"egg" - A stealth fine grained code analyzer

825 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
825
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
Downloads
2
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

"egg" - A stealth fine grained code analyzer

  1. 1. Fourteenforty Research Institute, Inc. http://www.fourteenforty.jp “egg” - A Stealth fine grained code analyzer Satoshi TANDA Senior Software Engineer
  2. 2. Fourteenforty Research Institute, Inc. / 32 Agenda • Background and problems • Introduce “egg” – Demonstration its basic functions • Implementation (Taint tracing approach in ring-0) – Demonstration of the taint tracing behavior • Discuss a limitation of “egg” • Conclusion 2
  3. 3. Fourteenforty Research Institute, Inc. / 32 Too many malwares! • We can’t manually analyze each malware. • Automatic approaches have become more important. 3 0 10 20 30 40 50 60 70 80 90 100 2001 yr 2003 yr 2005 yr 2007 yr The percentage of packed malwares 80% of malwares ware packed in 2007 Source: 2001-2005 : McAfee Sage vol.1 issue 1 2007 : Panda Research (http://research.pandasecurity.com/malwareformation-statistics/)
  4. 4. Fourteenforty Research Institute, Inc. / 32 Problems of traditional dynamic analyzers • We can’t get useful information for more intensive analysis. • We can’t analyze a kernel mode code. • It’s difficult to analyze a spreading malware over the process. 4
  5. 5. Fourteenforty Research Institute, Inc. / 32 Innovative analyzers (based on VM environments) • Innovative analyzers have already resolved the above problems – Anubis – Ether • It’s able to analyze a kernel mode code and perform an instruction level analysis. – BitBlaze and Renovo • Also these analyze a spreading malware automatically with approach called “taint tracing”. • However these systems are detected by VM detection techniques 5
  6. 6. Fourteenforty Research Institute, Inc. / 32 Summary table of problems Type of system Traditional Innovative (Based on virtual environments) Getting useful information Insufficient Good Analyzing a kernel mode code Insufficient Good Analyzing a spreading malware. Insufficient Good Not affected by VM detection techniques Good Insufficient 6 • I developed “egg” to try and resolve these problems.
  7. 7. Fourteenforty Research Institute, Inc. / 32 What is egg? • “egg” is a dynamic analyzer based on a Windows device driver. • egg has following capabilities: 1. It can obtain more detailed information. 2. It can analyze a kernel mode code. 3. It can automatically trace a spreading malware. • Of course, It’s not affected by VM detection techniques. • Also most common anti-debug tech can’t detect “egg”. 7
  8. 8. Fourteenforty Research Institute, Inc. / 32 What kind of information does ”egg” collect? 1. API arguments for IN, OUT (,INOUT), and return value 8 BOOL WINAPI ReadFile( __in HANDLE hFile, __out LPVOID lpBuffer, __in DWORD nNumberOfBytesToRead, __out_opt LPDWORD lpNumberOfBytesRead, __inout_opt LPOVERLAPPED lpOverlapped );
  9. 9. Fourteenforty Research Institute, Inc. / 32 What kind of information does ”egg” collect? 1. API arguments for IN, OUT (,INOUT), and return value 9 BOOL WINAPI ReadFile( __in HANDLE hFile, __out LPVOID lpBuffer, __in DWORD nNumberOfBytesToRead, __out_opt LPDWORD lpNumberOfBytesRead, __inout_opt LPOVERLAPPED lpOverlapped ); call to kernel32.dll!ReadFile( Arg 1 : 00000064 = File : ¥Device¥HarddiskVolume1¥WINDOWS¥(...) , Arg 3 : 00000800(2048) )
  10. 10. Fourteenforty Research Institute, Inc. / 32 What kind of information does ”egg” collect? 1. API arguments for IN, OUT (,INOUT), and return value 10 BOOL WINAPI ReadFile( __in HANDLE hFile, __out LPVOID lpBuffer, __in DWORD nNumberOfBytesToRead, __out_opt LPDWORD lpNumberOfBytesRead, __inout_opt LPOVERLAPPED lpOverlapped ); call to kernel32.dll!ReadFile( Arg 1 : 00000064 = File : ¥Device¥HarddiskVolume1¥WINDOWS¥(...) , Arg 3 : 00000800(2048) ) returned from kernel32.dll!ReadFile( Arg 2 : 0012F184 - 0012F983 is dumped as ¥(...)¥(...)ReadFile_Arg02.bin ) => 00000001(1)
  11. 11. Fourteenforty Research Institute, Inc. / 32 What kind of information does ”egg” collect? 2. Callgraph 3. Branch information 11 Callgraph (made with Graphviz) Branch Info (with IDA Pro)
  12. 12. Fourteenforty Research Institute, Inc. / 32 What kind of information does ”egg” collect? 2. Callgraph 3. Branch information 12 Callgraph (made with Graphviz) Branch Info (with IDA Pro)
  13. 13. Fourteenforty Research Institute, Inc. / 32 What kind of information does ”egg” collect? 2. Callgraph 3. Branch information 13 Callgraph (made with Graphviz) Branch Info (with IDA Pro)
  14. 14. Fourteenforty Research Institute, Inc. / 32 What kind of information does ”egg” collect? 2. Callgraph 3. Branch information 14 Callgraph (made with Graphviz) Branch Info (with IDA Pro)
  15. 15. Fourteenforty Research Institute, Inc. / 32 Demonstration of basic functions(movie) • Analyzing sample.exe. • Sample.exe overwrites original beep driver (beep.sys). • Then restarts beep service to install this driver in the kernel. • “egg” analyzes sample.exe and the modified beep driver. 15
  16. 16. Fourteenforty Research Institute, Inc. / 32 Implementation of the fine-grained code analysis • Based on the page protection and the trap flag. • Published by the paper “Stealth Breakpoints”. • We can run analysis codes for each instruction execution. • It can applies to both a kernel and user modes, and even works transparently in the user mode code. 16 Stealth Breakpoints http://www.acsac.org/2005/abstracts/72.html
  17. 17. Fourteenforty Research Institute, Inc. / 32 What is taint tracing? • It can automatically trace suspicious elements. • A suspicious element is marked as tainted. • A taint automatically influences new elements that used tainted elements. 17 NEW Tainted NOT Tainted Tainted Some suspicious sources
  18. 18. Fourteenforty Research Institute, Inc. / 32 An overview of taint tracing approach of “egg” 18 Taint File Taint Memory Thread Taint Thread Taint MemoryTaint File 1. Specify 2. Map in Mem 3. Execute 4. Write to Mem 4. Write to File • egg takes a novel approach to implement the taint tracing. • In case of egg, “Elements” are Files, Virtual memory and Threads.
  19. 19. Fourteenforty Research Institute, Inc. / 32 An overview of taint tracing approach of “egg” 19 Taint File Taint Memory Thread Taint Thread Taint MemoryTaint File 1. Specify 2. Map in Mem 3. Execute 4. Write to Mem 4. Write to File • egg takes a novel approach to implement the taint tracing. • In case of egg, “Elements” are Files, Virtual memory and Threads.
  20. 20. Fourteenforty Research Institute, Inc. / 32 Implementation of taint tracing in ring-0 20 Taint File Taint Memory Thread Taint Thread Taint MemoryTaint File 1. Specify 2. Map in Mem 3. Execute 4. Write to Mem 4. Write to File Using API PsSetLoadImageNotifyRoutine
  21. 21. Fourteenforty Research Institute, Inc. / 32 Implementation of taint tracing in ring-0 21 Taint File Taint Memory Thread Taint Thread Taint MemoryTaint File 1. Specify 2. Map in Mem 3. Execute 4. Write to Mem 4. Write to File Using the page protection (eXecute Disable bit)
  22. 22. Fourteenforty Research Institute, Inc. / 32 Implementation of taint tracing in ring-0 22 Taint File Taint Memory Thread Taint Thread Taint MemoryTaint File 1. Specify 2. Map in Mem 3. Execute 4. Write to Mem 4. Write to File Using the File system filter driver
  23. 23. Fourteenforty Research Institute, Inc. / 32 Implementation of taint tracing in ring-0 23 Taint File Taint Memory Thread Taint Thread Taint MemoryTaint File 1. Specify 2. Map in Mem 3. Execute 4. Write to Mem 4. Write to File Using the page protection (Write/Read bit)
  24. 24. Fourteenforty Research Institute, Inc. / 32 Implementation of taint tracing in ring-0 • For thread safety, egg hooks thread switching function (called SwapContext). • Therefore egg can notice a thread switching. 24 Process Memory Thread (not tainted) Thread (tainted) Thread (not tainted) Waiting WaitingRunning on processor Process memory has not been modified yet.
  25. 25. Fourteenforty Research Institute, Inc. / 32 Implementation of taint tracing in ring-0 • When taint thread becomes active, egg changes every process memory to read-only. 25 Process Memory Thread (tainted) Thread (not tainted) Thread (not tainted) Waiting WaitingRunning on processor Currently, process memory is read-only. If a thread tries to write somewhere, the processor causes an exception. egg catches this exception as taint event.
  26. 26. Fourteenforty Research Institute, Inc. / 32 Implementation of taint tracing in ring-0 • When taint thread becomes inactive, egg restores every page protection. 26 Process Memory Thread (not tainted) Thread (not tainted) Thread (not tainted) Waiting WaitingRunning on processor Process memory protection is restored.
  27. 27. Fourteenforty Research Institute, Inc. / 32 Tracking the cross-process memory operation • To trace cross-process memory operation, egg hooks context switching function (called KiSwapProcess). • Therefore egg can notice cross-process memory operation. 27 malware.exe Process Memory Thread (tainted) Running on processor CR3 explorer.exe Process Memory Read-only Have not been changed
  28. 28. Fourteenforty Research Institute, Inc. / 32 Tracking the cross-process memory operation • When taint thread is running on other process memory, its process memory will be changed to read-only. 28 malware.exe Process Memory Thread (tainted) Running on processor CR3 explorer.exe Process Memory egg can trace cross-process memory operation. (e.g. WriteProcessMemory) Restored Read-only
  29. 29. Fourteenforty Research Institute, Inc. / 32 Demonstration of the taint tracing function(movie) • The sample is the thread injection code. • Sample malware called “injector.exe” injects to notepad.exe with VirtualAllocEx, WriteProcessMemory and CreateRemoteThread. • Injected thread calls AllocConsole and WriteConsole in infinite loop. • egg will trace the injected thread. 29
  30. 30. Fourteenforty Research Institute, Inc. / 32 Problem of same privilege • egg has limitation against kernel mode code. – egg is visible and breakable from kernel mode malware. • This limitation is result of trade off for avoiding detection by the VM detection. 30
  31. 31. Fourteenforty Research Institute, Inc. / 32 Conclusion • We can save time by using egg. • In the future, I will try to improve its stability and usability. 31 Type of system egg Traditional Innovative Getting useful information Good Insufficient Good Analyzing a kernel mode code Better Insufficient Good Analyzing a spreading malware. Good Insufficient Good Not affected by VM detection techniques Good Good Insufficient
  32. 32. Fourteenforty Research Institute, Inc. / 32 Acknowledgement • Junichi Murakami @FFR • Darren Willis @FFR 32
  33. 33. 33 ありがとうございました Fourteenforty Research Institute, Inc. 株式会社 フォティーンフォティ技術研究所 http://www.fourteenforty.jp 発表者肩書き 発表者氏名 発表者メールアドレス Thank you! Senior Software Engineer Satoshi TANDA <tanda@fourteenforty.jp>

×