1 / 33

Abusing File Processing in Malware Detectors for Fun and Profit

Abusing File Processing in Malware Detectors for Fun and Profit. Suman Jana and Vitaly Shmatikov The University of Texas at Austin. Modern malware research. All about sophisticated detection and evasion techniques Polymorphism, metamorphism, obfuscation… . Topic of this talk.

nicki
Download Presentation

Abusing File Processing in Malware Detectors for Fun and Profit

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Abusing File Processing in Malware Detectors for Fun and Profit Suman Jana and Vitaly Shmatikov The University of Texas at Austin

  2. Modern malware research • All about sophisticated detection and evasion techniques • Polymorphism, metamorphism, obfuscation…

  3. Topic of this talk • All about sophisticated detection and evasion techniques • Polymorphism, metamorphism, obfuscation.. no changes to virus content against the world’s best malware detector the world’s simplest virus

  4. Malware researcher’s view of malware detection malware malware detector honeypot

  5. How malware detectors work in practice intranet internet gateway malware detector internet users infer file type parse

  6. Why must malware detectors infer file types? • Detection algorithms are type-specific • Parsing depends on filetype • Detectors may skip lessvulnerable types like MPEG correctness efficiency

  7. Parsing in malware detectors remove whitespace characters find macros extract files <a>foo<\a> macros <a> foo <\a> Word documents Archive files HTML files

  8. Parsingin malware detectors COM MS CAB COFF JavaScript MS CHM bzip JPEG ELF MS PPT(X) RTF GIF Adobe Flash MS EXE PDF MP3 MS DLL 7-zip JAR

  9. Why must malware detectors parse before detection? • Identify executable content • Macros in Word files • Code segments in PE, ELF • JavaScript in CHM • Normalize input to a form suitable for detection • Decompress • Preprocess HTML • Separate metadata from content detectors must parse lots of file formats

  10. File-type inference and parsingtake place in two different places malware detector user application/OS infer file type infer file type internet parse parse difference = potential evasion if uninfected

  11. Exhibit A (CVE-2012-1419) • TAR files: ustarat offset 257 • mirc.ini files: [aliases] at offset 0 TAR archive header initial 100 bytes contains the name of first file ustar eicar.com\0 eicar.com

  12. Exhibit A (CVE-2012-1419) • TAR files: ustarat offset 257 • mirc.ini files: [aliases] at offset 0 TAR archive header filename changes but the content is unmodified ustar [aliases].com\0 eicar.com

  13. Vulnerable detectors

  14. Exhibit B (CVE-2012-1463) Executable and Linkable Format (ELF) header offset 5 1 : little-endian 2 : big-endian 1

  15. Exhibit B (CVE-2012-1463) Executable and Linkable Format (ELF) Linux ELF loader does not use this byte but most malware detectors do header offset 5 1 : little-endian 2 : big-endian 2

  16. Vulnerable detectors

  17. Exhibit C (CVE-2012-1461) eicar.tar eicar.tar.gz gzip most detectors cannot parse such files correctly but gunzip does eicar.tar.1 eicar.tar.2

  18. Vulnerable detectors

  19. Exhibit D (CVE-2012-1459) TAR archive layout header 1 checksum length uninfected file most detectors ignore checksum field header 2

  20. Exhibit D (CVE-2012-1459) TAR archive layout header 1 wrong checksum length GNU tar ignores header with wrong checksum, extracts malware uninfected file most detectors ignore checksum field header 2

  21. Vulnerable detectors

  22. Many more attacks 45 different CVE reports for previously unknown evasion exploits 9 file formats 13 applications

  23. 36 tested detectors – ALL vulnerable

  24. You might be thinking… Aren’t these well-known bugs?

  25. Response from AV vendors • OMG! These exploits completely bypass our detection engines • Patches are being pushed out

  26. You might be thinking… Aren’t these the same as browser content-sniffing bugs? No

  27. Content-sniffing bugs in browsers • MIME content sniffing in Web browsers can be exploited for XSS attacks • First reported by Palant (2007) and Nazario (2009) • Defense for browsers [Barth et al.]: prefix-disjoint signatures… does not work for malware detectors • Signatures for many formats that detectors must deal with are not prefix-disjoint

  28. You might be thinking… These attacks affect only archive formats

  29. Does this affect only archive formats? • No, we have attacks against ELF, PE, MS CHM, MS Word, etc. • What is an archive format anyway? • Many modern formats (e.g. PDF, MS Word) allow embedding different types of content

  30. You might be thinking… Behavioral detection will save us

  31. No, behavioral detection will not save you malware detector user application/OS infer file type infer file type they must be exactly the same parse parse For behavioral detection to work here ….

  32. Possible solutions • Write better parsers • On-access scanning • Does not work in network/cloud detectors • Better integration of malware detectors with applications • Applications can share intermediate state after parsing with cloud/network detectors nonstarter only works for archive files

More Related