Presentation is loading. Please wait.

Presentation is loading. Please wait.

Testing Exploits and Malware in an isolated environment Luca Allodi – Fabio Massacci – Vadim Kotov

Published byHeather Robertson Modified over 8 years ago

Similar presentations

Presentation on theme: "Testing Exploits and Malware in an isolated environment Luca Allodi – Fabio Massacci – Vadim Kotov"— Presentation transcript:

1 Testing Exploits and Malware in an isolated environment Luca Allodi – luca.allodi@unitn.it Fabio Massacci – fabio.massacci@unitn.it Vadim Kotov (now @ Bromium Inc., Cupertino CA ) – luca.allodi@unitn.it

2  Laboratory to measure malware as a “software artifact”  Does the malware/exploit work?  Under which circumstances?  How does it perform under different assumptions?  Disconnected from the network  At the moment located in Povo2, Floor 1  Soon to be moved and renovated

3 VICTIM 1VICTIM 2VICTIM 3 Malware Distribution Server (MDS) Virtualizes: XPSP0 XP SP1 XP SP2 XPSP3 Virtualizes Vista SP0 Vista SP1 Vista SP2 Virtualizes Seven SP0 Seven SP1

4  Python infrastructure  Automatically operate on Virtual Machines  Create, delete, restore VM Snapshots  Automatically install and verify software configurations on the VMs  Configuration file contains list of software  Script pushes the software on VM, lunches silent install  Possibility to verify the install with a batch file  Firefox, Opera, Java, Quicktime, Flash, Adobe Reader  Automated mechanism to verify exploit successfulness.  Fully modularized - Easy to add functionalities / software/malware

5 1.Requests web page to malicious server 2.Receives HTML exploit page 3.If exploit is successful, shellcode downloads malware of some sort 4.Computer is infected 1 2 3

6  Question: How resilent are cybercrime ekits to software updates?  Exploit kits span from (2007-2011)  How we chose the exploit kits ▪ Release date ▪ Popularity (as reported in industry reports) ▪ CrimePack, Eleonore, Bleeding Life, Shaman, …  Software: most popular one  Windows XP, Vista, Seven ▪ All service packs are treated like independent operating systems  Browsers: Firefox, Internet explorer  Plugins: Flash, Acrobat Reader, Java  247 software versions  spanning from 2005 to 2013  We randomly generate 180 sw combinations (times 9 Operating Systems) to be the configurations we test

7 Malware Distribution Server (MDS) Exploit kit 1 Exploit kit 2.. Exploit kit 10 Virtualizes Vista SP0 -Conf 1..180 Vista SP1 -Conf 1..180 Vista SP2 -Conf 1..180 Virtualizes Seven SP0 -Conf 1..180 Seven SP1 -Conf 1..180 Virtualizes: XPSP0 -Conf 1..180 XP SP1 -Conf 1..180 XP SP2 -Conf 1..180 XPSP3 -Conf 1..180

8  One configuration for: Windows XP Service Pack 2  Firefox 1.5.0.5  Flash 9.0.28.0  Acrobat Reader 8.0.0.0  Quicktime 7.0.4.0  Java 1.5.0.7  One configuration for: Windows Seven Service Pack 1  Firefox 8.0.1.0  Flash 10.3.183.10  Acrobat Reader 10.1.1.0  Quicktime: No version  Java 6.27

9

10 VICTIM 1 Malware Distribution Server (MDS) Victim 2Victim 3 Virtual Box Interface Windows XP Service Pack 0 Windows XP Service Pack 0 Control Scripts in Python Linux Ubuntu Firefox Plugin 1 Plugin 1 “Install configuration 1” 1.Pushes installers, installs software 2.Checks Install: push batch file on VM 3.Saves Configuration snapshot Plugin 2 Plugin 2 Plugin 3 Plugin 3 Plugin 4 Plugin 4 Pushes installers, installs softwareChecks install: push batch file on VM ✓ ✓✓ ✓ ✓ Saves Configuration snapshot Configuration Snapshot “Lunch against Exploit Kits” For x in 1..10: Restore(“Configuration snapshot”) Lunch(VM, EKIT(x)) Delete(“Configuration snapshot”) Restore Configuration Snapshot Lunch(VM, EKIT(1)) Configuration Snapshot (attacked) Lunch(VM, EKIT(x)) Restore Configuration snapshot Delete(“Configuration snapshot”) “Install configuration 2” …. “Install configuration 180” …. “End”

11 VICTIM 1VICTIM 2VICTIM 3 Malware Distribution Server (MDS) GET /Exploit Kit/ HTTP/1.1 Send Exploit If exploit is successful -> Requests “Casper” From MDS Set “Successful”= 1 In MDS table Infections Casper The “good-ghost-in-the-browser” malware

12

13  MalwareLab & Ekits:  CSET ’13: MalwareLab: Experimentation with Cybercrime Attack Tools.  ESSoS ’13: Anatomy of Exploit Kits - Preliminary Analysis of Exploit Kits as Software Artefacts.  Exploitation 101  [BOOK] HACKING: The Art of Exploitation – Erickson  Phrack Magazine: Smashing The Stack For Fun And Profit  Advanced exploitation  Usenix ’11 – Q: Exploit Hardening Made Easy  Blackhat 2013 - JUST-IN-TIME CODE REUSE: THE MORE THINGS CHANGE, THE MORE THEY STAY THE SAME  Usenix ’14 - ROP is Still Dangerous: Breaking Modern Defenses  Usenix ‘14 - Size Does Matter: Why Using Gadget - Chain Length to Prevent Code-Reuse Attacks is Hard  IEEE Symposium on Security & Privacy ’14: Framing Signals — A Return to Portable Shellcode  Tools  Damn Vulnerable Linux  gcc, gdb  MalwareLab

14  Exploit kit inner workings  Overview of an exploit  Acrobat Reader, CVE-2010-0188  Demo of attack

15  Buffer overflow: a variable can grow arbitrarily big in memory  No control over its size  If the attacker can control the variable, he can write into memory outside of the variable boundaries  It is possible to hijack program execution by redirecting it to a shellcode injected by the attacker  Shellcode can execute actions such as downloading and executing malware

16 RET Instruction n NOP …. RET Return Address in stack frame First byte where the overflow starts Variable’s first byte Memory space affected by Buffer Overflow Shellcode Instruction 1 RET overfill NOP Sled High memory address Low memory address

Download ppt "Testing Exploits and Malware in an isolated environment Luca Allodi – Fabio Massacci – Vadim Kotov"

Similar presentations

Chapter 17: WEB COMPONENTS

Chapter 17: WEB COMPONENTS
ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?

Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.

Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
By Hiranmayi Pai Neeraj Jain

By Hiranmayi Pai Neeraj Jain
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
Framing Signals— A Return to Portable Shellcode

Framing Signals— A Return to Portable Shellcode
Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities Y.-M. Wang, D. Beck, X. Jiang in Proceedings of.

Automated Web Patrol with Strider HoneyMonkeys: Finding Web Sites That Exploit Browser Vulnerabilities Y.-M. Wang, D. Beck, X. Jiang in Proceedings of.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
Chapter 9 Comparing Web Technologies. Agenda Browser Hypertext Markup Language (HTML) Common Gateway Interface Web Application Server Plug-in.

Chapter 9 Comparing Web Technologies. Agenda Browser Hypertext Markup Language (HTML) Common Gateway Interface Web Application Server Plug-in.
Buffer Overflow By: John Quach and Napoleon N. Valdez.

Buffer Overflow By: John Quach and Napoleon N. Valdez.
Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,

Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,
Active X Microsoft’s Answer to Dynamic Content Reference: Using Active X by Brian Farrar QUE

Active X Microsoft’s Answer to Dynamic Content Reference: Using Active X by Brian Farrar QUE
Security+ Guide to Network Security Fundamentals, Third Edition

Security+ Guide to Network Security Fundamentals, Third Edition
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh

Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
Computer Security and Penetration Testing

Computer Security and Penetration Testing

Similar presentations

Ads by Google