A Fistful of Wonderland: Clint Eastwood vs. Lewis Carroll in a One-Metaphor-Too-Many. Tom Liston, Senior Security Analyst - InGuardians, Inc.


1 A Fistful of Wonderland
Tom Liston, Senior Security Analyst - InGuardians, Inc.
Clint Eastwood vs. Lewis Carroll in a One-Metaphor-Too-Many Look at the Good, the Bad, and the Ugly of Malware Analysis on Virtual Platforms
Technologies for Critical Incident Preparedness Conference & Exposition 2008

2 Copyright Intelguardians Who are you and why are you here?
Tom Liston
–Senior Security Analyst - InGuardians, Inc.
–Handler - SANS Institute's Internet Storm Center (ISC)
–Founding member - ISC Malware Analysis Team
–Co-Author (w/Ed Skoudis) - Counter Hack Reloaded
–Developer - LaBrea, an Open Source network tarpit
–Technical Lead - InGuardians' work on Virtual Machine Detection and Escape
InGuardians, Inc.
–World class security consulting firm
–Provides penetration testing, architecture review, code auditing, malware analysis, expert witnesses, and pure security research to government, military, and Fortune 100 companies

3 Through the Looking Glass…
Virtualization is currently IT's "hot product"
–I'm going to assume you all know what virtualization…
And, why not?
–Virtualization presents several amazing benefits to companies using it: cost savings! Space savings! Infrastructure redundancy!
But, you folks in the "infrastructure" world are just starting to catch on…

4 Getting there first…
…and dragging the rest of you slackers with us.
Those of us who do malware analysis were some of the first adopters of virtualization
Why?
–Virtual machines offer huge benefits for those of us who work with malware
–In order to understand those benefits, you need to understand a little about modern malware analysis

5 Modern Malware Analysis In a Nutshell
Malware analysis isn't about poring over densely packed code listings
–Stare at that stuff too long, and you end up with squinty eyes…
Modern malware analysis is a combination of:
–Dead-code analysis
–Behavioral analysis
It is an iterative process
–Behavioral analysis reinforces the code analysis and vice versa
(Slide background: an IDA disassembly listing; most of the addresses were lost in extraction)
.text: F          push    1               ; flOptions
.text:            call    ds:HeapCreate
.text:            mov     hHeap, eax
.text: C          lea     eax, [ebp+var_8]
.text: F          push    eax
.text:            mov     [ebp+var_8], 8
.text:            mov     [ebp+var_4], 800h
.text: E          call    ds:InitCommonControlsEx
.text:004012A4    push    28h
.text:004012A6    lea     eax, [ebp+hInstance]
.text:004012A9    push    edi
.text:004012AA    push    eax
.text:004012AB    call    memset
.text:004012B0    add     esp, 0Ch
.text:004012B3    mov     dword ptr [ebp-48h], offset

6 Behavioral Analysis!?! You RUN these things?
Yep! All the time…
And that's where virtualization comes into play…
–With virtual machines we have the ability to revert any changes made to our environment
–Additionally, using virtualization, I can create an entire network consisting of several target machines, all on their own isolated LAN, all within my laptop: test "worm-like" spreading behavior, test botnet command and control, monitor attempts to "phone home"
–We can, in essence, create a whole other world "through the looking glass"
And, in theory, we can control and monitor EVERYTHING

7 A perfect malware world
Virtualization allows us to create everything needed to provide the malware with a full simulation of whatever it needs
–We can create VMs for multiple operating systems and even multiple patch levels of a single operating system
–We can attach VMs providing whatever services a piece of malware might want to our "network": webservers, mailservers, IRC servers, etc.

8 Trouble in Paradise
But REMEMBER:
–Virtualization platforms were designed for general purpose use
–Like "Wonderland," they're only a slightly warped version of our own reality
–And the stuff we're dropping into them is… well… NASTY
–It's sort of like dropping any Clint Eastwood character into Wonderland. And let's face it, Clint really only plays ONE character. It doesn't matter if he's wearing a cowboy hat or a business suit… they're all the same guy…
So, we need to be careful…

9 What problems could there be?
Well, that annoying White Rabbit and that mouthy Queen better watch it…

10 Background
In the fall of 2005, InGuardians was contracted by DHS to research the potential for both virtual machine detection and escape
–The enormous market potential for virtualization caused concerns about the security implications of VM isolation
–At the time that we began our research, virtualization security had received little attention. Tools and methodologies for investigating the security of this new technology didn't exist; we, essentially, had to "invent the wheel"

11 Assumptions…
Security issues are generally discovered by examining assumptions
–Challenging assumptions is the cornerstone of security research
Our research into detection/escape concerns highlights an ENORMOUS assumption that all virtualization users make
–"There exists a high degree of isolation between host and guest and between guests"
–This assumption is especially dangerous when analyzing malware

12 Detection
We began our research by investigating the potential for an attacker (human or malcode) to detect that the machine that they're on is virtualized
–All available virtualization environments are detectable
–Additionally, we postulate that there are several characteristics of the IA-32 (x86) architecture that will make virtualization running on that architecture always be detectable

13 Detection: Bad
During the course of our research, we discovered some of the first specimens of malware that detected virtualization and changed their behavior
Over the lifetime of our research project, virtualization detection within malware blossomed
–Now approximately 10% of the specimens we see have some sort of virtualization detection
–These are the most interesting 10%, because they have something to hide
–Virtualization detection is now being integrated into many executable packers
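What a virtualization check inside a sample actually looks like, as an added example that is not from the InGuardians deck: the live probe uses the CPUID "hypervisor present" bit and the vendor leaf (a cooperative signal, so a hypervisor built to hide can suppress it; the x86 quirks the slides allude to, such as SIDT and the VMware I/O-port backdoor, are covered by the byte-pattern scanner, which is the rough first pass an analyst runs when told to "examine code for VM detection routines"). The sample byte string is constructed for the demo, not taken from real malware, and the scanner is a heuristic: packed or encrypted code hides the patterns and data can trigger false positives.

```c
/* Added example (not from the slides): CPUID hypervisor probe plus an opcode
 * scanner for the classic VM-detection instruction sequences.  x86/x86-64 only;
 * on other architectures the live probe reports -1 (unsupported). */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_X86_CPUID 1
#else
#define HAVE_X86_CPUID 0
#endif

#define HV_LEAF 0x40000000u   /* vendor leaf reserved by Intel/AMD for hypervisors */

/* Decode the 12-byte vendor signature that CPUID leaf 0x40000000 returns in
 * EBX:ECX:EDX (each register little-endian, in that order) into a C string.
 * Pure function, so it can be tested on constructed register values. */
void hv_vendor_string(unsigned ebx, unsigned ecx, unsigned edx, char out[13]) {
    unsigned regs[3] = { ebx, ecx, edx };
    for (int i = 0; i < 3; i++)
        for (int b = 0; b < 4; b++)
            out[i * 4 + b] = (char)((regs[i] >> (8 * b)) & 0xff);
    out[12] = '\0';
}

/* 1 = CPUID leaf 1 ECX bit 31 ("hypervisor present") set, 0 = clear,
 * -1 = no CPUID on this architecture.  Fills vendor[] when the bit is set.
 * A hypervisor that wants to hide can simply not report this bit. */
int detect_hypervisor(char vendor[13]) {
    vendor[0] = '\0';
#if HAVE_X86_CPUID
    unsigned a, b, c, d;
    __cpuid(1, a, b, c, d);
    if (!(c & (1u << 31)))
        return 0;
    /* __cpuid, not __get_cpuid: the latter rejects leaves above the basic max. */
    __cpuid(HV_LEAF, a, b, c, d);
    (void)a;
    hv_vendor_string(b, c, d, vendor);
    return 1;
#else
    return -1;
#endif
}

/* Bitmask of VM-probe instruction patterns found in a code buffer. */
enum { PROBE_CPUID = 1, PROBE_SIDT = 2, PROBE_VMWARE_BACKDOOR = 4 };

unsigned scan_vm_probes(const unsigned char *code, size_t len) {
    unsigned found = 0;
    for (size_t i = 0; i < len; i++) {
        if (i + 1 < len && code[i] == 0x0F && code[i + 1] == 0xA2)
            found |= PROBE_CPUID;                       /* cpuid */
        /* sidt is 0F 01 /1: ModRM reg field (bits 5..3) == 001 and mod != 11
         * (mod == 11 with reg 001 is monitor/mwait, not sidt). */
        if (i + 2 < len && code[i] == 0x0F && code[i + 1] == 0x01 &&
            ((code[i + 2] >> 3) & 7) == 1 && (code[i + 2] >> 6) != 3)
            found |= PROBE_SIDT;
        /* 'VMXh' (0x564D5868) stored little-endian, the magic loaded into EAX
         * before "in eax, dx" on port 0x5658 to talk to the VMware backdoor. */
        if (i + 3 < len && code[i] == 0x68 && code[i + 1] == 0x58 &&
            code[i + 2] == 0x4D && code[i + 3] == 0x56)
            found |= PROBE_VMWARE_BACKDOOR;
    }
    return found;
}

int main(void) {
    char vendor[13];
    int r = detect_hypervisor(vendor);
    if (r < 0)       puts("no CPUID on this architecture");
    else if (r == 0) puts("hypervisor bit clear (bare metal, or a hypervisor hiding it)");
    else             printf("hypervisor present, vendor leaf says \"%s\"\n", vendor);

    /* Constructed bytes (not a real sample): VMware backdoor call, cpuid, sidt. */
    static const unsigned char sample[] = {
        0xB8, 0x68, 0x58, 0x4D, 0x56,   /* mov eax, 564D5868h ('VMXh') */
        0x66, 0xBA, 0x58, 0x56,         /* mov dx, 5658h               */
        0xED,                           /* in eax, dx                  */
        0x0F, 0xA2,                     /* cpuid                       */
        0x0F, 0x01, 0x0D, 0, 0, 0, 0    /* sidt [disp32]               */
    };
    printf("probe mask for sample bytes: 0x%x\n", scan_vm_probes(sample, sizeof sample));
    return 0;
}
```

Run the probe inside the analysis guest once before detonating anything: if it says the hypervisor bit is set, so will the sample, and the 10% that check will behave differently until the guest is hardened as the slides advise.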

14 Escape
Think VM escape is impossible?
–In July of 2007, InGuardians demonstrated (for the first time publicly) an exploit that could, from within a guest, launch arbitrary code on the host. The vulnerability was discovered in VMware Workstation, and has since been patched

15 Escape: Ugly
While we've never seen or heard of "in the wild" malware capable of VM escape, it is especially important that we are aware that the possibility exists
Don't rely on the isolation provided by virtualization
–Keep hosts of VMs used for malware analysis air-gapped from production networks
–Periodically flatten and reinstall hosts
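The "don't rely on the isolation" advice turned into a pre-flight check, as an added example that is not from the InGuardians deck: a POSIX sh function that reads a VMware Workstation guest's .vmx text and refuses the guest if its NIC can reach the real network or the host, or if any host/guest channel (shared folders, clipboard, drag-and-drop) is still open. The key names are the documented .vmx settings (ethernetN.connectionType, sharedFolderN.present, isolation.tools.*.disable); the constructed sample config and the rule that all four tools channels must be explicitly set to "TRUE" are assumptions for illustration, to be adjusted to your own product version.

```sh
#!/bin/sh
# Added example (not from the slides): pre-detonation check of a VMware .vmx.
# Usage: vmx_isolation_check "$(cat guest.vmx)"   -> prints findings, returns 1 if unsafe.
vmx_isolation_check() {
    vmx=$(printf '%s\n' "$1" | tr -d '\r')
    findings=''

    # 1. Networking: nat/bridged put the guest on a real network, hostonly still
    #    reaches the analysis host.  Only a private vmnet ("custom") is accepted;
    #    check on the host side that no host adapter is attached to that vmnet.
    nets=$(printf '%s\n' "$vmx" | grep -iE '^ethernet[0-9]+\.connectionType *= *"(nat|bridged|hostonly)"' || true)
    if [ -n "$nets" ]; then
        findings="$findings
network reaches host or real LAN: $nets"
    fi

    # 2. Shared folders declared in the config give the guest a path onto the host.
    shares=$(printf '%s\n' "$vmx" | grep -iE '^sharedFolder[0-9]+\.present *= *"TRUE"' || true)
    if [ -n "$shares" ]; then
        findings="$findings
shared folder enabled: $shares"
    fi

    # 3. Tools channels that must be explicitly disabled (assumed policy: all four).
    for key in isolation.tools.hgfs.disable isolation.tools.copy.disable \
               isolation.tools.paste.disable isolation.tools.dnd.disable; do
        pattern=$(printf '%s' "$key" | sed 's/\./\\./g')
        if ! printf '%s\n' "$vmx" | grep -iqE "^$pattern *= *\"TRUE\""; then
            findings="$findings
$key is not set to \"TRUE\""
        fi
    done

    if [ -n "$findings" ]; then
        printf 'UNSAFE to detonate in:%s\n' "$findings"
        return 1
    fi
    echo "guest config passes isolation checks"
    return 0
}

# Constructed sample (not a real guest's file) showing a typical lax default config.
SAMPLE_VMX='ethernet0.present = "TRUE"
ethernet0.connectionType = "nat"
sharedFolder0.present = "TRUE"
sharedFolder0.hostPath = "/home/analyst/samples"
isolation.tools.hgfs.disable = "FALSE"'

vmx_isolation_check "$SAMPLE_VMX" || echo "move the guest to a private vmnet and close the tools channels before running the sample"
```

The check only covers the guest side of the problem: an escape exploit like the one demonstrated in 2007 does not care how the NIC is wired, which is why the slides still call for air-gapped, periodically reinstalled hosts.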

16 Conclusions
VM escape is the big, bad, scary possibility hanging over our heads
Detection is of more concern
–Malware that alters its behavior in a VM environment requires special handling
–Harden VMs against detection: "Thwarting Virtual Machine Detection," Tom Liston and Ed Skoudis
–Examine code for VM detection routines
"Hiding Virtualization from Attackers and Malware," Carpenter, Liston, Skoudis, IEEE Security & Privacy, May-June 2007

17 Thank you!
Questions, comments: Tom Liston (815)
Slides available at:

