Malware: Prevenire (e curare) con strumenti open-source (Malware: preventing (and curing) it with open-source tools)
Roberto Paleari, roberto.paleari@emaze.net
Linux Day 2011, Modena, 22 October 2011
Who am I?
- PhD; research activities: malware analysis, systems & applications security; Laboratorio di Sicurezza e Reti (LaSeR)
- Senior security consultant: penetration testing, reverse engineering
Roberto Paleari Malware: Prevenire (e curare) con strumenti open-source 2
The rise of malicious code
[Chart: number of new malware signatures per year, 2003 to 2010; the y-axis runs up to 21,000,000]
Today malware is a very lucrative activity. Who lasts longer earns the most...
Long-lasting malware
- Spreads/replicates fast
- Hides its presence on the system
- Obfuscates its code (e.g., encryption, polymorphism, metamorphism)
Traditional signature-based approaches are not effective anymore!
Wait... why should we care about malware on Linux?
- Linux is not free from malware!
- The majority of embedded devices run Linux
- Many Linux users use Windows emulators (e.g., WINE) or virtual machines
How is malware detected today?
- A signature is a sequence of bytes that identifies a malicious sample
- Anti-malware tools ship with a database of known signatures
- The application code is scanned against that database; when a signature is found, the application is considered to be infected
Why is signature-based detection not effective anymore?
E.g., packing:
- The malicious code is hidden behind one or more compression layers
- Unpacking is performed at run-time
[Diagram: the malicious code wrapped in an unpacking routine, which is itself wrapped in a second unpacking routine]
- More than 80% of malware samples are packed
- About 200 packer families, with 2000 variants
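The following is an added example, not code from the talk or from any anti-malware product, that makes the two slides above concrete: a small hex-signature matcher in the style of ClamAV signatures ("??" is a one-byte wildcard), a constructed sample, and a toy single-byte XOR packer standing in for a real compression packer. The signature database, the sample bytes, the stub marker and the key are all assumptions of this example. Scanning the packed file finds nothing; scanning the bytes the stub produces at run time finds the signatures again, which is exactly why the analysis has to move to run time.

```python
"""Byte-signature scanning, and how a packing layer defeats it.

Added example: not code from the original slides or from any AV product.
The signature database, the 'malicious' sample and the packer are all
constructed for illustration; the single-byte XOR packer stands in for real
compression packers, which likewise leave no plaintext of the payload on disk.
"""
import re


def compile_signature(hex_sig):
    """Turn a hex signature ("4d5a??0003", ClamAV-style) into a bytes regex.
    '??' matches any one byte; every other pair is a literal byte."""
    digits = hex_sig.replace(" ", "")
    if len(digits) % 2:
        raise ValueError("hex signature needs an even number of hex digits")
    parts = []
    for i in range(0, len(digits), 2):
        pair = digits[i:i + 2]
        parts.append(b"." if pair == "??" else re.escape(bytes.fromhex(pair)))
    return re.compile(b"".join(parts), re.DOTALL)


# Constructed signature database (name -> hex pattern). The two patterns are
# the strings "?:\windows\po" (any drive letter) and "drivers\etc\hosts".
SIGNATURE_DB = {
    "Dropper.Example": "?? 3a 5c 77 69 6e 64 6f 77 73 5c 70 6f",
    "HostsHijack.Example": "64 72 69 76 65 72 73 5c 65 74 63 5c 68 6f 73 74 73",
}
COMPILED_DB = {name: compile_signature(sig) for name, sig in SIGNATURE_DB.items()}


def scan(data):
    """Names of every signature found in the given bytes (sorted)."""
    return sorted(name for name, pat in COMPILED_DB.items() if pat.search(data))


# Toy packer: 'stub || key || xor(payload, key)'. STUB stands in for the
# unpacking routine that a real packer prepends to the compressed payload.
STUB = b"UNPACK-STUB:"


def pack(payload, key):
    """Produce the on-disk form: only the stub is visible in clear."""
    return STUB + bytes([key]) + bytes(b ^ key for b in payload)


def unpack(packed):
    """What the stub does at run time: the only moment the plaintext exists."""
    if not packed.startswith(STUB):
        raise ValueError("not produced by this packer")
    key = packed[len(STUB)]
    return bytes(b ^ key for b in packed[len(STUB) + 1:])


# Constructed sample carrying the strings of the dropper discussed later on.
SAMPLE = (b"MZ\x90\x00" + b"c:\\windows\\po123456.exe\x00"
          + b"c:\\windows\\system32\\drivers\\etc\\hosts\x00")


def demo(key=0x5A):
    """Scan the same code in clear, as it sits on disk, and after the
    run-time unpacking step: only the dynamic view sees the signatures again."""
    on_disk = pack(SAMPLE, key)
    return {
        "plain": scan(SAMPLE),
        "packed_on_disk": scan(on_disk),
        "after_runtime_unpack": scan(unpack(on_disk)),
    }


if __name__ == "__main__":
    for stage, hits in demo().items():
        print(f"{stage:22s} -> {hits or 'no signature matched'}")
```

A real packer adds compression and anti-debugging tricks on top of this, but the scanning problem is the same: nothing in the on-disk bytes is stable except the stub, and a signature on the stub identifies the packer, not the malware.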
Current trend for malware analysis and detection
- Static analysis is either too onerous or impossible (malware is obfuscated & self-modifying)
- Dynamic, behavior-based malware analysis: run the suspicious program and monitor its execution. Does it behave maliciously?
Dynamic analysis
Run-time monitoring of closed-source applications. Suspicious applications should always be executed inside a controlled environment!
What kind of events can be observed?
- Interaction with the environment (e.g., files, networking activity, library functions)
- Interaction with the OS (e.g., system calls)
- Low-level information (e.g., register and memory values)
Dynamic analysis: tools
All Linux distributions include several run-time monitoring tools: lsof, netstat, /proc/<pid>/*, tcpdump, ...

ltrace (library-call tracing):

    $ ltrace /bin/ls 2>&1 | head -n 20
    __libc_start_main(0x804e5f0, 1, ... <unfinished ...>
    setlocale(6, "") = "it_IT.ISO-8859-15@euro"
    bindtextdomain("coreutils", "/usr/share/locale") = "/usr/share/locale"
    textdomain("coreutils") = "coreutils"
    __cxa_atexit(0x8051860, 0, 0, 0xb7f01ff4, 0xbf95cf98) = 0
    isatty(1) = 0
    getenv("QUOTING_STYLE") = NULL
    ...
    getenv("BLOCK_SIZE") = NULL
    getenv("COLUMNS") = NULL
    ioctl(1, 21523, 0xbf95cf6c) = -1
    ...

strace (system-call tracing):

    $ strace /bin/ls 2>&1 | head -n 10
    execve("/bin/ls", ["/bin/ls"], [/* 34 vars */]) = 0
    brk(0) = 0x8e93000
    access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file)
    mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0) = 0xb7f74000
    access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file)
    open("/etc/ld.so.cache", O_RDONLY) = 3
    fstat64(3, {st_mode=S_IFREG|0644, st_size=58489, ...}) = 0
    mmap2(NULL, 58489, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7f65000
    close(3) = 0
    access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file)
    ...

... and what about Windows? Most of these tools have a Windows counterpart. For a nifty Windows system call tracer, try WUSSTrace :-) http://code.google.com/p/wusstrace/
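As an added example (not from the slides, and not part of strace or ProcessTap), the following script does what a behavior-based analyzer does with the raw output of strace: it lifts system calls to events (files written, connections made, programs executed, files deleted) and applies a few verdict rules to them. The trace, with its PIDs, paths, IP address and port, and the three rules are constructed for this example; the line format is the one `strace -f -o trace.txt` writes, and failed calls are ignored because they changed nothing on the system.

```python
"""Behavior extraction from an strace log.

Added example, not part of the original slides or of strace/ProcessTap.
SAMPLE_TRACE is constructed by hand in the format that `strace -f -o trace.txt`
writes (PID, then the call); its paths, IP address and port are invented.
The three verdict rules at the end are illustrative heuristics chosen for this
example, not the rules of any real detector.
"""
import re

# Constructed trace: a dropper that edits a shell startup file, talks to a
# remote host, spawns a shell and finally deletes its own executable.
SAMPLE_TRACE = r"""
1234  execve("/tmp/sample", ["/tmp/sample"], [/* 20 vars */]) = 0
1234  open("/etc/ld.so.cache", O_RDONLY) = 3
1234  open("/etc/ld.so.nohwcap", O_RDONLY) = -1 ENOENT (No such file or directory)
1234  open("/home/roby/.bashrc", O_WRONLY|O_CREAT|O_APPEND, 0644) = 4
1234  write(4, "/tmp/.x/sh &\n", 13) = 13
1234  socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 5
1234  connect(5, {sa_family=AF_INET, sin_port=htons(6667), sin_addr=inet_addr("198.51.100.7")}, 16) = 0
1234  clone(child_stack=0, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0xb7f0e728) = 1235
1235  execve("/bin/sh", ["sh", "-c", "id"], [/* 20 vars */]) = 0
1234  unlink("/tmp/sample") = 0
1234  exit_group(0) = ?
"""

LINE_RE = re.compile(r'^(?P<pid>\d+)\s+(?P<call>\w+)\((?P<args>.*)\)\s+=\s+(?P<ret>-?\d+|\?)')
QUOTED_RE = re.compile(r'"([^"]*)"')
WRITE_FLAGS_RE = re.compile(r'\bO_(?:WRONLY|RDWR|CREAT|TRUNC|APPEND)\b')
ADDR_RE = re.compile(r'htons\((\d+)\).*inet_addr\("([^"]+)"\)')
STARTUP_FILE_RE = re.compile(r'/\.(?:bashrc|profile|bash_profile)$|^/etc/rc\.local$')


def parse_trace(text):
    """Yield (pid, call, args, ret) per complete line. Calls strace splits into
    '<unfinished ...>' / '<... resumed>' halves do not match and are skipped."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            ret = None if m.group("ret") == "?" else int(m.group("ret"))
            yield m.group("pid"), m.group("call"), m.group("args"), ret


def extract_events(text):
    """Lift raw syscalls to the events a behavior-based analyzer reports."""
    events = []
    for pid, call, args, ret in parse_trace(text):
        if ret is not None and ret < 0:
            continue  # a failed call (ENOENT, EACCES, ...) changed nothing
        quoted = QUOTED_RE.search(args)
        path = quoted.group(1) if quoted else None
        if call == "execve" and path:
            events.append((pid, "exec", path))
        elif call in ("open", "openat") and path and WRITE_FLAGS_RE.search(args):
            events.append((pid, "file_write", path))
        elif call == "connect":
            addr = ADDR_RE.search(args)
            if addr:
                events.append((pid, "connect", f"{addr.group(2)}:{addr.group(1)}"))
        elif call in ("unlink", "unlinkat") and path:
            events.append((pid, "file_delete", path))
    return events


def analyze(text):
    """Summarize the events and apply three illustrative verdict rules."""
    events = extract_events(text)
    executed = [d for _, k, d in events if k == "exec"]
    written = [d for _, k, d in events if k == "file_write"]
    deleted = {d for _, k, d in events if k == "file_delete"}
    connections = [d for _, k, d in events if k == "connect"]
    alerts = []
    for p in written:
        if STARTUP_FILE_RE.search(p):
            alerts.append(f"persistence: writes shell startup file {p}")
    for c in connections:
        if c.endswith(":6667"):
            alerts.append(f"network: connects to IRC port on {c}")
    if executed and executed[0] in deleted:
        alerts.append(f"self-delete: removes its own executable {executed[0]}")
    if len(executed) > 1:
        alerts.append("spawns: " + ", ".join(executed[1:]))
    return {"executed": executed, "files_written": written,
            "connections": connections, "alerts": alerts}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_TRACE).items():
        print(f"{key}: {value}")
```

The same lifting step is what ProcessTap probes or a sandbox report give you directly; with plain strace you have to do it yourself, and you also inherit strace's limits: it is trivially detectable by the traced process (ptrace allows a single tracer), and it sees nothing a kernel-level component does.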
Dynamic analysis: do you want something more?
Introducing ProcessTap
- A dynamic tracing framework
- Leverages dynamic binary instrumentation to intercept the events of interest
- ProcessTap scripts are written in Python!
Dynamic analysis, ProcessTap: an example
What do ProcessTap scripts look like?

    #!/usr/bin/env processtap

    include("stdlib.h")

    @function_entry(function_name == "malloc")
    def malloc_entry(ctx):
        print "[F] >>> %s called from %.8x with argument %u" % \
            (ctx.function_name, ctx.caller, ctx.args[0])

    @syscall_exit(syscall_name >> ["open", "close"])
    def fexit(ctx):
        print "[S] <<< %s returning to %.8x" % (ctx.syscall_name, ctx.regs.rip)
Running the script against /usr/bin/id:

    $ ./examples/malloctrace.pcap -- /usr/bin/id
    [*] Started parser (listening on 45352)
    [*] Executable file: /usr/bin/id
    [*] PTAP file: ./examples/malloctrace.pcap
    [*] Loaded 344 system calls
    [*] Parsing stdlib.h (123 functions)
    [*] Loaded probes:
    [*]   function_entry
    [+]     (function_name == @malloc) malloc_entry
    [*]   syscall_exit
    [+]     ((syscall_name == 5) | (syscall_name == 6)) fexit
    [*] Parsing /usr/bin/id [0000000008048114-000000000804f544]
    [*] Parsing /lib/i386-linux-gnu/ld-2.13.so [00000000b5792000-00000000b57ae908]
    ...
    [S] <<< open returning to b771aef4
    [S] <<< close returning to b771af2d
    [*] Parsing /lib/i386-linux-gnu/libselinux.so.1 [00000000b52ef000-00000000b530dc3c]
    [*] Parsing /lib/i386-linux-gnu/i686/cmov/libc-2.13.so [00000000b5112000-00000000b526b978]
    [*] Parsing /lib/i386-linux-gnu/i686/cmov/libdl-2.13.so [00000000b4bf6000-00000000b4bf9078]
    ...
    [S] <<< open returning to b7704424
    [S] <<< close returning to b7704424
    uid=1000(roby) gid=1000(roby) groups=1000(roby),6(disk),20(dialout),24(cdrom),25(floppy),29(audio),40(src),44(video),46(plugdev),107(fuse),109(netdev),110(lpadmin),114(vboxusers)
    [*] Backend terminated with exit status 0
Try it! http://code.google.com/p/processtap
Limitations of dynamic approaches
Dynamic solutions are not free from limitations, especially when dealing with malicious applications:
- User-level approaches are not enough: malware often includes kernel-level components, and in these situations user-level anti-malware solutions are ineffective
- Non-transparency: the analysis tool can be detected; if the malware detects the analyzer, it behaves like a benign program
- High run-time overhead: end hosts have strict real-time constraints; if the analysis takes too long, the detector assumes the suspicious program is benign
- How to remediate an infected system? Remediation procedures included in anti-malware tools are often imprecise. Can we generate these procedures automatically?
Transparent and efficient analysis
How to monitor the execution of a suspicious program? (worst-case scenario: kernel-level malware)
Two options:
- Kernel-based analysis
- Out-of-the-box analysis
Kernel-based approaches
- The analysis tool is implemented as a kernel module
- To analyze kernel-level code, these approaches leverage another kernel-level module... it is like a dog chasing its tail! The analyzer runs at the same privilege level as the kernel-level malware it should observe, so the malware can detect it or tamper with it
Out-of-the-box approaches
- The analyzer leverages VM-introspection techniques
- The target system must already be running inside a VM
- Malware can detect when it is running inside a VM!
Source: A fistful of red-pills (R. Paleari, L. Martignoni, G. Fresi Roglia, D. Bruschi)
How to analyze kernel-level malware?
Neither kernel-based analysis nor out-of-the-box analysis is satisfactory. Instead: exploit hardware support for virtualization to achieve both efficiency and transparency.
Hardware-assisted virtualization in a nutshell (Intel VT-x)
[Diagram: without VT-x, applications run in ring 3 (R3) and the kernel in ring 0 (R0); with VT-x, the same R3/R0 guest runs unmodified in non-root mode while a hypervisor runs beneath it in root mode]
- The OS need not be modified
- The hardware guarantees transparency & isolation
- Minimal overhead
HyperDbg: an overview
[Diagram: user processes (user mode) and the operating system kernel (kernel mode) run in non-root mode; the framework and the analysis tool run in root mode; events of interest exit from the guest to the framework, which inspects the guest]
- The framework is installed while the target system runs. It is completely separate from, and more privileged than, the analyzed OS
- The analyzed OS need not be modified at all (i.e., the approach can be applied to closed-source OSes)
- The analysis tool runs in an isolated execution environment (a defect in the tool does not affect the stability of the OS)
- At the end of the analysis, the infrastructure can be removed on-the-fly
HyperDbg: implementation
User interface
- We cannot rely on the guest OS graphic libraries
- A small VGA driver interacts with the system's video card
- The driver is neither OS- nor hardware-dependent
User interaction
- A user can activate HyperDbg by pressing a hot-key
- In non-root mode, keystrokes are intercepted by leveraging VT-x functionalities (i.e., I/O port operation events)
- In root mode, a simple driver reads the keystrokes
HyperDbg: graphical user interface
[Screenshot of the HyperDbg user interface]
Try it! http://code.google.com/p/hyperdbg
It supports both Windows and Linux.
Remediation of a system infected by malware
To reinstall the system or to remediate the infection?
Windows-specific material!
A sample malware
1. Generates random file and key names: file = "po" + rand() + rand() + rand() + ".exe"; key = rand() % 2 ? "qv" : "vq"
2. Drops the malicious exe: "c:\windows\" + file
3. Starts the new exe at boot: HKEY_LOCAL_MACHINE + "...\Windows\CurrentVersion\Run\" + key = file
4. Infects a system DLL: user32.dll
5. Hijacks network traffic: c:\windows\system32\drivers\etc\hosts (www.google.com, www.citibank.com)
6. Deletes the main exe
Sound and complete remediation of the malware infection
1. Generates random file and key names: nothing to undo
2. Drops the malicious exe ("c:\windows\" + file): remove the malicious exe
3. Starts the new exe at boot (HKEY_LOCAL_MACHINE + "...\Windows\CurrentVersion\Run\" + key = file): remove the registry key
4. Infects a system DLL (user32.dll): restore the original DLL
5. Hijacks network traffic (c:\windows\system32\drivers\etc\hosts: www.google.com, www.citibank.com): remove the malicious mappings
6. Deletes the main exe: nothing to undo
Sound: the procedure only reverts changes the malware made; complete: it reverts all of them.
Automatic generation of remediation procedures
[Pipeline diagram: behavior monitoring -> high-level behavior analysis -> behavior clustering -> cluster generalization -> remediation procedure generation; the nodes are labelled S1..S4, B1..B4 and C1..C3]
Source: Automatic Generation of Remediation Procedures for Malware Infections (R. Paleari et al.)
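To make the last two pipeline steps concrete, here is an added example that is not the authors' implementation and not code from the cited paper. It takes constructed traces of three runs of the dropper from the previous slides, generalizes each behavior slot into a pattern (the random file name becomes po[0-9]+\.exe, the qv/vq key name an alternation of the observed literals) and emits the inverse of each action in reverse order. The traces, the full Run key path, the action-to-undo mapping and the assumption that the runs are already aligned (i.e., clustered) are all assumptions of this example.

```python
"""From behavior traces to a remediation procedure.

Added example: it is not the authors' implementation and not code from the
paper cited above. It reproduces, in miniature, the last two steps of the
pipeline (cluster generalization and remediation procedure generation) on
constructed traces of the dropper described above; the traces, the registry
path and the mapping from each action to its inverse are assumptions of this
example.
"""
import re

RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# Constructed traces of three executions of the same sample: only the random
# file name and the qv/vq key name change between runs, as step 1 predicts.
RUNS = [
    [("file_create", r"c:\windows\po1357924680.exe"),
     ("reg_set", RUN_KEY + r"\qv"),
     ("file_modify", r"c:\windows\system32\user32.dll"),
     ("hosts_add", "www.google.com"),
     ("hosts_add", "www.citibank.com"),
     ("file_delete", r"c:\users\roby\sample.exe")],
    [("file_create", r"c:\windows\po40187.exe"),
     ("reg_set", RUN_KEY + r"\vq"),
     ("file_modify", r"c:\windows\system32\user32.dll"),
     ("hosts_add", "www.google.com"),
     ("hosts_add", "www.citibank.com"),
     ("file_delete", r"c:\users\roby\sample.exe")],
    [("file_create", r"c:\windows\po7.exe"),
     ("reg_set", RUN_KEY + r"\qv"),
     ("file_modify", r"c:\windows\system32\user32.dll"),
     ("hosts_add", "www.google.com"),
     ("hosts_add", "www.citibank.com"),
     ("file_delete", r"c:\users\roby\sample.exe")],
]

# Inverse of each observed action (assumption of this example).
UNDO = {
    "file_create": "delete_file",
    "reg_set": "delete_registry_value",
    "file_modify": "restore_file_from_clean_copy",
    "hosts_add": "remove_hosts_entry",
}

TOKEN_RE = re.compile(r"\d+|\D+")


def generalize(values):
    """Regex matching every observed value of one behavior slot.
    Digit runs that vary between runs become [0-9]+; when the values do not
    share a shape (qv vs vq), fall back to an alternation of the literals."""
    tokenized = [TOKEN_RE.findall(v) for v in values]
    head = tokenized[0]
    same_shape = all(len(t) == len(head) for t in tokenized) and all(
        tok.isdigit() == head[i].isdigit() and (tok.isdigit() or tok == head[i])
        for t in tokenized for i, tok in enumerate(t))
    if not same_shape:
        return "(?:" + "|".join(re.escape(v) for v in sorted(set(values))) + ")"
    pattern = []
    for i, tok in enumerate(head):
        if tok.isdigit() and len({t[i] for t in tokenized}) > 1:
            pattern.append("[0-9]+")
        else:
            pattern.append(re.escape(tok))
    return "".join(pattern)


def remediation_procedure(runs):
    """Align the runs slot by slot (the dropper always performs the same action
    sequence), generalize each slot and emit the undo steps in reverse order,
    so that later side effects are undone before the artefacts they depend on."""
    steps = []
    for slot in zip(*runs):
        actions = {action for action, _ in slot}
        if len(actions) != 1:
            raise ValueError(f"runs are not aligned: {sorted(actions)}")
        action = actions.pop()
        if action in UNDO:  # the sample deleting its own exe leaves nothing to undo
            steps.append((UNDO[action], generalize([target for _, target in slot])))
    steps.reverse()
    return steps


def applicable_steps(steps, artefact):
    """On a fresh victim: the steps whose pattern matches an observed artefact."""
    return [s for s in steps if re.fullmatch(s[1], artefact, re.IGNORECASE)]


if __name__ == "__main__":
    for action, pattern in remediation_procedure(RUNS):
        print(f"{action:30s} {pattern}")
```

The generalization is deliberately the simplest one that handles the sample: a fourth run with a name of a different shape would make the pattern collapse to an alternation, and a real system needs a richer notion of "same behavior" (the clustering step) before generalizing. The soundness requirement shows up in the patterns too: po[0-9]+\.exe under c:\windows only is acceptable, whereas generalizing to .*\.exe would delete benign files.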
Does it work?
[Chart: percentage of malware activities reverted, for files, registry keys and processes (primary and ancillary), comparing our approach with Nod32, Panda and Kaspersky]
Want to try it? Drop me a line ;-)
Conclusions
Questions? Roberto Paleari roberto.paleari@emaze.net