Testing Exploits and Malware in an isolated environment Luca Allodi – Fabio Massacci – Vadim Kotov

Slides:



Advertisements
Similar presentations
Chapter 17: WEB COMPONENTS
Advertisements

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
Smashing the Stack for Fun and Profit
Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
By Hiranmayi Pai Neeraj Jain
Review: Software Security David Brumley Carnegie Mellon University.
Framing Signals— A Return to Portable Shellcode
Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities Y.-M. Wang, D. Beck, X. Jiang in Proceedings of.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
Chapter 9 Comparing Web Technologies. Agenda Browser Hypertext Markup Language (HTML) Common Gateway Interface Web Application Server Plug-in.
Buffer Overflow By: John Quach and Napoleon N. Valdez.
Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,
Active X Microsoft’s Answer to Dynamic Content Reference: Using Active X by Brian Farrar QUE
Security+ Guide to Network Security Fundamentals, Third Edition
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
Computer Security and Penetration Testing
Browser Exploitation Framework (BeEF) Lab
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
VMWare Workstation Installation. Starting Vmware Workstation Go to the start menu and start the VMware Workstation program. *Note: The following instructions.
Introduction to HP LoadRunner Getting Familiar with LoadRunner >>>>>>>>>>>>>>>>>>>>>>
Niels Provos and Panayiotis Mavrommatis Google Google Inc. Moheeb Abu Rajab and Fabian Monrose Johns Hopkins University 17 th USENIX Security Symposium.
Malware Fighting Spyware, Viruses, and Malware Ch 4.
Hands-On Virtual Computing
1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),
Using Virtualization in the Classroom. Using Virtualization in the Classroom Session Objectives Define virtualization Compare major virtualization programs.
A Crawler-based Study of Spyware on the Web Authors: Alexander Moshchuk, Tanya Bragin, Steven D.Gribble, and Henry M. Levy University of Washington 13.
Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title,
Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.
3-Protecting Systems Dr. John P. Abraham Professor UTPA.
Let’s look at an example I want to write an application that reports the course scores to you. Requirements: –Every student can only get his/her score.
1 © 2004, Cisco Systems, Inc. All rights reserved. CISCO CONFIDENTIAL Using Internet Explorer 7.0 to Access Cisco Unity 5.0(1) Web Interfaces Unity 5.0(1)
CERN IT Department CH-1211 Genève 23 Switzerland t Windows Desktop Applications Life-cycle Management Sebastien Dellabella, Rafal Otto Internet.
CSCE 201 Web Browser Security Fall CSCE Farkas2 Web Evolution Web Evolution Past: Human usage – HTTP – Static Web pages (HTML) Current: Human.
Interception and Analysis Framework for Win32 Scripts (not for public release) Tim Hollebeek, Ph.D.
CNIT 127: Exploit Development Ch 4: Introduction to Format String Bugs.
CSE 4481 Computer Security Lab Mark Shtern. INTRODUCTION.
Distributed Denial of Service Attacks Shankar Saxena Veer Vivek Kaushik.
Understanding Computer Viruses: What They Can Do, Why People Write Them and How to Defend Against Them Computer Hardware and Software Maintenance.
Module 2 – User Safety Privacy Attacks on end users Browser vulnerabilities.
Overflows & Exploits. In the beginning 11/02/1988 Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating,
VMWare Workstation Installation. Starting Vmware Workstation Go to the start menu and start the VMware Workstation program. *Note: The following instructions.
Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.
Operating Systems Security
0wning the koobface botnet. intro web 2.0 botnet spreads through social networks –facebook –myspace –twitter, etc.
Understand Malware LESSON Security Fundamentals.
Buffer Overflows Taught by Scott Coté.-. _ _.-. / \.-. ((___)).-. / \ /.ooM \ / \.-. [ x x ].-. / \ /.ooM \ -/ \ /-----\-----/---\--\ /--/---\-----/-----\ / \-
Information Security - 2. A Stack Frame. Pushed to stack on function CALL The return address is copied to the CPU Instruction Pointer when the function.
Group 9. Exploiting Software The exploitation of software is one of the main ways that a users computer can be broken into. It involves exploiting the.
Mark Shtern.  Our life depends on computer systems  Traffic control  Banking  Medical equipment  Internet  Social networks  Growing number of.
Selenium server By, Kartikeya Rastogi Mayur Sapre Mosheca. R
CNIT 127: Exploit Development Ch 8: Windows Overflows Part 1.
Vulnerabilities in Operating Systems Michael Gaydeski COSC December 2008.
1 Offensive technologies Fall 2015 Lecture 4 – The MalwareLab - reprise Luca Allodi
Powerpoint presentation on Drive-by download attack -By Yogita Goyal.
TUF: Secure Software Updates Justin Cappos NYU Poly Computer Science and Engineering.
Tips for using Java with Internet Explorer
Let’s look at an example
Return Oriented Programming
Protecting Memory What is there to protect in memory?
Web Concepts Lesson 2 ITBS2203 E-Commerce for IT.
Protecting Memory What is there to protect in memory?
Protecting Memory What is there to protect in memory?
CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst
Smashing the Stack for Fun and Profit
Week 2: Buffer Overflow Part 2.
Return-to-libc Attacks
Presentation transcript:

Testing Exploits and Malware in an isolated environment Luca Allodi – Fabio Massacci – Vadim Kotov Bromium Inc., Cupertino CA ) –

 Laboratory to measure malware as a “software artifact”  Does the malware/exploit work?  Under which circumstances?  How does it perform under different assumptions?  Disconnected from the network  At the moment located in Povo2, Floor 1  Soon to be moved and renovated

VICTIM 1VICTIM 2VICTIM 3 Malware Distribution Server (MDS) Virtualizes: XPSP0 XP SP1 XP SP2 XPSP3 Virtualizes Vista SP0 Vista SP1 Vista SP2 Virtualizes Seven SP0 Seven SP1

 Python infrastructure  Automatically operate on Virtual Machines  Create, delete, restore VM Snapshots  Automatically install and verify software configurations on the VMs  Configuration file contains list of software  Script pushes the software on VM, lunches silent install  Possibility to verify the install with a batch file  Firefox, Opera, Java, Quicktime, Flash, Adobe Reader  Automated mechanism to verify exploit successfulness.  Fully modularized - Easy to add functionalities / software/malware

1.Requests web page to malicious server 2.Receives HTML exploit page 3.If exploit is successful, shellcode downloads malware of some sort 4.Computer is infected 1 2 3

 Question: How resilent are cybercrime ekits to software updates?  Exploit kits span from ( )  How we chose the exploit kits ▪ Release date ▪ Popularity (as reported in industry reports) ▪ CrimePack, Eleonore, Bleeding Life, Shaman, …  Software: most popular one  Windows XP, Vista, Seven ▪ All service packs are treated like independent operating systems  Browsers: Firefox, Internet explorer  Plugins: Flash, Acrobat Reader, Java  247 software versions  spanning from 2005 to 2013  We randomly generate 180 sw combinations (times 9 Operating Systems) to be the configurations we test

Malware Distribution Server (MDS) Exploit kit 1 Exploit kit 2.. Exploit kit 10 Virtualizes Vista SP0 -Conf Vista SP1 -Conf Vista SP2 -Conf Virtualizes Seven SP0 -Conf Seven SP1 -Conf Virtualizes: XPSP0 -Conf XP SP1 -Conf XP SP2 -Conf XPSP3 -Conf

 One configuration for: Windows XP Service Pack 2  Firefox  Flash  Acrobat Reader  Quicktime  Java  One configuration for: Windows Seven Service Pack 1  Firefox  Flash  Acrobat Reader  Quicktime: No version  Java 6.27

VICTIM 1 Malware Distribution Server (MDS) Victim 2Victim 3 Virtual Box Interface Windows XP Service Pack 0 Windows XP Service Pack 0 Control Scripts in Python Linux Ubuntu Firefox Plugin 1 Plugin 1 “Install configuration 1” 1.Pushes installers, installs software 2.Checks Install: push batch file on VM 3.Saves Configuration snapshot Plugin 2 Plugin 2 Plugin 3 Plugin 3 Plugin 4 Plugin 4 Pushes installers, installs softwareChecks install: push batch file on VM ✓ ✓✓ ✓ ✓ Saves Configuration snapshot Configuration Snapshot “Lunch against Exploit Kits” For x in 1..10: Restore(“Configuration snapshot”) Lunch(VM, EKIT(x)) Delete(“Configuration snapshot”) Restore Configuration Snapshot Lunch(VM, EKIT(1)) Configuration Snapshot (attacked) Lunch(VM, EKIT(x)) Restore Configuration snapshot Delete(“Configuration snapshot”) “Install configuration 2” …. “Install configuration 180” …. “End”

VICTIM 1VICTIM 2VICTIM 3 Malware Distribution Server (MDS) GET /Exploit Kit/ HTTP/1.1 Send Exploit If exploit is successful -> Requests “Casper” From MDS Set “Successful”= 1 In MDS table Infections Casper The “good-ghost-in-the-browser” malware

 MalwareLab & Ekits:  CSET ’13: MalwareLab: Experimentation with Cybercrime Attack Tools.  ESSoS ’13: Anatomy of Exploit Kits - Preliminary Analysis of Exploit Kits as Software Artefacts.  Exploitation 101  [BOOK] HACKING: The Art of Exploitation – Erickson  Phrack Magazine: Smashing The Stack For Fun And Profit  Advanced exploitation  Usenix ’11 – Q: Exploit Hardening Made Easy  Blackhat JUST-IN-TIME CODE REUSE: THE MORE THINGS CHANGE, THE MORE THEY STAY THE SAME  Usenix ’14 - ROP is Still Dangerous: Breaking Modern Defenses  Usenix ‘14 - Size Does Matter: Why Using Gadget - Chain Length to Prevent Code-Reuse Attacks is Hard  IEEE Symposium on Security & Privacy ’14: Framing Signals — A Return to Portable Shellcode  Tools  Damn Vulnerable Linux  gcc, gdb  MalwareLab

 Exploit kit inner workings  Overview of an exploit  Acrobat Reader, CVE  Demo of attack

 Buffer overflow: a variable can grow arbitrarily big in memory  No control over its size  If the attacker can control the variable, he can write into memory outside of the variable boundaries  It is possible to hijack program execution by redirecting it to a shellcode injected by the attacker  Shellcode can execute actions such as downloading and executing malware

RET Instruction n NOP …. RET Return Address in stack frame First byte where the overflow starts Variable’s first byte Memory space affected by Buffer Overflow Shellcode Instruction 1 RET overfill NOP Sled High memory address Low memory address

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.