320 likes | 440 Views
Finding Diversity in Remote Code Injection Exploits. Justin Ma , John Dunagan , Helen J. Wang , Stefan Savage , Geoffrey M. Voelker *University of California, San Diego *Microsoft Research. Encountering new malware. Have I seen this before?
E N D
Finding Diversity in Remote Code Injection Exploits Justin Ma, John Dunagan, Helen J. Wang, Stefan Savage, Geoffrey M. Voelker *University of California, San Diego *Microsoft Research
Encountering new malware Have I seen this before? How closely related is it to what I have seen before?
Practical considerations New defense? ?
Theoretical considerations Evolutionary relationship? ? ?
Grouping similar malware together… • Ultimately, construct malware families • Anti-virus industry is active in this area
Motivation 710 new families 40,000 new variants Family and variant defined in ad-hoc fashion… Is there a systematic way to determine the nature of this diversity?
Exploit diversity MS RPC Request Exploit Attacker
Polymorphism Encrypted Attacker
Behind the encryption… Attacker
Differing constants Different IP address Attacker
Functional differences Waiting for a connection Attacker
Different code base Calling “tftp.exe” Attacker
ISystemActivator vulnerability How different are they? 1,561 exploit attempts 90 unique payloads
Our goal • Automatically construct phylogeny, or family tree of exploits
Outline for this talk • On classifying shellcodes • Steps for systematically studying shellcodes • Trace collection • Shellcode extraction • Shellcode decryption • Comparing samples • Cluster analysis • Post-hoc manual inspection to validate • Look at the code!
Why shellcodes? • Our study focuses on exploits • They are packaged with the exploit • First foreign code that executes on a newly infected machine • Part of exploit with most leeway for variation • Primary challenge: collecting and analyzing shellcodes
Remote code injection attacks low MS RPC Request Exploit Vulnerable buffer Flow of execution Shellcode Decrypted shellcode Victim high Victim’s stack memory
Trace collection • Studying 5 vulnerabilities • Residential • 2-day trace • Windows XP SP2 • 29 unused DSL IP addresses • 4,400 exploit samples • Enterprise Trace • 1 Hour • Active responders • 5x /24 subnets • 1,500 exploit samples
Shellcode extraction • Shield (Sigcomm’04) • Framework for specifying network-based protocols and vulnerabilities • Extracts shellcodes from raw network packets
Shellcode decryption • Shellcode is encrypted • Use shellcode’s own decryption loop! • Limited emulation • Similar to generic decryption technique used for viruses
Comparing samples:Candidate metrics • Edit distance • Too specific: non-code portions of payload made related exploits unnecessarily distant • Structural distance • Control flow graph over basic blocks • Basic blocks summarized with a color/hash • Too general: did not capture subtle instruction variations between exploit families
Comparing samples:Final metric • Exedit distance metric • Edit distance over executed parts of shellcode • Distinguishes code from data • Maintains instruction-level details Canonical string for shellcode
Cluster analysis • Need to group samples using the exedit distance metric • Agglomerative clustering • Each iteration, merge closest pair of clusters • Cluster distance = distance of furthest samples between two clusters
Results • Caught exploits for 5 vulnerabilities over traces • Summary for residential trace
ISystemActivator 10% clustering threshold Need to manually verify this… 6 families
ISystemActivator 4-byte decoding key Kernel-address loading function Function-finding block
4-byte encoding key Kernel base loader Function finder ISystemActivator 4-byte decoding key Kernel-address loading function Function-finding block
ISystemActivator Longest payload Many function blocks in middle of payload
ISystemActivator Command-line call to “tftp.exe”
ISystemActivator Different instructions in parts, otherwise very similar
ISystemActivator “Connect-back” version “Bind” version
Conclusions • Systematic method for classifying exploits • Exploit collection • Shellcode extraction and decryption • Shellcode comparison using exedit distance • Group exploits with clustering • Similarity between samples in computed phylogenies corresponded well with observed differences • Useful step toward automating malware classification