Temporal Search: Detecting Hidden Malware Timebombs with Virtual Machines

Jedidiah R. Crandall

Related paper accepted to ASPLOS-XII (pending shepherd approval)

Joint work with Gary Wassermann, Daniela A. S. de Oliveira, Zhendong Su, S. Felix Wu, and Frederic T. Chong

University of California, Davis and University of California, Santa Barbara


Conclusions

  • Automated, behavior-based analysis not only faster, but potentially more accurate

  • Malware time-dependent behavior does not follow a linear timetable

  • Automated temporal search is possible but more work is needed


Automated, Behavior-Based Analysis

Faster and potentially more accurate

(Diagram: traditional malware analysis techniques placed on two axes, Automation and Environment, with the labels Appearance-based and Behavior-based.)

Why Behavior-Based Analysis? (1)

“An ant, viewed as a behaving system, is quite simple. The apparent complexity of its behavior over time is largely a reflection of the complexity of the environment in which it finds itself.” –Herbert Simon


Why Behavior-Based Analysis? (2)

  • Malware obfuscation

    • Packing, polymorphism, metamorphism, cryptovirology

  • Malware speed

  • Drawback: Blackbox (complexity you put into it = complexity you get out)


Other Behavior-Based Work

  • “Siren: Detecting Evasive Malware”, Borders et al. Oakland 2006

  • “Behavior-based Spyware Detection”, Kirda et al. USENIX Security 2006

  • Probably many I’m missing and many more to come…


Automated Temporal Search

  • Speedy analysis makes averting an attack possible (example: Sober.X)

  • Complexity of the environment

  • Kernel rootkits

  • Drawback: Automated techniques can be detected, averted, misled


Botnets

  • Malware obfuscation

    • Cryptocounters

  • Malware speed

    • Attack payload may be loaded minutes before it is executed

  • Difficulty of Analysis

    • Quirks in Gregorian calendar, file creation time dependency, time zones, various synchronization protocols, etc.


Outline

  • Time Tutorial

  • Finding Timers

  • Formalizing Temporal Search

  • Lessons from Code Red, Kama Sutra, Sober.X, MyParty


Time Hardware

  • PIT running at 1.193182 MHz

    • RAM refresh

    • PC speaker tone

    • Programmable interrupt

  • Others: CMOS real time clock, local APIC timers, ACPI timers, the Pentium CPU’s Time Stamp Counter, or the High Precision Event Timer


OS Timekeeping

  • Linux kernel 2.4, PIT @ 100 Hz

    • Seconds since 1970

  • Linux kernel 2.6, PIT @ 1000 Hz

    • Ditto

  • Windows, PIT @ 64 Hz to 1000 Hz

    • 100 ns intervals ("hectonanoseconds") since 1601

  • The only epoch that matters is the one read from the CMOS clock at boot (or from NTP, the TIME protocol, …); after that the OS just counts ticks

  • Shouldn’t make assumptions about the integrity of the OS kernel


Past Work

  • “On Deriving Unknown Vulnerabilities…” Crandall et al. CCS 2005

  • Full-system symbolic execution on every machine instruction


Finding Timers: Basic Idea

  • Run with PIT at different rates of perceived time

    • Correlation between PIT interrupts and updates of a physical memory location

  • Symbolic execution to discover a series

  • Predicate inversion to discover dependent timers or behaviors


Symbolic Execution (1)

  • Linux “jiffies”:

  • Linux “xtime.tv_usec”:


Symbolic Execution (2)

  • Not a timer (“xtime_lock”):


Predicate Inversion (1)

  • Predicate on “xtime.tv_usec”:


Predicate Inversion (2)

  • Discovering “xtime.tv_sec”:


Weakest Precondition


Subversion

  • Detect VM

  • Don’t use Presburger arithmetic

  • Use homegrown version of NTP

  • Create a lot of noise


VM-based Analysis

  • Working:

    • Code Red

    • MyParty.A

  • Not fully working (yet):

    • Sober.X

    • Kama Sutra

  • Our analysis could be wrong (we still need to clarify/independently confirm some of this)


Setup

  • Windows XP guest @ 192.168.33.2, running in the Bochs emulator w/ DACODA

  • Host @ 192.168.33.1 w/ DNS, NTP, HTTP, TIME, etc., connected to the guest over a tuntap interface

  • ARP cache poisoning, DNS spoofing, etc. using scapy


Code Red (eEye analysis)

  • “Each worm thread checks the infected computer's system time.”

    • “If the date is past the 20th of the month (GMT), the thread will stop searching for systems to infect and will instead attack www.whitehouse.gov.” …

    • “If the date is between the 1st and the 19th of the month, this worm thread will not attack www.whitehouse.gov and will continue to try to find and infect new web servers.”


Code Red (CAIDA analysis)

  • “The worm is programmed to stop infecting other machines on the 20th of every month. In its next attack phase, the worm launches a Denial-of-Service attack against www1.whitehouse.gov from the 20th-28th of each month.”

  • Only re-infection can turn a spreading host into a DoS host.
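
The Code Red date predicate quoted on the two slides above, as an added worked example for this page (not eEye's, CAIDA's or the authors' code). Code Red ran on Windows hosts, so the guest time is modelled as a FILETIME; the predicate is eEye's two-way split on the day of the month, inverted to give the instant at which the mode flips, which is where temporal search would set the guest clock. The last function contrasts two readings of when the check happens: on every pass (a linear timetable) or once at thread start (the reading behind the re-infection remark above). The infection time and hourly step are constructed.

```python
# Added example for this page (not eEye's, CAIDA's or the authors' code).
# Models the quoted Code Red date predicate for a Windows host, whose system
# time is a FILETIME (100 ns intervals since 1601-01-01 UTC), inverts it to find
# the next trigger instant, and contrasts the two readings of when the check
# happens. The infection time used below is constructed.
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HNS_PER_SEC = 10_000_000            # 100 ns intervals per second


def datetime_to_filetime(dt):
    """Aware UTC datetime -> FILETIME, in integer arithmetic so large values stay exact."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * HNS_PER_SEC + delta.microseconds * 10


def filetime(year, month, day, hour=0, minute=0):
    """Convenience: a UTC calendar instant as a FILETIME."""
    return datetime_to_filetime(datetime(year, month, day, hour, minute, tzinfo=timezone.utc))


def filetime_to_datetime(ft):
    """FILETIME -> aware UTC datetime (sub-microsecond part dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def code_red_mode(ft):
    """The eEye predicate quoted above: day of month in GMT selects the thread's mode.
    CAIDA bounds the DoS to the 20th-28th; the page gives no rule for the 29th-31st,
    so only eEye's two-way split is modelled here."""
    return "attack" if filetime_to_datetime(ft).day >= 20 else "spread"


def next_mode_change(ft):
    """Predicate inversion: earliest FILETIME after ft at which code_red_mode flips.
    Temporal search sets the guest clock here rather than waiting for the date."""
    dt = filetime_to_datetime(ft)
    midnight = dt.replace(hour=0, minute=0, second=0, microsecond=0)
    if dt.day >= 20:   # attacking now: flips back to spreading on the 1st of next month
        flip = (midnight.replace(day=1) + timedelta(days=32)).replace(day=1)
    else:              # spreading now: flips to attacking at 00:00 GMT on the 20th
        flip = midnight.replace(day=20)
    return datetime_to_filetime(flip)


def simulate_thread(infect_ft, recheck_each_pass, hours):
    """Hour-by-hour mode of one worm thread after infection at infect_ft.

    recheck_each_pass=True:  the date is re-read on every pass, so the mode follows
                             a linear timetable and flips on the 20th by itself.
    recheck_each_pass=False: the date is read once when the thread starts, so the
                             mode is fixed and only re-infection can change it.
    """
    mode = code_red_mode(infect_ft)
    modes = []
    for h in range(hours):
        ft = infect_ft + h * 3600 * HNS_PER_SEC
        if recheck_each_pass:
            mode = code_red_mode(ft)
        modes.append(mode)
    return modes


if __name__ == "__main__":
    infect = filetime(2001, 7, 19, 12)          # constructed infection time
    print("mode at infection:", code_red_mode(infect))
    print("next flip:", filetime_to_datetime(next_mode_change(infect)))
    print("linear timetable:", simulate_thread(infect, True, 24)[10:14])
    print("check once:      ", simulate_thread(infect, False, 24)[10:14])
```

Under the check-once reading a host infected on the 19th keeps spreading straight through the 20th, which is why a search that only advances the clock of an already-running sample can miss the attack mode; the infection time is part of the search space.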


A Thought

  • We need formal ways to specify malware behaviors for dissemination


Kama Sutra

  • “…programmed to overwrite files on Friday February 3, and the third day of every month thereafter.” (www.theregister.co.uk)

  • “But computer security groups … said few users lost data because of the bug. Experts speculated that the publicity prior to [the] trigger date may have prompted people to clean up machines and prepare defences [sic].” (BBC news)


Sober.X

  • Symantec Security Response: “Checks the network connection of the compromised computer, and the current date, by connecting to one of the following NTP servers on TCP port 37”

    • Lists 40 servers
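
TCP port 37 is the RFC 868 TIME protocol, not NTP: the server writes a 32-bit big-endian count of seconds since 1900-01-01 UTC and closes. A sample that fetches its date this way (the "homegrown version of NTP" of the Subversion slide) ignores the guest clock, so in the Setup above the perceived date comes from the TIME service on the host, with DNS spoofing pointing the sample's server names at it. The following responder is an added example for this page, not the authors' harness; the bound port (0 = ephemeral, 37 on the real host) and the spoofed dates are constructed.

```python
# Added example for this page (not the authors' analysis harness). A minimal
# RFC 868 TIME-protocol responder for the sandbox host: it sends a 32-bit
# big-endian count of seconds since 1900-01-01 UTC and closes, so the date a
# sample such as Sober.X computes is whatever the analyst chooses. The port
# (0 = ephemeral) and the spoofed dates used below are constructed.
import calendar
import socket
import struct
import threading

RFC868_OFFSET = 2_208_988_800          # seconds from 1900-01-01 to 1970-01-01 UTC


def spoof_timestamp(year, month, day, hour=0, minute=0, second=0):
    """UTC calendar instant -> Unix seconds, the clock value the sandbox will present."""
    return calendar.timegm((year, month, day, hour, minute, second))


def encode_time(unix_seconds):
    """Unix seconds -> the 4-byte RFC 868 reply (seconds since 1900, big-endian)."""
    secs = unix_seconds + RFC868_OFFSET
    if not 0 <= secs < 2 ** 32:
        raise ValueError("not representable in RFC 868 (32-bit field wraps in 2036)")
    return struct.pack("!I", secs)


def decode_time(payload):
    """4-byte RFC 868 reply -> Unix seconds, as the sample computes it."""
    (secs,) = struct.unpack("!I", payload)
    return secs - RFC868_OFFSET


def serve_time(unix_seconds, host="127.0.0.1", port=0, max_clients=1):
    """Start a background RFC 868 responder that answers max_clients connections
    with the spoofed time. Returns the bound port; on the sandbox host this is
    port 37, with DNS spoofing directing the sample's server names at the host."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen()
    reply = encode_time(unix_seconds)

    def loop():
        for _ in range(max_clients):
            conn, _ = srv.accept()
            with conn:
                conn.sendall(reply)      # RFC 868: send the time, then close
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def query_time(host, port, timeout=2.0):
    """Client side, as the sample sees it: connect, read exactly 4 bytes, decode."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = b""
        while len(data) < 4:
            chunk = s.recv(4 - len(data))
            if not chunk:
                raise ConnectionError("short RFC 868 reply")
            data += chunk
    return decode_time(data)


if __name__ == "__main__":
    spoofed = spoof_timestamp(2006, 1, 20)          # constructed date to present
    port = serve_time(spoofed)
    print("sample would see", query_time("127.0.0.1", port), "=", spoofed)
```

Because the sample picks one of forty server names, every one of them has to resolve to the host (the DNS spoofing in the Setup), and the responder must answer every connection with the same chosen date, or successive runs of the search disagree about what time the sample saw.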


MyParty

  • McAfee.com: “This virus only attempts to massmail itself on January 25, 26, 27, 28 or 29, 2002.”

  • Symantec Security Response: “This worm is capable of spreading itself only between January 25, 2002, and January 29, 2002”

  • Our analysis: equality check with file creation time

  • ????????


A Thought

  • Could we use weaknesses in a botnet’s time-dependent behavior to take it down (i.e. Sober.X, Code Red, Kama Sutra)?

  • Or any sort of behavior, for that matter.



Future (or ongoing) work

  • Full-system deterministic replay

    • (ReVirt only works for UMLinux)

  • Replay-based entropy control

    • Malware’s use of entropy

    • Alternative to taint marking (challenges of tainting spelled out in Fenton’s 1973 Ph.D. thesis)

