
Malicious Software and its Underground Economy

Two Sides to Every Story

Botnets detection & Rootkits


Lorenzo Cavallaro
Information Security Group Royal Holloway, University of London

Jun 17, 2013, Week 1-5

(Week 1-5) Lorenzo Cavallaro (ISG@RHUL) Malware and its Underground Economy

Jun 17, 2013Week 1-5

1 / 32

BotMiner
Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection

A botnet is characterized by:
- C&C communication
- Malicious activities

Botnet structure:
- Centralized
- P2P


Assumptions

Bots within the same botnet are characterized by similar malicious activities and C&C communications


Architecture


C-Plane Monitor

The C-plane monitor captures network flows and records information on who is talking to whom. Each flow contains:
- Time, duration
- IP, port
- Number of packets
- Bytes transferred


A-Plane Monitor

The A-plane monitor logs information on who is doing what. It analyzes outbound traffic through the monitored network, detecting several malicious activities the internal hosts may perform.


C-Plane Clustering

Responsible for:
- Reading the logs generated by the C-plane monitor
- Finding clusters of machines that share similar communication patterns

Performs basic filtering, performs white listing, multi-step clustering.


A-Plane Clustering

Client list with malicious activity:
- Cluster according to activity type: scan, spam, DDoS, binary downloading, exploit downloading
- Cluster according to activity features


Cross-plane Correlation

The idea is to cross-check the clusters of the two planes to find intersections. A score s(h) is computed for each host h.



Experiments

BotMiner: clustering analysis of network traffic for protocol- and structure-independent botnet detection. Gu, Guofei and Perdisci, Roberto and Zhang, Junjie and Lee, Wenke. In Proceedings of the 17th conference on Security symposium, 2008.


Mining the Network Behavior of Bots

Previous Research: Horizontal Correlation

Pros:
- Not bound to a particular infection life-cycle
- Correlation between communication and activity traffic
- Content payload-oblivious

Cons:
- Cannot detect a single infection
- Requires the presence of noisy behavior to start the detection


Mining the Network Behavior of Bots

Previous Research: Vertical Correlation

Pros:
- Detects a single infection

Cons:
- Bound to a particular infection life-cycle
- C&C-structure dependent
- Content-based payload inspection
- Requires the presence of noisy behavior to start the detection


Mining the Network Behavior of Bots

High-level idea: analyze network traces of bots to highlight interesting behaviors.

What is an interesting behavior?
- C&C communication
- Information theft
- Egg download
- ...

Usually low-pace and stealthy activities: generally difficult to infer!



Inferring the Network Behavior of Bots

Simple observation:
- Network flows, not packets, describe processes' network behaviors
- Mining properties from heterogeneous flows can be hard
- Group similar flows together: similar flows should describe a similar network behavior
- It is easier to infer cluster-level properties
- Intra-cluster analysis to infer time-related properties
- Inter-cluster correlation analysis, when possible:
  - to optimize the results of the intra-cluster analysis
  - to discover interesting behaviors in the absence of time-related properties

Resulting properties:
- Network-based behavior models are automatically generated
- No payload content inspection, i.e., encryption-oblivious
- Individual infected host detection
- Not triggered by noisy behavior
- C&C-structure independent


The Framework

[Figure: pipeline of the framework. Malware network behavior monitoring produces flows f_i = <p_1, p_2, ..., p_n>; flow clustering groups them into clusters C_i = <f_1, f_2, ..., f_n>; cluster analysis mines the bots' network behavior (A_1, A_2, ..., A_n) on each trace; inter-cluster correlation analysis and optimization select the clusters C = {C_i} supported by the analyses A_i; the selected clusters become behavioral models, from which the network behavior detection models are generated.]

Network Flow Clustering

What is this about? Just grouping similar flows to point out cluster-level properties.
Average linkage hierarchical clustering algorithm over simple network features N:
- Data exchange (two-way)
- Destination IP (IP)
- Destination port (P)
- Number of packets per flow

Simple Euclidean-based distance, $d(\cdot, \cdot)$, over flows $F$:

$$d(a, b) = \sqrt{\frac{1}{|N|} \sum_{x, y \in N} \delta(x, y)^2}, \qquad a, b \in F$$

$$\delta(x, y) = \begin{cases} |x - y| & \text{if } x, y \in [0, 1] \\ 0 & \text{if } x, y \in \{IP, P\} \wedge x = y \\ 1 & \text{otherwise} \end{cases}$$
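An added example, not from the slides or the paper, that implements the distance d(a, b) defined above and a plain average-linkage agglomerative clustering over a handful of constructed flows. The per-feature max normalisation, the 0.45 cut threshold and the flow records are assumptions of this example.

```python
import math
from itertools import combinations

# Feature set N from the slide. Numeric features must lie in [0, 1]; IP and port are
# nominal and only compared for equality.
NUMERIC = ("bytes_out", "bytes_in", "packets")
NOMINAL = ("dst_ip", "dst_port")
N = NUMERIC + NOMINAL

# Constructed flow records (not real traffic): three small beacons to one host:port,
# two bulkier web transfers to another, and one DNS lookup.
FLOWS = [
    {"dst_ip": "203.0.113.10", "dst_port": 8080, "bytes_out": 512, "bytes_in": 128, "packets": 6},
    {"dst_ip": "203.0.113.10", "dst_port": 8080, "bytes_out": 520, "bytes_in": 130, "packets": 6},
    {"dst_ip": "203.0.113.10", "dst_port": 8080, "bytes_out": 508, "bytes_in": 126, "packets": 7},
    {"dst_ip": "198.51.100.5", "dst_port": 80, "bytes_out": 900, "bytes_in": 48000, "packets": 60},
    {"dst_ip": "198.51.100.5", "dst_port": 80, "bytes_out": 1200, "bytes_in": 120000, "packets": 140},
    {"dst_ip": "192.0.2.53", "dst_port": 53, "bytes_out": 64, "bytes_in": 128, "packets": 2},
]


def normalise(flows):
    """Scale every numeric feature into [0, 1] by its maximum over the trace.
    (Assumption of this example; the slide only requires values in [0, 1].)"""
    maxes = {k: max(f[k] for f in flows) or 1 for k in NUMERIC}
    return [{**f, **{k: f[k] / maxes[k] for k in NUMERIC}} for f in flows]


def delta(x, y, nominal):
    """Per-feature term of the slide: |x - y| on [0, 1] features, 0/1 on IP and port."""
    if nominal:
        return 0.0 if x == y else 1.0
    return abs(x - y)


def distance(a, b):
    """d(a, b): root of the mean squared per-feature delta over the |N| features."""
    total = sum(delta(a[k], b[k], k in NOMINAL) ** 2 for k in N)
    return math.sqrt(total / len(N))


def average_linkage(flows, cut):
    """Agglomerative clustering with average linkage: repeatedly merge the two clusters
    whose mean pairwise flow distance is smallest, stopping once that minimum exceeds
    the cut threshold. Returns clusters as sorted lists of flow indices."""
    norm = normalise(flows)
    dist = [[distance(a, b) for b in norm] for a in norm]
    clusters = [[i] for i in range(len(norm))]
    while len(clusters) > 1:
        best = None
        for i, j in combinations(range(len(clusters)), 2):
            pairs = [(p, q) for p in clusters[i] for q in clusters[j]]
            avg = sum(dist[p][q] for p, q in pairs) / len(pairs)
            if best is None or avg < best[0]:
                best = (avg, i, j)
        if best[0] > cut:
            break
        _, i, j = best
        clusters[i] = clusters[i] + clusters[j]
        del clusters[j]          # j > i, so index i stays valid
    return sorted(sorted(c) for c in clusters)


if __name__ == "__main__":
    for members in average_linkage(FLOWS, cut=0.45):
        print(members, [FLOWS[i]["dst_ip"] for i in members])
```

The three beacons collapse into one cluster, which is the unit the intra-cluster analysis on the following slides then examines for timing properties.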



Intra-cluster Analysis

Goal: to mine time-related characteristics among similar flows.
Flows F in a cluster c are ordered based on their timestamps. Differences, Δ, among the flows' timestamps are determined, and:
(a) the Kolmogorov-Smirnov test, K-S(Δ, X), holds:
    c is said to be periodic, with a periodicity that follows a sampling drawn from a known probability distribution X. In our experiments, X = U(Δ_min, Δ_max), where U(·, ·) is a uniform probability distribution defined between the min and max timestamp differences encountered.
(b) the Kolmogorov-Smirnov test, K-S(Δ, X), does not hold:
    F are created by following a different distribution, or F do not exhibit easy-to-mine time-related properties.
    Analyze multiple traces to find similar clusters.



Intra-cluster Analysis: Optimization

Performance constraint for online detection: the Kolmogorov-Smirnov test can be computationally intense.
We generally observe well-defined period(s), per cluster; often, just one period is observed (e.g., Torpig bots).
- The Δ of the flows F are then clustered, and similar Δ end up in the same cluster p
- The period t is then characterized by μ and σ over p

Generalization to a multi-granularity period analysis:
- Based on the concept of cluster density
- Never encountered in the examined real-world bots, so far
- Details in the paper
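An added example (not from the slides or the paper) of the intra-cluster analysis and its optimization: the flows of one cluster are ordered by time, the differences Δ are tested with a one-sample Kolmogorov-Smirnov test against X = U(Δmin, Δmax), and, when the test holds, the Δ are clustered and each period is described by μ and σ. The timestamps, the 5% asymptotic critical value and the gap-based Δ split rule are assumptions of this example.

```python
import math
import statistics
from itertools import accumulate

# Constructed timestamps (seconds) of one flow cluster: a bot that sleeps a random
# 55..65 s between C&C contacts. Second set: irregular gaps typical of a human-driven
# session. Both are made up for this example.
BEACON_GAPS = [55, 57, 58, 60, 61, 62, 63, 64, 65, 56, 59, 60]
BEACON_TS = list(accumulate(BEACON_GAPS, initial=1000.0))
BROWSING_GAPS = [1, 1, 2, 2, 3, 3, 4, 5, 8, 20, 90, 400]
BROWSING_TS = list(accumulate(BROWSING_GAPS, initial=1000.0))


def timestamp_gaps(timestamps):
    """Order the flows of a cluster by time and return the differences Δ."""
    ts = sorted(timestamps)
    return [b - a for a, b in zip(ts, ts[1:])]


def ks_uniform(deltas, alpha_crit=1.36):
    """One-sample Kolmogorov-Smirnov test of Δ against X = U(Δmin, Δmax).
    Returns (D, D_crit, holds); holds is True when X is not rejected. The critical
    value 1.36/sqrt(n) is the asymptotic 5% level (assumption of this example)."""
    n = len(deltas)
    lo, hi = min(deltas), max(deltas)
    if hi == lo:                       # constant period: trivially periodic
        return 0.0, 0.0, True
    d = 0.0
    for i, x in enumerate(sorted(deltas)):
        cdf = (x - lo) / (hi - lo)     # CDF of U(Δmin, Δmax) at x
        d = max(d, cdf - i / n, (i + 1) / n - cdf)
    crit = alpha_crit / math.sqrt(n)
    return d, crit, d <= crit


def period_clusters(deltas, tol):
    """Optimization from the slides: cluster the Δ values and describe each cluster p
    by (μ, σ, size). Splitting sorted Δ wherever neighbours differ by more than tol
    is a simplification assumed here, not the paper's density-based method."""
    groups, current = [], []
    for x in sorted(deltas):
        if current and x - current[-1] > tol:
            groups.append(current)
            current = []
        current.append(x)
    if current:
        groups.append(current)
    return [(statistics.mean(g), statistics.pstdev(g), len(g)) for g in groups]


def analyse_cluster(timestamps, tol=5.0):
    """Intra-cluster analysis: K-S verdict plus the (μ, σ) period description."""
    gaps = timestamp_gaps(timestamps)
    d, crit, holds = ks_uniform(gaps)
    return {"periodic": holds, "D": d, "D_crit": crit,
            "periods": period_clusters(gaps, tol) if holds else []}


if __name__ == "__main__":
    print(analyse_cluster(BEACON_TS))     # periodic, one period around 60 s
    print(analyse_cluster(BROWSING_TS))   # K-S rejects U(Δmin, Δmax): not periodic
```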


Inter-trace Cluster Correlation

Goal: to provide strong evidence of the importance of a cluster.
The previous analysis is run on different traces T_i of bot samples B_i. Clusters in T_i are compressed: feature values are the mean, μ_c, and standard deviation, σ_c, over all the flows in a cluster.
Similar clusters in the majority of runs i are selected, based on:
- Network similarity among any two clusters c and c'
- Time-related similarity among any two clusters c and c':
  - Well-defined periods: μ_c ∈ [μ_c' − σ_c', μ_c' + σ_c'] and μ_c' ∈ [μ_c − σ_c, μ_c + σ_c]
  - Periods that follow a generic distribution: K-S(c, c')

Basically, an output voting-based schema.



Behavior Detection

Network behavior detection model generation: automatic generation of detection models as Bro NIDS policy. A bot's behavior detection consists in the verification of:
- Flow-cluster membership
- Flow(s)-cluster time-related properties

A set of flows F_H emitted by a host H matches a cluster c if flow membership and the timing properties of c can be verified.

A single match does not trigger an alarm: we allow spurious flows to match (to limit false positives). Alarms are raised when c is matched k = min(0.5 · |c|, F_day) times.


Evaluation

Goal: to show that the models detect bots with very low false positives.

Network        Swiss ISP        Greek University
Trace          77.96 TB         835.78 TB
# Conns        541,466,576      5,259,757,228
Days           2                62
IP Space       786,420          4,096
IPs Flagged    8                6
Alerts         8                42
Alerts/Day     4.00             0.67

HTTP-, IRC-, and P2P-based bot samples.


Evaluation
Model Generalization: how much can our detection models generalize?

[Figure: "Models Coverage", % coverage (0 to 1) against the training set size (30% to 80% of total models)]

Training set: randomly-selected models out of 308 IRC-based ones, with different percentages, i.e., from 30% to 80%.
Models generalize half of the time (ten-fold cross validation).



Mining the Network Behavior of Bots. Lorenzo Cavallaro, Christopher Kruegel, and Giovanni Vigna. Technical Report 2009-12, Department of Computer Science, University of California, Santa Barbara (UCSB), 2009.

Rootkits
(Hide your Malware)

Rootkits
A rootkit is a tool used to hide, from the system administrator, the presence of malware on the system.

What to hide:
- Files
- Registry keys
- Services
- Network connections
- Processes
- ...

[Figure: user-space vs kernel-space: applications run in user mode; the kernel and drivers run in kernel mode]

Root-kit: hooking

Hijack the flow of execution by modifying a code pointer. Examples:
- User-space: IAT
- Kernel-space: IDT, MSR, SSDT


Root-kit: IDT hooking

Interrupt Descriptor Table: interrupts and exceptions dispatching. Hijacking of 1+ handlers (e.g., 0x2e KiSystemService).

[Figure: applications in user space raise software interrupts/exceptions; the IDT entry &handler_i dispatches them to the kernel-space handler]


[Figure (hooked): the IDT entry now holds &handler_m, so the interrupt is dispatched to the malicious handler instead of the original one]


Problems:
- It is not possible to do filtering
- System calls cannot be intercepted if sysenter/syscall are used
- Easy to detect: if (IDT[0x2e] != KiSystemService) then ...


Root-kit: SSDT hooking

System Service Descriptor Table: system calls dispatching. Hijacking of 1+ descriptors (e.g., 0x74 NtOpenFile).

[Figure: applications in user space enter the kernel via int/sysenter/syscall; the syscall gate looks up the SSDT entry &handler_i and dispatches to the handler]


[Figure (hooked): the SSDT entry now holds &handler_m, so the syscall gate dispatches to the malicious handler instead of the original one]


Problems:
- Easy to detect: if (SSDT[0x74] != NtOpenFile) then ...


Root-kit: run-time patching

It is possible to intercept the execution in multiple points. More difficult to detect (no common hooking point).

Original user-mode stub (AT&T syntax):

    ...
    NtOpenFile:
        movl  $0x74, %eax          # system call number of NtOpenFile
        movl  $0x7ffe0300, %edx    # pointer to the system call stub in the shared user data page
        nop
        call  *%edx
        ret   $0x18
    ...


After patching, the six bytes of "movl $0x7ffe0300, %edx; nop" are overwritten with a push/ret pair that diverts execution to the malicious handler, which then re-executes the displaced instructions and returns to the original code:

    ...
    NtOpenFile:
        movl  $0x74, %eax
        pushl $MaliciousHandler    # replaces "movl $0x7ffe0300, %edx; nop"
        ret                        # jumps to MaliciousHandler
        call  *%edx                # addr: execution resumes here
        ret   $0x18
    ...

    MaliciousHandler:
        ...
        movl  $0x7ffe0300, %edx    # displaced instructions, re-executed
        nop
        pushl $addr                # address of the "call *%edx" above
        ret


Root-kit: Direct Kernel Object Manipulation (DKOM)

In-memory alteration of a kernel structure; no hook or patch necessary.

[Figure: the doubly-linked list of EPROCESS objects: csrss.exe <-> malware.exe <-> svchost.exe]

[Figure: after unlinking, csrss.exe <-> svchost.exe; the malware.exe EPROCESS object is still in memory but no longer on the list]

malware.exe disappears from the list of running processes, yet its threads are still scheduled: scheduling is thread-based.
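An added example (not from the slides) that models the unlinking above on a toy EPROCESS list and detects it by cross-view comparison: because scheduling is thread-based, the hidden process still owns scheduled threads, so a thread-side enumeration disagrees with the walk of the process list. The class layout, process names and thread ids are constructed for this example.

```python
class EProcess:
    """Toy model of the kernel EPROCESS object from the slide: a name plus the
    ActiveProcessLinks forward/backward pointers of a circular doubly-linked list."""
    def __init__(self, name):
        self.name = name
        self.flink = self
        self.blink = self


class KThread:
    """Toy model of a scheduled thread; the scheduler reaches the owning process
    through the thread, not through the process list."""
    def __init__(self, tid, owner):
        self.tid = tid
        self.owner = owner


def insert_tail(head, proc):
    """Append proc before the list head (standard circular-list insertion)."""
    last = head.blink
    proc.flink, proc.blink = head, last
    last.flink = proc
    head.blink = proc


def dkom_unlink(proc):
    """The in-memory alteration the slide describes: the neighbours are pointed at
    each other, so a walk of ActiveProcessLinks no longer visits proc. The object
    itself, and the threads that reference it, are untouched."""
    proc.blink.flink = proc.flink
    proc.flink.blink = proc.blink
    proc.flink = proc.blink = proc      # keep the orphaned node self-consistent


def walk_active_list(head):
    """What a list-walking API sees: every EPROCESS reachable from head via flink."""
    names, node = [], head.flink
    while node is not head:
        names.append(node.name)
        node = node.flink
    return names


def processes_from_threads(threads):
    """Cross view: the set of processes that own a scheduled thread."""
    return sorted({t.owner.name for t in threads})


def hidden_processes(head, threads):
    """Processes that own running threads but are absent from ActiveProcessLinks."""
    listed = set(walk_active_list(head))
    return [n for n in processes_from_threads(threads) if n not in listed]


def demo():
    """Build the list from the slide, hide malware.exe, and run the cross-view check."""
    head = EProcess("<list head>")
    procs = {n: EProcess(n) for n in ("csrss.exe", "malware.exe", "svchost.exe")}
    for p in procs.values():
        insert_tail(head, p)
    threads = [KThread(4, procs["csrss.exe"]),
               KThread(8, procs["malware.exe"]),
               KThread(12, procs["svchost.exe"])]
    before = walk_active_list(head)
    dkom_unlink(procs["malware.exe"])
    after = walk_active_list(head)
    return before, after, hidden_processes(head, threads)


if __name__ == "__main__":
    before, after, hidden = demo()
    print("list walk before:", before)
    print("list walk after: ", after)
    print("hidden (thread view minus list view):", hidden)
```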


[Figure: the doubly-linked list of MODULE_ENTRY objects: ntfs.sys <-> malware.sys <-> pci.sys]

    C:\WINDOWS> drivers.exe
    ModuleName    Code    Data   Bss   Paged    Init   LinkDate
    ...
    ntfs.sys      96000   7040   0     412544   14080  Wed Aug 04 08:15:06 2004
    malware.sys   3903    0      0     0        0      Sat Mar 13 02:22:32 2010
    pci.sys       16000   1664   0     34176    5632   Wed Aug 04 08:07:45 2004
    ...


[Figure: after unlinking, ntfs.sys <-> pci.sys; malware.sys is no longer on the MODULE_ENTRY list]

    C:\WINDOWS> drivers.exe
    ModuleName    Code    Data   Bss   Paged    Init   LinkDate
    ...
    ntfs.sys      96000   7040   0     412544   14080  Wed Aug 04 08:15:06 2004
    pci.sys       16000   1664   0     34176    5632   Wed Aug 04 08:07:45 2004
    ...


Recommended Readings I

[1] M. Antonakakis, R. Perdisci, Y. Nadji, N. Vasiloglou, S. Abu-Nimeh, W. Lee, and D. Dagon. From throw-away traffic to bots: detecting the rise of DGA-based malware. In Proceedings of the 21st USENIX conference on Security symposium, Security'12, pages 24–24, Berkeley, CA, USA, 2012. USENIX Association.
[2] L. Cavallaro, C. Kruegel, and G. Vigna. Mining the network behavior of bots. Technical Report 2009-12, Department of Computer Science, University of California at Santa Barbara (UCSB), CA, USA, July 2009.
[3] G. Gu, R. Perdisci, J. Zhang, and W. Lee. BotMiner: clustering analysis of network traffic for protocol- and structure-independent botnet detection. In Proceedings of the 17th conference on Security symposium, SS'08, pages 139–154, Berkeley, CA, USA, 2008. USENIX Association.
[4] R. Perdisci, W. Lee, and N. Feamster. Behavioral clustering of HTTP-based malware and signature generation using malicious network traces. In Proceedings of the 7th USENIX conference on Networked systems design and implementation, NSDI'10, pages 26–26, Berkeley, CA, USA, 2010. USENIX Association.


Suggested Readings I

M. Cova, C. Kruegel, and G. Vigna. Detection and Analysis of Drive-by-Download Attacks and Malicious JavaScript Code. In Proceedings of the World Wide Web Conference (WWW), 2010.
A. Lanzi, M. I. Sharif, and W. Lee. K-Tracer: A system for extracting kernel malware behavior. In NDSS, 2009.
E. Passerini, R. Paleari, L. Martignoni, and D. Bruschi. FluXOR: Detecting and monitoring fast-flux service networks. In Proceedings of the 5th international conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA '08, pages 186–206, Berlin, Heidelberg, 2008. Springer-Verlag.
B. Stone-Gross, M. Cova, L. Cavallaro, B. Gilbert, M. Szydlowski, R. Kemmerer, C. Kruegel, and G. Vigna. Your botnet is my botnet: analysis of a botnet takeover. In Proceedings of the 16th ACM conference on Computer and communications security, CCS '09, pages 635–647, New York, NY, USA, 2009. ACM.


Suggested Readings II

L. Bilge, E. Kirda, C. Kruegel, and M. Balduzzi. EXPOSURE: Finding malicious domains using passive DNS analysis. In NDSS, 2011.
A. Nappa, A. Fattori, M. Balduzzi, M. Dell'Amico, and L. Cavallaro. Take a Deep Breath: a Stealthy, Resilient and Cost-Effective Botnet Using Skype. In GI SIG SIDAR Conference on Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA), July 2010.
T. Holz, M. Steiner, F. Dahl, E. Biersack, and F. Freiling. Measurements and mitigation of peer-to-peer-based botnets: a case study on Storm Worm. In Proceedings of the 1st USENIX Workshop on Large-Scale Exploits and Emergent Threats, LEET'08, pages 9:1–9:9, Berkeley, CA, USA, 2008. USENIX Association.
