Reflective Memory Attacks Deep Dive: How They Work; Why They’re Hard to Detect

In a twisted sort of way, today’s threats are kind of thrilling. Hacker movies of yesterday have nothing on the reality of today. When I first learned how buffer overflows worked I was amazed. But reflective memory attacks go way beyond “simple” buffer overflows.

Reflective memory attacks allow the bad guy to silently load large programs and execute them inside an already running process, using its memory, resources and authority. These attacks bypass common security technologies like AV and application whitelisting because they don’t drop any file onto the file system. They basically just allocate some memory, write the malicious code into it and then (usually) spin up a thread executing that code. That’s actually not a very unusual sequence of operations, so it’s really hard to detect.

In this presentation, we will do a deep dive exclusively into reflective memory attacks. You will learn:
• How reflective memory attacks work
• Why they’re called reflective
• Why traditional security technologies don’t catch them
• Methods for detecting them
• Crippling performance problems caused by some detection methods
• The tradeoff between detection and performance
Joining me will be Dan Teal, who invented the Bouncer technology at CoreTrace (acquired by Lumension). Dan will shed light on this advanced topic and then briefly show how Lumension Endpoint Security Suite incorporates Bouncer technology to detect reflective memory attacks without hurting performance.

Transcript

  • 1. Reflective Memory Attacks Deep Dive: How They Work; Why They’re Hard to Detect. © 2013 Monterey Technology Group Inc.
  • 2. Brought to you by Lumension (www.lumension.com). Speaker: Dan Teal, Senior Architect
  • 3. Preview of Key Points
    • How did we get to where we are today with reflective memory attacks?
    • How does reflective memory injection work?
    • Why doesn’t AV or application whitelisting detect it?
    • What does a process look like that has been injected this way?
    • How can it be detected via security software?
  • 4. How did we get to where we are today with reflective memory attacks? Simple scripts, then buffer overflows with file drops, then reflective memory injection.
  • 5. How does reflective memory injection work? Relocatable code; DLLs; threads; memory management (stack, heap, addresses/pointers); function calls.
  • 6. How does reflective memory injection work?
    • Malformed content sent to PC
    • Buffer overflow
    • Shell code activates
    • Downloads larger malware from Internet
    • Writes malware directly to heap memory (no file access)
    • Dynamically links references to function calls
    • Flags memory as executable
    • Spins up a thread to run the malware
  • 7. How does reflective memory injection work? More details:
    • Write the library into the address space of the target process
    • Pass execution to the Reflective Loader
    • Determines its location in memory for parsing its own headers
    • Parse kernel32.dll export table to calculate addresses of GetProcAddress and VirtualAlloc
    • Allocate a contiguous block of memory for loading its image
    • Load in its headers and sections
    • Process its import table, loading additional libraries as needed and resolving imported function addresses
    • Process its relocation table
    • Call its entry point function, DllMain
  • 8. In a way, Microsoft makes it easy
    • NtQueryVirtualMemory()
    • VirtualAllocEx()
    • NtReadVirtualMemory / NtWriteVirtualMemory
    • NtCreateThread()
    A process can access and manipulate the address space of another process.
    • When these functions are used within the kernel, even DRM-protected processes can be accessed
    • This is why ProcessHacker has the option to install KProcessHacker
    Ease of access is related to how Windows processes are created.
  • 9. Why doesn’t AV or application whitelisting detect it?
    • Nothing dropped onto the file system
    • Does not use LoadLibrary(), so it will not show up in the list of loaded modules for a process
    • RMI places libraries into processes that are already authorized and running
    • DEP, ASLR, and other technologies are great but not enough
    • Blacklisting involves collecting a list of bad threat signatures and preventing those apps from running; reactive: always a step behind the latest threats
    • Traditional signature-based anti-virus is not enough
  • 10. What does a process look like that has been injected this way?
    “At a process level the only indicators that the library exists is that there will be a chunk of allocated memory present, via VirtualAlloc, where the loaded library resides. This memory will be marked as readable, writable and executable. There will also be a thread of execution which will be, periodically at least, executing code from this memory chunk.”
    Stephen Fewer, Harmony Security, http://www.harmonysecurity.com/files/HS-P005_ReflectiveDllInjection.pdf
  • 11. How can it be detected via security software?
    • Synchronously: rock solid but prohibitively expensive performance-wise
    • Asynchronously, stack walking: performance prohibitive
    • Asynchronously, correlate processes with legitimate code: catches the attack without impacting performance
  • 12. How can it be detected via security software? Synchronously
    Sequence of events:
    • Allocate memory via VirtualAllocEx
    • Copy in the library
    • Link it in
    • Start a thread
    The Windows kernel only gives a few options for registering for callbacks. Security software used to be able to hook the kernel to monitor VirtualAllocEx, but that is no longer an option on x64 with PatchGuard. We can register to be notified when a thread is started, but not when memory is allocated.
  • 13. How can it be detected via security software? Asynchronously: stack walking
    • Periodically analyze the call stack of every running thread to ensure that the instruction pointer in every stack frame points to legitimate code
    • Pros: works very well if implemented correctly and can also detect types of buffer overflows
    • Cons: performance impact
  • 14. How can it be detected via security software? Asynchronously: legitimate code correlation
    • Continually track every process from the kernel and correlate with legitimate code
    • Threads, memory regions, loaded module list (can be manipulated)
    • Whitelisting provides great support for this – control loading of kernel modules
    • Pros: low performance impact
    • Cons: limited to detecting library injection
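The indicators from slides 10, 13 and 14 (an unbacked RWX chunk, a thread running from it, stack frames pointing outside legitimate code) as one correlation check, added here as an example that is not part of the presentation or of Lumension’s product. The module list, memory regions, thread start addresses and return addresses are constructed sample values; on a live Windows host a scanner would collect them with EnumProcessModules, VirtualQueryEx, NtQueryInformationThread and StackWalk64, which this example does not call.

```python
from dataclasses import dataclass

# Constants from the Win32 MEMORY_BASIC_INFORMATION structure.
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
EXECUTE_BITS = 0xF0  # PAGE_EXECUTE, _READ, _READWRITE, _WRITECOPY

@dataclass(frozen=True)
class Region:
    base: int
    size: int
    protect: int  # page protection
    kind: int     # MEM_IMAGE, MEM_MAPPED or MEM_PRIVATE

@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

def backing_module(addr, modules):
    """Return the loaded module whose image range covers addr, or None."""
    return next((m for m in modules if m.base <= addr < m.base + m.size), None)

def suspicious_regions(regions, modules):
    """Slide 10's indicator: private, executable memory that no entry in the
    loaded-module list accounts for (an injected image lives in such a chunk)."""
    return [r for r in regions
            if r.kind == MEM_PRIVATE and r.protect & EXECUTE_BITS
            and backing_module(r.base, modules) is None]

def unbacked_threads(thread_starts, modules):
    """Slide 14's correlation: thread start addresses outside every loaded module."""
    return sorted(tid for tid, start in thread_starts.items()
                  if backing_module(start, modules) is None)

def unbacked_frames(return_addresses, modules):
    """Slide 13's stack walk: frames whose return address is not in legitimate code."""
    return [ip for ip in return_addresses if backing_module(ip, modules) is None]

# Constructed snapshot of one process (sample values, not a real capture).
MODULES = [Module("app.exe", 0x00400000, 0x00080000),
           Module("kernel32.dll", 0x76800000, 0x00100000),
           Module("ntdll.dll", 0x77000000, 0x00180000)]
REGIONS = [Region(0x00400000, 0x00080000, PAGE_EXECUTE_READ, MEM_IMAGE),      # app.exe image
           Region(0x00600000, 0x00010000, PAGE_READWRITE, MEM_PRIVATE),        # ordinary heap
           Region(0x02A00000, 0x00040000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE)]  # RWX, unbacked
THREAD_STARTS = {0x1A4: 0x00401000, 0x2B8: 0x02A00110}  # tid -> Win32 start address
```

JIT engines such as .NET and browser script engines also create private executable regions, and the loaded-module list itself can be unlinked by injected code (slide 14), so the output is a triage signal to corroborate from the kernel’s view of the process, not a verdict.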
  • 15. Let’s see detection in action…
  • 16. Brought to you by Lumension (www.lumension.com). Speaker: Dan Teal, Senior Architect
  • 17. More Information
    • Free Security Scanner Tools
      » Vulnerability Scanner – discover all OS and application vulnerabilities on your network
      » Application Scanner – discover all the apps being used in your network
      » Device Scanner – discover all the devices being used in your network
      http://www.lumension.com/special-offer/premium-security-tools.aspx
    • Lumension® Endpoint Management and Security Suite
      » Online Demo Video: http://www.lumension.com/Resources/Demo-Center/Vulnerability-Management.aspx
      » Free Trial (virtual or download): http://www.lumension.com/endpoint-management-security-suite/free-trial.aspx
    • Get a Quote (and more): http://www.lumension.com/endpoint-management-security-suite/buy-now.aspx#217
  • 18. Q&A
  • 19. Global Headquarters: 8660 East Hartford Drive, Suite 300, Scottsdale, AZ 85255. 1.888.725.7828, info@lumension.com