
Sophisticated Approaches to Penetrate Highly Secured Systems



  1. Sophisticated Approaches to Penetrate Highly Secured Systems
     Claes Adam Wendelin, April 20, 2017
     Chair of Network Architectures and Services, Department of Informatics, Technical University of Munich

  2. Contents
     • Background
     • System penetration
       • Quantum insert
     • Malware detection
       • Static analysis
       • Dynamic analysis
       • Heuristic analysis
       • Kernel integrity protection
     • Bibliography
     A. Wendelin – Malware Detection 2

  3. Incentives
     • Economic
       • £27 billion
       • $1.7–$4.2 million
     • Information

  4. Advanced Persistent Threats
     Figure 1: APT attack pyramid [2]

  5. System penetration
     • Quantum Insert
       • How does it work?
       • What is required?
       • Detection?
     Figure 2: Quantum insert [3]

  6. Techniques to detect malware
     • Static analysis
     • Dynamic analysis
     • Heuristic analysis
     • Kernel integrity protection

  7. Static analysis
     • Analyze the binary to determine its intent
     • Syntactic signature detection
     • Semantic signature detection
     • Packing to hinder analysis

  8. Static analysis using syntactic signature detection
     • What does the malware look like?
     • Hash functions and databases
     • Weak against code obfuscation
       • Randomizing the order of 10 independent submodules yields 10! = 3628800 permutations
     • Polymorphic and metamorphic malware
     Figure 3: Instruction reordering [1]

  9. Dynamic analysis
     • Execute the malware to observe it
     • Emulated or real-time
     • Syntactic signature detection
       • Polymorphic malware
     • Semantic signature detection

  10. Dynamic analysis with semantic signature detection
     • How does the malware behave?
       • System calls
       • Behavior graphs
     • Robust against code obfuscation
       • Behavior is hard to randomize
     • Generalization of signatures
     Figure 4: Behavior graph [5]
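Slides 8 and 10 contrast hash-based (syntactic) signatures with behavior-based (semantic) ones. The following Python example is added here and is not code from the slides or from the cited papers; it uses a constructed toy trace of three independent submodules and a deliberately simplified behavior graph (an edge whenever two system calls touch the same object), not the graph model of [5]. It shows that every reordering of the submodules defeats a byte-level hash, while the data-flow signature stays identical.

```python
import hashlib
import itertools
import math
from typing import Dict, FrozenSet, List, Tuple
Call = Tuple[str, str]  # (system call, object it operates on)

# Constructed toy sample (not a real malware trace): three independent
# submodules, each a short system-call sequence. Reordering whole submodules
# leaves behaviour intact but changes the byte layout a hash would see.
SUBMODULES: Dict[str, List[Call]] = {
    "read_config": [("open", "cfg.ini"), ("read", "cfg.ini")],
    "drop_file":   [("open", "out.dat"), ("write", "out.dat")],
    "phone_home":  [("socket", "sock0"), ("connect", "sock0")],
}
def build_variant(order: Tuple[str, ...]) -> List[Call]:
    """One reordered variant: submodules concatenated in the given order."""
    return [call for name in order for call in SUBMODULES[name]]

def syntactic_signature(trace: List[Call]) -> str:
    """Hash over the literal layout; any reordering yields a new digest."""
    return hashlib.sha256(repr(trace).encode()).hexdigest()

def behavior_signature(trace: List[Call]) -> FrozenSet[Tuple[Call, Call]]:
    """Simplified behaviour graph: an edge A -> B whenever B operates on an
    object that A touched earlier. The edge set captures data flow only, so
    it is the same no matter where each submodule sits in the binary."""
    edges = set()
    last_on_object: Dict[str, Call] = {}
    for call in trace:
        obj = call[1]
        if obj in last_on_object:
            edges.add((last_on_object[obj], call))
        last_on_object[obj] = call
    return frozenset(edges)

def distinct_signatures(signature_fn) -> int:
    """Number of distinct signatures a detector must store to cover every
    reordering variant of the sample."""
    names = tuple(SUBMODULES)
    return len({signature_fn(build_variant(p)) for p in itertools.permutations(names)})

def permutations_for(n_submodules: int) -> int:
    """Reordering variants of n independent submodules; slide 8's 10 give 10!."""
    return math.factorial(n_submodules)

if __name__ == "__main__":
    print("syntactic signatures needed:", distinct_signatures(syntactic_signature))
    print("behavior signatures needed:", distinct_signatures(behavior_signature))
    print("variants for 10 submodules:", permutations_for(10))
```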

  11. Heuristic analysis
     • Machine learning and data mining
     • Automation of malware specifications
     • Feature vector
       • System calls
       • OpCode
     • Robustness?
       • False positive rates

  12. Kernel integrity protection
     • The kernel rules the computer
       • input-output
       • running processes
       • network
     • Control manipulation
       • Pointer tampering
     • Data manipulation
       • Inconsistent data structures

  13. Kernel integrity protection with shadow pointers
     • Verify access to function pointers
     Figure 5: Shadow pointers [7]

  14. Kernel integrity protection with signed drivers
     • Digitally sign drivers
     • Assumes that signed code is safe
     • What if signed code is not safe?
       • Windows and VirtualBox
       • Return-oriented rootkits

  15. Return-oriented rootkits
     Figure 6: Return-oriented attacks [4]

  20. Conclusion
     • Detecting malware is hard
     • Detecting malware is getting harder
     • Syntactic signature detection is broken
     • Heuristics and behavior detection are promising areas
     • Keeping the kernel's integrity is important

  21. Questions?
     • Claes Adam Wendelin
     • claesadam.wendelin@in.tum.de

  22. Bibliography
     [1] E. Al Daoud, I. H. Jebril, and B. Zaqaibeh. Computer virus strategies and detection methods. Int. J. Open Problems Compt. Math, 1(2):12–20, 2008.
     [2] P. Giura and W. Wang. Using large scale distributed computing to unveil advanced persistent threats. Science J, 1(3):93–105, 2012.
     [3] L. Haagsma. Deep dive into quantum insert. Online at https://blog.fox-it.com/2015/04/20/deep-dive-into-quantuminsert, 2015.
     [4] R. Hund, T. Holz, and F. C. Freiling. Return-oriented rootkits: Bypassing kernel code integrity protection mechanisms. In USENIX Security Symposium, pages 383–398, 2009.

  23. Bibliography (continued)
     [5] C. Kolbitsch, P. M. Comparetti, C. Kruegel, E. Kirda, X.-y. Zhou, and X. Wang. Effective and efficient malware detection at the end host. In USENIX Security Symposium, pages 351–366, 2009.
     [6] J. Postel and J. Reynolds. File Transfer Protocol (FTP), 1985. https://tools.ietf.org/html/rfc959.
     [7] Z. Wang, X. Jiang, W. Cui, and X. Wang. Countering persistent kernel rootkits through systematic hook discovery. In International Workshop on Recent Advances in Intrusion Detection, pages 21–38. Springer, 2008.
