Presentation is loading. Please wait.

Presentation is loading. Please wait.

Rozzle De-Cloaking Internet Malware Presenter: Yinzhi Cao Slides by Ben Livshits with Clemens Kolbitsch, Ben Zorn, Christian Seifert, Paul Rebriy Microsoft.

Published byIyanna Presser Modified over 9 years ago

Similar presentations

Presentation on theme: "Rozzle De-Cloaking Internet Malware Presenter: Yinzhi Cao Slides by Ben Livshits with Clemens Kolbitsch, Ben Zorn, Christian Seifert, Paul Rebriy Microsoft."— Presentation transcript:

1 Rozzle De-Cloaking Internet Malware Presenter: Yinzhi Cao Slides by Ben Livshits with Clemens Kolbitsch, Ben Zorn, Christian Seifert, Paul Rebriy Microsoft Research

2 Static – Dynamic Analysis Spectrum 2 Entirely staticEntirely runtime + High coverage - Low precision - May not scale + High coverage - Low precision - May not scale + High precision - High overhead - Low coverage + High precision - High overhead - Low coverage Symbolic execution DART, SAGE, KLEE + High precision + Scales reasonably well ? High coverage DART, SAGE, KLEE + High precision + Scales reasonably well ? High coverage Multi-execution + High precision + High scalability + High coverage - Watch out for resource usage + High precision + High scalability + High coverage - Watch out for resource usage

3 Blacklisting Malware in Search Results 3

4 Motivation 4 Haha, I cannot belive this guy actually does this!! LOL

5 5

6 Drive-by Malware Detection Landscape 6 runtime static online (browser-based) offline (honey-monkey) Nozzle [Usenix Security ’09] Zozzle [Usenix Security ’11] Instrumented browser Looks for heap sprays Moderately high overhead Instrumented browser Looks for heap sprays Moderately high overhead Mostly static detection Low overhead, high reach Can be deployed in browser Mostly static detection Low overhead, high reach Can be deployed in browser

7 7 Search Engine Crawling

8 detect crawler Server side 8 Malware Cloaking Source IP Request (User- Agent, Browser ID) detect vulnerable target Client side Fingerprint browser & plugin versions Do this using JavaScript if (navigator.userAgent.indexOf(‘IE 6’)>=0) { var x=unescape(‘%u4149%u1982%u90 […]’); eval(x); } if (navigator.userAgent.indexOf(‘IE 6’)>=0) { var x=unescape(‘%u4149%u1982%u90 […]’); eval(x); }

9 Client-side Cloaking Defense Traditional Rozzle Single browser, one visit Appear as vulnerable as possible Single browser, one visit Appear as vulnerable as possible 9

10 Background and Related Work Drive-by Download – Exploit a client-side browser vulnerability and thus trigger a malware downloaded into client – It can be divided into Six steps. Description of Six Steps Comparing with JShield 10

11 Step One: visiting malicious web site On this stage, a benign user is visiting a malicious web site. Defense mechanism: if this web site is detected as malicious, a warning can be shown to prevent the benign user from visiting the web site (like Google Safe Browsing). 11

12 Step Two: Executing JavaScript After downloading contents to the client, JavaScript get executed. Related Work: Current works are trying to fully execute JavaScript to get a better detection rate. – Zozzle ([Usenix, 2011]): Executing JavaScript – Wepawet: Executing JavaScript and extracting JavaScript from pdf – Rozzle ([Oakland, 2012]): Symbolic execution + fingerprinting JavaScript 12

13 Step Three: Heap Spraying JavaScript will fill the heap with shellcode. Defense Mechanism: – Zozzle ([Usenix, 2011]): Machine learning – Nozzle ([Usenix, 2009]): Detecting if the heap is executable or not. 13

14 Step Four: Exploit a certain vulnerability JavaScript code will use certain pattern to trigger a native browser vulnerability. Defense mechanism: – BrowserShield: Rewrite JavaScript and check if an operation will trigger the vulnerability or not. For example, the length of an operation. 14

15 Step Five: Downloading malware After exploiting native browser vulnerability, malware is downloaded into client. Defense Mechanism: – Blade ([CCS, 2010]): Detect the GUI of downloading. If it is not from a normal GUI, reject the downloaded file. 15

16 Step Six: Executing malware After malware is downloaded, it will get executed. Related Work: – SpyProxy ([Usenix, 07]) – WebShield ([NDSS, 11]) – Provos et al. ([Usenix, 08]) 16

17 Background & Motivation: Cloaking Detecting Internet Malware Rozzle: Fighting Evasion Experiments Overview

18 Detecting Internet Malware 18 Dynamic Detection Nozzle Dynamic Detection Nozzle Static Detection Zozzle Static Detection Zozzle Zozzle: Low-overhead Mostly Static JavaScript Malware Detection [Usenix Security 2011] Bayesian classification of hierarchical features of the JavaScript abstract syntax tree. In the browser (after unpacking) Zozzle: Low-overhead Mostly Static JavaScript Malware Detection [Usenix Security 2011] Bayesian classification of hierarchical features of the JavaScript abstract syntax tree. In the browser (after unpacking)

19 Nozzle: Runtime Heap Spraying Detection 19 Normalized attack surface (NAS) good bad

20 // Shellcode var shellcode=unescape(‘%u9090%u9090%u9090%u9090%uceba%u11fa%u291f%ub1c9%udb33 […]′); bigblock=unescape(“%u0D0D%u0D0D”); headersize=20;shellcodesize=headersize+shellcode.length; while(bigblock.length<shellcodesize){bigblock+=bigblock;} heapshell=bigblock.substring(0,shellcodesize); nopsled=bigblock.substring(0,bigblock.length-shellcodesize); while(nopsled.length+shellcodesize<0×25000){nopsled=nopsled+nopsled+heapshell} // Spray var spray=new Array(); for(i=0;i<500;i++){spray[i]=nopsled+shellcode;} // Trigger function trigger(){ var varbdy = document.createElement(‘body’); varbdy.addBehavior(‘#default#userData’); document.appendChild(varbdy); try { for (iter=0; iter<10; iter++) { varbdy.setAttribute(‘s’,window); } } catch(e){ } window.status+=”; } document.getElementById(‘butid’).onclick(); shellcode unescape bigblock unescape %u0D0D%u0D0D shellcodesize shellcode.length bigblock.substring shellcodesize nopsled bigblock.substring bigblock.length shellcodesize nopsled.length shellcodesize nopsled nopsled nopsled heapshell spray spray nopsled shellcode varbdy.addBehavior #default#userData document.appendChild varbdy varbdy.setAttribute butid Zozzle: Static/Statistical Detection 20

21 Background & Motivation: Cloaking Detecting Internet Malware Rozzle: Fighting Evasion Experiments Overview

22 Environment Fingerprinting Prevents Detection Nozzle Zozzle if (navigator.userAgent.indexOf(‘IE 6’)>=0) { var x=unescape(‘%u4149%u1982%u90 […]’); eval(x); } if (navigator.userAgent.indexOf(‘IE 6’)>=0) { var x=unescape(‘%u4149%u1982%u90 […]’); eval(x); } 22 var adobe=new ActiveXObject(‘AcroPDF.PDF’); var adobeVersion=adobe.GetVariable (‘$version’); if (navigator.userAgent.indexOf(‘IE 6’)>=0 && adobeVersion == ’9.1.3’) { var x=unescape(‘%u4149%u1982%u90 […]’); eval(x); } var adobe=new ActiveXObject(‘AcroPDF.PDF’); var adobeVersion=adobe.GetVariable (‘$version’); if (navigator.userAgent.indexOf(‘IE 6’)>=0 && adobeVersion == ’9.1.3’) { var x=unescape(‘%u4149%u1982%u90 […]’); eval(x); } Is this a practical problem for our malware detectors? In 7.7% of JS files, code gets a reference to environment In 1.2%, code branches on such sensitive values 89.5% of malicious JS branches on such values In 7.7% of JS files, code gets a reference to environment In 1.2%, code branches on such sensitive values 89.5% of malicious JS branches on such values

23 Typical Malware Cloaking 23

24 More Complex Fingerprinting 24 Fingerprint: Q0193807F127J14

25 Avoiding Dynamic Crawlers 25

26 Avoiding Static Detection 26

27 How to Allocate Detection Resources? 1.4 1.5 2.0 9.0 9.1 10.0 8 9 10 … … Rozzle Clearly does not scale How many resources should be allocated to filter malicious sites? What if the site simply is not malicious? What if the site simply is not malicious? 27

28 Execute individual branches sequentially to increase coverage Static analysis: Retain much of runtime precision Branch on environment- sensitive checks No forking No snapshotting Branch on environment- sensitive checks No forking No snapshotting Symbolic execution: re- verting to a previous state similar to running multiple browsers in parallel Rozzle Multi-path execution framework for JavaScript Multiple browser profiles on single machine What it is/does Cluster of machines: too resource consuming What it is not 28

29 Multi-Execution in Rozzle var adobe=new ActiveXObject(‘AcroPDF.PDF’); var adobeVersion=adobe.GetVariable (‘$version’); if (navigator.userAgent.indexOf(‘IE 7’)>=0 && adobeVersion == ’9.1.3’) { var x=unescape(‘%u4149%u1982%u90 […]’); eval(x); } else if (adobeVersion == ’8.0.1’) { var x=unescape(‘%u4073%u8279%u77 […]’); eval(x); } … 29

30 Challenges 30 Consistent updates of variables Introduce concept of Symbolic Memory: Multiple concrete values associated with one variable New JavaScript data type Symbolic 3 subtypes symbolic value / formula / conditional Weak updates for conditional assignments Introduce concept of Symbolic Memory: Multiple concrete values associated with one variable New JavaScript data type Symbolic 3 subtypes symbolic value / formula / conditional Weak updates for conditional assignments

31 Symbolic Memory var userAgentString=0; userAgentString = navigator.userAgent; var isIE; isIE = (userAgentString.indexOf(‘IE’)>=0); … Variable: userAgentString Value: 0 Symbolic: no Variable: userAgentString Value: 0 Symbolic: no Variable: userAgentString Value: Symbolic: yes Variable: userAgentString Value: Symbolic: yes Hooks into engine, return symbolic values for Sensitive global objects: navigator.userAgent, navigator.platform, … Sensitive functions: ScriptEngine(), allocation of ActiveXObject, … Hooks into engine, return symbolic values for Sensitive global objects: navigator.userAgent, navigator.platform, … Sensitive functions: ScriptEngine(), allocation of ActiveXObject, … 31 Variable: isIE Value: = 0 > Symbolic: yes Variable: isIE Value: = 0 > Symbolic: yes

32 Symbolic Memory var isIE=false; var isIE7=false; if (navigator.userAgent.indexOf(‘IE’)>=0) { isIE=true; if (navigator.userAgent.indexOf(‘IE 7’)>=0) { isIE7=true; } if (isIE7) { … Variable: isIE7 Value: false Symbolic: no Variable: isIE7 Value: false Symbolic: no Variable: isIE Value: false Symbolic: no Variable: isIE Value: false Symbolic: no Current path predicate Value: =0 > Symbolic: yes Current path predicate Value: =0 > Symbolic: yes Variable: isIE Value: =0 > ? true : false Symbolic: yes Variable: isIE Value: =0 > ? true : false Symbolic: yes Current path predicate Value: =0 > && =0 > Symbolic: yes Current path predicate Value: =0 > && =0 > Symbolic: yes Variable: isIE7 Value: Symbolic: yes Variable: isIE7 Value: Symbolic: yes 32

33 Symbolic Memory index Of 0 0 ‘IE’ navigator. userAgent navigator. userAgent Variable: isIE Value: =0 > ? true : false Symbolic: yes Variable: isIE Value: =0 > ? true : false Symbolic: yes ? ? >= true false 33

34 Challenges Consistent updates of variables Handling loops Indirect control flow: Exception handling I/O Consistent updates of variables Handling loops Indirect control flow: Exception handling Loop condition might be symbolic, number of iterations unknown! Unroll k iterations (currently k=1) Instruction pointer checks (endless loops/recursion) Loop condition might be symbolic, number of iterations unknown! Unroll k iterations (currently k=1) Instruction pointer checks (endless loops/recursion) try -blocks regularly used to test availability of plugins ( ActiveXObjects ) catch -blocks set default values, cannot be ignored Execute catch -statement similar to else branch, add virtual if -condition: “ ActiveX supported ” try -blocks regularly used to test availability of plugins ( ActiveXObjects ) catch -blocks set default values, cannot be ignored Execute catch -statement similar to else branch, add virtual if -condition: “ ActiveX supported ” Handling symbolic values when they are… —… written to the DOM —… sent to a remote server —… executed (as part of eval ) Lazy evaluation to concrete values (only when needed) Handling symbolic values when they are… —… written to the DOM —… sent to a remote server —… executed (as part of eval ) Lazy evaluation to concrete values (only when needed) 34

35 Experiments Offline Controlled Experiment 7x more Nozzle detections Online Similar to Bing crawling Almost 4x more Nozzle detections 10.1% more Zozzle detections Overhead 1.1% runtime overhead 1.4% memory overhead 35

36 +595% runtime detections Offline Exploits hosted on our server Minimize external influences 70,000 known malicious scripts (flagged by Zozzle) Fully unrolled/de-obfuscated exploits, wrapped in HTML 36

37 List of URLs recently crawled by Bing Pre-filtering: Increase likelihood of finding malicious sites 57,000 URLs over the last week Online Dedicated machine for crawling the web Clone of the Bing malware crawler 37 Nozzle Detections 24 50 174 +203% runtime detections Zozzle Detections 225 2,510 156

38 List of URLs recently crawled by Bing Pre-filtering: Increase likelihood of finding malicious sites 57,000 URLs over the last week Online Dedicated machine for crawling the web Clone of the Bing malware crawler 38 2758 2600 2700 3000 3100 3200 3300

39 Overhead 500 randomly selected URLs crawled by Bing Slightly biased towards malicious sites (pre-filtering) Memory Overhead Median:0.6% 80 th Percentile:1.4% Runtime Overhead Median:0.0% 80 th Percentile:1.1% Average numbers of 3 repeated runs per configuration Base runs (cookie setup) 39

40 Overhead Numbers 40 1.0

41 For most sites, virtually no overhead Take Away 41 Tremendous impact on runtime detector due to increased path coverage Tremendous impact on runtime detector due to increased path coverage Visible impact on static detector Visible impact on static detector More important with growing trend to obfuscation Also improves other existing tools: Exposes detectors to additional site content

42 if (navigator.userAgent.toLowerCase().indexOf( "\x6D"+"\x73\x69\x65"+"\x20\x36")>0) document.write(" "); if (navigator.userAgent.toLowerCase().indexOf( "\x6D"+"\x73"+"\x69"+"\x65"+"\x20"+"\x37")>0) document.write(" "); try { var a; var aa=new ActiveXObject("Sh"+"ockw"+"av"+"e"+"Fl"+[…]); } catch(a) { } finally { if (a!="[object Error]") document.write(" "); } try { var c; var f=new ActiveXObject("O"+"\x57\x43"+"\x31\x30\x2E\x53"+[…]); } catch(c) { } finally { if (c!="[object Error]") { aacc = " "; setTimeout("document.write(aacc)", 3500); } Online … an example pulled from our DB… "\x6D"+"\x73\x69\x65 "+"\x20\x36" = "msie 6" "\x6D"+"\x73\x69\x65 "+"\x20\x36" = "msie 6" "\x6D"+"\x73"+"\x69"+"\ x65"+"\x20"+"\x37" = "msie 7" "\x6D"+"\x73"+"\x69"+"\ x65"+"\x20"+"\x37" = "msie 7" "O"+"\x57\x43"+"\x31\x30\x2E\x5 3"+"pr"+"ea"+"ds"+"he"+"et" = "OWC10.Spreadsheet" "O"+"\x57\x43"+"\x31\x30\x2E\x5 3"+"pr"+"ea"+"ds"+"he"+"et" = "OWC10.Spreadsheet" 42

43 Malware Roulette 43

44 Related Work Multipath Execution Symbolic Execution JavaScript Analysis Cloaking and Fingerprinting Multipath Execution Symbolic Execution JavaScript Analysis Godefroid et al, SAGE Saxena et al., A Symbolic Execution Framework for JavaScript Godefroid et al, SAGE Saxena et al., A Symbolic Execution Framework for JavaScript Cova et al, Detection and Analysis of Drive-by- Download Attacks and Malicious JavaScript Code Chen et al, WebPatrol: Automated Collection and Replay of Web-based Malware Scenarios Bisht et al, NoTamper: Automatic blackbox detection of parameter tampering opportunities in web app.s Cova et al, Detection and Analysis of Drive-by- Download Attacks and Malicious JavaScript Code Chen et al, WebPatrol: Automated Collection and Replay of Web-based Malware Scenarios Bisht et al, NoTamper: Automatic blackbox detection of parameter tampering opportunities in web app.s Eckersley, How Unique Is Your Web Browser? Plenty related research in binary malware analysis Eckersley, How Unique Is Your Web Browser? Plenty related research in binary malware analysis Moser et al., Exploring Multiple Execution Paths for Malware Analysis Brumley et al., MineSweeper Moser et al., Exploring Multiple Execution Paths for Malware Analysis Brumley et al., MineSweeper 44

45 Summary Rozzle: Multi-profile execution – Look as vulnerable as possible – Improve existing malware detectors Implementation: – Implemented on top of IE9’s JavaScript engine – Still some flaws, promising results Idea of multi-execution is promising in other contexts 45

46 Static – Dynamic Analysis Spectrum 46 Entirely staticEntirely runtime + High coverage - Low precision - May not scale + High coverage - Low precision - May not scale + High precision - High overhead - Low coverage + High precision - High overhead - Low coverage Symbolic execution DART, SAGE + High precision + Scales reasonably well ? High coverage DART, SAGE + High precision + Scales reasonably well ? High coverage Multi-execution + High precision + High scalability + High coverage - Watch out for resource usage + High precision + High scalability + High coverage - Watch out for resource usage

Download ppt "Rozzle De-Cloaking Internet Malware Presenter: Yinzhi Cao Slides by Ben Livshits with Clemens Kolbitsch, Ben Zorn, Christian Seifert, Paul Rebriy Microsoft."

Similar presentations

PHP I.

PHP I.
Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.

Presented by Vaibhav Rastogi. Current browsers try to separate host system from Web Websites evolved into web applications Lot of private data on the.
ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
Java Script Session1 INTRODUCTION.

Java Script Session1 INTRODUCTION.
1 CSC 551: Web Programming Spring 2004 client-side programming with JavaScript  scripts vs. programs  JavaScript vs. JScript vs. VBScript  common tasks.

1 CSC 551: Web Programming Spring 2004 client-side programming with JavaScript  scripts vs. programs  JavaScript vs. JScript vs. VBScript  common tasks.
GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.

GATEKEEPER MOSTLY STATIC ENFORCEMENT OF SECURITY AND RELIABILITY PROPERTIES FOR JAVASCRIPT CODE Salvatore Guarnieri & Benjamin Livshits Presented by Michael.
Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
1 Yinzhi Cao, Zhichun Li *, Vaibhav Rastogi, Yan Chen, and Xitao Wen Labs of Internet Security and Technology Northwestern University * NEC Labs America.

1 Yinzhi Cao, Zhichun Li *, Vaibhav Rastogi, Yan Chen, and Xitao Wen Labs of Internet Security and Technology Northwestern University * NEC Labs America.
Overview Motivations Basic static and dynamic optimization methods ADAPT Dynamo.

Overview Motivations Basic static and dynamic optimization methods ADAPT Dynamo.
Automated Web Patrol with Strider Honey Monkeys: Finding Web Sites That Exploit Browser Vulnerabilities AUTHORS: Yi-Min Wang, Doug Beck, Xuxian Jiang,

Automated Web Patrol with Strider Honey Monkeys: Finding Web Sites That Exploit Browser Vulnerabilities AUTHORS: Yi-Min Wang, Doug Beck, Xuxian Jiang,
Nozzle: A Defense Against Heap Spraying Attacks Ben Livshits Paruj Ratanaworabhan Ben Zorn.

Nozzle: A Defense Against Heap Spraying Attacks Ben Livshits Paruj Ratanaworabhan Ben Zorn.
Fast and Precise In-Browser JavaScript Malware Detection

Fast and Precise In-Browser JavaScript Malware Detection
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
JShield: Towards Real-time and Vulnerability-based Detection of Polluted Drive-by Download Attacks Yinzhi Cao*, Xiang Pan**, Yan Chen** and Jianwei Zhuge***

JShield: Towards Real-time and Vulnerability-based Detection of Polluted Drive-by Download Attacks Yinzhi Cao*, Xiang Pan**, Yan Chen** and Jianwei Zhuge***
An Empirical Study on the Rewritability of the with Statement in JavaScript Changhee Park (Joint work with Hongki Lee and Sukyoung Ryu) KAIST October.

An Empirical Study on the Rewritability of the with Statement in JavaScript Changhee Park (Joint work with Hongki Lee and Sukyoung Ryu) KAIST October.
S CRIPT G ARD Automatic Context-Sensitive Sanitization for Large-Scale Legacy Web Applications Prateek Saxena UC Berkeley David Molnar Microsoft Research.

S CRIPT G ARD Automatic Context-Sensitive Sanitization for Large-Scale Legacy Web Applications Prateek Saxena UC Berkeley David Molnar Microsoft Research.
Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,

Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,
Tutorial 10 Programming with JavaScript

Tutorial 10 Programming with JavaScript
Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.

Leveraging User Interactions for In-Depth Testing of Web Applications Sean McAllister, Engin Kirda, and Christopher Kruegel RAID ’08 1 Seoyeon Kang November.
Computer Security and Penetration Testing

Computer Security and Penetration Testing

Similar presentations

Ads by Google