BareCloud: Bare-metal Analysis-based Evasive Malware Detection

Transcription

1 BareCloud: Bare-metal Analysis-based Evasive Malware Detection Dhilung Kirat, Giovanni Vigna, Christopher Kruegel UC Santa Barbara USENIX Security 2014 San Diego, CA

2 Dynamic Malware Analysis Execute s Reports

3 Dynamic Malware Analysis Execute s Reports

4 Dynamic Malware Analysis Virtualization/Emulation Execute s Reports

5 Evasive Malware Dynamic Malware Analysis Virtualization/Emulation Execute s Reports

6 Evasive Malware Dynamic Malware Analysis Virtualization/Emulation Execute

7 Detect Analysis Environment Disk HKLM\Hardware\DeviceMap\Scsi HKLM\System\CurrentControlSet\Services\Disk\Enum Bios HKLM\Hardware\Description\System\SystemBiosVersion Keyboard/Mouse Presence of mouse, keyboard layout User Username, Windows Product ID Active user

8 Detect Analysis Environment CPU SIDT instruction CPU Emulation bug (including MMX instruction set) Vulnerability CVE VirtualBox Timing attack The virtualization and emulation systems add some level of overhead

9 Fully Undetectable (FUD)

10 Solutions? Dynamic Malware Analysis Execute s Reports

11 Transparent Analysis Dynamic Malware Analysis Execute s Reports

12 Transparent Analysis Execution Environment Monitoring Components

13 Dynamic Malware Analysis Transparency Visibility

14 Can we automatically identify evasive malware under reduced visibility?

15 BareCloud Dynamic Malware Analysis Bare-metal system Execute s Reports

16 BareCloud Dynamic Malware Analysis Bare-metal system Execute s Reports No in-guest monitoring component

17 BareCloud IPMI Dynamic Malware Analysis Bare-metal system Network Packets Network Activities iscsi LVM Snapshot SleuthKit File Activities

18 BareCloud IPMI Dynamic Malware Analysis Bare-metal system Network Packets Network Activities iscsi LVM Snapshot SleuthKit File Activities

19 BareCloud Baremetal

20 BareCloud Baremetal Ether

21 BareCloud Baremetal Ether Anubis

22 BareCloud Baremetal Ether Anubis VBox

23 BareCloud Baremetal Ether Anubis VBox

24 BareCloud Baremetal Ether Anubis VBox

25 Transient vs. Persistent All Ac>vi>es Normaliza>on Persistent Changes

26 Deviation Malware Analysis System Evasion Internal SoIware Environment Iden>cal setup Programed Randomiza>on Normalize behavior Hierarchical Similarity External Network Environment Simultaneous Execu>on Iden>cal External Network Consistent Reply

27 Comparison A B

28 Comparison A B JaccardSimilarity = A B A B

29 Comparison A B C Create file X Create file X Create file X Create file Y Create file Z Create file Y Modify file Z Create file Y Connect to C&C

30 Comparison A B C Create file X Create file X Create file X Create file Y Create file Z Create file Y Modify file Z Create file Y Connect to C&C

31 Comparison A B C Create file X Create file Y Create file Z Create file X Create file Y Modify file Z Create file X Create file Y Connect to C&C JaccardSimilarity(A, B) = 2/4 = JaccardSimilarity(A, C)

32 Comparison A B

33 Comparison A B What type of events? Filesystem? Network? Are events related to the same object? Same file? Same network endpoint? What type of opera>ons? Create? Delete? HTTP?

34 Similarity Hierarchy root Object Type Object Name Name AWribute

35 Similarity Hierarchy A Object Type root file Create file X Object Name C:\X C:\Y C:\Z Create file Y Create file Z Name AWribute

36 Similarity Hierarchy B Object Type root file Create file X Object Name C:\X C:\Y C:\Z Create file Y Modify file Z Name AWribute modify

37 Similarity Hierarchy C Object Type file root network Create file X Create file Y Connect to C&C Object Name Name AWribute C:\X C:\Y C&C Address hwp

38 Hierarchical Similarity A C root root Object Type file Object Type file network Object Name C:\X C:\Y C:\Z Object Name C:\X C:\Y C&C Address Name Name hwp AWribute AWribute

39 Hierarchical Similarity A C Candidate Sets root root Object Type file Object Type file network Object Name C:\X C:\Y C:\Z Object Name C:\X C:\Y C&C Address Name Name hwp AWribute AWribute

40 Hierarchical Similarity A C Candidate Sets root root Object Type file Object Type file network Object Name C:\X C:\Y C:\Z Object Name C:\X C:\Y C&C Address Name Name hwp AWribute AWribute

41 Hierarchical Similarity A C Candidate Sets root root Object Type file Sim 1 = 1/2 Object Type file network Object Name C:\X C:\Y C:\Z Object Name C:\X C:\Y C&C Address Name Name hwp AWribute AWribute

42 Hierarchical Similarity A C Candidate Sets root root Object Type file Sim 1 = 1/2 Object Type file network Object Name C:\X C:\Y C:\Z Object Name C:\X C:\Y C&C Address Name Name hwp AWribute AWribute

43 Hierarchical Similarity A C root root Object Type file Sim 1 = 1/2 Object Type file network Object Name C:\X C:\Y C:\Z Sim 2 = 2/3 Object Name C:\X C:\Y C&C Address Name Name hwp AWribute AWribute

44 Hierarchical Similarity A C root root Object Type file Sim 1 = 1/2 Object Type file network Object Name C:\X C:\Y C:\Z Sim 2 = 2/3 Object Name C:\X C:\Y C&C Address Name Sim 3 = 1 Name hwp AWribute Sim 4 = 1 AWribute

45 Hierarchical Similarity A C root root Object Type file Sim 1 = 1/2 Object Type file network Object Name C:\X C:\Y C:\Z Sim 2 = 2/3 Object Name C:\X C:\Y C&C Address Name Sim 3 = 1 Name hwp AWribute Sim 4 = 1 AWribute Sim(A, C) = AVG(Sim 1 Sim 4 ) = 0.79

46 Hierarchical Similarity A B root root Object Type file Sim 1 = 1 Object Type file Object Name C:\X C:\Y C:\Z Sim 2 = 1 Object Name C:\X C:\Y C:\Z Name Sim 3 = 1/2 Name modify AWribute Sim 4 = 1 AWribute Sim(A, B) = AVG(Sim 1 Sim 4 ) = 0.87

47 Comparison A Create file X Create file Y Create file Z B Create file X Create file Y Modify file Z C Create file X Create file Y Connect to C&C JaccardSimilarity(A, B) == JaccardSimilarity(A, C) HierarchicalSim(A, B) > HierarchicalSim(A, C) 0.87 > 0.79

48 Deviation Score Distance Distance(A, B) = 1 - Sim(A, B) Baremetal Ether Deviation Score D Quadratic mean of the behavior distances with respect to the baremetal analysis Deviation Threshold t Evasive if D > t Anubis VBox

49 Evaluation Ground truth 111 evasive samples (29 families) 119 non-evasive samples (49 families) Calculated behavior Deviation score D Calculate Jaccard distance-based deviation JD Maximum Jaccard-distance among different behavior profiles of a malware Precision-recall analysis by varying the deviation threshold t

50 Evaluation Precision Hierarchical similarity Jaccard similarity Recall

51 Evaluation Precision Precision Recall t= Threshold (t)

52 Large-scale Evaluation Recent real-world malware feed observed by Anubis Randomly select samples with low system and low network activity high system and high network activity high system but low network activity Low system but high network activity 110,005 samples 4 months period beginning from July 2013

53 Large-scale Evaluation Environment Detection Count Percentage Anubis Ether VirtualBox All ,835 evasive malware out of 110,005 recent samples

54 Limitations Hardware vs software iscsi initiator Stalling code Wait for user input Advanced waiting Decoy reconnaissance Real hardware ID not randomized

55 Conclusions Evasive Malware is a real threat to the new wave of dynamic analysis based malware detection systems We presented a system that can detect these evasive malware automatically

56 Thank You!

57 Questions