malcode?
Process and Procedures
Segregation of duties
Controls in SDLC
Manual Analysis
Limited by reviewer expertise
Limited by reviewer fatigue
Time consuming for large applications
Automated Analysis
Difficult to detect logic events
Critical assets unknown
Hybrid Analysis (Manual and Automated)
Domain expert helps identify critical assets
Software doesn't get fatigued
Expertise is in the signatures
Produces reduced code set for manual review
-
Profiling isn't always a bad thing!
Represents a comprehensive set of interactions with critical assets
Identifies and classifies all technologies in use
Eliminates the need to look at ALL the code
Location of interaction with critical assets
Identifies locational hotspots
-
Detecting Malicious Code: Defining Critical Assets
Malcode must interact with a critical asset
Applications have a common set of critical assets
Dynamic code instantiations
System calls
Thread management
External communications
Security controls
Programming control
Applications have custom critical assets
Determined by the business
Inventory control
Specific hardware assets
Applications shouldn't use unexpected technologies
Complex graphics in a web application
-
Profiling: What are my critical assets?
Standard language APIs
Dynamic: Class loaders, Library loaders, Java Native Interface, Class instantiations
System: File I/O, Windows Registry, Memory allocation, Privilege changes, Operating system calls
Thread Management: Interactive manipulations, Process termination
External: Network communications, Data repositories, User Input
Security Controls: Authentication, Authorization
Programming Controls: Compilers, Debuggers, Credential management, Standard vulnerability signatures
Identify business-critical assets (examples)
Adjustments to heat sensor
Inventory updates
Report card grades
Guidance control hardware
-
Profile Standard Asset Example - WebGoat
Identified getNumVisits() as critical asset
Identify asset as a technology or a mechanism
Run a scan
Look at all technologies and mechanisms in use
Validate suspicious technologies
Should there be an email interface?
Should there be socket connections?
Should there be date checks? (very noisy)
Should dynamic code be loaded?
-
Profile Event Triggers
Identify hard-coded string triggers
Identify time checks
Direct function calls do not have triggers
Identified by interaction with critical resource
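An added example, not the deck's demo or any Ounce Labs tooling: a small Python profiler in the spirit of the "Defining Critical Assets", "Profile Standard Asset Example" and "Profile Event Triggers" slides. It runs regex signatures for the three trigger shapes (hard-coded string, time check, constant compare) and the standard critical-asset technologies over a constructed Java snippet, then returns the reduced line set for manual review and any technologies the business did not expect. The Java sample, the pattern set and the category names are constructed assumptions.

```python
import re
# Constructed sample: Java modelled on the deck's triggers and critical assets,
# not real WebGoat code. Line numbers in findings refer to this string.
SAMPLE_JAVA = """public class Billing {
    void process(String zip, java.util.Date now, int reads) throws Exception {
        if (zip.equals("99999")) { showShrine(); }
        if (now.after(new java.util.Date(946684800000L))) { corrupt(); }
        if (reads == 10000000) { temperature += 1; }
        Runtime.getRuntime().exec(cmd);
        new java.net.Socket(host, 80);
        Class.forName(name).newInstance();
    }
}"""

# Event-trigger shapes from the "Profile Event Triggers" slide (assumed regexes).
TRIGGER_PATTERNS = {
    "hardcoded-string-trigger": re.compile(r'\.equals\(\s*"[^"]*"\s*\)'),
    "time-check": re.compile(r'\b(?:after|before)\(|currentTimeMillis|new (?:java\.util\.)?Date\('),
    "constant-compare": re.compile(r'==\s*\d{5,}\b'),
}
# Standard critical-asset technologies from the "Defining Critical Assets" slide.
ASSET_PATTERNS = {
    "os-call": re.compile(r'Runtime\.getRuntime\(\)\.exec|ProcessBuilder'),
    "network": re.compile(r'new (?:java\.net\.)?(?:Socket|ServerSocket|URL)\('),
    "dynamic-load": re.compile(r'Class\.forName|System\.loadLibrary|ClassLoader'),
    "email": re.compile(r'javax\.mail|Transport\.send'),
    "file-io": re.compile(r'new (?:java\.io\.)?File\w*\(|RandomAccessFile'),
}

def profile(source):
    """Return (line_no, category, kind) for every trigger or asset signature hit."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for kind, pat in TRIGGER_PATTERNS.items():
            if pat.search(line):
                findings.append((lineno, "trigger", kind))
        for kind, pat in ASSET_PATTERNS.items():
            if pat.search(line):
                findings.append((lineno, "asset", kind))
    return findings

def review_set(findings):
    """The reduced code set handed to the manual reviewer: sorted unique lines."""
    return sorted({f[0] for f in findings})

def unexpected_technologies(findings, expected):
    """Asset kinds present in the profile that the business did not expect."""
    return sorted({f[2] for f in findings if f[1] == "asset"} - set(expected))
```

Direct calls to a critical asset (the `exec` line) carry no trigger of their own, which is why the asset signatures are run independently of the trigger signatures and both feed the same review set.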
-
MalCode Detection DEMO
Static analysis assists the manual process
Multiple tools required in the toolset
Multiple techniques involved
-
Where is the malicious code?
Open source software
Your custom applications
Third party applications
Thompson Compiler example
-
Questions & Answers