
Page 1: 1 Polymorphism and IDS Black Hat Briefings Las Vegas 2001 Chad R. Skipper Sr. Software Engineer Symantec Corp

Polymorphism and IDS

Black Hat Briefings

Las Vegas 2001

Chad R. Skipper

Sr. Software Engineer

Symantec Corp.

Page 2

whoami

Chad R. Skipper

• Air Force - systems counter intelligence, OSI investigations, information warfare, and exploit intelligence

• Trident Data Systems – Network/Sys/Security Administrator

• L-3 Network Security/Symantec – Sr. Software Engineer
  • Signature Development
  • IDS Evasion Techniques

[email protected]

Page 3

Overview

• Evolution of malicious polymorphic code

• Paradigm shift

• Polymorphic coding
  • ADMmutate by K2
  • http://www.ktwo.ca/

• TCPDumps

• IDS Response

Page 4

Polymorphism

What is polymorphism

• The ability to appear in many forms

• Continuous change (unique coding)

• Independent of encryption

• Morphs the bytes that IDS regexp's key on within attacks

• Can exist on multiple platforms

Page 5

Evolution of Polymorphism

Simple Viruses

• Replicates itself and is the easiest to detect

• Virus always makes an exact replica of itself

• Detection: Scan for a sequence of bytes found in the virus

Page 6

Evolution of Polymorphism

Encrypted Viruses

• Response to detection was encrypting viruses

• Hide the fixed bytes by encrypting the virus

Page 7

Evolution of Polymorphism

Encrypted Viruses

• Consists of a virus decryption routine and an encrypted virus body

• Uses varying encryption keys, but the decryption routine itself remained constant, so detection became a scan for a sequence of bytes from the decryption routine

Page 8

Evolution of Polymorphism

Encrypted Viruses

• Executes decryption routine
• Gains control of the system
• Decrypts and gives control to virus
• Infection occurs
• Copies itself
• Encrypts itself
• Attaches itself to a new program

Page 9

Evolution of Polymorphism

Polymorphic Virus

• Response to detection was polymorphism

• Contains the encrypted body and decryption routine

• Adds a mutation engine that generates randomized decryption routines with each use

• Mutation engine and virus body are both encrypted

• Result is the virus body encryption and decryption routines vary from infection to infection

• NO FIXED SIGNATURE

Page 10

Evolution of Polymorphism

Polymorphic Virus

• Decrypts virus and mutation engine
• Transfers control to the virus
• Copies itself and the mutation engine
• Invokes the mutation engine
• Randomly generates decryption routine
• Virus is now unique from the prior virus
• Attaches to a new program

Page 11

Evolution of Polymorphism

Problems with Polymorphic Virus Detection

• Dark Avenger and MtE
• Produces random programs
• Billions-upon-billions of variations

Polymorphic Virus Detection

• One-by-one, line-by-line (Don't think so)

Generic Decryption

• Slow

Heuristic-Based Generic Decryption

• Heuristic guesses
• False Negatives

Page 12

Evolution of Polymorphism

Polymorphic Virus Detection Solutions

• Does not rely on heuristic guesses
• Relies on rules or profiles specific to each virus
• Rules out possibilities first
• Runs file in virtual machine (VM)
• Looks for triggers

Page 13

Evolution of Polymorphism

Polymorphic Virus Detection Solutions

• Load file into self-contained VM
• Is this file .exe, .com, .sys…?
• If .exe then A, B, C, D, and E are virus behaviors
• Suspect files (behavior profiles)
  • A,B,C
  • A,B,D
  • D,B,E
• Observes A, then “D,B,E” is out
• Observes B, then the remaining are still in
• Observes D, then “A,B,C” is out and “A,B,D” is in
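The rule-out loop of the three slides above, as an added example (not code from the talk or from any Symantec product). The profile names, the ".com" entry and the file-type gate are hypothetical; only the three A/B/C/D/E sequences come from the slide.

```python
# Added example: candidate elimination over ordered behaviour profiles,
# the "rules out possibilities first / looks for triggers" loop of slide 13.
# Profile names, the ".com" table and the behaviour letters are hypothetical.

from typing import Dict, List, Sequence, Tuple

# Hypothetical per-file-type rule set. The three ".exe" profiles are the
# ones on the slide; ".com" is made up to show the file-type gate.
PROFILES: Dict[str, Dict[str, Tuple[str, ...]]] = {
    ".exe": {
        "virus-1": ("A", "B", "C"),
        "virus-2": ("A", "B", "D"),
        "virus-3": ("D", "B", "E"),
    },
    ".com": {
        "virus-4": ("A", "E"),
    },
}


def surviving(observed: Sequence[str],
              profiles: Dict[str, Tuple[str, ...]]) -> Dict[str, Tuple[str, ...]]:
    """Profiles that still agree with everything observed so far and have
    steps left to match (the 'still in' set on the slide)."""
    n = len(observed)
    return {
        name: steps
        for name, steps in profiles.items()
        if len(steps) > n and steps[:n] == tuple(observed)
    }


def triggered(observed: Sequence[str],
              profiles: Dict[str, Tuple[str, ...]]) -> List[str]:
    """Profiles fully matched by a prefix of the observed behaviour (the trigger)."""
    return sorted(
        name
        for name, steps in profiles.items()
        if len(observed) >= len(steps) and tuple(observed[:len(steps)]) == steps
    )


def scan(file_type: str, behaviours: Sequence[str]) -> Tuple[List[str], List[str], int]:
    """Emulate the VM loop: feed behaviours one at a time, prune after each,
    and stop as soon as a profile triggers or nothing can match any more.
    Returns (triggered profiles, profiles still open, behaviours examined)."""
    profiles = PROFILES.get(file_type, {})
    seen: List[str] = []
    for b in behaviours:
        seen.append(b)
        hits = triggered(seen, profiles)
        alive = surviving(seen, profiles)
        if hits or not alive:
            return hits, sorted(alive), len(seen)
    return [], sorted(surviving(seen, profiles)), len(seen)


if __name__ == "__main__":
    for stream in (["A"], ["A", "B"], ["A", "B", "D"], ["B", "A", "C"]):
        print(stream, "->", scan(".exe", stream))
```

Observing A leaves virus-1 and virus-2 open, B keeps both, D triggers virus-2; a file whose first behaviour is B is ruled out after one step, which is the point of ruling out before emulating further.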

Page 14

The Paradigm Shift

Concepts used from Polymorphic Viruses

• Mutation engine
• Polymorphic algorithm
• Morphing of the payload to include
  • Shell code
  • NOP's
  • Encoder/Decoder
  • Non-Operational Padding

Page 15

The Paradigm Shift

The intent of Polymorphic Attacks

• To evade signature analysis of IDS
• Signature analysis looks at
  • Shell code
  • NOP's
  • Specific offsets within a payload
  • ASCII
  • Headers

Page 16

Encoding Process

Shell code

• Morphed prior to launch, with each subsequent morphing unique

• ROT, MOV

• XOR (exclusive-or) with a randomly generated value
  • 0 xor 0 = 0
  • 0 xor 1 = 1
  • 1 xor 0 = 1
  • 1 xor 1 = 0
  • If the first or the second operand, but not both, is one, the result is one; otherwise the result is zero.

Page 17

Encoding Process

Shell code

• Randomly generated xor value of 0x23

• DNS – Snort

alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS489/named-exploit-tsig-lsd"; content: "|3F 909090 EB3B 31DB 5F 83EF7C 8D7710 897704 8D4F20|"; classtype: system-attempt; reference: arachnids,489;)

Page 18

Encoding Process

Shell code

• Shell code of: 0x 3F 909090 EB3B 31DB 5F 83EF7C 8D7710 897704 8D4F20

• XOR with the value of 0x23

• We get: 0x 1C B3B3B3 C818 12F8 7C A0CC5F AE5433 AA5427 AE6C03

• A single-byte key already gives 256 possible encodings of the same shell code (255 that actually change it); a two-byte key gives over 64,000 (2^16 = 65,536)

• BTW, the computational overhead for a NIDS to see through this (re-checking each signature under every candidate key) may/will be substantial.
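The encoding step above as runnable code, added here and not taken from the talk or from ADMmutate. Only the IDS489 shell code bytes and the key 0x23 come from the slides; the NUL-avoidance rule in the key selection is an assumption about what a strcpy()-style overflow needs.

```python
# Added example: single-byte XOR encoding of the IDS489 shell code, the Snort
# content match before and after, and the brute-force pass a NIDS would need.
# Only the shell code bytes and the key 0x23 come from the slides.

from typing import List

# Bytes of the Snort IDS489 (named-exploit-tsig-lsd) content match on the slide.
IDS489_CONTENT = bytes.fromhex("3F909090EB3B31DB5F83EF7C8D77108977048D4F20")


def xor_encode(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte. XOR is its own inverse, so the same
    call with the same key decodes."""
    if not 0 <= key <= 0xFF:
        raise ValueError("single-byte key expected")
    return bytes(b ^ key for b in data)


def usable_keys(data: bytes, forbidden: bytes = b"\x00") -> List[int]:
    """Keys an encoder may pick: the identity key 0 is useless, and any key
    that would put a forbidden byte (assumed here: NUL, which ends a
    strcpy()-style copy) into the encoded body would truncate the payload."""
    return [
        key for key in range(1, 256)
        if not any((b ^ key) in forbidden for b in data)
    ]


def content_match(payload: bytes, content: bytes) -> bool:
    """What a Snort 'content:' option does: a plain substring search."""
    return content in payload


def brute_force_xor(payload: bytes, content: bytes) -> List[int]:
    """What a NIDS would have to do to keep the old signature working: undo
    every candidate key and re-run the match. Up to 255 extra passes per
    signature per packet is the overhead the slide warns about."""
    return [key for key in range(1, 256) if content in xor_encode(payload, key)]


if __name__ == "__main__":
    encoded = xor_encode(IDS489_CONTENT, 0x23)
    print("plain  :", IDS489_CONTENT.hex())
    print("xor 23 :", encoded.hex())
    print("IDS489 matches plain  :", content_match(IDS489_CONTENT, IDS489_CONTENT))
    print("IDS489 matches encoded:", content_match(encoded, IDS489_CONTENT))
    print("keys recovered by brute force:", [hex(k) for k in brute_force_xor(encoded, IDS489_CONTENT)])
    print("keys this encoder could pick from:", len(usable_keys(IDS489_CONTENT)))
```

With a 21-byte content match the brute-force pass recovers exactly one key, so the signature is not lost, only 255 times more expensive to apply; the encoder, for its part, has 238 keys to choose from for this shell code once the 17 distinct byte values that would produce a NUL are excluded.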

Page 19

Encoding Process

NOP's

• No operation assembly processor instruction

• So, we substitute known NOP's with other characters that do not affect the outcome of the code

Page 20

Encoding Process

NOP's

• Platform specific NOP's
  • AIX – 0x4ffffb82
  • Digital – 0x47ff041f
  • HP – 0x0b390280
  • Intel – 0x90
  • SGI – 0x240f1234
  • SPARC – 0x13c01ca6; 0xa61cc013, 0x801c4011

Page 21

Encoding Process

NOP's

• Substitutional NOP's per K2
  • Intel (single-byte instructions; 32-bit decodes)
    • 0x49 (dec ecx)
    • 0x4b (dec ebx)
    • 0x45 (inc ebp)
  • SPARC
    • 0xa21c8012
    • 0xb606401a
    • 0xa026e042
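The substitution described above as an added example (not from the talk or from ADMmutate). The opcode table is an assumption of mine built from the three Intel values K2 gives here plus the other one-byte instructions visible in the sled of the polymorphed capture later in the deck; the 60 captured sled bytes are copied from that dump. The run-length check is the approach later NOP-sled detectors such as Snort's fnord preprocessor took.

```python
# Added example: a randomized x86 NOP sled from substitute instructions, why
# the fixed 24 x 0x90 Snort signature (IDS362) misses it, and the generic
# check a NIDS can run instead. The opcode table is mine (assumption).

import random
from typing import FrozenSet, List

# Single-byte x86 instructions usable as NOP substitutes (32-bit decodes):
# the three on the slide plus the others seen in the captured sled.
SUBSTITUTE_NOPS = {
    0x90: "nop",
    0x40: "inc eax", 0x41: "inc ecx", 0x42: "inc edx", 0x43: "inc ebx",
    0x44: "inc esp", 0x45: "inc ebp",
    0x48: "dec eax", 0x49: "dec ecx", 0x4A: "dec edx", 0x4B: "dec ebx",
    0x4C: "dec esp", 0x4D: "dec ebp",
    0x27: "daa", 0xF5: "cmc", 0xF9: "stc",
}

# A detector should count every one of them; a generator should keep away
# from the two that move the stack pointer under the shell code.
SLED_ALPHABET: FrozenSet[int] = frozenset(SUBSTITUTE_NOPS)
GENERATOR_NOPS: List[int] = sorted(SLED_ALPHABET - {0x44, 0x4C})

# The 24-byte content of the IDS362 rule shown later in the deck.
IDS362_CONTENT = b"\x90" * 24

# First 60 payload bytes (after the TCP options) of the polymorphed capture
# on slide 25, copied from the slide.
CAPTURED_SLED = bytes.fromhex(
    "49494b49494d4df540f94040"
    "4d49414b48454bf5484d4b4d45494449"
    "4827494a434c4b4d4af9f54a4c4d274c"
    "414d4c4c4c27494c4a494140414d274c"
)


def random_sled(length: int, rng: random.Random) -> bytes:
    """A fresh sled every launch: each slot gets one of the substitute NOPs."""
    return bytes(rng.choice(GENERATOR_NOPS) for _ in range(length))


def classic_sled_hit(payload: bytes) -> bool:
    """The pattern-matching rule: fires only on a run of literal 0x90 bytes."""
    return IDS362_CONTENT in payload


def longest_run(payload: bytes, alphabet: FrozenSet[int] = SLED_ALPHABET) -> int:
    """Length of the longest run of bytes that are all in the sled alphabet."""
    best = run = 0
    for b in payload:
        run = run + 1 if b in alphabet else 0
        best = max(best, run)
    return best


def generic_sled_hit(payload: bytes, min_run: int = 24) -> bool:
    """Substitute-aware check: any run of do-nothing one-byte instructions
    at least as long as the classic sled signature."""
    return longest_run(payload) >= min_run


def printable_fraction(data: bytes) -> float:
    """Share of bytes in printable ASCII; the inc/dec opcodes are '@'..'M'."""
    return sum(0x20 <= b <= 0x7E for b in data) / len(data)


if __name__ == "__main__":
    sled = random_sled(64, random.Random(2001))
    print("generated sled:", sled.hex())
    for name, data in (("captured", CAPTURED_SLED), ("generated", sled)):
        print(f"{name}: IDS362={classic_sled_hit(data)} generic={generic_sled_hit(data)} "
              f"run={longest_run(data)} printable={printable_fraction(data):.2f}")
```

The captured sled never fires the 0x90 rule but is a single 60-byte run over the substitute alphabet. Note the side effect of K2's choices: 0x40 to 0x4d are the ASCII characters '@' to 'M', so over 90% of the sled is printable text, which matters for the "binary bytes in a text service" check discussed later.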

Page 22

Encoding Process

Encoder/Decoder

• My first thought was that we can detect the Encoder/Decoder

• “It would not be cool if the IDS vendor could simply detect our decoder.” - K2

• FAT CHANCE… This would be too easy

• Techniques used are multiple code paths, non-operational padding, and randomly generated instructions

• Decoder processes the data after the overflow

Page 23

Attacks

[Diagram: Attacker -> Network IDS -> Victim]

Page 24

TCPDumps (Normal)

4500 04e8 be81 4000 4006 0f4c 0a0a 2a2a
0a0a 2a05 0933 0019 70e1 3dc3 ad03 63b0
8018 7d78 b342 0000 0101 080a 0400 22e1
008c 3e60 9090 9090 9090 9090 9090 9090
9090 9090 9090 9090 9090 9090 9090 9090
9090 9090 9090 9090 9090 9090 9090 9090
9090 9090 9090 9090 9090 9090 9090 9090
(Cut)
9090 9090 9090 9090 eb48 9aff ffff ff07
ffc3 5e31 c089 46b4 8846 b988 4607 8946
0c31 c050 b08d e8df ffff ff83 c404 31c0
50b0 17e8 d2ff ffff 83c4 0431 c050 8d5e
0853 8d1e 895e 0853 b03b e8bb ffff ff83
c40c e8bb ffff ff2f 6269 6e2f 7368 ffff
ffff ffff 7c6b 0408 7c6b 0408 7c6b 0408
7c6b 0408 7c6b 0408 7c6b 0408 7c6b 0408

(IP 10.10.42.42 -> 10.10.42.5, TCP port 2355 -> 25, IP total length 0x04e8 = 1256. The payload is a 0x90 sled, the shell code, the string /bin/sh at 2f62 696e 2f73 68, and the return address 0x08046b7c repeated as 7c6b 0408.)

Page 25

TCPDumps (Polymorphed)

4500 04e8 be81 4000 4006 0f4c 0a0a 2a2a
0a0a 2a05 0933 0019 70e1 3dc3 ad03 63b0
8018 7d78 b342 0000 0101 080a 0400 4475
008c 5fe5 4949 4b49 494d 4df5 40f9 4040
4d49 414b 4845 4bf5 484d 4b4d 4549 4449
4827 494a 434c 4b4d 4af9 f54a 4c4d 274c
414d 4c4c 4c27 494c 4a49 4140 414d 274c
4244 414b 4540 4940 f54c 4945 40f5 48f5
4c4d 454d f54d 404d 4d27 f94b 4d4d 4b42
(CUT)
36aa 763c 5b31 c9b0 df6a 1866 5993 3106
9383 e886 9640 968c c08c e083 c601 f533
c046 85c0 46e2 e685 c085 c0eb 0bb0 346b
c087 e8c5 ffff ff7e 413e a6c9 5589 c331
55b5 6207 6aff 7a82 2230 85be ec71 b570
a647 fc66 1afb d4e9 5589 c3b5 6e72 0df6
fac6 2bde 7889 c3c9 29b2 3807 6a26 b168
a225 b128 2328 3465 1a4d d48d 5589 c3b5
6e7a d48d 5589 c319 c81f 5219 d91e c3c9
5589 c3c9 d61d 0408 816b 0408 816b 0408

(Same IP/TCP headers apart from the timestamps. The 0x90 sled is now a mix of one-byte instructions: 0x40 to 0x4d inc/dec, 0x27 daa, 0xf5 cmc, 0xf9 stc; the shell code body is encoded; the return address is now 816b 0408.)

Page 26

TCPDumps (Polymorphed)

4500 04e8 be81 4000 4006 0f4c 0a0a 2a2a
0a0a 2a05 0933 0019 70e1 3dc3 ad03 63b0
8018 7d78 b342 0000 0101 080a 0400 c60f
008c e181 454b 4449 444a 4040 4342 4af9
40f9 414b 444b 4c44 4845 4d40 4944 f948
404b 484b 4af9 4b4a f94d 404a 2740 f94b
f941 4449 4327 4d44 48f5 45f9 4149 4341
f545 4b40 4027 2745 48f5 f549 f544 4d4a
f5f5 2742 f54b 4c41 41f5 4927 444b 4941
454d 42f9 f548 4d45 4b4c f545 4442 424d
(CUT)
5896 83c0 4a68 9801 56bf 5b31 c091 c1e8
4a40 6a18 5889 c193 3106 9346 f946 c1e8
aa8c c083 c601 9640 96c1 c0ed e2e9 8cc0
eb06 e8c9 ffff ffd9 ea1e 2567 fea9 409f
fe95 e1a9 c1df f92c 8910 0610 4751 36de
0d67 7fc8 b1db 5747 fea9 401b c552 8e58
51e6 a870 d3a9 4067 8292 bba9 c106 32c6
0905 3286 8808 b7cb b16d 5723 fea9 401b
c55a 5723 fea9 40b7 633f d1b7 723e 4067
fea9 4067 7d3d 0408 cb6b 0408 cb6b 0408

(A second launch of the same attack: a different sled, a different decoder and encoded body, and the return address is now cb6b 0408. Nothing below the TCP header repeats byte-for-byte between the two polymorphed launches.)

Page 27

Network Intrusion Response

Protocol Analysis

• Application Layer

[Diagram: OSI stack - Physical, Data Link, Network, Transport, Session, Presentation, Application]

Page 28

Network Intrusion Response

Protocol Analysis

• What protocol is it?
  • IP, IPX…
• If IP then is it TCP, UDP, ICMP…
• If TCP then is it HTTP, DNS, FTP…
• If HTTP then apply HTTP signatures
• Determine if alert is needed

Page 29

Network Intrusion Response

Protocol Analysis

• Break the payload down into manageable parts

• Look for expected results
• Anything out of that range – alert

[Diagram: two packets (Physical, Data Link, Network, Payload), Normal HTTP vs. Abnormal HTTP]

Page 30

Network Intrusion Response

Protocol Analysis

• Can detect polymorphic attacks

• Proactive

• Better performance

• Harder to evade

• May be possible to create polymorphic code that looks like normal traffic on some services

Page 31

Network Intrusion Response

Pattern Matching

• Searches for set patterns within packets, such as shell-code, NOP's, and ASCII

• Pattern matching is defeated by polymorphic attacks

[Diagram: packet - Physical, Data Link, Network, Payload]

Page 32

Network Intrusion Response

Snort Example – Pattern Matching

DNS - Snort

alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS489/named-exploit-tsig-lsd"; content: "|3F 909090 EB3B 31DB 5F 83EF7C 8D7710 897704 8D4F20|"; classtype: system-attempt; reference: arachnids,489;)

TFN - Snort

alert ICMP any any -> any any (msg: "IDS425/ddos-tfn2k-icmp_possible_communication"; itype: 0; icmp_id: 0; content: "AAAAAAAAAA"; classtype: system-success; reference: arachnids,425;)

Page 33

Network Intrusion Response

Snort Example – Pattern Matching

X86 NOP's - Snort

alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS362/shellcode-x86-nops-udp"; content: "|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; classtype: system-attempt; reference: arachnids,362;)

Page 34

Network Intrusion Response

Binary Signatures

• Detecting binary strings within protocols such as SMTP

• Attacks against text-only services could be caught by checking for characters outside the standard text range
  • FTP

• Could pick up polymorphic attacks

Page 35

Network Intrusion Response

Packet Size

• Detecting unusually large amounts of data in streams
  • POP3, RPC, HTTP, FTP

• Can pick up polymorphic attacks

[Diagram: packet - Physical, Data Link, Network, Payload]
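The three checks of slides 28 to 35 run over the captures on slides 24 and 25, as an added example (not from the talk or from any IDS product). The packet bytes are copied from those slides (each sled is cut there, so only the visible fragment is embedded); the clean SMTP packet, the service table, the 512-byte limit (the SMTP command-line limit of RFC 821) and the 5% threshold are my own constructions.

```python
# Added example: protocol analysis + "binary bytes in a text service" +
# packet-size checks over the captures on slides 24/25. Service table,
# thresholds and the clean packet are assumptions, not from the talk.

import struct
from dataclasses import dataclass, field
from typing import List, Optional


def hexbytes(text: str) -> bytes:
    return bytes.fromhex("".join(text.split()))


NORMAL = hexbytes("""
4500 04e8 be81 4000 4006 0f4c 0a0a 2a2a
0a0a 2a05 0933 0019 70e1 3dc3 ad03 63b0
8018 7d78 b342 0000 0101 080a 0400 22e1
008c 3e60 9090 9090 9090 9090 9090 9090
9090 9090 9090 9090 9090 9090 9090 9090
9090 9090 9090 9090 9090 9090 9090 9090
9090 9090 9090 9090 9090 9090 9090 9090
9090 9090 9090 9090 eb48 9aff ffff ff07
c40c e8bb ffff ff2f 6269 6e2f 7368 ffff
ffff ffff 7c6b 0408 7c6b 0408 7c6b 0408
""")  # slide 24: headers, start of the 0x90 sled, tail after the cut

POLY = hexbytes("""
4500 04e8 be81 4000 4006 0f4c 0a0a 2a2a
0a0a 2a05 0933 0019 70e1 3dc3 ad03 63b0
8018 7d78 b342 0000 0101 080a 0400 4475
008c 5fe5 4949 4b49 494d 4df5 40f9 4040
4d49 414b 4845 4bf5 484d 4b4d 4549 4449
4827 494a 434c 4b4d 4af9 f54a 4c4d 274c
414d 4c4c 4c27 494c 4a49 4140 414d 274c
36aa 763c 5b31 c9b0 df6a 1866 5993 3106
9383 e886 9640 968c c08c e083 c601 f533
5589 c3c9 d61d 0408 816b 0408 816b 0408
""")  # slide 25: the same attack through ADMmutate

# Hypothetical table of text-only services and the longest command line each
# should carry (512 is the SMTP command-line limit of RFC 821).
TEXT_SERVICES = {21: ("FTP", 512), 25: ("SMTP", 512), 110: ("POP3", 512)}
BINARY_THRESHOLD = 0.05  # tolerated fraction of non-text bytes on a text service


@dataclass
class Verdict:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int]
    service: Optional[str]
    declared_payload_len: int
    payload: bytes
    reasons: List[str] = field(default_factory=list)


def nontext_ratio(data: bytes) -> float:
    """Fraction of bytes outside printable ASCII plus TAB/LF/CR."""
    if not data:
        return 0.0
    return sum(1 for b in data if not (0x20 <= b <= 0x7E or b in (9, 10, 13))) / len(data)


def build_ipv4_tcp(payload: bytes, dport: int, sport: int = 40000) -> bytes:
    """Minimal IPv4/TCP packet for the clean case (checksums left zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0x4000, 64, 6, 0,
                     bytes([10, 10, 42, 42]), bytes([10, 10, 42, 5]))
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, (5 << 12) | 0x18, 8192, 0, 0)
    return ip + tcp + payload


def assess(pkt: bytes) -> Verdict:
    """Protocol analysis: work out what the packet is, then apply only the
    checks that make sense for that service."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    src_s, dst_s = ".".join(map(str, src)), ".".join(map(str, dst))
    if proto != 6:
        return Verdict(f"IP/{proto}", src_s, dst_s, None, None, total_len - ihl, pkt[ihl:])
    _, dport, _, _, off_flags, _, _, _ = struct.unpack("!HHIIHHHH", pkt[ihl:ihl + 20])
    data_off = (off_flags >> 12) * 4
    payload = pkt[ihl + data_off:]
    declared = total_len - ihl - data_off  # from the IP header, not from what we captured
    service, limit = TEXT_SERVICES.get(dport, (None, None))
    v = Verdict("TCP", src_s, dst_s, dport, service, declared, payload)
    if service is None:
        return v  # no text-service checks for services we do not model
    if declared > limit:  # packet size (slide 35)
        v.reasons.append("oversized")
    if nontext_ratio(payload) > BINARY_THRESHOLD:  # binary signature (slide 34)
        v.reasons.append("binary")
    return v


if __name__ == "__main__":
    clean = build_ipv4_tcp(b"EHLO mail.example.com\r\n", 25)
    for name, pkt in (("normal", NORMAL), ("polymorphed", POLY), ("clean", clean)):
        v = assess(pkt)
        print(f"{name}: {v.proto} {v.src}->{v.dst}:{v.dst_port} {v.service} "
              f"declared={v.declared_payload_len} nontext={nontext_ratio(v.payload):.2f} {v.reasons}")
```

Both captures get both reasons, but for different parts of the payload: the plain 0x90 sled is 100% non-text, while the first 60 bytes of the polymorphed sled come out under 10% because 0x40 to 0x4d are the printable characters '@' to 'M'; it is the decoder and the encoded body that trip the binary check. The 1204-byte declared payload against a 512-byte command line is the cheaper and, here, the more robust signal. On SMTP the binary check belongs on the command phase only; an 8BITMIME body would trip it otherwise.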

Page 36

Network Intrusion Response

Connection Time

• Abnormal connection time rates, such as a lengthy DNS exchange
  • DNS, HTTP, RPC, etc…

• Time based
• Expensive
• Could detect polymorphic attacks by timing the session between hosts

Page 37

Network Intrusion Response

Outcome Detection – Success/Failure

• Able to detect response to attacks

• Able to detect “/bin/sh” leaving on port 53

• Could detect polymorphic attacks

• Another evasion technique is the response from the victim being hashed/encrypted/scrambled

Page 38

Network Intrusion Response

Outcome Detection – Success/Failure

• Solaris snmpXdmid - LAST STAGE OF DELIRIUM

• NOP's to server

00 00 1C 00 00 00 40 00 00 00 11 FF FF FF 80 00
00 00 1C 00 00 00 40 00 00 00 11 FF FF FF 80 00
00 00 1C 00 00 00 40 00 00 00 11 FF FF FF 80 00
00 00 1C 00 00

(Each payload byte travels as a 4-byte big-endian integer, so 0x80 arrives sign-extended as FF FF FF 80. Read one byte per integer the stream is 1C 40 11 80 1C 40 11 80 ..., i.e. the SPARC NOP 0x801c4011 from the platform list.)

• /bin/ksh to server (same encoding: the integer 8 followed by the 8 characters, one per integer)

00 08 00 00 00 2F 00 00 00 62 00 00 00 69 00 00   ...../...b...i..
00 6E 00 00 00 2F 00 00 00 6B 00 00 00 73 00 00   .n.../...k...s..
00 68 00 00 00 04 00 00 00 00 00 00 00 00 00 00   .h..............

• uname –a to server

82 8C 2F 62 69 6E 2F 75 6E 61 6D 65 20 2D 61 0A   ../bin/uname -a.

Page 39

Network Intrusion Response

Outcome Detection – Success/Failure

• Solaris snmpXdmid - LAST STAGE OF DELIRIUM

• Response to uname –a

2E E1 53 75 6E 4F 53 20 73 61 2D 73 6F 6C 61 72   ..SunOS sa-solar
69 73 2D 30 32 20 35 2E 38 20 47 65 6E 65 72 69   is-02 5.8 Generi
63 20 73 75 6E 34 75 20 73 70 61 72 63 20 53 55   c sun4u sparc SU
4E 57 2C 55 6C 74 72 61 2D 35 5F 31 30 0A         NW,Ultra-5_10.

• Response to /etc/passwd

35 1C 72 6F 6F 74 3A 78 3A 30 3A 31 3A 53 75 70   5.root:x:0:1:Sup
65 72 2D 55 73 65 72 3A 2F 3A 2F 73 62 69 6E 2F   er-User:/:/sbin/
73 68 0A 64 61 65 6D 6F 6E 3A 78 3A 31 3A 31 3A   sh.daemon:x:1:1:
3A 2F 3A 0A 62 69 6E 3A 78 3A 32 3A 32 3A 3A 2F   :/:.bin:x:2:2::/
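Outcome detection over the snmpXdmid exchange on the two slides above, as an added example (not from the talk or from LSD's exploit). The captured bytes are copied from the slides; the indicator patterns are mine, and the int-per-character unpacking follows what those bytes show (each request character as a 4-byte big-endian integer). The slide rows start mid-integer, so one or two 00 bytes are prepended here to realign them.

```python
# Added example: indicators of attack outcome in the victim's responses, plus
# unpacking of the one-character-per-32-bit-integer request encoding seen in
# the snmpXdmid capture. Indicator patterns are mine, not from the talk.

import re
from typing import List, Tuple


def hexbytes(text: str) -> bytes:
    return bytes.fromhex("".join(text.split()))


# Slide 38, "/bin/ksh to server": the rows start two bytes into an integer.
KSH_REQUEST = hexbytes("""
00 00
00 08 00 00 00 2F 00 00 00 62 00 00 00 69 00 00
00 6E 00 00 00 2F 00 00 00 6B 00 00 00 73 00 00
00 68 00 00 00 04 00 00 00 00 00 00 00 00 00 00
""")

# Slide 38, "NOP's to server": the rows start one byte into an integer.
NOP_REQUEST = hexbytes("""
00
00 00 1C 00 00 00 40 00 00 00 11 FF FF FF 80 00
00 00 1C 00 00 00 40 00 00 00 11 FF FF FF 80 00
00 00 1C 00 00 00 40 00 00 00 11 FF FF FF 80 00
00 00 1C 00 00
""")

# Slide 39: what came back from the victim.
UNAME_RESPONSE = hexbytes("""
2E E1 53 75 6E 4F 53 20 73 61 2D 73 6F 6C 61 72
69 73 2D 30 32 20 35 2E 38 20 47 65 6E 65 72 69
63 20 73 75 6E 34 75 20 73 70 61 72 63 20 53 55
4E 57 2C 55 6C 74 72 61 2D 35 5F 31 30 0A
""")
PASSWD_RESPONSE = hexbytes("""
35 1C 72 6F 6F 74 3A 78 3A 30 3A 31 3A 53 75 70
65 72 2D 55 73 65 72 3A 2F 3A 2F 73 62 69 6E 2F
73 68 0A 64 61 65 6D 6F 6E 3A 78 3A 31 3A 31 3A
3A 2F 3A 0A 62 69 6E 3A 78 3A 32 3A 32 3A 3A 2F
""")

SPARC_NOP = bytes.fromhex("801c4011")  # from the platform list on slide 20

# Hypothetical indicator set: things a service port should never emit.
INDICATORS: List[Tuple[str, bytes]] = [
    ("shell path", rb"/bin/(?:ba|k|c)?sh"),
    ("uname output", rb"\b(?:SunOS|Linux|FreeBSD|OpenBSD|HP-UX|AIX|IRIX)\b"),
    ("passwd line", rb"[A-Za-z_][A-Za-z0-9_-]*:[^:\n]*:\d+:\d+:[^:\n]*:[^:\n]*:[^\n]+"),
]
COMPILED = [(name, re.compile(pat)) for name, pat in INDICATORS]


def int_per_char(stream: bytes) -> bytes:
    """Collapse 4-byte big-endian integers that each carry one character back
    into bytes. Values outside a char's range are dropped; a trailing partial
    integer is ignored."""
    out = bytearray()
    for i in range(0, len(stream) - 3, 4):
        v = int.from_bytes(stream[i:i + 4], "big", signed=True)
        if -128 <= v <= 255:  # 0x80 arrives sign-extended as FF FF FF 80
            out.append(v & 0xFF)
    return bytes(out)


def outcome_indicators(stream: bytes) -> List[str]:
    """Run every indicator over the raw bytes and over the int-per-char view;
    report '<name>' or '<name> (int-per-char)' for each hit."""
    hits: List[str] = []
    for view, data in (("", stream), (" (int-per-char)", int_per_char(stream))):
        for name, rx in COMPILED:
            if rx.search(data):
                hits.append(name + view)
    return hits


if __name__ == "__main__":
    print("ksh request unpacked:", int_per_char(KSH_REQUEST))
    print("nop request unpacked:", int_per_char(NOP_REQUEST).hex(),
          "contains SPARC NOP:", SPARC_NOP in int_per_char(NOP_REQUEST))
    for label, data in (("ksh", KSH_REQUEST), ("uname", UNAME_RESPONSE), ("passwd", PASSWD_RESPONSE)):
        print(f"{label}: {outcome_indicators(data)}")
```

The responses carry their indicators in the clear and need no decoding; the request side only shows "/bin/ksh" after the integers are collapsed, which is the kind of protocol-specific unpacking a signature on the raw wire bytes never gets. The slide's own caveat still applies: a payload that hashes or encrypts what it sends back defeats all three patterns.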

Page 40

Network Intrusion Response

Log Analysis

• Event Viewer, /var/adm/messages, /var/log/syslog, etc.

• Able to detect abnormal occurrences within the host

• Can detect polymorphic attacks

# more /var/adm/messages
May 25 11:55:09 sa-solaris-02 dmispd: [ID 922709 daemon.error] One instance of this daemon is already running on this machine

Page 41

Host Intrusion Response

Access/Change Analysis

• Changes to any audited file

• Spawning of child processes

• Removal of any audited file

• Replacement of any audited file

• Can detect polymorphic attacks

Page 42

Host Intrusion Response

Port Activity

• Unusual port activity

• RPC – ttdb – active session to outside host

• Could detect polymorphic attacks as they occur

Page 43

Defeating Polymorphic Attacks

Page 44

Assessment and Intrusion Detection (IDS)

[Diagram: 2 x 2 grid, “Proactive” (scheduled) Assessment vs. “Reactive” (24 x 7) IDS, Host-Based vs. Network-Based]

• Network-Based Assessment: Reenact common intrusion or attack scenarios; ID and report network vulnerabilities and suggest corrective actions

• Network-Based IDS: Collect information from the network for real-time monitoring

• Host-Based Assessment: Inspect system configuration files, password files for weak passwords, and other system objects for policy violations

• Host-Based IDS: Monitor audit and log data; active “sensors” on servers and workstations monitor user actions and protect resources, applications, and data

Page 45

Future trends from the past

State of NIDS detection is where Anti-Virus was in the mid 90's

IDS Evasion is now just getting started

Polymorphic Virus Stats (SARC www.sarc.com)

• 1988 - The first virus with variable key encryption (between infections)

• 1990 - Polymorphic viruses found in the United States including V2Px, Virus-90 and Virus-101 viruses

• 1992 – First polymorphic engine that could be plugged into a virus as an add-on

• Today - ~2,000 – 5,000 polymorphic viruses (Not all in the wild)

Page 46

Shameless Promotion

• Kevin Mandia – Foundstone
• Incident Response: Investigating Computer Crime
• www.amazon.com

Page 47

Credits

K2 – www.ktwo.ca

Jeru – www.newhackcity.net/~jeru

Snort – www.snort.org

SARC – www.sarc.com

Symantec – www.symantec.com

Page 48

That's all folks

QUESTIONS????