RAID 2011 - Vrije Universiteit Amsterdam

Transcription

RAID 2011 - Vrije Universiteit Amsterdam
RAID 2011 14th International Symposium on Recent Advances in Intrusion Detection
KLIMAX: Profiling Memory Write Patterns
to
Detect Keystroke-Harvesting Malware
Menlo Park, 21st September 2011
Stefano Ortolani - ortolani@cs.vu.nl
Cristiano Giuffrida - giuffrida@cs.vu.nl
Vrije Universiteit
Amsterdam,The Netherlands
Bruno Crispo - crispo@disi.unitn.it
Università di Trento
Trento, Italy
RAID 2011 14th International Symposium on Recent Advances in Intrusion Detection
Motivation
KLIMAX: Profiling Memory Write Patterns
2
Stefano Ortolani, Cristiano Giuffrida, Bruno Crispo
RAID 2011 14th International Symposium on Recent Advances in Intrusion Detection
Motivation
KLIMAX: Profiling Memory Write Patterns
2
Stefano Ortolani, Cristiano Giuffrida, Bruno Crispo
RAID 2011 14th International Symposium on Recent Advances in Intrusion Detection
Motivation
Malware is here to
stay.
Especially if it can access
private data.
KLIMAX: Profiling Memory Write Patterns
2
Stefano Ortolani, Cristiano Giuffrida, Bruno Crispo
RAID 2011 14th International Symposium on Recent Advances in Intrusion Detection
In a Nutshell ...
KLIMAX: Profiling Memory Write Patterns
3
Stefano Ortolani, Cristiano Giuffrida, Bruno Crispo
RAID 2011 14th International Symposium on Recent Advances in Intrusion Detection
In a Nutshell ...
•
State-of-the-art approaches detect when data
is leaked!
Leaking!
KLIMAX: Profiling Memory Write Patterns
3
Stefano Ortolani, Cristiano Giuffrida, Bruno Crispo
RAID 2011 14th International Symposium on Recent Advances in Intrusion Detection
In a Nutshell ...
•
State-of-the-art approaches detect when data
is leaked!
•
They all depend on the adopted window of
observation.
•
•
But real-world malware conceal theirself!
Leaking is delayed until the malware is able to
blend in with the background noise.
KLIMAX: Profiling Memory Write Patterns
3
Stefano Ortolani, Cristiano Giuffrida, Bruno Crispo
RAID 2011 14th International Symposium on Recent Advances in Intrusion Detection
In a Nutshell ...
•
State-of-the-art approaches detect when data
is leaked!
•
They all depend on the adopted window of
observation.
•
•
But real-world malware conceal theirself!
•
Let’s backtrack to the harvesting then!
Harvesting!
Leaking is delayed until the malware is able to
blend in with the background noise.
•
We measure the harvesting by
quantitatively profiling the memory.
•
An approach so application-agnostic allows
us to deal with a huge variety of malware.
KLIMAX: Profiling Memory Write Patterns
3
Stefano Ortolani, Cristiano Giuffrida, Bruno Crispo
RAID 2011 14th International Symposium on Recent Advances in Intrusion Detection
Outline
•
•
•
•
•
•
Requirements.
Our approach, i.e. KLIMAX.
Technical challenges.
Architecture.
Detecting privacy-breaching malware.
Conclusions.
KLIMAX: Profiling Memory Write Patterns
4
Stefano Ortolani, Cristiano Giuffrida, Bruno Crispo
RAID 2011 14th International Symposium on Recent Advances in Intrusion Detection
Infrastructure Requirements
•
•
•
•
Transparent
•
Application-agnostic.
Backward compatible
•
Retrofit existing applications and OSes.
Live deployable
•
Can be installed in production at any time.
Fine-grained
•
Distinguishes the nature of memory accesses.
KLIMAX: Profiling Memory Write Patterns
5
Stefano Ortolani, Cristiano Giuffrida, Bruno Crispo
RAID 2011 14th International Symposium on Recent Advances in Intrusion Detection
Possible Approaches
•
Tracking memory usage is conceptually simple, but how to do it?
•
OS performance counters?
•
•
•
•
Have NO knowledge of single memory accesses. NOT fine-grained.
Snapshots?
•
Memory access dynamics is LOST.
Merely intercepting page-faults?
•
MISSES accesses. OS is not entirely in control.
Virtualization?
•
NOT live, and NOT fine-grained.
KLIMAX: Profiling Memory Write Patterns
6
Stefano Ortolani, Cristiano Giuffrida, Bruno Crispo
RAID 2011 14th International Symposium on Recent Advances in Intrusion Detection
Our Approach
•
We designed a component running in kernel space forcibly monitoring
any memory write.
•
The monitoring is enabled on-demand, hence no overhead if no
analysis is in progress.
•
We control a set of monitoring parameters.
•
•
•
•
•
Monitoring time.
Processes and thread to be monitored.
Code regions: main binary or/and libraries.
Memory regions: heap, data segment.
We obtain in return a set of performance counters.
KLIMAX: Profiling Memory Write Patterns
7
Stefano Ortolani, Cristiano Giuffrida, Bruno Crispo
RAID 2011 14th International Symposium on Recent Advances in Intrusion Detection
Our Approach
•
We designed a component running in kernel space forcibly monitoring
any memory write.
•
The monitoring is enabled on-demand, hence no overhead if no
analysis is in progress.
•
We control a set of monitoring parameters.
•
•
•
•
•
Monitoring time.
Processes and thread to be monitored.
Code regions: main binary or/and libraries.
Why not the
stack?
Memory regions: heap, data segment.
We obtain in return a set of performance counters.
KLIMAX: Profiling Memory Write Patterns
7
Stefano Ortolani, Cristiano Giuffrida, Bruno Crispo
RAID 2011 14th International Symposium on Recent Advances in Intrusion Detection
Long-Lived Stack Regions
•
The stack is not always transient ...
void foo(int * buff, int * v) {
buff[*v++] = 5;
}
int main(char *argv, int argc) {
int i = 0;
int buff[SIZE];
while(1)
foo(buff, &i);
}
Top of the stack
return 0;
Bottom of the stack
}
KLIMAX: Profiling Memory Write Patterns
8
Stefano Ortolani, Cristiano Giuffrida, Bruno Crispo
RAID 2011 14th International Symposium on Recent Advances in Intrusion Detection
Long-Lived Stack Regions
•
The stack is not always transient ...
void foo(int * buff, int * v) {
buff[*v++] = 5;
}
int main(char *argv, int argc) {
int i = 0;
int buff[SIZE];
Top of the stack
while(1)
locals of main - int
foo(buff, &i);
i, buff[]
return address of main
}
params of main - argv,
return 0;
argc
Bottom of the stack
}
KLIMAX: Profiling Memory Write Patterns
8
Stefano Ortolani, Cristiano Giuffrida, Bruno Crispo
RAID 2011 14th International Symposium on Recent Advances in Intrusion Detection
Long-Lived Stack Regions
•
The stack is not always transient ...
void foo(int * buff, int * v) {
buff[*v++] = 5;
}
int main(char *argv, int argc) {
int i = 0;
int buff[SIZE];
Top of the stack
while(1)
locals of main - int
foo(buff, &i);
i, buff[]
return address of main
}
params of main - argv,
return 0;
argc
Bottom of the stack
}
KLIMAX: Profiling Memory Write Patterns
8
Stefano Ortolani, Cristiano Giuffrida, Bruno Crispo
RAID 2011 14th International Symposium on Recent Advances in Intrusion Detection
Long-Lived Stack Regions
•
The stack is not always transient ...
void foo(int * buff, int * v) {
buff[*v++] = 5;
}
Top of the stack
int main(char *argv, int argc) {
locals of foo
int i = 0;
return address of foo
int buff[SIZE];
while(1)
foo(buff, &i);
params of foo - int
*buff, *v
locals of main - int
i, buff[]
return address of main
}
params of main - argv,
return 0;
argc
Bottom of the stack
}
KLIMAX: Profiling Memory Write Patterns
8
Stefano Ortolani, Cristiano Giuffrida, Bruno Crispo
RAID 2011 14th International Symposium on Recent Advances in Intrusion Detection
Long-Lived Stack Regions
•
The stack is not always transient ...
void foo(int * buff, int * v) {
buff[*v++] = 5;
}
int main(char *argv, int argc) {
int i = 0;
int buff[SIZE];
Top of the stack
while(1)
locals of main - int
foo(buff, &i);
i, buff[]
return address of main
}
params of main - argv,
return 0;
argc
Bottom of the stack
}
KLIMAX: Profiling Memory Write Patterns
8
Stefano Ortolani, Cristiano Giuffrida, Bruno Crispo
RAID 2011 14th International Symposium on Recent Advances in Intrusion Detection
Long-Lived Stack Regions
•
The stack is not always transient ...
void foo(int * buff, int * v) {
buff[*v++] = 5;
}
Top of the stack
int main(char *argv, int argc) {
locals of foo
int i = 0;
return address of foo
int buff[SIZE];
while(1)
foo(buff, &i);
params of foo - int
*buff, *v
locals of main - int
i, buff[]
return address of main
}
params of main - argv,
return 0;
argc
Bottom of the stack
}
KLIMAX: Profiling Memory Write Patterns
8
Stefano Ortolani, Cristiano Giuffrida, Bruno Crispo
RAID 2011 14th International Symposium on Recent Advances in Intrusion Detection
Long-Lived Stack Regions
•
The stack is not always transient ...
void foo(int * buff, int * v) {
buff[*v++] = 5;
}
int main(char *argv, int argc) {
int i = 0;
int buff[SIZE];
Top of the stack
while(1)
locals of main - int
foo(buff, &i);
i, buff[]
return address of main
}
params of main - argv,
return 0;
argc
Bottom of the stack
}
KLIMAX: Profiling Memory Write Patterns
8
Stefano Ortolani, Cristiano Giuffrida, Bruno Crispo
RAID 2011 14th International Symposium on Recent Advances in Intrusion Detection
Long-Lived Stack Regions
•
The stack is not always transient ...
Solution
void foo(int * buff, int * v) {
buff[*v++] = 5;
Keep
track of the lowest
}
*argv, int argc) {
topintofmain(char
the stack.
int i = 0;
And monitor only stack
while(1)
regions below
the
foo(buff, &i);
lowest} top of the stack.
int buff[SIZE];
Top of the stack
locals of main - int
i, buff[]
return address of main
params of main - argv,
return 0;
argc
Bottom of the stack
}
KLIMAX: Profiling Memory Write Patterns
8
Stefano Ortolani, Cristiano Giuffrida, Bruno Crispo
RAID 2011 14th International Symposium on Recent Advances in Intrusion Detection
Technical Challenges
•
Paging provides applications with a uniform and isolated
memory address space.
•
•
•
All the memory accesses are controlled by the hardware.
•
The intuition is to trigger a page fault for every
memory access.
The OS is only in charge of dealing with page faults.
A page fault may happen for different reasons: protection
fault, page swapped on disk... etc
KLIMAX: Profiling Memory Write Patterns
9
Stefano Ortolani, Cristiano Giuffrida, Bruno Crispo
RAID 2011 14th International Symposium on Recent Advances in Intrusion Detection
Technical Challenges - Solution
(1) We override the owner bit of some of the OS page table entries
(PTE)
(2) Each memory access triggers a protection page fault.
(3) We disassemble the instruction to compute the number of bytes
accessed.
(4) We disable the protection and we allow the OS to resolve the
fake page-fault.
(5) The monitored process then executes as usual.
(6) The protection is then restored right after the processor
completed the execution of the faulting instruction.
KLIMAX: Profiling Memory Write Patterns
10
Stefano Ortolani, Cristiano Giuffrida, Bruno Crispo
RAID 2011 14th International Symposium on Recent Advances in Intrusion Detection
Introducing KLIMAX
•
We implemented KLIMAX as a device-less driver on Windows XP
SP3.
•
•
We support unmodified kernel and applications.
•
KLIMAX’s two main components:
Current implementation features a thread-safe monitor.
•
Shadower follows the complex MM model of windows (see
Windows Internals).
•
Classifier introspects windows data structures and PE headers
to retrieve detailed process information.
KLIMAX: Profiling Memory Write Patterns
11
Stefano Ortolani, Cristiano Giuffrida, Bruno Crispo
RAID 2011 14th International Symposium on Recent Advances in Intrusion Detection
Architecture and Interactions (1/2)
Windows Kernel (Ring 0)
Page
Fault
Handler
Page
Tables
3 - Restore PTE
5 - Forward INT 0E
Classifier
4 - Update Counters
2 - INT 0E
Shadower
IDT
Monitor
KLIMAX
6 - Single Step
1 - Page Fault
Monitored
Process
User-land (Ring 3)
KLIMAX: Profiling Memory Write Patterns
12
Stefano Ortolani, Cristiano Giuffrida, Bruno Crispo
RAID 2011 14th International Symposium on Recent Advances in Intrusion Detection
Architecture and Interactions (2/2)
Windows Kernel (Ring 0)
Page
Fault
Handler
Page
Tables
3 - Override PTE
Classifier
4 - Shadow Query
2 - INT 01
Shadower
IDT
Monitor
KLIMAX
1 - Single Step
Monitored
Process
User-land (Ring 3)
KLIMAX: Profiling Memory Write Patterns
13
Stefano Ortolani, Cristiano Giuffrida, Bruno Crispo
RAID 2011 14th International Symposium on Recent Advances in Intrusion Detection
... and it works!
Let’s poke under the hood of modern browsers ...









•






                              

KLIMAX: Profiling Memory Write Patterns
14
Stefano Ortolani, Cristiano Giuffrida, Bruno Crispo
RAID 2011 14th International Symposium on Recent Advances in Intrusion Detection
KLIMAX for malware with keylogging behavior (1/2)
•
In our previous work [OGC10] we taunted a keylogger with some input
that looks real.
•
Our strategy comprised two contemporary phases:
•
•
Injection phase - the launch of the bait, i.e. the injection of the
keystrokes.
•
Monitor phase - in which we monitor all the processes.
A third phase, termed Detection phase, flags as a keylogger any
process exhibiting high correlation between:
•
•
The stream of keystrokes we injected.
The stream of bytes the process wrote on the hard drive.
KLIMAX: Profiling Memory Write Patterns
15
Stefano Ortolani, Cristiano Giuffrida, Bruno Crispo
RAID 2011 14th International Symposium on Recent Advances in Intrusion Detection
KLIMAX for malware with keylogging behavior (2/2)
•
Our old approach fails against malware postponing the leakage indefinitely
(no clear I/O activity).
•
In this scenario we can easily use KLIMAX and its ability to monitor each
memory write.
Windows Kernel (Ring 0)
Classifier
3a - Sample Injected
Injector
Shadower
Monitor
KLIMAX
3b - Memory Writes
Memory Writes
2 - Injection Pattern
4 - Writes Counters
1 - Attach to Process
Monitored
Process
Detector
User-land (Ring 3)
KLIMAX: Profiling Memory Write Patterns
16
Stefano Ortolani, Cristiano Giuffrida, Bruno Crispo
RAID 2011 14th International Symposium on Recent Advances in Intrusion Detection
Evaluation - False Positives
•
We tested the worst case scenario, e.g. shortcut managers.
Keylogger
Standard API
RegisterHotKey
Correlation
HoeKey 1.13
√
√
negligible
KeyTweak 2.3.0
√
-
negligible
Hot Key Plus 1.01
√
√
negligible
AutoHotkey 1.0.96.00
√
√
~1
ZenKEY 2.3.9
√
√
negligible
Acquarius Soft Keyboard Hotkey 2.5
√
√
negligible
Hotkey Recorder Version 2
√
-
negligible
HotKey Magic 1.3.0
√
-
negligible
KLIMAX: Profiling Memory Write Patterns
17
Stefano Ortolani, Cristiano Giuffrida, Bruno Crispo
RAID 2011 14th International Symposium on Recent Advances in Intrusion Detection
Evaluation - False Positives
•
We tested the worst case scenario, e.g. shortcut managers.
8 lines for its cfg file
makes AutoHotKey
a KeyLogger
Keylogger
Standard API
RegisterHotKey
Correlation
HoeKey 1.13
√
√
negligible
KeyTweak 2.3.0
√
-
negligible
Hot Key Plus 1.01
√
√
negligible
AutoHotkey 1.0.96.00
√
√
~1
ZenKEY 2.3.9
√
√
negligible
Acquarius Soft Keyboard Hotkey 2.5
√
√
negligible
Hotkey Recorder Version 2
√
-
negligible
HotKey Magic 1.3.0
√
-
negligible
KLIMAX: Profiling Memory Write Patterns
17
Stefano Ortolani, Cristiano Giuffrida, Bruno Crispo
RAID 2011 14th International Symposium on Recent Advances in Intrusion Detection
Evaluation - False Negatives
Keylogger
25 Samples from
the Sandnet dataset.
[Ross11]
Correlation
Keylogging API
API used
√
√
~1
Trojan-Downloader.Win32.Zlob.vzd
-
-
negligible
Monitor.Win32.Perflogger.ca
-
-
negligible
Suspicious.Graybird.1
-
-
negligible
Trojan-Spy.Win32.SCKeyLog.am
-
-
negligible
Backdoor.Win32.IRCBot.ebt
-
-
negligible
√
√
0.74
-
-
negligible
BackDoor.Generic9.MQL
√
√
~1
Trojan.Win32.Agent.arim
-
-
negligible
√
√
0.78
Worm.Win32.AutoRun.adro
-
-
negligible
Trojan.Win32.Delf.eq
-
-
negligible
Net-Worm.Win32.Mytob.jxu
-
-
negligible
Trojan-Spy.Win32.SCKeyLog.au
-
-
negligible
√
√
√
0.98
-
negligible
-
-
negligible
√
-
negligible
Downloader.Rozena
-
-
negligible
Downloader.Banload.BDRQ
-
-
negligible
Heur.Trojan.Generic
-
-
negligible
PSW.Generic7.BNDX
-
-
negligible
Backdoor.Win32.Poison.pg
Worm.MSIL.PSW.d
Worm.Win32.Fujack.cr
PSW.Agent.7.AH
Backdoor.Ciadoor
Backdoor.Win32.Agent.su
Backdoor.Win32.G_Spot.20
Trojan-Spy.MSIL.KeyLogger.oa
KLIMAX: Profiling Memory Write Patterns
18
Stefano Ortolani, Cristiano Giuffrida, Bruno Crispo
RAID 2011 14th International Symposium on Recent Advances in Intrusion Detection
Conclusions
•
Two main modes of detection:
•
•
Proactive detection - controlled by the user.
Reactive detection - monitors the processes that register the keylogging
callback.
•
•
Promising results from our evaluation against real-world malware.
•
•
•
Detecting keylogging malware is just the first application of KLIMAX.
False positives are due to poor programming practices.
KLIMAX can successfully monitor complex applications like modern web browsers.
More tuning-up is needed to improve the performance (e.g. overriding the writable bit).
KLIMAX: Profiling Memory Write Patterns
19
Stefano Ortolani, Cristiano Giuffrida, Bruno Crispo
RAID 2011 14th International Symposium on Recent Advances in Intrusion Detection
Thanks for your attention!
Any questions?
[OGC11] - Ortolani et al. - Bait your Hook: A Novel Detection Technique for Keyloggers
[Ros11] - Rossow et al. - Sandnet: Network Traffic Analysis of Malicious Software.
KLIMAX: Profiling Memory Write Patterns
20
Stefano Ortolani, Cristiano Giuffrida, Bruno Crispo