automatic discovery of parasitic malware
DESCRIPTION
Automatic Discovery of Parasitic Malware. Abhinav Srivastava and Jonathon Giffin (RAID,2010) School of Computer Science, Georgia Institute of Technology, USA. Outline. Introduction Parasitic Malware Architecture Implementation Details Evaluation Conclusions. Introduction. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Automatic Discovery of Parasitic Malware](https://reader036.vdocuments.mx/reader036/viewer/2022062501/56816468550346895dd6546f/html5/thumbnails/1.jpg)
1
Abhinav Srivastava and Jonathon Giffin (RAID,2010)School of Computer Science, Georgia Institute of Technology, USA
AUTOMATIC DISCOVERY OF PARASITIC MALWARE
![Page 2: Automatic Discovery of Parasitic Malware](https://reader036.vdocuments.mx/reader036/viewer/2022062501/56816468550346895dd6546f/html5/thumbnails/2.jpg)
2 OUTLINE
Introduction
Parasitic Malware
Architecture
Implementation Details
Evaluation
Conclusions
![Page 3: Automatic Discovery of Parasitic Malware](https://reader036.vdocuments.mx/reader036/viewer/2022062501/56816468550346895dd6546f/html5/thumbnails/3.jpg)
3
Parasitic behaviors help malware execute behaviors—such as spam generation, denial-of-service attacks, and propagation—without themselves raising suspicion
INTRODUCTION
App Malware
DLL
![Page 4: Automatic Discovery of Parasitic Malware](https://reader036.vdocuments.mx/reader036/viewer/2022062501/56816468550346895dd6546f/html5/thumbnails/4.jpg)
4
Network can pinpoint infected machines but not processes
Host can observe parasitic behaviors but cannot distinguish between benign and malicious behaviors–For example: Debugger, Google toolbar
Neither approach is perfectCombine network and host information
INTRODUCTION
![Page 5: Automatic Discovery of Parasitic Malware](https://reader036.vdocuments.mx/reader036/viewer/2022062501/56816468550346895dd6546f/html5/thumbnails/5.jpg)
5
Attackers are able to install malicious software on a victim computer system at both the user and kernel levels
Distinguish between trusted and untrusted drivers and isolate untrusted drivers in a separate address space
Assume that the malware will at some point send or receive network traffic that network-level intrusion detection systems (network sensors) are able to classify as malicious or suspicious
PARASITIC MALWARE-THREAT MODEL
![Page 6: Automatic Discovery of Parasitic Malware](https://reader036.vdocuments.mx/reader036/viewer/2022062501/56816468550346895dd6546f/html5/thumbnails/6.jpg)
6
Parasitic malware alters the execution behavior of existing benign processes as a way to evade detection.
These malware often abuse both Windows user and kernel API functions to induce parasitic behaviors
PARASITIC MALWARE-MALWARE BEHAVIORS
![Page 7: Automatic Discovery of Parasitic Malware](https://reader036.vdocuments.mx/reader036/viewer/2022062501/56816468550346895dd6546f/html5/thumbnails/7.jpg)
7
Number Source Target DescriptionCase 1A Process Process DLL and thread injection
PARASITIC MALWARE-MALWARE BEHAVIORS
Dynamically-linked library (DLL) injection allows one process to inject entire DLLs into the address space of a second process
OpenProcess()CreateProcess()
Target ProcessProcess Handle
VirtualAllocEx()
WriteProcessMemory()
Abc.dllCreateRemoteThread()
LoadLibrary()
![Page 8: Automatic Discovery of Parasitic Malware](https://reader036.vdocuments.mx/reader036/viewer/2022062501/56816468550346895dd6546f/html5/thumbnails/8.jpg)
8
Number Source Target DescriptionCase 1B Process Process Raw code and thread injection
PARASITIC MALWARE-MALWARE BEHAVIORS
A raw code injection attack is similar to a DLL injection in that user-space malware creates a remote thread of execution, but it does not require a malicious DLL to be stored on the victim’s computer system
![Page 9: Automatic Discovery of Parasitic Malware](https://reader036.vdocuments.mx/reader036/viewer/2022062501/56816468550346895dd6546f/html5/thumbnails/9.jpg)
9
Number Source Target DescriptionCase 2A Kernel driver Process DLL and thread alteration
PARASITIC MALWARE-MALWARE BEHAVIORS
Asynchronous Procedure Calls (APCs)A method of executing code asynchronously in the context of a particular thread and, therefore, within the address space of a particular process
Malicious drivers identify a process → allocate memory inside it → copy the malicious DLL to memory → create and initialize a new APC → execute the inserted code
![Page 10: Automatic Discovery of Parasitic Malware](https://reader036.vdocuments.mx/reader036/viewer/2022062501/56816468550346895dd6546f/html5/thumbnails/10.jpg)
10
Number Source Target DescriptionCase 2B Kernel driver Process Raw code and thread alteration
PARASITIC MALWARE-MALWARE BEHAVIORS
Malicious kernel drivers inject raw code into a benign process and execute it using the APC
![Page 11: Automatic Discovery of Parasitic Malware](https://reader036.vdocuments.mx/reader036/viewer/2022062501/56816468550346895dd6546f/html5/thumbnails/11.jpg)
11
Number Source Target DescriptionCase 2C Kernel driver Process Kernel thread injection
PARASITIC MALWARE-MALWARE BEHAVIORS
Kernel thread injection is the method by which malicious drivers execute malicious functionality entirely inside the kernel
A kernel thread executing malicious functionality is owned by a user-level process, though the user-level process had not requested its creation
By default, these threads are owned by the System process, however a driver may also choose to execute its kernel thread on behalf of any running process
![Page 12: Automatic Discovery of Parasitic Malware](https://reader036.vdocuments.mx/reader036/viewer/2022062501/56816468550346895dd6546f/html5/thumbnails/12.jpg)
12ARCHITECTURE – DESIGN GOAL
Pyrenee
Accurate
Automatic, Runtime Detection
Resist Direct and Indirect Attacks
![Page 13: Automatic Discovery of Parasitic Malware](https://reader036.vdocuments.mx/reader036/viewer/2022062501/56816468550346895dd6546f/html5/thumbnails/13.jpg)
13 ARCHITECTUREDetect Malicious Traffic
Records end-point process(App)
True origin - Malware
Records parasitic behaviors
Malware
![Page 14: Automatic Discovery of Parasitic Malware](https://reader036.vdocuments.mx/reader036/viewer/2022062501/56816468550346895dd6546f/html5/thumbnails/14.jpg)
14 ARCHITECTURE-NIDS
Use off-the-shelf sensor identifies inbound or outbound network traffic of suspicion
Network Intrusion Detection System like BotHunter, Snort or Bro.
![Page 15: Automatic Discovery of Parasitic Malware](https://reader036.vdocuments.mx/reader036/viewer/2022062501/56816468550346895dd6546f/html5/thumbnails/15.jpg)
15ARCHITECTURE-NETWORK ATTRIBUTION SENSOR
Given a network sensor (NIDS) alert for some suspicious traffic flow, the network attribution sensor is responsible for determining which process is the local endpoint of that flow in the untrusted VM
Two subcomponents: - one in the VM’s kernel space and one in user space
![Page 16: Automatic Discovery of Parasitic Malware](https://reader036.vdocuments.mx/reader036/viewer/2022062501/56816468550346895dd6546f/html5/thumbnails/16.jpg)
16ARCHITECTURE-HOST ATTRIBUTION SENSOR
User-level Parasitism
Monitors the runtime behavior of all processes executing within the victim VM by intercepting their system calls <Native API>
Intercepts all system calls, but it processes only those that may be used by a DLL or thread injection attackEX: NtOpenProcess, NtCreateProcess,etc.
![Page 17: Automatic Discovery of Parasitic Malware](https://reader036.vdocuments.mx/reader036/viewer/2022062501/56816468550346895dd6546f/html5/thumbnails/17.jpg)
17ARCHITECTURE-HOST ATTRIBUTION SENSOR
![Page 18: Automatic Discovery of Parasitic Malware](https://reader036.vdocuments.mx/reader036/viewer/2022062501/56816468550346895dd6546f/html5/thumbnails/18.jpg)
18ARCHITECTURE-HOST ATTRIBUTION SENSOR
Kernel-level Parasitic
Isolating in a separate address space and monitoring kernel APIs invoked by untrusted drivers through this new interface
![Page 19: Automatic Discovery of Parasitic Malware](https://reader036.vdocuments.mx/reader036/viewer/2022062501/56816468550346895dd6546f/html5/thumbnails/19.jpg)
19ARCHITECTURE-CORRELATION ENGINE
Finds actual malicious code on the system
Gathers data from all sensors- NIDS,NAS,HAS
Uses NIDS provides network alert information
Uses NAS to find the process
Uses HAS to find parasitic behavior
![Page 20: Automatic Discovery of Parasitic Malware](https://reader036.vdocuments.mx/reader036/viewer/2022062501/56816468550346895dd6546f/html5/thumbnails/20.jpg)
20IMPLEMENTATION DETAILS
Victim host – Windows XP SP2 in VM
Hypervisor – Xen 3.2
Pyrenee run on high privilege VM – Fedora Core 9
![Page 21: Automatic Discovery of Parasitic Malware](https://reader036.vdocuments.mx/reader036/viewer/2022062501/56816468550346895dd6546f/html5/thumbnails/21.jpg)
21IMPLEMENTATION DETAILS
Fast Network Flow Discovery
Deployed the sensor’s packet filter inside the trusted VM’s kernel-space as a Linux kernel module
Set up untrusted VMs to use a virtual network interface bridged to the trusted VM
Inserted a hook into a bridge-based packet filtering framework called ebtables to view packets crossing the bridge
![Page 22: Automatic Discovery of Parasitic Malware](https://reader036.vdocuments.mx/reader036/viewer/2022062501/56816468550346895dd6546f/html5/thumbnails/22.jpg)
22IMPLEMENTATION DETAILS
Introspection
Windows does not store network port and process name information in a single structure
Input : IP and port
![Page 23: Automatic Discovery of Parasitic Malware](https://reader036.vdocuments.mx/reader036/viewer/2022062501/56816468550346895dd6546f/html5/thumbnails/23.jpg)
23IMPLEMENTATION DETAILS
Introspection - EPROCESS
![Page 24: Automatic Discovery of Parasitic Malware](https://reader036.vdocuments.mx/reader036/viewer/2022062501/56816468550346895dd6546f/html5/thumbnails/24.jpg)
24
System Call Interpositioning and Parameter Extraction
Host attribution sensor requires information about system calls used as part of DLL or thread injection
Windows XP uses the fast x86 system-call instruction SYSENTER ( Transfers control to a system-call dispatch routine at an address specified in the IA32_SYSENTER _EIP register)
IMPLEMENTATION DETAILS
IA32_SYSENTER _EIPAddress not allocate to the guest OS
Fault
Hypervisor gain control
Records the system call number (in eax register)
Locate system-call parameters stored on the kernel stack (used edx register)
Extracts IN parameters
Get currently-executing process’ ID and thread ID (use FS segment selector → TIB)
Return
![Page 25: Automatic Discovery of Parasitic Malware](https://reader036.vdocuments.mx/reader036/viewer/2022062501/56816468550346895dd6546f/html5/thumbnails/25.jpg)
Two-step procedure to extract values of OUT parameters at system call return
Step 1 : Record the value present in an OUT parameter at the beginning of the system call
Step 2 : A thread returning to user mode at the completion of a system call will fault due to our manipulation.
IMPLEMENTATION DETAILS
![Page 26: Automatic Discovery of Parasitic Malware](https://reader036.vdocuments.mx/reader036/viewer/2022062501/56816468550346895dd6546f/html5/thumbnails/26.jpg)
26IMPLEMENTATION DETAILS
Address Space Construction and Switching
Map untrusted driver code pages into the UPT and trusted kernel and driver code into the TPT
Pyrenee switches between the two address spaces depending upon the execution context
![Page 27: Automatic Discovery of Parasitic Malware](https://reader036.vdocuments.mx/reader036/viewer/2022062501/56816468550346895dd6546f/html5/thumbnails/27.jpg)
27IMPLEMENTATION DETAILS
Untrusted driver
Kernel API
Execution Fault
(non-executable kernel code in the UPT)
Pyrenee in hypervisor
Check the entry point into TPT is vaild or not
VaildSwitches the address space by storing the value of TPT_CR3
InvaildRecords this behavior as an attack and raises an alarm
![Page 28: Automatic Discovery of Parasitic Malware](https://reader036.vdocuments.mx/reader036/viewer/2022062501/56816468550346895dd6546f/html5/thumbnails/28.jpg)
28IMPLEMENTATION DETAILS
Interception of Driver Loading
Pyrenee intercepts all driver loading mechanisms
Rewrites the kernel’s binary code on driver loading paths automatically at runtime
![Page 29: Automatic Discovery of Parasitic Malware](https://reader036.vdocuments.mx/reader036/viewer/2022062501/56816468550346895dd6546f/html5/thumbnails/29.jpg)
29 EVALUATION
Malware Parasitic Behavior Attribution
Conficker worm Process to process Correct
Adclicker.BA trojan Process to process Correct
Storm worm Kernel to Process Correct
![Page 30: Automatic Discovery of Parasitic Malware](https://reader036.vdocuments.mx/reader036/viewer/2022062501/56816468550346895dd6546f/html5/thumbnails/30.jpg)
30 EVALUATION
Tested prototype on an Intel Core 2 Quad 2.66 GHz system.
Assigned 1 GB of memory to the untrusted Windows XP SP2 VM and 3 GB combined to the Xen hypervisor and the high privilege Fedora Core 9 VM
PassMark Performance Test – CPU and memory experiment
IBM Page Detailer and wget - measured networking overheads
![Page 31: Automatic Discovery of Parasitic Malware](https://reader036.vdocuments.mx/reader036/viewer/2022062501/56816468550346895dd6546f/html5/thumbnails/31.jpg)
31 EVALUATION
![Page 32: Automatic Discovery of Parasitic Malware](https://reader036.vdocuments.mx/reader036/viewer/2022062501/56816468550346895dd6546f/html5/thumbnails/32.jpg)
32 EVALUATION
![Page 33: Automatic Discovery of Parasitic Malware](https://reader036.vdocuments.mx/reader036/viewer/2022062501/56816468550346895dd6546f/html5/thumbnails/33.jpg)
33 CONCLUSIONS
Develop a well-reasoned malware detection architecture that finds unknown malware based on its undesirable network use
Works for both the user- and kernel-level malware
Satisfies protection and performance goals