Automatic Discovery of Parasitic Malware
Abhinav Srivastava and Jonathon Giffin
School of Computer Science, Georgia Institute of Technology
Automatic Discovery of Parasitic Malware 2
Attack and Remediation (figure): machines A, B and C share a Network; Malware on machine A attacks the App on machine B and the App on machine C, and a second Malware label sits on machine C (the parasitic case taken up below).
Sept 16 2010
Attack and Remediation (figure, continued): the network identifies the infected machines, B and C; the remediation shown is to reimage the infected machines.

Our Goals
• Precise attribution of malicious activity
  – Processes (machines B and C)
• Identify true origin of malicious activity
  – Parasitic behaviors (machine C)
Parasitic Behaviors (figure, machine C): the Malware sits outside the benign App and acts through the App and its DLL; the User/Kernel boundary is drawn because the malware may reside at either level.
Challenges
• Network can pinpoint infected machines but not processes
• Host can observe parasitic behaviors but cannot distinguish between benign and malicious behaviors
  – For example: Debugger, Google toolbar
• Neither approach is perfect
Combine network and host information
Pyrenee
• Goal: Identify parasitic malware
• Correlates network and host information
• Uses lightweight sensors
• Tamper-resistant

Pyrenee Architecture (figure): Xen hosts an Untrusted VM (Windows XP) and a Trusted VM (Fedora). The untrusted VM runs the Apps at User level above its Kernel; the trusted VM holds the Firewall, a Network sensor (NIDS), the Network attribution sensor and the Correlation engine; the Host attribution sensor inspects the untrusted VM from outside it through VMI.
Annotated case (figure): the network sensor detects malicious traffic; the network attribution sensor records the end-point process (App); the host attribution sensor records parasitic behaviors; the true origin reported is the Malware.
Threat Model
• Both user- and kernel-level attacks are possible
• Our assumptions
  – Hypervisor & trusted VM are secure
  – Kernel data structures are at known places
  – Presence of driver verifier service
Network Attribution Sensor (NAS)
• Kernel-level component
  – Identifies separate connections
• User-level component
  – For each connection, determines the local end-point in the untrusted VM
Network Object Traversal (figure)
Input: Port and IP (Source IP, Source Port, Destination IP, Destination Port)
• Drivers: linked list iteration over MODULE_ENTRY structures to reach tcpip.sys, which holds the pointer to the TCBTable
• TCBTable: linked list iteration over connection entries (Source IP, Source Port, Destination IP, Destination Port, Process ID) until the input tuple matches; this yields the Process ID
• Processes: linked list iteration over EPROCESS structures (Process ID, Name) until the Process ID matches
Output: Process name from EPROCESS
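To make the three traversals concrete, the following added Python sketch (not Pyrenee's code) walks constructed versions of the three lists laid out in a byte buffer that stands in for the untrusted VM's memory. The struct layouts, field order, driver and process names and connection tuples are assumptions for illustration, not the real Windows XP layouts that Pyrenee reads through VMI.

```python
import struct
from ipaddress import IPv4Address

# Assumed illustrative layouts (little-endian, 32-bit pointers, 0 = NULL); NOT real Windows XP layouts.
MODULE_FMT = "<I16sI"    # next, driver name, pointer to TCB table head (set only for tcpip.sys)
TCB_FMT = "<IIHIHI"      # next, src ip, src port, dst ip, dst port, owning process id
EPROCESS_FMT = "<II16s"  # next, process id, image name

class GuestMemory:
    """Byte buffer standing in for the untrusted VM's memory as read from the trusted side."""
    def __init__(self, size=4096):
        self.mem, self.next_free = bytearray(size), 0x100   # address 0 stays NULL

    def alloc(self, fmt, *fields):          # used only to construct the sample guest
        addr, data = self.next_free, struct.pack(fmt, *fields)
        self.mem[addr:addr + len(data)] = data
        self.next_free += len(data)
        return addr

    def walk(self, fmt, head):              # linked-list iteration until a NULL next pointer
        while head:
            fields = struct.unpack_from(fmt, self.mem, head)
            yield fields
            head = fields[0]

_ip = lambda dotted: int(IPv4Address(dotted))

def resolve_endpoint(mem, module_head, process_head, src_ip, src_port, dst_ip, dst_port):
    """Input: the 4-tuple of a connection. Output: name of the owning process, or None."""
    # 1. Drivers: walk the MODULE_ENTRY list to find tcpip.sys and its TCBTable pointer
    tcb_head = next((tcb for _, name, tcb in mem.walk(MODULE_FMT, module_head)
                     if name.rstrip(b"\0") == b"tcpip.sys"), 0)
    # 2. TCBTable: walk connection entries until the 4-tuple matches, take its process id
    want = (_ip(src_ip), src_port, _ip(dst_ip), dst_port)
    pid = next((p for _, *tup, p in mem.walk(TCB_FMT, tcb_head) if tuple(tup) == want), None)
    # 3. Processes: walk the EPROCESS list for that process id and return its image name
    return next((name.rstrip(b"\0").decode() for _, p, name in mem.walk(EPROCESS_FMT, process_head)
                 if p == pid), None)

def build_sample_guest():
    """Constructed guest: two drivers, two live connections, three processes (not real data)."""
    mem = GuestMemory()                     # lists are built tail-first so next pointers are known
    p3 = mem.alloc(EPROCESS_FMT, 0, 1032, b"svchost.exe")
    p2 = mem.alloc(EPROCESS_FMT, p3, 2216, b"iexplore.exe")
    p1 = mem.alloc(EPROCESS_FMT, p2, 4, b"System")
    t2 = mem.alloc(TCB_FMT, 0, _ip("10.0.0.5"), 1045, _ip("203.0.113.7"), 80, 2216)
    t1 = mem.alloc(TCB_FMT, t2, _ip("10.0.0.5"), 445, _ip("10.0.0.9"), 1029, 4)
    m2 = mem.alloc(MODULE_FMT, 0, b"tcpip.sys", t1)
    m1 = mem.alloc(MODULE_FMT, m2, b"ntoskrnl.exe", 0)
    return mem, m1, p1                      # memory, module list head, process list head
```

A connection that no TCB entry matches, or a guest whose module list never reaches tcpip.sys, resolves to None rather than to a wrong process.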
Host Attribution Sensor (HAS)
• NAS points to the local process end point
• HAS identifies the true origin of malicious activities
• HAS operates from the hypervisor
• Divided into two components
  – User-level parasitism detector
  – Kernel-level parasitism detector
User-level Parasitic Behaviors (figure, machine C): at user level, the Malware reaches the App and its DLL through the Windows APIs in the Windows DLLs (Win dlls).
User-level Parasitism Model
Code Injection (figure):
handle = OpenProcess()   or   handle = CreateProcess()
AllocateMemory(handle)
WriteMemory(handle)
CreateRemoteThread(handle)
Kernel-level Parasitic Behaviors (figure, machine C): the Malware runs as Kernel Code and reaches the App and its DLL through Kernel APIs.
Kernel-level Parasitism Model
Code Injection (figure):
ZwOpenProcess()
KeAttachProcess()
ZwAllocateMemory()
KeInitializeApc()
KeInsertQueueApc()
Kernel-level Parasitic Behaviors (figure, continued): Xen switches the address space and uses the resulting page fault to separate the malware's kernel code from the Kernel Code plus Trusted drivers.
Correlation Engine
• Finds the actual malicious code on the system
• Gathers data from all sensors
• Uses NAS to find the process
• Uses HAS to find the parasitic behavior
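As an added illustration (not Pyrenee's code) of how the user-level and kernel-level parasitism models above feed the correlation engine: the detector below consumes a constructed trace of intercepted calls as (actor, api, target pid) tuples, records a target as parasitised only when a complete model sequence is seen (so a debugger that merely opens a process, as in the Challenges slide, is not flagged), and the correlation step follows those records from the NAS-identified end-point process back to the true origin. The event format, the trace, the pids and the driver name are assumptions.

```python
from collections import defaultdict
# Injection sequences taken from the slides' user- and kernel-level parasitism models.
USER_MODEL = ("OpenProcess", "AllocateMemory", "WriteMemory", "CreateRemoteThread")
KERNEL_MODEL = ("ZwOpenProcess", "KeAttachProcess", "ZwAllocateMemory",
                "KeInitializeApc", "KeInsertQueueApc")
MODELS = {"user": USER_MODEL, "kernel": KERNEL_MODEL}

class ParasitismDetector:
    """Stand-in for the HAS: matches intercepted calls against the models per (actor, target).
    Events are assumed to arrive as (actor, api, target_pid), already attributed by the sensor."""
    def __init__(self):
        self.progress = defaultdict(int)  # (level, actor, target) -> index of next expected call
        self.origin = {}                  # target_pid -> (actor, level) once a model completes

    def observe(self, actor, api, target):
        for level, model in MODELS.items():
            key = (level, actor, target)
            if api == model[self.progress[key]]:
                self.progress[key] += 1
                if self.progress[key] == len(model):       # full injection sequence seen
                    self.origin[target] = (actor, level)
                    self.progress[key] = 0
            elif api == model[0]:                           # sequence restarted from the top
                self.progress[key] = 1

def correlate(detector, endpoint_pid):
    """Stand-in for the correlation engine: start from the process the NAS tied to the
    malicious connection and follow HAS parasitism records back to the true origin."""
    chain, seen = [endpoint_pid], {endpoint_pid}
    while chain[-1] in detector.origin and detector.origin[chain[-1]][0] not in seen:
        actor = detector.origin[chain[-1]][0]
        seen.add(actor)
        chain.append(actor)
    return chain[-1], chain       # (true origin, attribution chain from end point to origin)

# Constructed trace (not real sensor output): pid 1500 injects into iexplore.exe (pid 2216)
# while a debugger (pid 3000) opens the same process but never completes the model, and a
# rogue driver "evil.sys" runs the kernel-level sequence against svchost.exe (pid 1032).
# "ReadMemory" is a constructed call name used only to show an unrelated call being ignored.
SAMPLE_TRACE = [
    (1500, "OpenProcess", 2216), (3000, "OpenProcess", 2216), (1500, "AllocateMemory", 2216),
    (3000, "ReadMemory", 2216), (1500, "WriteMemory", 2216), (1500, "CreateRemoteThread", 2216),
    ("evil.sys", "ZwOpenProcess", 1032), ("evil.sys", "KeAttachProcess", 1032),
    ("evil.sys", "ZwAllocateMemory", 1032), ("evil.sys", "KeInitializeApc", 1032),
    ("evil.sys", "KeInsertQueueApc", 1032),
]

def run_sample():
    det = ParasitismDetector()
    for event in SAMPLE_TRACE:
        det.observe(*event)
    return det
```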
Security Evaluation
• Evaluated network- and host-attribution sensors' effectiveness
• Tested with applications to correctly correlate network connections to processes
  – Example: Internet Explorer, PuTTY, WinSCP, and others
• Tested the effectiveness of the host-attribution sensor in identifying the true origin of parasitic behaviors
Security Evaluation
Malware       Parasitic Behaviors   Attribution
AdclickerBA   Process-to-Process    Correct
Conficker     Process-to-Process    Correct
Storm         Kernel-to-Process     Correct
Performance Evaluation
CPU Performance Test
Operations                               Unmonitored   Parasitic behavior absent   Overhead (%)
Integer Math (Mops/sec)                  126.5         124.8                       1.34
Floating Point Math (Mops/sec)           468.4         444.3                       5.14
Compression (KB/sec)                     1500.9        1496.0                      0.32
Encryption (MB/sec)                      4.21          4.20                        0.24
String Sorting (Thousand strings/sec)    1103.3        1072.3                      2.81
Performance Evaluation
CPU Performance Test
Operations                               Unmonitored   Parasitic behavior present   Overhead (%)
Integer Math (Mops/sec)                  126.5         92.5                         26.88
Floating Point Math (Mops/sec)           468.4         439.5                        6.17
Compression (KB/sec)                     1500.9        1494.7                       0.41
Encryption (MB/sec)                      4.21          4.19                         0.48
String Sorting (Thousand strings/sec)    1103.3        1072.2                       2.82
Performance Evaluation
Memory Performance Test
Operations                       Unmonitored   Parasitic behavior absent   Overhead (%)
Allocate Small Block (MB/sec)    2707.4        2704.1                      0.12
Write (MB/sec)                   1967.0        1942.9                      1.23
Performance Evaluation
Memory Performance Test
Operations                       Unmonitored   Parasitic behavior present   Overhead (%)
Allocate Small Block (MB/sec)    2707.4        2322.3                       14.22
Write (MB/sec)                   1967.0        1931                         1.83
Performance Evaluation
Network Performance Test
Operations                 Unmonitored   Pyrenee   Overhead (%)
Page Loading (sec)         3.64          3.82      4.95
Network File Copy (sec)    38.00         39.00     2.63
Conclusions
Questions … or send us email:
Abhinav Srivastava, Jonathon Giffin
[email protected]@cc.gatech.edu