A Fistful of Wonderland


1 A Fistful of Wonderland
Clint Eastwood vs. Lewis Carroll in a One-Metaphor-Too-Many Look at the Good, the Bad, and the Ugly of Malware Analysis on Virtual Platforms
Technologies for Critical Incident Preparedness Conference & Exposition 2008
Tom Liston, Senior Security Analyst - InGuardians, Inc.

2 Who are you and why are you here?
Tom Liston
Senior Security Analyst - InGuardians, Inc.
Handler - SANS Institute’s Internet Storm Center (ISC)
Founding member - ISC Malware Analysis Team
Co-Author (w/Ed Skoudis) - Counter Hack Reloaded
Developer - LaBrea, an Open Source network tarpit
Technical Lead - InGuardians’ work on Virtual Machine Detection and Escape
InGuardians, Inc.
World-class security consulting firm
Provides penetration testing, architecture review, code auditing, malware analysis, expert witnesses, and pure security research to government, military, and Fortune 100 companies

3 Through the Looking Glass…
Virtualization is currently IT’s “hot product”
I’m going to assume you all know what virtualization…
And, why not? Virtualization presents several amazing benefits to companies using it
Cost savings! Space savings! Infrastructure redundancy!
But, you folks in the “infrastructure” world are just starting to catch on…

4 Getting there first… …and dragging the rest of you slackers with us.
Those of us who do malware analysis were some of the first adopters of virtualization
Why? Virtual machines offer huge benefits for those of us who work with malware
In order to understand those benefits, you need to understand a little about modern malware analysis

5 Modern Malware Analysis In a Nutshell
Malware analysis isn’t about poring over densely packed code listings
Stare at that stuff too long, and you end up with squinty eyes…
Modern malware analysis is a combination of:
Dead-code analysis
Behavioral analysis
It is an iterative process
Behavioral analysis reinforces the code analysis and vice versa

Disassembly excerpt shown on the slide (addresses partly lost in extraction):
.text: F          push    ; flOptions
.text:            call    ds:HeapCreate
.text:            mov     hHeap, eax
.text: C          lea     eax, [ebp+var_8]
.text: F          push    eax
.text:            mov     [ebp+var_8], 8
.text:            mov     [ebp+var_4], 800h
.text: E          call    ds:InitCommonControlsEx
.text:004012A     push    28h
.text:004012A     lea     eax, [ebp+hInstance]
.text:004012A     push    edi
.text:004012AA    push    eax
.text:004012AB    call    memset
.text:004012B     add     esp, 0Ch
.text:004012B     mov     dword ptr [ebp-48h], offset

6 Behavioral Analysis!?! You RUN these things?
Yep! All the time…
And that’s where virtualization comes into play…
With virtual machines we have the ability to revert any changes made to our environment
Additionally, using virtualization, I can create an entire network consisting of several target machines, all on their own isolated LAN, all within my laptop
Test “worm-like” spreading behavior
Test botnet command and control
Monitor attempts to “phone home”
We can, in essence, create a whole other world “through the looking glass”
And, in theory, we can control and monitor EVERYTHING

7 A perfect malware world
Virtualization allows us to create everything needed to provide the malware with a full simulation of whatever it needs
We can create VMs for multiple operating systems and even multiple patch levels of a single operating system
We can attach VMs providing whatever services a piece of malware might want to our “network”
Webservers
Mailservers
IRC servers
etc…
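The "monitor attempts to phone home" part of the lab the two slides above describe needs something to read what the fake network sees. The script below is an added example, not code from the talk or from InGuardians. It assumes a lab laid out like the one the slides sketch: the sample runs in a guest VM whose only gateway is a second VM that answers every DNS query with its own address (10.0.0.1 here), accepts every TCP connection, and writes one line per event. That log format is constructed for this example; the regex and key names would be adapted to whatever sink is actually in use.

```python
"""Triage of "phone home" attempts captured on an isolated analysis LAN.

Added example, not code from the talk or from InGuardians. It assumes a lab
laid out like the one the slides describe: the sample runs in a guest VM whose
only gateway is a second VM that answers every DNS query with its own address
(10.0.0.1 here) and accepts every TCP connection, logging what it sees. The
one-line-per-event log format below is constructed for this example; adapt
LINE_RE and the key names to whatever your sink actually writes.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines from the hypothetical sink VM. The guest under test
# is 10.0.0.20; the sink answers as 10.0.0.1 for every name it is asked about.
SAMPLE_LOG = """\
2008-03-14T10:02:11 DNS  src=10.0.0.20 q=update.example-bad.test type=A
2008-03-14T10:02:11 DNS  src=10.0.0.20 q=time.windows.com type=A
2008-03-14T10:02:12 TCP  src=10.0.0.20 dst=10.0.0.1 dport=6667 state=SYN
2008-03-14T10:02:12 TCP  src=10.0.0.20 dst=10.0.0.1 dport=6667 state=SYN
2008-03-14T10:02:13 TCP  src=10.0.0.20 dst=10.0.0.1 dport=80 state=SYN
2008-03-14T10:02:13 HTTP src=10.0.0.20 host=update.example-bad.test method=POST path=/gate.php
2008-03-14T10:02:42 TCP  src=10.0.0.20 dst=10.0.0.1 dport=6667 state=SYN
2008-03-14T10:03:12 TCP  src=10.0.0.20 dst=10.0.0.1 dport=6667 state=SYN
2008-03-14T10:03:42 TCP  src=10.0.0.20 dst=10.0.0.1 dport=6667 state=SYN
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>DNS|TCP|HTTP)\s+(?P<rest>.*)$")

# Ports whose use by an unknown sample deserves a second look (assumed table).
PORT_HINTS = {25: "SMTP (mass-mailer?)", 80: "HTTP", 443: "HTTPS",
              6667: "IRC (classic botnet C&C)"}


def parse_log(text):
    """Turn sink log lines into dicts; lines in an unexpected format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = {"ts": datetime.fromisoformat(m["ts"]), "kind": m["kind"]}
        rec.update(kv.split("=", 1) for kv in m["rest"].split())
        records.append(rec)
    return records


def summarize(records, min_beacons=3, jitter=5):
    """Collect names looked up, HTTP requests, ports tried and regular beacons."""
    domains = sorted({r["q"] for r in records if r["kind"] == "DNS"})
    http = [(r["method"], r["host"], r["path"]) for r in records if r["kind"] == "HTTP"]
    attempts = defaultdict(set)  # (dst, port) -> SYN times; the set drops retransmits
    for r in records:
        if r["kind"] == "TCP" and r.get("state") == "SYN":
            attempts[(r["dst"], int(r["dport"]))].add(r["ts"])
    ports = {port: PORT_HINTS.get(port, "unknown") for (_, port) in attempts}
    beacons = {}
    for key, times in attempts.items():
        ts = sorted(times)
        if len(ts) >= min_beacons:
            gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
            if max(gaps) - min(gaps) <= jitter:  # evenly spaced retries => beacon
                beacons[key] = round(sum(gaps) / len(gaps))
    return {"domains": domains, "http": http, "ports": ports, "beacons": beacons}


def triage(text):
    return summarize(parse_log(text))


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("Names resolved:", ", ".join(report["domains"]))
    for method, host, path in report["http"]:
        print(f"HTTP {method} to {host}{path}")
    for port, hint in sorted(report["ports"].items()):
        print(f"Port {port}: {hint}")
    for (dst, port), period in report["beacons"].items():
        print(f"Beacon: {dst}:{port} every ~{period}s")
```

Because the sink answers for every name, the destination address tells you nothing; the names queried, the ports tried and the timing do. The constructed log also shows why an analyst still has to read the output: a lookup of time.windows.com is ordinary Windows behaviour, while the evenly spaced retries on 6667 and the POST to a freshly resolved name are the things worth chasing.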

8 Trouble in Paradise
But REMEMBER:
Virtualization platforms were designed for general purpose use
Like “Wonderland,” they’re only a slightly warped version of our own reality
And the stuff we’re dropping into them is… well… NASTY
It’s sort of like dropping any Clint Eastwood character into Wonderland
And let’s face it, Clint really only plays ONE character
It doesn’t matter if he’s wearing a cowboy hat or a business suit… they’re all the same guy…
So, we need to be careful…

9 What problems could there be?
Well, that annoying White Rabbit and that mouthy Queen better watch it…

10 Background
In the fall of 2005, InGuardians was contracted by DHS to research the potential for both virtual machine detection and escape
The enormous market potential for virtualization caused concerns about the security implications of VM isolation
At the time that we began our research, virtualization security had received little attention
Tools and methodologies for investigating the security of this new technology didn’t exist
We, essentially, had to “invent the wheel”

11 Assumptions…
Security issues are generally discovered by examining assumptions
Challenging assumptions is the cornerstone of security research
Our research into detection/escape concerns highlights an ENORMOUS assumption that all virtualization users make:
“There exists a high degree of isolation between host and guest and between guests”
This assumption is especially dangerous when analyzing malware

12 Detection
We began our research by investigating the potential for an attacker (human or malcode) to detect that the machine that they’re on is virtualized
All available virtualization environments are detectable
Additionally, we postulate that there are several characteristics of the IA64 (x86) architecture that will make virtualization running on that architecture always detectable

13 Detection: Bad
During the course of our research, we discovered some of the first specimens of malware that detected virtualization and changed their behavior
Over the lifetime of our research project, virtualization detection within malware blossomed
Now approximately 10% of the specimens we see have some sort of virtualization detection
These are the most interesting 10%, because they have something to hide
Virtualization detection is now becoming integrated into many executable packers

14 Escape
Think VM escape is impossible?
In July of 2007, InGuardians demonstrated (for the first time publicly) an exploit that could, from within a guest, launch arbitrary code on the host
The vulnerability was discovered in VMware Workstation, and has since been patched

15 Escape: Ugly
While we’ve never seen or heard of “in the wild” malware capable of VM escape, it is especially important that we are aware that the possibility exists
Don’t rely on the isolation provided by virtualization
Keep hosts of VMs used for malware analysis air-gapped from production networks
Periodically flatten and reinstall hosts

16 Conclusions
VM escape is the big, bad, scary possibility hanging over our heads
Detection is of more concern
Malware that alters its behavior in a VM environment requires special handling
Harden VMs against detection
(Thwarting Virtual Machine Detection, by Tom Liston and Ed Skoudis)
Examine code for VM detection routines
(Hiding Virtualization from Attackers and Malware. Carpenter, Liston, Skoudis, IEEE Security and Privacy, May-June 2007)
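Slide 13 says roughly a tenth of specimens carry virtualization detection and that it is moving into packers; slide 16 recommends examining code for such routines before trusting a behavioral run. The script below is an added example of the first pass an analyst might make, not code from the talk, the cited paper or InGuardians. It scans raw bytes for two widely documented classes of artifact: virtualization product names in ASCII or UTF-16LE strings, and the descriptor-table instructions (sidt, sgdt, sldt, str) plus cpuid that detection routines commonly lean on. The keyword list, the scoring weights and the review threshold are assumptions chosen for this example, and the two byte strings it runs on are constructed stand-ins for unpacked samples.

```python
"""Static triage of a sample for virtualization-detection artifacts.

Added example, not code from the talk, the cited paper or InGuardians. It
scans raw bytes for two widely documented classes of artifact: product names
in ASCII or UTF-16LE strings, and the descriptor-table instructions
(sidt/sgdt/sldt/str) plus cpuid that VM-detection routines commonly use.
KEYWORDS, the scoring weights and review_threshold are assumptions.
"""
import re
from collections import Counter

# Product strings an analysis VM tends to expose (assumed, non-exhaustive list).
KEYWORDS = [b"vmware", b"virtualbox", b"vboxguest", b"vboxservice", b"qemu", b"virtual hd"]


def _string_pattern():
    ascii_alts = [re.escape(k) for k in KEYWORDS]
    # UTF-16LE spelling of the same words: each ASCII byte followed by a NUL.
    wide_alts = [b"".join(re.escape(bytes([c])) + b"\x00" for c in k) for k in KEYWORDS]
    return re.compile(b"|".join(ascii_alts + wide_alts), re.IGNORECASE)


STRING_RE = _string_pattern()


def scan_strings(data):
    """Distinct VM product names found, normalised to lower-case ASCII."""
    found = set()
    for m in STRING_RE.finditer(data):
        found.add(m.group().replace(b"\x00", b"").decode("ascii", "replace").lower())
    return sorted(found)


def scan_opcodes(data):
    """Count 0F-prefixed instructions that read descriptor tables, plus cpuid.

    Byte matching knows nothing about instruction boundaries, so a hit inside
    a data section is possible; treat the counts as a prioritisation hint.
    """
    hits = Counter()
    for i in range(len(data) - 1):
        if data[i] != 0x0F:
            continue
        op = data[i + 1]
        if op == 0xA2:                      # cpuid
            hits["cpuid"] += 1
            continue
        if i + 2 >= len(data) or op not in (0x00, 0x01):
            continue
        modrm = data[i + 2]
        mod, reg = modrm >> 6, (modrm >> 3) & 7
        if op == 0x01 and mod != 3 and reg in (0, 1):   # sgdt m / sidt m
            hits["sgdt" if reg == 0 else "sidt"] += 1
        elif op == 0x00 and reg in (0, 1):               # sldt r/m / str r/m
            hits["sldt" if reg == 0 else "str"] += 1
    return hits


def scan_bytes(data, review_threshold=4):
    strings = scan_strings(data)
    opcodes = scan_opcodes(data)
    table_reads = sum(opcodes[k] for k in ("sgdt", "sidt", "sldt", "str"))
    # cpuid is routine feature probing in benign code, so it counts once and lightly.
    score = 3 * len(strings) + 2 * table_reads + (1 if opcodes["cpuid"] else 0)
    verdict = "review" if score >= review_threshold else "none"
    return {"strings": strings, "opcodes": dict(opcodes), "score": score, "verdict": verdict}


def scan_file(path):
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


# Constructed byte strings standing in for two unpacked samples.
VM_AWARE = (
    b"MZ" + b"\x90" * 16
    + b"\x0f\x01\x0d\x00\x00\x00\x00"              # sidt [disp32]  (IDT base check)
    + b"\x0f\x00\x45\xfc"                          # sldt [ebp-4]   (LDT check)
    + b"\x0f\xa2"                                  # cpuid
    + b"SOFTWARE\\VMware, Inc.\\VMware Tools\x00"  # registry path as an ASCII string
    + "VBoxGuest".encode("utf-16le")                # the same idea as a wide string
)
CLEAN = b"MZ" + b"\x90" * 16 + b"\x0f\xa2" + b"Hello, world\x00"

if __name__ == "__main__":
    for name, blob in (("vm_aware", VM_AWARE), ("clean", CLEAN)):
        print(name, scan_bytes(blob))
```

Two caveats follow directly from the slides. Since detection is being built into packers, a sample has to be unpacked (or dumped from memory) before a string scan means anything; a clean result on a packed file is not evidence of absence. And a hit is a reason to step through that code in the debugger and decide how to handle the sample, as slide 16 says, not a verdict on its own: cpuid and sidt both appear in legitimate software.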

17 Thank you!
Questions, comments: Tom Liston (815)
Slides available at:
