A Beautiful Journey Lorenzo Cavallaro - - PowerPoint PPT Presentation


SLIDE 1

A Beautiful Journey Memory Error Protections The Aftermath Conclusions

A Beautiful Journey

Lorenzo Cavallaro

<Lorenzo.Cavallaro@rhul.ac.uk>

Information Security Group Royal Holloway, University of London

Jan, 26 2012

Lorenzo Cavallaro A Beautiful Journey 1/52

SLIDE 3

Who Am I?

Post-doc researcher, VU Amsterdam (Jan 2010–Dec 2011), working with:
  • Prof. Andy Tanenbaum (OS dependability)
  • Prof. Herbert Bos (memory errors, malware analysis, and taint analysis)

Post-doc researcher, UC Santa Barbara (Apr 2008–Jan 2010), working with:
  • Prof. Giovanni Vigna and Prof. Christopher Kruegel (malware analysis and detection)

Visiting PhD student, Stony Brook University (Sep 2006–Feb 2008), working with:
  • Prof. R. Sekar (memory error protections, taint analysis, malware analysis)

. . . Since Jan 2012, a happy Lecturer in the ISG :-)

SLIDE 4

A Beautiful Journey

SLIDE 9

(Some of the) Threats on the Internet

(Figure: Bob uses the Internet for home banking, e-commerce, e-mail, www, . . .; Mallory attacks him, and MalWeb delivers phishing, C&C, FastFlux, and drive-by downloads. Overlaid on the picture are the research topics that address these threats: NIDS, HIDS, memory errors, (offense) disarming, protocol verification, limits of taint analysis, and malware analysis/detection.)

Pretty messy, huh?!

SLIDE 11

Timeline of my research

(Figure: timeline with the years 1999, 2000, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012; the research areas below are placed along it.)

  • Memory Error Protections: Diversification (& Bounds Checking)
  • Host Intrusion Detection Systems
  • Network Intrusion Detection Systems
  • Taint Analysis on Benign & (Limits on) Malicious Software
  • Botnet Analysis & Detection
  • OS Dependability & Hardware-supported Virtualization
  • (Offense) Disarming
  • Trusted Computing (Protocol Verification)

SLIDE 12

Diversified Process Replicæ

SLIDE 14

Memory Error

A memory error occurs when an object accessed using a pointer expression is different from the one intended (the referent):
  • Out-of-bounds access (e.g., buffer overflow)
  • Access using a corrupted pointer (e.g., buffer overflow, format bug)
  • Uninitialized pointer access, dangling pointers, . . .

Memory error exploitation generally relies on:
  • Data corruption
  • Gathering information on memory location addresses
  • Ability to execute code (sometimes)

SLIDE 15

Memory Error

A classic: Code Pointer Corruption

    #include <string.h>

    int foo(char *input)
    {
        char lbuf[64];
        int i;

        /* No bounds check: when strlen(input) > 64 the copy runs past lbuf
           into the saved frame pointer and the saved return address. */
        for (i = 0; i < strlen(input); i++)
            lbuf[i] = input[i];
        return 0;
    }

(Figure: stack frame of foo, from high to low addresses: input, saved return address, saved frame pointer, lbuf[63], lbuf[62], . . ., lbuf[0]; the stack grows toward low addresses.)

SLIDE 17

Memory Error

The exploit

Well-known way to subvert/divert a legal process execution flow. Usually overwrites control data with absolute, known values:
  • Saved return addresses
  • Application-specific function pointers
  • “Other” function pointers (e.g., GOT, .dtors, C++ virtual pointers)

Not only related to control-flow hijacking. . . (buffer overflow, format string bug, integer overflow, etc.)

SLIDE 19

Artificial Diversity

Biological diversity plays a crucial role in the survivability of every biological species. Memory error exploits rely on well-known memory addresses ⇒ make systems appear different!
  • Address Space Layout Randomization (ASLR)
  • Fine-grained Address Space Randomization (ASR)
  • Instruction Set Randomization (ISR)

SLIDE 20

Artificial Diversity

Examples: ASLR & Fine-grained ASR

(Figure: three process layouts spanning 0x0 to 0xbfffffff. Without diversity: text at 0x08048000 followed by data and bss, then the heap, the mmap area at 0x40000000, and the stack ending at 0xbfffffff. With ASLR: the stack base moves to 0xbfXXXXXX and the mmap area to 0x40XXX000, the gaps being unmapped; text, data, bss and heap remain at their fixed places after 0x08048000. With fine-grained ASR: the heap is additionally relocated to 0x080XXXXX.)

SLIDE 24

Artificial Diversity

Limitations

Such forms of artificial diversity:
  • Require high entropy
  • Rely on keeping secrets
      . . . disclosed by information leakage attacks
      . . . defeated by brute-forcing attacks
  • Have a hard time counteracting:
      Partial memory overwriting attacks
      Most arbitrary data corruption
  • Provide probabilistic protection

SLIDE 25

Diversified Process Replicæ

Framework

Idea: couple the concepts of artificial diversity and process replication
  • T, the tracer, creates Pr, a replica of P
  • T makes P and Pr behave identically on benign input
  • P and Pr are artificially diversified

⇒ Detect behavioral divergence caused by malicious input (i.e., memory error attacks)

(Figure: Process and Process Replica, both under the Replicator & Monitoring component.)

SLIDE 28

Process Replication

Rendez-vous
  • T synchronizes P and Pr at every system call invocation
  • T checks for system call consistency (e.g., system call arguments, system call number)
  • T simulates certain system calls (e.g., read, send):
      It replicates input and handles output on I/O system calls
      It performs the system call once
      It returns “honest” results to P and Pr
  • T lets P and Pr execute other system calls (e.g., brk)
  • T carefully handles other system calls (e.g., mmap2)
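The rendez-vous above, as an added toy model (this is illustration code, not the DPR framework's own implementation). A tracer T drives a process P and its replica Pr in lockstep as Python generators, compares the system call each one asks for at every rendez-vous, performs the input system call once and feeds both the same result, and reports a divergence when the two disagree. The "program", the two address-space layouts (lower half for P, upper half for Pr, following the partitioning on the later slide) and the two inputs are all constructed for the example; the code pointer is modelled by the four bytes the program reads past its 64-byte buffer.

```python
"""Toy model of the DPR tracer rendez-vous (added illustration, not the
framework's own code). P and Pr are generators that yield the system call they
want to make; T compares the two at every rendez-vous."""
from typing import Dict, Generator, List, Tuple

Syscall = Tuple[str, tuple]          # (system call name, arguments) as T sees them
Program = Generator[Syscall, object, None]


class Fault(Exception):
    """A replica touched an address that is unmapped in its layout."""


class Divergence(Exception):
    """P and Pr asked for different system calls at the same rendez-vous."""


def program(layout: Dict[int, Syscall]) -> Program:
    """Constructed server loop run by both replicas. It reads a request into a
    64-byte buffer but asks for 68 bytes, so the 4 bytes after the buffer stand
    in for the saved return address. `layout` maps the absolute addresses mapped
    in this replica to the system call made by the code found there."""
    data = yield ("read", (0, 68))
    buf, ret = data[:64], data[64:68]
    if not ret:                                  # request fit the buffer: normal path
        yield ("write", (1, b"ok " + buf))
    else:                                        # saved return address now holds an absolute value
        target = int.from_bytes(ret, "little")
        if target not in layout:
            raise Fault(f"unmapped address {target:#x}")
        yield layout[target]                     # execution continues at whatever is mapped there
    yield ("exit_group", (0,))


def step(prog: Program, result: object) -> Syscall:
    """Resume one replica until its next system call, crash or exit."""
    try:
        return prog.send(result)
    except Fault as exc:
        return ("fault", (str(exc),))
    except StopIteration:
        return ("exit", ())


def trace(layout_p: Dict[int, Syscall], layout_pr: Dict[int, Syscall],
          stdin: bytes) -> List[Syscall]:
    """T: run P and Pr in lockstep and return the system calls seen, or raise
    Divergence at the first rendez-vous where the two replicas disagree."""
    p, pr = program(layout_p), program(layout_pr)
    ev_p, ev_pr = step(p, None), step(pr, None)  # run each up to its first syscall
    log: List[Syscall] = []
    while True:
        if ev_p != ev_pr:                        # consistency check: name and arguments
            raise Divergence(f"P: {ev_p} vs Pr: {ev_pr}")
        log.append(ev_p)
        name, args = ev_p
        if name in ("exit", "fault"):
            return log
        # read is performed once by T and its result replicated to both;
        # every other call returns the same "honest" value to both replicas.
        result = stdin[:args[1]] if name == "read" else 0
        ev_p, ev_pr = step(p, result), step(pr, result)


# Constructed layouts: P lives in the lower half of the address space (text at
# 0x08048000), Pr in the upper half (text at 0x68048000), so a given absolute
# address is mapped in at most one of the two.
LAYOUT_P: Dict[int, Syscall] = {0x0804a000: ("write", (1, b"continued at 0x0804a000"))}
LAYOUT_PR: Dict[int, Syscall] = {0x6804a000: ("write", (1, b"continued at 0x6804a000"))}

BENIGN = b"GET /index.html"                                  # fits in 64 bytes
OVERFLOW = b"A" * 64 + (0x0804a000).to_bytes(4, "little")    # address valid in P only


def detect(stdin: bytes) -> bool:
    """True if T flags the input as an attack (the replicas diverged)."""
    try:
        trace(LAYOUT_P, LAYOUT_PR, stdin)
        return False
    except Divergence:
        return True


if __name__ == "__main__":
    print(trace(LAYOUT_P, LAYOUT_PR, BENIGN))
    print("overflow flagged:", detect(OVERFLOW))
```

On the benign request both replicas issue the same read, write and exit_group and T lets them run to completion; on the over-long request P continues at an address that is mapped in its half of the address space while Pr faults on the same value, and the mismatch at that rendez-vous is what T reports.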

SLIDE 29

Process Diversification

Address Space Partitioning

(Figure: P and Pr side by side, each spanning 0x0 to 0xbfffffff. P is laid out in the lower part of the address space, text at 0x08048000 followed by data, bss, heap and stack up to 0x64023fff, with the upper part unmapped. Pr is laid out in the upper part, text at 0x68048000 followed by data, bss, heap and stack, with the lower part unmapped.)

SLIDE 30

Effectiveness I

Code Pointer Corruption

(Same foo() as on slide 15: the loop copies input into lbuf[64] without a bounds check.)

(Figure: the stack frame of foo, from high to low addresses, input, saved return address, saved frame pointer, lbuf[63], lbuf[62], . . ., lbuf[0], shown once for P and once for Pr; the part of the address space that is mapped in one replica is unmapped in the other, so an absolute address written over the saved return address cannot be valid in both.)

SLIDE 31

Effectiveness

Limitations
  • Does not address arbitrary (non-pointer) data corruption
  • Fails against environment-dependent information leakage
  • Non-determinism
  • High overhead. . .

SLIDE 32

Experimental Results

Throughput Penalties

100 conns, 4 sess/conn, 13 reqs/conn, ∼7.5MB web site

  #  Throughput                     MB/s (no DPR)  MB/s (DPR)  slowdown
  1  thttpd (mmap)                  12386.9        12238.8     1.20%
  2  thttpd (mmap-nocache)          12718.4        12496.5     1.75%
  3  thttpd (read)                  12599.5        12117.4     ∼3.8%
  4  thttpd (read-nocache)          12603.7        7086.3      ∼43.8%
  5  thttpd (read-nocache-single)   9134.5         2838.1      ∼69%

SLIDE 33

Experimental Results

Latency Penalties

100 conns, 4 sess/conn, 13 reqs/conn, ∼7.5MB web site

  #  Latency                        ms (real system)  ms (DPR)  slowdown
  1  thttpd (mmap)                  3.5               4.6       31%
  2  thttpd (mmap-nocache)          3.5               4.5       29%
  3  thttpd (read)                  3.5               5.3       51%
  4  thttpd (read-nocache)          3.7               21.6      ∼6x
  5  thttpd (read-nocache-single)   166               646       ∼4x

SLIDE 35

Take away
  • Promising approach to detect memory error attacks
  • Multicore and Cloud technology could be of help!
      Offloading of heavy-duty analysis for mobile security?
      Main challenges: working on binaries, self-relocation of .text, non-determinism, etc.
  • Non-control data are still an issue here

Wait, still a lot of talking about memory errors. . .

SLIDE 36

Are Memory Corruptions still a Threat?

SLIDE 37–39

Are Memory Corruptions still a Threat?

Looked up vulnerabilities and exploits over the past 15 years

(Figure: "Memory Corruption Vulnerabilities/Exploits", 1996–2010, two series, #Vulnerabilities and #Exploits, on a 0–240 scale.)

  • Linear growth of vulnerabilities between 1998 and 2007
  • Attackers being attracted since 2003
  • Remarkable downward trend started in 2007. Why?

SLIDE 41

Are Memory Corruptions still a Threat?

The Fall

Total vulnerabilities and exploits compared against the memory errors category

(Figure: "Memory Corruptions VS Total", 1996–2010, four series on a 0–2000 scale: Memory Corruption Vulnerabilities, Total Vulnerabilities, Memory Corruption Exploits, Total Exploits.)

Downward trend in the reported vulnerabilities may be caused by:
  1. Fewer bugs found in source code
  2. Fewer bugs reported
  3. A combination of 1 and 2

SLIDE 42

Are Memory Corruptions still a Threat?

Fewer bugs were found in source code

Hard to back this up:
  • The number of lines of code (LoC) written each month still increases
  • More LoC, more bugs (generally up to 75 bugs per 1000 LoC)

However, some changes in 2007 led to fewer bugs being found:
  • The web vulnerabilities trend matches that of total vulnerabilities
  • Exponential growth (2003–2007) and drop (2007–2010) correlated with changes in web development
  • Companies and web developers took web programming (a bit) more seriously, e.g., switching from home-made CMSs to full-fledged web frameworks

SLIDE 43

Are Memory Corruptions still a Threat? I

Fewer bugs were reported: our speculation

1. The Great Recession
  • Before 2007, security experts were getting paid to look for bugs
  • Things changed when companies ran out of money: bug hunters were fired or moved to do some “real” work
  • Result: fewer people searching for vulnerabilities

2. No full disclosure due to bounties
  • Ten years ago things were just different: you would even contact the corresponding administrator about your fix :-)
  • Today, large companies (e.g., Google and Mozilla) give out rewards to bug hunters as long as you don’t go public
  • Real money is paid for your zero-day vulnerability (and exploit)

SLIDE 44

Are Memory Corruptions still a Threat? II

Fewer bugs were reported: our speculation

3. Less fun
  • (Some) developers used to spend their spare time finding bugs and hacking into programs
  • Companies do not like public disclosure about their software
  • New mitigation techniques may have made it harder

4. Criminal world
  • More and more people have really gone online: they buy items and use online banking systems
  • Criminals have been shifting online too!
  • Companies send out rewards to finders of vulnerabilities, but useful zero-days in the underground world would yield even more
  • Very low chances such bugs will be reported as CVEs, though

SLIDE 46

Are Memory Corruptions still a Threat?

Fewer bugs were found AND fewer bugs were reported

The drop in vulnerabilities may actually be caused by both previous statements:
  • The software industry has recently become more mature (more awareness)
  • Web developers switched to more professional platforms
  • Bugs are no longer reported to the public: they are sold to either the program’s owner or the criminal underground
  • Real Full Disclosure (the old-fashioned Bugtraq) is almost over
  • Discussions on how to walk the path of publishing a zero-day vulnerability

. . . so, are memory corruptions still a threat?

SLIDE 49

The Aftermath of Memory Corruptions (Has anyone said malware?)

SLIDE 50

Malicious Software (Malware) I

Software that fulfills the malicious intent of an attacker; one of the most pressing security problems on the Internet
  • Bots are written to take over a large number of hosts on the Internet
  • Bots join a botnet, a network of compromised hosts
  • Botnets are controlled by a malicious entity, e.g., the “botmaster”

The botmaster is a (cyber) criminal

SLIDE 51

Malicious Software (Malware) II
  • Large-scale network probing (i.e., scanning activities)
  • Launching Distributed Denial of Service (DDoS) attacks
  • Sending large-scale unsolicited emails (SPAM)
  • Click-fraud campaigns
  • Information theft, stealing personal data

Shift from a for-fun activity towards a profit-oriented business

SLIDE 52

Torpig

Trojan horse
  • Distributed via the Mebroot “malware platform”
  • Injects itself into 29 different applications as a DLL
  • Steals sensitive information (passwords, HTTP POST data)
  • HTTP injection for phishing
  • Uses “encrypted” HTTP as C&C protocol
  • Uses domain flux to locate the C&C server

Mebroot
  • Spreads via drive-by downloads
  • Sophisticated rootkit (overwrites the master boot record)

SLIDE 53

The Torpig Botnet

(Figure: the Torpig infrastructure. Nodes: a vulnerable web server, the Mebroot drive-by-download server, the Mebroot C&C server, the Torpig C&C server, the injection server, and the victim client, which becomes a bot. Numbered exchanges (1)–(7), with the labels shown in the figure: GET / answered with an injected <iframe> by the vulnerable web server; GET /?gnh5 answered with gnh5.exe by the Mebroot drive-by-download server; Torpig DLLs delivered from the Mebroot C&C server; stolen data sent to, and a config URL received from, the Torpig C&C server; phishing HTML returned by the injection server.)

SLIDE 54

Torpig HTML Injection
  • Domains of interest (∼300) stored in the configuration file
  • When a domain of interest is visited:
      Torpig issues a request to the injection server
      The server specifies a trigger page on the target domain and a URL on the injection server to be visited when the user visits the trigger page
  • When the user visits the trigger page:
      Torpig requests the injection URL from the injection server
      Torpig injects the returned content into the user’s browser
  • The content is an HTML phishing form that asks for sensitive data and reproduces the look and style of the target web site

SLIDE 56

Phishing Page

Example: Wellsfargo

(Figure: screenshot of the injected phishing page.)

SLIDE 57

Domain Flux

Taking down a single bot has little effect on the botmaster; C&C servers are vulnerable to take-down:
  • If you use a static IP address, people will block or remove the host
  • If you use a DNS name, people will block or remove the domain name

Domain flux
  • The idea is to have bots periodically generate new C&C domain names
  • Often, the local date (system time) is used as input
  • The botmaster needs to register one of these domains and respond properly so that bots recognize a valid C&C server
  • Defenders must register all domains to take down the botnet

SLIDE 58

Torpig Domain Flux

Each bot has:
  • The same domain generation algorithm (DGA)
  • Three fixed domains to be used if all else fails

The DGA generates:
  • a weekly domain name (wd)
  • a daily domain name (dd)

Every 20 minutes the bot attempts to connect, in order, to:
  • wd.com, wd.net, wd.biz
  • If all three fail, then dd.com, dd.net, dd.biz
  • If they also fail, then the three fixed domains

Criminals normally registered wd.com (and wd.net)

SLIDE 59

Sinkholing Torpig C&C

Overview
  • Reverse engineered the DGA and the C&C protocol
  • Observed that the domains for 01/25–02/15 were unregistered
  • Registered these domains ourselves
  • Unfortunately, Mebroot pushed a new Torpig binary on 02/04
  • We controlled the botnet for ∼10 days

Data
  • 8.7 GB Apache logs
  • 69 GB pcap data (contains stolen information)

SLIDE 60

Sinkholing Torpig C&C
  • Purchased hosting from two different hosting providers known to be unresponsive to complaints
  • Registered wd.com and wd.net with two different registrars (one was suspended 01/31 due to an abuse complaint)
  • Set up Apache web servers to receive bot requests
  • Recorded all network traffic
  • Automatically downloaded and removed data from our hosting providers
  • Enabled hosts a week early: immediately received data from 359 infected machines

SLIDE 61

Data Collection Principles

Principle 1: the sinkholed botnet should be operated so that any harm and/or damage to victims and targets of attacks would be minimized
  • Always responded with the okn message
  • Never sent a new/blank configuration file

Principle 2: the sinkholed botnet should collect enough information to enable notification and remediation of affected parties
  • Worked with law enforcement (FBI and DoD Cybercrime units)
  • Worked with bank security officers
  • Worked with ISPs

SLIDE 62

Data Collection

  Data Type           Data Items (#)
  Mailbox account         54,090
  Email                1,258,862
  Form data           11,966,532
  HTTP account           411,039
  FTP account             12,307
  POP account            415,206
  SMTP account           100,472
  Windows password     1,235,122

Figure: Data items sent to our C&C server by Torpig bots.

SLIDE 63

Size Estimation

Count the number of infections
  • Usually based on unique IP addresses
  • Problematic: DHCP and NAT effects (we saw 1.2M unique IPs)
  • Our count based on header information: 180K hosts (nids) seen
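The two ways of counting above, as an added example (illustration code, not the study's own tooling). It parses a handful of constructed Apache-style sinkhole log lines, counts bots once by client IP and once by a per-host identifier, and lists the addresses that hide several hosts (NAT) and the hosts that appear from several addresses (DHCP). The "nid=" query parameter is an assumption standing in for the header information the slide refers to; the log format, addresses and identifiers are all made up for the example.

```python
"""Infection counting from sinkhole logs: unique IPs versus unique host ids.
Added illustration, not the original study's code."""
import re
from collections import defaultdict
from typing import Dict, Iterator, Set, Tuple

# Constructed sample: 10.0.0.5 is a NAT gateway with three bots behind it,
# host dddd4444 is on DHCP and shows up from four addresses over the day,
# one request carries no identifier (a scanner) and one line is malformed.
LOG = """\
10.0.0.5 - - [26/Jan/2012:10:00:01 +0000] "POST /?nid=aaaa1111 HTTP/1.1" 200 4
10.0.0.5 - - [26/Jan/2012:10:20:03 +0000] "POST /?nid=bbbb2222 HTTP/1.1" 200 4
10.0.0.5 - - [26/Jan/2012:10:40:07 +0000] "POST /?nid=cccc3333 HTTP/1.1" 200 4
192.0.2.10 - - [26/Jan/2012:11:00:00 +0000] "POST /?nid=dddd4444 HTTP/1.1" 200 4
192.0.2.11 - - [26/Jan/2012:13:00:00 +0000] "POST /?nid=dddd4444 HTTP/1.1" 200 4
192.0.2.12 - - [26/Jan/2012:15:00:00 +0000] "POST /?nid=dddd4444 HTTP/1.1" 200 4
192.0.2.13 - - [26/Jan/2012:17:00:00 +0000] "POST /?nid=dddd4444 HTTP/1.1" 200 4
198.51.100.7 - - [26/Jan/2012:16:00:00 +0000] "POST /?nid=eeee5555 HTTP/1.1" 200 4
198.51.100.9 - - [26/Jan/2012:16:05:00 +0000] "GET /robots.txt HTTP/1.1" 404 -
this line is not a log entry
"""

# Apache common log format: client, identd, user, [timestamp], "request", status, size
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d+) (?P<size>\d+|-)$'
)
NID = re.compile(r"[?&]nid=([0-9a-f]+)")     # assumed per-host identifier parameter


def bot_requests(log: str) -> Iterator[Tuple[str, str]]:
    """Yield (client IP, host id) for every well-formed request carrying an id."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m is None:
            continue                          # malformed or truncated line
        n = NID.search(m["path"])
        if n is None:
            continue                          # scanner or stray request, not a bot
        yield m["ip"], n.group(1)


def estimate(log: str) -> Dict[str, object]:
    """Compare the IP-based count with the identifier-based count and report
    the addresses and hosts that make the two differ."""
    ip_to_nids: Dict[str, Set[str]] = defaultdict(set)
    nid_to_ips: Dict[str, Set[str]] = defaultdict(set)
    for ip, nid in bot_requests(log):
        ip_to_nids[ip].add(nid)
        nid_to_ips[nid].add(ip)
    return {
        "unique_ips": len(ip_to_nids),        # the naive estimate
        "unique_hosts": len(nid_to_ips),      # the header-based estimate
        "nat_ips": sorted(ip for ip, s in ip_to_nids.items() if len(s) > 1),
        "dhcp_hosts": sorted(n for n, s in nid_to_ips.items() if len(s) > 1),
    }


if __name__ == "__main__":
    for key, value in estimate(LOG).items():
        print(f"{key}: {value}")
```

On the sample the IP-based count is 6 while only 5 distinct hosts reported in: the DHCP host inflates the IP count by three while the NAT gateway hides two hosts behind one address, so the two effects do not simply cancel and only a per-host identifier gives a stable number.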

SLIDE 64

Threats
  • Theft of financial data
  • Denial of Service
  • Proxy servers
  • Privacy threats

SLIDE 65

Threats

Theft of Financial Information
  • 8,310 unique accounts from 410 financial institutions
      Top 5: PayPal (1,770), Poste Italiane, Capital One, E*Trade, Chase
      38% of credentials stolen from the browser’s password manager
  • 1,660 credit cards
      Top 3: Visa (1,056), Mastercard, American Express, Maestro, Discover
      US (49%), Italy (12%), Spain (8%)
      Typically, one CC per victim, but there are exceptions

SLIDE 66

Value of the Financial Information

In a 2008 report on the underground economy, Symantec estimates:
  • Credit card value at $.10 to $25.00
  • Bank account at $10.00 to $1,000.00

Using such values, 10 days of Torpig data are valued at $83K to $8.3M

(Figure: "New bank accounts and credit cards" per day from 01-21 to 02-06 (left axis, 0–1400) together with their min and max value in $ (right axis, log scale from 10 to 1e+07).)

SLIDE 67

Take Away

Unique opportunity to understand:
  • The potential for profit and malicious activity of the botnet’s creators
  • The characteristics of botnet victims

  • Previous evaluations of botnet sizes based on distinct IPs may be overestimated
  • Botnet victims are users with poorly maintained machines who choose easily guessable passwords to protect sensitive data
  • Interacting with registrars, hosting facilities, victim institutions, and law enforcement can be a complicated process

SLIDE 68

Where Are We Going?

SLIDE 69

Where Are We Going? I

Emerging threats (Team Cymru, SysSec EU NoE)

Memory corruptions are still a threat (sometimes); we should accept the fact that malicious computation will eventually happen
  • How can we contain the damage (e.g., POLA)?

Advanced malware
  • Advanced botnets with stealthy and robust C&C
  • Exploit social networks and social engineering to propagate
  • Cross-platform (to mobile)
  • New distribution channels: software marketplaces
  • Services for hire
  • Virtualization-based malware (ring -1 malware)

SLIDE 70

Where Are We Going? II

Emerging threats (Team Cymru, SysSec EU NoE)

Mobile malware
  • Large population
  • Complex software with slow patch cycle
  • Even without vulnerabilities, trojans can be successful

Mac malware
Cloud attacks
Smart Grid, embedded, and SCADA security

SLIDE 71

A Beautiful Journey

Thank you! Any questions?

Lorenzo “Gigi Sullivan” Cavallaro <Lorenzo.Cavallaro@rhul.ac.uk>
http://www.isg.rhul.ac.uk/sullivan

(I wish I could have <sullivan@rhul.ac.uk> or <sullivan@isg.rhul.ac.uk> :-))
