Intrusion Detection and Malware AnalysisMalware collection

Pavel LaskovWilhelm Schickard Institute for Computer Science

Motivation for malware collection

Understanding vulnerabilities and attack techniquesDevelopment of protection and neutralization toolsUnderstanding the attacker communities and their “businessmodels”.

Malware collection tools

Honeypot: an isolated, unprotected and monitored system,containing seemingly valuable for attacker resources, aimedat collecting examples of malicious activity.Honeyclient: an automated client-side vulnerable systemexecuted in a controlled environment.Honeynet: a distributed collection of honeypots and emailfilters intended for a large-scale collection and observationofmalware

Honeypot taxonomy

Low-interaction: simple daemonssimulating network services; noexploitation.Medium-interaction: emulatedvulnerabilities for attracting andexecuting malware in a controlledenvironment.High-interaction: real systemscommunicating with malware in acontrolled environment.

Low-interaction honeypots

(+) Low security risks due to emulation(+) Simple installation and recovery(+) Suitable for analysis of automatic attacks(+) High scalability(−) Not suitable for detection of interactive attacks due to limited

emulated functionality(−) Hardly suitable for acquisition of malware binaries

High-interaction honeypots

(+) Suitable for detection and acquision of any malware kinds(−) Time and resource consuming installation and maintenance(−) High security risks: additional security mechanisms are

required(−) Virtualization can be detected by malware

Medium-interaction honeypots

(+) A relatively wide exploit coverage(+) Extensive monitoring and collection functionality(+) Full virtualization not necessary(+) Relative ease of deployment and maintenance(+) Low to moderate security risks (egress outbreak)(−) Manual emulation of vulnerabiliies still necessary(−) Detection of novel exploits not always reliable

A honeypot example: Nepenthes170 P. Baecher et al.

Fig. 1. Concept behind nepenthes platform

– Submission modules take care of the downloaded malware, e.g., by savingthe binary to a hard disc, storing it in a database, or sending it to anti-virusvendors.

– Logging modules log information about the emulation process and help ingetting an overview of patterns in the collected data.

In addition, several further components are important for the functionalityand efficiency of the nepenthes platform: shell emulation, a virtual filesystem foreach emulated shell, geolocation modules, sniffing modules to learn more aboutnew activity on specified ports, and asynchronous DNS resolution.

The schematic interaction between the different components is depicted inFigure 1 and we introduce the different building blocks in the next paragraphs.

Vulnerability modules are the main factor of the nepenthes platform. They en-able an effective mechanism to collect malware. The main idea behind these mod-ules is the following observation: in order to get infected by autonomous spreadingmalware, it is sufficient to only emulate the necessary parts of a vulnerable ser-vice. So instead of emulating thewhole service,we only need to emulate the relevantparts and thus are able to efficiently implement this emulation. Moreover, this con-cepts leads to a scalable architecture and the possibility of large-scale deploymentdue to only moderate requirements on processing resources and memory. Often theemulation can be very simple: we just need to provide some minimal information atcertain offsets in the network flow during the exploitation process. This is enoughto fool the autonomous spreading malware and make it believe that it can actu-ally exploit our honeypot. This is an example of the deception techniques used inhoneypot-based research. With the help of vulnerability modules we trigger an in-coming exploitation attempt and eventually we receive the actual payload, whichis then passed to the next type of modules.

Shellcode parsing modules analyze the received payload and extract automat-ically relevant information about the exploitation attempt. Currently, only one

Vulnerability modules: emulate vulnerable parts of networkservices.Shellcode parsers: analyse shellcode to locate its source.Fetch modules: download binaries from remote locations.Submission modules: store binaries in a specified location.

Nepenthes vulnerability modules

Poor man’s implementation of the original vulnerabilitySend N fixed strings, random junks, exploit “stages”Dismiss intermediate received stagesRecord final stage and use in payload

Example:

ConsumeLevel LSASSDialogue::incomingData(Message *msg) {

m_buffer->add(msg->getMsg(), msg->getSize());

char reply[512];

for (int32_t i = 0; i < 512; i++) {

reply[i] = rand() % 256;

}

}

Nepenthes shellcode analysis

Analyze the incoming payload and extract malware locationshellcode-signature module

Signature-controlled shellcode analyzerPerl-compatible RE patterns for commonly seen shellcodeIdentify parameters of shellcode (ports, URIs, . . .)

Shell emulator with arbitrary commands

Nepenthes download module

Download the actual malware from previously generatedURLSeveral modules for various protocol:

HTTP(S), (T)FTP, RCP, . . .“Proprietary” malware protocols:

CSend and CReceive from AgoBotLinkBind and LinkConnectback from linkbot

RFC-incompliant implementations of HTTP and FTP

Honeyclients

Objective: detection of attacks directed at client-sidesoftware, mostly web browsers:

browser exploits“drive-by downloads”typo-squatting

Applications:security analysis of web sitesfinding malicious content distribution sitesdetection of new browser exploitsmalware collection

Browser exploitation via redirection

Source: Yi-Min Wang, Microsoft Research

Honeyclient example: HoneyMonkey

A VM-based high interactionhoneyclient, running a vulnerablebrowser.Automatic detection of redirectionrelationships between contentdistribution sitesDetection of zero-day attacks

HoneyMonkey architecture

Stage 1: N URLs per VM,unpatched WinXP,

no redirection analysis

Stage 1: N URLs per VM,unpatched WinXP,

no redirection analysis

Stage 1: N URLs per VM,unpatched WinXP,

no redirection analysis

Stage 2: 1 URL per VM,unpatched WinXP SP2,

redirection analysis

Stage 3: 1 URL per VM,patched WinXP SP2,redirection analysis

“Interesting” URLs

Zero-day exploits

Exploit URLs

Exploit URL topologygraph

Analysis of exploitURL density

Access blocking

Vulnerability patching

HoneyMonkey deployment results

Results were obtained in May-June 2005 on a list of 16,190 URLswith known bad content (pornography, adware distribution, someshopping and freeware screensaver sites).

HoneyMonkey configuration Exploit num./freq.Stage 1, fully unpatched 207 (1.3%)Stage 2, fully unpatched (SP1) 688 (4.2%)Stage 2, fully unpatched (SP2) 204 (1.3%)Stage 3, SP2 partially patched 17 (0.1%)Stage 3, SP2 fully patched 0 (0%)

In July 2005, 27 URLs were discovered that distributed azero-day exploit.

From honeypots to honeynets

Goals:Wide coverage of up-to-date “malware landscape”Fast discovery new malware strains

Challenges:Maintenance: deployment by less qualified administratorsSecurity: avoid potential infection of host systemsAutomation: adjust to potentially unknown vulnerabilitiesScalability: infrastructure for storing massive amounts ofmalwareUtility: interface for analysis toolsStealth: should not be detectable by malware

Honeynet example: SGNET

Message extraction from TCP flowsGeneration and refinement of a finite state machine modelfor a communication protocol used by malwareGeneration of a honeyd-compatible script for implementationof a finite-state machine.Communication interface for interaction with the repositoryand analysis components.

Lessons learned

Malware collection is a crucial prerequisite for understandingnew malware threats and development of appropriateprotection tools.The main difficulty of malware collection lies in having to dealwith highly dynamic and heterogeneous exploitationtechniques.Special attention has to be paid to stealthy operation andsecurity features for malware collection.

Recommended reading

Paul Baecher, Markus Koetter, Thorsten Holz, Maximillian Dornseif, andFelix C. Freiling.The Nepenthes platform: An efficient approach to collect malware.In Recent Adances in Intrusion Detection (RAID), pages 165–184, 2006.

Corrado Leita, Marc Dacier, and Frédéric Massicotte.Automatic handling of protocol dependencies and reaction to 0-day attackswith ScriptGen based honeypots.In Recent Adances in Intrusion Detection (RAID), pages 185–205, 2006.

Niels Provos and Thorsten Holz.Virtual Honeypots: From Botnet Tracking to Intrusion Detection.Addison Wesley, 2007.

Yi-Ming Wang, Doug Beck, Xuxuan Jiang, and Roussi Roussev.Automated web patrol with Strider HoneyMonkeys: Finding web sites thatexploit browser vulnerabilities.In Proc. of Network and Distributed System Security Symposium (NDSS),2006.