Presentation is loading. Please wait.

Presentation is loading. Please wait.

Finding Diversity in Remote Code Injection Exploits Justin Ma, John Dunagan, Helen J. Wang, Stefan Savage, Geoffrey M. Voelker *University of California,

Published byMilo Leonard Modified over 8 years ago

Similar presentations

Presentation on theme: "Finding Diversity in Remote Code Injection Exploits Justin Ma, John Dunagan, Helen J. Wang, Stefan Savage, Geoffrey M. Voelker *University of California,"— Presentation transcript:

1 Finding Diversity in Remote Code Injection Exploits Justin Ma, John Dunagan, Helen J. Wang, Stefan Savage, Geoffrey M. Voelker *University of California, San Diego *Microsoft Research

2 2 Encountering new malware Have I seen this before? How closely related is it to what I have seen before?

3 3 Practical considerations ? New defense?

4 4 Theoretical considerations ? ? Evolutionary relationship?

5 5 Grouping similar malware together… Ultimately, construct malware families Anti-virus industry is active in this area

6 6 Motivation 710 new families 40,000 new variants Family and variant defined in ad-hoc fashion… Is there a systematic way to determine the nature of this diversity?

7 7 Exploit diversity Attacker MS RPC Request Exploit

8 8 Polymorphism Attacker Encrypted

9 9 Behind the encryption… Attacker

10 10 Differing constants Attacker Different IP address

11 11 Functional differences Attacker Waiting for a connection

12 12 Different code base Attacker Calling “tftp.exe”

13 13 ISystemActivator vulnerability 1,561 exploit attempts How different are they? 90 unique payloads

14 14 Our goal Automatically construct phylogeny, or family tree of exploits

15 15 Outline for this talk On classifying shellcodes Steps for systematically studying shellcodes –Trace collection –Shellcode extraction –Shellcode decryption –Comparing samples –Cluster analysis Post-hoc manual inspection to validate –Look at the code!

16 16 Why shellcodes? Our study focuses on exploits They are packaged with the exploit –First foreign code that executes on a newly infected machine –Part of exploit with most leeway for variation Primary challenge: collecting and analyzing shellcodes

17 17 Remote code injection attacks Victim Victim’s stack memory high low MS RPC Request Exploit Shellcode Flow of execution Decrypted shellcode Vulnerable buffer

18 18 Trace collection Studying 5 vulnerabilities Residential –2-day trace –Windows XP SP2 –29 unused DSL IP addresses –4,400 exploit samples Enterprise Trace –1 Hour –Active responders –5x /24 subnets –1,500 exploit samples

19 19 Shellcode extraction Shield (Sigcomm’04) –Framework for specifying network-based protocols and vulnerabilities –Extracts shellcodes from raw network packets

20 20 Shellcode decryption Shellcode is encrypted –Use shellcode’s own decryption loop! Limited emulation –Similar to generic decryption technique used for viruses

21 21 Comparing samples: Candidate metrics Edit distance –Too specific: non-code portions of payload made related exploits unnecessarily distant Structural distance –Control flow graph over basic blocks –Basic blocks summarized with a color/hash –Too general: did not capture subtle instruction variations between exploit families

22 22 Comparing samples: Final metric Exedit distance metric –Edit distance over executed parts of shellcode Distinguishes code from data Maintains instruction-level details Canonical string for shellcode

23 23 Cluster analysis Need to group samples using the exedit distance metric Agglomerative clustering –Each iteration, merge closest pair of clusters –Cluster distance = distance of furthest samples between two clusters

24 24 Results Caught exploits for 5 vulnerabilities over traces Summary for residential trace ExploitsUnique exploits Families SQL Resolution76721 LSASS1,769565 ISystemActivator1,561906 RemoteActivation338 2

25 25 ISystemActivator 10% clustering threshold Need to manually verify this… 6 families

26 26 ISystemActivator 4-byte decoding key Kernel-address loading function Function-finding block

27 27 ISystemActivator 4-byte decoding key Kernel-address loading function Function-finding block 4-byte encoding key Kernel base loaderFunction finder

28 28 ISystemActivator Longest payload Many function blocks in middle of payload

29 29 ISystemActivator Command-line call to “tftp.exe”

30 30 ISystemActivator Different instructions in parts, otherwise very similar

31 31 ISystemActivator “Bind” version “Connect-back” version

32 32 Conclusions Systematic method for classifying exploits –Exploit collection –Shellcode extraction and decryption –Shellcode comparison using exedit distance –Group exploits with clustering Similarity between samples in computed phylogenies corresponded well with observed differences Useful step toward automating malware classification

Download ppt "Finding Diversity in Remote Code Injection Exploits Justin Ma, John Dunagan, Helen J. Wang, Stefan Savage, Geoffrey M. Voelker *University of California,"

Similar presentations

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.

Wenke Lee and Nick Feamster Georgia Tech Botnet and Spam Detection in High-Speed Networks.
Discovering and Exploiting Program Phases Timothy Sherwood, Erez Perelman, Greg Hamerly, Suleyman Sair, Brad Calder CSE 231 Presentation by Justin Ma.

Discovering and Exploiting Program Phases Timothy Sherwood, Erez Perelman, Greg Hamerly, Suleyman Sair, Brad Calder CSE 231 Presentation by Justin Ma.
Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.

Chapter 19: Computer and Network Security Techniques Business Data Communications, 6e.
Joshua Mason, Sam Small Johns Hopkins University Fabian Monrose University of North Carolina Greg MacManus iSIGHT Partners 16th ACM CCS.

Joshua Mason, Sam Small Johns Hopkins University Fabian Monrose University of North Carolina Greg MacManus iSIGHT Partners 16th ACM CCS.
Network Intrusion Detection Systems Presented by Keith Elliott.

Network Intrusion Detection Systems Presented by Keith Elliott.
The Phoenix Recovery System: Rebuilding from the ashes of an Internet catastrophe Flavio Junqueira, Ranjita Bhagwan, Keith Marzullo, Stefan Savage, and.

The Phoenix Recovery System: Rebuilding from the ashes of an Internet catastrophe Flavio Junqueira, Ranjita Bhagwan, Keith Marzullo, Stefan Savage, and.
5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.

5/1/2006Sireesha/IDS1 Intrusion Detection Systems (A preliminary study) Sireesha Dasaraju CS526 - Advanced Internet Systems UCCS.
1 Real Time Polymorphic Shellcode Detection Evgeny Pinchuk Radware SOC Team.

1 Real Time Polymorphic Shellcode Detection Evgeny Pinchuk Radware SOC Team.
On Deriving Unknown Vulnerabilities from Zero-Day Polymorphic Worm Exploits.

On Deriving Unknown Vulnerabilities from Zero-Day Polymorphic Worm Exploits.
Inferring Internet Denial-of- Service Activity David Moore, Geoffrey M Voelker, Stefan Savage Presented by Yuemin Yu – CS290F – Winter 2005.

Inferring Internet Denial-of- Service Activity David Moore, Geoffrey M Voelker, Stefan Savage Presented by Yuemin Yu – CS290F – Winter 2005.
Chapter 9 Security 9.7 - 9.8 Malware Defenses. Malware Can be used for a form of blackmail. Example: Encrypts files on victim disk, then displays message.

Chapter 9 Security Malware Defenses. Malware Can be used for a form of blackmail. Example: Encrypts files on victim disk, then displays message.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 11 Managing and Monitoring a Windows Server 2008 Network.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 11 Managing and Monitoring a Windows Server 2008 Network.
Michael Vrable, Justin Ma, Jay Chen, David Moore, Erik Vandekieft, Alex C. Snoeren, Geoffrey M. Voelker, and Stefan Savage Presenter: Martin Krogel.

Michael Vrable, Justin Ma, Jay Chen, David Moore, Erik Vandekieft, Alex C. Snoeren, Geoffrey M. Voelker, and Stefan Savage Presenter: Martin Krogel.
Advanced Persistent Threats CS461/ECE422 Spring 2012.

Advanced Persistent Threats CS461/ECE422 Spring 2012.
TDL3 Rootkit A Sans NewsBite Analysis by Marshall Washburn.

TDL3 Rootkit A Sans NewsBite Analysis by Marshall Washburn.
Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.

Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms Zhichun Li 1, Lanjia Wang 2, Yan Chen 1 and Judy Fu 3 1 Lab.
Automated malware classification based on network behavior

Automated malware classification based on network behavior
Automatically Generating Models for Botnet Detection Peter Wurzinger, Leyla Bilge, Thorsten Holz, Jan Goebel, Christopher Kruegel, Engin Kirda Vienna University.

Automatically Generating Models for Botnet Detection Peter Wurzinger, Leyla Bilge, Thorsten Holz, Jan Goebel, Christopher Kruegel, Engin Kirda Vienna University.
Niels Provos and Panayiotis Mavrommatis Google Google Inc. Moheeb Abu Rajab and Fabian Monrose Johns Hopkins University 17 th USENIX Security Symposium.

Niels Provos and Panayiotis Mavrommatis Google Google Inc. Moheeb Abu Rajab and Fabian Monrose Johns Hopkins University 17 th USENIX Security Symposium.
BY ANDREA ALMEIDA T.E COMP DON BOSCO COLLEGE OF ENGINEERING.

BY ANDREA ALMEIDA T.E COMP DON BOSCO COLLEGE OF ENGINEERING.

Similar presentations

Ads by Google