Presentation is loading. Please wait.

Presentation is loading. Please wait.

Abusing File Processing in Malware Detectors for Fun and Profit Suman Jana and Vitaly Shmatikov The University of Texas at Austin.

Published byTanya Stoffer Modified over 10 years ago

Similar presentations

Presentation on theme: "Abusing File Processing in Malware Detectors for Fun and Profit Suman Jana and Vitaly Shmatikov The University of Texas at Austin."— Presentation transcript:

1 Abusing File Processing in Malware Detectors for Fun and Profit Suman Jana and Vitaly Shmatikov The University of Texas at Austin

2 All about sophisticated detection and evasion techniques o Polymorphism, metamorphism, obfuscation… Modern malware research

3 All about sophisticated detection and evasion techniques o Polymorphism, metamorphism, obfuscation.. the world’s best malware detector the world’s simplest virus no changes to virus content against Topic of this talk

4 Malware researcher’s view of malware detection malware detector honeypot malware

5 users internet gateway malware detector parse infer file type How malware detectors work in practice internet intranet

6 Detection algorithms are type-specific Parsing depends on file type Detectors may skip less vulnerable types like MPEG efficiency Why must malware detectors infer file types? correctness

7 Parsing in malware detectors macros foo Archive filesHTML filesWord documents find macrosextract files remove whitespace characters

8 Parsing in malware detectors MS CAB MS CHMJavaScript PDF MS EXE ELF Adobe Flash RTF MS PPT(X) COFF bzip COM MS DLL 7-zipJAR GIF MP3 JPEG

9 Why must malware detectors parse before detection? Identify executable content o Macros in Word files o Code segments in PE, ELF o JavaScript in CHM Normalize input to a form suitable for detection o Decompress o Preprocess HTML Separate metadata from content detectors must parse lots of file formats

10 File-type inference and parsing take place in two different places internet infer file type parse if uninfected malware detectoruser application/OS parse difference = potential evasion infer file type

11 Exhibit A (CVE-2012-1419) TAR files: ustar at offset 257 mirc.ini files: [aliases] at offset 0 TAR archive eicar.com\0 header initial 100 bytes contains the name of first file ustar eicar.com

12 TAR files: ustar at offset 257 mirc.ini files: [aliases] at offset 0 TAR archive [aliases].com\0 header filename changes but the content is unmodified ustar Exhibit A (CVE-2012-1419) eicar.com

13 Vulnerable detectors

14 Exhibit B (CVE-2012-1463) Executable and Linkable Format (ELF) offset 5 1 : little-endian 2 : big-endian header 1 1

15 Exhibit B (CVE-2012-1463) offset 5 1 : little-endian 2 : big-endian header 2 2 Linux ELF loader does not use this byte but most malware detectors do Executable and Linkable Format (ELF)

16 Vulnerable detectors

17 Exhibit C (CVE-2012-1461) gzip eicar.tar eicar.tar.1eicar.tar.2 eicar.tar.gz most detectors cannot parse such files correctly but gunzip does

18 Vulnerable detectors

19 Exhibit D (CVE-2012-1459) TAR archive layout most detectors ignore checksum field length header 1 header 2 uninfected file checksum

20 Exhibit D (CVE-2012-1459) TAR archive layout length header 1 wrong checksum header 2 uninfected file most detectors ignore checksum field GNU tar ignores header with wrong checksum, extracts malware

21 Vulnerable detectors

22 Many more attacks 45 different CVE reports for previously unknown evasion exploits 9 file formats 13 applications

23 36 tested detectors – ALL vulnerable

24 You might be thinking… Aren’t these well-known bugs?

25 Response from AV vendors OMG! These exploits completely bypass our detection engines o Patches are being pushed out

26 You might be thinking… Aren’t these the same as browser content-sniffing bugs? No

27 Content-sniffing bugs in browsers MIME content sniffing in Web browsers can be exploited for XSS attacks o First reported by Palant (2007) and Nazario (2009) Defense for browsers [Barth et al.]: prefix-disjoint signatures… does not work for malware detectors o Signatures for many formats that detectors must deal with are not prefix-disjoint

28 You might be thinking… These attacks affect only archive formats

29 Does this affect only archive formats? No, we have attacks against ELF, PE, MS CHM, MS Word, etc. What is an archive format anyway? o Many modern formats (e.g. PDF, MS Word) allow embedding different types of content

30 You might be thinking… Behavioral detection will save us

31 No, behavioral detection will not save you infer file type parse malware detectoruser application/OS parse they must be exactly the same For behavioral detection to work here …. infer file type

32 Possible solutions Write better parsers On-access scanning o Does not work in network/cloud detectors Better integration of malware detectors with applications o Applications can share intermediate state after parsing with cloud/network detectors nonstarter only works for archive files

33

Download ppt "Abusing File Processing in Malware Detectors for Fun and Profit Suman Jana and Vitaly Shmatikov The University of Texas at Austin."

Similar presentations

InterScan AppletTrap Zhang Hong Trend Micro, AppletTrap Team 2001.09.18 (Nanjing)

InterScan AppletTrap Zhang Hong Trend Micro, AppletTrap Team (Nanjing)
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.

Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
Sean Ford, Macro Cova, Christopher Kruegel, Giovanni Vigna University of California, Santa Barbara ACSAC 2009.

Sean Ford, Macro Cova, Christopher Kruegel, Giovanni Vigna University of California, Santa Barbara ACSAC 2009.
Day 4-1-1 anti-virus 3-3-1.anti-virus 1 detecting a malicious file malware, detection, hiding, removing.

Day anti-virus anti-virus 1 detecting a malicious file malware, detection, hiding, removing.
Course 201 – Administration, Content Inspection and SSL VPN

Course 201 – Administration, Content Inspection and SSL VPN
Malware Ge Zhang Karlstad Univeristy. Focus What malware are Types of malware How do they propagate How do they hide How to detect them.

Malware Ge Zhang Karlstad Univeristy. Focus What malware are Types of malware How do they propagate How do they hide How to detect them.
1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 05 Malicious Software Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,

Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,
CS 349: WebBase 1 What the WebBase can and can’t do?

CS 349: WebBase 1 What the WebBase can and can’t do?
Automated Web Patrol with Strider HoneyMonkeys Present by Zhichun Li.

Automated Web Patrol with Strider HoneyMonkeys Present by Zhichun Li.
0wning Antivirus Alex Wheeler Neel Mehta

0wning Antivirus Alex Wheeler Neel Mehta
Beyond Anti-Virus by Dan Keller 1987- Fred Cohen- Computer Scientist “there is no algorithm that can perfectly detect all possible computer viruses”

Beyond Anti-Virus by Dan Keller Fred Cohen- Computer Scientist “there is no algorithm that can perfectly detect all possible computer viruses”
RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL.

RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL.
Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.

Jarhead Analysis and Detection of Malicious Java Applets Johannes Schlumberger, Christopher Kruegel, Giovanni Vigna University of California Annual Computer.
CAS: A FRAMEWORK OF ONLINE DETECTING ADVANCE MALWARE FAMILIES FOR CLOUD-BASED SECURITY From: First IEEE International Conference on Communications in China:

CAS: A FRAMEWORK OF ONLINE DETECTING ADVANCE MALWARE FAMILIES FOR CLOUD-BASED SECURITY From: First IEEE International Conference on Communications in China:
CISC 879 - Machine Learning for Solving Systems Problems Presented by: Akanksha Kaul Dept of Computer & Information Sciences University of Delaware SBMDS:

CISC Machine Learning for Solving Systems Problems Presented by: Akanksha Kaul Dept of Computer & Information Sciences University of Delaware SBMDS:
CAP6135: Malware and Software Vulnerability Analysis Viruses Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Viruses Cliff Zou Spring 2011.
©2015 Check Point Software Technologies Ltd. 1 [Restricted] ONLY for designated groups and individuals Preventing the next breach or discovering the one.

©2015 Check Point Software Technologies Ltd. 1 [Restricted] ONLY for designated groups and individuals Preventing the next breach or discovering the one.

Similar presentations

Ads by Google