Polymorphism and IDS Black Hat Briefings Las Vegas 2001 Chad R. Skipper Sr. Software Engineer Symantec Corp.
whoami • Chad R. Skipper • Air Force - systems counter intelligence, OSI investigations, information warfare, and exploit intelligence • Trident Data Systems – Network/Sys/Security Administrator • L-3 Network Security/Symantec – Sr. Software Engineer • Signature Development • IDS Evasion Techniques • cskipper@symantec.com
Overview • Evolution of malicious polymorphic code • Paradigm shift • Polymorphic coding • ADMmutate by K2 • http://www.ktwo.ca/ • TCPDumps • IDS Response
Polymorphism • What is polymorphism • The ability to appear in many forms • Continuous change (unique coding) • Independent of encryption • Morphs regexp’s within attacks • Can exist on multiple platforms
Evolution of Polymorphism • Simple Viruses • Replicates itself and is the easiest to detect • Virus always makes an exact replica of itself • Detection: Scan for a sequence of bytes found in the virus
Evolution of Polymorphism • Encrypted Viruses • Response to detection was encrypting viruses • Hide the fixed bytes by encrypting the virus
Evolution of Polymorphism • Encrypted Viruses • Consists of a virus decryption routine and an encrypted virus body • Uses encryption keys, but decryption remained constant, thus detection was a sequence of bytes of the decryption routine
Evolution of Polymorphism • Encrypted Viruses • Executes decryption routine • Gains control of the system • Decrypts and gives control to virus • Infection occurs • Copies itself • Encrypts itself • Attaches itself to a new program
Evolution of Polymorphism • Polymorphic Virus • Response to detection was polymorphism • Contains the encrypted body and decryption routine • Adds a mutation engine that generates randomized decryption routines with each use • Mutation engine and virus body are both encrypted • Result is the virus body encryption and decryption routines vary from infection to infection • NO FIXED SIGNATURE
Evolution of Polymorphism • Polymorphic Virus • Decrypts virus and mutation engine • Transfers control to the virus • Copies itself and the mutation engine • Invokes the mutation engine • Randomly generates decryption routine • Virus is now unique from the prior virus • Attaches to a new program
Evolution of Polymorphism • Problems with Polymorphic Virus Detection • Dark Avenger and MtE • Produces random programs • Billions-upon-billions of variations • Polymorphic Virus Detection • One-by-one, line-by-line (Don’t think so) • Generic Decryption • Slow • Heuristic-Based Generic Decryption • Heuristic guesses • False Negatives
Evolution of Polymorphism • Polymorphic Virus Detection Solutions • Does not rely on heuristic guesses • Relies on rules or profiles specific to each virus • Rules out possibilities first • Runs file in virtual machine (VM) • Looks for triggers
Evolution of Polymorphism • Polymorphic Virus Detection Solutions • Load file into self-contained VM • Is this file .exe, .com, .sys…? • If .exe then A,B,C,D,and E are virus behaviors • Suspect files • A,B,C • A,B,D • D,B,E • Observes A, then “D,B,E” are out • Observes B, then remaining are still in • Observes D, then “A,B,C” are out and “A,B,D” are in
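The "rule out possibilities first" walk-through on the slide above, written out as an added example (this is not the slides' or Symantec's code). The three suspect profiles and the behaviour letters A-E are the slide's own; treating each profile as an ordered sequence and dropping a candidate as soon as an observed behaviour differs from what it predicts at that position is the assumption that reproduces the slide's result.

```python
# Added example: candidate elimination over ordered behaviour profiles, as a
# virtual-machine scanner would do while it watches a file execute.
from typing import Dict, List, Sequence, Set

# Suspect profiles from the slide: the behaviours each virus shows, in order.
PROFILES: Dict[str, Sequence[str]] = {
    "ABC": ("A", "B", "C"),
    "ABD": ("A", "B", "D"),
    "DBE": ("D", "B", "E"),
}


def remaining_candidates(profiles: Dict[str, Sequence[str]],
                         observed: Sequence[str]) -> Set[str]:
    """Profiles whose behaviour sequence still begins with everything observed so far.

    A profile is ruled out the moment an observed behaviour differs from the one
    it predicts at that position, or once more behaviours were seen than it lists.
    """
    keep: Set[str] = set()
    for name, expected in profiles.items():
        if len(observed) <= len(expected) and tuple(expected[:len(observed)]) == tuple(observed):
            keep.add(name)
    return keep


def trace_elimination(profiles: Dict[str, Sequence[str]],
                      observed: Sequence[str]) -> List[Set[str]]:
    """Candidate set after each successive observation (the slide's step-by-step view)."""
    return [remaining_candidates(profiles, observed[:i + 1]) for i in range(len(observed))]


if __name__ == "__main__":
    for step, cands in zip(["A", "B", "D"], trace_elimination(PROFILES, ["A", "B", "D"])):
        print(f"observed {step}: still in -> {sorted(cands)}")
```

Observing A removes "D,B,E", observing B changes nothing, and observing D removes "A,B,C", which matches the slide; a sequence no profile predicts leaves the candidate set empty, i.e. no trigger.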
The Paradigm Shift • Concepts used from Polymorphic Viruses • Mutation engine • Polymorphic algorithm • Morphing of the payload to include • Shell code • NOP’s • Encoder/Decoder • Non-Operational Padding
The Paradigm Shift • The intent of Polymorphic Attacks • To evade signature analysis of IDS • Signature analysis looks at • Shell code • NOP’s • Specific offsets within a payload • ASCII • Headers
Encoding Process • Shell code • Morphed prior to launch with each subsequent morphing unique • ROT, MOV • XOR (exclusive-or) Randomly generated value • 0 xor 0 = 0 • 0 xor 1 = 1 • 1 xor 0 = 1 • 1 xor 1 = 0 • If the first or the second operand, but not both, is one, the result is one; otherwise the result is zero.
Encoding Process • Shell code • Randomly generated xor value of 0x23 • DNS – Snort alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS489/named-exploit-tsig-lsd"; content: "|3F 909090 EB3B 31DB 5F 83EF7C 8D7710 897704 8D4F20|"; classtype: system-attempt; reference: arachnids,489;)
Encoding Process • Shell code • Shell code of: 0x3F 909090 EB3B 31DB 5F 83EF7C 8D7710 897704 8D4F20 • XOR with the value of 0x23 • We get: 0x 1C B3B3B3 C818 12F8 7C A0CC5F AE5433 AA5427 AE6C03 • This can give us over 64,000 permutations for 1 byte • BTW, the computational overhead for this for NIDS may/will be substantial.
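An added example (not code from the slides, from Snort, or from ADMmutate) that parses the `content:` field of the IDS489 rule quoted above into bytes, applies the single-byte XOR with 0x23 that the slide describes, and shows why the rule's literal match fails on the encoded bytes. It then does what a detector can do about a single-byte key: try all 256 keys and report the one under which the known signature reappears. The helper names `parse_snort_content`, `xor_encode`, `literal_match` and `xor_key_for_signature` are mine; the signature bytes and the key are the slide's.

```python
# Added example: Snort |hex| content parsing, single-byte XOR, and key recovery.
import re
from typing import Optional

# The content field exactly as written in the slide's IDS489 Snort rule.
SNORT_CONTENT = "|3F 909090 EB3B 31DB 5F 83EF7C 8D7710 897704 8D4F20|"


def parse_snort_content(field: str) -> bytes:
    """Convert Snort's |..| hex notation into raw bytes; whitespace between hex digits is ignored."""
    inner = field.strip()
    if not (inner.startswith("|") and inner.endswith("|")):
        raise ValueError("expected a |hex| content field")
    hexdigits = re.sub(r"\s+", "", inner[1:-1])
    if len(hexdigits) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", hexdigits):
        raise ValueError("malformed hex content")
    return bytes.fromhex(hexdigits)


def xor_encode(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; applying it twice with the same key restores the input."""
    if not 0 <= key <= 0xFF:
        raise ValueError("single-byte key expected")
    return bytes(b ^ key for b in data)


def literal_match(payload: bytes, signature: bytes) -> bool:
    """What a plain content rule does: exact substring search in the packet payload."""
    return signature in payload


def xor_key_for_signature(payload: bytes, signature: bytes) -> Optional[int]:
    """Try every single-byte key and return the one under which the signature
    appears in the payload, or None. Key 0 covers the unencoded case."""
    for key in range(256):
        if signature in xor_encode(payload, key):
            return key
    return None


if __name__ == "__main__":
    sig = parse_snort_content(SNORT_CONTENT)
    encoded = xor_encode(sig, 0x23)
    print("encoded:", encoded.hex())                       # the slide's 1C B3B3B3 C818 ...
    print("literal rule fires:", literal_match(encoded, sig))
    print("key recovered:", xor_key_for_signature(encoded, sig))
```

The 256 trial decodes per packet are the "computational overhead" the slide warns about, and they only help while the key is one byte and the signature itself is left intact; once the NOPs and the decoder are morphed as well (next slides), a content signature has nothing fixed left to recover.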
Encoding Process • NOP’s • No operation assembly processor instruction • So, we substitute known NOP’s with other characters that do not affect the outcome of the code
Encoding Process • NOP’s • Platform specific NOP’s • AIX – 0x4ffffb82 • Digital – 0x47ff041f • HP – 0x0b390280 • Intel – 0x90 • SGI – 0x240f1234 • SPARC – 0x13c01ca6; 0xa61cc013, 0x801c4011
Encoding Process • NOP’s • Substitutional NOP’s per K2 • Intel • 0x49 • 0x4b • 0x45 • SPARC • 0xa21c8012 • 0xb606401a • 0xa026e042
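An added example, not from the slides or from ADMmutate, of the detection-side consequence of NOP substitution: a run-length check over a class of NOP-equivalent bytes instead of the literal 0x90 that the IDS362 rule later in the deck looks for. The Intel substitutes 0x49, 0x4b and 0x45 are the slide's; the wider class used here (0x40 to 0x4f, the one-byte inc/dec register instructions, plus 0x27 daa, 0xf5 cmc and 0xf9 stc) is my addition and matches the bytes visible in the deck's "Polymorphed" tcpdumps. The sled segment below is copied from the first polymorphed dump; the "normal" sled is constructed in the shape of the normal dump.

```python
# Added example: sled detection by byte class rather than by literal 0x90.
from typing import Set

LITERAL_NOP: Set[int] = {0x90}
# Assumed class of one-byte x86 instructions that do not change a sled's outcome.
NOP_CLASS: Set[int] = {0x90, 0x27, 0xF5, 0xF9} | set(range(0x40, 0x50))

# Sled segment from the slide's first "Polymorphed" tcpdump (bytes after the TCP header).
POLY_SLED = bytes.fromhex(
    "4949 4b49 494d 4df5 40f9 4040 4d49 414b 4845 4bf5"
    "484d 4b4d 4549 4449 4827 494a 434c 4b4d 4af9 f54a"
    "4c4d 274c 414d 4c4c 4c27 494c 4a49 4140 414d 274c"
    "4244 414b 4540 4940 f54c 4945 40f5 48f5 4c4d 454d"
    "f54d 404d 4d27 f94b 4d4d 4b42"
)
# Constructed stand-in for the "Normal" dump: a plain 0x90 sled followed by the jmp.
NORMAL_SLED = b"\x90" * 40 + bytes.fromhex("eb48")


def longest_run(payload: bytes, byte_class: Set[int]) -> int:
    """Length of the longest contiguous run of bytes drawn from byte_class."""
    best = cur = 0
    for b in payload:
        cur = cur + 1 if b in byte_class else 0
        best = max(best, cur)
    return best


def sled_alert(payload: bytes, byte_class: Set[int], threshold: int = 24) -> bool:
    """Alert when a run reaches the threshold; 24 is the number of 0x90s in the IDS362 rule."""
    return longest_run(payload, byte_class) >= threshold


if __name__ == "__main__":
    for name, data in (("normal", NORMAL_SLED), ("polymorphed", POLY_SLED)):
        print(f"{name}: literal 0x90 rule -> {sled_alert(data, LITERAL_NOP)}, "
              f"class rule -> {sled_alert(data, NOP_CLASS)}")
```

The class-based rule catches the morphed sled that the literal rule misses, but at a price: 0x41 to 0x4f are the ASCII letters A to O, so a run of capitals in ordinary text trips it too. That is why the deck ties this kind of check to protocol analysis rather than applying it blindly to every payload.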
Encoding Process • Encoder/Decoder • My first thought was that we can detect the Encoder/Decoder • “It would not be cool if the IDS vendor could simply detect our decoder.” - K2 • FAT CHANCE… This would be too easy • Techniques used are multiple code paths, non-operational padding, and randomly generated instructions • Decoder processes the data after the overflow
TCPDumps (Normal) 4500 04e8 be81 4000 4006 0f4c 0a0a 2a2a 0a0a 2a05 0933 0019 70e1 3dc3 ad03 63b0 8018 7d78 b342 0000 0101 080a 0400 22e1 008c 3e60 9090 9090 9090 9090 9090 9090 9090 9090 9090 9090 9090 9090 9090 9090 9090 9090 9090 9090 9090 9090 9090 9090 9090 9090 9090 9090 9090 9090 9090 9090 (Cut) 9090 9090 9090 9090 eb48 9aff ffff ff07 ffc3 5e31 c089 46b4 8846 b988 4607 8946 0c31 c050 b08d e8df ffff ff83 c404 31c0 50b0 17e8 d2ff ffff 83c4 0431 c050 8d5e 0853 8d1e 895e 0853 b03b e8bb ffff ff83 c40c e8bb ffff ff2f 6269 6e2f 7368 ffff ffff ffff 7c6b 0408 7c6b 0408 7c6b 0408 7c6b 0408 7c6b 0408 7c6b 0408 7c6b 0408
TCPDumps (Polymorphed) 4500 04e8 be81 4000 4006 0f4c 0a0a 2a2a 0a0a 2a05 0933 0019 70e1 3dc3 ad03 63b0 8018 7d78 b342 0000 0101 080a 0400 4475 008c 5fe5 4949 4b49 494d 4df5 40f9 4040 4d49 414b 4845 4bf5 484d 4b4d 4549 4449 4827 494a 434c 4b4d 4af9 f54a 4c4d 274c 414d 4c4c 4c27 494c 4a49 4140 414d 274c 4244 414b 4540 4940 f54c 4945 40f5 48f5 4c4d 454d f54d 404d 4d27 f94b 4d4d 4b42 (CUT) 36aa 763c 5b31 c9b0 df6a 1866 5993 3106 9383 e886 9640 968c c08c e083 c601 f533 c046 85c0 46e2 e685 c085 c0eb 0bb0 346b c087 e8c5 ffff ff7e 413e a6c9 5589 c331 55b5 6207 6aff 7a82 2230 85be ec71 b570 a647 fc66 1afb d4e9 5589 c3b5 6e72 0df6 fac6 2bde 7889 c3c9 29b2 3807 6a26 b168 a225 b128 2328 3465 1a4d d48d 5589 c3b5 6e7a d48d 5589 c319 c81f 5219 d91e c3c9 5589 c3c9 d61d 0408 816b 0408 816b 0408
TCPDumps (Polymorphed) 4500 04e8 be81 4000 4006 0f4c 0a0a 2a2a 0a0a 2a05 0933 0019 70e1 3dc3 ad03 63b0 8018 7d78 b342 0000 0101 080a 0400 c60f 008c e181 454b 4449 444a 4040 4342 4af9 40f9 414b 444b 4c44 4845 4d40 4944 f948 404b 484b 4af9 4b4a f94d 404a 2740 f94b f941 4449 4327 4d44 48f5 45f9 4149 4341 f545 4b40 4027 2745 48f5 f549 f544 4d4a f5f5 2742 f54b 4c41 41f5 4927 444b 4941 454d 42f9 f548 4d45 4b4c f545 4442 424d (CUT) 5896 83c0 4a68 9801 56bf 5b31 c091 c1e8 4a40 6a18 5889 c193 3106 9346 f946 c1e8 aa8c c083 c601 9640 96c1 c0ed e2e9 8cc0 eb06 e8c9 ffff ffd9 ea1e 2567 fea9 409f fe95 e1a9 c1df f92c 8910 0610 4751 36de 0d67 7fc8 b1db 5747 fea9 401b c552 8e58 51e6 a870 d3a9 4067 8292 bba9 c106 32c6 0905 3286 8808 b7cb b16d 5723 fea9 401b c55a 5723 fea9 40b7 633f d1b7 723e 4067 fea9 4067 7d3d 0408 cb6b 0408 cb6b 0408
Network Intrusion Response • Protocol Analysis • Application Layer
Network Intrusion Response • Protocol Analysis • What protocol is it? • IP, IPX… • If IP then is it TCP, UDP, ICMP… • If TCP then is it HTTP, DNS, FTP… • If HTTP then apply HTTP signatures • Determine if alert is needed
Network Intrusion Response • Protocol Analysis • Break the payload down into manageable parts • Look for expected results • Anything out of that range – alert • (Figure: Abnormal HTTP vs. Normal HTTP)
Network Intrusion Response • Protocol Analysis • Can detect polymorphic attacks • Proactive • Better performance • Harder to evade • May be possible to create polymorphic code that looks like normal traffic on some services
Network Intrusion Response • Pattern Matching • Searches for set patterns within packets, such as shell-code, NOP’s, and ASCII • Pattern matching is defeated by polymorphic attacks
Network Intrusion Response Snort Example – Pattern Matching DNS - Snort alert UDP $EXTERNAL any -> $INTERNAL 53 (msg: "IDS489/named-exploit-tsig-lsd"; content: "|3F 909090 EB3B 31DB 5F 83EF7C 8D7710 897704 8D4F20|"; classtype: system-attempt; reference: arachnids,489;) TFN - Snort alert ICMP any any -> any any (msg: "IDS425/ddos-tfn2k-icmp_possible_communication"; itype: 0; icmp_id: 0; content: "AAAAAAAAAA"; classtype: system-success; reference: arachnids,425;)
Network Intrusion Response Snort Example – Pattern Matching X86 NOP’s - Snort alert UDP $EXTERNAL any -> $INTERNAL any (msg: "IDS362/shellcode-x86-nops-udp"; content: "|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; classtype: system-attempt; reference: arachnids,362;)
Network Intrusion Response • Binary Signatures • Detecting binary strings within protocols such as SMTP • Attacks against text-only services could check for characters outside the standard text range • FTP • Could pick up polymorphic attacks
Network Intrusion Response • Packet Size • Detecting unusually large data streams • POP3, RPC, HTTP, FTP • Can pick up polymorphic attacks
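The "Binary Signatures" and "Packet Size" checks from the two slides above, combined into one added example for an FTP-style command channel (this is not code from the slides). Both checks are protocol-aware rather than content-based, which is why they survive morphing: the printable-text range is the only assumption about what a command line may contain, and the line-length limit is a value I chose, not one the slides give. The decoder fragment in the constructed attack sample is taken from the deck's polymorphed tcpdump; the rest of the sample traffic is constructed.

```python
# Added example: anomaly checks for a text-only service (binary bytes, oversized lines).
from typing import List

# Printable ASCII plus tab, LF and CR: everything a text protocol's command channel should carry.
TEXT_BYTES = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def check_text_channel(payload: bytes, max_line: int = 512, max_binary: int = 0) -> List[str]:
    """Return human-readable reasons to alert on a text-protocol payload (empty list = normal).

    max_line is an assumed limit on one command line; max_binary is how many
    non-text bytes to tolerate before alerting (0 = strictly text).
    """
    reasons: List[str] = []
    binary = [i for i, b in enumerate(payload) if b not in TEXT_BYTES]
    if len(binary) > max_binary:
        reasons.append(f"{len(binary)} non-text bytes, first at offset {binary[0]}")
    for n, line in enumerate(payload.split(b"\r\n")):
        if len(line) > max_line:
            reasons.append(f"line {n} is {len(line)} bytes (limit {max_line})")
    return reasons


# Constructed benign FTP command exchange.
NORMAL_FTP = b"USER anonymous\r\nPASS guest@\r\nCWD /pub\r\nRETR README\r\n"

# Constructed attack-shaped payload: a long CWD argument made of the slide's Intel
# substitute NOPs (0x49, 0x4b, 0x45, all printable) followed by decoder bytes copied
# from the deck's polymorphed dump ("5b31 c9b0 df6a 1866 5993").
DECODER_FRAGMENT = bytes.fromhex("5b31c9b0df6a18665993")
POLY_FTP = b"CWD " + bytes([0x49, 0x4B, 0x45]) * 200 + DECODER_FRAGMENT + b"\r\n"


if __name__ == "__main__":
    for name, data in (("normal", NORMAL_FTP), ("polymorphed", POLY_FTP)):
        print(name, "->", check_text_channel(data) or "ok")
```

Note that the morphed sled alone would pass the binary check (its bytes are printable letters), so it is the decoder and the line length that give it away here; services that legitimately carry non-ASCII file names need a tolerance above zero, which is what the `max_binary` knob is for.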
Network Intrusion Response • Connection Time • Abnormal connection time rates such as lengthy DNS collaboration • DNS, HTTP, RPC, etc… • Time based • Expensive • Could detect polymorphic attacks by timing the session between hosts
Network Intrusion Response • Outcome Detection – Success/Failure • Able to detect response to attacks • Able to detect “/bin/sh” leaving on port 53 • Could detect polymorphic attacks • Another evasion technique is the response from the victim being hashed/encrypted/scrambled
Network Intrusion Response • Outcome Detection – Success/Failure • Solaris snmpXdmid - LAST STAGE OF DELIRIUM • NOP’s to server • 00 1C 00 00 00 40 00 00 00 11 FF FF FF 80 00 00 00 1C 00 00 00 40 00 00 00 11 FF FF FF 80 00 00 00 1C 00 00 00 40 00 00 00 11 FF FF FF 80 00 00 00 1C 00 • /bin/ksh to server • 00 08 00 00 00 2F 00 00 00 62 00 00 00 69 00 00 ...../...b...i.. • 00 6E 00 00 00 2F 00 00 00 6B 00 00 00 73 00 00 .n.../...k...s.. • 00 68 00 00 00 00 00 00 00 04 00 00 00 00 00 00 .h.............. • uname –a to server • 82 8C 2F 62 69 6E 2F 75 6E 61 6D 65 20 2D 61 0A ../bin/uname -a.
Network Intrusion Response • Outcome Detection – Success/Failure • Solaris snmpXdmid - LAST STAGE OF DELIRIUM • Response to uname –a • 2E E1 53 75 6E 4F 53 20 73 61 2D 73 6F 6C 61 72 ..SunOS sa-solar 69 73 2D 30 32 20 35 2E 38 20 47 65 6E 65 72 69 is-02 5.8 Generi 63 20 73 75 6E 34 75 20 73 70 61 72 63 20 53 55 c sun4u sparc 4E 57 2C 55 6C 74 72 61 2D 35 5F 31 30 0A NW,Ultra-5_10. • Response to /etc/passwd • 35 1C 72 6F 6F 74 3A 78 3A 30 3A 31 3A 53 75 70 5.root:x:0:1:Sup 65 72 2D 55 73 65 72 3A 2F 3A 2F 73 62 69 6E 2F er-User:/:/sbin/ 73 68 0A 64 61 65 6D 6F 6E 3A 78 3A 31 3A 31 3A sh.daemon:x:1:1: 0070: 3A 2F 3A 0A 62 69 6E 3A 78 3A 32 3A 32 3A 3A 2F :/:.bin:x:2:2::/
Network Intrusion Response • Log Analysis • Event Viewer, /var/adm/messages/, /var/log/syslog, etc. • Able to detect abnormal occurrences within the host • Can detect polymorphic attacks • # more /var/adm/messages • May 25 11:55:09 sa-solaris-02 dmispd: [ID 922709 daemon.error] One instance of this daemon is already running on this machine
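An added example of the log-analysis step above (not code from the slides): a parser for Solaris syslog lines carrying the `[ID nnnnnn facility.level]` tag, with a filter that surfaces error-level daemon messages such as the dmispd line the slide quotes. The slide's line is used as-is; the other sample lines, the regular expression and the set of levels treated as errors are my constructions.

```python
# Added example: parse Solaris /var/adm/messages lines and flag error-level entries.
import re
from typing import Dict, Iterable, List, Optional

SOLARIS_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<proc>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"\[ID (?P<msgid>\d+) (?P<facility>\w+)\.(?P<level>\w+)\] "
    r"(?P<text>.*)$"
)

# Assumed set of syslog levels worth an alert from a server daemon.
ERROR_LEVELS = {"err", "error", "crit", "alert", "emerg"}


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one tagged Solaris syslog line into fields, or None if it is not in that format."""
    m = SOLARIS_LINE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def flag_errors(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parsed entries whose level is an error level; untagged lines are skipped."""
    flagged = []
    for line in lines:
        entry = parse_line(line)
        if entry and entry["level"] in ERROR_LEVELS:
            flagged.append(entry)
    return flagged


# Sample log: the slide's dmispd line plus two constructed lines from the same host.
SAMPLE_LOG = [
    "May 25 11:54:51 sa-solaris-02 sendmail[212]: [ID 702911 mail.info] starting daemon",
    "May 25 11:55:09 sa-solaris-02 dmispd: [ID 922709 daemon.error] One instance of this daemon is already running on this machine",
    "May 25 11:56:02 sa-solaris-02 last message repeated 1 time",
]

if __name__ == "__main__":
    for entry in flag_errors(SAMPLE_LOG):
        print(f"{entry['ts']} {entry['host']} {entry['proc']} {entry['facility']}.{entry['level']}: {entry['text']}")
```

A second dmispd instance refusing to start is exactly the kind of "abnormal occurrence within the host" the slide means: the message says nothing about shellcode, so morphing the payload does not change what ends up in the log.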
Host Intrusion Response • Access/Change Analysis • Changes to any audited file • Spawning of child processes • Removal of any audited file • Replacement of any audited file • Can detect polymorphic attacks
Host Intrusion Response • Port Activity • Unusual port activity • RPC – ttdb – active session to outside host • Could detect polymorphic attacks as they occur
Defeating Polymorphic Attacks • (Figure: Protocol Analysis, Vulnerability Assessment, Outcome Detection, Firewalls, Host IDS)
Assessment and Intrusion Detection (IDS) • “Proactive” (scheduled) Assessment • Network-Based: Reenact common intrusion or attack scenarios; ID and report network vulnerabilities and suggest corrective actions • Host-Based: Inspect system configuration files, password files for weak passwords, and other system objects for policy violations • “Reactive” (24 x 7) IDS • Network-Based: Collect information from the network for real-time monitoring • Host-Based: Monitor audit and log data; active “sensors” on servers and workstations monitor user actions and protect resources, applications, and data
Future trends from the past • State of NIDS detection is where Anti-Virus was in mid 90’s • IDS Evasion is now just getting started • Polymorphic Virus Stats (SARC www.sarc.com) • 1988 - The first virus with variable key encryption (between infections) • 1990 - Polymorphic viruses found in the United States including V2Px, Virus-90 and Virus-101 viruses • 1992 – First polymorphic engine that could be plugged into a virus as an add-on • Today - ~2,000 – 5,000 polymorphic viruses (not all in the wild)
Shameless Promotion • Kevin Mandia – Foundstone • Incident Response – Investigative Computer Crime • www.amazon.com
Credits • K2 – www.ktwo.ca • Jeru – www.newhackcity.net/~jeru • Snort – www.snort.org • SARC – www.sarc.com • Symantec – www.symantec.com
That’s all folks • QUESTIONS????