McAfee Confidential
Rahul Mohandas | Intel Security
Ravi Sahita | Intel Labs
Detecting Evasive Malware in the Sandbox—The Latest from McAfee and Intel Labs
Speakers
Rahul Mohandas, Research Manager, Intel Security
Ravi Sahita, Principal Engineer, Intel Labs
Agenda
• Evolution of Targeted Malware Attacks and Defenses
• Sandboxing Challenges
• McAfee Advanced Threat Defense Technology
• Use Cases: Sandbox Evasion
• Platform Opportunities
• Summary
McAfee, and the McAfee logo are registered trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright © 2014 McAfee, Inc.
How did we get here? Evolution of Malware Attacks and Defenses

A large number of enterprises had breaches over the past year. What can be done to better protect the network against these cyberthreats?

Reactive
• md5/URL blacklists
Proactive
• Heuristics/protocol analysis
Predictive
• Static/behavioral and predictive analytics
• Malware attribution

(Figure: evolution of defenses, shown as Attack [Defense].)
State of Targeted Attacks

(Timeline figure, 2010 to 2014, of targeted attack campaigns: Duqu, Flame, Gauss, Mahdi, VOHO, Shamoon, Beebus, Ladyboyle, MiniDuke, RSA hack (MAR-2011), Naikon, NetTraveler, SAFE, SunShop, Gotham, ZEGOST (APR-2013), DeputyDog (19-AUG-2013), EvilGrab, IceFog, Kimsuky, Guodl, Taidoor, The3bug, Web2Crew, Project Blitzkrieg, Shiqiang, Quarian (OCT-2013), Havex, Pittytiger (July-2014), Quarian v2 (AUG-2014). Remaining date markers on the figure: 01-SEP-2011, 02-MAY-2012, 30-MAY-2012, 01-JUN-2012, JUL-2012, 15-AUG-2012, DEC-2012, FEB-2013, MAY-2013, JUN-2013, APR-2014.)
Sandboxing Challenges: Evasion
• Hook-detection/skipping.
• Self/VM fingerprinting.
• System tampering.
• Interaction-based.
• Latent behavior.
• Timing analysis.
• And so on …

Advanced Threat Defense Technology: Sandboxing approach and future challenges
McAfee Advanced Threat Defense
• Using static and dynamically derived program behavior.
• Provides advanced sandboxing capabilities:
• Virtual CPUs.
• Anti-anti-debugging.
• Need to unpack to get to original executable code for analysis:
• Detect variants.
• Understand potential paths.
• Provide unpacked code for further analysis.
(Diagram: samples run in VM 1, VM 2 … VM N on top of a VMM.)

Dynamic and Static Code Analysis

Static Analysis:
• Unpacking
• Disassembly of Code
• Calculate Latent Code
• Familial Resemblance

Dynamic Analysis:
• Runtime DLLs
• Network Operations
• File Operations
• Process Operations
• Delayed Execution
Sandbox Evasion (Advanced: inline assembly)
• Use assembly code to bypass hooks:
• Replace sleep() with an induced delay loop.
• Bypasses sandboxes that have default analysis timeouts.
• Family classification to the rescue.

Sandbox Evasion: Inline Assembly
(Slides 11 and 12: screenshots of the inline-assembly sample.)

Quarian Evolution: Timeline

(Timeline figure with markers Dec ’11, Jan ’12, March ’12, July ’12, August ’13 and March ’14, showing Quarian samples and their similarity scores.)
• Prototype added: similarity 100%
• Sample ce1ef: similarity 97%
• Sample 1d6b587: similarity 83.54%
• Sample c0e5746dd: similarity 68.09%
• Sample 93807cff6: similarity 68.18%
• Sample f3862: similarity 66.72%
Sandbox Evasion: Quarian AppId Check
• APT actor active since 2011.
• Checks presence of registry key, exits if not found.
• Evades all known sandboxes relying on behavior only.
• Detected by McAfee® Advanced Threat Defense using static code analysis.

Quarian Evolution: Static Code Analysis
(Slide 15: screenshot of the static code analysis output.)

Platform Opportunities: Improving malware analysis

Improving Malware Sandbox: Goals

Enhance instrumentation to observe zero-day/obfuscated behavior:
• Memory access and execution analysis.
• Kernel/user rootkit-like behavior.
• API, control flow attacks.
• Unpacking, de-obfuscating code.
… without impacting analysis throughput.

(Diagram: VM1, VM 2 … VM n on a VMM running on Intel CPUs.)
OS-Independent Behavioral Memory Monitoring
CPU extended page tables (EPTs) as memory monitoring domains

(Diagram: a hypervisor on CPU0 using Intel® VT-x with EPT; VM0's memory is divided into Extended Page Table (EPT) domains, which the EPT walker resolves to host physical addresses. Execution crossing EPT domains, or data accesses, cause events. Example domains and permissions: Application Code/Data (RX/RW), DLL Code (RX), DLL Code (RO), Application Code/Data (RO/NP), Data (RW), Data (NP).)
Intel® Virtualization Technology for IA-32, Intel® 64 and Intel® Architecture (Intel® VT-x)

• Observe read, write, or execution from memory.
• Critical data structure tracking.
• Critical API execution tracking without circumvention.

Addressing Technical Challenges
• Factors limiting memory monitoring:
• Hardware context-switch time.
• Filtering uninteresting events with minimal overhead:
• Monitoring data accesses requires filtering due to 4K page sharing (a monitored structure shares its page with unrelated data, so accesses to that data also trap).
• Analyzing execution patterns:
• Without requiring single-stepping of all execution.

Hardware-Accelerated Behavioral Memory Analysis
Minimize exposure of VMM to reduce malware evasion opportunities

(Diagram: a hypervisor on CPU0 using Intel® VT-x with EPT; VM0 with extended page tables and the EPT walker. EPT violations are reported via #VE; the EPTP list is indexed by VMFUNC to select Memory View 1 or Memory View 2 over the physical pages.)
Intel® Virtualization Technology for IA-32, Intel® 64 and Intel® Architecture (Intel® VT-x)

• VM Function (VMFUNC) to switch EPTs or memory views without VMExits.
• Virtualization Exceptions (#VE) to directly notify guest of EPT access violations without VMExits.

Accelerating Behavior-Induced Events
• Behavioral memory monitoring policies set up via EPT domains.
• VMM opts in to convert induced EPT violations (observed events) to #VE.
• Monitoring software can use VMFUNC to switch views in order to analyze memory accesses and continue sandboxed execution.

(Diagram: inside the VM sandbox on Intel CPUs, a WRITE access by the monitored app hits the EPT domain access policy and raises #VE. The monitoring service 1. handles the #VE using the #VE info, 2. sets up single step or emulate, and 3. completes analysis, switching EPT domains with VMFUNC; the VMM owns the EPT domains.)
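The three-step #VE loop on this slide, together with the 4K page-sharing filter from the previous slide, as an added example that is not code from the slides or from McAfee/Intel: a user-space C model of a guest-side monitoring service. The #VE information-area layout and VMFUNC leaf 0 follow the Intel SDM; the view slots, the watched address range and the sample #VE are constructed, and the eptp_switch wrapper is never executed by the model.

```c
/* Added example, not code from the slides or McAfee/Intel: a user-space model of
 * "1. handle #VE, 2. single-step or emulate, 3. complete analysis". The #VE info
 * area layout and VMFUNC leaf 0 follow the Intel SDM; views/ranges are constructed. */
#include <stdint.h>
struct ve_info {           /* #VE information area as the CPU fills it (Intel SDM) */
    uint32_t exit_reason;  /* 48 = EPT violation */
    uint32_t busy;         /* CPU writes 0xFFFFFFFF; no further #VE until handler clears it */
    uint64_t exit_qual;    /* bit 0 read, bit 1 write, bit 2 instruction fetch */
    uint64_t gla;          /* guest linear address of the access */
    uint64_t gpa;          /* guest physical address of the access */
    uint16_t eptp_index;   /* EPTP-list slot (memory view) active at the #VE */
};
#define VE_REASON_EPT_VIOLATION 48u
#define EPTQ_WRITE (1ull << 1)
enum { VIEW_SANDBOX = 0, VIEW_ANALYSIS = 1 };   /* constructed EPTP-list slots */
/* VMFUNC leaf 0 (EAX=0): switch EPTP to EPTP-list entry ECX with no VMExit.
 * Valid only in a guest whose VMM enabled it, so the model never executes it. */
static inline void eptp_switch(uint32_t view)
{
    (void)view;
#if defined(__x86_64__) || defined(__i386__)
    __asm__ volatile(".byte 0x0f, 0x01, 0xd4" : : "a"(0u), "c"(view) : "memory");
#endif
}
/* EPT protects whole 4K pages, so the watched structure shares its page with
 * unrelated data; filter by linear address range to drop that noise. */
struct watch { uint64_t gla_lo, gla_hi; };
/* Steps 1-3 for one #VE. `sw` is eptp_switch in a real guest, a recorder in the
 * model. Returns 1 when the access is a reportable write into the watched range. */
int process_ve(struct ve_info *ve, const struct watch *w, void (*sw)(uint32_t))
{
    int hit = ve->exit_reason == VE_REASON_EPT_VIOLATION && (ve->exit_qual & EPTQ_WRITE) &&
              ve->gla >= w->gla_lo && ve->gla < w->gla_hi;
    sw(VIEW_ANALYSIS);   /* step 2: permissive view, single-step/emulate the faulting access */
    sw(VIEW_SANDBOX);    /* step 3: analysis complete, back to the monitored view */
    ve->busy = 0;        /* re-arm #VE delivery before resuming the sample */
    return hit;
}
/* Model back end: log view switches instead of executing VMFUNC. */
uint32_t g_switch_log[8]; unsigned g_nswitch;
static void model_switch(uint32_t view) { g_switch_log[g_nswitch++ % 8] = view; }
/* One constructed EPT-violation #VE against a watch on a 32-byte structure. */
int model_one(uint64_t gla, uint64_t exit_qual)
{
    struct watch w = { 0x7ff000001010ull, 0x7ff000001030ull };    /* constructed range */
    struct ve_info ve = { VE_REASON_EPT_VIOLATION, 0xFFFFFFFFu, exit_qual, gla, 0x5000 | (gla & 0xfff), VIEW_SANDBOX };
    g_nswitch = 0;
    return process_ve(&ve, &w, model_switch);
}
```

Every violation, reportable or not, still needs the view switch so the faulting instruction can complete; only the reporting decision is filtered.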
Hardware Extensions for Improving Malware Sandbox

Enhanced instrumentation to observe zero-day/obfuscated behavior:
• Memory access and execution analysis.
• Kernel/user rootkit behavior.
• API, control flow attacks.
• Unpacking, de-obfuscating code.

(Diagram: a VMM with introspection extensions on Intel CPUs hosting Windows/Android VM1, VM 2 … VM n; each VM's sandboxing engine uses memory views, with enhanced sandboxing through processor features pass-through.)

CPU Extensions:
- VMFUNC (low latency memory view switching).
- Virtualization Exceptions (low latency memory monitoring).
- …

Addressing Evasion Challenges

Capabilities that can be enabled via hardware-enhanced introspection and family classification:
1. Hook-detection/skip avoidance.
2. Fingerprinting mitigation.
3. Kernel tamper detection.
4. User detection.
5. Latent behavior detection.
6. Timing virtualization.

(Diagram: the numbered capabilities placed across the stack of malware, OS, VM tools, monitored API, Microsoft Windows/Android VM1, VMM and Intel CPUs.)

Looking Ahead: Concluding thoughts

Future Directions and Research
• Finer-grain memory monitoring CPU primitives.
• Processor capabilities to detect/prevent malicious behavior via strong control-flow tracking.
• Machine-learning techniques to automate deeper analysis.
• Human interactivity modeling to expose latent code.
• Exploration of native hardware sandbox to reduce malware evasion opportunities.
Conclusion
• Combination of behavior and family classification addresses gaps to detect advanced malware.
• Hardware and software co-design to stay ahead of malware approaches.
• Evolving the McAfee Advanced Threat Defense platform:
• Software improvements via open hypervisors.
• Hardware-based differentiation to improve analysis.
• Ongoing research to stay ahead of evasion techniques.

Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright © 2014 McAfee, Inc.