Implementing malware with virtual machines
DESCRIPTION
Seminar of the “Virtual Machines” course, by F. Zahmatkesh, University of Science and Technology of Mazandaran, Babol. December 24, 2009. Transcript of a PowerPoint presentation: Implementing malware with virtual machines.
TRANSCRIPT
IMPLEMENTING MALWARE WITH VIRTUAL MACHINES
Seminar of the “Virtual Machines” course
By: F. Zahmatkesh, University of Science and Technology of Mazandaran, Babol
December 24, 2009
Preview: Malware
Short for malicious software
Software that acts on a computer system without the knowledge of the user
A general term
Implementing malware with virtual machines 2/29
Preview (cont’d): Control
Major goal of malware: to monitor, intercept and modify the states and actions of other software.
Allows malware to remain invisible by lying to, or disabling, intrusion detection software.
Preview (cont’d): Rootkit
A malware: a software system designed to obscure the fact that the system has been compromised.
Tools used to hide malicious activities.
Types:
1. Hardware/Firmware level
2. Hypervisor level
3. Boot loader level
4. Kernel level
5. Library level
6. Application level
Agenda
Attackers and defenders strive for control
Attackers monitor and perturb execution, and try to avoid defenders
Defenders detect and remove attackers
Control belongs to the lower layers, so both sides have migrated to low-level OS code
[Figure: layered stack of Hardware, Operating system, App1 and App2, with attackers and defenders contending for the lower layers]
Hope to help defenders
Outline
Virtual machine advantages
SubVirt project
○ VMBRs, a new class of threat
○ Installing a VMBR
○ Maintaining control
○ Malicious services
○ Proof-of-concept VMBRs
○ Example malicious services
Attacker’s perspective
Defending against this threat
Trends toward virtualization
Related work
Conclusion
Virtual Machines
Multiplexing hardware
Powerful platform to add services
○ Debug the OS
○ Migrate a live machine
○ Detect/prevent intrusions
○ Attest to code integrity
A problem
○ Non-visible states/events of the guest
VMI (virtual machine introspection) is the solution.
BUT… despite all of its advantages, virtual machine technology can also provide a powerful platform to build malware.
Virtual-Machine Based Rootkits (VMBRs)
[Figure: before infection, the target OS with App1 and App2 runs directly on the hardware; after infection, a VMM sits between the hardware and the target OS, with an attack system running beside the target OS]
Virtual-Machine Based Rootkits (VMBRs) (cont’d)
Hypervisor-level rootkit
Classic VM architecture: the VMM runs beneath the OS
○ Effectively a new processor privilege level
Fundamentally more control
The target system is moved into a virtual machine, with little to no visible difference
Malware runs in the VMM or in the attack system (a second VM)
Isolation
Visible states or events of the target system
○ Easy to modify
No visible states or events of the VMBR
Easy to develop malicious services
○ Run in a separate, general-purpose OS
○ Invisible to detection software in the target
○ Uses VMI
Hard to detect and remove
Virtual-Machine Based Rootkits (VMBRs) (cont’d)
Installing a VMBR
Attacker must first gain kernel privilege
○ Traditional remote exploit
○ Fool the user into installing malware
○ Bribe an OEM or vendor
The VMBR’s state is kept on persistent storage.
The VMBR modifies the system boot sequence (Master Boot Record) during the final stages of shutdown
○ Few processes running
○ Steps taken to avoid notification of the install activity
Installing a VMBR (cont’d): The boot sequence
[Figure: BIOS → Master boot record → Boot sector → OS]
Installing a VMBR (cont’d): Modify the boot sequence
[Figure: BIOS → VMBR loads → BIOS (the second BIOS stage runs inside the VMBR’s virtual machine) → Master boot record → Boot sector → OS]
Maintaining control
To avoid being removed, the VMBR must protect its state
Only time the VMBR loses control: the period after the system powers up until the VMBR starts (the system BIOS)
[Figure: same boot sequence as above, BIOS → VMBR loads → BIOS → Master boot record → Boot sector → OS, with the system BIOS stage highlighted]
Maintaining control (cont’d)
Loses control when the system is powered off
Reboots
○ Restart the virtual hardware
Shutdowns
○ The system appears to shut down
○ ACPI sleep states: switch the hardware into a low-power mode
• Spin down hard disks
• Turn off fans
• Place the monitor into a power-saving mode
Malicious services
Use a separate attack OS to implement and run invisible malicious services
Traditional malware with no fear of detection
[Figure: Hardware → VMM, with the target OS (App1, App2) and the attack OS (App) running side by side on top of the VMM]
Malicious services (cont’d)
Malicious services fall into three categories:
1. Zero-interaction malicious services
○ E.g., phishing web server
2. Passive monitoring
○ E.g., keystroke logger, network packets
3. Active execution modifications
○ E.g., delete e-mail, modify network communication
A VMBR supports all of the above; all are easy to implement
Evaluate: Proof-of-concept VMBRs

                                          VMware-based VMBR   Virtual PC-based VMBR
                                          (Linux target)      (Win XP target)
Host boot + target boot after power-off   145 s               101 s
Host boot after power-off                  52 s                45 s
Target boot after emulated shutdown        96 s                N/A
Target boot after emulated reboot          74 s                54 s
Target boot w/o VMBR                       53 s                23 s
Install time                               24 s               262 s
VMM + attack OS memory space               3%                  3%
Disk space                                 228 MB              251 MB
Experimental setup: All experiments for the VMware-based VMBR run on a Dell Optiplex Workstation with a 2.8 GHz Pentium 4 and 1 GB of RAM. All experiments for the Virtual PC-based VMBR run on a Compaq Deskpro EN with a 1 GHz Pentium 4 and 256 MB of RAM. Our VMware-based VMBR compromises a RedHat Enterprise Linux 4 target system, and our Virtual PC-based VMBR compromises a Windows XP target system.
Example Malicious Services
Using the proof-of-concept VMBRs, we implemented four malicious services:
1. Phishing web server
2. Keystroke logger
3. File system scanner
4. Countermeasure to a detection tool
Defending against VMBRs
Detecting a VMBR’s presence is hard
○ The VMBR virtualizes the state seen by the target
○ An ideal VMBR modifies no state inside the target
It does leave signs that an intrusion detection system can observe
Where to run detection software:
○ Below the VMBR
○ Above the VMBR
Security software below
More control, direct access to resources
Could observe/detect the VMBR’s states or events
Ways to gain control below:
1. Secure hardware
• E.g., Intel’s LaGrande
• E.g., AMD’s platform for trustworthy computing
• E.g., Copilot
(all three propose hardware support)
Security software below (cont’d)
2. Secure VMM
• The VMBR would sit between the secure VMM and the target OS
• Stops the VMBR from modifying the boot sequence above the secure VMM
3. Secure boot
• Ensures the integrity of the boot sequence
4. Boot from a safe medium
• CD-ROM, USB drive or network boot server
• A VMBR can avoid it (it can emulate the reboot)!
• Unplug the machine from the wall
• E.g., Strider GhostBuster
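A defender-side check tying together the two points above, the VMBR patching the Master Boot Record to insert itself into the boot sequence, and secure boot or booting from a safe medium to verify that sequence. This is an added example, not code from the slides or from the SubVirt project: it parses a 512-byte MBR, hashes the boot code and compares it and the partition table with a baseline recorded from a clean boot. The MBR images and the baseline are constructed sample data.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446      # bytes 0..445: the boot code a VMBR would patch to load itself
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the boot code
SIGNATURE = b"\x55\xAA"  # bytes 510..511

def parse_mbr(mbr: bytes) -> dict:
    """Split one 512-byte MBR into a boot-code hash, partition list and signature flag."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    parts = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0 marks an unused slot
            parts.append({"status": status, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts,
            "signature_ok": mbr[510:512] == SIGNATURE}

def check_against_baseline(mbr: bytes, baseline: dict) -> list:
    """Return findings for a captured MBR; an empty list means it matches the baseline."""
    cur = parse_mbr(mbr)
    findings = []
    if not cur["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if cur["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline (boot sequence modified)")
    if cur["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline (disk space reassigned)")
    return findings

def make_sample_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a constructed MBR image for the demonstration (not a real disk)."""
    table = b"".join(struct.pack("<B3xB3xII", *p) for p in partitions)
    return (boot_code.ljust(BOOT_CODE_LEN, b"\x00")
            + table.ljust(64, b"\x00") + SIGNATURE)

# Constructed sample: the clean MBR, recorded as the baseline while booted from a safe medium ...
CLEAN_MBR = make_sample_mbr(b"\xEB\x3C\x90clean-loader", [(0x80, 0x83, 2048, 20_000_000)])
BASELINE = parse_mbr(CLEAN_MBR)
# ... and the same disk after a VMBR-style install: patched boot code, and the OS partition
# shrunk to free sectors for the VMM's own persistent state.
TAMPERED_MBR = make_sample_mbr(b"\xEB\x3C\x90vmbr-loader", [(0x80, 0x83, 2048, 19_000_000)])
```

On a real machine the 512 bytes would be read from the raw disk device while booted from the safe medium, since an MBR read from inside a running VMBR target can be virtualized to look clean.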
Security software above
Traditional techniques aren’t able to detect a VMBR.
○ Attack state is not visible
○ Can only detect side effects
VMBR perturbations (side effects) include:
1. Increase in CPU overhead
○ Timing differences
Security software above (cont’d)
2. Use of memory and disk space
○ Run a program that requires the entire machine’s memory/disk space
3. Not virtualizing all I/O devices
○ Direct access to non-virtualized devices
• Drivers access physical memory
4. Leak of VMM information by sensitive, non-privileged instructions
○ Execute them at a lower processor privilege level (rings 1-3)
Trends toward virtualization
Towards hardware virtualization support (Intel and AMD): more practical VMBRs
○ Reduce the amount of state needed to support VMBRs
○ Reduce the amount of time needed to boot VMBRs
○ Allow hardware devices to perform at full capacity
Towards widespread VMM use: helps defenders detect/prevent VMBRs
○ Secure VMM
Related work
1. Layer-below attacks
○ Kernel-layer rootkits
2. Projects that use VMMs for security
○ Trusted VMMs: Terra, NGSCB
○ Detect intrusions: VMI, IntroVirt
○ Isolation: NSA’s NetTop
○ Analyze intrusions: ReVirt
3. Projects that detect the presence of a VMM
○ Pioneer
Conclusion
VMBRs
○ Qualitatively more control
○ Still easy to implement services
○ Hardware enhancements might make them more effective
○ Defending is possible by controlling the low layers
When compared to traditional malware:
○ More state
○ More difficult to install
○ Reboot needed to run
○ More of an impact
Reference
S. T. King, P. M. Chen, Y.-M. Wang, C. Verbowski, H. J. Wang, J. R. Lorch, "SubVirt: Implementing malware with Virtual Machines", in Proceedings of the IEEE Symposium on Security and Privacy, May 2006.
Thanks for paying attention.