Binary Analysis for Botnet Reverse Engineering & Defense. Dawn Song UC Berkeley

Transcription

1 Binary Analysis for Botnet Reverse Engineering & Defense Dawn Song UC Berkeley

2 Plans Building on BitBlaze to develop new techniques Automatic Reverse Engineering of C&C protocols of botnets Automatic rewriting of botnet traffic to facilitate botnet infiltration Vulnerability discovery of botnet

3 Preliminary Work Dispatcher: Enabling Active Botnet Infiltration using Automatic Protocol Reverse-Engineering Binary code extraction and interface identification for botnet traffic rewriting Botnet analysis for vulnerability discovery

4 Dispatcher: Enabling Active Botnet Infiltration using Automatic Protocol Reverse-Engineering Juan Caballero Pongsin Poosankam Christian Kreibich Dawn Song

5 Automatic Protocol Reverse- Engineering Process of extracting the application-level protocol used by a program, without the specification Automatic process Many undocumented protocols (C&C, Skype, Yahoo) Encompasses extracting: 1. the Protocol Grammar 2. the Protocol State Machine Message format extraction is prerequisite

6 Challenges for Active Botnet Infiltration Goal: Rewrite C&C messages on either 1. dialog Understand side both sides of C&C protocol Message structure Field semantics 2. Access to one side of dialog only 3. Handle encryption/obfuscation

7 Technical Contributions 1. Buffer deconstruction, a technique to extract the format of sent messages Ø Earlier work only handles received messages 2. Field semantics inference techniques, for messages sent and received 3. Designing and developing Dispatcher 4. Extending a technique to handle

8 Message Format Extraction Extract format of a single message Required by Grammar and State GET / Machine extraction HTTP/1.1 HTTP/ OK [Polygl ot] [Dispatc her]

9 Message Field Tree HTTP/ OK\r\n\r\n Status Line [0:16] MSG [0:18] Delimiter [17:18] Field Range: [3:3] Field Boundary: Fixed Field Semantics: Delimiter Field Keywords: <none> Target: Version Version [0:7] Delimiter [8:8] Status Code [9:11] Delimiter [12:12] Reason [13:14] Delimiter [15:16] Message format extraction has 2 steps: 1. Extract tree structure

10 Sent vs. Received Both protocol directions from single binary Different problems Taint information harder to leverage Focus on how message is constructed, not processed Different techniques needed: Tree structure Buffer Deconstruction

11 Outline Introduction Problem Techniques Buffer Deconstruction Field Semantics Inference Handling encryption Evaluation

12 Intuition Buffer Deconstruction Programs keep fields in separate memory buffers Combine those buffers to construct sent message Output buffer Holds message when send function invoked Or holds unencrypted message before

13 Buffer Deconstruction HTTP/ OK\r\n\r\n C(8) D(1 ) E( 3) A(17) F(1 ) Output Buffer (19) G(2 ) B(2) H(2 ) Message field tree = inverse of output buffer structure Output is structure of message field tree No field attributes, except range MSG [0:18] Status Line Delimit [0:16 [17:18] er ] [0:7 ] Versio [8:8 ] Delimit [9:11 ] [12:12 ] Delimit [13:14 ] Reaso n er er n Statu s Code [15:16 ] Delimit er

14 Field Attributes Inference Attributes capture extra information E.g., inter-field relationships Techniques identify Keywords Length fields Delimiters Variable-length field Arrays Attribute Field Range Field Boundary Field Semantics Field Keywords Value [StartOffset : EndOffset] Fixed, Length, Delimiter IP address, Timestamp, <list of keyworkds in field>

15 Field Semantics A field attribute in the message field tree Captures the type of data in the field Field Semantics Cookies Error codes File data File information Filenames Hash / Checksum Hostnames Keyboard input Keywords Length Padding Ports Registry data Sleep timers Host information Stored data IP addresses Timestamps Programs contain much semantic info leverage it! Semantics in welldefined functions and instructions Prototype Similar to type inference Differs for received and sent messages

16 Field Semantic Inference File GET /index.html path HTTP/1.1 HTTP/ OK Content-Length: 25 File length <html>hello world! </html> OU IN OU Tint stat(const char*path, Tstruct stat *buf); stat( index.html, &file_info); struct stat { off_t st_size; /* total size in bytes */ }

17 Detecting Encoding Functions Encoding functions = (de)compression, (de)(en)cryption, (de)obfuscation High ratio of arithmetic & bitwise instructions Use read/write set to identify buffers Work-in-progress on extracting and reusing encoding functions

18 MegaD C&C protocol C&C on tcp/443 using proprietary encryption Use Dispatcher s output to generate grammar 15 different messages seen (7 recv, 8 sent) 11 field semantics type MegaD_Messa ge = record { msg_len : uint16; encrypted_pay load:

19 MegaD Dialog C&C Server Test SMT P SMTP Test Server Cmd? Failed EHL O

20 MegaD Rewriting Test SMT P Get Template C&C Server SMTP Test Server Template Server Cmd? Success Failed EHL O Template? Gramma r

21 Summary Buffer deconstruction, a technique to extract the format of sent messages Field semantics inference techniques, for messages sent and received Designed and developed Dispatcher Extended technique to handle encryption Rewrote MegaD dialog using information extracted by Dispatcher