Automatic Discovery of Parasitic Malware
Abhinav Srivastava and Jonathon Giffin
School of Computer Science, Georgia Institute of Technology
Attack and Remediation
(Diagram: machines A, B and C on a network; Malware and App processes shown on the infected machines B and C.)
• Infected machine -- B
• Infected machine -- C
• Reimage the infected machines
• Our Goals
  • Precise attribution of malicious activity
    • Processes (machine B and C)
  • Identify true origin of malicious activity
    • Parasitic behaviors (machine C)
Parasitic Behaviors
(Diagram: machine C with App and DLL in user space; Malware shown first in user space, then in kernel space.)
Challenges
• Network can pinpoint infected machines but not processes
• Host can observe parasitic behaviors but cannot distinguish between benign and malicious behaviors
  • For example: Debugger, Google toolbar
• Neither approach is perfect
Combine network and host information
Pyrenee
• Goal: Identify parasitic malware
• Correlates network and host information
• Uses lightweight sensors
• Tamper-resistant
Pyrenee Architecture
(Diagram: Xen running a trusted VM (Fedora) and an untrusted VM (Windows XP), each with user and kernel levels; components shown: network sensor (NIDS), firewall, network attribution sensor (user- and kernel-level parts), host attribution sensor, VMI, correlation engine.)
• Network sensor (NIDS): detects malicious traffic
• Network attribution sensor: records the end-point process (App)
• Host attribution sensor: records parasitic behaviors
• Correlation engine: true origin: Malware
Threat Model
• Both user- and kernel-level attacks are possible
• Our assumptions
  • Hypervisor and trusted VM are secure
  • Kernel data structures are at known places
  • Presence of driver verifier service
Network Attribution Sensor (NAS)
• Kernel-level component
  • Identifies separate connections
• User-level component
  • For each connection, determines the local end-point in the untrusted VM
Network Object Traversal
(Diagram of the traversal; input: port and IP; output: process name.)
• Drivers: iterate the MODULE_ENTRY linked list to find tcpip.sys and its TCBTable pointer
• Connections: iterate the TCB linked list; each entry holds source IP, source port, destination IP, destination port and process ID; match the input port and IP
• Processes: iterate the EPROCESS linked list (process ID, name); match the PID to obtain the process name
Host Attribution Sensor (HAS)
• NAS points to the local process end point
• HAS identifies the true origin of malicious activities
• HAS operates from the hypervisor
• Divided into two components
  • User-level parasitism detector
  • Kernel-level parasitism detector
User-level Parasitic Behaviors
(Diagram: machine C; in user space, Malware calls Windows APIs exported by the Windows DLLs to act on App and its DLL; the kernel sits below.)

User-level Parasitism Model
• handle = OpenProcess() or handle = CreateProcess()
• AllocateMemory(handle)
• WriteMemory(handle)
• CreateRemoteThread(handle)
Code Injection
Kernel-level Parasitic Behaviors
(Diagram: machine C with App and DLL in user space; Malware in the kernel calls kernel APIs alongside the kernel code.)

Kernel-level Parasitism Model
• ZwOpenProcess()
• KeAttachProcess()
• ZwAllocateMemory()
• KeInitializeApc()
• KeInsertQueueApc()
Code Injection

Kernel-level Parasitic Behaviors
(Diagram: kernel code + trusted drivers on one side, Malware on the other; a page fault traps to Xen, which switches the address space.)
Correlation Engine
• Finds the actual malicious code on the system
• Gathers data from all sensors
  • Uses NAS to find the process
  • Uses HAS to find the parasitic behavior
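Added example (not the authors' code) that ties together the three pieces the slides describe: the NAS lookup from the Network Object Traversal slide, the user-level parasitism model as an ordered API sequence, and the correlation engine that follows recorded injections back to the true origin. All tables, PIDs, process names and events are constructed; a real HAS would record them from the hypervisor.

```python
from collections import defaultdict
# NAS view (constructed): TCB-table rows (local end-point -> PID) and the EPROCESS list.
TCB_TABLE = [
    {"ip": "10.0.0.5", "port": 1043, "pid": 1280},
    {"ip": "10.0.0.5", "port": 1051, "pid": 1312},
]
EPROCESS = {4: "System", 1280: "iexplore.exe", 1312: "putty.exe", 1400: "dropper.exe"}
# User-level parasitism model from the slides, as an ordered API sequence.
INJECTION_MODEL = ("OpenProcess", "AllocateMemory", "WriteMemory", "CreateRemoteThread")
# HAS trace (constructed): (caller PID, API, target PID) events recorded from the hypervisor.
HAS_TRACE = [
    (1400, "OpenProcess", 1280),
    (1400, "AllocateMemory", 1280),
    (1312, "OpenProcess", 1280),        # partial sequence, e.g. a debugger attaching
    (1400, "WriteMemory", 1280),
    (1400, "CreateRemoteThread", 1280),
]

def nas_lookup(ip, port):
    """NAS: find the local end-point in the TCB table, then resolve its PID via EPROCESS."""
    for row in TCB_TABLE:
        if row["ip"] == ip and row["port"] == port:
            return row["pid"], EPROCESS.get(row["pid"], "<unknown>")
    return None

def has_injections(trace):
    """HAS: match each (caller, target) pair's API stream against INJECTION_MODEL.
    Only a sequence completed in order counts; returns {target PID: injector PID}."""
    progress, injections = defaultdict(int), {}
    for caller, api, target in trace:
        key = (caller, target)
        step = "OpenProcess" if api == "CreateProcess" else api   # either call opens the model
        if progress[key] < len(INJECTION_MODEL) and step == INJECTION_MODEL[progress[key]]:
            progress[key] += 1
            if progress[key] == len(INJECTION_MODEL):
                injections[target] = caller
    return injections

def correlate(ip, port, trace=HAS_TRACE):
    """Correlation engine: end-point process from NAS, true origin by following HAS injections."""
    hit = nas_lookup(ip, port)
    if hit is None:
        return None
    pid, injections, seen = hit[0], has_injections(trace), set()
    while pid in injections and pid not in seen:     # follow the chain; guard against cycles
        seen.add(pid)
        pid = injections[pid]
    return {"end_point": hit, "true_origin": (pid, EPROCESS.get(pid, "<unknown>"))}
```

The partial OpenProcess by PID 1312 never completes the model, so it is not attributed as an injection, which is the benign-debugger case the Challenges slide raises.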
Security Evaluation
• Evaluated the effectiveness of the network- and host-attribution sensors
• Tested with applications to correctly correlate network connections to processes
  • Examples: Internet Explorer, PuTTY, WinSCP, and others
• Tested the effectiveness of the host-attribution sensor in identifying the true origin of parasitic behaviors
Performance Evaluation
(Figures: CPU performance test, memory performance test, network performance test.)
Conclusions
Questions …. or send us email:
Abhinav Srivastava: abhinav@cc.gatech.edu
Jonathon Giffin: giffin@cc.gatech.edu