1 / 40

Disk-Level Behavioral Virus Detection

ormand
Download Presentation

Disk-Level Behavioral Virus Detection

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

    1. Disk-Level Behavioral Virus Detection David Evans University of Virginia work with Nathanael Paul, Adrienne Felt, and Sudhanva Gurumurthi http://www.cs.virginia.edu/malware

    2. www.cs.virginia.edu/malware Disk-Level Virus Detection 2 Stereotypical Malwarist, circa 2000

    3. www.cs.virginia.edu/malware Disk-Level Virus Detection 3 “ILoveYou” Worm Code

    4. www.cs.virginia.edu/malware Disk-Level Virus Detection 4 Detecting “ILoveYou” file.contains(“@GRAMMERSoft Group”) Signature Scanning Database of strings that are found in known viruses A/V scanner examines opened files (on-access) or stored files (on-demand) for that string

    5. www.cs.virginia.edu/malware Disk-Level Virus Detection 5 Stereotypical Malwarist, 2007

    6. www.cs.virginia.edu/malware Disk-Level Virus Detection 6 The Organized Malware Industry Multi-million dollar industry Vulnerability black market Zero-day exploits sell for ~$4000 Virus “professionals” Sell viruses, or use them to build botnets and rent spamming/phishing service See Peter Guttman’s talk

    7. www.cs.virginia.edu/malware Disk-Level Virus Detection 7 W32/Efish.A Multi-threaded, stealthy, parasitic Self-encrypted: each infection is encrypted with a new key No static strings to match except decryption code Slow polymorphic: the decryption code is modified with each infection Slow changes make it harder to develop and test signatures

    8. www.cs.virginia.edu/malware Disk-Level Virus Detection 8 De-Polymorphers [Kaspersky’s “Skeleton Detection”] [Christodorescu, Jha, + 2005, 2007] Reverse polymorphic transformations In theory, obfuscation is impossible (for some functions) [Barak+ 2001], so “con-fuscators” must be In practice: Con-fuscation is much harder than obfuscation Con-fuscators are too slow Virus obfuscators don’t need to be general or semantics-preserving

    9. www.cs.virginia.edu/malware Disk-Level Virus Detection 9 Emulators Emulate virus until it decrypts itself In theory, it should be possible to build a perfect emulator In practice, emulators are imperfect: Programs can determine if they are running in an emulator Several viruses exhibit anti-emulation techniques [Stepan06, Ciubotariu06] Performance concerns mean emulator can only run for beginning of execution

    10. www.cs.virginia.edu/malware Disk-Level Virus Detection 10 Circumvention A/V software runs on the host OS Malware can get below host: avoid or tamper with detection SubVirt [Samuel King & Peter Chen, Oakland 2006] BluePill [Joanna Rutkowska, Black Hat 2006]

    11. www.cs.virginia.edu/malware Disk-Level Virus Detection 11 Summary: Traditional Detection is Doomed Reactive: signatures only detect known viruses Static: code is easy to change and hard to analyze Circumventable: malware can get below the detector

    12. www.cs.virginia.edu/malware Disk-Level Virus Detection 12 Our Target: File-Infecting Viruses Spread by infecting executable files Includes complex, stealthy, polymorphic viruses Does not include all malware: Memory-Resident (spread by infecting processes in memory) Network Worms (spread without infecting executable files) Rootkits, spyware, etc. (don’t spread)

    13. www.cs.virginia.edu/malware Disk-Level Virus Detection 13 Ideal Solution Detect viruses: At a level malware can’t compromise Without disrupting non-malicious applications Without (overly) impacting performance Recognize the fundamental behavior of viruses, instead of relying on blacklists of known viruses Recover from infections seamlessly

    14. www.cs.virginia.edu/malware Disk-Level Virus Detection 14 Semi-Obvious Riddle What is: Available on almost every computer Able to see all disk activity And has processing power and memory comparable to ~2000 Apple II’s?

    15. www.cs.virginia.edu/malware Disk-Level Virus Detection 15 Even More Obvious Riddle What behavior do all file-infecting viruses have in common?

    16. www.cs.virginia.edu/malware Disk-Level Virus Detection 16 Disk-Level Behavioral Detection

    17. www.cs.virginia.edu/malware Disk-Level Virus Detection 17 Advantages of Disk-Level Behavioral Detection Difficult to Circumvent Runs below host OS Difficult to Evade Can’t hide disk events from disk: complete mediation Hard to change disk-level behavior Inexpensive Current disks have a (mostly idle) general purpose processor Typical seek request ~ 700,000 cycles

    18. www.cs.virginia.edu/malware Disk-Level Virus Detection 18 Three Major Challenges Semantic gap: need to interpret low-level read/write requests as file events Detectors: need to distinguish malicious disk traffic from non-malicious traffic Deployment: need to convince disk drive makers to deploy

    19. www.cs.virginia.edu/malware Disk-Level Virus Detection 19 The Semantic Gap

    20. www.cs.virginia.edu/malware Disk-Level Virus Detection 20 Bridging the Gap Object-based Storage (OSD) Semantic Disks [Sivathanu+ 2003, Arpaci-Dusseau+ 2006, Sivanthanu+ 2006] Our Solution (for now): Prototype collects traces at OS level Detector sees only what would be visible to a semantically-smart disk In progress: implementing at lower level

    21. www.cs.virginia.edu/malware Disk-Level Virus Detection 21 Developing Detectors

    22. www.cs.virginia.edu/malware Disk-Level Virus Detection 22 Windows PE File

    23. www.cs.virginia.edu/malware Disk-Level Virus Detection 23 Infecting a Windows PE File

    24. www.cs.virginia.edu/malware Disk-Level Virus Detection 24 First Generic Infection Rule

    25. www.cs.virginia.edu/malware Disk-Level Virus Detection 25 Additional Infection Rules

    26. www.cs.virginia.edu/malware Disk-Level Virus Detection 26 Evaluation: Detection Five selected viruses Detnat, Efish, Ganda, Simile, Tuareg Randomly selected 70 samples from http://www.offensivecomputing.net Classified as “virus” by at least one A/V vendor Eliminated those that didn’t run Depended on Windows version, crashed, etc. 28 samples remained Executed viruses, collected disk traces, checked against rules

    27. www.cs.virginia.edu/malware Disk-Level Virus Detection 27

    28. www.cs.virginia.edu/malware Disk-Level Virus Detection 28 Evaluation: Non-Disruption

    29. www.cs.virginia.edu/malware Disk-Level Virus Detection 29 False Positives

    30. www.cs.virginia.edu/malware Disk-Level Virus Detection 30 “Virus-Like” Programs Program Updates Signed updates using public key embedded in original executable Legacy solution: “trusted” button System Restores Restore from disk directly DRM Software, Virus Scanners Only to single-write rule: program installs, compilers

    31. www.cs.virginia.edu/malware Disk-Level Virus Detection 31 Virus Detection Results A simple, generic, behavioral, disk-level rule detects all file-infecting viruses in our sample A generic rule cannot detect malicious pre-infection behavior False positives seem solvable Requires either some reengineering of systems or annoyance to user

    32. www.cs.virginia.edu/malware Disk-Level Virus Detection 32 Virus-Specific Signatures Examine collected traces of virus execution Many generations, file infections Develop a disk-level signature that characterizes all executions Precise enough to avoid false positives Requires mechanisms for updating signatures on disk

    33. www.cs.virginia.edu/malware Disk-Level Virus Detection 33 W32/Parite

    34. www.cs.virginia.edu/malware Disk-Level Virus Detection 34 W32/Sality.L Sample (from vx.netlux.org repository) infected with both Sality and Linkbot.M Signature developed for Sality.L also matched Sality.M, O, and Q (but not K or earlier)

    35. www.cs.virginia.edu/malware Disk-Level Virus Detection 35 Summary: Virus-Specific Signatures Developed signatures for Efish, Ganda, Parite, Sality.L Perfect detection results: no missed executions, no false positives Still blacklisting (but much better than static blacklisting) After experience, ~1 day/signature Working on automating signature generation

    36. www.cs.virginia.edu/malware Disk-Level Virus Detection 36 Recap Virus writing pays Traditional virus detection is doomed Wrong level, too static, too reactive Disk processor can detect viruses: Sees all requests, powerful processor Simple rule can detect all file-infecting viruses with few false positives Specific, precise rules can detect malicious behavior exactly

    37. www.cs.virginia.edu/malware Disk-Level Virus Detection 37 Remaining Problems Bridging the semantic gap Working on a disk-level implementation Security against determined attacker Circumventing our rule is easy! Behavioral-morphing viruses? Resource exhaustion attacks Response and recovery Need secure channel to user Deployment

    38. www.cs.virginia.edu/malware Disk-Level Virus Detection 38 Mixed-Metaphor Mantra

    39. www.cs.virginia.edu/malware Disk-Level Virus Detection 39 Students

    40. www.cs.virginia.edu/malware Disk-Level Virus Detection 40 Thanks: Funding: NSF Cyber Trust Running the disk tracer: Jamie Burnham, Wei Le, Jie Li, Ronny Paul, Shahrukh Tarapore, Chris Taylor, Dan Williams Ideas, insights, comments: Shaun Hutton, Yan Huang, Anh Nguyen-Tuong, Mark Reis, Erik Riedel, Peter Szor, Shahrukh Tarapore, Chris Taylor

More Related