    A Look at Current Malware Problems and Their Solutions.ppt


Slide 1: A Look at Current Malware Problems and Their Solutions
Tzi-cker Chiueh

Slide 2: The Malware Problem
• Malware: any program that enters a user machine with malicious intentions, e.g. to compromise, hijack or steal
• The malware problem: how to detect them AND remove them after the fact if necessary
• Malware detection:
  • Network-based
  • Host-based: Symantec is here
• Remediation is a less explored area, but is increasingly more important
  • Being able to detect that a malware program exists on a machine but not being able to remove it cleanly is not good enough
• Data-only attack: phishing

Slide 3: How do they get in?
• Exploiting bugs in software applications, e.g. a buffer overflow vulnerability
• Enticing a user to load and/or install an executable via social engineering, e.g. "password cracking software for porn sites"
• Embedding code within legitimate data, e.g. including an IFrame in a legitimate web page that points to a malicious JavaScript script
• Bottom line: as soon as a new way of introducing code into a system is discovered, the hacker will exploit it

Slide 4: Vulnerability-Based Attack
• Mostly exploit memory bugs/errors in vulnerable programs
  • Buffer overflow: access A[23] when A has only twenty elements
  • Integer overflow: assign a negative number to an unsigned integer
  • Input argument list overflow: access the fifth argument of a call to printf() with three arguments, e.g. printf("The answer of Question %d is %d\n", ID, answer)
• Types of exploits:
  • Code injection
  • Return to libc
  • Data attack

Slide 5: Three-Step Recipe
• Overflow some data structure in the victim program, e.g. the stack (analogy: sneak a weapon into an airplane)
• Hijack the control of the victim program, e.g. injected code gets executed (analogy: take control of the cockpit)
• Perform damaging actions through system calls, e.g. create a remote shell (analogy: use the hijacked airplane as a weapon)

Slide 6: Defenses
• Stopping any of the three steps will do
• Preventing overflow through run-time checks
  • Bounds checking, e.g. CASH
  • Integer overflow prevention, e.g. RICH
  • Format string attack prevention, e.g. Lisbon
• Preventing unauthorized control flow transfer
  • Randomization of address space layout or instruction set
  • Control flow integrity check
• Preventing illegitimate system calls
  • Checking the order, sites, and arguments of every system call, e.g. PAID, which automatically derives a program-specific sandboxing policy

Slide 7: Graceful Post-Detection Recovery
• Detecting attacks is not enough: in many cases terminating the victimized process is not an acceptable option
  • Example: Outlook keeps crashing when an incoming email exploits a buffer overflow vulnerability in it
• Challenge: upon detecting an attack, how to automatically clean up the side effects left by the attack, resume the application, and possibly bypass the attack input next time
• Idea: identify a place in the victim program that is ready to handle an error condition and clean up, e.g. a call site to a COM function
  • Automatically locate such places for each vulnerability exploited

Slide 8: Current Consensus
• In practice, the vulnerability-based attack problem is largely contained
  • Non-executable bit (NX) and address space layout randomization (ASLR) can catch most of the low-hanging fruits
    • Do not handle return-to-libc and data attacks
  • System call pattern monitoring (such as PAID) provides a last line of defense
• Research focus shifts to
  • Automated attack signature generation
  • Automated patch generation

Slide 9: Malicious Binary Download/Install
• Almost always requires user action:
  • Executable (adware, spyware, Trojan horse)
  • Browser helper object (BHO)
  • ActiveX control
• Still, many users are susceptible to such social engineering attacks: the bug is in a human's brain
• Ideal solution: when a piece of executable binary is downloaded, check if it is malicious

Slide 10: Blacklisting Approach to Malware Detection
• Signature-based scanning: hash value or byte string
  • Still the dominant approach used in the AV industry, because of its low false positive rate (0.1%)
  • Is running out of steam because of the packer problem: decoupling of malware creation and obfuscation
  • Signature explosion creates a performance overhead and bandwidth cost problem
• Behavior-based detection
  • API or system call sequence, e.g. open() read() write()
  • High-level behavior, e.g. "copy itself to everyone in address book"
  • Combination of behaviors: FP rate is a main concern

Slide 11: Whitelisting Approach to Malware Detection
• Trend: malware is increasingly customized and targeted
  • Financial gain consideration encourages keeping a low profile
  • The number of malware may be greater than that of goodware
• Idea: only binaries in the goodware list are allowed to run
  • Useful for enterprise and maybe even some consumer machines
• Challenges:
  • How to create a reasonably complete goodware database?
  • How to evolve the goodware list with new versions and updates without human intervention?

Slide 12: Remediation
• Being able to detect a malware program is only half of the solution if it still persists on the victim machine
• Signature-based remediation does not work very well
• Need a generic solution that can capture all the side effects of a malware program and undo them. This is non-trivial because of
  • System/application state modifications through special API calls
  • Lost update problem: A B C

Slide 13: Non-Process Threat (NPT)
• Threat model: the attacker injects a malicious DLL into a legitimate process, which is convicted by the malware detection system because of the network packets it sends
• Problem: how to identify the DLL(s) that are in the function call chain of a hijacked process when its outgoing malicious network traffic is detected
• Log the control transfers among DLLs: enter DLL1, enter DLL2, exit DLL2, enter DLL3, enter DLL4, exit DLL4, detected
  • Control DLLs: DLL1, DLL3

Slide 14: Culprit DLL Identification
• Problem statement: given an arbitrary DLL that is to be inserted into an arbitrary process, identify all interactions between the DLL and the main program
  • Calls to and returns from exported functions in the DLL
  • Calls to and returns from non-exported internal functions in the DLL
  • Direct accesses to the DLL's internal data structures
  • Calls from the DLL to functions in the main program and their returns
  • Accesses from the DLL to data structures in the main program

Slide 15: Browser-based Attack
• The web browser is the most popular application users use to interact with the Internet
  • Complicated (and buggy) piece of software
  • Designed to handle a wide variety of input formats, e.g. HTML, XML, JavaScript, VBScript, etc.
• Increasingly becomes a major target of attacks
  • Machine compromise
  • Identity/credential theft

Slide 16: Classification
• Rogue browser helper object (BHO) or extensions: a form of binary malware
• Use browser inputs such as JavaScript scripts, ActiveX controls, malformed HTML or VML contents to hijack the control of or crash a hosting web browser
  • Example: MOBB, VML numcolors heap overflow, HTML Layout and Positioning buffer overflow
• Web 2.0 attack: leverage Ajax technology to turn a hosting web browser into a zombie attack source against other machines
  • Drive-by pharming, click fraud, Ajax worms

Slide 17: Web 2.0 Attack
• Downloaded JavaScript scripts that attack other machines rather than the host machine
• Cross-site scripting (XSS):
  • Reflective: A sends V an email with an incorrect URL destined for T, and T returns an error message to V
  • Persistent: A posts something to X's profile in Myspace and V views X's profile
• Cross-site request forging (CSRF): when a victim user V logs into a site S, a malicious injected script performs operations against S on behalf of V, e.g. changing your Gmail account's forwarding address or issuing a stock trade

Slide 18: Defense Strategy
• Fundamental question: how can one determine if a piece of script code is doing such bad things as
  • Port/vulnerability scanning
  • Carrying out E-transactions using stolen cookies
  • Propagating malicious scripts through social network sites (e.g. Myspace worm)
• Hints:
  • Attempts to circumvent the Same Origin policy: DNS pharming, Google Translate gateway
  • Does not interact with the user

Slide 19: Counter Measures
• Ensuring a web site never sends out unauthorized scripts as part of its response to an end user: WASC system
• Ensuring a web browser only executes scripts authorized by a web site: need a new standard
• Preventing a script from knowing the URLs associated with sensitive Web services: randomize the URLs of sensitive web services
• Preventing DNS poisoning by pinning down DNS map entries within a user session

Slide 20: New Security Features in IE 8.0
• Turns on NX and ASLR by default for both the browser core and extensions
• Supports per-site access control to ActiveX controls
• Renders each tab using a separate process
• Does NOT solve the Web 2.0 attack problem

Slide 21: General Lessons
• Bad guys are not that good
  • Many low-hanging-fruit research projects are available
  • Good enough solutions usually do the job
• Robustness of security solutions is very important in commercial products: no crash, no DoS, and no (noticeable) slow-down
• How to turn out research with real-world impact
  • Test your techniques on the Windows platform
  • Reduce the false positive rate to close to zero
  • Keep performance overhead under 5-10%
  • Pay extra attention to the trade-off between solution completeness and technology deployability

Slide 22: Thank You!
Tzi-cker Chiueh, Tzi-cker_

© 2007 Symantec Corporation. All rights reserved. THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY AND IS NOT INTENDED AS ADVERTISING. ALL WARRANTIES RELATING TO THE INFORMATION IN THIS DOCUMENT, EITHER EXPRESS OR IMPLIED, ARE DISCLAIMED TO THE MAXIMUM EXTENT ALLOWED BY LAW. THE INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE.
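Slide 6 lists system call pattern monitoring (PAID) as the defense that checks the order, call sites and arguments of every system call, and slide 8 calls it the last line of defense behind NX and ASLR. The following added example, which is not code from the talk or from PAID, shows the shape of such a monitor on constructed data: a program-specific policy is derived from benign runs of a hypothetical mail client (PAID derives it from the binary itself; the traces here stand in for that analysis), and a checker reports the first call that breaks the expected order, comes from an unknown call site, or carries an argument outside the expected prefix. All syscall names, call-site addresses and paths are constructed.

```python
"""System-call pattern monitoring in the spirit of PAID (slides 6 and 8).
Added illustration, not the talk's or PAID's code; benign traces stand in
for PAID's static derivation of the policy, and all sites, paths and traces
are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Syscall:
    name: str       # system call name
    site: int       # call-site identifier, e.g. the return address (constructed)
    arg: str = ""   # path or command argument where the call takes one


@dataclass
class Policy:
    transitions: Set[Tuple[str, str]]  # allowed (previous call, next call) pairs
    sites: Dict[str, Set[int]]         # call sites each syscall may be issued from
    prefixes: Dict[str, Set[str]]      # permitted argument prefixes, per syscall


def _prefix(path: str) -> str:
    """Generalise a path argument to its directory so that sibling files match."""
    return path.rsplit("/", 1)[0] + "/" if "/" in path else path


def derive_policy(benign_traces: List[List[Syscall]]) -> Policy:
    """Build the order/site/argument model from benign runs of the program."""
    policy = Policy(set(), {}, {})
    for trace in benign_traces:
        prev = "START"
        for call in trace:
            policy.transitions.add((prev, call.name))
            policy.sites.setdefault(call.name, set()).add(call.site)
            if call.arg:
                policy.prefixes.setdefault(call.name, set()).add(_prefix(call.arg))
            prev = call.name
    return policy


def check_trace(policy: Policy, trace: List[Syscall]) -> Optional[str]:
    """Return None when the trace conforms to the policy, otherwise a
    description of the first violation (order, site or argument)."""
    prev = "START"
    for i, call in enumerate(trace):
        if (prev, call.name) not in policy.transitions:
            return f"#{i}: unexpected order {prev} -> {call.name}"
        if call.site not in policy.sites.get(call.name, set()):
            return f"#{i}: {call.name} from unknown call site {call.site:#x}"
        allowed = policy.prefixes.get(call.name, set())
        if call.arg and not any(call.arg.startswith(p) for p in allowed):
            return f"#{i}: {call.name} with unexpected argument {call.arg!r}"
        prev = call.name
    return None


# Constructed benign runs of a hypothetical mail client.
BENIGN = [
    [Syscall("open", 0x401000, "/home/user/mail/inbox"), Syscall("read", 0x401020),
     Syscall("write", 0x401040), Syscall("exit", 0x401060)],
    [Syscall("open", 0x401000, "/home/user/mail/sent"), Syscall("read", 0x401020),
     Syscall("read", 0x401020), Syscall("exit", 0x401060)],
]
POLICY = derive_policy(BENIGN)

# Constructed traces matching the three exploit types named on slide 4.
INJECTED_CODE = [Syscall("open", 0x401000, "/home/user/mail/inbox"), Syscall("read", 0x401020),
                 Syscall("execve", 0x7ffe0000, "/bin/sh")]           # new call, issued from the stack
RETURN_TO_LIBC = [Syscall("open", 0x7f001000, "/home/user/mail/inbox")]  # known call, foreign call site
DATA_ATTACK = [Syscall("open", 0x401000, "/etc/passwd")]                 # right call and site, wrong data

if __name__ == "__main__":
    for label, trace in [("benign", BENIGN[0]), ("injected code", INJECTED_CODE),
                         ("return-to-libc", RETURN_TO_LIBC), ("data attack", DATA_ATTACK)]:
        print(f"{label:15s}: {check_trace(POLICY, trace) or 'conforms'}")
```

The three checks correspond to the three things the slide says PAID verifies; the argument check is what lets the monitor catch a data attack that never diverts control flow, which NX and ASLR alone cannot see.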
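Slides 10 and 11 contrast hash and byte-string signatures (defeated by the packer problem), behavior-based detection (survives repacking but carries false-positive risk) and whitelisting (only goodware may run, but the list must evolve with every update). The added example below, not code from the talk or from any product, puts all four checks side by side on constructed byte strings: a toy XOR transform stands in for a packer, and the API traces that the behavior rule matches are constructed.

```python
"""Blacklisting versus whitelisting (slides 10 and 11) on constructed samples.
Added illustration, not code from the talk or from any product: the
'binaries' are byte strings, the packer is a toy XOR transform standing in
for real obfuscation, and the behaviour traces are constructed."""
import hashlib
from typing import Dict, Optional, Sequence, Set

# --- constructed samples --------------------------------------------------
GOOD_EDITOR_V1 = b"MZ\x90\x00editor-v1.0 text editing code"
GOOD_EDITOR_V2 = b"MZ\x90\x00editor-v1.1 text editing code plus spell checker"
WORM = b"MZ\x90\x00stub: enumerate address book; mail copy of self"


def toy_pack(binary: bytes, key: int = 0x5A) -> bytes:
    """Stand-in for a packer: the same program body stored obfuscated behind a
    new unpacking stub, so every byte that a file scanner sees differs."""
    return b"MZ\x90\x00unpack-stub" + bytes(b ^ key for b in binary)


WORM_REPACKED = toy_pack(WORM)

# Both worm variants behave identically once running (constructed API traces).
WORM_TRACE = ["FindFirstFile", "ReadAddressBook", "CopyFile(self)", "SendMail", "SendMail"]
EDITOR_TRACE = ["CreateFile", "ReadFile", "WriteFile", "CloseHandle"]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- blacklisting: hash and byte-string signatures ------------------------
def hash_blacklisted(binary: bytes, bad_hashes: Set[str]) -> bool:
    return sha256(binary) in bad_hashes


def byte_signature_hit(binary: bytes, signatures: Sequence[bytes]) -> Optional[bytes]:
    """First byte-string signature found anywhere in the file, if any."""
    return next((sig for sig in signatures if sig in binary), None)


# --- blacklisting: behaviour-based ----------------------------------------
def contains_in_order(trace: Sequence[str], pattern: Sequence[str]) -> bool:
    """True if every event of `pattern` occurs in `trace` in that order;
    unrelated events may be interleaved."""
    it = iter(trace)
    return all(any(ev == want for ev in it) for want in pattern)


def behaviour_hit(trace: Sequence[str], rules: Dict[str, Sequence[str]]) -> Optional[str]:
    """Name of the first behaviour rule the trace satisfies, if any."""
    return next((name for name, pat in rules.items() if contains_in_order(trace, pat)), None)


# --- whitelisting ---------------------------------------------------------
def allowed_to_run(binary: bytes, goodware: Set[str]) -> bool:
    """Only binaries whose hash is on the goodware list may execute."""
    return sha256(binary) in goodware


BAD_HASHES = {sha256(WORM)}
BYTE_SIGNATURES = [b"enumerate address book; mail copy of self"]
BEHAVIOUR_RULES = {"mass-mailer": ["ReadAddressBook", "CopyFile(self)", "SendMail"]}
GOODWARE = {sha256(GOOD_EDITOR_V1)}   # v1 was vetted; the v1.1 update was not


def scan(binary: bytes, trace: Sequence[str]) -> Dict[str, object]:
    """Run all four checks on one sample and report each verdict."""
    return {
        "hash_blacklist": hash_blacklisted(binary, BAD_HASHES),
        "byte_signature": byte_signature_hit(binary, BYTE_SIGNATURES) is not None,
        "behaviour": behaviour_hit(trace, BEHAVIOUR_RULES),
        "whitelisted": allowed_to_run(binary, GOODWARE),
    }


if __name__ == "__main__":
    for label, sample, trace in [("worm", WORM, WORM_TRACE),
                                 ("worm, repacked", WORM_REPACKED, WORM_TRACE),
                                 ("editor v1", GOOD_EDITOR_V1, EDITOR_TRACE),
                                 ("editor v2", GOOD_EDITOR_V2, EDITOR_TRACE)]:
        print(f"{label:15s} {scan(sample, trace)}")
```

Running it shows the two failure modes the slides describe: the repacked worm escapes both file signatures while its behaviour still matches, and the whitelist blocks the worm outright but also blocks the editor's own update until the goodware list is refreshed.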
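Slide 13 sketches the non-process threat: a DLL injected into a legitimate process is found only when the process's outgoing traffic is convicted, and the control-transfer log (enter DLL1, enter DLL2, exit DLL2, enter DLL3, enter DLL4, exit DLL4, detected) is replayed to find which DLLs were on the call chain at that moment. The added example below, not code from the talk, replays such a log with a stack; the log line format, the trusted-module filter (so the main program and known system DLLs can be excluded) and the second sample log are constructed, while the first sample log is the sequence from the slide.

```python
"""Culprit DLL identification from a control-transfer log (slides 13 and 14).
Added illustration, not the talk's code: the log format ('enter X' / 'exit X'
/ 'detected'), the trusted-module filter and the second sample log are
constructed; the first sample log is the sequence given on slide 13."""
from typing import FrozenSet, List


class LogError(ValueError):
    """The log is not a well-nested sequence of enter/exit events."""


def active_chain(log_lines: List[str]) -> List[str]:
    """Replay enter/exit transfers on a stack and return the modules that are
    still on the call chain when the detector fires, outermost first."""
    stack: List[str] = []
    for lineno, raw in enumerate(log_lines, 1):
        parts = raw.split()
        if not parts:
            continue                                   # blank line
        event = parts[0].lower()
        name = parts[1] if len(parts) > 1 else ""
        if event == "enter" and name:
            stack.append(name)
        elif event == "exit" and name:
            top = stack[-1] if stack else None
            if top != name:                            # exit must match the innermost enter
                raise LogError(f"line {lineno}: exit {name} does not match innermost module {top}")
            stack.pop()
        elif event == "detected":
            return list(stack)                         # snapshot at detection time
        else:
            raise LogError(f"line {lineno}: unrecognised event {raw!r}")
    raise LogError("log ended without a detection event")


def culprits(log_lines: List[str], trusted: FrozenSet[str] = frozenset()) -> List[str]:
    """Modules on the chain at detection, minus those the analyst trusts
    (e.g. the main program and well-known system DLLs)."""
    return [m for m in active_chain(log_lines) if m not in trusted]


def is_well_nested(log_lines: List[str]) -> bool:
    """True if the log replays without a mismatched or missing event."""
    try:
        active_chain(log_lines)
        return True
    except LogError:
        return False


# The slide's own sequence, and a constructed log for an injected DLL.
SLIDE_LOG = ["enter DLL1", "enter DLL2", "exit DLL2", "enter DLL3",
             "enter DLL4", "exit DLL4", "detected"]
INJECTED_LOG = ["enter main", "enter user32.dll", "exit user32.dll",
                "enter injected.dll", "enter ws2_32.dll", "detected"]

if __name__ == "__main__":
    print("slide 13 chain :", active_chain(SLIDE_LOG))
    print("injected chain :", active_chain(INJECTED_LOG))
    print("culprits       :", culprits(INJECTED_LOG, frozenset({"main", "ws2_32.dll"})))
```

DLL2 and DLL4 had already returned when the detection fired, so only DLL1 and DLL3 remain on the stack, which is the answer the slide gives. In the second log the socket library is on the chain because the injected DLL called into it to send the packets; filtering trusted system modules leaves the injected module as the candidate, which is where the interaction analysis of slide 14 would start.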
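Two of the counter measures on slide 19 can be shown concretely: randomizing the URLs of sensitive web services so that an injected script cannot address them by a fixed path, and pinning DNS map entries for the duration of a user session so that a later poisoned answer cannot redirect the session. The added example below is not code from the talk; the service names, session identifiers, hostnames and addresses are constructed, and the pinning is modelled as a per-session cache in front of a resolver function.

```python
"""Randomised service URLs and per-session DNS pinning (slide 19).
Added illustration, not the talk's code; service names, session ids,
hostnames and addresses are constructed."""
import secrets
from typing import Callable, Dict, Optional, Tuple


class RandomizedServiceMap:
    """Maps (session, unguessable path) -> sensitive service name.

    The legitimate page receives its session's paths and uses them in its
    own links and forms; a script that only knows the canonical service
    name, or a path issued to a different session, resolves to nothing."""

    def __init__(self, services: Tuple[str, ...]) -> None:
        self._services = services
        self._paths: Dict[Tuple[str, str], str] = {}

    def issue(self, session_id: str) -> Dict[str, str]:
        """Create fresh random paths for one session and return service -> path."""
        mapping: Dict[str, str] = {}
        for svc in self._services:
            path = f"/s/{secrets.token_urlsafe(16)}"   # 128 bits of randomness
            self._paths[(session_id, path)] = svc
            mapping[svc] = path
        return mapping

    def resolve(self, session_id: str, path: str) -> Optional[str]:
        """Service behind `path` for this session, or None."""
        return self._paths.get((session_id, path))


class DnsPinner:
    """Per-session DNS cache: the first answer for a hostname is kept for the
    rest of the session, so a later poisoned or rebound answer is ignored."""

    def __init__(self, resolver: Callable[[str], str]) -> None:
        self._resolver = resolver
        self._pins: Dict[Tuple[str, str], str] = {}

    def lookup(self, session_id: str, host: str) -> str:
        key = (session_id, host)
        if key not in self._pins:
            self._pins[key] = self._resolver(host)     # pin on first use only
        return self._pins[key]


if __name__ == "__main__":
    services = RandomizedServiceMap(("change_forwarding", "stock_trade"))
    paths = services.issue("sessA")
    print("legit link :", services.resolve("sessA", paths["change_forwarding"]))
    print("fixed path :", services.resolve("sessA", "/change_forwarding"))
    print("other sess :", services.resolve("sessB", paths["change_forwarding"]))

    answers = {"bank.example": "192.0.2.10"}           # constructed resolver table
    pinner = DnsPinner(lambda host: answers[host])
    first = pinner.lookup("s1", "bank.example")
    answers["bank.example"] = "198.51.100.7"           # simulated poisoning mid-session
    print("pinned     :", first, "->", pinner.lookup("s1", "bank.example"))
```

Binding the random path to the session is what matters: a path that leaks out of one session is useless in another, and the canonical name never routes anywhere, so a script acting on the victim's behalf has no stable target. The pinner only ever resolves once per session and hostname, which is the behaviour the slide calls pinning down the DNS map entries.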

