Automatic Discovery of Parasitic Malware

1

Abhinav Srivastava and Jonathon Giffin (RAID,2010)School of Computer Science, Georgia Institute of Technology, USA

AUTOMATIC DISCOVERY OF PARASITIC MALWARE

2 OUTLINE

Introduction

Parasitic Malware

Architecture

Implementation Details

Evaluation

Conclusions

3

Parasitic behaviors help malware execute behaviors—such as spam generation, denial-of-service attacks, and propagation—without themselves raising suspicion

INTRODUCTION

App Malware

DLL

4

Network can pinpoint infected machines but not processes

Host can observe parasitic behaviors but cannot distinguish between benign and malicious behaviors–For example: Debugger, Google toolbar

Neither approach is perfectCombine network and host information

INTRODUCTION

5

Attackers are able to install malicious software on a victim computer system at both the user and kernel levels

Distinguish between trusted and untrusted drivers and isolate untrusted drivers in a separate address space

Assume that the malware will at some point send or receive network traffic that network-level intrusion detection systems (network sensors) are able to classify as malicious or suspicious

PARASITIC MALWARE-THREAT MODEL

6

Parasitic malware alters the execution behavior of existing benign processes as a way to evade detection.

These malware often abuse both Windows user and kernel API functions to induce parasitic behaviors

PARASITIC MALWARE-MALWARE BEHAVIORS

7

Number Source Target DescriptionCase 1A Process Process DLL and thread injection


Dynamically-linked library (DLL) injection allows one process to inject entire DLLs into the address space of a second process

OpenProcess()CreateProcess()

Target ProcessProcess Handle

VirtualAllocEx()

WriteProcessMemory()

Abc.dllCreateRemoteThread()

LoadLibrary()

8

Number Source Target DescriptionCase 1B Process Process Raw code and thread injection


A raw code injection attack is similar to a DLL injection in that user-space malware creates a remote thread of execution, but it does not require a malicious DLL to be stored on the victim’s computer system

9

Number Source Target DescriptionCase 2A Kernel driver Process DLL and thread alteration


Asynchronous Procedure Calls (APCs)A method of executing code asynchronously in the context of a particular thread and, therefore, within the address space of a particular process

Malicious drivers identify a process → allocate memory inside it → copy the malicious DLL to memory → create and initialize a new APC → execute the inserted code

http://msdn.microsoft.com/en-us/library/ms681951(VS.85).aspx

10

Number Source Target DescriptionCase 2B Kernel driver Process Raw code and thread alteration


Malicious kernel drivers inject raw code into a benign process and execute it using the APC

11

Number Source Target DescriptionCase 2C Kernel driver Process Kernel thread injection


Kernel thread injection is the method by which malicious drivers execute malicious functionality entirely inside the kernel

A kernel thread executing malicious functionality is owned by a user-level process, though the user-level process had not requested its creation

By default, these threads are owned by the System process, however a driver may also choose to execute its kernel thread on behalf of any running process

12ARCHITECTURE – DESIGN GOAL

Pyrenee

Accurate

Automatic, Runtime Detection

Resist Direct and Indirect Attacks

13 ARCHITECTUREDetect Malicious Traffic

Records end-point process(App)

True origin - Malware

Records parasitic behaviors

Malware

14 ARCHITECTURE-NIDS

Use off-the-shelf sensor identifies inbound or outbound network traffic of suspicion

Network Intrusion Detection System like BotHunter, Snort or Bro.

http://www.cyber-ta.org/releases/botHunter/BotHunter-Usenix07.pdf

http://www.usenix.org/event/lisa99/full_papers/roesch/roesch.pdf

15ARCHITECTURE-NETWORK ATTRIBUTION SENSOR

Given a network sensor (NIDS) alert for some suspicious traffic flow, the network attribution sensor is responsible for determining which process is the local endpoint of that flow in the untrusted VM

Two subcomponents: - one in the VM’s kernel space and one in user space

16ARCHITECTURE-HOST ATTRIBUTION SENSOR

User-level Parasitism

Monitors the runtime behavior of all processes executing within the victim VM by intercepting their system calls <Native API>

Intercepts all system calls, but it processes only those that may be used by a DLL or thread injection attackEX: NtOpenProcess, NtCreateProcess,etc.


Kernel-level Parasitic

Isolating in a separate address space and monitoring kernel APIs invoked by untrusted drivers through this new interface

19ARCHITECTURE-CORRELATION ENGINE

Finds actual malicious code on the system

Gathers data from all sensors- NIDS,NAS,HAS

Uses NIDS provides network alert information

Uses NAS to find the process

Uses HAS to find parasitic behavior

20IMPLEMENTATION DETAILS

Victim host – Windows XP SP2 in VM

Hypervisor – Xen 3.2

Pyrenee run on high privilege VM – Fedora Core 9


Fast Network Flow Discovery

Deployed the sensor’s packet filter inside the trusted VM’s kernel-space as a Linux kernel module

Set up untrusted VMs to use a virtual network interface bridged to the trusted VM

Inserted a hook into a bridge-based packet filtering framework called ebtables to view packets crossing the bridge


Introspection

Windows does not store network port and process name information in a single structure

Input : IP and port


Introspection - EPROCESS

http://www.nirsoft.net/kernel_struct/vista/EPROCESS.html

24

System Call Interpositioning and Parameter Extraction

Host attribution sensor requires information about system calls used as part of DLL or thread injection

Windows XP uses the fast x86 system-call instruction SYSENTER ( Transfers control to a system-call dispatch routine at an address specified in the IA32_SYSENTER _EIP register)

IMPLEMENTATION DETAILS

IA32_SYSENTER _EIPAddress not allocate to the guest OS

Fault

Hypervisor gain control

Records the system call number (in eax register)

Locate system-call parameters stored on the kernel stack (used edx register)

Extracts IN parameters

Get currently-executing process’ ID and thread ID (use FS segment selector → TIB)

Return

Two-step procedure to extract values of OUT parameters at system call return

Step 1 : Record the value present in an OUT parameter at the beginning of the system call

Step 2 : A thread returning to user mode at the completion of a system call will fault due to our manipulation.

IMPLEMENTATION DETAILS


Address Space Construction and Switching

Map untrusted driver code pages into the UPT and trusted kernel and driver code into the TPT

Pyrenee switches between the two address spaces depending upon the execution context


Untrusted driver

Kernel API

Execution Fault

(non-executable kernel code in the UPT)

Pyrenee in hypervisor

Check the entry point into TPT is vaild or not

VaildSwitches the address space by storing the value of TPT_CR3

InvaildRecords this behavior as an attack and raises an alarm


Interception of Driver Loading

Pyrenee intercepts all driver loading mechanisms

Rewrites the kernel’s binary code on driver loading paths automatically at runtime

29 EVALUATION

Malware Parasitic Behavior Attribution

Conficker worm Process to process Correct

Adclicker.BA trojan Process to process Correct

Storm worm Kernel to Process Correct

30 EVALUATION

Tested prototype on an Intel Core 2 Quad 2.66 GHz system.

Assigned 1 GB of memory to the untrusted Windows XP SP2 VM and 3 GB combined to the Xen hypervisor and the high privilege Fedora Core 9 VM

PassMark Performance Test – CPU and memory experiment

IBM Page Detailer and wget - measured networking overheads

31 EVALUATION

32 EVALUATION

33 CONCLUSIONS

Develop a well-reasoned malware detection architecture that finds unknown malware based on its undesirable network use

Works for both the user- and kernel-level malware

Satisfies protection and performance goals

Automatic Discovery of Parasitic Malware

Documents

Transcript of Automatic Discovery of Parasitic Malware