SECURITY OF THE SECURITY TOOLS Fu-Hau Hsu National Central University
Background • Plenty of critical personal information is stored in computers. • Many commercial activities are conducted through computers and networks.
Results • Computers become a major battlefield between attackers and computer users.
Solutions • Diverse security tools have been developed to handle this critical work: • anti-virus software • auto-patch mechanisms • firewalls • intrusion detection systems • and so on
New Problem • The complexity of these security tools increases. • The security tools become attack targets. • The security of the security tools also becomes a crucial issue.
Disable Anti-virus Software • Research has shown that diverse approaches have been developed to disable different anti-virus software.
Problems (1) • How can the normal operation of anti-virus software be guaranteed?
Problems (2) • If attackers can disable anti-virus software, is it possible that they can also change the behavior of the anti-virus software through replacing, injecting, or hooking code?
Impacts of Anti-virus Parasites • Given the fact that most, if not all, computers allow only one anti-virus application to be installed on them at one time, an attacker that can control the anti-virus application of a computer can fully command the computer without being detected.
Auto-Patch • How could a computer guarantee that the auto-patch code it executes is not malicious code?
Impacts • If the correctness of auto-patch code cannot be protected, then instead of being a tool to seal the security breaches of a computer, auto-patch may become an efficient channel for attackers to intrude into a computer or spread malicious code.
Purpose • We proposed ANtivirus Software Shield (ANSS) to protect antivirus software from being terminated by malware.
Arms Race between Malware Writers and Antivirus Programmers • The simplest way for a computer user to secure his computer is to install antivirus software on his computer. • 81% of computer users utilize antivirus software to protect their computers, which means over a hundred million computer users use antivirus software in the USA alone. • Attackers attempt to break any defense mechanism by • masquerading • social engineering • hindering antivirus software detection
Malware Self-Defense Techniques (1) • Defeat signature-based virus detection methods by • transforming • encoding • compressing • packing malware code. • Avoid executing when monitored by • debuggers • hypervisors.
Malware Self-Defense Techniques (2) • Meaningless bytes may also be inserted into malware to hinder static malware analysis. • More aggressive and dangerous malware may even directly disrupt the functionality of security solutions, especially antivirus software.
Antivirus Terminator • Malware that terminates the execution of antivirus software without the awareness of the antivirus software users is called an antivirus terminator.
Who Protects Antivirus? • The most effective solution to antivirus terminators is antivirus software itself.
The Problem • Even though antivirus companies claim that they have implemented protection mechanisms to protect their products against antivirus terminators, our experimental results show that the techniques utilized by antivirus terminators could still terminate antivirus software.
Null Debugger Method • An antivirus terminator can use the API DebugActiveProcess to attach itself to an antivirus process as a debugger to control it. • Then, right after invoking DebugActiveProcess, the antivirus terminator exits. • Because the controller of the antivirus process no longer exists, the process will crash immediately.
Dll Unloading Method • An antivirus terminator can use the API ZwUnmapViewOfSection to unload some important dll files, such as ntdll.dll, from an antivirus process to erase some portions of the virtual address space of the antivirus process. • ntdll.dll defines many commonly used Windows native APIs; hence, once the dll file is unloaded from the antivirus process and an API in the dll file is invoked, the process will crash.
Process Termination Method • An antivirus terminator gets the handle of an antivirus process by calling the API OpenProcess with the process ID of the antivirus process. • Then the antivirus terminator can use the APIs NtTerminateProcess or ZwTerminateProcess to terminate the antivirus process at the kernel level.
Close Message Method • An antivirus terminator can use the API FindWindow to search all windows running on the system for the window matching the name of an antivirus software window (e.g. avguard of antivir or kavsvc of kaspersky). • Then the antivirus terminator keeps sending messages, such as WM_CLOSE or WM_QUIT, to the related antivirus process via the APIs SendMessage or PostMessage until the process is terminated.
Mouse Simulator Method • An antivirus terminator can use the API SendInput to counterfeit a series of mouse events which lead to the suspension of an antivirus process. • E.g.: • An antivirus terminator may find the icon of an antivirus process first. • Then it forges a series of mouse events to move the cursor to the lower right corner of the screen, press the right button to expand a work menu, and then choose to suspend an antivirus process. • This approach was designed by us; we have not found an antivirus terminator in the wild utilizing this approach to terminate antivirus software.
Registry Modification Method (1) • An antivirus terminator can modify the registry so that a NULL debugger will be attached to an antivirus process when the antivirus process begins its execution. • The above steps will stop the execution of the antivirus process.
Registry Modification Method (2) • Besides, an antivirus terminator can also modify the registry to delete antivirus-related processes from the startup process list; hence, the system will be booted without the protection of an antivirus process. • The API ZwOpenKey can be used to open a registry key. • The API ZwSetValueKey can be used to modify a registry key value.
Thread Termination Method • An antivirus terminator can use the API TerminateThread to terminate the threads of an antivirus process one by one until the antivirus process stops.
Table I: Methods Utilized by Various Malware to Terminate Antivirus Software
Combine Two or More Terminating Approaches • As Table I shows, attackers may combine two or three techniques to strengthen their malware.
Most Popular Antivirus Software • 5 famous brands of antivirus software were used in our tests. • Avira Antivir Personal • Kaspersky Anti-virus 2012 • Norton Antivirus 2011 • ESET NOD32 Antivirus 4 • AVAST Free Antivirus 6.
Terminator Program • For each of the above methods we wrote a program, called a terminator program, to see whether the approach alone can terminate antivirus software. • None of the 5 antivirus products deems any of the 7 terminator programs malware.
Impact of Terminator Programs • The results show that if a piece of malware bundles itself with one or more of the first 6 terminator programs, it becomes an effective antivirus terminator. • As a result, we believe antivirus terminators will become a severe threat to the many computer systems that are protected only by antivirus software.
Frangible APIs • The Windows native APIs that are executed when the above 7 techniques are used to terminate antivirus software are called frangible APIs. • The native APIs may not be called directly by antivirus terminators, but are called by the APIs the antivirus terminators utilize.
Intercept Windows API Calls • ANSS monitors invocations of frangible APIs. • Frangible API calls with parameters that would stop or suspend antivirus software are blocked by ANSS directly. • ANSS uses SSDT (System Service Descriptor Table) hooking to intercept and examine invocations of frangible APIs.
System Service Dispatch Table • The Windows kernel provides various system services for application programs to use. • Inside the kernel the addresses of these system services are stored in the SSDT, KiServiceTable.
Usage of SSDT • When a program issues a system call to execute a system service, kiSystemService looks up the SSDT to find the address of the corresponding system service. • Then kiSystemService uses the address to invoke the system service.
SSDT Hooking • Through SSDT hooking, ANSS modifies some function addresses stored in the KiServiceTable service descriptor table and replaces them with ANSSAPI handlers. • After an ANSSAPI completes its task, it invokes the original API.
ANSS Structure • ANSS consists of three components: interceptor, filter, and blocker.
Interceptor • When a program is going to invoke a frangible API, the interceptor intercepts the execution flow of the program and transfers the execution flow to the filter before the code of a frangible API is executed. • ANSS utilizes SSDT hooking to accomplish the above task.
Frangible APIs and ANSSAPIs • For each frangible API, there is a corresponding ANSSAPI in the ANSS filter. • In other words, an invocation to a frangible API is transferred to its corresponding ANSSAPI first through SSDT hooking.
Filter • Based on built-in rules, the filter examines the parameters of the API call to detect an intention to abuse the API to terminate or suspend antivirus software. • For a normal API call, the filter transfers the execution flow back to the original frangible API code.
Blocker • An API call with a malicious intention is further passed to the blocker, which returns an error code, ACCESS_DENY, as the output of the API call. • In addition, the blocker prints out an error message to notify users that it has just blocked an attack on the antivirus software.
Filter Rules • The ANSS filter utilizes various rules to prevent frangible APIs from being executed with malicious parameters.
Antivirus Process Handle Rule • The ANSS filter restrains an application from obtaining the process handle of an antivirus program, because once an attacker obtains the handle of an antivirus program, the attacker can terminate the program easily. • To get the process handle of an application program, attackers can use the API OpenProcess, which utilizes the frangible API NtOpenProcess in kernel land to finish its work.
NtTerminateProcess Rule • The filter does not allow an application to use NtTerminateProcess to terminate antivirus software.
DebugActiveProcess Rule • The filter does not allow an application to utilize DebugActiveProcess to attach itself as a debugger of antivirus software. • DebugActiveProcess uses the frangible API NtDebugActiveProcess in the kernel address space to accomplish its task.
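The interceptor/filter/blocker structure and the three filter rules above, as an added user-mode model (constructed example, not ANSS's own code): a small service table stands in for KiServiceTable, its entries are swapped for ANSSAPI handlers, and each handler consults the filter before falling through to the original service. Assumptions: services are modelled as taking a caller PID and a target PID, the protected PIDs and status values are constructed placeholders, and an antivirus process acting on itself is allowed.

```c
#include <stdio.h>
#include <stdbool.h>
/* Constructed user-mode model of ANSS (not the project's code): a service table
 * whose entries are swapped for ANSSAPI handlers that filter frangible-API calls
 * aimed at antivirus processes, then forward to the original service. */
typedef long STATUS;
#define STATUS_SUCCESS 0L
#define ACCESS_DENY   -1L   /* status the blocker returns; value is a placeholder */
enum { SVC_NtOpenProcess, SVC_NtTerminateProcess, SVC_NtDebugActiveProcess, SVC_COUNT };
/* Model simplification: every service takes the caller PID and the target PID
 * (the real NtTerminateProcess takes a handle the filter would resolve first). */
typedef STATUS (*service_fn)(unsigned caller_pid, unsigned target_pid);
static const unsigned protected_pids[] = { 1200, 1340 };   /* constructed AV PIDs */
static bool is_protected(unsigned pid) {
    for (int i = 0; i < (int)(sizeof protected_pids / sizeof *protected_pids); i++)
        if (protected_pids[i] == pid) return true;
    return false;
}
/* Stand-in for the real kernel services, which would do the actual work. */
static STATUS passthrough(unsigned c, unsigned t) { (void)c; (void)t; return STATUS_SUCCESS; }
static service_fn ssdt[SVC_COUNT] = { passthrough, passthrough, passthrough }; /* KiServiceTable stand-in */
static service_fn original[SVC_COUNT];   /* originals saved by the interceptor */
/* Filter: the handle, NtTerminateProcess and DebugActiveProcess rules all block a
 * foreign process acting on an AV process (AV acting on itself is allowed: an assumption). */
static bool filter_blocks(unsigned caller_pid, unsigned target_pid) {
    return is_protected(target_pid) && !is_protected(caller_pid);
}
/* Blocker: deny the call and notify the user. */
static STATUS block(const char *api) {
    fprintf(stderr, "ANSS: blocked %s aimed at antivirus software\n", api);
    return ACCESS_DENY;
}
/* ANSSAPI handlers: run the filter, then fall through to the original API. */
#define ANSSAPI(name, idx, label) \
    static STATUS name(unsigned c, unsigned t) { \
        return filter_blocks(c, t) ? block(label) : original[idx](c, t); }
ANSSAPI(anss_open,  SVC_NtOpenProcess,        "NtOpenProcess")
ANSSAPI(anss_term,  SVC_NtTerminateProcess,   "NtTerminateProcess")
ANSSAPI(anss_debug, SVC_NtDebugActiveProcess, "NtDebugActiveProcess")
/* Interceptor: swap the table entries for ANSSAPI handlers, keeping the originals. */
void anss_install(void) {
    static const service_fn handlers[SVC_COUNT] = { anss_open, anss_term, anss_debug };
    if (original[0]) return;   /* already hooked */
    for (int i = 0; i < SVC_COUNT; i++) { original[i] = ssdt[i]; ssdt[i] = handlers[i]; }
}
/* Dispatch through the (hooked) table, as kiSystemService does with the SSDT. */
STATUS system_service(int svc, unsigned caller_pid, unsigned target_pid) {
    return ssdt[svc](caller_pid, target_pid);
}
```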