Malware: Prevenire (e curare) con strumenti open-source

Transcription

1 Malware: Prevenire (e curare) con strumenti open-source Roberto Paleari Linux Day 2011 Modena, 22 ottobre 2011

2 Who am I? PhD Research activities Malware analysis Systems & applications security Laboratorio di Sicurezza e Reti (LaSeR) Senior security consultant Penetration testing Reverse engineering Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 2

3 The rise of malicious code Number of new signatures 21,000,000 17,500,000 14,000,000 10,500,000 7,000,000 3,500, Period Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 3

4 The rise of malicious code Today malware is a very lucrative activity Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 3

5 The rise of malicious code Who lasts longer earns the most... Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 3

6 Long lasting malware Spread/replicate fast Hide the presence on the system Obfuscate the code (e.g., encryption, polymorphism, metamorphism) Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 4

7 Long lasting malware Spread/replicate fast Hide the presence on the system Obfuscate the code (e.g., encryption, polymorphism, metamorphism) Traditional signature-based approaches are not effective anymore! Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 4

8 Wait... +?? Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 5

9 Wait... +?? Why malware infects? Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 5

10 Wait... +?? Why malware infects? Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 5

11 Wait... +?? So, why should we care about malware? Linux is not free from malware! The majority of embedded devices runs Linux Many Linux users use Windows emulators (e.g., WINE) or virtual machines Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 5

12 How malware is detected today? Application code Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 6

13 How malware is detected today? Application code + + A signature is a sequence of bytes that identifies a malicious sample Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 6

14 How malware is detected today? Application code Anti-malware tools are shipped with a database of known signatures Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 6

15 How malware is detected today? When a signature is found, the application is considered to be infected Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 6

16 Why signature-based detection is not effective anymore? E.g., Packing Malicious code is hidden behind 1 + compression layers Unpacking is performed at run-time Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 7

17 Why signature-based detection is not effective anymore? E.g., Packing Malicious code is hidden behind 1 + compression layers Unpacking is performed at run-time Malicious code Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 7

18 Why signature-based detection is not effective anymore? E.g., Packing Malicious code is hidden behind 1 + compression layers Unpacking is performed at run-time Unpacking routine Malicious code Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 7

19 Why signature-based detection is not effective anymore? E.g., Packing Malicious code is hidden behind 1 + compression layers Unpacking is performed at run-time Unpacking routine Unpacking routine Malicious code Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 7

20 Why signature-based detection is not effective anymore? E.g., Packing Malicious code is hidden behind 1 + compression layers Unpacking is performed at run-time Unpacking routine Unpacking routine Malicious code > 80% malware samples are packed 200 packer families, with 2000 variants Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 7

21 Current trend for malware analysis and detection Static analysis is either too onerous or impossible (malware is obfuscated & self-modifying) Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 8

22 Current trend for malware analysis and detection Static analysis is either too onerous or impossible (malware is obfuscated & self-modifying) Dynamic, behavior-based malware analysis Run the suspicious program and monitor its execution Does it behave maliciously? Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 8

23 Dynamic analysis Run-time monitoring of closed-source applications Suspicious applications should be always executed inside a controlled environment! Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 9

24 Dynamic analysis Run-time monitoring of closed-source applications Suspicious applications should be always executed inside a controlled environment! What kind of events can be observed? Interaction with the environment (e.g., files, networking activity, library functions) Interaction with the OS (e.g., system calls) Low-level information (e.g., registers and memory values) Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 9

25 Dynamic analysis Tools All Linux distribution include several run-time monitoring tools lsof, netstat, /proc/<pid>/*, tcpdump,... Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 10

26 Dynamic analysis Tools All Linux distribution include several run-time monitoring tools lsof, netstat, /proc/<pid>/*, tcpdump,... ltrace $ ltrace /bin/ls 2>&1 head -n 20 libc_start_main(0x804e5f0, 1,... <unfinished...> setlocale(6, ) = it_it.iso @euro bindtextdomain(coreutils, /usr/share/locale) = /usr/share/locale textdomain(coreutils) = coreutils cxa_atexit(0x , 0, 0, 0xb7f01ff4, 0xbf95cf98) = 0 isatty(1) = 0 getenv(quoting_style) = NULL... getenv(block_size) = NULL getenv(columns) = NULL ioctl(1, 21523, 0xbf95cf6c) = Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 10

27 Dynamic analysis Tools All Linux distribution include several run-time monitoring tools lsof, netstat, /proc/<pid>/*, tcpdump,... ltrace strace $ strace /bin/ls 2>&1 head -n 10 execve(/bin/ls, [/bin/ls], [/* 34 vars */]) = 0 brk(0) = 0x8e93000 access(/etc/ld.so.nohwcap, F_OK) = -1 ENOENT (No such file) mmap2(null, 8192, PROT_READ PROT_WRITE, MAP_PRIVATE MAP_ANON, -1, 0) = 0xb7f74000 access(/etc/ld.so.preload, R_OK) = -1 ENOENT (No such file) open(/etc/ld.so.cache, O_RDONLY) = 3 fstat64(3, st_mode=s_ifreg 0644, st_size=58489,...) = 0 mmap2(null, 58489, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f65000 close(3) = 0 access(/etc/ld.so.nohwcap, F_OK) = -1 ENOENT (No such file)... Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 10

28 Dynamic analysis Tools All Linux distribution include several run-time monitoring tools lsof, netstat, /proc/<pid>/*, tcpdump,... ltrace strace... and what about? Most of these tools have a counterpart for For a nifty Windows system call tracer, try WUSSTrace :-) Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 10

29 Dynamic analysis Do you want something more? Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 11

30 Dynamic analysis Do you want something more? Introducing ProcessTap A dynamic tracing framework Leverages dynamic binary instrumentation to intercept the events of interest ProcessTap scripts are written in Python! Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 11

31 Dynamic analysis ProcessTap: An example What ProcessTap scripts look like? 1 #!/usr/bin/env processtap 2 3 include("stdlib.h") 4 == "malloc") 6 def malloc_entry(ctx): 7 print "[F] >>> %s called from %.8x with argument %u" % \ 8 (ctx.function_name, ctx.caller, ctx.args[0]) 9 >> ["open", "close"]) 11 def fexit(ctx): 12 print "[S] <<< %s returning to %.8x" % (ctx.syscall_name, ctx.regs.rip) Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 12

32 Dynamic analysis ProcessTap: An example What ProcessTap scripts look like? 1 $./examples/malloctrace.pcap -- /usr/bin/id 2 [*] Started parser (listening on 45352) 3 [*] Executable file: /usr/bin/id 4 [*] PTAP file:./examples/malloctrace.pcap 5 [*] Loaded 344 system calls 6 [*] Parsing stdlib.h (123 functions) 7 [*] Loaded probes: 8 [*] function_entry 9 [+] (function_name malloc_entry 10 [*] syscall_exit 11 [+] ((syscall_name == 5) (syscall_name == 6)) fexit 12 [*] Parsing /usr/bin/id [ f544] 13 [*] Parsing /lib/i386-linux-gnu/ld-2.13.so [ b b57ae908] [S] <<< open returning to b771aef4 16 [S] <<< close returning to b771af2d 17 [*] Parsing /lib/i386-linux-gnu/libselinux.so.1 [ b52ef b530dc3c] 18 [*] Parsing /lib/i386-linux-gnu/i686/cmov/libc-2.13.so [ b b526b978] 19 [*] Parsing /lib/i386-linux-gnu/i686/cmov/libdl-2.13.so [ b4bf b4bf9078] [S] <<< open returning to b [S] <<< close returning to b uid=1000(roby) gid=1000(roby) groups=1000(roby),6(disk),20(dialout),24(cdrom),25(floppy), 24 29(audio),40(src),44(video),46(plugdev),107(fuse),109(netdev),110(lpadmin),114(vboxusers) 25 [*] Backend terminated with exit status 0 Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 12

33 Try it!

34 Limitations of dynamic approaches Dynamic solutions are not free from limitations, especially when dealing with malicious applications Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 14

35 Limitations of dynamic approaches User-level approaches are not enough often includes kernel-level components In these situations, user-level anti-malware solutions are ineffective Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 14

36 Limitations of dynamic approaches User-level approaches are not enough often includes kernel-level components In these situations, user-level anti-malware solutions are ineffective Non-transparency The analysis tool can be detected If detects the analyzer, it behaves like Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 14

37 Limitations of dynamic approaches High run-time overhead End hosts have strict real-time constraints If the analysis takes too much, the detector assumes a suspicious program is Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 14

38 Limitations of dynamic approaches High run-time overhead End hosts have strict real-time constraints If the analysis takes too much, the detector assumes a suspicious program is How to remediate an infected system? Remediation procedures included in anti-malware tools are often impecise Can we generate these procedures automatically? Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 14

39 Transparent and efficient analysis How to monitor the execution of a suspicious program? (worst-case scenario: kernel-level malware) Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 15

40 Transparent and efficient analysis How to monitor the execution of a suspicious program? (worst-case scenario: kernel-level malware) Kernel-based analysis Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 15

41 Transparent and efficient analysis How to monitor the execution of a suspicious program? (worst-case scenario: kernel-level malware) Kernel-based analysis Out-of-the-box analysis Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 15

42 Kernel-based approaches The analysis tool is implemented as a kernel module To analyze kernel-level code, these approaches leverage another kernel-level module... Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 16

43 Kernel-based approaches The analysis tool is implemented as a kernel module To analyze kernel-level code, these approaches leverage another kernel-level module it is like a dog chasing its tail! Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 16

44 Out-of-the-box approaches The analyzer leverages VM-introspection techniques The target system must be already running inside a VM Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 17

45 Out-of-the-box approaches The analyzer leverages VM-introspection techniques The target system must be already running inside a VM can detect when it is running inside a VM! Source: A fistful of red-pills (R. Paleari, L. Martignoni, G. Fresi Roglia, D. Bruschi) Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 17

46 How to analyze kernel-level malware?? Kernel-based analysis Out-of-the-box analysis Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 18

47 How to analyze kernel-level malware? Exploit hardware support for virtualization to achieve both efficiency and transparency Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 18

48 Hardware-assisted virtualization in a nutshell (Intel VT-x) R3 App App App R0 Kernel Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 19

49 Hardware-assisted virtualization in a nutshell (Intel VT-x) R3 App App App R3 App App App R0 Kernel R0 Kernel Root mode Hypervisor Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 19

50 Hardware-assisted virtualization in a nutshell (Intel VT-x) R3 App App App R3 App App App R0 Kernel R0 Kernel Root mode Hypervisor The OS needs not to be modified The hardware guarantees transparency & isolation Minimal overhead Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 19

51 HyperDbg An overview User process User process User mode Kernel mode Operating system kernel Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 20

52 HyperDbg An overview User process User process User mode Kernel mode Operating system kernel Exit Inspect Non-root mode Root mode Analysis tool Framework The framework is installed as the target system runs. It is completely separated and more privileged than the analyzed OS Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 20

53 HyperDbg An overview User process User process User mode Kernel mode Operating system kernel Exit Inspect Non-root mode Root mode Analysis tool Framework The analyzed OS needs not to be modified at all (i.e., the approach can be applied to closed-source OSes) Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 20

54 HyperDbg An overview User process User process User mode Kernel mode Operating system kernel Exit Inspect Non-root mode Root mode Analysis tool Framework The analysis tool runs in an isolated execution environment (a defect in the tool does not affect the stability of the OS) Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 20

55 HyperDbg An overview User process User process User mode Kernel mode Operating system kernel Non-root mode Root mode Analysis tool Framework At the end of the analysis, the infrastructure can be removed on-the-fly Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 20

56 HyperDbg Implementation User interface We cannot rely on the guest OS graphic libraries A small VGA driver to interact with the system s video card The driver is neither OS nor hardware dependent Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 21

57 HyperDbg Implementation User interface We cannot rely on the guest OS graphic libraries A small VGA driver to interact with the system s video card The driver is neither OS nor hardware dependent User interaction An user can activate HyperDbg by pressing an hot-key In non-root mode keystrokes are intercepted by leveraging VT-x functionalities (i.e., IOOperationPort events) In root mode a simple driver reads the keystrokes Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 21

58 HyperDbg Graphical user interface Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 22

59 Try it! It supports both and

60 Remediation of a system infected by a malware Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 24

61 Remediation of a system infected by a malware To reinstall the system or to remediate the infection? Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 24

62 Remediation of a system infected by a malware To reinstall the system or to remediate the infection? Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 24

63 -specific material!

64 A sample malware 1. Generates random file and key names file = po + rand() + rand() + rand() +.exe key = rand() % 2? qv : vq 2. Drop malicious exe c:\windows\ + file 3. Start the new exe at boot KEY LOCAL MACHINE +...\Windows\CurrentVersion\Run\ + key, file 4. Infect system dll user32.dll 5. Hijack network traffic c:\windows\system32\drivers\etc\hosts, Delete main exe Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 26

65 Sound and complete remediation of malware infection 1. Generates random file and key names file = po + rand() + rand() + rand() +.exe key = rand() % 2? qv : vq 2. Drop malicious exe Remove malicious exe c:\windows\ + file 3. Start the new exe at boot Remove registry key KEY LOCAL MACHINE +...\Windows\CurrentVersion\Run\ + key, file 4. Infect system dll Restore original dll user32.dll 5. Hijack network traffic Remove malicious mappings c:\windows\system32\drivers\etc\hosts, Delete main exe Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 27

66 Automatic generation of remediation procedures C 1 Behavior monitoring Cluster generalization C 2 C 3 Remediation procedure generation S 1 S 4 S 3 S 2 C1 C2 C3 High-level behavior analysis B 1 B 2 B 3 B 4 Behavior clustering Source: Automatic Generation of Remediation Procedures for Malware Infections (R. Paleari et al.) Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 28

67 Automatic generation of remediation procedures C 1 Behavior monitoring Cluster generalization C 2 C 3 Remediation procedure generation S 1 S 4 S 3 S 2 C1 C2 C3 High-level behavior analysis B 1 B 2 B 3 B 4 Behavior clustering Source: Automatic Generation of Remediation Procedures for Malware Infections (R. Paleari et al.) Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 28

68 Automatic generation of remediation procedures C 1 Behavior monitoring Cluster generalization C 2 C 3 Remediation procedure generation S 1 S 4 S 3 S 2 C1 C2 C3 High-level behavior analysis B 1 B 2 B 3 B 4 Behavior clustering Source: Automatic Generation of Remediation Procedures for Malware Infections (R. Paleari et al.) Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 28

69 Automatic generation of remediation procedures C 1 Behavior monitoring Cluster generalization C 2 C 3 Remediation procedure generation S 1 S 4 S 3 S 2 C1 C2 C3 High-level behavior analysis B 1 B 2 B 3 B 4 Behavior clustering Source: Automatic Generation of Remediation Procedures for Malware Infections (R. Paleari et al.) Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 28

70 Does it work? % activities reverted Files (primary) Files (ancillary) Reg. keys (primary) Reg. keys (ancillary) Processes (primary) Processes (ancillary) Our approach Nod32 Panda Kaspersky Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 29

71 Want to try it? Drop me a line ;-)

72 Conclusions Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 31

73 Conclusions Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 31

74 Conclusions Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 31

75 Conclusions Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 31

76 Questions? Roberto Paleari