Automatic Discovery of Parasitic Malware Abhinav Srivastava and Jonathon Giffin School of Computer Science Georgia Institute of Technology
Page 1: Automatic Discovery of Parasitic Malware

Automatic Discovery of Parasitic Malware

Abhinav Srivastava and Jonathon Giffin

School of Computer Science, Georgia Institute of Technology

Page 2: Automatic Discovery of Parasitic Malware

Automatic Discovery of Parasitic Malware 2

Attack and Remediation

[Figure: machines A, B and C connected to the Network; labels: Malware, App, App, Malware]

Sept 16 2010

Page 3: Automatic Discovery of Parasitic Malware

Attack and Remediation

[Figure, as on slide 2, with callouts: Infected machine -- B; Infected machine -- C]

Page 4: Automatic Discovery of Parasitic Malware

Attack and Remediation

[Figure, as on slide 2, with callouts: Infected machine -- B; Infected machine -- C]

Reimage the infected machines

Page 5: Automatic Discovery of Parasitic Malware

Attack and Remediation

[Figure, as on slide 2, with callouts: Infected machine -- B; Infected machine -- C]

Reimage the infected machines

Our Goals

• Precise attribution of malicious activity
  – Processes (machines B and C)

• Identify the true origin of malicious activity
  – Parasitic behaviors (machine C)

Page 6: Automatic Discovery of Parasitic Malware

Parasitic Behaviors

[Figure: machine C with the User/Kernel boundary; labels: Malware, App, DLL]

Page 7: Automatic Discovery of Parasitic Malware

Parasitic Behaviors

[Figure, as on slide 6: machine C with the User/Kernel boundary; labels: Malware, App, DLL]

Page 8: Automatic Discovery of Parasitic Malware

Challenges

• Network can pinpoint infected machines but not processes

• Host can observe parasitic behaviors but cannot distinguish between benign and malicious behaviors
  – For example: a debugger, the Google toolbar

• Neither approach is perfect

Combine network and host information

Page 9: Automatic Discovery of Parasitic Malware


Pyrenee

• Goal: Identify parasitic malware

• Correlates network and host information

• Uses lightweight sensors

• Tamper-resistant


Page 10: Automatic Discovery of Parasitic Malware

Pyrenee Architecture

[Figure: Pyrenee architecture on the Xen hypervisor. Labels: Untrusted VM (Windows XP) with App and User/Kernel layers; Trusted VM (Fedora) with Firewall, Network sensor (NIDS), Correlation engine and User/Kernel layers; Network attribution sensor (two components); Host attribution sensor; VMI]

Page 11: Automatic Discovery of Parasitic Malware

Pyrenee Architecture

[Figure, as on slide 10, with Malware and App shown in the untrusted VM and callouts: Records parasitic behaviors; Records end-point process (App); Detects malicious traffic; True origin: Malware]

Page 12: Automatic Discovery of Parasitic Malware

Threat Model

• Both user- and kernel-level attacks are possible

• Our assumptions
  – Hypervisor and trusted VM are secure
  – Kernel data structures are at known places
  – Presence of driver verifier service

Page 13: Automatic Discovery of Parasitic Malware

Network Attribution Sensor (NAS)

• Kernel-level component
  – Identifies separate connections

• User-level component
  – For each connection, determines the local end-point in the untrusted VM

Page 14: Automatic Discovery of Parasitic Malware

Network Object Traversal

[Figure: traversal from a network connection to the owning process name]

Input: Port and IP

Drivers: linked-list iteration over MODULE_ENTRY records to locate tcpip.sys; its pointer leads to the TCBTable

TCBTable: linked-list iteration over entries (Source IP, Source Port, Destination IP, Destination Port, Process ID); the entry whose 4-tuple matches the input yields the Process ID

Processes: linked-list iteration over EPROCESS records (Process ID, Name); PID match

Output: Process name from EPROCESS
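The traversal on this slide, as an added example written for this page and not Pyrenee's own code: it walks two singly linked lists in a constructed, flat byte buffer standing in for guest memory, using simplified record layouts that are assumptions for illustration and not the real tcpip.sys TCB or EPROCESS structures (whose fields and offsets are Windows-version specific). The MODULE_ENTRY step that locates tcpip.sys is replaced by known head offsets; the IPs, ports, PIDs and image names are constructed sample data. The walker bounds every list by a visited set and an iteration limit, which a VMI-based sensor reading untrusted kernel memory needs so that a corrupted or cyclic list cannot hang it.

```python
import struct

# Constructed record layouts (assumptions, not the real Windows structures).
# All "pointers" are byte offsets into the fake image `mem`; 0 terminates a list.
TCB_FMT = "<I4sH4sHI"   # next_ptr | src_ip | src_port | dst_ip | dst_port | pid
EPROC_FMT = "<II16s"    # next_ptr | pid | image name (NUL padded)
MAX_WALK = 10_000       # bound on list length so a corrupted list cannot hang the sensor


def ip_bytes(dotted):
    return bytes(int(p) for p in dotted.split("."))


def walk(mem, head, fmt):
    """Yield (offset, record) along a NULL-terminated singly linked list.
    Stops on a NULL pointer, a pointer outside the image, a cycle, or MAX_WALK."""
    size = struct.calcsize(fmt)
    seen, off = set(), head
    while off and off not in seen and off + size <= len(mem) and len(seen) < MAX_WALK:
        seen.add(off)
        rec = struct.unpack_from(fmt, mem, off)
        yield off, rec
        off = rec[0]


def pid_for_connection(mem, tcb_head, src_ip, src_port, dst_ip, dst_port):
    """TCBTable step: match the connection 4-tuple and return its Process ID."""
    key = (ip_bytes(src_ip), src_port, ip_bytes(dst_ip), dst_port)
    for _, (_, sip, sp, dip, dp, pid) in walk(mem, tcb_head, TCB_FMT):
        if (sip, sp, dip, dp) == key:
            return pid
    return None


def name_for_pid(mem, eproc_head, pid):
    """EPROCESS step: match the Process ID and return the image name."""
    for _, (_, p, name) in walk(mem, eproc_head, EPROC_FMT):
        if p == pid:
            return name.rstrip(b"\0").decode()
    return None


def attribute(mem, tcb_head, eproc_head, src_ip, src_port, dst_ip, dst_port):
    """Input: port and IP; output: process name, or None if no TCB entry matches."""
    pid = pid_for_connection(mem, tcb_head, src_ip, src_port, dst_ip, dst_port)
    return None if pid is None else name_for_pid(mem, eproc_head, pid)


def build_image():
    """Construct the fake image: a TCB list at 0x100 and an EPROCESS list at 0x800.
    The MODULE_ENTRY walk that finds tcpip.sys is replaced by these known offsets."""
    mem = bytearray(4096)
    tcbs = [("10.0.0.5", 49152, "198.51.100.7", 80, 1234),    # constructed sample connections
            ("10.0.0.5", 49153, "203.0.113.9", 443, 4321),
            ("10.0.0.5", 49154, "192.0.2.1", 22, 3333)]
    tcb_head, tsize = 0x100, struct.calcsize(TCB_FMT)
    for i, (sip, sp, dip, dp, pid) in enumerate(tcbs):
        off = tcb_head + i * tsize
        nxt = off + tsize if i + 1 < len(tcbs) else 0
        struct.pack_into(TCB_FMT, mem, off, nxt, ip_bytes(sip), sp, ip_bytes(dip), dp, pid)
    procs = [(4, b"System"), (1234, b"iexplore.exe"), (4321, b"putty.exe"), (3333, b"winscp.exe")]
    eproc_head, esize = 0x800, struct.calcsize(EPROC_FMT)
    for i, (pid, name) in enumerate(procs):
        off = eproc_head + i * esize
        nxt = off + esize if i + 1 < len(procs) else 0
        struct.pack_into(EPROC_FMT, mem, off, nxt, pid, name.ljust(16, b"\0"))
    return bytes(mem), tcb_head, eproc_head


def with_cycle(mem, tcb_head):
    """Constructed corruption: point the last TCB entry's next_ptr back at the head."""
    m = bytearray(mem)
    last = None
    for off, _ in walk(mem, tcb_head, TCB_FMT):
        last = off
    struct.pack_into("<I", m, last, tcb_head)
    return bytes(m)


if __name__ == "__main__":
    mem, tcb_head, eproc_head = build_image()
    print(attribute(mem, tcb_head, eproc_head, "10.0.0.5", 49153, "203.0.113.9", 443))
```

Because the sensor reads kernel memory that the malware may control, `walk` treats a cycle or an out-of-image pointer as the end of the list rather than trusting it; a lookup on the corrupted image simply returns no match instead of looping.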

Page 15: Automatic Discovery of Parasitic Malware

Host Attribution Sensor (HAS)

• NAS points to the local process end point

• HAS identifies the true origin of malicious activities

• HAS operates from the hypervisor

• Divided into two components
  – User-level parasitism detector
  – Kernel-level parasitism detector

Page 16: Automatic Discovery of Parasitic Malware

User-level Parasitic Behaviors

[Figure: machine C with the User/Kernel boundary; labels: Malware, App, DLL]

Page 17: Automatic Discovery of Parasitic Malware

User-level Parasitic Behaviors

[Figure, as on slide 16, with Win dlls and Windows APIs added between Malware and App]

Page 18: Automatic Discovery of Parasitic Malware

User-level Parasitism Model

Code Injection

handle = OpenProcess()  or  handle = CreateProcess()
AllocateMemory(handle)
WriteMemory(handle)
CreateRemoteThread(handle)

Page 19: Automatic Discovery of Parasitic Malware

User-level Parasitic Behaviors

[Figure, as on slide 17: machine C with the User/Kernel boundary; labels: Malware, Win dlls, Windows APIs, App, DLL]

Page 20: Automatic Discovery of Parasitic Malware

Kernel-level Parasitic Behaviors

[Figure: machine C with the User/Kernel boundary; labels: Malware, App, DLL]

Page 21: Automatic Discovery of Parasitic Malware

Kernel-level Parasitic Behaviors

[Figure, as on slide 20, with Kernel Code and Kernel APIs added]

Page 22: Automatic Discovery of Parasitic Malware

Kernel-level Parasitism Model

Code Injection

ZwOpenProcess()
KeAttachProcess()
ZwAllocateMemory()
KeInitializeApc()
KeInsertQueueApc()

Page 23: Automatic Discovery of Parasitic Malware

Kernel-level Parasitic Behaviors

[Figure, as on slide 21: machine C with the User/Kernel boundary; labels: Malware, App, Kernel Code, Kernel APIs, DLL]

Page 24: Automatic Discovery of Parasitic Malware

Kernel-level Parasitic Behaviors

[Figure, as on slide 21, with Xen below the kernel; callouts: Switch address space; Page fault]

Page 25: Automatic Discovery of Parasitic Malware

Kernel-level Parasitic Behaviors

[Figure, as on slide 24, with the kernel code shown as Kernel Code + Trusted drivers; callouts: Switch address space; Page fault]

Page 26: Automatic Discovery of Parasitic Malware


Correlation Engine

• Finds actual malicious code on the system

• Gathers data from all sensors

• Uses NAS to find the process

• Uses HAS to find parasitic behavior

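The two injection models (slides 18 and 22) and the correlation step on this slide, as an added example written for this page and not Pyrenee's own code: a small Python matcher that advances a per-(caller, target) state through each model as API events arrive, followed by the correlation step that maps the NAS end-point process to the recorded injector. The event format, the process names in the constructed trace and the `true_origin` helper are assumptions for illustration. The debugger events are in the trace to show that an incomplete sequence is not reported, which is the host-only ambiguity slide 8 describes.

```python
from collections import defaultdict

# Ordered API sequences taken from the slides' user-level (slide 18) and
# kernel-level (slide 22) parasitism models. Each step is a set of acceptable
# calls; the first step is the one that acquires the target process.
USER_MODEL = [{"OpenProcess", "CreateProcess"}, {"AllocateMemory"},
              {"WriteMemory"}, {"CreateRemoteThread"}]
KERNEL_MODEL = [{"ZwOpenProcess"}, {"KeAttachProcess"}, {"ZwAllocateMemory"},
                {"KeInitializeApc"}, {"KeInsertQueueApc"}]
MODELS = {"user": USER_MODEL, "kernel": KERNEL_MODEL}


class ParasitismDetector:
    """Stand-in for the host attribution sensor: matches API events against the models."""

    def __init__(self):
        # (caller, target) -> {model name: index of the next expected step}
        self._state = defaultdict(lambda: {name: 0 for name in MODELS})
        self.injections = []  # completed sequences as (caller, target, model name)

    def feed(self, caller, api, target):
        """Consume one event (assumed format: caller process, API name, target process)."""
        st = self._state[(caller, target)]
        for name, model in MODELS.items():
            idx = st[name]
            if api in model[idx]:
                st[name] = idx + 1
                if st[name] == len(model):  # full sequence observed: record it
                    self.injections.append((caller, target, name))
                    st[name] = 0
            elif api in model[0]:
                # a fresh handle/attach on the same target restarts the sequence
                st[name] = 1
            # unrelated calls are ignored: the model is a subsequence match


def true_origin(endpoint, injections):
    """Correlation step: NAS names the process on the malicious connection; if
    HAS recorded an injection into it, the injector is the true origin."""
    origins = [caller for caller, target, _ in injections if target == endpoint]
    return origins or [endpoint]


# Constructed API trace: one user-level injection, one kernel-level injection
# and a debugger that opens a process but never completes the model.
TRACE = [
    ("malware.exe", "OpenProcess", "iexplore.exe"),
    ("malware.exe", "AllocateMemory", "iexplore.exe"),
    ("malware.exe", "WriteMemory", "iexplore.exe"),
    ("malware.exe", "CreateRemoteThread", "iexplore.exe"),
    ("debugger.exe", "OpenProcess", "notepad.exe"),
    ("debugger.exe", "ReadMemory", "notepad.exe"),   # incomplete: not an injection
    ("rootkit.sys", "ZwOpenProcess", "svchost.exe"),
    ("rootkit.sys", "KeAttachProcess", "svchost.exe"),
    ("rootkit.sys", "ZwAllocateMemory", "svchost.exe"),
    ("rootkit.sys", "KeInitializeApc", "svchost.exe"),
    ("rootkit.sys", "KeInsertQueueApc", "svchost.exe"),
]


def run(trace=TRACE):
    det = ParasitismDetector()
    for caller, api, target in trace:
        det.feed(caller, api, target)
    return det


if __name__ == "__main__":
    det = run()
    for inj in det.injections:
        print("injection:", inj)
    print("iexplore.exe origin:", true_origin("iexplore.exe", det.injections))
```

The matcher only records a parasitic behavior; on its own it cannot say whether the injector is malicious. The decision comes from the correlation step, which starts from the process the network side has already tied to malicious traffic and asks whether something injected into it.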

Page 27: Automatic Discovery of Parasitic Malware

Security Evaluation

• Evaluated the network- and host-attribution sensors' effectiveness

• Tested with applications to correctly correlate network connections to processes
  – Example: Internet Explorer, PuTTY, WinSCP, and others

• Tested the effectiveness of the host-attribution sensor in identifying the true origin of parasitic behaviors

Page 28: Automatic Discovery of Parasitic Malware

Security Evaluation

Malware       Parasitic Behaviors   Attribution
AdclickerBA   Process-to-Process    Correct
Conficker     Process-to-Process    Correct
Storm         Kernel-to-Process     Correct

Page 29: Automatic Discovery of Parasitic Malware

Performance Evaluation

CPU Performance Test (parasitic behavior absent)

Operations                             Unmonitored   Parasitic Behavior Absent   Overhead (%)
Integer Math (Mops/sec)                126.5         124.8                       1.34
Floating Point Math (Mops/sec)         468.4         444.3                       5.14
Compression (KB/sec)                   1500.9        1496.0                      0.32
Encryption (MB/sec)                    4.21          4.20                        0.24
String Sorting (Thousand string/sec)   1103.3        1072.3                      2.81

Page 30: Automatic Discovery of Parasitic Malware

Performance Evaluation

CPU Performance Test (parasitic behavior present)

Operations                             Unmonitored   Parasitic Behavior Present   Overhead (%)
Integer Math (Mops/sec)                126.5         92.5                         26.88
Floating Point Math (Mops/sec)         468.4         439.5                        6.17
Compression (KB/sec)                   1500.9        1494.7                       0.41
Encryption (MB/sec)                    4.21          4.19                         0.48
String Sorting (Thousand string/sec)   1103.3        1072.2                       2.82

Page 31: Automatic Discovery of Parasitic Malware

Performance Evaluation

Memory Performance Test (parasitic behavior absent)

Operations                     Unmonitored   Parasitic Behavior Absent   Overhead (%)
Allocate Small Block (MB/sec)  2707.4        2704.1                      0.12
Write (MB/sec)                 1967.0        1942.9                      1.23

Page 32: Automatic Discovery of Parasitic Malware

Performance Evaluation

Memory Performance Test (parasitic behavior present)

Operations                     Unmonitored   Parasitic Behavior Present   Overhead (%)
Allocate Small Block (MB/sec)  2707.4        2322.3                       14.22
Write (MB/sec)                 1967.0        1931.0                       1.83

Page 33: Automatic Discovery of Parasitic Malware

Performance Evaluation

Network Performance Test

Operations               Unmonitored   Pyrenee   Overhead (%)
Page Loading (sec)       3.64          3.82      4.95
Network File Copy (sec)  38.00         39.00     2.63

Page 34: Automatic Discovery of Parasitic Malware


Conclusions


Page 35: Automatic Discovery of Parasitic Malware

Questions

Abhinav Srivastava, Jonathon Giffin

... or send us email:

[email protected]@cc.gatech.edu