network level polymorphic shellcode detection using
play

Network-level Polymorphic Shellcode Detection using Emulation - PowerPoint PPT Presentation

Dec 22, 2023 •222 likes •771 views

Network-level Polymorphic Shellcode Detection using Emulation Michalis Polychronakis, Kostas Anagnostakis, and Evangelos Markatos Institute of Computer Science Foundation for Research and Technology Hellas Crete, Greece DIMVA06 - 13

  1. Network-level Polymorphic Shellcode Detection using Emulation Michalis Polychronakis, Kostas Anagnostakis, and Evangelos Markatos Institute of Computer Science Foundation for Research and Technology – Hellas Crete, Greece DIMVA’06 - 13 July 2006 FORTH-ICS Michalis Polychronakis 1

  2. Outline � Introduction – related work � Evasion techniques � Emulation-based detection � Performance evaluation � Open issues FORTH-ICS Michalis Polychronakis 2

  3. Remote System Compromise Attacker/worm exploits a software vulnerability 1 Place the attack code into a buffer 2 Divert the execution flow of the vulnerable process Stack/heap/integer overflow � Format string abuse � Arbitrary data corruption � 3 Execute the injected code ( shellcode ) Performs arbitrary operations under the privileges of the process � that has been exploited \xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00 FORTH-ICS Michalis Polychronakis 3

  4. Signature-based Detection � Hand-crafted signatures GET default.ida?NNNNNNNNNNN… � � Also for unknown attacks Generic signatures for suspicious code sequences � NOP sleds, system calls, … � � Automated signature generation Honeycomb, Earlybird, Autograph, PADS, Polygraph, Hamsa, … � Common idea: find invariant parts among multiple attack instances � Then turned into token subsequences � regular expressions � Effective only for noisy worm-like attacks � FORTH-ICS Michalis Polychronakis 4

  5. Polymorphism (1/2) � Naïve encryption decryptor encrypted data � The decryptor remains the same in each attack instance � Easy to fingerprint using typical string signatures attack code � NOP code interspersion NOPs � NOPs’ type/position/number varies in each instance � Can be fingerprinted using regular expressions FORTH-ICS Michalis Polychronakis 5

  6. Polymorphism (2/2) � Code obfuscation/metamorphism � Instruction substitution � Code block transposition push 0xF3 mov eax,0xF3 � Register reassignment pop eax � Dead code insertion � Hard to fingerprint using regexps if applied extensively � Combination of all techniques decryptor encrypted data � Signature extraction becomes infeasible FORTH-ICS Michalis Polychronakis 6

  7. Static Analysis Based Detection Recent proposals heuristically identify malicious code inside network � flows using static binary code analysis [Kruegel’05, Chinchani’05, Payer’05, Wang’06] � Step forward – beyond pattern-matching � Do not depend on invariant content � Basic steps � Disassembly 1 Control Flow Graph extraction 2 Initial approaches focused only on the � shellcodes’ sled component Abstract Payload Execution [Kruegel’02] � Pioneer network-level static analysis work Orthogonal to above approaches � FORTH-ICS Michalis Polychronakis 7

  8. Static Analysis Resistant Shellcode (1/4) � Static binary code analysis is generally accurate for compiled and well-structured binaries � Shellcode is not normal code! � Written/tweaked at assembly level: complete freedom… � The attacker can specially craft the shellcode to hinder disassembly and CFG extraction � Anti-disassembly tricks � Indirect addressing jmp ebx � Self-modifying code FORTH-ICS Michalis Polychronakis 8

  9. Static Analysis Resistant Shellcode (2/4) � Running example � Encrypted shellcode generated by the Countdown engine of the Metasploit Framework � Slightly modified with a self-modification \x6A\x7F\x59\xE8\xFF\xFF\xFF\xFF\xC1\x5E\x80 \x46\x0A\xE0\x30\x4C\x0E\x0B\x02\xFA... � Let’s try to figure out what this code does FORTH-ICS Michalis Polychronakis 9

  10. Static Analysis Resistant Shellcode (3/4) � Linear disassembly can be easily tricked Linear Disassembly 00 6A7F push byte +0x7f 02 59 pop ecx 03 E8FFFFFFFF call 0x7 08 C15E8046 rcr [esi-0x80],0x46 0C 0AE0 or ah,al 0E 304C0E0B xor [esi+ecx+0xb],cl 12 02FA add bh,dl 14 ... <encrypted shellcode> 93 FORTH-ICS Michalis Polychronakis 10

  11. Static Analysis Resistant Shellcode (3/4) � Linear disassembly can be easily tricked Linear Disassembly 00 6A7F push byte +0x7f 02 59 pop ecx Jumps to the middle 03 E8FFFFFFFF call 0x7 08 C15E8046 rcr [esi-0x80],0x46 of itself 0C 0AE0 or ah,al 0E 304C0E0B xor [esi+ecx+0xb],cl 12 02FA add bh,dl 14 ... <encrypted shellcode> 93 FORTH-ICS Michalis Polychronakis 11

  12. Static Analysis Resistant Shellcode (3/4) � Linear disassembly can be easily tricked Linear Disassembly Recursive Traversal Disassembly 00 6A7F push byte +0x7f 00 6A7F push byte +0xf 02 59 pop ecx 02 59 pop ecx 03 E8FFFFFF FF call 0x7 03 Jumps to the middle E8FFFFFFFF call 0x7 08 C15E8046 rcr [esi-0x80],0x46 07 FFC1 inc ecx of itself 0C 0AE0 or ah,al 09 5E pop esi 0a 80460AE0 add [esi+0xa],0xe0 0E 304C0E0B xor [esi+ecx+0xb],cl 12 02FA add bh,dl 0e 304C0E0B xor [esi+ecx+0xb],cl 14 12 02FA add bh,dl ... <encrypted shellcode> 14 93 ... <encrypted shellcode> 93 FORTH-ICS Michalis Polychronakis 12

  13. Static Analysis Resistant Shellcode (3/4) � Linear disassembly can be easily tricked Linear Disassembly Recursive Traversal Disassembly 00 6A7F push byte +0x7f 00 6A7F push byte +0x7f 02 59 pop ecx 02 59 pop ecx much better, but not 03 E8FFFFFF FF call 0x7 03 Jumps to the middle E8FFFFFFFF call 0x7 08 C15E8046 rcr [esi-0x80],0x46 07 FFC1 the real code inc ecx of itself 0C 0AE0 or ah,al 09 5E pop esi that will be eventually 0a 80460AE0 add [esi+0xa],0xe0 0E 304C0E0B xor [esi+ecx+0xb],cl 12 02FA add bh,dl 0e 304C0E0B xor [esi+ecx+0xb],cl executed! 14 12 02FA add bh,dl ... <encrypted shellcode> 14 93 ... <encrypted shellcode> 93 � Recursive traversal disassembly is still not enough… FORTH-ICS Michalis Polychronakis 13

  14. Static Analysis Resistant Shellcode (4/4) � Self-modifying code can hide the real CFG Recursive Traversal Disassembly Real Code Execution 00 6A7F push byte +0x7f push byte +0x7f 02 59 pop ecx 03 E8FFFFFFFF call 0x7 07 FFC1 inc ecx 09 5E pop esi 0a 80460AE0 add [esi+0xa],0xe0 0e 304C0E0B xor [esi+ecx+0xb],cl 12 02FA add bh,dl 14 ... <encrypted shellcode> 93 FORTH-ICS Michalis Polychronakis 14

  15. Static Analysis Resistant Shellcode (4/4) � Self-modifying code can hide the real CFG Recursive Traversal Disassembly Real Code Execution 00 6A7F push byte +0x7f push byte +0x7f 02 59 pop ecx pop ecx ecx = 0x7F 03 E8FFFFFFFF call 0x7 07 FFC1 inc ecx 09 5E pop esi 0a 80460AE0 add [esi+0xa],0xe0 0e 304C0E0B xor [esi+ecx+0xb],cl 12 02FA add bh,dl 14 ... <encrypted shellcode> 93 FORTH-ICS Michalis Polychronakis 15

  16. Static Analysis Resistant Shellcode (4/4) � Self-modifying code can hide the real CFG Recursive Traversal Disassembly Real Code Execution 00 6A7F push byte +0x7f push byte +0x7f 02 59 pop ecx pop ecx ecx = 0x7F 03 E8FFFFFFFF call 0x7 call 0x7 (push 0x8) 07 FFC1 inc ecx 09 5E pop esi 0a 80460AE0 add [esi+0xa],0xe0 0e 304C0E0B xor [esi+ecx+0xb],cl 12 02FA add bh,dl 14 ... <encrypted shellcode> 93 FORTH-ICS Michalis Polychronakis 16

  17. Static Analysis Resistant Shellcode (4/4) � Self-modifying code can hide the real CFG Recursive Traversal Disassembly Real Code Execution 00 6A7F push byte +0x7f push byte +0x7f 02 59 pop ecx pop ecx ecx = 0x7F 03 E8FFFFFFFF call 0x7 call 0x7 (push 0x8) 07 FFC1 inc ecx inc ecx ecx = 0x80 09 5E pop esi 0a 80460AE0 add [esi+0xa],0xe0 0e 304C0E0B xor [esi+ecx+0xb],cl 12 02FA add bh,dl 14 ... <encrypted shellcode> 93 FORTH-ICS Michalis Polychronakis 17

  18. Static Analysis Resistant Shellcode (4/4) � Self-modifying code can hide the real CFG Recursive Traversal Disassembly Real Code Execution 00 6A7F push byte +0x7f push byte +0x7f 02 59 pop ecx pop ecx ecx = 0x7F 03 E8FFFFFFFF call 0x7 call 0x7 (push 0x8) 07 FFC1 inc ecx inc ecx ecx = 0x80 09 5E pop esi pop esi esi = 0x8 0a 80460AE0 add [esi+0xa],0xe0 0e 304C0E0B xor [esi+ecx+0xb],cl 12 02FA add bh,dl 14 ... <encrypted shellcode> 93 FORTH-ICS Michalis Polychronakis 18

  19. Static Analysis Resistant Shellcode (4/4) � Self-modifying code can hide the real CFG Recursive Traversal Disassembly Real Code Execution 00 6A7F push byte +0x7f push byte +0x7f 02 59 pop ecx pop ecx ecx = 0x7F 03 E8FFFFFFFF call 0x7 call 0x7 (push 0x8) 07 FFC1 inc ecx inc ecx ecx = 0x80 09 5E pop esi pop esi esi = 0x8 0a 80460AE0 add [esi+0xa],0xe0 add [esi+0xa],0xe0 ADD [12] 0xE0 0e 304C0E0B xor [esi+ecx+0xb],cl 12 02FA add bh,dl 14 ... <encrypted shellcode> 93 FORTH-ICS Michalis Polychronakis 19

Recommend

Shellcode Shellcode A set of instructions injected and

Shellcode Shellcode A set of instructions injected and

Shellcode Shellcode A set of instructions injected and executed by exploited software Also called a payload Denoted as shellcode because

606 views • 49 slides
Low Level Low Level Low Level Low Level Detection of Detection of Detection of Detection of

Low Level Low Level Low Level Low Level Detection of Detection of Detection of Detection of

Low Level Low Level Low Level Low Level Detection of Detection of Detection of Detection of Ammonia Ammonia A A i i Ne w Me thod Validate d F ollowing E PA Guidanc e AT AT P Case #: N08 0004 P Case #: N08-0004 E dwa rd F Aske w

551 views • 32 slides
Problems and methods for attribute detection of social network users Anton Korshunov Institute

Problems and methods for attribute detection of social network users Anton Korshunov Institute

Problems and methods for attribute detection of social network users Anton Korshunov Institute for System Programming of Russian Academy of Sciences RCDL-2013 Contents Network Level: User Community Detection 1 User Level: Demographic

628 views • 41 slides
ScrambleSuit: A Polymorphic Network Protocol to Circumvent Censorship Philipp Winter 1 , Tobias

ScrambleSuit: A Polymorphic Network Protocol to Circumvent Censorship Philipp Winter 1 , Tobias

ScrambleSuit: A Polymorphic Network Protocol to Circumvent Censorship Philipp Winter 1 , Tobias Pulls 1 , and J urgen Fu 2 1 Karlstad University 2 FH Hagenberg November 4, 2013 Using Tor in China GFW actively probes bridges! . . . and

690 views • 24 slides
Outline Threat modeling, contd Shellcode techniques CSci 4271W Development of Secure

Outline Threat modeling, contd Shellcode techniques CSci 4271W Development of Secure

Outline Threat modeling, contd Shellcode techniques CSci 4271W Development of Secure Software Systems Binary-level GDB commands and demo Day 5: Memory safety attacks In-person lab logistics reminders Stephen McCamant Project 1 bcimgview

1.17k views • 6 slides
Go to http://workshop.DidierStevens.com Unzip shellcode-workshop.zip to C:\ Password is workshop

Go to http://workshop.DidierStevens.com Unzip shellcode-workshop.zip to C:\ Password is workshop

White Hat Shellcode Workshop Didier Stevens Go to http://workshop.DidierStevens.com Unzip shellcode-workshop.zip to C:\ Password is workshop . First example: loading/unloading a DLL Start calc.exe Start procexp.exe (Process Explorer) and

471 views • 23 slides
This time on Types ... Polymorphic -calculus (polymorphic -binding). Lets us type: f ((

This time on Types ... Polymorphic -calculus (polymorphic -binding). Lets us type: f ((

This time on Types ... Polymorphic -calculus (polymorphic -binding). Lets us type: f (( f true ) :: ( f nil )) -bound variables in ML cannot be used polymorphically within a function abstraction E.g. f (( f true ) :: ( f nil ))

945 views • 23 slides
Polymorphic Lists &amp; Trees Department of Computer Science University of Maryland, College Park

Polymorphic Lists &amp; Trees Department of Computer Science University of Maryland, College Park

CMSC 132: Object-Oriented Programming II Polymorphic Lists &amp; Trees Department of Computer Science University of Maryland, College Park Polymorphic Binary Search Trees Second approach to implement BST What do we mean by polymorphic?

329 views • 9 slides
Evading Network Anomaly Detection Sytems - Fogla,Lee Divya Muthukumaran Intrusion detection

Evading Network Anomaly Detection Sytems - Fogla,Lee Divya Muthukumaran Intrusion detection

Evading Network Anomaly Detection Sytems - Fogla,Lee Divya Muthukumaran Intrusion detection Systems Signature Based IDS Monitor packets on the network Compare them against database of signatures/attributes from known threats

476 views • 26 slides
Polymorphic &amp; Metamorphic Viruses CS4440/7440 Spring 2015 Evolution of Polymorphic Viruses

Polymorphic &amp; Metamorphic Viruses CS4440/7440 Spring 2015 Evolution of Polymorphic Viruses

Polymorphic &amp; Metamorphic Viruses CS4440/7440 Spring 2015 Evolution of Polymorphic Viruses (1) } Why polymorphism? } Anti-virus scanners detect viruses by looking for signatures (snippets of known virus code) } Virus writers

641 views • 40 slides
Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview

Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview

Learning Rules for Anomaly Detection (LERAD) of Hostile Network Traffic Matt Mahoney Overview Prior Work in Network Anomaly Detection The 1999 DARPA Intrusion Detection Evaluation Packet Header Anomaly Detection (PHAD) Application

575 views • 18 slides
POLYMORPHIC ON-CHIP NETWORKS Martha Mercaldi Kim, John D. Davis*, Mark Oskin, Todd Austin**

POLYMORPHIC ON-CHIP NETWORKS Martha Mercaldi Kim, John D. Davis*, Mark Oskin, Todd Austin**

POLYMORPHIC ON-CHIP NETWORKS Martha Mercaldi Kim, John D. Davis*, Mark Oskin, Todd Austin** University of Washington *Microsoft Research, Silicon Valley ** University of Michigan On-Chip Network Selection 2 Talk Outline Network-on-chip

1.01k views • 68 slides
Regulating Transportation Network Companies: Fourth level Fifth level Should Uber and

Regulating Transportation Network Companies: Fourth level Fifth level Should Uber and

Click to edit Master text styles Second level Third level Regulating Transportation Network Companies: Fourth level Fifth level Should Uber and Lyft Set Their Own Rules? Sen Li , Hamidreza Tavafoghi, Kameshwar Poolla and

501 views • 36 slides
A Polymorphic Data Visualization for Spatiotemporal Database Makoto Hanashima Institute for

A Polymorphic Data Visualization for Spatiotemporal Database Makoto Hanashima Institute for

A Polymorphic Data Visualization for Spatiotemporal Database Makoto Hanashima Institute for Areal Studies, Foundation Tokyo, Japan Outline of Presentation 2 An Introduction to Reki-Show Authoring Tools Conceptual design of polymorphic

325 views • 14 slides
Polymorphic types Polymorphic -calculus (System F) Simply typed -calculus is

Polymorphic types Polymorphic -calculus (System F) Simply typed -calculus is

Polymorphic types Polymorphic -calculus (System F) Simply typed -calculus is monomorphic, Extends simply-typed : i.e. a type has no flexible pieces ::= * | type syntax expression/value syntax

328 views • 4 slides
Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald

Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald

Optimising the resource utilisation in high-speed network intrusion detection systems. Gerald Tripp www.kent.ac.uk Network intrusion detection Network intrusion detection systems are provided to detect the presence of various security

260 views • 12 slides
Criminal Network Formation and Optimal Detection Policy: The Role of Cascade of Detection Liuchun

Criminal Network Formation and Optimal Detection Policy: The Role of Cascade of Detection Liuchun

Criminal Network Formation and Optimal Detection Policy: The Role of Cascade of Detection Liuchun Deng 1 and Yufeng Sun 2 Johns Hopkins University Chinese University of Hong Kong Deng &amp; Sun (JHU &amp; CUHK) Criminal Network 2/27/2016 1 /

633 views • 30 slides
oligoExpress exploiting probe level Signals, detection p-values, detection calls information

oligoExpress exploiting probe level Signals, detection p-values, detection calls information

Three ways to analyse GeneChip data PROVITRO - cells and more Absolute analysis (1 chip): oligoExpress exploiting probe level Signals, detection p-values, detection calls information in Affymetrix GeneChip Comparison analysis (1 chip

228 views • 3 slides
www.thomas-leak-detection.com Leak Detection Class I Presentation EN 2014-02-19 Part1.docx ABOUT

www.thomas-leak-detection.com Leak Detection Class I Presentation EN 2014-02-19 Part1.docx ABOUT

Class I Leak Detection Systems - Highest level of monitoring and prevention of double walled tanks and pipes, according EU Standard EN 13160-2 Advantages Working Principle Product Overview www.thomas-leak-detection.com Leak

206 views • 16 slides
Global Network Interference Detection over the RIPE Atlas Network Adventures in Pervasive

Global Network Interference Detection over the RIPE Atlas Network Adventures in Pervasive

Global Network Interference Detection over the RIPE Atlas Network Adventures in Pervasive Measurement Collin Anderson, Philipp Winter and Roya USENIX FOCI, August 2014 Once Upon a Time Starting from the Dark Ages For Now We See Through

488 views • 31 slides
Network Intrusion Detection &amp; Forensics with Bro Matthias Vallentin vallentin@berkeley.edu

Network Intrusion Detection &amp; Forensics with Bro Matthias Vallentin vallentin@berkeley.edu

Network Intrusion Detection &amp; Forensics with Bro Matthias Vallentin vallentin@berkeley.edu BERKE1337 March 3, 2016 Outline 1. Intrusion Detection 101 2. Bro 3. Network Forensics Exercises 1 / 29 Detection vs. Blocking Intrusion

432 views • 32 slides
Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and

Anomaly Based Network Intrusion Detection with Unsupervised Outlier Detection Jiong Zhang and Mohammad Zulkernine School of Computing Queens University, Kingston Ontario, Canada K7L 3N6 {zhang, mzulker} @cs.queensu.ca Abstract- Anomaly

284 views • 6 slides
Community Detection in Social Networks Lei Tang Properties of Complex Network Power Law

Community Detection in Social Networks Lei Tang Properties of Complex Network Power Law

Community Detection in Social Networks Lei Tang Properties of Complex Network Power Law Community Structure Small World Why Community Detection? Communities in a citation network might represent related papers on a single topic;

288 views • 24 slides
Untyped general polymorphic functions Martin Pettai February 5, 2010 Introduction We would

Untyped general polymorphic functions Martin Pettai February 5, 2010 Introduction We would

Untyped general polymorphic functions Martin Pettai February 5, 2010 Introduction We would like to have a functional language where it is possible to define general polymorphic functions Return type of a function is uniquely determined

476 views • 22 slides

More recommend