Enabling Worm and Malware Investigation Using Virtualization


Enabling Worm and Malware Investigation Using Virtualization - From Dongyan Xu, Xuxian Jiang

Published in: Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Enabling Worm and Malware Investigation Using Virtualization

    1. Enabling Worm and Malware Investigation Using Virtualization (demo and poster this afternoon). Dongyan Xu, Xuxian Jiang. CERIAS and Department of Computer Science, Purdue University
    2. The Team
       • Lab FRIENDS
         • Xuxian Jiang (Ph.D. student)
         • Paul Ruth (Ph.D. student)
         • Dongyan Xu (faculty)
       • CERIAS
         • Eugene H. Spafford
       • External collaboration
         • Microsoft Research
    4. Our Goal
       • In-depth understanding of increasingly sophisticated worm/malware behavior
    5. Outline
       • Motivation
       • An integrated approach
         • Front-end: Collapsar (Part I)
         • Back-end: vGround (Part II)
         • Bringing them together
       • On-going work
       (Slide callout: Virtualization)
    6. The Big Picture
       [Figure: Domain A and Domain B, Proxy ARP, GRE; Worm Capture feeding Worm Analysis]
    7. Front-End: Collapsar (Part I). Enabling Worm/Malware Capture
       * X. Jiang, D. Xu, "Collapsar: a VM-Based Architecture for Network Attack Detention Center", 13th USENIX Security Symposium (Security'04), 2004.
    8. General Approach
       • Promise of honeypots
         • Providing insights into intruders' motivations, tactics, and tools
           • Highly concentrated datasets w/ low noise
           • Low false-positive and false-negative rates
         • Discovering unknown vulnerabilities/exploitations
           • Example: CERT advisory CA-2002-01 (Solaris CDE subprocess control daemon – dtspcd)
    9. Current Honeypot Operation
       • Individual honeypots
         • Limited local view of attacks
       • Federation of distributed honeypots
         • Deploying honeypots in different networks
         • Exchanging logs and alerts
       • Problems
         • Difficulties in distributed management
         • Lack of honeypot expertise
         • Inconsistency in security and management policies
           • Example: log format, sharing policy, exchange frequency
    10. Our Approach: Collapsar
       • Based on the HoneyFarm idea of Lance Spitzner
       • Achieving two (seemingly) conflicting goals
         • Distributed honeypot presence
         • Centralized honeypot operation
       • Key ideas
         • Leveraging unused IP addresses in each network
         • Diverting the corresponding traffic to a "detention" center (transparently)
         • Creating VM-based honeypots in the center
       (Slide callout: Virtualization)
    11. Collapsar Architecture
       [Figure: Attacker; three Production Networks, each with a Redirector; Collapsar Center with Front-End, VM-based Honeypot, Correlation Engine, Management Station]
    12. Comparison with Current Approaches
       • Overlay-based approach (e.g., NetBait, Domino overlay)
         • Honeypots deployed in different sites
         • Logs aggregated from distributed honeypots
         • Data mining performed on aggregated log information
         • Key difference: where the attacks take place (on-site vs. off-site)
    13. Comparison with Current Approaches
       • Sinkhole networking approach (e.g., iSink)
         • "Dark" space to monitor Internet abnormality and commotion (e.g. MSBlaster worms)
         • Limited interaction for better scalability
         • Key difference: contiguous large address blocks (vs. scattered addresses)
    14. Comparison with Current Approaches
       • Low-interaction approach (e.g., honeyd, iSink)
         • Highly scalable deployment
         • Low security risks
         • Key difference: emulated services (vs. real things)
           • Less effective at revealing unknown vulnerabilities
           • Less effective at capturing 0-day worms
    15. Collapsar Design
       • Functional components
         • Redirector
         • Collapsar Front-End
         • Virtual honeypots
       • Assurance modules
         • Logging module
         • Tarpitting module
         • Correlation module
    16. Collapsar Deployment
       • Deployed in a local environment for a two-month period in 2003
       • Traffic redirected from five networks
         • Three wired LANs
         • One wireless LAN
         • One DSL network
       • ~50 honeypots analyzed so far
         • Internet worms (MSBlaster, Enbiei, Nachi)
         • Interactive intrusions (Apache, Samba)
         • OS: Windows, Linux, Solaris, FreeBSD
    17. Incident: Apache Honeypot/VMware
       • Vulnerabilities
         • Vul 1: Apache (CERT® CA-2002-17)
         • Vul 2: Ptrace (CERT® VU-6288429)
       • Time-line
         • Deployed: 23:44:03pm, 11/24/03
         • Compromised: 09:33:55am, 11/25/03
       • Attack monitoring
         • Detailed log
           • http://www.cs.purdue.edu/homes/jiangx/collapsar
    18. Incident: Windows XP Honeypot/VMware
       • Vulnerability
         • RPC DCOM Vul. (Microsoft Security Bulletin MS03-026)
       • Time-line
         • Deployed: 22:10:00pm, 11/26/03
         • MSBlaster: 00:36:47am, 11/27/03
         • Enbiei: 01:48:57am, 11/27/03
         • Nachi: 07:03:55am, 11/27/03
    19. Summary (Front-End)
       • A novel front-end for worm/malware capture
         • Distributed presence and centralized operation of honeypots
         • Good potential in attack correlation and log mining
       • Unique features
         • Aggregation of scattered unused (dark) IP addresses
         • Off-site (relative to participating networks) attack occurrences and monitoring
         • Real services for unknown vulnerability revelation
    20. Back-End: vGround (Part II). Enabling Worm/Malware Analysis
       * X. Jiang, D. Xu, H. J. Wang, E. H. Spafford, "Virtual Playgrounds for Worm Behavior Investigation", 8th International Symposium on Recent Advances in Intrusion Detection (RAID'05), 2005.
    21. Basic Approach
       • A dedicated testbed
         • Internet-inna-box (IBM), Blended Threat Lab (Symantec)
         • DETER
       • Goal: understanding worm behavior
         • Static analysis/execution trace
           • Reverse engineering (IDA Pro, GDB, …)
         • Worm experiment within a limited scale
         • Result:
           • Only enabling relatively static analysis within a small scale
    22. The Reality – Worm Threats
       • Speed, virulence, & sophistication of worms
         • Flash/Warhol worms
         • Polymorphic/metamorphic appearances
         • Zombie networks (DDoS attacks, spam)
       • What we also need
         • A high-fidelity, large-scale, live but safe worm playground
    23. A Worm Playground
       [Figure: picture by Peter Szor, Symantec Corp.]
    24. Requirements
       • Cost & scalability
         • How about a topology with 2000+ nodes?
       • Confinement
         • In-house private use?
       • Management & user convenience
         • Diverse environment requirement
         • Recovery from damages from a worm experiment
           • re-installation, re-configuration, and reboot …
    25. Our Approach
       • vGround
         • A virtualization-based approach
       • Virtual entities:
         • Leveraging current virtual machine techniques
         • Designing new virtual networking techniques
       • User configurability
         • Customizing every node (end-hosts/routers)
         • Enabling flexible experimental topologies
       (Slide callout: Virtualization)
    26. An Example Run: Internet Worms
       [Figure: a worm playground (virtual) running on top of a shared infrastructure, e.g. PlanetLab (physical)]
    27. Key Virtualization Techniques
       • Full-system virtualization
       • Network virtualization
    28. Full-System Virtualization
       • Emerging and new VM techniques
         • VMware, Xen, Denali, UML
         • Support for real-world services
           • DNS, Sendmail, Apache w/ "native" vulnerabilities
       • Adopted technique: UML
         • Deployability
         • Convenience/resource efficiency
    29. User-Mode Linux (http://user-mode-linux.sf.net)
       • System-call virtualization
       • User-level implementation
       [Figure: Hardware; Host OS Kernel with Device Drivers and MMU; Guest OS Kernel with Device Drivers; UM User Process 1 and UM User Process 2; ptrace]
    30. New Network Virtualization
       • Link-layer virtualization
       • User-level implementation
       [Figure: Host OS; Virtual Node 1 and Virtual Node 2 attached to Virtual Switch 1; IP-IP]
    31. User Configurability
       • Node customization
         • System template
           • End node (BIND, Apache, Sendmail, …)
           • Router (RIP, OSPF, BGP, …)
           • Firewall (iptables)
           • Sniffer/IDS (bro, snort)
       • Topology customization
         • Language
           • Network, Node
         • Toolkits
    32. Project Planetlab-Worm (topology specification as shown on the slide; the address and gateway values are missing from the transcript)
        template slapper {
          image slapper.ext2
          cow enabled
          startup { /etc/rc.d/init.d/httpd start }
        }
        template router {
          image router.ext2
          routing ospf
          startup { /etc/rc.d/init.d/ospfd start }
        }
        router R1 {
          superclass router
          network eth0 { switch AS1_lan1 address }
          network eth1 { switch AS1_AS2 address }
        }
        switch AS1_lan1 { unix_sock sock/as1_lan1 host planetlab6.millennium.berkeley.edu }
        switch AS1_AS2 { udp_sock 1500 host planetlab6.millennium.berkeley.edu }
        node AS1_H1 { superclass slapper network eth0 { switch AS1_lan1 address gateway } }
        node AS1_H2 { superclass slapper network eth0 { switch AS1_lan1 address gateway } }
        switch AS2_lan1 { unix_sock sock/as2_lan1 host planetlab1.cs.purdue.edu }
        switch AS2_AS3 { udp_sock 1500 host planetlab1.cs.purdue.edu }
        node AS2_H1 { superclass slapper network eth0 { switch AS2_lan1 address gateway } }
        node AS2_H2 { superclass slapper network eth0 { switch AS2_lan1 address gateway } }
        switch AS3_lan1 { unix_sock sock/as3_lan1 host planetlab8.lcs.mit.edu }
        router R2 {
          superclass router
          network eth0 { switch AS2_lan1 address }
          network eth1 { switch AS1_AS2 address }
          network eth2 { switch AS2_AS3 address }
        }
        node AS3_H1 { superclass slapper network eth0 { switch AS3_lan1 address gateway } }
        node AS3_H2 { superclass slapper network eth0 { switch AS3_lan1 address gateway } }
        router R3 {
          superclass router
          network eth0 { switch AS3_lan1 address }
          network eth1 { switch AS2_AS3 address }
        }
        [Figure: topology with nodes AS1_H1, AS1_H2, R1, AS2_H1, AS2_H2, R2, R3, AS3_H1, AS3_H2; legend: Networked Node, Network, System Template]
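The slide shows the vGround topology language only by example. The parser and confinement check below are an added example, not vGround's own toolkit: the brace grammar (named `template`/`switch`/`router`/`node`/`network` blocks, a `startup` command block, `key value` properties) is reconstructed from the slide and is an assumption, and the IP addresses, the allow-list of physical hosts and the spec itself are constructed. The check flags a switch placed on a machine outside the playground, an interface wired to an undefined switch, and an end node with no gateway, which are the errors that would let traffic escape or leave part of the topology unreachable.

```python
import re

# Constructed spec in the slide's style (not vGround's real file);
# the addresses and physical host names are placeholders.
SPEC = """
template slapper { image slapper.ext2 cow enabled
  startup { /etc/rc.d/init.d/httpd start } }
switch AS1_lan1 { unix_sock sock/as1_lan1 host lab-host-1.example }
switch AS1_AS2 { udp_sock 1500 host outside-host.example }
router R1 { superclass router
  network eth0 { switch AS1_lan1 address 10.1.0.1 }
  network eth1 { switch AS1_AS2 address 10.12.0.1 } }
node AS1_H1 { superclass slapper
  network eth0 { switch AS1_lan1 address 10.1.0.11 gateway 10.1.0.1 } }
node AS1_H2 { superclass slapper
  network eth0 { switch AS1_lan9 address 10.1.0.12 } }
"""
# Physical machines allowed to carry playground traffic (constructed).
PLAYGROUND_HOSTS = {"lab-host-1.example", "lab-host-2.example"}
NAMED_BLOCKS = {"template", "router", "node", "switch", "network"}

def parse(tokens, i=0):
    """Parse until the matching '}'; returns (props, child blocks, index)."""
    props, children = {}, []
    while i < len(tokens) and tokens[i] != "}":
        tok = tokens[i]
        if tok in NAMED_BLOCKS and tokens[i + 2:i + 3] == ["{"]:  # `node X { ... }`
            name, (sub, kids, i) = tokens[i + 1], parse(tokens, i + 3)
            children.append((tok, name, sub, kids)); i += 1        # past '}'
        elif tok == "startup":                 # raw command text up to '}'
            j = tokens.index("}", i); props[tok] = " ".join(tokens[i + 2:j]); i = j + 1
        else:                                  # plain `key value` property
            props[tok] = tokens[i + 1]; i += 2
    return props, children, i

def check(spec):
    """List problems: switches on foreign hosts, dangling links, gateway-less end nodes."""
    _, blocks, _ = parse(re.findall(r"[{}]|[^\s{}]+", spec))
    switches = {n: p for k, n, p, _ in blocks if k == "switch"}
    errors = [f"switch {n}: host {p.get('host')} is outside the playground"
              for n, p in switches.items() if p.get("host") not in PLAYGROUND_HOSTS]
    for kind, name, _, ifaces in blocks:
        if kind not in ("node", "router"):
            continue
        for _, ifname, cfg, _ in ifaces:
            if cfg.get("switch") not in switches:      # dangling link
                errors.append(f"{name}/{ifname}: undefined switch {cfg.get('switch')}")
            if kind == "node" and "gateway" not in cfg:  # end host cannot reach a router
                errors.append(f"{name}/{ifname}: end node has no gateway")
    return errors
```

Running `check(SPEC)` on the constructed spec reports three problems; fixing them (switch host, switch name, gateway) yields an empty list.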
    33. Features
       • Scalability
         • 3000 virtual hosts in 10 physical nodes
       • Iterative experiment convenience
         • Virtual node generation time: 60 seconds
         • Boot-strap time: 90 seconds
         • Tear-down time: 10 seconds
       • Strict confinement
       • High fidelity
    34. Evaluation
       • Current focus
         • Worm behavior reproduction
       • Experiments
         • Probing, exploitation, payloads, and propagation
       • Further potentials – on-going work
         • Routing worms / stealthy worms
         • Infrastructure security (BGP)
    35. Experiment Setup
       • Two real-world worms
         • Lion, Slapper, and their variants
       • A vGround topology
         • 10 virtual networks
         • 1500 virtual nodes
         • 10 physical machines in an ITaP cluster
    36. Evaluation
       • Target host distribution
       • Detailed exploitation steps
       • Malicious payloads
       • Propagation pattern
    37. Probing: Target Network Selection
       [Figure: Lion Worms, Slapper Worms; 13, 243; 80,81; http://www.iana.org/assignments/ipv4-address-space]
    38. Exploitation (Lion)
       [Figure: 1: Probing, 2: Exploitation!, 3: Propagation!]
    39. Exploitation (Slapper)
       [Figure: 1: Probing, 2: Exploitation!, 3: Propagation!]
    40. Malicious Payload (Lion)
       [Figure]
    41. Propagation Pattern and Strategy
       • Address-sweeping
         • Randomly choose a Class B address (a.b.0.0)
         • Sequentially scan hosts a.b.0.0 – a.b.255.255
       • Island-hopping
         • Local subnet preference
    42. Propagation Pattern and Strategy
       • Address-sweeping (Slapper worm)
       [Figure: infected hosts at 2%, 5%, 10%; address space 192.168.a.b]
    43. Propagation Pattern and Strategy
       • Island-hopping
       [Figure: infected hosts at 2%, 5%, 10%]
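The two propagation strategies on slides 41 to 43 leave different traces in outbound connection records, which is what a playground sniffer or a production IDS sees. The classifier below is an added example, not part of the vGround toolkit: the probe records are constructed, and treating the source's /16 as "local" for island-hopping and an 80% run of +1 address steps as a sweep are threshold assumptions.

```python
import ipaddress
from collections import defaultdict

SEQUENTIAL_SHARE = 0.8   # share of consecutive probes that step by exactly +1 (assumed)
LOCAL_SHARE = 0.5        # share of probes inside the source's own /16 (assumed)

def make_records():
    """Constructed (src, dst) probe records for three infected hosts, in
    the order a sniffer would log them; no real traffic is used."""
    rec = []
    for i in range(40):   # address sweeper: one /16 picked, then walked sequentially
        rec.append(("10.5.1.20", f"192.168.0.{i + 1}"))
    for i in range(40):   # island hopper: mostly own /24, sometimes another local /24
        rec.append(("10.5.2.7", f"10.5.{9 if i % 4 == 0 else 2}.{(i * 7) % 250 + 1}"))
    for i in range(40):   # uniform scanner: spread over the whole address space
        rec.append(("10.5.3.9", f"{1 + (i * 97) % 200}.{(i * 131) % 256}."
                                f"{(i * 61) % 256}.{1 + (i * 29) % 250}"))
    return rec

def classify(src, dsts):
    """Label one host's probe sequence with the slides' strategy it matches."""
    ints = [int(ipaddress.ip_address(d)) for d in dsts]
    plus_one = sum(1 for a, b in zip(ints, ints[1:]) if b - a == 1)
    local16 = ipaddress.ip_network(f"{src}/16", strict=False)
    local = sum(1 for d in dsts if ipaddress.ip_address(d) in local16)
    if len(ints) > 1 and plus_one / (len(ints) - 1) >= SEQUENTIAL_SHARE:
        return "address-sweeping"
    if local / len(dsts) >= LOCAL_SHARE:
        return "island-hopping"
    return "random"

def classify_all(records):
    """Group probes by source host (in the order seen) and classify each source."""
    by_src = defaultdict(list)
    for src, dst in records:
        by_src[src].append(dst)
    return {src: classify(src, dsts) for src, dsts in by_src.items()}
```

A single probe is never enough evidence for a sweep, so a host with one record falls through to the local-share test.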
    44. Summary (Back-End)
       • vGround – the back-end
         • A virtualization-based worm playground
         • Properties:
           • High fidelity
           • Strict confinement
           • Good scalability
             • 3000 virtual hosts in 10 physical nodes
           • High resource efficiency
           • Flexible and efficient worm experiment control
    45. Combining Collapsar and vGround
       [Figure: Domain A and Domain B, GRE; Worm Capture feeding Worm Analysis]
    46. Conclusions
       • An integrated virtualization-based platform for worm and malware investigation
         • Front-end: Collapsar
         • Back-end: vGround
       • Great potential for automatic
         • Characterization of unknown service vulnerabilities
         • Generation of 0-day worm signatures
         • Tracking of worm contaminations
    47. On-going Work
       • More real-world evaluation
         • Stealthy worms
         • Polymorphic worms
       • Additional capabilities
         • Collapsar center federation
         • On-demand honeypot customization
         • Worm/malware contamination tracking
         • Automated signature generation
    48. Thank you. Stop by our poster and demo this afternoon!
       For more information: Email: d [email_address]; URL: http://www.cs.purdue.edu/~dxu; Google: "Purdue Collapsar Friends"