hookfinder identifying and understanding malware hooking
play

HookFinder: Identifying and Understanding Malware Hooking Behaviors - PowerPoint PPT Presentation

May 04, 2023 •97 likes •373 views

HookFinder: Identifying and Understanding Malware Hooking Behaviors Heng Yin Zhenkai Liang Dawn Song Carnegie Mellon Univ Carnegie Mellon Univ UC Berkeley Coll Of William and Mary Carnegie Mellon Univ 1 What is a hook? Malware

  1. HookFinder: Identifying and Understanding Malware Hooking Behaviors Heng Yin Zhenkai Liang Dawn Song Carnegie Mellon Univ Carnegie Mellon Univ UC Berkeley Coll Of William and Mary Carnegie Mellon Univ 1

  2. What is a hook? • Malware registers its own function (i.e. hook) into the target location (i.e. hook site) • Later, data in the hook site is loaded into EIP, and the execution is redirected into malware’s own function. NewZwOpenKey Hook Install the address of NewZwOpenKey Execution is redirected ZwOpenKey SSDT (System Service Descriptor Table) Hook Site Sony Rootkit: an example of SSDT hooking 2

  3. Why are hooks important? • Malware needs to place hooks to achieve its malicious intents: – Rootkits want to intercept and tamper with critical system states – Network sniffers eavesdrop on incoming network traffic – Stealth backdoors intercept network stack to establish stealthy communication channels – Spyware, keyloggers and password thieves … 3

  4. Current techniques are insufficient • Some tools detect hooks by checking known memory regions for suspicious entries – E.g., VICE [Butler:2004], IceSword, System Virginity Verifier[Rukowska:2005] – Code sections, IAT/EAT, SSDT, IRP tables – They become futile when malware uses new hooking mechanisms • Malware writers strive for new hooking mechanisms – E.g., Two kernel backdoors (Deepdoor and Uay) overwrite only a small portion in NDIS (i.e., Network Driver Interface Specification) data block – All existing tools cannot detect this kind of hooks 4

  5. Our Approach • We propose a system to automatically detect and analyze ( previously unknown ) hooks – Given an unknown malicious binary – Identify if it installs any hooks (with no prior knowledge) – Understand hooking mechanism » Provide detailed information about how it installs these hooks • When a sample employs a novel hooking mechanism, we can identify and understand it instantly – Update detection/prevention policy, to detect/prevent the similar hooks in the future 5

  6. Outline • Motivation • Approach Overview • HookFinder Design and Implementation • Experimental Evaluation • Summary 6

  7. Intuition • A hook is one of the impacts ( i.e., state changes ) to the system made by malware • This impact redirects the execution into the malicious code. Malware Impact Execution jumps into Malicious code Hook Site We can detect and analyze hooks by marking and tracking impacts. 7

  8. Our Techniques • Hook Detection: Fine-grained Impact Analysis – Mark initial impacts – Track impacts propagation (and generate Impact Trace) – Detect affected control flow • Hook Analysis: Semantics-aware Impact Dependency Analysis – Backward data dependency analysis on Impact Trace – Combine OS-level semantics information – Generate a dependency graph: Hook Graph 8

  9. Outline • Motivation • Approach Overview • HookFinder Design and Implementation • Evaluation • Summary 9

  10. HookFinder – System Overview Hook Analyzer Semantics Impact Analysis Hook Impact Trace Extractor Engine Detector Whole-system Emulator Hook Graphs We build HookFinder on top of TEMU, which is a dynamic binary analysis component in the BitBlaze Project 10

  11. Semantics Extractor • Whole-system Emulator only provides a hardware- level view – E.g., states of memory, registers, and I/O devices • We need an OS-level view – Which process/module/thread is running currently? – What is the function name, if malware calls an external function – What is the symbol name, if malware reads a symbol • TEMU provides this functionality – See [Yin et al:2007] and this paper for more details Semantics Impact Analysis Hook Extractor Engine Detector 11

  12. Impact Analysis Engine • Mark Initial Impacts (memory and register writes) – In malware’s module – In external function calls – In dynamically generated code Challenge: identify dynamically generated code Observation: dynamically generated code is part of impacts made by malware Solution: check if the code region is marked • Track impact propagation – Track data dependency (like in dynamic taint analysis) » Check propagation through disks – Check immediate operands » Because malware can manipulate immediate operands Semantics Impact Analysis Hook Extractor Engine Detector 12

  13. Hook Detector • Detect when a hook is used – Condition 1: Program counter (i.e, EIP in x86) is marked – Condition 2: The execution jumps into the malicious code Semantics Impact Analysis Hook Extractor Engine Detector 13

  14. How HookFinder Detects Hooks in Sony Rootkit Syntax: op src, dst ... … aries.sys+ee6: mov ZwOpenKey, %edi … In Malicious aries.sys+f56: mov 1(%edi), %eax Code aries.sys+f59: mov KeServiceDescriptorTable, %ecx aries.sys+f5f: mov (%ecx), %ecx aries.sys+f61: movl aries.sys+66e, (%ecx, %eax, 4) … … ntoskrnl.exe+8051: movl (%edi, %eax, 4), %ebx ntoskrnl.exe+8069: call *%ebx … … A hook is detected: 1) EIP is marked 2) The execution is redirected into aries.sys 14

  15. Hook Analyzer • Generate hardware-level hook graph – Perform backward dependency analysis on the impact trace • Transform into OS-level graph – Combine OS-level semantic information • Simplify hook graph – If two adjacent nodes belong to the same external function call, merge them into one node – If two adjacent nodes are direct copy instructions (e.g., mov, push, pop), merge them into one node 15

  16. Hook Graph for Sony Rootkit aries.sys+ee6: aries.sys+f59: mov ZwOpenKey, %edi mov KeServiceDescriptorTable, %ecx aries.sys+f56: aries.sys+f5f: mov 1(%edi), %eax mov (%ecx), %ecx Impacted Address This hook is installed aries.sys+f61: movl aries.sys+66e, (%ecx, %eax, 4) ntoskrnl.exe+8051: movl (%edi, %eax, 4), %ebx This hook is activated ntoskrnl.exe+8069: call *%ebx 16

  17. Outline • Motivation • Approach Overview • HookFinder Design and Implementation • Evaluation • Summary 17

  18. Summarized Results Sample Category Runtime Impact Hooks Trace Online Offline Total Malicious Troj/Keylogg-LF Keylogger 6min 9min 3.7G 2 1 Troj/Thief Password 4min <1min 143M 1 1 Thief AFXRootkit Rootkit 6min 33min 14G 4 3 CFSD Rootkit 4min 2min 2.8G 5 4 Sony Rootkit Rootkit 4min <1min 25M 4 4 Vanquish Rootkit 6min 12min 4.4G 11 11 Hacker Defender Rootkit 5min 27min 7.4G 4 1 Uay Backdoor Backdoor 4min <1min 117M 5 2 Legitimate hooks: PsCreateSystemThread, CreateThread, CreateRemoteThread, StartServiceDispatcher 18

  19. Detailed Analysis of Uay Static Point: Protocol Handler (h) NdisRegisterProtocol arg2 returned from NdisRegisterProtocol uay.sys+16a0: mov 0x10(%esi), %esi Uay walks through a list of registered protocols and places the hook into one uay.sys+16a0: mov 0x10(%esi), %esi entry (with offset 0x40) … Hook Site = MEM[MEM[h+10]+10]+40 uay.sys+1589: lea 0x40(%esi), %eax NDIS.sys+115b: mov %eax, (%ecx) Call: NdisAllocateMemoryWithTag … … uay.sys+fcd: mov %eax, (%edi) NDIS.sys+22faa: call *0x40(%eax) 19

  20. Related Work • Hook Detection – VICE [Butler:2004], IceSword, System Virginity Verifier[Rukowska:2005] • Dynamic Taint Analysis – Detect exploits [Costa:sosp05] [Crandall et al:2004] [Newsome et al:2005], [Portokalidis et al:2006], [Suh et al:2004] – Data lifetime analysis [Chow et al:2004] – Dynamic spyware analysis [Egele et al:2007] – Detect and analyze privacy-breaching malware [Yin et al:2007] – Extract protocol format [Caballero et al:2007] – Prevent cross-site scripting [Vogt et al:2007] 20

  21. Summary • We proposed fine-grained impact analysis – Characterize malware’s impacts on the system environment – Observe if one of the impacts is used to redirect the execution into the malicious code – Capture intrinsic characteristics of hooking behavior, and thus it can identify novel hooks • We devised semantics-aware impact dependency analysis – Extract hooking mechanism in form of hook graphs • We developed HookFinder • We analyzed 8 representative malware samples – HookFinder is able to identify and analyze new hooks in Uay 21

  22. Thanks! For more information and related projects, please visit our BitBlaze website at http://bitblaze.cs.berkeley.edu 22

  23. Discussion 1 • Exploit control dependency switch(a) { case 1: b=1; break; case 2: b=3; break; …} – Not feasible, since we track all initial impacts 23

  24. Discussion 2 • Not exhibit hooking behavior when tested – Bypass redpill test by feeding in fake inputs – Slow down the frequency of PIT to disguise the performance slowdown – Explore multiple execution paths [Moser:2007, Brumley:2007] 24

  25. Discussion 3 • “Return-into-libc” attacks: register an address of a system function – Hard to find a candidate function – Hard to prepare compatible call stack – Will consider it in the future work 25

  26. Key Factors in Hooking Mechanism • Hook Type – Data Hook: interpreted as data (e.g., jump target) – Code Hook: interpreted as code (e.g., jump instruction) • Implanting methods – Direct write » What is the static point? • Global symbol, or result of a function call » How to infer the hook site? – Call an external function » Which function is called? • E.g., SetWindowsHookEx, memcpy, WriteProcessMemory » What is the argument list? 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The State of Hooking into Drupal Track: Symfony The State of Hooking into Drupal who am I?

The State of Hooking into Drupal Track: Symfony The State of Hooking into Drupal who am I?

The State of Hooking into Drupal Track: Symfony The State of Hooking into Drupal who am I? Nida Ismail Shah Developer at Acquia drupal.org: nidaismailshah twitter: @nidaismailshah nidashah.com Overview Hooks - What,

924 views • 60 slides
T owards Network Containment in Malware Analysis Systems Mariano Graziano, Corrado Leita, Davide

T owards Network Containment in Malware Analysis Systems Mariano Graziano, Corrado Leita, Davide

T owards Network Containment in Malware Analysis Systems Mariano Graziano, Corrado Leita, Davide Balzarotti ACSAC, Orlando, Florida, 3-7 December 2012 Malware Analysis Scenario Analysis based on Sandboxes (API Hooking, Emulation)

798 views • 23 slides
Identifying Infections with Spamming Malware in a Network, based on Analysis of DNS MX Requests

Identifying Infections with Spamming Malware in a Network, based on Analysis of DNS MX Requests

Introduction Research Question Background Dataset Approach Results Conclusion Identifying Infections with Spamming Malware in a Network, based on Analysis of DNS MX Requests Bas Vlaszaty Bas.Vlaszaty@os3.nl Universiteit van Amsterdam

899 views • 89 slides
Understanding Linux Malware Emanuele Cozzi 1 , Mariano Graziano 2 , Yanick Fratantonio 1 , Davide

Understanding Linux Malware Emanuele Cozzi 1 , Mariano Graziano 2 , Yanick Fratantonio 1 , Davide

Understanding Linux Malware Emanuele Cozzi 1 , Mariano Graziano 2 , Yanick Fratantonio 1 , Davide Balzarotti 1 1 EURECOM 2 Cisco Systems, Inc. IEEE Symposium on Security &amp; Privacy, May 2018 Malware and operating systems Malware and operating

690 views • 57 slides
Leopard: Understanding the Threat of Blockchain Domain Name Based Malware Zhangrong Huang 1,2 ,

Leopard: Understanding the Threat of Blockchain Domain Name Based Malware Zhangrong Huang 1,2 ,

Leopard: Understanding the Threat of Blockchain Domain Name Based Malware Zhangrong Huang 1,2 , Ji Huang 1,2 , and Tianning Zang 2 1.School of Cyber Security, UCAS 2.Institute of Information Engineering, CAS Existing Techniques Used by Malware

638 views • 30 slides
Identifying Dormant Functionality in Malware Programs Paolo Milani Comparetti Vienna University

Identifying Dormant Functionality in Malware Programs Paolo Milani Comparetti Vienna University

Int. Secure Systems Lab Vienna University of Technology Identifying Dormant Functionality in Malware Programs Paolo Milani Comparetti Vienna University of Technology Guido Salvaneschi Polotecnico di Milano Engin Kirda Institute Eurecom

726 views • 31 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

540 views • 42 slides
Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware

Malware What is malware? Malware: malicious software worm ransomware adware virus trojan horse etc. and how do we fight it? AV software Firewalls Filtering Patching Writing more secure software

568 views • 22 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
Learning Objectives Identifying Medicare eligible claimants Understanding CMS MSP

Learning Objectives Identifying Medicare eligible claimants Understanding CMS MSP

10/3/2017 Learning Objectives Identifying Medicare eligible claimants Understanding CMS MSP Enforcement Mechanisms Investigating, Disputing and Resolving Medicare Conditional Payments Determining if and when an MSA is appropriate

484 views • 10 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
The Arts Engagement Project at the University of Michigan Identifying and understanding the

The Arts Engagement Project at the University of Michigan Identifying and understanding the

The Arts Engagement Project at the University of Michigan Identifying and understanding the impacts of co-curricular arts engagement on student development at the University level Deb Mexicotte Gabriel Harp Veronica Stanich a2ru Annual

1.43k views • 110 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Overview Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer immunization Kjell Jrgen Hole Simula@UiB 4. Epidemiological model 5. Malware halting analysis 6. Malware halting method Last updated

672 views • 29 slides
WIFLE Announces the Establishment of the Elizebeth Smith Friedman Intelligence Award of Excellence

WIFLE Announces the Establishment of the Elizebeth Smith Friedman Intelligence Award of Excellence

WIFLE Announces the Establishment of the Elizebeth Smith Friedman Intelligence Award of Excellence At Dedication of the ATF National Headquarters Auditorium in Honor of Prohibition Investigator and Cryptanalyst Elizebeth Smith Friedman On

536 views • 5 slides
ATF 2013 Media Briefing 7th June 2012 ATF 2013 2 HOST COMMITEE Host of 32 nd ATF in 2013

ATF 2013 Media Briefing 7th June 2012 ATF 2013 2 HOST COMMITEE Host of 32 nd ATF in 2013

www.atflaos.com ATF 2013 Media Briefing 7th June 2012 ATF 2013 2 HOST COMMITEE Host of 32 nd ATF in 2013 Ministry of Information, Culture Previously hosted ATF in 2004 and Tourism (MICT), (Jan 30 to Feb 7) Lao PDR Appointed ATF

378 views • 14 slides
HDS Facility Expansion Engineering &amp; Permitting HERITAGE DISPOSAL &amp; STORAGE, LLC DWIGHT

HDS Facility Expansion Engineering &amp; Permitting HERITAGE DISPOSAL &amp; STORAGE, LLC DWIGHT

HDS Facility Expansion Engineering &amp; Permitting HERITAGE DISPOSAL &amp; STORAGE, LLC DWIGHT MILLER, PARAMETRIX MARK VESS, HDS May 24, 2016 PRESENTATION OUTLINE Factors considered in this presentation 1. Additional factors 2.

615 views • 25 slides
REL Data Work Group A Community Driven Project Concerns about REL data were initiated by a

REL Data Work Group A Community Driven Project Concerns about REL data were initiated by a

Collecting Race, Ethnicity, and Language (REL) Data in Minnesota Health Insurance Exchange August 29, 2012 REL Data Work Group A Community Driven Project Concerns about REL data were initiated by a group of leaders of communities affected

421 views • 6 slides
Research Project Presentation Overview 8-10 min multimedia presentation Present each

Research Project Presentation Overview 8-10 min multimedia presentation Present each

Research Project Presentation Overview 8-10 min multimedia presentation Present each section of your research paper Exclude the Abstract and Works Cited pages Engages the audience through performance and design

446 views • 5 slides
5 Questions to Test your Webinar Do you ask questjons? Presentation Do you heighten

5 Questions to Test your Webinar Do you ask questjons? Presentation Do you heighten

5 Questions to Test your Webinar Do you ask questjons? Presentation Do you heighten emotjons? Skills Do you boomerang? Do you focus on ideas? Do you extend lessons? 1 www.vignetueslearning.com

308 views • 6 slides
Storm &amp; Disaster Team Through-out Florida and the Southeast Able to Feed 3000 plus people

Storm &amp; Disaster Team Through-out Florida and the Southeast Able to Feed 3000 plus people

Storm &amp; Disaster Team Through-out Florida and the Southeast Able to Feed 3000 plus people per day. Additional Cookers available as needed. 44 Self Sustainable Mobile Kitchen. Can operate 7 continuous days without additional electrical

473 views • 13 slides
PHELPS What is Phelps? Picture helps for ideas How is it used? By asking ques&gt;ons

PHELPS What is Phelps? Picture helps for ideas How is it used? By asking ques&gt;ons

17/08/17 PHELPS What is Phelps? Picture helps for ideas How is it used? By asking ques&gt;ons Who? Doing what? Where? Construc8ng a sentence with Who, doing what, when, how Pictures 1 17/08/17 subject doing what how

308 views • 5 slides

More recommend