
A Fistful of Wonderland

Clint Eastwood vs. Lewis Carroll in a One-Metaphor-Too-Many Look at the Good, the Bad, and the Ugly of Malware Analysis on Virtual Platforms. Technologies for Critical Incident Preparedness Conference & Exposition 2008.


Presentation Transcript


  1. A Fistful of Wonderland
  Clint Eastwood vs. Lewis Carroll in a One-Metaphor-Too-Many Look at the Good, the Bad, and the Ugly of Malware Analysis on Virtual Platforms
  Technologies for Critical Incident Preparedness Conference & Exposition 2008
  Tom Liston, Senior Security Analyst - InGuardians, Inc. tom@inguardians.com

  2. Who are you and why are you here?
  • Tom Liston
    • Senior Security Analyst - InGuardians, Inc.
    • Handler - SANS Institute’s Internet Storm Center (ISC)
    • Founding member - ISC Malware Analysis Team
    • Co-Author (w/ Ed Skoudis) - Counter Hack Reloaded
    • Developer - LaBrea, an Open Source network tarpit
    • Technical Lead - InGuardians’ work on Virtual Machine Detection and Escape
  • InGuardians, Inc.
    • World class security consulting firm
    • Provides penetration testing, architecture review, code auditing, malware analysis, expert witnesses, and pure security research to government, military, and Fortune 100 companies

  3. Through the Looking Glass…
  • Virtualization is currently IT’s “hot product”
  • I’m going to assume you all know what virtualization…
  • And, why not?
  • Virtualization presents several amazing benefits to companies using it
    • Cost savings!
    • Space savings!
    • Infrastructure redundancy!
  • But, you folks in the “infrastructure” world are just starting to catch on…

  4. Getting there first… …and dragging the rest of you slackers with us.
  • Those of us who do malware analysis were some of the first adopters of virtualization
  • Why?
  • Virtual machines offer huge benefits for those of us who work with malware
  • In order to understand those benefits, you need to understand a little about modern malware analysis

  5. Modern Malware Analysis: In a Nutshell

    .text:0040127F push 1 ; flOptions
    .text:00401281 call ds:HeapCreate
    .text:00401287 mov hHeap, eax
    .text:0040128C lea eax, [ebp+var_8]
    .text:0040128F push eax
    .text:00401290 mov [ebp+var_8], 8
    .text:00401297 mov [ebp+var_4], 800h
    .text:0040129E call ds:InitCommonControlsEx
    .text:004012A4 push 28h
    .text:004012A6 lea eax, [ebp+hInstance]
    .text:004012A9 push edi
    .text:004012AA push eax
    .text:004012AB call memset
    .text:004012B0 add esp, 0Ch
    .text:004012B3 mov dword ptr [ebp-48h], offset

  • Malware analysis isn’t about poring over densely packed code listings
  • Stare at that stuff too long, and you end up with squinty eyes…
  • Modern malware analysis is a combination of:
    • Dead-code analysis
    • Behavioral analysis
  • It is an iterative process
  • Behavioral analysis reinforces the code analysis and vice versa

  6. Behavioral Analysis!?! You RUN these things?
  • Yep! All the time…
  • And that’s where virtualization comes into play…
  • With virtual machines we have the ability to revert any changes made to our environment
  • Additionally, using virtualization, I can create an entire network consisting of several target machines, all on their own isolated LAN, all within my laptop
    • Test “worm-like” spreading behavior
    • Test botnet command and control
    • Monitor attempts to “phone home”
  • We can, in essence, create a whole other world “through the looking glass”
  • And, in theory, we can control and monitor EVERYTHING

  7. A perfect malware world
  • Virtualization allows us to create everything needed to provide the malware with a full simulation of whatever it needs
  • We can create VMs for multiple operating systems and even multiple patch levels of a single operating system
  • We can attach VMs providing whatever services a piece of malware might want to our “network”
    • Web servers
    • Mail servers
    • IRC servers
    • etc…

  8. Trouble in Paradise
  • But REMEMBER:
    • Virtualization platforms were designed for general purpose use
    • Like “Wonderland,” they’re only a slightly warped version of our own reality
  • And the stuff we’re dropping into them is… well… NASTY
    • It’s sort of like dropping any Clint Eastwood character into Wonderland
    • And let’s face it, Clint really only plays ONE character
    • It doesn’t matter if he’s wearing a cowboy hat or a business suit… they’re all the same guy…
  • So, we need to be careful…

  9. What problems could there be?
  Well, that annoying White Rabbit and that mouthy Queen better watch it…

  10. Background
  • In the fall of 2005, InGuardians was contracted by DHS to research the potential for both virtual machine detection and escape
  • The enormous market potential for virtualization caused concerns about the security implications of VM isolation
  • At the time that we began our research, virtualization security had received little attention
    • Tools and methodologies for investigating the security of this new technology didn’t exist
    • We, essentially, had to “invent the wheel”

  11. Assumptions…
  • Security issues are generally discovered by examining assumptions
  • Challenging assumptions is the cornerstone of security research
  • Our research into detection/escape concerns highlights an ENORMOUS assumption that all virtualization users make
    • “There exists a high degree of isolation between host and guest and between guests”
  • This assumption is especially dangerous when analyzing malware

  12. Detection
  • We began our research by investigating the potential for an attacker (human or malcode) to detect that the machine that they’re on is virtualized
  • All available virtualization environments are detectable
  • Additionally, we postulate that there are several characteristics of the IA64 (x86) architecture that will make virtualization running on that architecture always be detectable

  13. Detection: Bad
  • During the course of our research, we discovered some of the first specimens of malware that detected virtualization and changed their behavior
  • Over the lifetime of our research project, virtualization detection within malware blossomed
  • Now approximately 10% of the specimens we see have some sort of virtualization detection
    • These are the most interesting 10%, because they have something to hide
  • Virtualization detection is now becoming integrated into many executable packers

  14. Escape
  • Think VM escape is impossible?
  • In July of 2007, InGuardians demonstrated (for the first time publicly) an exploit that could, from within a guest, launch arbitrary code on the host
  • The vulnerability was discovered in VMware Workstation, and has since been patched

  15. Escape: Ugly
  • While we’ve never seen or heard of “in the wild” malware capable of VM escape, it is especially important that we are aware that the possibility exists
  • Don’t rely on the isolation provided by virtualization
    • Keep hosts of VMs used for malware analysis air-gapped from production networks
    • Periodically flatten and reinstall hosts

  16. Conclusions
  • VM escape is the big, bad scary possibility hanging over our heads
  • Detection is of more concern
    • Malware that alters its behavior in a VM environment requires special handling
  • Harden VMs against detection
    • Thwarting Virtual Machine Detection by Tom Liston and Ed Skoudis
    • http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf
  • Examine code for VM detection routines
    • Hiding Virtualization from Attackers and Malware. Carpenter, Liston, Skoudis, IEEE Security and Privacy, May-June 2007
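The “examine code for VM detection routines” step of slide 16, and the behavior-changing specimens of slide 13, as an added example that is not part of the talk: a small Python triage scanner that runs a handful of byte-pattern indicators over a raw binary image and turns the hits into an analyst verdict. The indicator set, the Hit type, the verdict labels and the two sample images are all constructed for illustration and are not the authors’ code.

```python
"""Static triage of a specimen for VM-detection routines (added example)."""
import re
from dataclasses import dataclass

# Constructed, illustrative indicator set; a real scanner would carry many more
# signatures. Each pattern is a byte regex run over the raw file image.
INDICATORS = [
    # mov eax, 0x564D5868 ('VMXh'): the magic value used to talk to the VMware
    # I/O backdoor, a classic host-presence probe.
    ("vmware_backdoor_magic", re.compile(rb"\xB8\x68\x58\x4D\x56")),
    # mov eax, 0x40000000 followed within a few bytes by cpuid: queries the
    # hypervisor vendor leaf.
    ("cpuid_hypervisor_leaf", re.compile(rb"\xB8\x00\x00\x00\x40.{0,8}?\x0F\xA2", re.S)),
    # Vendor names that show up in registry/device/driver lookups.
    ("vendor_string", re.compile(rb"(?i)vmware|virtualbox|vbox|qemu|hyper-?v")),
]

@dataclass
class Hit:
    name: str
    offset: int

def scan_for_vm_detection(image: bytes) -> list:
    """Return every indicator hit in the image, ordered by file offset."""
    hits = [Hit(name, m.start()) for name, pat in INDICATORS for m in pat.finditer(image)]
    return sorted(hits, key=lambda h: h.offset)

def triage_verdict(hits) -> str:
    """Map hits to what the analyst should do before trusting a behavioral run."""
    kinds = {h.name for h in hits}
    if kinds & {"vmware_backdoor_magic", "cpuid_hypervisor_leaf"}:
        return "harden-vm"   # active probing: behavior in a stock VM is suspect
    if kinds:
        return "review"      # strings only: could be benign, inspect the code
    return "run"             # nothing found: a stock VM is a reasonable first pass

# Constructed sample images (not real malware): a tiny x86 fragment that sets
# EAX to 0x40000000, executes cpuid and carries a VMware registry path, and a
# clean fragment that does neither.
SAMPLE_PROBING = (b"\x55\x8B\xEC"                 # push ebp; mov ebp, esp
                  b"\xB8\x00\x00\x00\x40"         # mov eax, 0x40000000
                  b"\x31\xC9"                     # xor ecx, ecx
                  b"\x0F\xA2"                     # cpuid
                  b"\x00\x00\x00\x00"
                  b"Software\\VMware, Inc.\x00")
SAMPLE_CLEAN = b"\x55\x8B\xEC\x33\xC0\x5D\xC3"      # push ebp; mov ebp, esp; xor eax, eax; pop ebp; ret

if __name__ == "__main__":
    for label, image in (("probing", SAMPLE_PROBING), ("clean", SAMPLE_CLEAN)):
        hits = scan_for_vm_detection(image)
        print(label, triage_verdict(hits), [(h.name, hex(h.offset)) for h in hits])
```

A "harden-vm" verdict is the cue to apply the anti-detection hardening the slides reference before believing anything the specimen does in the sandbox.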

  17. Thank you!
  • Questions, comments: Tom Liston tom@inguardians.com (815) 342-7483
  • Slides available at: http://inguardians.com/tcip2008.pdf
