hypervisor based analysis of macos malware
play

Hypervisor-based Analysis of macOS Malware Felix Seele June 2 nd - PowerPoint PPT Presentation

May 09, 2023 •335 likes •706 views

Hypervisor-based Analysis of macOS Malware Felix Seele June 2 nd 2019 whoami Technical Lead @ VMRay M. Sc. IT-Security Released first preview version of macOS sandbox in March @c1truz_ 2 Structure of this Talk => => Why?

  1. Hypervisor-based Analysis of macOS Malware Felix Seele June 2 nd 2019

  2. whoami • Technical Lead @ VMRay • M. Sc. IT-Security • Released first preview version of macOS sandbox in March @c1truz_ 2

  3. Structure of this Talk => => Why? How? Challenges Motivation Background Virtual Machine Introspection 3

  4. The Marketing Pitch Need better tools for efficient and sound, automated analysis of macOS malware! 4

  5. State of the Art • Many tools to monitor different aspects of the system: ProcInfo, BlockBlock - Goals: dtrace (fs_usage, dtruss, …) - Firewalls Full visibility of function calls at - • => every level (soundness) Debugger - ✗ No function call tracer Isolation & Transparency • (like ltrace ) Efficiency & Automation • ✗ Tools run inside analysis VM ✗ No automation 5

  6. Full Visibility of Function Calls [NSData dataWithContentsOfURL :] CFURLRequestCreate(...) Foundation.framework Evil.app high-level application frameworks socket(...) CFNetwork.framework connect(...) syscall 97 syscall 98 low-level system libraries libsystem_kernel.dylib kernelspace kernel 6

  7. Isolation & Performance • Analysis system must be higher privileged than the analyzed sample • Full system visibility requires hypervisor-level analysis • Emulators are extremely slow, unsuited for full system Hypervisor analysis • Hardware-assisted virtualization provides isolation Kernelspace with small performance overhead Userspace → How to instrument the hypervisor for malware analysis? 7

  8. Two-Dimensional Paging Address translation 101 (x86_64) Virtual Address Physical Address 0x00000 00 10 ad 5f 000 PDPT PDT PML4T PT Memory r-x CR3 8

  9. Two-Dimensional Paging Address translation 101 (x86_64) Virtual Address Physical Address Execution will cause page fault and trap to kernel! EXC_BAD_ACCESS (code=2, address=0x7ffeefbff408) 0x00000 00 10 ad 5f 000 PDPT PDT PML4T PT Memory rw- CR3 9

  10. Two-Dimensional Paging Second-level page tables Virtual Machine Hypervisor r-x r-x Guest Virtual Guest Physical Host Physical Memory Memory Memory 10

  11. Two-Dimensional Paging Second-level page tables Execution will cause page fault and trap Virtual Machine Hypervisor to hypervisor! r-x r-- Guest Virtual Guest Physical Host Physical Memory Memory Memory 11

  12. Two-Dimensional Paging Using TDP to monitor API calls • Divide memory regions into two sets: Set A: Target - Evil.app Foundation.framework executable Set B: System libraries - and kernel CFNetwork.framework libsystem_kernel.dylib kernel 12

  13. Two-Dimensional Paging Using TDP to monitor API calls • Divide memory regions into two sets: ✗ Set A: Target - Evil.app Foundation.framework executable Set B: System libraries - and kernel CFNetwork.framework • One of the sets is executable, the other libsystem_kernel.dylib non-executable kernel 13

  14. Two-Dimensional Paging Using TDP to monitor API calls • Divide memory ✗ regions into two sets: Set A: Target - Evil.app Foundation.framework executable Set B: System libraries - and kernel CFNetwork.framework • One of the sets is executable, the other libsystem_kernel.dylib non-executable kernel 14

  15. Two-Dimensional Paging Using TDP to monitor API calls • Divide memory regions into two sets: Set A: Target - Evil.app Foundation.framework executable Set B: System libraries - and kernel CFNetwork.framework ✗ • One of the sets is executable, the other libsystem_kernel.dylib non-executable kernel 15

  16. Two-Dimensional Paging Summary • Approach was presented first by Carsten Willems and Ralf Hund 1) • Transparency & Isolation: Page permission are only modified outside of the guest No modifications to the OS necessary - Not detectable, even from the kernel - • Efficiency: Calls are intercepted at the highest level possible Preserves high-level semantics - Simplifies behavior analysis - 1) https://www.syssec.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2012/11/26/TR-HGI-2012-002.pdf 16

  17. Virtual Machine Introspection 17

  18. Virtual Machine Introspection The basics Objective-C ??? Inter-Process Communication Resolve function and syscalls Function Call Monitoring Extract parameters Parse virtual address space Virtual Memory Resolve loaded libraries Process creation & termination Process Monitoring Process & thread switches Process information 18

  19. Objective-C Runtime Introspection Extracting function call parameters [0040.706] -[NSString writeToFile:(NSString *) atomically:(BOOL)] Arguments in rdx, rcx, r8, … Instance Method Pointer to object in rdi • Need to know the class to extract value NSString • Can’t trust the function prototype (class clusters, protocols) NSCFString NSPathStore2 => Need to determine class at runtime NSCFConstantString 19

  20. Objective-C Runtime Introspection Finding an object’s class 0x011dffff87f471d8 0x011dffff87f471d8 & ISA_MASK struct objc_object { 0x100503930 union isa_t { = 0x7fff87f471d8 struct objc_class *cls; uintptr_t bits; } } struct objc_class : objc_object { // Class ISA; Class superclass; // +0x08 #define ISA_MASK 0x00007ffffffffff8ULL cache_t cache; // +0x10 “__NSCFConstantString” struct { class_data_bits_t bits; // +0x20 uintptr_t nonpointer : 1; } 4 pointer derefs and 1 string read 👏 uintptr_t has_assoc : 1; uintptr_t has_cxx_dtor : 1; uintptr_t shiftcls : 44; uintptr_t magic : 6; struct class_rw_t { struct class_ro_t { uintptr_t weakly_referenced : 1; uint32_t flags; // +0x00 uint32_t flags; // +0x00 uintptr_t deallocating : 1; uint32_t version; // +0x04 // ... uintptr_t has_sidetable_rc : 1; const class_ro_t *ro; // +0x08 const char *name; // +0x18 uintptr_t extra_rc : 8; // ... } }; } 20

  21. Objective-C Runtime Introspection Finding an object’s class (the efficient way) 0x011dffff87f471d8 & ISA_MASK struct objc_object { 0x100503930 union isa_t { = 0x7fff87f471d8 struct objc_class *cls; uintptr_t bits; } } __DATA 00007fff87e12000-00007fff87f55000 rw-/rwx SM=COW /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation __DATA + 0x1351D8 000000000057a340 s _OBJC_CLASS_$___NSCFCharacterSet 000000000057a1d8 s _OBJC_CLASS_$___NSCFConstantString 000000000057a390 s _OBJC_CLASS_$___NSCFData 000000000057a020 s _OBJC_CLASS_$___NSCFDictionary 21

  22. Objective-C Runtime Introspection Finding an object’s class (the efficient way) • Need to know the location of DATA segments in memory • Not trivial due to the use of dyld shared caches • But: Only one pointer deref required + compare to precomputed offsets • Next: Reconstruct the objects internal data representation - Fairly straightforward for CoreFoundation (open-source) - Needs to be done for every class that should be reconstructed from the hypervisor • Idea: Automatically extract even unknown classes using Objective-C’s ivar information 22

  23. Objective-C Runtime Introspection Example Code Analysis Log NSLog(@"Hello, World!"); [0045.565] NSLog (format="Hello, World!") [0045.706] +[NSProcessInfo processInfo] NSProcessInfo *processInfo = [NSProcessInfo processInfo]; returned 0x7f9a3740d080 NSLog(@"Process ID is: %d", [processInfo processIdentifier]); [0045.706] -[NSProcessInfo<0x7f9a3740d080> processIdentifier] returned 488 [0045.706] NSLog (format="Process ID is: %d") NSString *username = [processInfo userName]; [0045.706] -[NSProcessInfo<0x7f9a3740d080> userName] returned="xsbgsz” NSFileManager *filemgr = [NSFileManager defaultManager]; NSString *filename = [[filemgr currentDirectoryPath] [0045.824] +[NSFileManager defaultManager] stringByAppendingPathComponent:@"user.txt"]; returned 0x7f9a37402850 [0045.824] -[NSFileManager<0x7f9a37402850> currentDirectoryPath] returned="/Users/xsbgsz" [username writeToFile:filename [0045.916] -[NSString<0x7f9a3740d150> stringByAppendingPathComponent:"user.txt"] atomically:YES returned="/Users/xsbgsz/user.txt” encoding:NSStringEncodingConversionAllowLossy error:nil]; [0045.916] -[NSString<0x7a736762737865> writeToFile:"/Users/xsbgsz/user.txt" atomically:1 encoding:0x1 error:0x0] returned 1 NSLog(@"Content written to path: %@\n", filename); [0045.923] NSLog (format="Content written to path: %@\n") 23

  24. Inter-Process Communication • XPC is used heavily on macOS Install and control LaunchAgents/Daemons - XPC-based Launch processes out of context ( open(1) ) - RPC Remote Procedure Calls - ... - CFPort MIG XPC messages • Used by > 90% of samples • Can be used to evade dynamic malware Mach messages analysis systems https://thecyberwire.com/events/docs/IanBeer_JSS_Slides.pdf 24

Recommend

Reverse Engineering by Crayon: Game Changing Hypervisor and Visualization Analysis Game Changing

Reverse Engineering by Crayon: Game Changing Hypervisor and Visualization Analysis Game Changing

Reverse Engineering by Crayon: Game Changing Hypervisor and Visualization Analysis Game Changing Hypervisor Based Malware Analysis and Visualization Danny Quist Danny Quist Lorie Liebrock New Mexico Tech Computer Science Dept. Offensive

898 views • 64 slides
Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al

Apposcopy: Semantics- Based Detection of Android Malware through Static Analysis By Feng et al [FSE 14] Presented by Maaz Ahmad The Malware Problem (Feb, 2015) Motive Security Labs estimates 16 million infected mobile devices. [1]

828 views • 30 slides
Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal

Entrapment: Tricking Malware with Transparent, Scalable Malware Analysis Paul Royal paul@gtisc.gatech.edu Agenda Modern Malware Obfuscations, Server-side Polymorphism, Collection Volume Malware Analysis Detection

504 views • 27 slides
GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI

GOODWARE DRUGS FOR MALWARE: ON-THE-FLY MALWARE ANALYSIS AND CONTAINMENT DAMIANO BOLZONI CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS AGENDA Something about malware Malware internals Current analysis

398 views • 27 slides
Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the

Android Malware Analysis on Attacks and Defense Android malware Android malware With the explosive growth of mobile device market and usage, there is an increasing number of malicious mobile applications targeting these devices and

819 views • 44 slides
MacOS &amp; iOS Maintenance MacOS Maintenance iOS Maintenance (the iPad will be used as our

MacOS &amp; iOS Maintenance MacOS Maintenance iOS Maintenance (the iPad will be used as our

MacOS &amp; iOS Maintenance MacOS Maintenance iOS Maintenance (the iPad will be used as our example for all your iDevices including iPhones, iPod touches, and iPods) TOP TEN Your iPad is fragile Battery life is exhaustible TIPS

330 views • 15 slides
Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that

Getting started with malware analysis Judith van Stegeren Definitions Malware : any software that does something that causes harm to a user, computer or network, including viruses, trojan horses, worms, rootkits, scareware and spyware. Malware

119 views • 9 slides
Machine Virtualization: Efficient Hypervisors, Stealthy Malware Muli Ben-Yehuda Technion &amp;

Machine Virtualization: Efficient Hypervisors, Stealthy Malware Muli Ben-Yehuda Technion &amp;

Machine Virtualization: Efficient Hypervisors, Stealthy Malware Muli Ben-Yehuda Technion &amp; Hypervisor Technologies and Consulting Ltd Muli Ben-Yehuda (Technion &amp; Hypervisor) Efficient Hypervisors, Stealthy Malware Cyberday, 2013 1 /

553 views • 21 slides
A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND

A CUCKOOS EGG IN THE MALWARE NEST ON-THE-FLY SIGNATURE-LESS MALWARE ANALYSIS, DETECTION AND CONTAINMENT FOR LARGE NETWORKS CHRISTIAAN SCHADE TWENTE SECURITY LAB UNIVERSITY OF TWENTE THE NETHERLANDS MALWARE WARS In the last

313 views • 14 slides
T owards Network Containment in Malware Analysis Systems Mariano Graziano, Corrado Leita, Davide

T owards Network Containment in Malware Analysis Systems Mariano Graziano, Corrado Leita, Davide

T owards Network Containment in Malware Analysis Systems Mariano Graziano, Corrado Leita, Davide Balzarotti ACSAC, Orlando, Florida, 3-7 December 2012 Malware Analysis Scenario Analysis based on Sandboxes (API Hooking, Emulation)

798 views • 23 slides
Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal

Impeding Automated Malware Analysis with Environment-sensitive Malware Chengyu Song , Paul Royal and Wenke Lee College of Computing Georgia Institute of Technology Agenda l Background l Defeating Automated Malware Analysis Host

1.28k views • 28 slides
Getting Started with .NET Core 2.0 on macOS (and Windows, too) Jeremy Clark

Getting Started with .NET Core 2.0 on macOS (and Windows, too) Jeremy Clark

Getting Started with .NET Core 2.0 on macOS (and Windows, too) Jeremy Clark www.jeremybytes.com @jeremybytes What is .NET Core? Cross-Platform .NET Runs on macOS, Linux, and Windows Can be compiled to machine code based on

1.17k views • 15 slides
Identifying Infections with Spamming Malware in a Network, based on Analysis of DNS MX Requests

Identifying Infections with Spamming Malware in a Network, based on Analysis of DNS MX Requests

Introduction Research Question Background Dataset Approach Results Conclusion Identifying Infections with Spamming Malware in a Network, based on Analysis of DNS MX Requests Bas Vlaszaty Bas.Vlaszaty@os3.nl Universiteit van Amsterdam

899 views • 89 slides
CS7038 - Malware Analysis - Wk07.2 Malware Research Online Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk07.2 Malware Research Online Coleman Kane kaneca@mail.uc.edu

CS7038 - Malware Analysis - Wk07.2 Malware Research Online Coleman Kane kaneca@mail.uc.edu February 22, 2018 Exploring the Online Ecosystem One nice aspect of malware analysis is that, since much of it originates online and

119 views • 10 slides
When Malware is Packin Heat; Limits of Machine Learning Classifiers Based on Static Analysis

When Malware is Packin Heat; Limits of Machine Learning Classifiers Based on Static Analysis

When Malware is Packin Heat; Limits of Machine Learning Classifiers Based on Static Analysis Features Hojjat Aghakhani , Fabio Gri*, Francesco Mecca, Mar0na Lindorfer, Stefano Ortolani, Davide Balzaro*, Giovanni Vigna, Christopher Kruegel

1.01k views • 53 slides
CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane

CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane

CS7038 - Malware Analysis - Wk03.1 Malware Taxonomy and Terminology Coleman Kane kaneca@mail.uc.edu January 24, 2017 Why Classification is Important Malware classification helps us in multiple ways. Here are a couple key ways:

787 views • 16 slides
More Malware Last Class Worms: Morris Worm Stuxnet Conficker Web-based

More Malware Last Class Worms: Morris Worm Stuxnet Conficker Web-based

More Malware Last Class Worms: Morris Worm Stuxnet Conficker Web-based malware: Exploit kits Fake AV Ransomware Today (continuation) How Malware Spreads Adware Computer Virus A type of malicious

647 views • 23 slides
MazeWalker Enriching static malware analysis and more Yevgeny Kulakov @p_h_0_e_n_i_x About Me

MazeWalker Enriching static malware analysis and more Yevgeny Kulakov @p_h_0_e_n_i_x About Me

MazeWalker Enriching static malware analysis and more Yevgeny Kulakov @p_h_0_e_n_i_x About Me Malware RE @ Trusteer, IBM, Seculert binary analysis automation sandbox development Now in vEYE Security on software container

591 views • 48 slides
How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement

How does Malware Use RDTSC? A Study on Operations Executed by Malware with CPU Cycle Measurement Yoshihiro Oyama University of Tsukuba 1 Background Many malware programs execute operations for analysis evasion Detection of

346 views • 31 slides
Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer

Overview Malware Halting 1. Malware 2. Software diversity Part I: Method Development 3. Computer immunization Kjell Jrgen Hole Simula@UiB 4. Epidemiological model 5. Malware halting analysis 6. Malware halting method Last updated

672 views • 29 slides
Instruction-Level Steganography for Covert Trigger-Based Malware Dennis Andriesse and Herbert Bos

Instruction-Level Steganography for Covert Trigger-Based Malware Dennis Andriesse and Herbert Bos

Instruction-Level Steganography for Covert Trigger-Based Malware Dennis Andriesse and Herbert Bos VU University Amsterdam DIMVA 2014 Introduction Trigger-Based Malware Trigger-based malware (TBM) remains dormant until a specific trigger E.g.

586 views • 14 slides
Examples of modern malware Malware Analysis Seminar Meeting 7 Cody Cutler, Anton Burtsev

Examples of modern malware Malware Analysis Seminar Meeting 7 Cody Cutler, Anton Burtsev

Examples of modern malware Malware Analysis Seminar Meeting 7 Cody Cutler, Anton Burtsev Stuxnet (2009) Organization Core a large .dll file 2 encrypted configuration files Dropper component Core in a stub section

703 views • 43 slides
CS7038 - Malware Analysis - Wk05.1 Static Analyzers Coleman Kane kaneca@mail.uc.edu February 7,

CS7038 - Malware Analysis - Wk05.1 Static Analyzers Coleman Kane kaneca@mail.uc.edu February 7,

CS7038 - Malware Analysis - Wk05.1 Static Analyzers Coleman Kane kaneca@mail.uc.edu February 7, 2017 Signature-based Anti-Virus Systems By far, the most popular weapon against cyber attacks is signature-based antivirus software. When

709 views • 12 slides
Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware

Anti-anti-malware (part 3) / Stack Smashing 1 last time various kinds of armored malware malware that evades analysis 2 logistics: LEX homework detect push ret pattern using fmex probably easier than TRICKY 3 upcoming exam next Wednesday

496 views • 48 slides

More recommend