A Fistful of Wonderland. Tom Liston, Senior Security Analyst - InGuardians, Inc., tom@inguardians.com. Clint Eastwood vs. Lewis Carroll in a One-Metaphor-Too-Many Look at the Good, the Bad, and the Ugly of Malware Analysis on Virtual Platforms. Technologies for Critical Incident Preparedness Conference & Exposition 2008.

Page 1

A Fistful of Wonderland

Tom Liston, Senior Security Analyst - InGuardians, Inc.
tom@inguardians.com

Clint Eastwood vs. Lewis Carroll in a One-Metaphor-Too-Many Look at the Good, the Bad, and the Ugly of Malware Analysis on Virtual Platforms

Technologies for Critical Incident Preparedness Conference & Exposition 2008

Page 2

Copyright Intelguardians 2008 2

Who are you and why are you here?

• Tom Liston
– Senior Security Analyst - InGuardians, Inc.
– Handler - SANS Institute's Internet Storm Center (ISC)
– Founding member - ISC Malware Analysis Team
– Co-Author (w/Ed Skoudis) - Counter Hack Reloaded
– Developer - LaBrea, an Open Source network tarpit
– Technical Lead - InGuardians' work on Virtual Machine Detection and Escape
• InGuardians, Inc.
– World class security consulting firm
– Provides penetration testing, architecture review, code auditing, malware analysis, expert witnesses, and pure security research to government, military, and Fortune 100 companies

Page 3


Through the Looking Glass…

• Virtualization is currently IT's "hot product"
– I'm going to assume you all know what virtualization…
• And, why not?
– Virtualization presents several amazing benefits to companies using it
• Cost savings!
• Space savings!
• Infrastructure Redundancy!
• But, you folks in the "infrastructure" world are just starting to catch on…

Page 4


Getting there first… and dragging the rest of you slackers with us.

• Those of us who do malware analysis were some of the first adopters of virtualization
• Why?
– Virtual machines offer huge benefits for those of us who work with malware
– In order to understand those benefits, you need to understand a little about modern malware analysis

Page 5


Modern Malware Analysis In a Nutshell

• Malware analysis isn't about poring over densely packed code listings
– Stare at that stuff too long, and you end up with squinty eyes…
• Modern malware analysis is a combination of:
– Dead-code analysis
– Behavioral analysis
• It is an iterative process
– Behavioral analysis reinforces the code analysis and vice versa

Disassembly listing shown on the slide (IDA-style; the last line is cut off on the slide):

.text:0040127F push 1 ; flOptions
.text:00401281 call ds:HeapCreate
.text:00401287 mov hHeap, eax
.text:0040128C lea eax, [ebp+var_8]
.text:0040128F push eax
.text:00401290 mov [ebp+var_8], 8
.text:00401297 mov [ebp+var_4], 800h
.text:0040129E call ds:InitCommonControlsEx
.text:004012A4 push 28h
.text:004012A6 lea eax, [ebp+hInstance]
.text:004012A9 push edi
.text:004012AA push eax
.text:004012AB call memset
.text:004012B0 add esp, 0Ch
.text:004012B3 mov dword ptr [ebp-48h], offset

Page 6


Behavioral Analysis!?! You RUN these things?

• Yep! All the time…
• And that's where virtualization comes into play…
– With virtual machines we have the ability to revert any changes made to our environment
– Additionally, using virtualization, I can create an entire network consisting of several target machines, all on their own isolated LAN, all within my laptop
• Test "worm-like" spreading behavior
• Test botnet command and control
• Monitor attempts to "phone home"
– We can, in essence, create a whole other world "through the looking glass"
• And, in theory, we can control and monitor EVERYTHING

Page 7


A perfect malware world

• Virtualization allows us to create everything needed to provide the malware with a full simulation of whatever it needs
– We can create VMs for multiple operating systems and even multiple patch levels of a single operating system
– We can attach VMs providing whatever services a piece of malware might want to our "network"
• Webservers
• Mailservers
• IRC Servers
• etc…
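The "IRC server" on that list is worth showing in code, since the botnets of this period used IRC for command and control and the point of the fake service is to see what the bot says once it thinks it has reached its controller. The following is an added example written for this page, not tooling from the slides or from InGuardians: a minimal fake IRC server that a guest on the isolated analysis LAN can be pointed at (by DNS or hosts-file redirection, which is assumed and not shown). It speaks just enough of the protocol for a bot to register, join its channel and start reporting, and it records every line the guest sends. The server name, the channel and the sample bot transcript are constructed for illustration.

```python
"""Fake IRC server for observing bot command-and-control on an isolated LAN.

Added example for this page (not code from the slides or from InGuardians).
It speaks just enough IRC for a bot to register, join its channel and start
reporting, and records every line the guest sends. SERVER_NAME, the channel
and the sample session are constructed for illustration.
"""
import socketserver

SERVER_NAME = "sink.local"   # assumed name the sinkhole announces to the bot


class IrcSession:
    """Per-client protocol state. No I/O here, so the logic can be tested alone."""

    def __init__(self):
        self.nick = None
        self.user = None
        self.registered = False
        self.channels = []
        self.log = []            # every raw line the client sent, in order

    def handle_line(self, line):
        """Consume one client line; return the lines to send back."""
        line = line.rstrip("\r\n")
        if not line:
            return []
        self.log.append(line)
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        out = []
        if cmd == "NICK":
            self.nick = arg.strip().lstrip(":")
        elif cmd == "USER":
            self.user = arg.split(" ")[0]
        elif cmd == "PING":
            out.append(f"PONG {SERVER_NAME} :{arg.lstrip(':')}")
        elif cmd == "JOIN":
            if not self.registered:
                out.append(f":{SERVER_NAME} 451 * :You have not registered")
            else:
                chan = arg.split(" ")[0]          # drop any channel key
                self.channels.append(chan)
                out.append(f":{self.nick}!{self.user}@{SERVER_NAME} JOIN {chan}")
                out.append(f":{SERVER_NAME} 353 {self.nick} = {chan} :{self.nick}")
                out.append(f":{SERVER_NAME} 366 {self.nick} {chan} :End of /NAMES list.")
        elif cmd == "QUIT":
            out.append("ERROR :Closing Link")
        # PRIVMSG, NOTICE, MODE and anything else are logged and left unanswered;
        # a silent channel is usually enough to keep a bot talking.
        if self.nick and self.user and not self.registered:
            self.registered = True
            out.append(f":{SERVER_NAME} 001 {self.nick} :Welcome to the sinkhole")
        return out


class IrcHandler(socketserver.StreamRequestHandler):
    """One thread per bot; prints the transcript so it can be tee'd to a file."""

    def handle(self):
        session = IrcSession()
        peer = self.client_address[0]
        for raw in self.rfile:
            line = raw.decode("utf-8", "replace")
            print(f"[{peer}] <- {line.rstrip()}")
            for reply in session.handle_line(line):
                self.wfile.write((reply + "\r\n").encode())
            if line.upper().startswith("QUIT"):
                break


def serve(host="0.0.0.0", port=6667):
    """Bind on the analysis LAN and block. Point the guest's C2 hostname here."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer((host, port), IrcHandler) as srv:
        srv.serve_forever()


def replay_session(lines):
    """Drive one IrcSession with a client transcript; returns (session, replies)."""
    session = IrcSession()
    replies = []
    for line in lines:
        replies.extend(session.handle_line(line))
    return session, replies


# Constructed transcript of what an IRC bot of the era typically sends on connect.
SAMPLE_BOT_SESSION = [
    "NICK [USA|XP]-81237",
    "USER bot 0 * :bot",
    "JOIN #c2 secretkey",
    "PRIVMSG #c2 :[SCAN]: Random Port Scan started on 10.0.0.x:445",
    "PING :sink.local",
]

if __name__ == "__main__":
    _, replies = replay_session(SAMPLE_BOT_SESSION)
    print("\n".join(replies))
```

Run serve() on the host's address for the isolated vmnet (port 6667, or whatever port the sample's code or first connection attempt shows). The channel the bot joins and the text of its first PRIVMSG are usually the most useful behavioral evidence, and they are what you feed back into the dead-code side of the loop. Take a snapshot of the guest before the run so the whole exercise can be reverted and repeated with a different fake service attached.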

Page 8


Trouble in Paradise

• But REMEMBER:
– Virtualization platforms were designed for general purpose use
– Like "Wonderland," they're only a slightly warped version of our own reality
– And the stuff we're dropping into them is… well… NASTY
– It's sort of like dropping any Clint Eastwood character into Wonderland
• And let's face it, Clint really only plays ONE character
• It doesn't matter if he's wearing a cowboy hat or a business suit… they're all the same guy…
• So, we need to be careful…

Page 9


What problems could there be?

Well, that annoying White Rabbit and that mouthy Queen better watch it…

Page 10


Background

• In the fall of 2005, InGuardians was contracted by DHS to research the potential for both virtual machine detection and escape
– The enormous market potential for virtualization caused concerns about the security implications of VM isolation
– At the time that we began our research, virtualization security had received little attention
• Tools and methodologies for investigating the security of this new technology didn't exist
• We, essentially, had to "invent the wheel"

Page 11


Assumptions…

• Security issues are generally discovered by examining assumptions
– Challenging assumptions is the cornerstone of security research
• Our research into detection/escape concerns highlights an ENORMOUS assumption that all virtualization users make
– "There exists a high degree of isolation between host and guest and between guests"
– This assumption is especially dangerous when analyzing malware

Page 12


Detection

• We began our research by investigating the potential for an attacker (human or malcode) to detect that the machine that they're on is virtualized
– All available virtualization environments are detectable
– Additionally, we postulate that there are several characteristics of the IA-32 (x86) architecture that will make virtualization running on that architecture always be detectable

Page 13


Detection: Bad

• During the course of our research, we discovered some of the first specimens of malware that detected virtualization and changed their behavior
• Over the lifetime of our research project, virtualization detection within malware blossomed
– Now approximately 10% of the specimens we see have some sort of virtualization detection
– These are the most interesting 10%, because they have something to hide
– Virtualization detection is now becoming integrated into many executable packers

Page 14


Escape

• Think VM escape is impossible?
– In July of 2007, InGuardians demonstrated (for the first time publicly) an exploit that could, from within a guest, launch arbitrary code on the host
• The vulnerability was discovered in VMware Workstation, and has since been patched

Page 15


Escape: Ugly

• While we've never seen or heard of "in the wild" malware capable of VM escape, it is especially important that we are aware that the possibility exists
• Don't rely on the isolation provided by virtualization
– Keep hosts of VMs used for malware analysis air-gapped from production networks
– Periodically flatten and reinstall hosts
– Disable the host/guest integration features (shared folders, shared clipboard, drag-and-drop) on analysis VMs; each one is a channel that deliberately crosses the isolation boundary

Page 16


Conclusions

• VM escape is the big, bad scary possibility hanging over our heads
• Detection is of more concern
– Malware that alters its behavior in a VM environment requires special handling
– Harden VMs against detection
• Thwarting Virtual Machine Detection by Tom Liston and Ed Skoudis
• http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf
– Examine code for VM detection routines
• Hiding Virtualization from Attackers and Malware. Carpenter, Liston, Skoudis, IEEE Security and Privacy, May-June 2007

Page 17


Thank you!

• Questions, comments:

Tom Liston
tom@inguardians.com
(815) 342-7483

Slides available at: http://inguardians.com/tcip2008.pdf