IMPLEMENTING MALWARE WITH VIRTUAL MACHINES. Seminar of the “Virtual Machines” course. By: F. Zahmatkesh, University of Science and Technology of Mazandaran, Babol. [email protected]. December 24, 2009.


Page 1: Implementing malware with virtual machines

IMPLEMENTING MALWARE WITH VIRTUAL MACHINES

Seminar of the “Virtual Machines” course

By: F. Zahmatkesh, University of Science and Technology of Mazandaran, Babol

[email protected]

December 24, 2009

Page 2: Implementing malware with virtual machines

Preview: Malware

• Short for malicious software
• Software that acts on a computer system without the knowledge of the user
• A general term

Implementing malware with virtual machines 2/29

Page 3: Implementing malware with virtual machines

Preview (cont’d): Control

• The major goal of malware: to monitor, intercept and modify the states and actions of other software.
• Control allows malware to remain invisible, by lying to or disabling intrusion detection software.

Page 4: Implementing malware with virtual machines

Preview (cont’d): Rootkit

• A kind of malware: a software system designed to obscure the fact that the system has been compromised.
• Tools used to hide malicious activities.
• Types:
  1. Hardware/firmware level
  2. Hypervisor level
  3. Boot loader level
  4. Kernel level
  5. Library level
  6. Application level

Page 5: Implementing malware with virtual machines

Agenda

• Attackers and defenders strive for control
  ○ Attackers monitor and perturb execution, and try to avoid defenders
  ○ Defenders detect and remove attackers
• Control belongs to the lower layers, so both sides have migrated to low-level OS code

[Figure: layered stack of Hardware, Operating system, App1 and App2, with attackers and defenders both moving toward the lower layers]

• Hope: to help defenders

Page 6: Implementing malware with virtual machines

Outline

• Virtual machines: advantages
• SubVirt project
  ○ VMBRs, a new class of threat (attacker’s perspective)
    - Installing a VMBR
    - Maintaining control
    - Malicious services
  ○ Proof-of-concept VMBRs
  ○ Example malicious services
• Defending against this threat
• Trends toward virtualization
• Related work
• Conclusion

Page 7: Implementing malware with virtual machines

Virtual Machines

• Multiplex the hardware
• A powerful platform to add services:
  ○ Debug an OS
  ○ Migrate a live machine
  ○ Detect/prevent intrusions
  ○ Attest for code integrity
• A problem: the states and events of the guest are not directly visible
  ○ VMI (virtual machine introspection) is the solution.

Page 8: Implementing malware with virtual machines

BUT…

• Despite all of its advantages, virtual machine technology can also provide a powerful platform for building malware.

Page 9: Implementing malware with virtual machines

Virtual-Machine Based Rootkits (VMBRs)

[Figure: before infection: Hardware, Target OS, App1, App2. After infection: Hardware, VMM, with the Target OS (App1, App2) and an Attack system both running above the VMM]

Page 10: Implementing malware with virtual machines

Virtual-Machine Based Rootkits (VMBRs) (cont’d)

• A hypervisor-level rootkit
• Classic VM architecture: the VMM runs beneath the OS
  ○ Effectively a new processor privilege level
  ○ Fundamentally more control
• The target system is moved into a virtual machine, with little to no visible difference
• The malware runs in the VMM or in an attack system (a second VM)

Page 11: Implementing malware with virtual machines

Virtual-Machine Based Rootkits (VMBRs) (cont’d)

Isolation

• The visible states and events of the target system are easy to modify
• No states or events of the VMBR itself are visible to the target
• Malicious services are easy to develop: they run in a separate, general-purpose OS, invisible to detection software in the target, and use VMI
• Hard to detect and remove

Page 12: Implementing malware with virtual machines

Installing a VMBR

• The attacker first needs kernel privilege, obtained by:
  ○ A traditional remote exploit
  ○ Fooling the user into installing malware
  ○ Bribing an OEM or vendor
• The VMBR’s state is placed on persistent storage.
• The VMBR modifies the system boot sequence (master boot record), during the final stages of shutdown:
  ○ Few processes are running
  ○ Efforts to prevent notification of the activity

Page 13: Implementing malware with virtual machines

Installing a VMBR (cont’d): The boot sequence

[Figure: BIOS -> Master boot record -> Boot sector -> OS]

Page 14: Implementing malware with virtual machines

Installing a VMBR (cont’d): Modify the boot sequence

[Figure: BIOS -> Master boot record -> VMBR loads -> Boot sector -> OS]

Page 15: Implementing malware with virtual machines

Maintaining control

• To avoid being removed, the VMBR must protect its state
• The only time the VMBR loses control is the period after the system powers up until the VMBR starts, i.e. while the system BIOS runs

[Figure: BIOS -> Master boot record -> VMBR loads -> Boot sector -> OS, with the BIOS stage marked as the window in which the VMBR is not in control]

Page 16: Implementing malware with virtual machines

Maintaining control (cont’d)

• The VMBR loses control when the system is powered off, so reboots and shutdowns are handled without releasing the hardware:
  ○ Reboots: restart the virtual hardware
  ○ Shutdowns: the system appears to shut down; ACPI sleep states switch the hardware into a low-power mode
    - Spin down hard disks
    - Turn off fans
    - Place the monitor into a power-saving mode

Page 17: Implementing malware with virtual machines

Malicious services

• A separate attack OS is used to implement them
• Invisible malicious services run there: traditional malware with no fear of detection

[Figure: Hardware and VMM at the bottom; above the VMM, the Target OS (App1, App2) and the Attack OS (App)]

Page 18: Implementing malware with virtual machines

Malicious services (cont’d)

• Malicious services fall into three categories:
  1. Zero-interaction malicious services (e.g., a phishing web server)
  2. Passive monitoring (e.g., a keystroke logger, capturing network packets)
  3. Active execution modifications (e.g., deleting e-mail, modifying network communication)
• A VMBR supports all of the above, and all are easy to implement

Page 19: Implementing malware with virtual machines

Evaluation: proof-of-concept VMBRs (times in seconds)

Measurement                                   VMware-based VMBR    Virtual PC-based VMBR
                                              (Linux target)       (Win XP target)
Install time                                  24                   262
Host boot + target boot after power-off       145                  101
Host boot after power-off                     52                   45
Target boot after emulated shutdown           96                   N/A
Target boot after emulated reboot             74                   54
Target boot without VMBR                      53                   23
VMM + attack OS memory space                  3%                   3%
Disk space                                    228 MB               251 MB

Experimental setup: All experiments for the VMware-based VMBR run on a Dell Optiplex Workstation with a 2.8 GHz Pentium 4 and 1 GB of RAM. All experiments for the Virtual PC-based VMBR run on a Compaq Deskpro EN with a 1 GHz Pentium 4 and 256 MB of RAM. Our VMware-based VMBR compromises a RedHat Enterprise Linux 4 target system, and our Virtual PC-based VMBR compromises a Windows XP target system.

Page 20: Implementing malware with virtual machines

Example malicious services

• Using the proof-of-concept VMBRs, we implemented four malicious services:
  1. Phishing web server
  2. Keystroke logger
  3. File system scanner
  4. Countermeasure to a detection tool

Page 21: Implementing malware with virtual machines

Defending against VMBRs: detecting a VMBR’s presence

• Hard to detect: the VMBR virtualizes the state seen by the target, and an ideal VMBR modifies no state inside the target
• It does leave signs that an intrusion detection system can observe
• Where to run detection software:
  ○ Below the VMBR
  ○ Above the VMBR

Page 22: Implementing malware with virtual machines

Security software below

• More control, direct access to resources
• Could observe/detect the VMBR’s states or events
• Ways to gain control below:
  1. Secure hardware
    • E.g., Intel’s LaGrande
    • E.g., AMD’s platform for trustworthy computing
    • E.g., Copilot
    (all of these propose hardware support)

Page 23: Implementing malware with virtual machines

Security software below (cont’d)

  2. Secure VMM
    • Forces any VMBR to sit between the secure VMM and the target OS
    • Stops the VMBR from modifying the boot sequence above the secure VMM
  3. Secure boot
    • Ensures the integrity of the boot sequence
  4. Boot from a safe medium
    • CD-ROM, USB drive or network boot server
    • A VMBR can avoid it (it can emulate the reboot), so unplug the machine from the wall first
    • E.g., Strider GhostBuster
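The master boot record is where the installation step on slides 12 to 14 has to leave a trace, and the secure-boot and safe-medium defences listed above come down to the same check: compare the boot code on disk with a copy recorded while the machine was known to be clean. The Python script below is an added example written for this transcript; it is not code from the seminar or from the SubVirt project. It parses a raw 512-byte MBR, digests the bootstrap-code region and the partition table separately (so a report can say which one changed), and compares both digests with a stored baseline. The sample MBR bytes, its single partition entry and the "tampered" copy are all constructed here; on a real machine the sector would be read from the disk after booting from the safe medium, since a check run inside the target only sees the state the VMBR chooses to present.

```python
"""Added example (not from the slides or SubVirt): baseline-and-compare
check for the master boot record.  All sample data is constructed."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_SIZE = 446          # bytes 0..445 hold the bootstrap code
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow
PARTITION_ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510        # 0x55 0xAA marks a valid MBR


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition entry; LBA fields are little-endian."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into bootstrap code and partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entry = sector[start:start + PARTITION_ENTRY_SIZE]
        if entry != bytes(PARTITION_ENTRY_SIZE):   # skip empty slots
            entries.append(parse_partition_entry(entry))
    return {"bootstrap": sector[:BOOTSTRAP_SIZE], "partitions": entries}


def mbr_fingerprint(sector: bytes) -> dict:
    """SHA-256 of the code region and of the partition table, kept apart
    so that a legitimate repartitioning is not confused with new boot code."""
    parsed = parse_mbr(sector)
    table = sector[PARTITION_TABLE_OFFSET:SIGNATURE_OFFSET]
    return {"bootstrap_sha256": hashlib.sha256(parsed["bootstrap"]).hexdigest(),
            "table_sha256": hashlib.sha256(table).hexdigest()}


def compare_to_baseline(sector: bytes, baseline: dict) -> list:
    """Names of the MBR regions whose digest differs from the baseline."""
    current = mbr_fingerprint(sector)
    return [name for name in baseline if baseline[name] != current[name]]


def build_sample_mbr(bootstrap_fill: int) -> bytes:
    """Constructed sample: code region filled with one byte value and a
    single bootable Linux-type (0x83) partition starting at LBA 2048."""
    bootstrap = bytes([bootstrap_fill]) * BOOTSTRAP_SIZE
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x83,
                        b"\x00\x00\x00", 2048, 204800)
    table = entry + bytes(PARTITION_ENTRY_SIZE) * 3
    return bootstrap + table + b"\x55\xaa"


def demo() -> list:
    """Record a baseline from the clean sample, then check a copy whose
    first four code bytes were altered; only the code digest should differ."""
    clean = build_sample_mbr(0x90)
    baseline = mbr_fingerprint(clean)      # stored off-host in practice
    tampered = bytearray(clean)
    tampered[0:4] = b"\x00\x00\x00\x00"    # constructed modification
    return compare_to_baseline(bytes(tampered), baseline)


if __name__ == "__main__":
    print("changed regions:", demo())
```

The baseline has to live somewhere the target cannot rewrite (removable media, a remote store); a baseline kept on the same disk could be updated along with the boot code.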

Page 24: Implementing malware with virtual machines

Security software above

• Traditional techniques aren’t able to detect a VMBR: the attack state is not visible, so they can only detect side effects
• VMBR perturbations (side effects) include:
  1. Increase in CPU overhead
    ○ Timing differences

Page 25: Implementing malware with virtual machines

Security software above (cont’d)

  2. Use of memory and disk space
    ○ Run a program that requires the entire machine’s memory or disk space
  3. Not virtualizing all I/O devices
    ○ Direct access to non-virtualized devices
    • Drivers access physical memory
  4. Leak of VMM information by sensitive, non-privileged instructions
    ○ Execute them at a lower processor privilege level (rings 1-3)
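The side-effect list on slides 24 and 25 is all that a detector running inside the target has to work with. The Python module below is an added example, not code from the seminar or from SubVirt; it turns two of those side effects into decisions that tolerate normal noise. resource_shortfall compares a hardware inventory recorded at provisioning time with what the running OS reports and flags resources whose shortfall exceeds a tolerance; timing_suggests_overhead compares the median of a batch of timing samples with a calibrated clean-system median, using the median so that a few interrupted runs do not dominate. Every number (the inventory, the observed values, the timing samples) is constructed, the pure-Python loop in collect_samples only stands in for a real probe that would time a trapping instruction such as CPUID (which cannot be issued from Python), and the 3x factor and 1% tolerance are placeholders to be calibrated per machine.

```python
"""Added example (not from the slides or SubVirt): two "from above" checks
for VMBR side effects.  Inventory values and timing samples are constructed."""
import statistics
import time


def resource_shortfall(inventory: dict, observed: dict,
                       tolerance: float = 0.01) -> dict:
    """Compare the provisioning-time inventory with what the OS now sees.
    Returns {resource: fraction_missing} for every resource whose shortfall
    exceeds `tolerance` (a fraction; 1% is a placeholder, not a calibrated
    value).  Memory reserved for a VMM and attack OS shows up as a
    consistent shortfall that survives reboots."""
    flagged = {}
    for name, expected in inventory.items():
        seen = observed.get(name, 0)          # absent resource counts as gone
        missing = (expected - seen) / expected
        if missing > tolerance:
            flagged[name] = round(missing, 4)
    return flagged


def timing_ratio(samples_ns: list, baseline_ns: float) -> float:
    """Median of the samples over the calibrated clean-system median."""
    return statistics.median(samples_ns) / baseline_ns


def timing_suggests_overhead(samples_ns: list, baseline_ns: float,
                             factor: float = 3.0) -> bool:
    """True when the workload typically takes `factor` times the baseline.
    A trapped instruction costs a VM exit (thousands of cycles) rather than
    tens, so a probe built on such an instruction would use a much larger
    factor; 3.0 is a placeholder for this pure-Python stand-in."""
    return timing_ratio(samples_ns, baseline_ns) >= factor


def collect_samples(rounds: int = 50, work: int = 20000) -> list:
    """Time a fixed workload `rounds` times and return nanoseconds per run.
    Stand-in for timing a trapping instruction (assumption: see lead-in)."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter_ns()
        total = 0
        for i in range(work):
            total += i
        samples.append(time.perf_counter_ns() - start)
    return samples


def demo_inventory() -> dict:
    """Constructed case: 1 GB RAM and an 80 GB disk at provisioning; the OS
    now reports 31 MB less RAM (about 3%) and 228 MB less disk."""
    inventory = {"ram_mb": 1024, "disk_mb": 80000}
    observed = {"ram_mb": 993, "disk_mb": 79772}
    return resource_shortfall(inventory, observed)


if __name__ == "__main__":
    print("shortfall:", demo_inventory())
    live = collect_samples()
    # On a real deployment baseline_ns comes from a calibration run on a
    # machine known to be clean; here it is just the current median.
    print("timing ratio vs. self:", timing_ratio(live, statistics.median(live)))
```

The inventory case is tuned to the table on slide 19: a 3% memory footprint clears a 1% tolerance, but 228 MB on an 80 GB disk does not, so a disk check needs the exact geometry and sector count rather than a percentage. The timing check is only meaningful against a baseline taken on the same hardware before deployment.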

Page 26: Implementing malware with virtual machines

Trends toward virtualization

• Toward hardware virtualization support (Intel and AMD): more practical VMBRs
  ○ Reduces the amount of state needed to support VMBRs
  ○ Reduces the amount of time needed to boot VMBRs
  ○ Allows hardware devices to perform at full capacity
• Toward widespread VMM use: helps defenders detect/prevent VMBRs
  ○ Secure VMM

Page 27: Implementing malware with virtual machines

Related work

1. Layer-below attacks: kernel-layer rootkits
2. Projects that use VMMs for security:
  ○ Trusted VMMs: Terra, NGSCB
  ○ Detecting intrusions: VMI, IntroVirt
  ○ Isolation: NSA’s NetTop
  ○ Analyzing intrusions: ReVirt
3. Projects that detect the presence of a VMM: Pioneer

Page 28: Implementing malware with virtual machines

Conclusion

• VMBR:
  ○ Qualitatively more control
  ○ Still easy to implement services
  ○ Hardware enhancements might make it more effective
  ○ Defending is possible by controlling the low layers
• When compared to traditional malware:
  ○ More state
  ○ More difficult to install
  ○ Reboot needed to run
  ○ More of an impact

Page 29: Implementing malware with virtual machines

Reference

S. T. King, P. M. Chen, Y.-M. Wang, C. Verbowski, H. J. Wang, J. R. Lorch, “SubVirt: Implementing malware with Virtual Machines”, in Proceedings of the IEEE Symposium on Security and Privacy, May 2006.

Page 30: Implementing malware with virtual machines

Thanks for paying attention.