ROOTCON 10 / Talks: AV is Dead! Is AV Dead?

Posted on 25-Sep-2020


TRANSCRIPT

AV is Dead! Is AV Dead?

"There is no algorithm that can perfectly detect all possible computer viruses."

Fred Cohen, 1987, pioneer of computer virus technology and defense

Virus
• A virus is an executable or a piece of code that has the capability to replicate and attach itself onto a target file

Malware
• A term used to denote malicious software, including but not limited to worms, Trojans, ransomware and viruses
• Often referred to, by some people, as "virus"

Main questions to be answered

WHO: Who are the ones that are saying AV is dead?
WHY: Why are they saying that AV is dead?
WHAT: What should we learn from all of this?

Agenda
• Historic Malware Facts: A Never Ending War
• Proactive Development Of New Weapons
• Being Opinionated on Data
• Derivation

AV - Anti-Virus
• Software originally designed to detect and remove computer viruses
• Initially based on signature detection and blacklisting techniques, which use a scan-detect-protect-clean paradigm
• Although developed during the 80s, non-IT people are still used to the term AV (antivirus) for the software they use to protect against malware

A Never Ending War

(Timeline slide; columns 1980-1990, 1990-2000, 2000-2005, 2005-2010, 2010-2014, 2014-2016)

Malware
• Virus, Worms, Trojans
• Encryption, Polymorphism, Metamorphism
• Packing, Armouring, Protectors
• Anti-emulation, anti-debugging
• Rootkit, Exploits
• Hijacker, Adware, Spyware, Rogue AV
• Ransomware, APT
• Botnet
• Vulnerability exploitation
• Dormancy
• Stealth
• EULA
• Lawsuits, greyware
• Social engineering
• Stolen digital signatures
• Fast flux
• Rapid variance generation
• More laser-focused targeted attacks

Security
• Signature based detection
• Hashing
• Heuristic
• Emulation
• Intelligent scanning
• Generic unpacking
• Behavioural analysis
• Virtualized environments
• Gateway solution
• Cloud
• Anti-rootkits
• Memory protection (PatchGuard)
• Machine learning
• Data mining
• Anomaly-based detections
• NEXT GEN

Exact-match signature at the entry point (slide pseudocode):

PE32
GoEntryPoint()
Sig = MatchExactHexa [0x60 0xe8 0x00 0x00 0x5d 0x81 0xed 0x0b …]
If (Sig)
    return Infected

Using heuristic-based signature detections, emulation and intelligent scanning, AV engines can now strip the garbage code and recover the actual malicious code.

And again, malware authors responded with anti-emulation techniques such as near-infinite loops and timing-based techniques that count the difference in processor cycles between two points (reading the time-stamp counter before and after a short stretch of code, and treating an unusually large delta as a sign that the code is running under an emulator).

Heuristic-based detections are the signature detections that we use nowadays. It is called a 1-to-many detection pattern.

The usual heuristic sig can detect from hundreds to thousands of samples per sig.

I know of a couple who can catch a million samples with 1 heuristic-based signature.

But those are few and rare, as it is very hard to find a common pattern across different variants, families and different generations of malware.
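A runnable version of the two detection styles above, added here as an illustration (it is not code from the deck or from any AV product): an exact-hex match at the PE entry point, as in the slide pseudocode, beside a one-to-many heuristic pattern that tolerates wildcard bytes. The PE images, the wildcard pattern and the function names are constructed for the example; the exact signature is the byte sequence the slide shows, used as-is.

```python
"""Entry-point signature matching, exact and heuristic.

Added example for the signature slides; not code from the ROOTCON deck.
The PE images are constructed in memory (headers plus a few stub bytes,
not runnable programs) and the heuristic pattern is an assumption.
"""
import struct

# Exact-hex signature from the slide pseudocode.  The slide truncates the
# sequence with "..."; the eight bytes it shows are used as-is here.
EXACT_SIG = bytes([0x60, 0xE8, 0x00, 0x00, 0x5D, 0x81, 0xED, 0x0B])

# Heuristic, one-to-many pattern (assumption): the same stub shape, with
# "??" wildcards where a variant is free to change a byte.
HEURISTIC_PATTERN = "60 e8 ?? ?? 5d 81 ed ??"


def _nt_header_offset(pe: bytes) -> int:
    """Return the file offset of the 'PE\\0\\0' signature, validating the headers."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew


def _rva_to_offset(pe: bytes, rva: int) -> int:
    """Map an RVA to a file offset by walking the section table."""
    nt = _nt_header_offset(pe)
    num_sections = struct.unpack_from("<H", pe, nt + 6)[0]
    size_of_optional = struct.unpack_from("<H", pe, nt + 20)[0]
    section_table = nt + 24 + size_of_optional
    for i in range(num_sections):
        hdr = section_table + i * 40
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return raw_ptr + (rva - vaddr)
    raise ValueError("entry point RVA is outside every section")


def entry_point_bytes(pe: bytes, count: int) -> bytes:
    """GoEntryPoint(): read `count` bytes at OptionalHeader.AddressOfEntryPoint."""
    nt = _nt_header_offset(pe)
    entry_rva = struct.unpack_from("<I", pe, nt + 24 + 16)[0]
    offset = _rva_to_offset(pe, entry_rva)
    return pe[offset:offset + count]


def match_exact(pe: bytes, sig: bytes = EXACT_SIG) -> bool:
    """MatchExactHexa: every signature byte must match at the entry point."""
    return entry_point_bytes(pe, len(sig)) == sig


def compile_pattern(text: str) -> list:
    """Turn '60 e8 ?? 5d' into [0x60, 0xE8, None, 0x5D]; None is a wildcard."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def match_heuristic(pe: bytes, pattern: str = HEURISTIC_PATTERN) -> bool:
    """One-to-many match: fixed bytes must agree, wildcard positions are free."""
    pat = compile_pattern(pattern)
    code = entry_point_bytes(pe, len(pat))
    return len(code) == len(pat) and all(p is None or p == b for p, b in zip(pat, code))


def scan(pe: bytes) -> str:
    """Verdict in the slide's spirit: exact hit, heuristic hit, or clean."""
    if match_exact(pe):
        return "infected:exact"
    if match_heuristic(pe):
        return "infected:heuristic"
    return "clean"


def build_pe(code: bytes, entry_delta: int = 0) -> bytes:
    """Construct a minimal PE32 with one .text section at RVA 0x1000, raw offset 0x200."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                              # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                              # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000 + entry_delta)              # AddressOfEntryPoint
    section = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000,
                          len(code), 0x200, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + section
    return headers.ljust(0x200, b"\0") + code


# Constructed samples: the slide's stub, a variant with different immediates
# (entry point placed after some padding), and a normal-looking prologue.
SAMPLE_EXACT = build_pe(bytes.fromhex("60e800005d81ed0b") + b"\xCC" * 8)
PADDING = b"\x90" * 7
SAMPLE_VARIANT = build_pe(PADDING + bytes.fromhex("60e810005d81ed2a") + b"\xCC" * 8,
                          entry_delta=len(PADDING))
SAMPLE_CLEAN = build_pe(bytes.fromhex("558bec83ec10") + b"\xCC" * 10)

if __name__ == "__main__":
    for name, img in (("exact", SAMPLE_EXACT), ("variant", SAMPLE_VARIANT), ("clean", SAMPLE_CLEAN)):
        print(f"{name:8s} {entry_point_bytes(img, 8).hex()} -> {scan(img)}")
```

The variant image is the point of the slide: one changed immediate defeats the exact signature while the wildcard pattern still catches it, which is why a single heuristic signature can cover a whole family. Note that both checks look only at the entry point, so a packed or armoured sample that unpacks its real stub at run time is invisible to them; that is the gap the deck's later slides on emulation and generic unpacking address.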

Am I running on a REAL machine???

GOTCHA!!!!

Windows 7 64-bit

- Code Integrity policy prevents unsigned kernel-mode drivers from loading
- Windows PatchGuard protects against modification of:
  - SSDT (System Service Dispatch Table)
  - IDT (Interrupt Descriptor Table)
  - GDT (Global Descriptor Table)
  - kernel code (patching)

"The Master Boot Record (MBR) is the first 512 bytes of a data storage device that contains code for bootstrapping an operating system. It houses the table of primary partitions using the IBM partition table scheme. Its primary purpose is to load the boot sector and pass control to it (volume boot record)."

Normal boot sequence:

Load MBR -> Load VBR -> Load Bootmgr -> Load winload.exe or winresume.exe -> Load kernel and other drivers

MBR (Master Boot Record): loads the VBR

VBR (Volume Boot Record): loads Bootmgr

Bootmgr: reads the BCD (Boot Configuration Data); loads either winload.exe or winresume.exe (restores the state of a hibernating system)

Winload.exe: initializes the code integrity policy; loads the kernel and its dependencies hal.dll, bootvid.dll, kdcom.dll

Kernel initialization: calls KdDebuggerInitialize1 from kdcom.dll to initialize the debugging facilities of the system

TDL4 infected boot sequence:

Load infected MBR -> Load LDR16 from its file system -> Hook INT 13h and restore the original MBR -> Load VBR -> Load Bootmgr -> Load winload.exe (WinPE mode) -> Load ntoskrnl.exe, hal.dll and kdcom.dll -> Call KdDebuggerInitialize1 -> Initialize kernel

Infected MBR: contains malicious code for loading TDL4; loads LDR16

LDR16: replaces a key BCD value in the registry to initiate WinPE mode; hooks INT 13h

INT 13h hook: waits for kdcom.dll to be loaded, then replaces its image in memory with LDR32 or LDR64 (platform dependent)

WinPE mode: since the value in the BCD registry hive was replaced, WinPE mode is activated and Code Integrity is disabled

Loads kernel dependencies: when the hook finds kdcom.dll in memory, it replaces the image with LDR32 or LDR64

Why KDCOM.DLL: it contains a function that is called by the system to initialize the system debuggers

LDR32/64: contains the same functions as the original kdcom.dll, but only one works: KdDebuggerInitialize1. All others are dummies and return 0, so the kernel debugger is disabled. DRV32 or DRV64 (the rootkit's main component for hooking) is then loaded, and boot continues as if nothing happened.
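The bootkit walkthrough above starts from an MBR whose boot code was rewritten while the partition table stays intact, so the check a practitioner wants is a comparison of the boot-code bytes against a known-good baseline rather than a look at the partition entries. The following is an added example of that check (not code from the deck or from any tool): it parses the 512-byte MBR layout the quoted definition describes and hashes only the boot code. The two MBR images, the baseline hash set and the function names are constructed for the example.

```python
"""MBR parsing and boot-code integrity check.

Added example for the MBR / boot-sequence slides; not code from the
ROOTCON deck.  Both 512-byte images are constructed here: a "clean" MBR
and a copy whose boot code is altered while the partition table is left
intact, which is the shape of infection the TDL4 walkthrough describes.
"""
import hashlib
import struct

BOOT_CODE_END = 440        # bytes 0..439: boot code; 440..443: Windows disk signature
PARTITION_TABLE = 446      # four 16-byte entries
BOOT_SIGNATURE = b"\x55\xAA"


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into boot code, disk signature and partition entries."""
    if len(mbr) != 512:
        raise ValueError("an MBR is exactly 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        base = PARTITION_TABLE + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", mbr, base)
        if ptype == 0:            # empty slot
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": mbr[:BOOT_CODE_END],
            "disk_signature": struct.unpack_from("<I", mbr, 440)[0],
            "partitions": partitions}


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot code only; disk signature and partition table are per-disk."""
    return hashlib.sha256(parse_mbr(mbr)["boot_code"]).hexdigest()


def check_boot_code(mbr: bytes, known_good: set) -> dict:
    """Flag boot code whose hash is not in the set of known-good hashes."""
    digest = boot_code_hash(mbr)
    return {"sha256": digest, "known_good": digest in known_good}


def make_mbr(boot_code: bytes, disk_signature: int, partitions) -> bytes:
    """Construct an MBR image.  partitions: (bootable, type, lba_start, sectors) tuples."""
    if len(boot_code) > BOOT_CODE_END:
        raise ValueError("boot code would overwrite the disk signature")
    mbr = bytearray(512)
    mbr[:len(boot_code)] = boot_code
    struct.pack_into("<I", mbr, 440, disk_signature)
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions):
        struct.pack_into("<B3sB3sII", mbr, PARTITION_TABLE + 16 * i,
                         0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0",
                         lba_start, sectors)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


# Constructed images.  CLEAN_CODE opens with the usual "xor ax,ax / mov ss,ax /
# mov sp,0x7C00" prologue; INFECTED_CODE replaces the first two bytes with a
# short jump, standing in for a loader stub.  Both share the same partition table.
CLEAN_CODE = bytes.fromhex("33c08ed0bc007c").ljust(BOOT_CODE_END, b"\0")
INFECTED_CODE = b"\xEB\x3C" + CLEAN_CODE[2:]
PARTITIONS = [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 4000000)]
CLEAN_MBR = make_mbr(CLEAN_CODE, 0x1234ABCD, PARTITIONS)
INFECTED_MBR = make_mbr(INFECTED_CODE, 0x1234ABCD, PARTITIONS)
KNOWN_GOOD = {boot_code_hash(CLEAN_MBR)}   # baseline taken from the clean image

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_MBR), ("infected", INFECTED_MBR)):
        info = parse_mbr(img)
        verdict = check_boot_code(img, KNOWN_GOOD)
        print(name, verdict["known_good"], [p["lba_start"] for p in info["partitions"]])
```

On a live Windows host the same 512 bytes can be read from \\.\PhysicalDrive0 with an elevated process, but the deck's own sequence shows why that read cannot be trusted on a suspect machine: the infected MBR restores the original after hooking INT 13h, and the rootkit's hooking component stays resident, so a clean-looking sector may be exactly what the malware wants you to see. Take the baseline and the comparison read from clean boot media or with the disk attached to another system.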

"We are essentially going in circles. We improve only after our adversaries defeat our defenses. Most software is still riddled with vulnerabilities, but the vendors typically make no move to fix one until it becomes publicly disclosed."

David Hoelzer, Director of Research, Enclave Forensics

WHO?

• People who have limited knowledge about the subject
• Irate victims of malware attacks
• People who have other intent:
  • Financial gain
  • Ego
  • Marketing a new technology (NextGen)
• 2008, 2014: big AV companies were quoted saying, in essence, that AV is not sufficient anymore

Next Gen Software X (pipeline diagram):

Sample -> Pre-filtering (Whitelisting & Metadata confidence) -> parallel pipe:
• Memory space: continuous check for anomalous behaviour
• Behavioural analysis (almost similar to a sandbox)
-> Bad pipe -> Bad

Proactive Development Of New Weapons

• Avoid known names or Microsoft system file names
• Use anti-sandbox techniques to defeat the behavioural analysis
• Stay dormant, but don't use the techniques that will trigger the sandbox traps
• Use trial and error to escape the anomalous behaviour checks

Being Opinionated On Data

2016 Verizon Data Breach Investigations Report (chart slide)

2015 Microsoft Security Intelligence Report

Infection Rates For Protected and Unprotected Computers

"Recent releases of the MSRT collect and report details about the state of real-time antimalware software on a computer, if the computer's administrator has chosen to opt in to provide data to Microsoft. This telemetry data makes it possible to analyze security software usage patterns around the world and correlate them with infection rates."

This graph tells us that computers that were unprotected were between 2.7 and 5.6 times as likely to be infected with malware as computers that were protected.

"Antivirus won't protect you from the ever-increasing percentage of malware that's specifically designed to bypass antivirus software, but it will protect you from all the random unsophisticated attacks out there: the 'background radiation' of the Internet."

https://www.schneier.com/blog/archives/2014/05/is_antivirus_de_1.html

"In an era where anti-malware labs process hundreds of thousands of samples a day, failure to realize the significance of a vanishingly small set of stealthy, low-prevalence samples, however great their subsequent impact, while hardly describable as a success, is hardly a spectacular failure in statistical terms." [1]

Derivation

• To react to the evolving threats, "AV" or AM (anti-malware) has evolved too
• It does not SOLELY use the simple signature-based detection it did 20 years ago
• Hash (blacklist), whitelisting, smart patterns or heuristics are the BASIC functionalities we're using for "AV" these days
• Even 20% protection is better than none (worst-case scenario from AUSCERT)

GOOD SECURITY

• Does not rely on a single technology for protection
• Multi-layered security is the right approach
• Good endpoint security (AV/AM)
• Good network-based security
• Backups
• Updates and patches
• Secure your channels
• Don't overdo it

Extra: Getting Opinionated Again

"Consider whether you want to base your security strategy (at home or at work) on a PR exercise based on statistical misrepresentation and misunderstanding. Don't be too optimistic about finding The One True (probably generic) Solution: look for combinations of solutions that give you the best coverage at a price you can afford. The principle applies to home users too: the right free antivirus is a lot better than no protection." [1]

[1] www.welivesecurity.com/wp-content/uploads/.../avar-2013-paper.pdf


Q?
