KLIMAX: Profiling Memory Write Patterns to Detect Keystroke-Harvesting Malware Stefano Ortolani 1, Cristiano Giuffrida 1, and Bruno Crispo 2 1 Vrije Universiteit 2 University of Trento 左昌國 ADLab, NCU-CSIE 14 th International Symposium on Recent Advances in Intrusion Detection (RAID 2011)
Outline Introduction Approach Optimization Evaluation Discussion Related Work Conclusions 2
Introduction Keylogger detection Signature-based solutions Evasion techniques Signature producing time Behavior-based solutions (system calls or library calls invoking) False positives False negatives 3
Introduction This paper proposes a new behavior-based detection model KLIMAX : Kernel-Level Infrastructure for Memory And eXecution profiling Based on memory write pattern profiling Proactive and Reactive Previous work Stefano Ortolani, Cristiano Giuffrida, and Bruno Crispo, Bait your Hook: a Novel Detection Technique for Keyloggers, RAID 2010Bait your Hook: a Novel Detection Technique for Keyloggers Comparing I/O patterns FN: by delaying or disguising I/O activities 4
Approach To ascertain the correlation between the stream of issued keystrokes and the memory writes a process exhibits. High correlation means keylogging behaviors exist. No virtualization techniques Kernel-level solution Does not provide kernel rootkit detection 5
Approach 6
Detector The detector uses the statistical suite R to randomly generate patterns Write patterns received from the Injector Categorized: data, stack, heap Computing the correlation between 2 patterns PCC: Pearson product-moment Correlation Coefficient Injector A virtual keyboard driver Converting patterns into keystroke streams 7
Approach IDT – Interrupt Descriptor Table ref 8
Approach 9
Shadower Classifier 10
Approach 11
Optimization To reduce the false positives and false negatives Many benign applications would register callback functions to intercept keystroke event High correlation The callback mechanism is implemented in USER32.dll Transient memory write patterns on stacks at callback execution time(short-lived stack) avoid logging any memory writes performed by USER32.dll Identifying long-lived regions of the stack during execution Excluding any other stack region Adaptive algorithm to identify long-lived stack Initially, marking entire stack as long-lived stack As the execution progresses, sampling the stack pointer of each thread at regular time intervals and update the deepest value. 12
Evaluation Synthetic Evaluation 13
Evaluation 14
Evaluation False Positive Analysis Static binary analysis(or dynamic analysis) Standard API SetWindowsHookEx, GetKeyState, GetAsyncKeyState ( from USER32.dll) Hotkey registration API RegisterHotKey 15
Discussion The main strength of the detection strategy is to detect keylogging behavior within short windows of observation even for malware buffering data for a long time. False Positives If a benign application keeps sensitive data in global memory regions this is unnecessary behavior In the False Negative evaluation 2 samples represent that proactive method is not a good idea Event trigger based “reactive” should be good 16
Related Work Behavior-based approach (malware detection) Polymorphic malicious executable scanner by api sequence analysis Malware profiling Behavior-based spyware detection Effective and efficient malware detection at the end host API correlation Detecting bots based on keylogging activities Bait your hook: a novel detection technique for keyloggers 17
Conclusions KLIMAX: a kernel-level infrastructure to analyze and detect malware with generic keylogging behavior Can be deployed on unmodified Windows-based systems Proactive detection No false positives No false negatives (the keylogging bahavior is triggered within the window of observation) Reactive detection Policy-based reactive detection No false negatives in “general” case Antivirus misclassified several malware 18